|

GAMP 5 Overview

1. Purpose

This article provides an overview of GAMP 5 and its role in the validation of computerized systems used in regulated environments. It establishes the fundamental principles used to ensure that systems are fit for intended use and that validation effort is aligned with risk.

GAMP5 ISPE book title Page image

2. Scope and Application

GAMP 5 applies to computerized systems that support GMP processes, including systems used in manufacturing, laboratory operations, quality management, and data handling.

It is applicable to:

  • New system implementations
  • Existing systems undergoing changes
  • Legacy systems requiring retrospective validation
  • Infrastructure and platform systems supporting GMP applications

GAMP 5 provides a framework that can be scaled based on system impact, complexity, and risk.

3. Key Principles

GAMP 5 is based on a set of core principles that guide validation activities. These include:

  • Product and process understanding
  • Lifecycle approach to validation
  • Scalable validation based on risk
  • Leveraging supplier activities
  • Focus on critical aspects of the system
  • Ensuring data integrity

These principles ensure that validation is efficient, defensible, and aligned with regulatory expectations.

4. Lifecycle Approach

GAMP 5 promotes a structured lifecycle model for computerized systems. Validation is not a single activity but a series of controlled steps from concept through retirement. Typical lifecycle stages include:

  • Concept and planning
  • Requirements definition
  • System design and configuration
  • Testing and verification
  • System release
  • Operation and maintenance
  • Retirement and data archival

Each stage must be documented and controlled to maintain the validated state.

5. Risk-Based Approach

Risk management is a core principle of GAMP 5 and serves as the primary mechanism for determining the extent of validation activities. Validation is not applied uniformly. It is scaled based on the level of risk a system presents to product quality, patient safety, and data integrity. Risk assessment evaluates:

  • Impact on product quality
  • Impact on patient safety
  • Data integrity risk
  • System complexity and degree of configuration

These factors are considered together to determine the overall risk profile of the system. Systems that directly affect batch release decisions, critical process parameters, or GMP data require a higher level of control. Systems with indirect or no GMP impact require proportionally less verification. The outcome of risk assessment defines:

  • Depth of requirements and specifications
  • Extent of testing and verification
  • Level of supplier leverage
  • Degree of data integrity controls
  • Rigor of lifecycle management

Higher-risk systems require comprehensive validation, including full lifecycle documentation, extensive testing, and strict control over data and system changes. Lower-risk systems may be verified using simplified approaches with reduced documentation and greater reliance on supplier evidence.

The diagram below illustrates how validation effort is scaled based on system risk and complexity. It demonstrates that validation rigor increases as system impact and configurability increase, ensuring that effort is focused on areas that present the greatest risk.

Diagram showing risk-based scaling of validation effort based on system impact and complexity

6. V-Model Concept

GAMP 5 uses the V-model to represent the structured relationship between specification activities on the left side and corresponding verification activities on the right side. The model ensures that every requirement is traceable to a defined test and that system functionality is verified against documented expectations. The V-model establishes direct alignment between:

  • User Requirements Specification and Performance Qualification
  • Functional Specification and Operational Qualification
  • Configuration and Design Specification and Installation Qualification with configuration verification

On the left side of the V, system requirements and specifications are progressively defined, moving from high-level user needs to detailed functional and configuration definitions. At the base of the V, the system is built or configured based on these specifications.

On the right side of the V, verification activities confirm that the system meets the defined specifications. Installation Qualification verifies that the system is installed and configured correctly. Operational Qualification confirms that the system functions as intended. Performance Qualification demonstrates that the system performs effectively under routine operating conditions and meets user requirements.

This structure ensures:

  • Clear traceability from requirements to testing
  • Systematic and complete verification of functionality
  • Alignment of validation activities with intended use

The diagram below illustrates how specification and testing activities are paired within the V-model, ensuring that each requirement is verified through corresponding qualification activities.

GAMP 5 V-model showing relationship between requirements, specifications, and corresponding testing activities

7. Supplier Involvement and Leverage

GAMP 5 emphasizes the use of supplier documentation and testing where appropriate.

Supplier activities may include:

  • Development testing
  • Factory acceptance testing
  • Standard documentation packages

Use of supplier documentation must be justified based on:

  • Supplier quality systems
  • Documentation quality and completeness
  • Relevance to intended use

Supplier leverage reduces duplication while maintaining control over validation.

8. Data Integrity Considerations

GAMP 5 requires that computerized systems maintain data integrity throughout their lifecycle. Key expectations include:

  • Secure user access and role management
  • Audit trail functionality
  • Protection of electronic records
  • Controlled data storage and backup

These controls support compliance with regulatory requirements for electronic records and signatures.

9. Integration with Validation Practices

GAMP 5 does not replace regulatory requirements. It provides a structured approach for implementing them. It supports:

  • Risk-based validation planning
  • Consistent documentation practices
  • Scalable testing strategies
  • Lifecycle control of computerized systems

GAMP 5 should be applied as a practical framework to ensure that computerized systems remain compliant and fit for use throughout their lifecycle.