ISPE released the second edition of the Good Automated Manufacturing Practice (GAMP 5) guide in 2022. For any pharmaceutical company running a Computerized System Validation (CSV) programme, this revision introduces changes that affect how you classify systems, write your documentation, and demonstrate compliance to regulators.
This article breaks down the most significant changes and tells you exactly what you need to review in your existing programme.
Why GAMP 5 Was Updated
The first edition of GAMP 5 was published in 2008 - before cloud computing, SaaS applications, and AI-assisted manufacturing became routine in pharmaceutical operations. The second edition modernises the guidance to reflect:
- Widespread adoption of cloud-hosted and SaaS systems
- Agile software development methodologies replacing waterfall
- Greater reliance on vendor-supplied, pre-configured systems
- Stronger regulatory emphasis on critical thinking over procedural box-ticking
- Data integrity as a first-class validation concern
Revised Software Risk Categories
The original GAMP 5 defined five software categories (1 through 5). The second edition consolidates these into three categories based on the level of configuration and customisation:
Category 1 - Infrastructure Software
Operating systems, middleware, database engines, and network services. These do not directly implement GxP functions but underpin systems that do. The validation approach focuses on qualification of the infrastructure itself and ensuring it is fit for purpose.
Category 2 - Non-Configured Products
Commercial off-the-shelf (COTS) software used without any configuration - for example, a word processor used to write SOPs. Minimal validation is required; a risk assessment and vendor evaluation usually suffice.
Category 3 - Configured and Custom Applications
This is where most pharmaceutical systems sit: LIMS, ERP, MES, DMS, and purpose-built applications. The validation effort is proportionate to the system's impact on patient safety, product quality, and data integrity, not its technical complexity.
Practical impact: If you previously categorised your LIMS as "Category 4" and your MES as "Category 5", you will need to re-document your rationale using the new three-category framework. This is a documentation update, not a re-validation - but it must be done before your next inspection.
The Critical Thinking Principle
The most philosophically significant change in the second edition is the explicit call for critical thinking throughout the validation lifecycle. GAMP 5 now states that validation activities should be driven by scientific and risk-based judgement, not by automatic adherence to a prescribed set of documents.
In practice, this means:
- Your IQ/OQ/PQ structure should reflect actual risk, not template habit
- Test case selection must be justified, not exhaustive
- Deviations that pose no GxP risk should be documented as such and closed proportionately
- Validation teams must demonstrate they understand why each control is in place
For companies that have relied on rigid templates, this is a call to review your validation documentation philosophy.
Cloud and SaaS Systems
GAMP 5 Second Edition provides dedicated guidance for cloud-hosted and SaaS applications - a gap that caused significant uncertainty under the first edition. Key points:
- The regulated company retains responsibility for validation, even when the system is hosted and managed by a third-party vendor
- Vendor audit and supplier qualification become more critical than ever
- Change management for vendor-controlled updates must be addressed in your VMP
- Data migration and backup validation must be explicitly covered
Lifecycle Documentation Changes
The second edition simplifies documentation by focusing on key records that demonstrate control and traceability, rather than a fixed list of mandatory documents. Your Validation Master Plan should now address:
- System inventory and risk classification rationale
- Supplier assessment and audit outcomes
- Traceability from requirements through to testing
- Change control and periodic review processes
- Data integrity controls and audit trail configuration
What to Review in Your Existing Programme
If your CSV programme was built to the first edition of GAMP 5, here is the minimum set of items to review:
- System inventory: Re-classify all systems using the three-category framework
- Validation Master Plan: Update category definitions and decision rationale
- SOPs: Update any references to the old five-category model
- Cloud/SaaS systems: Ensure supplier qualification records are current
- Test protocols: Confirm critical thinking rationale is documented for test case selection
- Periodic review schedule: Confirm your review cycle addresses vendor-controlled changes
Inspection note: FDA and MHRA inspectors have already referenced GAMP 5 Second Edition in observations. If your documentation still uses the old five-category language without explanation, expect a question.
Free GAMP 5 System Classification Worksheet
Use our structured worksheet to classify your computerised systems under GAMP 5 Second Edition and determine the right validation scope - ready for your next regulatory inspection.
Get Free Worksheet →