GAMP 5 second edition (2022) defines four active software categories that determine how much validation a GxP system requires — from configuration documentation only (Cat 1) to full software development lifecycle (Cat 5). Your category assignment is the starting point for every CSA-based validation programme.
GAMP 5 Categories — Quick Reference
Four active categories. One removed. Each maps to a distinct validation burden.
Each Category — What It Means in Practice
OS, databases, virtualisation platforms used as supplied. No IQ/OQ/PQ. Document version, patch level, and config baseline. Every infrastructure change needs a downstream GxP impact assessment.
- Windows Server / Red Hat Linux
- Oracle DB / MS SQL Server
- VMware vSphere / Hyper-V
- Active Directory / Azure AD
Commercial software used exactly as supplied — no custom workflows or fields. Validation focuses on whether it does what you need it to do in your environment, not the vendor's software quality.
- Excel (read-only reference data)
- Standard PDF readers/viewers
- Fixed-function lab instrument firmware
- Standard network monitoring tools
Most common in pharma. Validate your configuration — workflows, approval chains, reports — not the base platform. Leverage vendor test evidence; FDA CSA explicitly endorses this approach.
- SAP ERP (QM/MM/PM modules)
- Veeva Vault QMS / eTMF
- Waters Empower LIMS
- MasterControl / GoVal VLMS
Built specifically for you — including any Python/VBA script that processes GxP data, regardless of code length. Full SDLC required. Avoid Category 5 where a Cat 4 commercial alternative exists.
- Custom SCADA / DCS systems
- Bespoke MES / lab automation
- Python, R, VBA scripts on GxP data
- Custom GxP system integrations
How to Classify Your Software — 4 Steps
GAMP 5 + FDA CSA — How They Work Together
| Category | GAMP 5 Requirement | CSA Approach |
|---|---|---|
| Cat 1 | Config documentation + change control | No change — same lightweight approach |
| Cat 3 | Functional testing for intended use | Leverage vendor testing where available |
| Cat 4 | Full IQ/OQ/PQ on your configuration | Use vendor evidence for base platform; test your config |
| Cat 5 | Full SDLC lifecycle validation | No vendor evidence to leverage — full rigour required |
Frequently Asked Questions
What are the GAMP 5 software categories? +
What GAMP category is SAP, a LIMS, or a QMS? +
Does a custom Excel macro or Python script need GAMP 5 validation? +
Why was Category 2 removed from GAMP 5? +
What validation is required for GAMP 5 Category 4 systems? +
How do GAMP 5 categories and FDA CSA work together? +
What is Category 1 infrastructure software and what validation is needed? +
What lifecycle validation is required for Category 5 custom software? +
Stop Guessing Which Category Your Systems Fall Under
GoVal classifies every system in your portfolio, configures the right validation workflow, and keeps your entire portfolio audit-ready — without inconsistency from manual classification.
Get Your System Portfolio Categorised