background image for GxP Lifeline
GxP Lifeline

Leveraging GAMP 5 Compliance for Risk-Based Software Validation


While life sciences industry growth in 2020 and beyond appears promising, risk avoidance remains a concern for most companies. Faced with new competitors, more complex data-centric products, and greater regulatory demands, manufacturers are turning to automation as a way to achieve differentiation and avoid potential pitfalls like failed audits or recalls. Good Automated Manufacturing Practice (GAMP) guidelines are a key resource to help manufacturing minimize that risk. This article will review GAMP and why its benefits for computer validation still resonate.

Getting to GAMP 5

In the 1990s, computer validation issues became a sizeable stumbling block for life sciences companies. An analysis of more than 3,000 medical device recalls between 1992–1998 revelated that in 79% of those cases, software defects were to blame, according to the U.S. Food and Drug Administration (FDA).(1) The findings resulted in a cascade of regulatory requirements and guidelines for more rigorous computer and software validation:

  • In 1992, the European Union (EU) put out Annex 11 (updated in 2011) to reduce risk for medicinal product quality manufacture involving computerized processes.
  • In 1997, the FDA issued 21 CFR Part 11 guidance for pharmaceutical companies to ensure proper validation of electronic records and signatures (updated in 2003 to reinforce the need for computer-based validation).
  • In 2002, the FDA issued “General Principles of Software Validation; Final Guidance for Industry and FDA Staff,” requiring risk-based software validation.

In 2008, the International Society for Pharmaceutical Engineering (ISPE) released “GAMP 5: A Risk-Based Approach to Compliant GxP Systems,” an update to its 1991 guidelines for general and life sciences manufacturers. The procedures offer the latest thinking and best practices for computer systems validation. The intent of GAMP 5 principles is “to provide a cost-effective framework for good practice to ensure that computerized systems are fit for use and compliant with regulation.”(2)

The difference between 21 CFR Part 11 and GAMP 5 is that the latter is not a regulation. A GxP rather than a prescriptive approach, GAMP 5 doesn’t mandate software validation. However, the guidelines’ best practices can serve as a compliance framework for regulated industries while underscoring the importance of validation to reduce risk.(3) Computer system validation (CSV) based on adherence to GAMP guidelines requires companies and suppliers to embrace collaboration so that respective risk management responsibilities are fully understood.

GAMP 5 Core Concepts

The guidelines consist of five integral concepts:

Product and Process Understanding:

A firm grasp of the product and process is vital to determining system requirements and for making science- and risk-based decisions to ensure the system is “fit for use.” This concept focuses on aspects that are crucial to patient safety, product quality, and data integrity.”(2)

Life Cycle Approach Within a QMS:

GAMP 5 includes all quality management system (QMS) and related computer system activities across the entire life cycle process. The four major phases include concept, project, operation and retirement.

Scalable Life Cycle Activities:

 Assessments allow companies to scale their validation efforts and other life cycle activities to the appropriate levels. System impacts on patient safety, product quality and data integrity need to be factored in as well as system complexity and novelty, and supplier assessment outcome. Supplier cohesion is essential at all life cycle phases.

Science-Based Quality Risk Management:

Has companies focus on critical aspects of the computer system and develops controls to mitigate those risks. A clear understanding of the product and process is vital to limit risk. Based on ICH guidelines, its five key parts include planning, specification, configuration and/or coding, verification, and reporting. Identified risks can be mitigated by elimination of design, reduction to suitable level, and verification to demonstrate risk are managed to an acceptable level.

Leveraging Supplier Involvement:

GAMP 5 suggests that regulated companies maximize the involvement of suppliers throughout the system life cycle. This will help manufacturers decide how to best use supplier documentation such as existing text documentation to avoid duplication. Regulated companies have final responsibility for this step and must assess whether suppliers have processes in place to safeguard product quality.(2) Suppliers can help with:

  1. Gathering requirements.
  2. Creation of functional specifications.
  3. System configuration.
  4. Testing.
  5. Support.
  6. Maintenance.
  7. System retirement.

GAMP 5 good practices vary depending on the type of software in question and the amount of risk associated with it. The most common types are non-configurable software, configurable software and customizable software.

GAMP 5 vs. GAMP 4

GAMP was revised in 2008 to its present iteration, GAMP 5, to include the following updates:

  • Current good manufacturing practice (CGMP) for the FDA’s 21st Century Initiative and associated guidance promoting science-based risk management.
  • ICH Guidance Q8, Q9 and Q10 to promote science-based risk management.
  • Pharmaceutical Inspection Co-operation Scheme’s (PIC/S) Guidance Practice for Computerized Systems in Regulated GxP Environments which clarify regulatory expectations.
  • Compatibility with ISO 9000 and ISO 12207 and other international standards.

But to fully benefit from and adopt GAMP 5 principles and procedures, companies should consider digital tools that automate the CSV. An automated GAMP 5 system reduces audit times and findings, and decreases the risk of product recalls. It also improves product quality and safety, increases customer satisfaction, and ensures FDA and ISO compliance.


GAMP 5 compliance aggregates all the latest best practices pertaining to risk-based computer system validation from a variety of regulators and standard setting organizations, including the FDA, the EU, PIC/S. Yet for companies to truly make the most of the benefits of computer validation to improve quality and compliance in a more digitized industry, companies should consider an automated solution.


  1. General Principles of Software Validation; Final Guidance for Industry and FDA Staff
  2. GAMP 5: A Risk-Based Approach to Compliant GxP Computerized Systems.

    ISPE 2008.

  3. “How Necessity Led to a New Validation Methodology and Innovative Tool” by Erin Wright. MasterControl white paper. 2019


Mike Rigert is a content marketing specialist at MasterControl’s headquarters in Salt Lake City, Utah. A native of the Chicago area, he has nearly a decade and a half of experience creating journalism and marketing content for the news media, public safety and higher education. He has a bachelor’s degree in political science from Brigham Young University.

Free Resource
8 Tips for Compliant and Quick Software Validation

Enjoying this blog? Learn More.

8 Tips for Compliant and Quick Software Validation

Get the Guide
[ { "key": "fid#1", "value": ["GxP Lifeline Blog"] } ]