What changed in GAMP 5 Second Edition?
GAMP 5 Second Edition, published by ISPE in July 2022, keeps the same risk-based framework and five software categories as the 2008 original. What changed is emphasis: it formalizes critical thinking by subject matter experts (Appendix M12), aligns with FDA's CSA approach, explicitly supports agile development, and adds new appendices for AI/ML, cloud services, and blockchain.
GAMP 5 Second Edition didn't add new rules. It changed what counts as good judgment — and that distinction is exactly where most teams misread it.
What Was Published, and When
ISPE released GAMP 5 Second Edition in July 2022, the first major revision since the original 2008 guide. Fourteen years is a long gap in software terms — the 2008 edition assumed linear, waterfall-style development and had nothing to say about cloud services, SaaS, or AI. Second Edition updates the guidance for how software is actually built and hosted today, without discarding the underlying risk-based approach.
What It Actually Requires
The core theme is a shift from rigid, document-heavy compliance toward critical thinking — knowledgeable SMEs deciding validation scope and depth based on actual risk to patient safety, product quality, and data integrity, not a fixed checklist. This is formalized in a new appendix (M12) and deliberately mirrors FDA's Computer Software Assurance guidance, which the two were developed to align with.
| Area | First Edition (2008) | Second Edition (2022) |
|---|---|---|
| Core framework | Risk-based, ICH Q9 aligned | Unchanged — same 5 software categories, same lifecycle |
| Validation approach | Document-heavy, linear V-model | Critical thinking (Appendix M12), CSA-aligned |
| Development lifecycle | Assumes sequential development | Explicitly supports agile and iterative delivery |
| Emerging technology | Not addressed | New appendices: AI/ML (D11), cloud/XaaS, blockchain, open source |
| Service providers | Limited guidance | Expanded emphasis on leveraging supplier/SaaS evidence |
What It Does NOT Change
The most common misconception: that Second Edition means less validation. It doesn't. The five software categories, the requirement for a documented risk assessment, and the expectation of traceable evidence all remain intact. What changed is where effort goes — proportionate to risk, rather than uniform regardless of it. A low-risk configured report screen may need less scripted testing than before; a batch release workflow needs just as much rigor as it always did, arguably more, because the reasoning behind reduced effort elsewhere must now be explicitly documented too.
The misreading to watch for: "Critical thinking" is sometimes used to justify skipping documentation entirely, on the logic that an SME's judgment doesn't need to be written down. It does. Second Edition asks teams to document the risk rationale behind every scope decision — the thinking has to be visible, not just applied.
How GoVal Applies These Principles
GoVal classifies every system by GAMP 5 category at intake and scales validation documentation to that classification automatically — the practical mechanism for applying critical thinking consistently rather than case by case. Risk assessments, IQ/OQ/PQ scope, and test depth all tie back to a documented risk rationale, so the reasoning behind every scope decision is captured and audit-trailed, not left to memory or a scattered email thread.
Related Topics
Frequently Asked Questions
What is GAMP 5 Second Edition and when was it published? +
What changed between GAMP 5 First Edition and Second Edition? +
Does GAMP 5 Second Edition replace the software categories? +
How does GAMP 5 Second Edition relate to FDA's CSA guidance? +
Does critical thinking under GAMP 5 mean less documentation? +
How does GoVal support GAMP 5 Second Edition principles? +
Apply GAMP 5 critical thinking with a documented, audit-trailed process
GAMP 5 classification, risk-based test scoping, and evidence that scales to actual system risk — in GoVal.
