Key Concepts of GAMP 5

GAMP guidelines aim to achieve fitness of the IT System for the intended use. The various types of documents are prepared when a system is validated as per GAMP recommendations to meet the compliance requirements.

Five key concepts are there in these guidelines which are as follows:

1. Product and Process Understanding

2. Life Cycle Approach within a QMS

3. Scaleable Life Cycle Activities

4. Science-Based Quality Risk Management

5. Leveraging Supplier Involvement

The important aspect in an IT validation process is understanding the Products and Processes. When an IT asset or IT system is deployed to automate a business process, you need to know the complete details of the process. This is to ensure fitness for expected use for critical GxP applications that may impact patient safety, product quality and data integrity.

While evaluating an IT system, the stakeholders need to capture the complete business requirements so that he/she may verify the same from the checklist while implementing the system. The extent and details of the requirement specifications remain linked with the risk involved, process complexity and importance of data in the value chain. The proper documentation of user requirement specification (URS) help in establishing a proper scope of work for the project. This URS becomes a base document for identification of the functionality, user verification and acceptance of the process. The incomplete process understanding hinders compliances and business benefits. Proper documents are prepared using standard templates of the organization and test scripts and screenshots are taken while doing acceptance testing of the process.

Adopting a complete computerized system life cycle by covering all activities systematically is essential from the compliance point of view. All activities involved from System conception to retirement needs to be well documented. Multiple parameters are crucial when an IT system is reviewed and gaps are identified e.g. Audit trail of the system changes, data backup of IT system, Unique login procedure with password protection, risk of changes at the database level, roles and authorizations as per the level. In addition to the above issues, data needs to be protected till the retirement of the IT system. Any deviation in the process or introduction of the new process triggers a change control as per QMS guidelines.

The decision of how much documentation needs to be done depends on the system category, GxP risks process severity and anticipated risks. Any small change in the system triggers a requirement of re-validation as per the organization’s procedure and thus need the proper documentation. The periodic review and evaluation play an important role and ensure that there is no deviation in the process from maintaining compliance.

Quality risk management is a systematic process for assessment, control, communication and review of risks. Risk should be anticipated wrt potential impact on patient safety. Controls are introduced in the system to reduce risks to an acceptable level. These controls are documented properly with justification from IT, Owner and QA team members.

Supplier plays a very important role in the implementation of any new IT system. The supplier may assist with requirements, risk assessment as per his/her experience, creation of functional/technical specifications, system configurations as per the process requirement, testing, support and maintenance. The supplier should also be assessed for suitability, accuracy and completeness. The supplier helps in arranging various documents that are required for IT system validation.