Definition · Plain-language
GAMP 5
GAMP 5 is ISPE’s “Good Automated Manufacturing Practice” guide, providing a risk-based framework for assuring that computerised systems used in regulated industries are fit for intended use.
The step most authors miss
Doing CRediT right? Don’t stop at the statement.
A CRediT statement credits you inside one paper. The recognition CRediT was built for happens when those roles are tied to you, persistently. Sign in with your ORCID — free — and claim your CRediT contributions on casrai.org, the home of the standard. They become a verified, portable part of your identity, not a line that disappears into one PDF.
Free: claim your contributions, then export a journal-ready CRediT statement, schema.org structured data, JATS XML, CSV or BibTeX — and preview your public profile. A membership publishes that profile publicly and verifies the journals you serve.
A risk-based approach to validation
The central message of GAMP 5 is that validation effort should be proportionate to risk and to the system’s impact on patient safety, product quality and data integrity. Rather than applying the same heavy documentation to every system, organisations scale rigour to risk and complexity. GAMP 5 promotes a software-category framework — distinguishing, for example, infrastructure, configurable products and custom applications — so that effort is concentrated where it matters most. This avoids both under-validation of critical systems and wasteful over-validation of low-risk ones.
From CSV to CSA
The second edition of GAMP 5, published in 2022, strengthens the shift from traditional Computerised System Validation (CSV) towards Computer Software Assurance (CSA). CSA emphasises critical thinking, leveraging supplier activities, and using the most efficient testing methods (including unscripted and exploratory testing) rather than generating documentation for its own sake. The goal is the same — confidence that a system is fit for intended use — but the means become more efficient and risk-focused, aligning with the FDA’s own CSA direction for production and quality-system software.
Guidance, not regulation
It is important to recognise that GAMP 5 is industry guidance from ISPE, not a law. No regulation requires the use of GAMP 5 by name. However, it has become the de facto standard methodology that companies use to demonstrate compliance with binding requirements such as FDA 21 CFR Part 11 and EU GMP Annex 11. Regulators are familiar with its framework, so following GAMP 5 provides a recognised, defensible route to validating computerised systems and assuring their data integrity.
Key facts
At a glance
- Definition: ISPE risk-based framework for validating computerised systems
- Full name: Good Automated Manufacturing Practice (5th generation)
- Current edition: Second edition, published 2022
- Key shift: from traditional CSV towards Computer Software Assurance (CSA)
- Status: industry guidance, not a regulation
- Supports compliance with: 21 CFR Part 11 and EU GMP Annex 11
Common misconceptions
What people often get wrong
Often heard: GAMP 5 is a regulation that companies are legally required to follow.
Actually: GAMP 5 is industry guidance published by ISPE, not a law. No regulation mandates it by name, but it is the de facto methodology used to demonstrate compliance with binding rules such as 21 CFR Part 11 and EU Annex 11.
Often heard: Every computerised system needs the same exhaustive validation.
Actually: GAMP 5 is explicitly risk-based: effort should be proportionate to a system’s impact on patient safety, product quality and data integrity. Critical systems warrant more rigour; low-risk systems warrant less.
Often heard: CSA replaces validation with no testing at all.
Actually: Computer Software Assurance does not remove the need for assurance; it makes it more efficient and risk-focused — leveraging supplier activities and the most appropriate testing methods rather than producing documentation for its own sake.
Going deeper
