ISPE │ GAMP5 – A Risk-based Approach to Compliant GxP Computerized Systems, Second Edition: Presentation of the Major Changes

September 1, 2022 9:58 am || Eric Collier and Laurent Saugrin


The scope of this article includes the major technical content changes that have been made in the newly released Second Edition of the ISPE│GAMP5 A Risk-Based Approach to Compliant GxP Computerized Systems guide. This article lists these changes and points to the applicable sections and/or appendices that have been newly created or revised (relative to the First Edition of the guide) to address the modifications.

Finally, this article is to be used as an introduction to a series of subsequent articles that will go into the details of the nature of each listed topic (i.e., change), and how they can be applied in CSV and/or CSA programs and activities.


The primary purpose of the changes available in the second edition of the guide is to address the specific goal to: “protect patient safety, product quality, and data integrity by facilitating and encouraging the achievement of computerized systems that are effective, reliable and of high quality” (1).

Nowadays, health industries have access to various tools, programs (i.e., approaches to software development and validation), IT services, etc. that can help them to reach that goal with continuous high efficiency, with the unique goal to provide their patients with high quality products that are safer than ever.

GAMP5 second edition includes updates to its technical content, emphasizing (but not limited to) the following topics:

  • *New* Computer Software Assurance (CSA). A new patient-centric, streamlined risk-based approach designed for the development, validation, and compliance of non-product software. (2)

The use of CSA for non-product software implies a paradigm shift in focus: CSV, as it stands today, is a documentation-heavy exercise. Documentation is done at the expense of critical thinking and testing. CSA brings about a paradigm shift in this approach by encouraging critical thinking over documentation. By leveraging the tenets of CSA, companies can execute more testing with less documentation while focusing on critical aspects affecting patient safety, product quality and data integrity.

  • *New* Use of Agile software development and other non-linear lifecycle models for software development and software validation. (3)

Agile methodology is best described as an approach to software development that seeks the continuous delivery of working software created in rapid iterations. As widely adopted by many industries, including health industries, it is suited to the development of GxP systems in place of typical models such as the Waterfall development model or the V-model.  This fundamental change in the development process directs attention away from the delivery of immutable specification documents and towards records produced by tools designed to support requirements and test management in an iterative development lifecycle model.

  • *New* and *Modification* Increasing use of cloud technologies such as Software-as-a-Service (SaaS). (4)

Companies in the pharmaceutical, biotechnology, or medical devices industries have traditionally hosted in-house developed, configured, and commercial off-the-shelf GxP applications on-premises. Hosting these applications on-premises grants total responsibility and control over the security and integrity of the created GxP data to the regulated company. Additionally, internal or outsourced IT SMEs are responsible for the maintenance and administration of the applications and their infrastructure. In this era that is hyper-focused on overall operating expenses, on-premises environments have become less viable as the costs associated with infrastructure maintenance, data retention, and personnel eclipse the costs of Software-as-a-Service, Infrastructure-as-a-Service or Platform-as-a-Service delivery models.

  • *New* Use of Artificial Intelligence (AI) and Machine Learning (ML) (5)

The guide acknowledges that: “Artificial Intelligence (AI) and Machine Learning (ML) are transforming the way in which the life sciences industry is doing business and processing data” and that “The use of such AI, along with the subdiscipline of ML, presents the life sciences industry with a challenge in maintaining the overall quality and regulatory compliance of such IT systems, applications, and/or solutions”. Accordingly, it is necessary to properly assess the importance of data integrity and risk management associated with the use of these tools in business operations.

  • *New* Concept of Critical Thinking (6)

Critical thinking is a key activity throughout the system life cycle.  However, what really defines “Critical Thinking”?

The guide stipulates that “Critical thinking promotes decision-making and good judgement on where and how to apply and scale quality and compliance activities for computerized systems”. Additionally, it reads “Regulatory authorities are adopting critical thinking to help determine whether controls are fit for intended use to ensure patient safety, product quality, and data integrity”. In other words, can critical thinking be simply viewed as the idea of questioning or brainstorming further each aspect of the activity in a system life cycle?

In coming weeks, we will publish detailed articles on each of the topics highlighted above. While each topic taken individually is significant, together they reveal a sea change in how automated systems will be developed, tested, and operated in the near future. Stay tuned!


(1)  ISPE│GAMP5, Second Edition – Section 1.1 Rationale for GAMP5 Second Edition

(2)  Reference to testing using CSA can be found in section 25.5 of this guide, and the CSA-specific Appendix is: ISPE GAMP RDI Good Practice Guide: Data Integrity by Design, First Edition, October 2020

(3) Appendix D8 – Agile Software Development

(4)  Use of cloud-based services is taken into account throughout the entire guide. However, specifics on this topic are available in the applicable appendices, including (but not limited to): Appendix M1 – Validation Planning, Appendix M11 – IT Infrastructure, Appendix D3 – Configuration and Design and Appendix O6 – Operational Change and Configuration Management

(5)  Appendix D11 – Artificial Intelligence and Machine Learning (AI/ML)

(6)  Appendix M12 – Critical Thinking

About the Author:

Eric S. Collier, Assistant Director, Automation and IT
Eric has more than 30 years of experience as a project manager and software engineer providing best-in-class services and products to regulated industry in the areas of automation, manufacturing intelligence, computerized system validation, electronic records and signatures, and data integrity.