and supplier assurance principles

Core Principles of GAMP 5 (2nd Edition)

• Product and process understanding
• Risk management based on patient safety and data integrity
• Scalable lifecycle activities
• Supplier involvement and leveraged documentation
• Quality built into the system through good engineering practices

System Categories in GAMP 5

GAMP 5 classifies systems into five categories based on complexity and configurability:

• Category 1: Infrastructure software (OS, database, browsers)
• Category 3: Non-configurable software (off-the-shelf tools)
• Category 4: Configured software (LIMS, ERP with user-defined settings)
• Category 5: Custom-developed software

Validation effort increases from Category 3 to 5. Category 1 requires qualification, not validation.

GAMP 5 V-Model Explained

The V-model is the backbone of the GAMP 5 lifecycle and demonstrates the relationship between specification and testing phases:

Specification	Verification
User Requirements Specification (URS)	User Acceptance Testing (UAT)
Functional Specification (FS)	Functional Testing (FT)
Design Specification (DS)	Design/Configuration Testing (DT)
System Build	Installation Qualification (IQ)

Step-by-Step GAMP 5-Based CSV Process

1. Validation Planning

• Create a Validation Master Plan (VMP) and system-specific Validation Plan (VP)
• Define roles and responsibilities: QA, IT, Business, Validation
• List regulatory requirements and intended system use
• Identify risk categories and deliverables based on GAMP classification

2. Risk Assessment

• Conduct initial risk analysis (FMEA or HACCP tools)
• Assess system impact on GxP processes, data integrity, product quality
• Use ISPE’s risk-based approach: probability × severity × detectability
• Document mitigation measures for identified high risks

3. Supplier Assessment

• Evaluate supplier’s development process, testing, and quality system
• Use questionnaires, audits, and review of vendor documentation
• Leverage existing vendor IQ/OQ evidence where appropriate

4. Requirements Specification

• URS: High-level business needs, compliance, performance goals
• FS: Functional logic, workflows, user privileges
• DS: Technical architecture, database structure, interface design
• In agile projects, these may evolve during sprints

5. Verification & Testing

• IQ: Installation of hardware/software, network config, patch levels
• OQ: System functionality under specified conditions
• PQ: End-to-end testing with real-life user scenarios
• UAT: Formal user sign-off on business process compliance
• Include both positive and negative test cases

6. Data Integrity Considerations

• Ensure ALCOA+ principles are embedded: Attributable, Legible, Contemporaneous, Original, Accurate, + Complete, Consistent, Enduring, Available
• Validate audit trails, electronic signatures (21 CFR Part 11/Annex 11)
• Verify access controls and password policies
• Backups, disaster recovery, and archiving processes should be qualified

7. Documentation Requirements

• Validation Plan and Risk Assessment
• User, Functional, and Design Specifications
• Test Protocols: IQ, OQ, PQ, UAT
• Deviation Logs and CAPA records
• Traceability Matrix linking requirements to tests
• Validation Summary Report

Maintaining a Validated State

• Implement Change Control system for all updates, patches, or enhancements
• Revalidation required if changes impact validated functions
• Audit trails and version controls must be active and reviewed periodically
• Training records of users and system administrators must be maintained

CSV in the Cloud: GAMP 5 Guidance

• Cloud-hosted SaaS systems must follow GAMP 5 with shared responsibilities
• Define Service Level Agreements (SLAs) and Data Processing Agreements (DPAs)
• Supplier audits and documented security controls required
• Backups, business continuity, and disaster recovery must be validated

Common Pitfalls in CSV

• Incomplete risk assessments
• Over-documentation for low-risk systems
• Inadequate testing and traceability
• Missing audit trail validation
• Neglecting periodic review and system revalidation

Example: GAMP 5 CSV for a LIMS System

• Category: 4 (Configured Software)
• Risk: High (GxP and product release)
• URS: Sample login, result calculation, analyst ID tracking
• OQ: Sample barcode scanning, result entry validation
• PQ: Full batch release scenario simulation
• Data Integrity: Result modification audit trail, electronic approval path

Conclusion

GAMP 5 offers a robust framework for risk-based validation of computerized systems across the pharmaceutical lifecycle. It ensures consistent, compliant, and efficient validation by focusing on criticality, system complexity, and regulatory alignment. By leveraging GAMP 5, companies can minimize validation burden while meeting global compliance standards and maintaining patient safety and data integrity.

For GAMP 5-based CSV templates, protocols, and traceability matrix samples, visit PharmaSOP.in. To integrate risk-based validation into your VMP, explore services at PharmaValidation.in.

Further Reading

• ISPE GAMP 5 Guide
• FDA Process Validation Guidance
• EU GMP Annex 11
• ICH Q8, Q9, Q10 Guidelines
• WHO Technical Series: Computerized Systems