GAMP’s Biggest Problem is the Name

GAMP5 is pretty clear in its ambition:

This Guide applies to computerized systems used in regulated activities covered by:

•Good Manufacturing Practice (GMP) (pharmaceutical, including Active Pharmaceutical Ingredient (API), veterinary, and blood)

•Good Clinical Practice (GCP)

•Good Laboratory Practice (GLP)•Good Distribution Practice (GDP)

•Good Pharmacovigilance Practices (GVP)

•Medical Device Regulations (where applicable and appropriate, e.g., for systems used as part of production or the quality system, and for some examples of Software as a Medical Device (SaMD1))

GAMP 5: A Risk-Based Approach to Compliant GxP Computerized Systems (2nd edition),

The biggest problem with GAMP is when you search GAMP you get:

That’s right, the ISPE telling you that GAMP is all about manufacturing. A point that Wikipedia is more than happy to reinforce:

This means that I spend a lot of time explaining why GAMP is relevant outside of manufacturing, to a lot of skeptical people who already struggle with the idea that GCP or GLP isn’t some special and unique flower.

To add to that, it is structured like a GxP. I see a G-some letters-P I instantly think Good <something> Practices. It is how my brain and the brain of every single person who works in the GxPs have been trained.

Second, what is that 5? What does it mean? It’s such a bit of esoteric lore that I have to spend more time explaining. For absolutely no value.

And then last, I inevitably have to deal with skepticism about something published by the International Society of Pharmaceutical Engineering being even remotely relevant to the work a study investigator is doing.

Without a doubt, GAMP is a powerful methodology and toolbox. It just shoots itself in the foot every time. It is unfortunate that with the 2nd edition the ISPE did not take a big breath and successfully rebrand as maybe GDIP or something.

Computer system changes and the GAMP5 framework

Appropriate controls shall be exercised over computer or related systems to assure that changes in master production and control records or other records are instituted only by authorized personnel. Input to and output from the computer or related system of formulas or other records or data shall be checked for accuracy. The degree and frequency of input/output verification shall be based on the complexity and reliability of the computer or related system. A backup file of data entered into the computer or related system shall be maintained except where certain data, such as calculations performed in connection with laboratory analysis, are eliminated by computerization or other automated processes. In such instances a written record of the program shall be maintained along with appropriate validation data. Hard copy or alternative systems, such as duplicates, tapes, or microfilm, designed to assure that backup data are exact and complete and that it is secure from alteration, inadvertent erasures, or loss shall be maintained.

21 CFR 211.68(b)

Kris Kelly over at Advantu got me thinking about GAMP5 today.  As a result I went to the FDA’s Inspection Observations page and was quickly reminded me that in 2017 one of the top ten highest citations was against 211.68(b), with the largest frequency being “Appropriate controls are not exercised over computers or related systems to assure that changes in master production and control records or other records are instituted only by authorized personnel. ”

Similar requirements are found throughout the regulations of all major markets (for example EU 5.25) and data integrity is a big piece of this pie.

So yes, GAMP5 is probably one of your best tools for computer system validation. But this is also an argument for having one change management system/one change control process.

When building your change management system remember that your change is both a change to a validated change and a change to a process, and needs to go through the same appropriate rigor on both ends. Companies continue to get in a lot of trouble on this. Especially when you add in the impact of master data.

Make sure your IT organization is fully aligned. There’s a tendency at many companies (including mine) to build walls between an ITIL orientated change process and process changes. This needs to be driven by a risk based approach, and find the opportunities to tear down walls. I’m spending a lot of my time finding ways to do this, and to be honest, worry that there aren’t enough folks on the IT side of the fence willing to help tear down the fence.

So yes, GAMP5 is a great tool. Maybe one of the best frameworks we have available.