GAMP 5 (Good Automated Manufacturing Practice, 5th Edition) published by ISPE is the most widely recognised framework for categorising and validating computerised systems in pharmaceutical manufacturing. Its risk-based approach allows companies to calibrate validation effort to the actual risk a system poses to product quality and patient safety - rather than treating every piece of software identically.
The Second Edition of GAMP 5 (2022) introduced significant changes to the category structure. This article explains the current categories, what the Second Edition changed, and how to apply classification practically.
Why Classification Matters
GAMP 5 categories determine how much validation work is needed for a given system. A system classified in the wrong category can lead to two problems: over-validating low-risk systems (wasting resources) or under-validating high-risk systems (creating regulatory exposure). Regulators do not mandate that you use GAMP 5 categories, but they do expect that your validation approach is risk-based and justified - and GAMP 5 provides a widely accepted methodology for achieving this.
The Original GAMP 5 Categories (First Edition)
The first edition of GAMP 5 (2008) defined five software categories:
- Category 1 - Infrastructure Software: Operating systems, database engines, and middleware. Low risk because they are not GxP-specific. Typically requires only inventory management and vendor qualification.
- Category 2 - Non-configured Products (removed in 2nd Edition): Standard instruments with fixed firmware. This category was removed in the 2022 revision - see below.
- Category 3 - Non-configured Products (instruments/firmware): Standard commercial off-the-shelf software used without configuration. Examples include standard balance firmware or simple PLCs with fixed logic. Requires good supplier documentation and functional testing.
- Category 4 - Configured Products: Commercial software configured to meet specific user requirements, such as LIMS, ERP, DMS, or MES systems. The largest and most complex category - requires full lifecycle validation including configuration specification, functional testing, and change control.
- Category 5 - Custom Applications: Bespoke software written specifically for the company. Highest validation burden - requires the same as Category 4 plus full source code review and software development lifecycle documentation.
What Changed in GAMP 5 Second Edition (2022)?
The Second Edition restructured the category system significantly:
- Category 2 was removed. The original Category 2 (instruments with non-configurable firmware) was merged into Category 3. This simplifies the classification but means teams need to re-examine systems previously classified as Category 2.
- Critical Thinking emphasis. The Second Edition places much stronger emphasis on applying critical thinking and scientific judgement rather than prescriptive checklists. Validation teams must demonstrate that they understand why each test is performed, not just that it was performed.
- Agile and cloud systems. New guidance covers agile-developed software and cloud-hosted SaaS systems - categories that did not exist in 2008 and were causing significant industry confusion.
- Data integrity integration. Data integrity requirements (ALCOA+) are now embedded throughout the lifecycle rather than treated as a separate consideration.
Practical impact: If you have systems documented as GAMP 5 Category 2, you should review them under the Second Edition framework. They will now classify as either Category 1 (infrastructure) or Category 3 (non-configured products), with corresponding changes to required validation documentation.
Category 3 in Practice: Non-Configured Products
Category 3 covers standard commercial software or instruments that are used as-designed without user configuration - the vendor has defined all the functionality, and the user simply operates it. Classic Category 3 examples: a validated pH meter, a spectrophotometer with manufacturer firmware, a standard analytical balance, a simple PLC with fixed control logic.
Typical Category 3 validation package:
- Supplier assessment or audit (confirming the supplier has a suitable software development process)
- Risk assessment documenting why the system is Category 3
- Installation Qualification and basic functional testing
- SOP for operation and periodic re-qualification
Category 4 in Practice: Configured Products
Category 4 is where most pharmaceutical companies spend the majority of their CSV effort. A configured product is standard commercial software that is set up - through configuration rather than custom code - to meet the company's specific GxP requirements. Examples include LIMS (Laboratory Information Management Systems), MES (Manufacturing Execution Systems), ERP systems with GxP modules, DMS (Document Management Systems), and historian systems.
The validation workload for Category 4 is substantial because configuration creates user-specific functionality that the vendor has not tested. Required documentation typically includes:
- User Requirements Specification (URS)
- Functional Requirements Specification (FRS) or Configuration Specification
- Vendor audit or supplier qualification assessment
- Risk assessment and validation plan
- IQ / OQ / PQ protocols and reports
- Data migration validation (if migrating from a legacy system)
- Validation Summary Report
Where Do SaaS and Cloud Systems Fit?
This is one of the most common questions in modern pharmaceutical CSV. SaaS systems (Software as a Service) delivered via the cloud - like cloud-hosted LIMS, eDMS, or eQMS platforms - do not fit neatly into the original GAMP 5 categories because the software development and hosting are entirely controlled by the vendor.
GAMP 5 Second Edition provides specific guidance: SaaS systems should be treated similarly to Category 4 (configured products) for the user-facing configuration, but with a much heavier emphasis on supplier qualification and audit rights. The supplier's SOC 2 Type II report, business continuity plans, data residency, and backup validation all become part of the validation package.
Free GAMP 5 System Classification Worksheet
Use our structured worksheet to classify your computerised systems under GAMP 5 Second Edition and determine the right validation scope.
Download Free Checklist →