In July the ISPE (International Society for Pharmaceutical Engineering) published the second edition of the GAMP 5 guidelines for validating IT systems in the pharmaceutical sector. GAMP 5 guidelines are now a standard used by the regulatory bodies themselves during inspections.
First published in 2008, the GAMP 5 guidelines have been revised and extended in light of developments in the IT sector.
The overall structure of the document remains unchanged and has eight macro-chapters:
In general, the main changes are greater attention to service providers, the evolution of software development (in particular the Agile methodology), the importance of critical thinking and the implementation of data integrity recommendations (data and information protection). The appendices to GAMP 5 were likewise updated and extended: they focus, among other things, on blockchain, artificial intelligence, cloud computing and open source software.
Let’s explore some innovations introduced in the second edition of the GAMP 5 guidelines.
More attention to service providers
The new GAMP 5 guidelines give greater importance to service providers, especially providers of cloud systems. Selecting suppliers through audits and stipulating clearly defined contracts form the basis of risk reduction, both during the initial validation and in the maintenance phase. It should be remembered that final responsibility for compliance always lies with the regulated company, even when one or more tasks in the cycle are delegated to an external provider. Remaining on the subject of suppliers, it should be pointed out that these are not directly subject to GxPs. This makes it necessary to refer to other standards, such as ITIL (Information Technology Infrastructure Library), a set of guidelines that provides recommendations on the provision of quality IT services and on the processes and means an organisation needs to sustain them.
Evolution of software development (Agile methodology)
Another innovation in the latest GAMP 5 version is the Agile software development method. Introduced in the early 2000s, the term Agile refers to software development models that are less structured than their predecessors. They’re more focused on the final goal and consist of smaller teams; they’re characterised by incremental development based on adaptive planning and continuous customer involvement.
Again according to the GAMP 5 guidelines, when developing software, tools can be used to support each stage of the software life cycle; such tools do not require validation, only an assessment for adequacy, and they must be used by personnel trained and qualified on GxP issues.
On the testing front there has been a shift in focus to discourage excessive production of documentary evidence. The goal of testing is to identify defects, minimise risk of error and demonstrate the system is fit for purpose. GAMP 5 guidelines also introduce the concept of unscripted tests. These differ from scripted tests in that they do not require sequential verification actions; they rely, instead, on the testers’ experience to identify system defects and explore the functionality of the software beyond the specifications and the manuals. They are therefore dynamic, non-codifiable tests. Nevertheless, these unscripted tests must still be documented: it is still necessary to indicate what was tested, by whom, when, with what goals and with what results.
Data integrity (data and information protection)
The new GAMP 5 guidelines introduce backup copy integrity tests, the BCP (Business Continuity Plan) and DR (Disaster Recovery), covering loss of IT infrastructure, the service provider, access to premises and connectivity, as well as cybersecurity attacks, up to and including loss of the software application.
The new version of the GAMP 5 guidelines promotes critical thinking, understood as a decision-making process useful for identifying the correct approach to specific circumstances. Critical thinking allows for an informed understanding and assessment of where business processes and data flows can potentially affect patient safety, product quality and data integrity. Critical thinking is thus a valuable aid when making decisions concerning the quality and compliance of IT systems.