GAMP 5 (Good Automated Manufacturing Practice, Fifth Edition) is ISPE's industry framework for validating computerized systems in GxP-regulated life sciences environments. First published in 2008 and updated in the Second Edition in 2022, it provides practical, risk-based guidance for planning, executing, and maintaining software validation. GAMP 5 is not a regulatory requirement itself but is widely accepted by FDA, EMA, and other regulators as a credible implementation framework for meeting GxP validation obligations.
GAMP 5 Second Edition, published by ISPE in January 2022, fundamentally realigned the framework with FDA's CSA philosophy. Key changes include: explicit endorsement of critical thinking over prescriptive documentation; integration of vendor evidence as a legitimate and preferred validation input; recognition of agile and iterative development approaches; expanded guidance on cloud and SaaS systems; updated software category definitions; and a stronger emphasis on proportionate effort based on patient safety risk. The Second Edition effectively makes GAMP 5 a practical implementation guide for CSA-aligned validation.
GAMP 5 Second Edition uses three primary software categories. Category 3 covers infrastructure software — operating systems, database engines, and standard IT platforms — which requires installation qualification and configuration documentation but minimal functional testing. Category 4 covers configurable software — ERP systems, LIMS, MES — where validation focuses on the regulated company's configuration rather than the underlying software. Category 5 covers custom or bespoke software developed specifically for the regulated company, requiring the most rigorous validation including full software development lifecycle documentation.
Category 4 validation focuses on demonstrating that the company's specific configuration meets its intended GxP use — not on re-testing the underlying software vendor's core functionality. Validation activities typically include: vendor assessment and leveraging vendor IQ/OQ packages; configuration specifications documenting how the system is set up; targeted testing of configured workflows against user requirements; and user acceptance testing covering GxP-critical functions. The Second Edition explicitly supports using vendor test evidence to reduce redundant company-level testing.
Category 5 custom software requires the most comprehensive validation because there is no vendor testing evidence to leverage. Required activities include: formal software development lifecycle documentation (requirements, design, coding standards, unit and integration testing); software code review or testing at source level; full IQ, OQ, and PQ execution; and ongoing change control aligned with the development lifecycle. Category 5 systems carry the highest validation burden and should be justified — configurable commercial alternatives are often preferable from a validation risk and cost perspective.
GAMP 5 risk assessment operates at two levels. First, system-level risk assessment classifies the overall system impact: does it directly affect product quality, patient safety, or data integrity? Second, function-level risk assessment — through a Functional Risk Assessment or Critical Function Assessment — evaluates each system function individually to determine its GxP criticality. High-criticality functions receive detailed, scripted testing; low-criticality functions may require minimal evidence. This layered approach ensures validation effort is proportionate to actual risk across the system.
GAMP 5 Second Edition strongly endorses leveraging vendor test evidence as a primary validation input, particularly for Category 4 systems. Where a software vendor provides credible documentation — test protocols, test results, quality certifications, SOC 2 reports, or formal IQ/OQ packages — the regulated company should assess this evidence rather than duplicate the testing. The company's responsibility is to evaluate the vendor's quality system, confirm the relevance of vendor testing to their configuration, and supplement with targeted company-level testing for GxP-critical configurations.
A system is GxP-impacting if it creates, modifies, maintains, archives, retrieves, or transmits GxP records; directly controls or monitors a regulated manufacturing or laboratory process; or supports GxP decision-making in a way where system failure could affect product quality or patient safety. GAMP 5 recommends a documented GxP impact assessment as the first step in the validation process. Systems with no GxP impact — IT infrastructure supporting non-regulated business functions — do not require formal GxP validation, though standard IT governance still applies.
GAMP 5 Second Edition provides explicit guidance for cloud and SaaS validation, acknowledging that the traditional on-premise qualification model does not directly translate to hosted environments. Key guidance includes: the regulated company's validation responsibility cannot be outsourced, but testing effort can be shared with vendors; infrastructure qualification (IQ) can be addressed through vendor-provided cloud certification and SOC 2 evidence; configuration qualification remains the company's direct responsibility; and contractual provisions must ensure access to vendor documentation required for validation.
GAMP 5 Second Edition does not mandate the V-model, though it remains a valid approach where appropriate. The Second Edition recognizes that modern software deployment — particularly agile and iterative development, and SaaS configuration — may not align naturally with a linear V-model structure. What GAMP 5 requires is logical traceability: user requirements must be demonstrably addressed by testing, and the validation record must show how risks were identified and mitigated. The V-model is one structure for achieving this; it is not the only acceptable one.
Yes. GAMP 5 Second Edition explicitly addresses agile development, recognizing that iterative development cycles require adapted validation approaches. For agile environments, each sprint or release cycle should include risk assessment for GxP-impacting changes, documented testing evidence for new or changed functions, and integration into the overall validation record. The challenge is maintaining audit-ready documentation across rapid iterations — a strong Configuration Management and change control process is essential. GAMP 5's critical thinking principle supports flexible implementation as long as GxP impact is continuously assessed.
GAMP 5 Second Edition incorporates data integrity as a core validation consideration, not a separate compliance activity. Validation must confirm that GxP systems enforce ALCOA+ principles — that data is Attributable, Legible, Contemporaneous, Original, Accurate, Complete, Consistent, Enduring, and Available. Specific data integrity validation checks include: audit trail completeness and protection, prevention of unauthorized data modification, user access controls and individual accountability, and system clock accuracy. GAMP 5 treats data integrity as a first-order validation outcome, not an audit trail checklist item.
GAMP 5 requires that User Requirements Specifications describe what a system must do from a business and GxP perspective, independent of any specific technical implementation. Requirements must be clear, testable, uniquely identified, and traceable through the validation lifecycle. The URS should capture: GxP functional requirements, data integrity requirements, interface requirements, performance requirements, and security requirements. GAMP 5 Second Edition emphasizes that URS quality directly determines validation quality — vague or incomplete requirements produce unverifiable validation evidence.
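The traceability and proportionality checks described above (uniquely identified requirements traced to testing, and scripted testing for high-criticality functions) can be automated over a validation record. This is an added Python example, not taken from GAMP 5 or ISPE; the record fields, IDs, criticality labels, and sample data are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Requirement:
    req_id: str
    text: str
    criticality: str  # "high" or "low", taken from the function-level risk assessment

@dataclass(frozen=True)
class Evidence:
    test_id: str
    covers: tuple     # requirement IDs this test claims to verify
    scripted: bool
    passed: bool

def trace_gaps(requirements, tests):
    """Return {req_id: reason} for every requirement whose test evidence is insufficient."""
    known = {r.req_id for r in requirements}
    if len(known) != len(requirements):
        raise ValueError("requirement IDs must be unique")
    gaps = {}
    # Evidence that points at an ID missing from the URS cannot be traced to anything.
    for t in tests:
        for rid in t.covers:
            if rid not in known:
                gaps[rid] = f"test {t.test_id} references unknown requirement"
    for r in requirements:
        linked = [t for t in tests if r.req_id in t.covers]
        passed = [t for t in linked if t.passed]
        if not linked:
            gaps[r.req_id] = "no test evidence"
        elif not passed:
            gaps[r.req_id] = "no passing test"
        elif r.criticality == "high" and not any(t.scripted for t in passed):
            gaps[r.req_id] = "high criticality without passing scripted test"
    return gaps

# Constructed sample URS and test records (hypothetical IDs and wording).
URS = [
    Requirement("URS-001", "Audit trail records user, timestamp, old and new value", "high"),
    Requirement("URS-002", "Only authorised roles can modify batch records", "high"),
    Requirement("URS-003", "Report footer shows site name", "low"),
    Requirement("URS-004", "System clock is synchronised to the site time source", "high"),
]
TESTS = [
    Evidence("OQ-010", ("URS-001",), scripted=True, passed=True),
    Evidence("UAT-02", ("URS-002", "URS-003"), scripted=False, passed=True),
    Evidence("OQ-011", ("URS-009",), scripted=True, passed=True),
]

if __name__ == "__main__":
    for rid, reason in sorted(trace_gaps(URS, TESTS).items()):
        print(rid, "-", reason)
```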
GAMP 5 requires that all changes to validated systems pass through a formal change control process that assesses GxP impact before implementation. The impact assessment must determine whether the change affects validated functions, what testing is required to re-establish validated status, and whether the change triggers formal requalification. GAMP 5 Second Edition notes that not all changes require the same level of revalidation — the change control response must be proportionate to the GxP risk of the specific change. Vendor-initiated changes (patches, upgrades) require the same assessment as company-initiated changes.
GAMP 5 requires that validated systems undergo periodic review to confirm ongoing validated status. Reviews should assess: whether the system continues to meet its original GxP requirements; accumulation of unreviewed changes; outstanding deviations or performance anomalies; changes in regulatory requirements affecting the system; and vendor support and software version currency. GAMP 5 Second Edition supports risk-based review frequency — higher-risk systems warrant more frequent review. The outcome of a periodic review is a documented determination: validated status confirmed, or a defined remediation or revalidation action.
GAMP 5 Second Edition and FDA's September 2022 CSA final guidance are closely aligned — both were developed in parallel and reflect the same industry consensus on risk-based, proportionate validation. GAMP 5 can be considered the practical implementation framework for CSA principles: where CSA articulates what the FDA expects philosophically, GAMP 5 provides the operational tools — risk assessment templates, category frameworks, vendor assessment guidance — to implement it. Organizations following GAMP 5 Second Edition are effectively following a CSA-compatible approach.
GAMP 5 is a published ISPE guidance document available for purchase from the ISPE website. ISPE membership is not required to obtain or use GAMP 5, though members receive discounted pricing. The guidance is not a freely downloadable public document; it is a commercially published technical guide. Many pharmaceutical companies purchase multiple copies or enterprise licenses for distribution to validation teams. Supporting ISPE Good Practice Guides and GAMP Communities of Practice provide supplementary guidance that is often available to members.
GAMP 5 applies to any computerized system used in GxP-regulated activities. This explicitly includes: laboratory systems (LIMS, CDS, electronic notebooks), manufacturing systems (MES, SCADA, DCS, EBR), quality systems (QMS, CAPA, document management), clinical systems (EDC, CTMS), and infrastructure supporting these systems. GAMP 5 also addresses process control and embedded systems, though these have specific validation considerations covered in associated GAMP Good Practice Guides. The primary scoping criterion is GxP impact — not system type or technology platform.
GAMP 5 requires a validation documentation set proportionate to system risk and category. At minimum for a Category 4 system: Validation Plan (describing the overall strategy), User Requirements Specification, vendor assessment documentation, Configuration Specification, IQ protocol and report, OQ protocol and report, PQ protocol and report, any deviation reports and resolutions, and a Validation Summary Report. GAMP 5 Second Edition notes that document format is less important than document purpose — combined documents covering multiple phases are acceptable where they maintain clarity and traceability.
GAMP 5 is accepted by regulatory authorities globally, not only by the FDA. EMA and national competent authorities in Europe routinely reference GAMP 5 as an acceptable implementation framework for EU GMP Annex 11 compliance. Health Canada, TGA (Australia), PMDA (Japan), and other major regulatory agencies similarly recognize GAMP 5 as credible industry guidance. Multinational pharmaceutical companies typically use GAMP 5 as the single global implementation framework, supplementing with jurisdiction-specific requirements where necessary.