Hardware and software for computerized systems - GAMP 5
In this article, we analyze the hardware and software categories for computerized systems according to GAMP 5.
Version 5 of the GAMP guide (Good Automated Manufacturing Practice), published by ISPE (International Society for Pharmaceutical Engineering), introduces the classification of software as one of the main changes.
We analyze the changes in GAMP 5 concerning the hardware and software categories for computerized systems.
GAMP categories of software and hardware
The GAMP categories were originally introduced to provide an initial assessment regarding validation requirements/deliverables.
In GAMP 4 there were five categories. These have been revised in GAMP 5 to four categories:
- Category 1: infrastructure software that includes operating systems, database administrators, etc.
- Category 3: non-configurable software that includes operating systems, database administrators, etc.
- Category 4: configured software that includes LIMS, SCADA, SCS, CDS, etc.
- Category 5: custom software.
In the following table, you can see a comparison of the software categories in GAMP 4 and GAMP 5:
| GAMP 4 Software categories | GAMP 5 Software categories |
|---|---|
| Category 1: Operating system. Only operating systems. | Category 1: Infrastructure Software. Wide scope to cover: |
| Category 2: Firmware. | Category 2: Firmware. |
| Category 3: Standard software packages. | Category 3: Non-configured products. |
| Category 4: Configurable software packages. | Category 4: Configured products. |
| Category 5: Personalized software (custom). | Category 5: Custom Applications. |
Why classify software?
Looking at the table above, there is an integrated risk assessment. The lowest-risk and most widely available software is in category 1 (operating systems, databases, office software and other widely available software). This is software that can be used by anyone and in any industry. As we move down the categories, as shown in the table, the software usually specializes more in its function (from a general office application to software that can control a spectrometer to acquire and process data and then report the results). As we move up the list, users’ ability to change software performance and process results increases until we reach category 5. Category 5 is a unique solution that is conceived, specified, written, tested and maintained by the users or the organization; this is where the greatest risk lies.
Classification of software and its impact in the laboratory
Category 1
Category 1 has undergone a radical change, expanding from simple operating systems, which had been constant in versions 1 to 4 of GAMP, to infrastructure software. This category is divided into two subcategories:
- Established or commercially available layered software.
- Infrastructure software tools.
The intention is for the infrastructure software in this category to provide the computing environment to run regulated and unregulated applications within the organization. All software in this category must be controlled and qualified in an organization so that the IT department does not apply dual standards, which could otherwise call into question the status of validated applications.
The established or commercially available layered software subcategory has been expanded to include:
- Databases.
- Programming languages.
- Middleware.
- Office software.
- Statistical programming tools and spreadsheet packages.
Keep in mind that many of these software tools are the basic products for applications used in the laboratory or are the base layer under which laboratory applications operate. Category 1 also includes office software such as word processing applications, spreadsheets, databases, and presentations. So, before rushing to think that it is not necessary to validate Excel sheets, we must know that the guide indicates that the “applications developed with these packages” are excluded from category 1 and that they can be category 3, 4 or 5, depending on their complexity.
The second subcategory is that of the infrastructure software tools that comprise a wide variety of software, such as:
- Network monitoring software
- Anti-virus
- Backup
- Support
- IT configuration management tools and other network software
This gives the IT group the tools to establish, protect, monitor and manage their computing environment and networks, and the place where they store their lab data and electronic records. However, care should be taken with the applications in this subcategory, since the way an application is used could drastically change the category to which it is assigned. If there are no regulatory data in these tools, then they are category 1, but if they are the only tools for problem management or change control processes for a regulated application, this changes the category and moves the tool, for validation purposes, towards the following categories.
From the perspective of laboratory, audit, and inspection, what is required is the control of the applications that belong to group 1. Some of the typical controls are:
- Identification of the software (name, version, and provider)
- Where it is installed, including the path to the server: virtual server
- Configuration to operate in your environment
- Demonstration that the software has been installed correctly
- A simple demonstration that the software works
Everything must be done regardless of where the software originates: open-source or commercial software. Also, change control and configuration management are essential elements of control both in category 1 and in the other software categories. So we qualify these software elements; we do not validate them. Instead, we validate the software in categories 3, 4 and 5.
Category 2
Category 2 of GAMP 4 has been eliminated. This category was related to firmware. The reason is that firmware can range from simple to custom software, so it can be included in the other categories according to its nature.
In its original form, firmware was a set of operating instructions for an instrument integrated into a read-only memory (ROM) chip or used to initiate more complicated programs in an instrument or device.
Over time, firmware chips have become larger to hold more instructions, and ROM can be replaced with flash ROM. Then, instead of a simple set of instructions, the user can now change the way the instrument works.
Therefore, the reason for the discontinuation in GAMP 5 is that the software found in firmware can be classified in the remaining software categories. In doing so, you should eliminate the impact of user-defined programs that are possible with the most complex type of firmware systems.
Category 3
Category 3 in GAMP 5 has been renamed from Standard Software to Non-configured Products to sharpen the difference between this software and category 4 software.
This category includes software that is used as installed and may also include software that is configurable (category 4) but is used unconfigured or with the standard defaults provided by the software provider.
Despite the name of the category (Non-configured Products), category 3 software is also configured, but only for the runtime environment (this distinguishes category 3 from category 4 software). That is to say:
- When installing a category 3 application, the software can operate and automate the business process without any modification.
- The configuration for the execution environment is only the definition of the elements in the software that allow the system to work within the installed environment. Some typical runtime configuration parameters are the definition of users and user types for authorized persons, the entry of the department or company name in the report headers, the selection of units to present or report data, the location of default data storage (either a local or network directory), and the default printer.
Category 4
The name of this category has changed to help refine and redefine software categories; the guide has gone from defining the software as “package” in GAMP version 4 to “product” in GAMP version 5.
The main difference between category 3 and category 4 software is the ability to modify the function of the software to match a business process. The user has the means and the knowledge to change the functionality of the device in a way that changes the results generated by the device. As a direct consequence, this triggers a greater validation effort.
Understanding the thin line that seems to separate “configure” (category 4) from “customize” (category 5) is key to managing the software and the risk of validation.
Category 5
GAMP 5 has not changed much in this area, apart from the renaming of custom software to custom application. This is the riskiest software, since it can be unique and may not be subject to the same rigors of specification and testing as commercial products, given that it could be developed internally or subcontracted to a commercial software company.
This category of software implicitly includes written macros, for example within a spectrometer application to produce a shortcut to process or manipulate data. These macros are custom software and not an application in themselves. Each macro must be validated and controlled to ensure that it does what it is supposed to do. This category also includes user-defined programs written in category 2 instruments; again, each one will be validated.
Therefore, each application, module, user-defined program or macro must be specified, version-controlled, built and tested (including the integration tests with the commercial application, as applicable) at least to guarantee the quality of the software. Also, custom code modules must have their source code managed and backed up to avoid overwriting or loss, respectively.
At Oqotech, we work day by day on process validation and efficiency, accompanying our clients from computerization to the validation of computerized systems, maintenance of the validated environments and GxP training to the internal team.