Glossary Term

GAMP 5

The industry framework regulators and QA teams use to scope computerized system validation.

GAMP 5 is the shared vocabulary of computerized system validation — when a vendor says 'Category 4' or an auditor asks for your lifecycle approach, this is the framework behind the words.

What GAMP 5 is

GAMP 5 (full title: A Risk-Based Approach to Compliant GxP Computerized Systems) is the industry guide published by ISPE (International Society for Pharmaceutical Engineering) that defines how regulated companies specify, validate, and maintain computerized systems. The current version is the second edition, published in July 2022.

Its core ideas: scale validation effort to risk, complexity, and novelty; leverage supplier activities and documentation instead of repeating them; apply critical thinking rather than templated test volume; and manage systems across their whole lifecycle — concept, project, operation, retirement — not just at go-live.

Its best-known tool is the software category classification: Category 1 (infrastructure software), Category 3 (non-configured products), Category 4 (configured products), and Category 5 (custom applications). The category signals how much specification and verification work the regulated company owes on top of what the supplier already did. A configured multi-tenant eQMS is typically assessed as Category 4.

Guidance, not law

GAMP 5 is not a regulation — no authority enforces it directly. It is the industry's consensus method for meeting the validation expectations that ARE law (21 CFR Part 11 §11.10(a), EU GMP Annex 11). Auditors use its vocabulary because everyone else does.

Why GAMP 5 dominates vendor qualification

When a quality team qualifies an eQMS, LIMS, or MES supplier, the assessment is almost always GAMP-shaped: what category is the system, what does the supplier's quality system cover, which lifecycle deliverables exist (URS, risk assessment, configuration specification, test evidence, traceability), and what residual work belongs to the regulated company.

The second edition (2022) matters because it modernized the framework for how software is actually built and run now: it embraces agile and incremental delivery, cloud services and SaaS, automated testing and tool-supported traceability, and aligns with the critical-thinking direction FDA later formalized in its Computer Software Assurance guidance. Validation positions written against the 2008 first edition tend to over-document and under-think — exactly what the second edition argues against.

How GAMP 5 relates to the regulations

GAMP 5 is the how behind several regulatory whats:

  • 21 CFR Part 11 §11.10(a) — requires validation of systems handling electronic records; GAMP 5 supplies the lifecycle method
  • EU GMP Annex 11 — requires risk-based validation of computerised systems across their lifecycle; GAMP 5 is the de-facto interpretation most EU sites use
  • FDA CSA Final Guidance (February 3, 2026) — FDA's own risk-based assurance position; directionally aligned with GAMP 5's critical-thinking principle, focused on production and quality system software
  • ISO 13485 / QMSR contexts — software used in the QMS must be validated for intended use; GAMP categories scope that work

Using GAMP 5 without drowning in paper

The practical failure mode with GAMP 5 is treating it as a template library: generating maximum documentation for every system regardless of risk. The framework itself says the opposite — a Category 4 configured product with a qualified supplier should lean on supplier evidence, focus testing on the regulated company's configuration and intended use, and document decisions rather than boilerplate.

A workable pattern: classify the system honestly, assess the supplier once and deeply (quality system, lifecycle deliverables, change and release discipline), write a URS that reflects your intended use rather than the vendor's feature list, risk-assess per requirement, and let the risk tier drive test depth.

How Complere positions against GAMP 5

Complere is assessed as a GAMP 5 Category 4 configured product and ships the lifecycle deliverables a GAMP-shaped supplier assessment asks for — VMP, URS, risk assessment, traceability matrix, IQ/OQ/PQ protocols, Part 11 checklist, and audit trail specification — per module, generated against the customer tenant. Validation depth is scoped per requirement risk in line with FDA's CSA guidance. The artifact list and clause mapping are public on the validation pack page; the methodology is described in the validation approach, and the category model in the GAMP 5 categories guide.

Frequently asked questions

Common questions about GAMP 5 sourced from regulatory references and inspection patterns.

Is GAMP 5 mandatory?

No — GAMP 5 is industry guidance from ISPE, not a regulation. What is mandatory is validation itself (21 CFR Part 11 §11.10(a), EU GMP Annex 11). GAMP 5 is the consensus method most regulated companies and auditors use to meet those requirements, which is why supplier assessments speak its vocabulary.

What GAMP 5 category is an eQMS?

A configured commercial eQMS is typically Category 4 (configured products): the supplier builds and tests the product, and the regulated company specifies, configures, and verifies its own intended use on top. Custom-developed extensions would be assessed as Category 5.

What changed in the GAMP 5 second edition?

The 2022 second edition modernized the framework for current software practice: agile and incremental delivery, cloud and SaaS, automated testing and tool-based traceability, stronger emphasis on critical thinking over document volume, and closer alignment with the risk-based direction FDA formalized in its Computer Software Assurance guidance.

How do GAMP 5 and CSA relate?

They point the same way. GAMP 5 (second edition) and FDA's CSA Final Guidance (February 3, 2026) both argue for scaling assurance effort to risk and intended use rather than generating uniform documentation. GAMP 5 covers the full lifecycle method; CSA is FDA's position on assurance for production and quality system software.

About the author

Complere Reference Team

Compliance and quality-systems specialists maintaining the Complere glossary for regulated quality, validation, and inspection-readiness teams. Entries are reviewed against current FDA, MHRA, EMA, ICH, and PIC/S guidance.
