Gamp Categories -

If you can’t change any settings, it’s Category 3.

: Regulatory bodies like the FDA expect a logical justification for why a system was validated in a certain way. Following GAMP categories provides that justification. How to Choose a Category When assessing a new system, ask these three questions: gamp categories

Most enterprise systems fall into this category. These are standard products where the user can configure specific business processes or workflows without changing the software's source code. If you can’t change any settings, it’s Category 3

, provide a critical framework for this through its software categorization system. By classifying software into specific "risk buckets," GAMP 5 allows organizations to scale their validation efforts—focusing heavy documentation on complex custom code while streamlining standard off-the-shelf tools. The Four Pillars of GAMP 5 Software While earlier versions included a Category 2, GAMP 5 has simplified the framework into four primary categories: 1. Category 1: Infrastructure Software These are the foundational layers that support your GxP applications. They are generally considered low-risk because they are mature, widely used products. Examples: Operating systems (Windows, Linux), database engines (SQL, Oracle), and network management tools. Validation Approach: Typically managed through IT infrastructure qualification rather than individual system validation. 2. Category 3: Non-Configurable Software This category covers "Commercial Off-The-Shelf" (COTS) software used for specific business processes but cannot be modified to change how it functions. Examples: Simple laboratory instruments, firmware, or standard office applications like basic spreadsheets. Validation Approach: Verification focuses on confirming the software is installed correctly and meets the user's requirements (URS) through standard testing. 3. Category 4: Configurable Software This is the most common category in the industry. These systems allow users to configure business-specific workflows and rules without changing the underlying source code. Examples: LIMS (Laboratory Information Management Systems), ERP systems (like SAP), and SCADA systems. Validation Approach: Requires a more rigorous life cycle, including detailed configuration specifications and traceability from requirements to testing. 4. Category 5: Custom (Bespoke) Software These are applications or modules built from scratch specifically for a company's unique needs. They carry the highest risk because the code is unproven in the wider market. Examples: Custom-coded macros, unique interfaces, or entirely proprietary internal applications. Validation Approach: Demands the most exhaustive validation, including full design specifications, code reviews, and comprehensive unit, integration, and system testing. Why Categorization Matters The goal of categorization isn't just to check a box; it's to apply How to Choose a Category When assessing a

These are the foundational systems that are not application-specific. They are often widely used and considered low risk because they are developed according to established IT standards.