Skip links

GAMP 5 2nd Edition: What You Need to Know


ISPE’s GAMP is the leading organisation globally providing guidance to use software in the GxP regulated industries. Its guidance aims to safeguard patient safety, product quality and data integrity in the use of GxP computerised systems. The goal is achieving computerized systems that are fit for intended use and meet current regulatory requirements, by building upon existing industry good practice in an efficient and effective manner. GAMP’s objectives have progressed from a focus on compliance to include encouragement and support for innovation and technical progress that benefits both the patient and the public.

GAMP objectives now include the integrity and accuracy of records and data throughout the product life cycle and significant GAMP® guidance on the topic has been published.

GAMP publications include practical guidance and ‘how to’ appendices to help companies with their computer validation procedures. These cover management, development and operation. There are a range of more detailed publications underneath the main GAMP publications covering important topics, and these have been updated since GAMP 5 (often referred to as the seminal publication) was published.

A brief History of GAMP Main Documents
  • 1991 – working party formed in UK – led by Dr Tony Margetts, to devise a draft set of guidelines for computer validation to take account of EU and US regulatory requirements and to make use of existing internationally recognised standards such as ISO
  • 1994 – London: First international conference, first draft launched as a supplier guide
  • Anthony J. Trill of the UK Medicines Control Agency suggested the name GAMP (Good Automated Manufacturing Practice) and this is the name now recognised across the globe.
  • 1995 – launch of GAMP 1 in Amsterdam, incorporating the European Interpretation of the EC (European Commission) GMP Annex 11 and comments from many companies
  • 1996 – GAMP 2 – Basle -Revision and new content, incorporating further comments from Europe and the USA. GAMP group joined with ISPE. GAMP is now a unique partnership between computer users, suppliers, and regulators serving the pharmaceutical industry.
  • 1998 – GAMP 3 – Baltimore – Revision and new content. Separation into User and Supplier Guides and detail on application to process control systems and addition of Volume Two – case studies
  • 2001 – GAMP 4 – Major revision and new content in line with regulatory and technological developments. Broadened scope to include regulated healthcare industries, GCP, GLP, GMP, GDP. Greater coverage of user responsibilities and detail on operational activities. GAMP became a technical subcommittee of ISPE and continues to be supported by, and benefit from the resources offered by ISPE.
  • 2008 – GAMP 5 – incorporation of the ICH guidance on science and risk based approaches throughout the life cycle supported by the pharmaceutical quality system. The whole document including the Management, Development and Operational appendices are rewritten to reflect the risk based approach.
  • 2017 – GAMP Records and Data Integrity Guide – provides principles and practical guidance on meeting current expectations for the management of GxP regulated records and data, ensuring that they are complete, consistent, accurate, secure and available throughout their life cycle.
  • 2022 – GAMP 5 2nd edition – more details below


GAMP 5 second edition

  • The body of GAMP 5 second edition is mainly the same as the first edition with the following emphasis:-
    • Referencing the new and changed appendices
    • Consistency with GAMP 5 and Records and Data Integrity Guides
    • The importance of IT service providers/suppliers including cloud services
    • Support of current software industry practices and development approaches, agile and iterative SDLC, and use of tools and automation
    • Use of emerging technologies, AI, blockchain
    • Consistent with the latest ISPE initiatives, Knowledge Management, Pharma 4.0
New Appendices
    • Appendix D8 Agile,
    • Appendix D9 Software tools
    • Appendix D10 AI and ML
    • Appendix D11 Distributed ledger systems
    • Appendix M11 IT infrastructure
    • Appendix M12 Critical thinking
Appendices with a change in focus
    • Appendix D1 specifying requirements
    • Appendix D5 testing and use of critical thinking
    • Appendix S2 Electronic Production Records
Sections removed
    • Appendix D2 Functional Specifications (combined with Requirements)
    • Appendix O7 Repair activity (combined with Operational Change Control)
    • Appendix S5 Managing Quality with Outsourced IS/IT Environments (now part of IT Infrastructure)


More details on the new and changed appendices

New Appendices

Appendix D8 – Agile

Emphasis is on the method and benefits of Agile being utilized in a GxP compliant way, rather than trying to bend or map agile practices onto a traditional V-Model framework. For example, assuring there are clear requirements, which are fulfilled in an identifiable way, rather than attempting to equate directly agile artifacts such as Epics/User Stories and release reports to URS and Validation Reporting.

Project stakeholders and certain resources involvement is slightly different, e.g., quality have traditionally been involved only at the start/end phases, which isn’t effective for iterative methods. This require adapting to meet the iterative cadence of continuous discovery/build/test. Similarly, tools used throughout development generate data which can be used continuously to track artifacts (e.g. requirements, designs, testing) replacing traditional documentation and manual traceability activities, freeing resources to focus on value-added work.

It is highlighted that software development activities and management (e.g requirement/backlog approvals, testing approvals etc.) should be under control, but are not GxP data themselves, and not subject to electronic signature/record regulations (CFR Part 11 / Annex 11).

Guidance is provided on how DevOps models can be utilized to handle quality and compliance, providing a more Agile approach to quality, and practical advice offered on interfacing effectively between the regulated companies and Agile based suppliers.

  • • Key agile tools/ capabilities:
    • Backlog management and grooming (features that will be added in the next releases)
      • Real-time status of requirements and traceability
      • Includes audit trails for changes
  • Test management
    • Evidence of test status
    • Typically using automated regression testing (more efficient and thorough)
  • Code repository
    • Reduces the risk of error due to configuration and parallel development by several teams/people

Appendix D9 – Software Tools

Encourages the used of SDLC and DevOP’s software tools, especially regarding automated traceability throughout development and testing compared to manually managed traceability. Advises tools used to support the software development process do not require validation, but emphasizes the importance of selecting the right tools based on assessment of the relevant lifecycle components and processes these may be relied on to automate. A risk assessment framework is provided to help understand the relevant areas to focus on.

Appendix D10 – Distributed Ledger Systems (Blockchain)

The objective of this appendix is guidance on what to consider when distributed ledger (or blockchain) technology is involved in part of a system touching GxP processes. It touches only briefly on the technology itself and its potential use cases. The scope focuses on large-scale public blockchains and helps understand the unique considerations involved such as their role in a system, governance, open-source nature, distributed controls, and the impact that the maturity of related vendors and communities can have.

Appendix D11 – AI and ML

Another entirely new area of GAMP guidance, this provides a description of AI/ML in the context of a GxP system and provides a detailed lifecycle definition that can be used as a framework to validate such systems. Machine Learning (ML) is treated as a subsystem within a GAMP based lifecycle, managed under agile iterations to train, define, and validate a predictive model, which is then continuously monitored and evaluated as an input to changes managed under change control.

Highlighted are detailed considerations to data integrity of the data sets used for model training and testing. Additional to ALCOA+ type DI considerations, the quality of data cleansing, classifications, and labelling is critical to the quality of the resultant models (emphasizing quality of output = quality of input).

Appendix M11 – IT Infrastructure

This replaces the original Appendix S5 with a considerable update to cover XaaS suppliers of infrastructure. The focus is on qualification, validation, and quality management and clarifying the shifting responsibilities between suppliers and regulated companies depending on IaaS, PaaS, and SaaS service models.

Appendix M12 – Critical Thinking

Critical thinking is a key theme throughout the new material, it is widely encouraged in comparison to overly prescriptive, templatized lists and compliance-based validation. The latter having emerged as a common cause of poor system/validation quality and impedes a regulated company’s general ability to adopt digital technologies. This appendix aims to clarify the intention of risk-based approaches to require critical thinking in their application over following check lists and box-ticking type activities.


Appendices with Change in Focus

Appendix D1 – Specifying Requirements

The previous version contained appendices for user requirements specification and functional specifications, these are now combined into this Appendix called specifying requirements

Requirements may be independent of a specific solution or based on one in highly specific cases, or a pre-selected vendor. Agile practices are included such as allowing requirements to evolve over

time rather than expecting them to be fully defined up front, and the terminology and hierarchy (Epic > User Story).

Requirements can be captured as a document or managed as artifacts in a digital system (tool).

Appendix D5 – Testing of Computerized Systems

Now incorporates the use of critical thinking to decide when formal testing is required based on risk, and emphasizes testing by any means in any part of the life cycle to find errors. Unscripted testing or informal testing is encouraged to increase test coverage and efficiency, and to improve testing generally, provided it is documented.

Appendix S2 Electronic Production Records (EPR Systems)

EPR systems can include document management, supply chain management, MES, EBR, ERP, process control systems, data historian, and LIMS. The update emphasizes the impact of newer technology (since the 1st edition) that these systems benefit from leveraging, such as cloud-based technology, and the ability to easily generate real time reports for review by exception. These systems typically have built in audit trail functions and the capability to review audit trails, and may incorporate blockchain and cloud technology to increase security.


Dr. Anthony Margetts

GAMP co-founder

David Margetts

GAMP5 2nd Edition contributor

David Holt

GAMP5 2nd Edition contributor

Factorytalk are a leading solution provider and consultancy for the GxP industries, specializing in GxP software and Computer System Validation

Leave a comment