GAMP5® 2nd edition and CSA FDA: Why they can be good for business.
Some important points that the second edition of GAMP5® and the CSA guide bring, and that make us think about how system validations will be done from now on.
The purpose of this article is to reconcile the main points of change between the first and second versions of the GAMP5 guide and consider some topics of the CSA guide issued by the FDA. This article does not replace the required reading of such guides.
What is GAMP5®, second edition?
Life Sciences companies, especially biopharmaceutical and medical device companies, are highly regulated and need to prove that their products and their manufacturing and development processes are consistent.
This is the role of validation: to generate documented evidence to prove that equipment, systems, spreadsheets, processes, and procedures work in a way that protects patient or consumer, product quality, and data integrity.
ISPE® (International Society of Pharmaceutical Engineering) developed the GAMP (Good Automated Manufacturing Practice) guide to help the Life Sciences community in developing consistent validations.
Version 5 of the guide was released in 2008 and recently, in 2022, the second edition of the publication was released, bringing insights that can be very useful to these business sectors.
Main differences between GAMP5 first and second editions
The GAMP5 Guide second edition included the following topics:
Appendix D8 - Agile Software Development
This item summarizes the principles of agile methodologies and frameworks and illustrates how they can be implemented to align with GAMP5® and GxP (impact on good practices) principles. In 2021, ISPE® released an appendix guide entitled Enabling Innovation that was basically included in the second version of GAMP5®.
The main point of this literature is the iterative and incremental approach to the software development process, a trend that has been dominating the market as a whole. The wide adoption of this method is explained by the agility and flexibility that the framework brings to business teams. Although a traditional Waterfall model offers several advantages and is useful in various scenarios, including a regulatory one, it has some disadvantages because it is not aligned with the rapid and constant changes in the current market.
Thus, to cope with these demands and achieve better results in the medium and long terms, it is necessary to seek new outlets. Adopting this appendix can help your business to perform better, while robustly maintaining compliance that is expected by regulatory agencies. The adoption of an iterative and incremental development process in relevant GxP applications is in the foundations of agile methodologies, such as Scrum. The idea is that this software creation is guided by several smaller cycles, in which functionalities are introduced, feedback is collected, and requirements reviewed, with each step being validated and formally delivered to a business (partial releases).
In this approach, the URS (User Requirement Specification) is developed incrementally (for each implementation stage), by part or by process, which leads to development, configuration, testing, and release in iterative cycles.
Tools instead of documents:
This is a critical point that can impact a business positively. The new edition of the GAMP5® Guide encourages and recommends the use of software tools to support Agile practices that can bring opportunities to improve a traditional documentation approach, which presents barriers and potentially introduces non-compliance risks (with paper, almost any change could be approved and would be harder to track). Software tools to support validation allow the team to write functional and quality requirements efficiently to initiate the agile process, managing the life cycle of each requirement independently. A set of requirements can form a release. Testing environments are an excellent example of where software tools can work and provide opportunities to improve delivery performance. Moreover, there is a higher occurrence of efficient performance testing using fewer human resources.
A tool can provide automatic traceability without the need to manually create a matrix document. Traceability can be obtained dynamically and demonstrated by the tool, which, if necessary, can generate reports at key stages (i.e., partial releases).
Note: FIVE Validation has developed a validation and management system that follows an agile framework, with validations 5x faster and that serves FDA and EMA requirements.
Click to learn more: paperless validation.
Appendix D9 - Software Tools
This item describes the recommended risk-based approach for tools that support computer system lifecycle processes, IT processes and IT infrastructure (development, support and maintenance tools). Tools that are used must go through a process of selection, assessment of the risks associated with their use, installation and configuration, and must be available in a usable form that is safe. Tools that accelerate or assist the validation process must have controls to maintain integrity, security, and availability.
In the case of GO!FIVE® software, developed by FIVE Validation, all the data integrity controls of GxP records are provided, made available, and validated by the QA team. Any approval or acceptance of documents or test results has consistent access control, traceability, and electronic signature.
The term 'ledger' is widely used in accounting. It is similar to an official and final digital input file, where each business transaction is recorded.
A distributed ledger is a combination of replicated, shared, and synchronized digital data that is geographically dispersed (distributed) across many places, countries, or institutions. Unlike a centralized database, a distributed ledger system does not require a central administrator, and consequently has no single central point of failure.
As more members of the healthcare technology industry choose to participate in the network, it can span entire supply chains, from raw materials manufacturers to pharmacies, clinics or hospitals.
The network effects of this technology may put pressure on biopharmaceutical manufacturers to participate in it, for both regulatory and commercial purposes.
Even if the regulated company chooses not to participate, it is very likely that one of its suppliers or customers does.
Blockchain can be used to track the origin of pharmaceutical products, the transportation of drugs, and the procurement of raw materials. Blockchain technology can also reduce the number of intermediaries involved in the pharmaceutical process, thereby reducing costs and improving security.
Their adoption is important for innovation. It also describes the importance of data integrity for AI/ML quality and for understanding inherent risks.
The use of AI, along with the subdiscipline of ML, presents the life sciences industry with a challenge in maintaining the overall quality and regulatory compliance of such systems, applications and/or IT solutions.
This appendix provides a basic understanding of these digital solutions and guidance on how to ensure integration and suitability for use in a relevant GxP environment.
Now, in the second edition, appendix M11 clarifies the risk-based strategy recommendation for good practices in managing internal infrastructure or external providers, especially cloud infrastructure.
Controlled IT infrastructure is a prerequisite for ensuring that relevant GxP applications are managed in this environment.
Infrastructure plays a significant role in ensuring that applications are on a stable platform with the necessary and reliable communication and interfaces.
The IT infrastructure supports the performance and availability of the applications, as well as data integrity, security and confidentiality. Many of the required processes depend on some aspects of infrastructure management, such as information security, load balancing, backup and restore, disaster recovery, etc.
Wasting time and effort on activities that do not add value can lead to insufficient or excessive work, with potential additional costs and delays, and can reduce focus on more valuable and essential quality activities.
The use of rigid tables, or of overly prescriptive templates derived from procedures that do not allow case-by-case adaptation or that prevent critical thinking, can inhibit innovation and the adoption of new technologies.
GAMP5 promotes a risk-based approach to ensure suitability for intended use.
Some practitioners do not apply sufficient thought to ensure that the approach they are about to adopt could be customized and proportional to the needs of each system.
A practical example of critical, or rational, thinking (a term we often use as well) concerns classifying a CDS (Chromatography Data System) as category 4 - configuration, as suggested by the current GAMP edition in the table in item 12.1. It is a typical example of a system whose document cycle can be optimized.
Classifying it as GAMP category 4 makes sense when there are custom calculations or an interface to a LIMS (Laboratory Information Management System), for example. But this same system is often installed using its off-the-shelf (standard) functions, in which case the life cycle approach could be different.
When we classify a system as GAMP category 4, the procedures usually require a Functional Specification. When the CDS is used in its standard function (i.e., without interfaces and without custom calculations), why would we produce a Functional Specification? To replicate or repeat statements that are already in the manufacturer's manual? Obviously, this is a waste of time because it adds no value.
It is this kind of critical thinking that the current version of GAMP5 seeks to encourage. There must be a reason to produce documents and tests that add value, that focus on product quality, patient or consumer health, and data integrity, in other words, what really matters.
On the other hand, critical thinking should not be used as a tool to disregard some deliverables in the validation life cycle simply because of a lack of design time or a cost that was not anticipated.
Critical thinking should also be used to plan the effort applied to testing.
Finally, the new version of the GAMP5 Guide encourages the freedom of rational use; however, we must use these guidelines responsibly and with commitment to quality. Decisions should be made in multidisciplinary teams and recorded in documents that explain such strategies, such as the Validation Plan.
Existing system documents should be used to determine the extent of details, where applicable.
There are mentions of it in the Review by Exception (RBE), adoption of Cloud Technology, Blockchain, making data available in real time, and further clarity regarding data in the Audit Trail and its review.
What is CSA FDA?
CSA stands for Computer Software Assurance, and it is an FDA guide for quality assurance of software used throughout the manufacturing process, and quality assurance of medical products.
In summary, some important points about CSA, a draft version of which was released in Sept/2022:
- Does not consider patient or consumer risk, nor data integrity - only process risk;
- Does not consider probability of occurrence and detectability in risk composition;
- Does not encourage mitigating actions that are not related to the scope of testing (such as guidance on procedures or new developments) to mitigate risks;
- The risk determination is reported directly in the requirement.
CSA and GAMP5® testing
Although the guidelines in the GAMP5 and CSA Guides are different, there is an interesting synergy between both texts regarding the scope of testing, as well as the types of suggested, recommended, guided or unguided tests.
Testing should not be limited to a detailed, prescriptive protocol including a step-by-step process. The use of exploratory testing and other unguided techniques is encouraged to extend test coverage and improve defect detection.
Non-scripted tests should be documented and can later be leveraged as part of the overall verification step. The use of automated testing has benefits for check coverage, repeatability, and execution speed.
Some testing approaches that can be used:
Unscripted Testing - usually produced by project teams.
This does not imply a “no test documentation” approach.
Again, non-scripted tests should be documented and later can be leveraged as part of the overall verification step.
The second edition of GAMP5 encourages testing that is not limited to a detailed, prescriptive step-by-step protocol. Therefore, it is feasible to explain the testing strategy that a project team is applying, and it can be justified in the Validation Plan or Test Protocol.
Tests that are foreseen by a project team no longer need to be ignored for lack of robustness in their evidence.
However, it is still necessary to capture some data that shows that the test was and will be executed (e.g., who executed it, date, problems faced in the test execution and whether it passed or failed).
However, the test script does not need to be detailed, especially tests related to transactions or functionality that are not critical and have low risk.
This is not to say that the project team should be accepting inconsistencies in documentation, but, if teamwork is present, can guidance in the use of documentation best practices be sufficient to make good use of such tests?
Why not then leave the need to repeat critical testing to the formal qualification phases of installation, operation, and performance so that quality is assured?
Unscripted testing can be ad-hoc, error-guessing, and exploratory.
- Ad-hoc means that the tests or scenarios are always and completely extemporaneous.
- Error-guessing is a test design technique in which test cases are derived and based on the performer's knowledge of past failures or general failure modes.
- Exploratory testing is one based on the experience of an executor who defines scenarios spontaneously according to their existing relevant knowledge.
Unguided testing reduces script writing time, drafting errors, and speeds up reporting, with the bonus of providing system operation training to users.
Successfully integrating unguided testing into your validation strategy means more critical thinking and less documentation, ultimately saving time, effort, and cost.
Scripted Testing
Testing in which the executor's actions are prescribed by written instructions in a test case.
Consistent guided testing: scripted testing efforts in which the risks of the management system or automation require evidence of repeatability, traceability to requirements, and consistent proof of test execution.
Limited scripted testing: hybrid approach of scripted and non-scripted testing that is appropriately scaled according to the risk that the system implementation brings.
This approach can apply scripted testing for high-risk features or operations and script-less testing for low- and medium-risk items as part of the same assurance effort.
Software tool that serves both areas: Projects and Quality
Imagine that there is a vendor that can provide consistent software for producing validation documents, but with the agility that is needed in the areas of IT, Engineering or Supply.
Imagine also that this same tool can manage requirements, risks and tests in an integrated way, for both GxP (quality impact) and non-GxP relevant functionalities.
Conclusion - Paradigm Shift
GAMP5 first edition broke new ground in 2008 by bringing the rationality of focusing validation activities on what really matters, using quality risk management as a way of dedicating focused efforts.
During that year of 2008, it took the pharmaceutical and medical devices community a while to absorb all the benefits that this guide was bringing.
Everything leads one to conclude that the second edition continues the approach of basing decisions on risk, but seeks openness to innovation and agility, taking away some rigid aspects such as very prescriptive templates or grand procedures.
Those who adopt these new ways of doing things will save more time and gain agility in the methods of complying. Our ultimate goal is to prevent validation from being the "heavy anchor" of a business that hinders innovation.
This is already a reality for the FIVE Validation team: investing more time in coherence between teams and encouraging them to adopt best practices, rather than simply producing validation documents.
CLICK HERE to schedule a meeting and find out how the FIVE Validation team can produce documents 5x faster than with the paper-based process they used in 2018.
GAMP5® has reserved intellectual rights registered with the ISPE and is available for purchase at https://ispe.org/
About the Author
SILVIA MARTINS is an electrical engineer with 20 years of experience in Systems Validation. She was trained in England in GAMP5 and FDA 21 CFR Part 11, in SAP validation in Germany, and in Data Integrity and Data Governance in Denmark. She coordinated the group that elaborated the 1st Guide for Computerized Systems Validation together with ANVISA, as well as the Data Integrity Manual and the Cloud Qualification of Suppliers Manual, both at Sindusfarma. She also provided training courses for VISA and ANVISA inspectors in Brazil. She is the CEO and co-founder of FIVE Validation.