GAMP 5 Computerized System Validation for Medical Devices (2nd Ed.)
A practical guide to GAMP 5 Second Edition for medical device manufacturers: software categories, the V-model, critical thinking, FDA CSA alignment, data integrity, and 21 CFR Part 11.
Manufacturing execution systems (MES), laboratory information systems (LIMS), electronic quality management systems (eQMS), ERP platforms, and increasingly AI- and cloud-based tools all run the production and quality processes behind medical devices. Regulators expect these computerized systems to be validated, and for two decades the de facto global framework has been ISPE GAMP® 5: A Risk-Based Approach to Compliant GxP Computerized Systems. The Second Edition (2022) re-oriented the standard around critical thinking and risk-based assurance — aligning it directly with FDA's Computer Software Assurance (CSA) policy that is now final for medical devices.
This guide explains GAMP 5 Second Edition for medical device manufacturers: what it covers (and what it does not), the software categories, the V-model lifecycle, the shift from traditional computerized system validation (CSV) to critical-thinking-driven assurance, and how it maps to FDA's CSA guidance and 21 CFR Part 11.
Scope: What GAMP 5 Covers — and What It Does Not
GAMP 5 governs computerized systems used in GxP processes — that is, software used to manufacture, test, control quality over, or manage a regulated product. For a medical device manufacturer, that covers the production and quality-system software that FDA's CSA guidance addresses: MES, LIMS, eQMS, document management, calibration and maintenance systems, electronic batch records, and lab automation.
It does not cover software that is the medical device or is embedded in it — Software-as-a-Medical-Device (SaMD) or Software-in-a-Medical-Device (SiMD). Those follow IEC 62304 (medical device software life cycle), ISO 14971 risk management, and FDA's device-software guidance. GAMP 5 is about the factory and quality-system software, not the product software. This boundary is the single most common point of confusion and is now stated explicitly in FDA's final CSA guidance: CSA applies to production and quality-system software; device software functions are out of scope.
First vs. Second Edition: What Changed in 2022
The First Edition (2008) established the risk-based V-model lifecycle, software categories 1–5, and the GAMP core principles. The Second Edition (July 2022) keeps that framework but modernizes its application. The headline changes:
| Dimension | GAMP 5 First Edition (2008) | GAMP 5 Second Edition (2022) |
|---|---|---|
| Emphasis | Meeting compliance; avoiding inspection findings | Patient safety, product quality, data integrity |
| Methodology | Linear V-model (waterfall) | V-model and iterative/Agile methods |
| Thinking | Standardized, prescriptive approaches | Critical thinking by experienced SMEs |
| Suppliers | Involved but not emphasized | Maximizes supplier participation; reuse vendor evidence |
| Category 2 | Active (firmware/instruments) | Removed; folded into other categories |
| New topics | — | AI/ML, blockchain, cloud, cybersecurity, IT service management |
New and updated appendices address IT infrastructure (M11), critical thinking, specifying requirements, Agile software development, software tools, distributed ledger systems (blockchain), and artificial intelligence and machine learning. Critically, the Second Edition reframes the objective: the goal is not a mountain of paperwork but demonstrable confidence that the system is fit for its intended use — a point ISPE and FDA now make in identical terms.
The Five Core Principles
The Second Edition is built on five principles that should govern every validation program:
- The product and process understanding and the lifecycle approach are fundamental. Validation is a lifecycle within the QMS, not a one-time project; the system must remain in a validated state through changes, upgrades, and retirement.
- Lifecycle activities are scalable. Effort is proportional to the system's risk, complexity, and novelty — not applied uniformly.
- A range of approaches to verifying fitness for purpose is acceptable. Vendor evidence, prior testing, configuration checks, and risk-based testing all have a place.
- The value of supplier involvement is leveraged. Reuse the supplier's development documentation and testing rather than re-testing what the vendor already validated.
- Compliance is facilitated by efficient and effective record-keeping and communication. Records should support decisions and enable efficient oversight, not bury them.
The throughline is critical thinking — using knowledgeable SMEs to tailor the approach to the specific system and its risk, rather than treating a checklist as the deliverable.
The Software Categories (Second Edition)
GAMP 5 categorizes software to help scale validation effort. The Second Edition's central warning, repeated by ISPE, is that "categorization is not intended to provide a checklist approach to validation." The category is a starting point, not a prescription; critical thinking determines the actual deliverables.
| Category | Type | Typical examples | Indicative validation burden |
|---|---|---|---|
| 1 | Infrastructure software (incl. tools supporting the system lifecycle and IT processes) | Operating systems, database management systems, network infrastructure, version-control and deployment tools | Configuration documentation + change control; leverage vendor |
| 3 | Non-configured commercial (COTS) software used as-is | Off-the-shelf tools used without configuration | Risk-based functional verification; rely heavily on vendor |
| 4 | Configured commercial products | ERP (SAP), LIMS, eQMS (Veeva, MasterControl), MES, document management | Configure workflows/approvals/reports; IQ/OQ/PQ focused on your configuration, not the base platform |
| 5 | Custom / bespoke software | Custom-developed applications, custom Excel/VBA macros, Python scripts processing GxP data | Full software development lifecycle (requirements → design → build → test → release) |
Category 2 was removed in the Second Edition. If your SOPs still reference it, update them — an auditor familiar with the current edition will flag legacy references.
A practical rule that catches teams off guard: a custom Excel macro or Python script that processes GxP data is Category 5 regardless of code size. A 20-line VBA routine that writes a specification limit into a batch record carries the same regulatory classification as a bespoke application, because the risk is in the function, not the line count.
Most ERP, LIMS, and eQMS platforms are Category 4 — configured standard products. Your validation should focus on your configuration (workflows, approval chains, reports), reusing the vendor's platform-level evidence rather than re-validating the base product.
The V-Model Lifecycle
GAMP 5's lifecycle is conventionally represented as a V-model: requirements and specifications are defined down the left leg; verification activities mirror them up the right leg, with traceability between what was planned and what was tested.
- User Requirements Specification (URS) → verified by User Acceptance / Performance Qualification (PQ)
- Functional Specification → verified by Operational Qualification (OQ)
- Configuration / Design Specification → verified by Installation Qualification (IQ) and configuration checks
The V-model is a form of waterfall methodology. The Second Edition explicitly acknowledges that many projects now use iterative or Agile development, and it describes how the lifecycle phases apply in Agile situations as well as linear ones — the phases still exist, but they cycle in iterations rather than running once.
From CSV to CSA: Critical Thinking in Practice
The defining shift in the Second Edition — and in FDA policy — is from Computerized System Validation (CSV) to Computer Software Assurance (CSA). Traditional CSV had a reputation for exhaustive, documentation-heavy, "test-everything" execution. As FDA and ISPE now argue, "a mountain of paperwork did not equate to proper CSV," and it often failed to actually ensure product quality, data integrity, or patient safety.
CSA reorients the work around intended use and risk:
- Define the intended use and the system's impact on product quality, data integrity, and patient safety.
- Identify the high-risk functions — those whose failure could compromise safety or quality — and apply more rigorous, often scripted or hybrid testing.
- For "not high" risk functions, apply leaner methods such as exploratory (unscripted) testing or scenario-based testing.
- Leverage vendor evidence and prior testing where appropriate.
- Document the risk rationale and the assurance record, not a generic test script for everything.
This is exactly the proportionate, risk-based logic GAMP 5 Second Edition prescribes through critical thinking. The two documents now reinforce each other.
FDA CSA Guidance Timeline
The CSA policy has moved quickly — and medical device manufacturers are the first audience for the finalized version:
| Date | Action |
|---|---|
| September 13, 2022 | FDA (CDRH/CBER) issues the draft CSA guidance, "Computer Software Assurance for Production and Quality System Software." |
| September 24, 2025 | FDA issues the final CSA guidance for medical devices (Federal Register notice 2025-18468), superseding Section 6 of the legacy General Principles of Software Validation guidance. |
| February 3, 2026 | FDA releases an updated final guidance, "Computer Software Assurance for Production and Quality Management System Software," superseding the September 2025 version and aligning CSA expectations to the QMSR (ISO 13485:2016). |
The 2025–2026 final versions add a formal Definitions section (formalizing IaaS/PaaS/SaaS cloud models), explicitly include AI/ML as technologies requiring risk-based assurance, and strengthen cybersecurity expectations (SOC reports, SBOMs, vendor security documentation). The CSA lifecycle framing — "high process risk" → more rigorous testing; "not high" risk → leaner methods — mirrors GAMP 5's scalable approach.
Data Integrity: ALCOA+ and Part 11 / Annex 11
GAMP 5 is inseparable from data integrity. Regulators expect electronic records to be attributable, legible, contemporaneous, original, and accurate — the ALCOA principles — plus complete, consistent, enduring, and available (ALCOA+). The Second Edition clarifies expectations around electronic records, electronic signatures, and audit trails.
Two predicate rules anchor this:
- 21 CFR Part 11 (U.S.) — electronic records and electronic signatures; requires validated systems, audit trails, and controls.
- EU GMP Annex 11 (EU) — the European counterpart; broadly equivalent.
For medical device manufacturers, Part 11 and the QMSR (which preserves Part 11 and UDI obligations) apply to production and quality-system software. GAMP 5 provides the lifecycle method to achieve these requirements; it is the "how," not the "what."
GAMP 5 also aligns with ICH Q9 (Quality Risk Management) for risk-based decision-making throughout the lifecycle, and with MHRA and FDA data-integrity guidance.
Implementation Checklist
- Inventory all GxP computerized systems and classify each (Category 1/3/4/5) with documented rationale.
- Intended use statement for each system, tied to product quality / data integrity / patient safety impact.
- Risk assessment (ICH Q9-aligned) identifying high-risk vs. not-high-risk functions.
- Validation plan scaled to risk — scripted/hybrid testing for high-risk functions; exploratory/scenario testing for not-high.
- Supplier evidence reused where valid (vendor IQ/OQ, validation summaries, SOC 2 reports).
- Audit trails and access controls verified (ALCOA+, Part 11 / Annex 11).
- Change control that maintains the validated state through releases, including SaaS auto-updates with documented impact assessment.
- Traceability matrix linking requirements → configuration → tests → evidence.
- Periodic review of each system's validated state.
- Update SOPs that still reference Category 2 or treat categories as a checklist.
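
One way to turn the traceability and risk-scaling items of the checklist above into an automated gap check, as an added example that is not taken from GAMP 5, FDA guidance or any vendor tool. The record layout, the identifiers such as URS-001, and the rule that a high-risk requirement needs at least one scripted or hybrid test are assumptions made for the illustration; the sample matrix is constructed.

```python
"""Traceability-matrix gap check (added illustration; field names are assumed)."""

# Test methods the checklist pairs with each risk level.
RIGOROUS = {"scripted", "hybrid"}      # for high-risk functions
LEAN = {"exploratory", "scenario"}     # for not-high-risk functions

# Constructed sample matrix: requirement -> configuration -> tests -> evidence.
MATRIX = [
    {"req": "URS-001", "risk": "high", "config": "CFG-approval-chain",
     "tests": [{"id": "OQ-01", "method": "scripted", "evidence": "EV-101"}]},
    {"req": "URS-002", "risk": "high", "config": "CFG-spec-limits",
     "tests": [{"id": "EX-07", "method": "exploratory", "evidence": "EV-102"}]},
    {"req": "URS-003", "risk": "not-high", "config": "CFG-report-layout",
     "tests": [{"id": "SC-03", "method": "scenario", "evidence": None}]},
    {"req": "URS-004", "risk": "not-high", "config": None, "tests": []},
]


def find_gaps(matrix):
    """Return a sorted list of (requirement id, finding) for every broken link."""
    gaps = []
    for row in matrix:
        req, risk = row["req"], row.get("risk")
        if risk not in ("high", "not-high"):
            gaps.append((req, "no risk rating recorded"))
        if not row.get("config"):
            gaps.append((req, "no configuration item linked"))
        tests = row.get("tests") or []
        if not tests:
            gaps.append((req, "no test linked"))
        for t in tests:
            if t.get("method") not in RIGOROUS | LEAN:
                gaps.append((req, f"{t['id']}: unknown test method"))
            if not t.get("evidence"):
                gaps.append((req, f"{t['id']}: no evidence record"))
        # Assumed rule: a high-risk function needs at least one rigorous test.
        if risk == "high" and tests and not any(
                t.get("method") in RIGOROUS for t in tests):
            gaps.append((req, "high risk but only lean testing"))
    return sorted(gaps)


if __name__ == "__main__":
    for req, finding in find_gaps(MATRIX):
        print(f"{req}: {finding}")
```

Run against an export of the real matrix, a check like this flags requirements whose chain to evidence is broken before a periodic review or audit does.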
Common Pitfalls
- Checklist validation. Treating the category as a fixed deliverable list rather than a starting point for critical thinking.
- Re-testing the vendor's platform. Re-validating the base LIMS/eQMS instead of the manufacturer's configuration.
- Ignoring Category 5 scripts. Uncontrolled spreadsheets and macros processing GxP data — a frequent audit finding.
- One-and-done thinking. No change-control process to maintain the validated state, especially for cloud/SaaS updates.
- Documentation over substance. Volumes of test scripts that do not demonstrate fitness for intended use — the exact failure mode CSA and GAMP 5 2nd Edition target.
Key Takeaways
- GAMP 5 Second Edition (2022) is the leading framework for GxP computerized system validation; it governs production and quality-system software, not device software itself (SaMD/SiMD follow IEC 62304).
- The 2022 edition shifts emphasis to critical thinking, risk-based scaling, Agile support, and supplier involvement, and removes Category 2.
- Software categories (1, 3, 4, 5) scale effort by risk and complexity but are not a validation checklist.
- The CSV → CSA transition is now FDA policy: a final CSA guidance (September 2025), updated February 3, 2026 to align with the QMSR, formalizes risk-based, intended-use assurance for medical device production and QMS software.
- Data integrity (ALCOA+) and 21 CFR Part 11 / Annex 11 are the predicate requirements GAMP 5 helps you satisfy.
- Maintain the validated state across the lifecycle — including SaaS and AI/ML updates — through documented change control and impact assessment.
Sources
- ISPE, GAMP® 5: A Risk-Based Approach to Compliant GxP Computerized Systems, Second Edition (2022).
- ISPE Pharmaceutical Engineering, What You Need to Know About GAMP® 5 Guide, 2nd Edition (Jan–Feb 2023) and Computer Software Assurance and the Critical Thinking Approach (Mar–Apr 2024).
- FDA, Computer Software Assurance for Production and Quality System Software — draft guidance September 13, 2022; final guidance September 24, 2025 (Federal Register 2025-18468); updated final guidance Computer Software Assurance for Production and Quality Management System Software, February 3, 2026.
- FDA, Quality Management System Regulation final rule (QMSR), effective February 2, 2026 (incorporates ISO 13485:2016 by reference; preserves 21 CFR Part 11 and UDI).
- 21 CFR Part 11, Electronic Records; Electronic Signatures; EU GMP Annex 11, Computerised Systems.
- ICH Q9(R1), Quality Risk Management.
- Scilife, GAMP 5 Guide for GxP Compliant Computerized Systems and GAMP 5 and GAMP 5 2nd Edition: What are the main differences?
- GoValidation, GAMP 5 Categories Explained 2026: Real Software Examples for Each Category.
- Xevalics Consulting, GAMP5 2nd Edition & You: Categories of Software & Hardware.
- PSC Software, FDA's Computer Software Assurance 2026: Changes and What to Do Next; Hogan Lovells, FDA finalizes computer software assurance guidance for production and quality system software.
- FDLI, Advancing the Transition to Computer Software Assurance: Responding to the FDA Draft Guidance for Production and Quality System Software (2023).