Zamann Pharma Support logo

Siedlerstraße 7 | 68623 Lampertheim, Germany

What is GAMP 5 Guideline? Checklist for GAMP 5 compliance

Last update on July 22, 2024

What is GAMP 5 Guideline ?

GAMP is the acronym used to summarize the term “Good Automated Manufacturing Practices“. These are a compilation of recommendations published by the International Society for Pharmaceutical Engineering (ISPE) in the form of a book to provide guidance on the compliance of computerized systems in regulated industries.

GAMP 5 Guide, 2nd Edition, aims to continue to protect patient safety, product quality, and data integrity by facilitating and encouraging the achievement of computerized systems that are effective, reliable, and of high quality. GAMP is a risk-based framework for validating and controlling digital healthcare and pharmaceutical systems.

Whilie, understanding what is GAMP 5 Guideline? It is important to note that rather than being a regulation, GAMP 5 is a set of principles and procedures created to help validate automated computer systems for manufactured pharmaceutical products. In other words, this guideline helps manufacturers meet regulations they must comply with to go to market. These best practices are respected and used by regulated companies and their suppliers all over the world. Lets understand GAMP 5 categories and checklist for GAMP 5 compliance in this article. 

Who does it apply to?

GAMP 5 targets to provide a explanation of how pharmaceutical/medtech companies should validate their computer systems. In practice, this means that these recommendations apply both to the users of automated pharmaceutical products, as well as the manufacturers who create and market them.

GAMP is not mandatory, nor is it a legally binding framework, but it remains the industry standard for validating automated systems. Developers in regulated industries typically use GAMP 5 to go to market with greater efficiency and less risk

Users should be aware of which assure computerized pharmaceutical products are appropriate for their intended purpose. For manufacturers, GAMP 5 guides them to ensure their products meet necessary regulatory standards according to a risk-based approach.

What are GAMP 5 software categories?

GAMP categories are mainly used to subdivide computerized systems according to their complexity. In this way, the validation strategy can be focused on the points where the system is riskier. There is generally an increasing risk of failure or defects with the progression from standard software and hardware.

The more complex a system is, the greater its risks will be. These risks primarily involve data integrity, product quality, and patient safety.

There are 4 categories in which GAMP 5 groups computerized systems according to their complexity. These categories define the approach to full validation. In other words, they determine the validation route to follow and the necessary documents to demonstrate that your system is suitable for the use that will be given and complies with the GxP regulation. The GAMP categories described are summarized below.

GAMP 5 software categories e.g. LIMS ibeing used in Laboratories
  • Category 1 software are the least risky and most widely available software.
  • The operating system on which the application software runs is the simplest sort of infrastructure software. Additional software for managing the process control system’s infrastructure consists of operating systems, antivirus software, active directory , database software, server and network hardware, virtual environments, and firewalls.
  • Risk: Lowest
  • Testing: Normal installation
  • Example: Operating systems, Database engine, Programming language, firewall, antivirus, network and performance monitoring tool, tools supporting IT system
  • This category has been removed from GAMP and is no longer relevant.
  • Nowadays, firmwarehas evolved to the point the majority is counted as category 3, 4, or 5. So, when GAMP 4 transitioned to GAMP 5, category 2 was removed but the numbering was not changed, leaving only categories 1, 3, 4, and 5.
  • Run time parameters may be entered and stored but the software cannot be configured to suit the business process.
  • These Software are without any configurable functions, they are marketed freely or are integrated into hardware to allow their operation.
  • Risk: Moderate
  • Testing: Noormal installation and vendor checks,  risk based testing ,SOPs, requirements and life cycle approach,
  • Example: As examples, Firmware based application, COTS software, tools for statistical calculation, software for data acquisition without configuration capacity, control panel viewers, spreadsheets used as databases or as documents without some level of configuration.
  • These software are often very complex that can be configured by user to meet the specific needs of users business process ( example via work flow, process flow ). Remember that here software code is not altered.
  • They allow you to run a specific business process. These configurations include, but are not limited to, operating, measurement, control parameters, and may use other external interfaces to complete the function.
  • Risk: Medium 
  • Testing: As mentioned in Cat 3 and  process mapping, data flow and configuration testing.
  • Example: ERP (Enterprise Resource Planning), LIMS, SCADA, DCS, ADR reporting, EDMS, CRM, Spreadsheets, simple HMI
  • They are those that are tailored to meet specific needs of the organization that optimize its processes. Here, software custom designed and coded to suit the business process.
  • Risk: Highest 
  • Testing:As mentioned in Category 4 and Rigorous – supplier checks, code review, unit tests.
  • Example: Internally and externally developed IT application, Process controlled application, customer ladder logic, custom firmware, ERP systems or developments of these made to meet the specific needs for an organization or a specific business, among others.

Checklist for GAMP 5 compliance

Implementing GAMP 5 guidelines in software of different GAMP categories is a strategic process that requires meticulous planning, execution, and ongoing management to ensure compliance and enhance the quality and integrity of the data.  Lets see practical, step-by-step approach to implementing GAMP 5 in LIMS software, ensuring your system is robust, reliable, and regulatory-compliant.

When implementing GAMP 5, you’ll need to consider your product and specific regulatory requirements for your industry. It’s also important to account for any cross-industry regulations that may apply. Use the following GAMP 5 compliance checklist to more closely align with the framework.

  • Begin by classifying your LIMS based on GAMP 5 categories, which will dictate the level of validation needed. LIMS often falls into Category 4 (configured software) or Category 5 (bespoke software).
  • Understanding which category your LIMS falls into helps tailor the validation process to meet specific regulatory and business needs.
  • Perform a thorough risk assessment focused on identifying potential vulnerabilities in the software which impacts on product quality, data integrity, and patient safety.
  • Strategic Testing Plan: Use insights from the risk assessment to craft a comprehensive testing strategy, ensuring a robust approach to verification.
  • Comprehensive Testing Execution: Dive into a suite of tests including integration, system, user acceptance, and unit tests to guarantee the software meets GAMP 5 standards for reliability and performance.
  • Define clear and detailed user requirements for your LIMS. This document should describe what the system needs to do from a functional, technical, and regulatory perspective.
  • The URS is foundational for the entire GAMP 5 implementation process, guiding subsequent specifications, design, testing, and validation activities.
  • Ensure it aligns with business processes and regulatory requirements, such as FDA 21 CFR Part 11 for electronic records and signatures.
  • Evaluate each requirement based on its overall impact on safety,quality and data protection.
  • Choose a LIMS vendor with a strong track record of compliance with GAMP 5 and other relevant standards like security, reputation, and ability to deliver. This involves a deep dive into their history for any regulatory missteps, financial penalties, or challenges that could impact their service.
  • Evaluate their quality management system, development lifecycle processes, and support services. Ensure the vendor understands your URS and can demonstrate how their system meets these requirements.
  • Choose vendors who not only validate and maintain thorough documentation for their products but also prioritize transparency and support in their operations.
  • When partnering with software vendors, companies must exercise caution, ensuring GAMP 5 compliance through thorough vetting to prevent legal entanglements. Companies must use caution when signing agreements with software vendors. GAMP 5 compliance encourages companies to do their due diligence and avoid agreements that could lead to legal issues.
  • For a Category 5 LIMS, work closely with the vendor during the design and development phases to ensure the software is built to meet your specified requirements.
  • For Category 4 systems, configure the off-the-shelf software according to your process needs while ensuring compliance with GAMP 5 guidelines.
  • Develop functional specifications (FS) that describe in detail the functionalities identified in the URS.
  • Create specification detailing how the software will meet specific user need,design specifications (DS) that detail how the LIMS will fulfill these functionalities, including system architecture, data models, and integrations with other systems.
  • Based on the FS and DS, configure or customize your LIMS. For Category 5 systems, this step might involve significant software development.
  • Ensure that any customization or development work is documented in detail, including the rationale behind design choices and how they meet the URS and mitigate identified risks.
  • Develop a validation plan that outlines the scope, approach, resources, responsibilities, and criteria for validating the LIMS. 
  • This plan should cover all stages from installation (IQ) to operational (OQ) and performance qualification (PQ). The validation activities should prove that the LIMS performs as intended in your specific environment.
  • Conduct validation testing to verify that the software meets all defined user requirements and functions as intended. This typically includes unit testing, integration testing, and user acceptance testing.
  • Create a traceability matrix that maps user requirements to functional specifications, test cases, and test results. This ensures that all user requirements are addressed and validated, providing a clear audit trail from requirements through to system implementation.
  • Establish a robust change control process to manage any modifications to the system, ensuring that changes do not adversely affect system compliance or integrity.
  • Configuration management practices should be in place to maintain documentation of all system configurations and customizations.
  • Implement features and controls within the system / LIMS to ensure data integrity and security, in line with GAMP 5 guidelines and relevant regulatory requirements (e.g., FDA 21 CFR Part 11).
  • This includes audit trails, user access controls, electronic signatures, and data backup and recovery mechanisms.
  • Train all end-users and IT support staff on the proper use of the system , emphasizing the importance of compliance with SOPs and regulatory requirements.
  • Develop or update Standard Operating Procedures (SOPs) that outline how to use the LIMS in daily operations, including data entry, data processing, reporting, and system maintenance.
  • In order to be useful, software must be operationally sound. Implement specific operational controls and procedures. Create a disaster recovery and business continuity strategy to protect your software from outages.
  • User requirements and regulatory specifications can change over time. For this reason, GAMP 5 recommends conducting periodic reviews to meet user requirements and regulatory standards.
  • Revisit validation documentation whenever the software changes, use automation to analyze software end-to-end and track modifications.
  • Make risk assessment a core part of your reviews and monitor the software’s impact on safety and data protection.

Recognizing no software is perfect, it’s essential to have a maintenance strategy in place. This involves scheduling regular updates, and fixes. For this we can create a schedule for maintenance and updates. Establish a plan for receiving, responding to, and documenting trouble tickets. Document all maintenance and support requests

Need help with Implementation in GAMP 5


GAMP categories streamline system validation by matching system complexity with an appropriate strategy, prioritizing the resolution of high-risk issues to ensure optimal functionality.

Implementing GAMP 5 standards not only minimizes process and product risks but also enhances market presence, customer satisfaction, and the likelihood of favorable FDA audits through diligent adherence.

The GAMP 5 Guide, 2nd Edition, goes beyond basic compliance by promoting up-to-date IT practices, comprehensive quality risk management (QRM), and superior software engineering to improve product quality and safety for patients and the general public.

Need Help?

New in systems validation and need help with kick-off? Our experts are happy to assist you with the best validation program according to your available resources. Please do not hesitate to contact us if you have any questions.

Useful Link:

Sagar Pawar

Sagar Pawar

Sagar Pawar, a Quality Specialist at Zamann Pharma Support, brings over 11 years of experience in Quality domain for the pharmaceutical and medical technology industries. Specializing in qualification, validation, Computer System Validation (CSV), and Nitrosamine activities, Sagar is currently focused on enhancing the Zamann Service portfolio by developing and implementing robust strategies to address Nitrosamine-related challenges. Outside of work, Sagar enjoys trekking and cooking. Connect with Sagar on LinkedIn to discuss topics related to equipment qualification, GMP Compliance and Nitrosamine-related challenges.