The GAMP5 second edition improved upon the original edition from 2008 and was released in July 2022.
The updated guide keeps the same structure but updates its content to highlight the growing area of cloud services. It also addresses the increasing use of testing automation software to maintain compliant systems.
Why revise ISPE GAMP5?
The timing of the new release is important as it coincides with the release of new FDA guidance “Computer Software Assurance for Production and Quality System Software”.
This document provides additional guidance on validating computer systems. It explains how the industry should ensure quality in cloud services, new AI and infrastructure technologies, and automated system tests.
An important highlight is the guidance's acknowledgment of automated testing – “Using automated testing brings benefits to test coverage, repeatability, and speed.” (Appendix D5 – Testing of Computerized Systems, section 25.1.1)
New technologies have been added as new Appendices. These technologies include Artificial Intelligence and Machine Learning (AI/ML), blockchain, cloud computing, and Open-Source Software (OSS).
Key GAMP5 Updates – Summary:
- Modernization and Automation: The update highlights the integration of IT and cloud services and the increased use of automation, aiming to enhance control and quality and to reduce risks.
- Alignment with FDA Guidance: The release coincides with new FDA guidelines on computer software assurance, which helps the industry adapt to cloud services and automated testing.
- Acknowledgment of Automated Testing: The updated guidelines recognize the benefits of automated testing such as improved test coverage, repeatability, and speed.
- Inclusion of New Technologies: Technologies like AI/ML, blockchain, cloud computing, and open-source software are now considered, expanding the scope and applicability of the guidelines.
Modern Approach to GAMP5 Computer System Validation
Modern methods use data and documents generated by automated tools instead of traditional, detailed manual documentation for specifications and testing.
This approach leverages the capabilities of software tools to maintain records and information in a compliant way, and streamlines processes.
Automated Testing and the GAMP5 Test Management Process
Testing should focus on the system’s intended use, with a clear link between test cases and requirements to ensure thorough coverage. High-risk requirements with regulatory significance or direct product impact must be scripted for testing. Automate and reuse these high-risk scripted tests throughout the system’s life cycle.
Agile development, common in both on-premise and SaaS software, allows automated test cases to be created alongside code development or executed after a new version is made ready. The scope and burden of this additional testing depend on the automated tests’ thoroughness.
Scripted testing (manual or automated) focuses on the software’s intended use as defined by internal workflows, adjusting for risk levels of each requirement.
Even with detailed test coverage, there may still be a need for separate unscripted or scripted tests to assess end-to-end workflows and specific system use cases.
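The requirement-to-test link described in this section can be checked mechanically on every test run. The following is an added example, not taken from the GAMP 5 guide or any vendor tool: the class names, the three-level risk scale, and the rule that every requirement needs at least one linked test are assumptions, and the sample data is constructed.

```python
# Added example: names, risk scale and sample data are hypothetical.
from dataclasses import dataclass

@dataclass(frozen=True)
class Requirement:
    req_id: str
    risk: str  # assumed scale: "high", "medium" or "low"

@dataclass(frozen=True)
class ExecutedTest:
    test_id: str
    covers: tuple   # requirement ids this test traces to
    scripted: bool  # False for unscripted (exploratory) testing
    passed: bool

def traceability_gaps(requirements, results):
    """Return requirements lacking adequate evidence, plus broken links."""
    known = {r.req_id for r in requirements}
    evidence = {rid: [] for rid in known}
    orphans, dangling = [], []
    for res in results:
        if not res.covers:
            orphans.append(res.test_id)  # test traces to no requirement
        for rid in res.covers:
            if rid in known:
                evidence[rid].append(res)
            else:
                dangling.append((res.test_id, rid))  # link to unknown id
    gaps = {}
    for req in requirements:
        linked = evidence[req.req_id]
        if not linked:  # assumption: every requirement needs a linked test
            gaps[req.req_id] = "no linked test"
        elif any(not t.passed for t in linked):
            gaps[req.req_id] = "linked test failed"
        elif req.risk == "high" and not any(t.scripted for t in linked):
            gaps[req.req_id] = "high risk without scripted test"
    return {"gaps": gaps, "orphan_tests": sorted(orphans),
            "dangling_links": sorted(dangling)}

# Constructed sample data, not taken from any real system.
SAMPLE_REQUIREMENTS = [Requirement("URS-001", "high"), Requirement("URS-002", "high"),
                       Requirement("URS-003", "low"), Requirement("URS-004", "medium")]
SAMPLE_RESULTS = [ExecutedTest("TC-01", ("URS-001",), True, True),
                  ExecutedTest("TC-02", ("URS-002",), False, True),
                  ExecutedTest("TC-03", ("URS-003",), False, True),
                  ExecutedTest("TC-04", (), True, True),
                  ExecutedTest("TC-05", ("URS-009",), True, True)]

if __name__ == "__main__":
    print(traceability_gaps(SAMPLE_REQUIREMENTS, SAMPLE_RESULTS))
```

Run as a pipeline step, a non-empty result can fail the build, so a high-risk requirement cannot ship with only unscripted evidence.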
Modernizing Software Testing using Critical Thinking – ISPE GAMP5 Updates
Critical thinking is a crucial component in the context of the updated ISPE GAMP®5 guidelines for several reasons explored below. It is necessary to note that Quality support roles, Compliance Specialists, and IT Admin should aim to eliminate unnecessary testing burden.
Summarized straight from the ISPE GAMP 5 guide:
Critical thinking fosters informed decision-making on applying and scaling quality and compliance for computerized systems. Success hinges on understanding business processes and analyzing their impact on patient safety, product quality, and data integrity.
Improved risk understanding leads to better risk control and robust scaling of controls and validation activities.
Practical Advice from Industry Experts:
Knowing how the business works and how the system functions is important for making the right decisions when testing software.
WHO is using the application and HOW the application is being used are core considerations in risk assessment for functional requirements.
IT Quality and testing departments cannot truly assess product impact or risk without having a clear understanding of the process. Visual business process maps are important for project teams. They help align everyone at the start of a project, and make a significant impact.
Coordination with stakeholders and SMEs is required – but so is the individual compliance specialist’s or IT QA resource’s personal knowledge of the system and use cases.
SME resources help paint the full picture, but they cannot make the final call on risk level, as they often have roles which introduce a conflict of interest. For example: “This is a low risk because if we assign it a high risk it’s going to increase my workload.”
The FDA guidance promotes the idea of minimum viable coverage (MVC) and emphasizes the importance of getting it right.
Several areas are impacted by misunderstanding MVC, including the following:
- Testers take additional time to write and test in development
- Reviewers take additional time to review scope and steps
- Increased steps increase the chance of test script errors or defects during testing
- During execution, the testing timelines increase.
- Reviewers experience increased testing timelines post-execution.
- Periodic reviewers spend additional time reviewing the additional scope of testing
- Additional testing increases the burden of SDLC impact and increases review times
- During an audit, unnecessary steps obscure important details.
- Business users spend time doing unnecessary UAT testing
- Increased system downtime affects users and production schedules.
Extra work places undue pressure on team members across the whole organization and increases project timelines.
The root cause of this can often be traced to a one-size-fits-all interpretation of compliant software testing strategy.
The solution is the project team’s commitment to critical thinking and to developing a non-superficial understanding of an application and the work being done.
Leveraging Critical Thinking in Implementing GAMP5 Updates
Adapting to Modern Regulations, Technologies, and Testing Strategies
Understanding and Implementing Regulations: The update aligns with new FDA guidance, which emphasizes modern approaches like automated testing and cloud services.
Critical thinking helps stakeholders understand these changes, evaluate their implications, and implement them effectively to meet regulatory requirements.
Adapting to Technological Advancements: With the integration of emerging technologies, critical thinking allows us to assess how these technologies can be utilized within the accepted framework of computerized system validation.
This involves analyzing the risks, benefits, and potential impacts on quality and compliance.
Optimizing Test Management: The revised guidelines highlight the importance of linking test cases to requirements for thorough coverage, particularly for high-risk functionalities.
Critical thinking aids in discerning which aspects of the system require more rigorous testing and how automated tools can be leveraged to enhance test accuracy, repeatability, and efficiency.
Evolving Validation Strategies: Modern validation approaches now rely more on data and artifacts generated by automated tools rather than extensive manual documentation.
Critical thinking is necessary to evaluate the adequacy of these automated outputs in proving system validation and ensuring they meet all necessary specifications and regulatory standards.
Risk Management: The update to GAMP®5 emphasizes risk-based approaches to testing and validation, particularly for software directly affecting product quality or regulatory compliance.
Critical thinking is key in identifying potential risks, determining their severity, and deciding on the appropriate level of scripted testing and automation.
Agility in Development and Testing: While Agile development emphasizes flexibility, collaboration, and rapid iteration, it can conflict with the rigorous documentation and compliance requirements of bodies like the FDA.
Incorporating critical thinking into Agile practices enables teams to navigate complex requirements and make informed decisions.
Enhancing Agility with Automated Testing
Automated testing can improve development processes by increasing efficiency, consistency, and speed. Here’s how automated testing can be leveraged to support Agile methodologies:
- Integration: Automated tests can be integrated into CI/CD pipelines, allowing for immediate feedback on code changes. This ensures that new code is quickly verified for integration issues, bugs, and compliance with requirements.
- Deployment: Automated deployment processes can rapidly move tested code to production, reducing the time between development and release.
- Rapid Feedback: Automated tests can be run frequently, even on each commit, providing rapid feedback to developers. This helps in identifying and fixing issues early, reducing the cost and time associated with bug fixing.
- Regression Testing: Automated regression tests ensure that new changes do not break existing functionality, maintaining the stability of the product through continuous development cycles.
- Scalability: Automated tests can cover a large number of test cases, including those that are time-consuming or complex.
- Consistency: Automated tests are consistent in their execution, reducing the risk of human error and ensuring reliable results across multiple test runs.
- Automatic Documentation: Automated tests can generate logs and reports that document the testing process, providing a clear audit trail for compliance purposes.
- Traceability: Automated tests should be linked to specific requirements, ensuring traceability from application function to test cases and test results.
Best Practices for Implementing Automated Testing
- Start with High-Value Tests: Prioritize automating tests that provide the most value, such as critical functionality, high-risk areas, and repetitive tasks.
- Maintain Test Suites: Regularly update and maintain automated test suites to ensure they remain relevant and effective as the application evolves.
- Train the Team: Ensure that the team is well-trained in writing and maintaining automated tests. This includes understanding the tools, frameworks, and best practices for automated testing.
Commitment to automated tests means ensuring compliance with regulatory requirements, all while supporting the flexibility and responsiveness that Agile methodologies promote.
GAMP®5 Categories
The process of assessing system components applies the GAMP software categories and hardware categories as input to establishing the required activities, based on how the system is constructed or configured.
This should take into account architecture, complexity, and novelty, including maturity and level of configuration or customization. Categorization should, however, be regarded as only part of the process of defining the required life cycle strategy based on critical thinking.
The updated appendix in GAMP 5 emphasizes several key changes to categorization:
- Component Integration: Computerized systems are typically composed of various components that span different categories, which should be considered as a continuous spectrum rather than discrete groups.
- Risk-Based Scaling: The categorization of software is one aspect of a broader risk-based approach where the scale of life cycle activities is determined by the system’s overall impact on good practices (GxP), its complexity, and its novelty. This scaling is influenced by how critical the business process supported by the system is.
- Utility of Software Categories: Despite a broader focus, software categories remain useful. They help determine the necessary rigor in supplier assessments and aid in evaluating the likelihood of failures or defects in the system.
The ISPE GAMP®5 guide categorizes software into different types, each with specific considerations for validation based on their role and impact. Each category requires a different level of scrutiny and validation based on the potential risk to GxP processes.
Managing the lifecycle of these software components involves continuous monitoring and updating processes to handle new versions and patches, ensuring they do not introduce new risks.
Category 1 includes basic software like operating systems, middleware, and tools for network monitoring and security in IT services. While generally reliable and indirectly tested through application testing, critical tools like those for password management should undergo specific risk assessments to decide if additional controls are needed.
(There is no Category 2.)
Category 3 – Standard
These are off-the-shelf components that may require minimal configuration. Their validation depends on the extent of their configuration and their impact on GxP processes. Supplier assessments and user requirements should focus on ensuring these components perform as intended within the regulated environment.
Category 4 – Configured
This category involves software that can be heavily customized to fit specific business processes. The validation process is more rigorous here due to the potential risks introduced by custom configurations. Supplier assessments and thorough testing of the configured application are critical to ensure functionality and compliance.
Category 5 – Custom
These are tailor-made solutions designed to meet specific needs of a regulated company. They carry a high risk due to the lack of prior user experience and potential for undetected errors. Rigorous functional risk assessments and validation are crucial here.