Software validation - GAMP 5 based Computer System Validation (CSV)

Software validation -  GAMP 5 based Computer System Validation (CSV)


Our Principal Consultant Richard Mulders led the ‘Discussion Forum’ at the Eurachem General Assembly in May 2020 and also presented diverse workshops on Computer System Assurance and Validation of Computerized Systems in a risk-based way, where he gave a short introduction to GAMP5 computer system validation.

Regulatory instances give more and more focus to the validation status of computerised systems in laboratories. With computerised systems being all systems used within the laboratory where electronic data/information is created, reported, and/or stored, this means that laboratories must be able to show evidence of validation for its intended use for both software (e.g. LI(M)S, (e)DMS) and equipment (e.g. HPLC, balance) systems. And that the validation of these systems has been executed following a structured process.

Although ISPE’s GAMP 5 (a risk-based method for validation of computerised systems) was originally created for the pharmaceutical industry, it can as well help in defining a structure to validate computerised systems in laboratories.

GAMP 5 is all about providing sufficient evidence that an organisation is in control of its systems throughout the entire System Life Cycle.

First, it needs to be decided (and documented) what a system is supposed to do for your process.

Second, a solution can be selected which satisfies these needs.

Validation again is based on the solution which was chosen. The more the system is used in the same way within the same industry, the lower the risk that there are still errors in the system. Therefore, systems are separated into three different categories depending on the risk to laboratory results and the chance for error in the system.



Figure 1. Illustration of GAMP software categories 



Where for Category 3 and 4 systems, lots of information about development, testing and qualifying the system can be retrieved and re-used from the supplier, this still must be done for Category 5 systems.
And finally, when the system is in use, this validation status must be kept by only allowing controlled changes in users, procedures, software, hardware, data, equipment, and environment to the system.
In the end this all leads to the answer to the question: Can I provide sufficient evidence that the system was developed, installed, configured, tested, implemented (including training and procedures), and maintained in a controlled way?



 Figure 2. Illustration of the components
of a computerised system