CSV & Validation

GAMP 5 Second Edition: Key Changes for Your CSV Programme

8 min read By Mohammad Awawdeh

ISPE released the second edition of the Good Automated Manufacturing Practice (GAMP 5) guide in 2022. For any pharmaceutical company running a Computerized System Validation (CSV) programme, this revision introduces changes that affect how you classify systems, write your documentation, and demonstrate compliance to regulators.

This article breaks down the most significant changes and tells you exactly what you need to review in your existing programme.

Why GAMP 5 Was Updated

The first edition of GAMP 5 was published in 2008 - before cloud computing, SaaS applications, and AI-assisted manufacturing became routine in pharmaceutical operations. The second edition modernises the guidance to reflect:

  • Widespread adoption of cloud-hosted and SaaS systems
  • Agile software development methodologies replacing waterfall
  • Greater reliance on vendor-supplied, pre-configured systems
  • Stronger regulatory emphasis on critical thinking over procedural box-ticking
  • Data integrity as a first-class validation concern

Revised Software Risk Categories

The original GAMP 5 defined five software categories (1 through 5). The second edition consolidates these into three categories based on the level of configuration and customisation:

Category 1 - Infrastructure Software

Operating systems, middleware, database engines, and network services. These do not directly implement GxP functions but underpin systems that do. The validation approach focuses on qualification of the infrastructure itself and ensuring it is fit for purpose.

Category 2 - Non-Configured Products

Commercial off-the-shelf (COTS) software used without any configuration - for example, a word processor used to write SOPs. Minimal validation is required; a risk assessment and vendor evaluation usually suffice.

Category 3 - Configured and Custom Applications

This is where most pharmaceutical systems sit: LIMS, ERP, MES, DMS, and purpose-built applications. The validation effort is proportionate to the system's impact on patient safety, product quality, and data integrity, not its technical complexity.

Practical impact: If you previously categorised your LIMS as "Category 4" and your MES as "Category 5", you will need to re-document your rationale using the new three-category framework. This is a documentation update, not a re-validation - but it must be done before your next inspection.

The Critical Thinking Principle

The most philosophically significant change in the second edition is the explicit call for critical thinking throughout the validation lifecycle. GAMP 5 now states that validation activities should be driven by scientific and risk-based judgement, not by automatic adherence to a prescribed set of documents.

In practice, this means:

  • Your IQ/OQ/PQ structure should reflect actual risk, not template habit
  • Test case selection must be justified, not exhaustive
  • Deviations that pose no GxP risk should be documented as such and closed proportionately
  • Validation teams must demonstrate they understand why each control is in place

For companies that have relied on rigid templates, this is a call to review your validation documentation philosophy.

Cloud and SaaS Systems

GAMP 5 Second Edition provides dedicated guidance for cloud-hosted and SaaS applications - a gap that caused significant uncertainty under the first edition. Key points:

  • The regulated company retains responsibility for validation, even when the system is hosted and managed by a third-party vendor
  • Vendor audit and supplier qualification become more critical than ever
  • Change management for vendor-controlled updates must be addressed in your VMP
  • Data migration and backup validation must be explicitly covered

Lifecycle Documentation Changes

The second edition simplifies documentation by focusing on key records that demonstrate control and traceability, rather than a fixed list of mandatory documents. Your Validation Master Plan should now address:

  1. System inventory and risk classification rationale
  2. Supplier assessment and audit outcomes
  3. Traceability from requirements through to testing
  4. Change control and periodic review processes
  5. Data integrity controls and audit trail configuration

What to Review in Your Existing Programme

If your CSV programme was built to the first edition of GAMP 5, here is the minimum set of items to review:

  • System inventory: Re-classify all systems using the three-category framework
  • Validation Master Plan: Update category definitions and decision rationale
  • SOPs: Update any references to the old five-category model
  • Cloud/SaaS systems: Ensure supplier qualification records are current
  • Test protocols: Confirm critical thinking rationale is documented for test case selection
  • Periodic review schedule: Confirm your review cycle addresses vendor-controlled changes

Inspection note: FDA and MHRA inspectors have already referenced GAMP 5 Second Edition in observations. If your documentation still uses the old five-category language without explanation, expect a question.

Free GAMP 5 System Classification Worksheet

Use our structured worksheet to classify your computerised systems under GAMP 5 Second Edition and determine the right validation scope - ready for your next regulatory inspection.

Get Free Worksheet →
GAMP 5 CSV ISPE Risk Categories Cloud Systems FDA EU GMP Annex 11

Ready to Align Your CSV Programme with GAMP 5 Second Edition?

PHARPRO's consultants have hands-on experience updating CSV documentation to the latest ISPE guidance.

Get a Free Assessment View CSV Services
PHARPRO - Expert Pharma Consulting

Need help updating your CSV programme for GAMP 5 Second Edition? PHARPRO provides full-lifecycle CSV consulting aligned with the latest ISPE guidance.

Computerized System Validation (CSV) → Free Assessment
Related Insights

Keep reading

More in-depth guides from the PHARPRO compliance team.

GAMP 5 Risk Categories Explained
What changed in the Second Edition, how to classify your system, and how category affects testing depth.
CSV for SaaS and Cloud Applications in Pharma
Validation approach, vendor qualification, and documentation strategy for cloud-hosted GxP systems.
Risk Assessment in CSV: Applying GAMP 5 Principles
How to conduct a risk assessment for computerised systems and document it to regulatory standards.
EU GMP Annex 11: A Practical Compliance Checklist
Supplier assessment, validation documentation, audit trails, and data integrity - 2025 edition.
AI Validation Lifecycle Software for Pharma
How AI is changing IQ/OQ/PQ documentation - and what it still cannot replace in regulated environments.