Skip to main content

GAMP 5 Categories Explained 2026: Real Software Examples for Each Category

Computer System ValidationBy Gobinath7 min read
GAMP 5 Categories Explained 2026: Real Software Examples for Each Category

GAMP 5 second edition (2022) defines four active software categories that determine how much validation a GxP system requires — from configuration documentation only (Cat 1) to full software development lifecycle (Cat 5). Your category assignment is the starting point for every CSA-based validation programme.

GAMP 5 Categories — Quick Reference

Four active categories. One removed. Each maps to a distinct validation burden.

Category
Type
Risk Level
Validation Required
1
Infrastructure Software
Low
Configuration documentation + change control only
2
Removed in 2022
N/A
No longer applicable — update any SOPs still referencing this
3
Non-Configured Standard
Low–Med
Functional testing for intended use
4
Configured Standard
Medium–High
Full IQ/OQ/PQ on your configuration
5
Custom Software
High
Full SDLC lifecycle validation

Each Category — What It Means in Practice

🖥️ Category 1 — Infrastructure

OS, databases, virtualisation platforms used as supplied. No IQ/OQ/PQ. Document version, patch level, and config baseline. Every infrastructure change needs a downstream GxP impact assessment.

  • Windows Server / Red Hat Linux
  • Oracle DB / MS SQL Server
  • VMware vSphere / Hyper-V
  • Active Directory / Azure AD
📦 Category 3 — Non-Configured

Commercial software used exactly as supplied — no custom workflows or fields. Validation focuses on whether it does what you need it to do in your environment, not the vendor's software quality.

  • Excel (read-only reference data)
  • Standard PDF readers/viewers
  • Fixed-function lab instrument firmware
  • Standard network monitoring tools
⚙️ Category 4 — Configured

Most common in pharma. Validate your configuration — workflows, approval chains, reports — not the base platform. Leverage vendor test evidence; FDA CSA explicitly endorses this approach.

  • SAP ERP (QM/MM/PM modules)
  • Veeva Vault QMS / eTMF
  • Waters Empower LIMS
  • MasterControl / GoVal VLMS
🔧 Category 5 — Custom

Built specifically for you — including any Python/VBA script that processes GxP data, regardless of code length. Full SDLC required. Avoid Category 5 where a Cat 4 commercial alternative exists.

  • Custom SCADA / DCS systems
  • Bespoke MES / lab automation
  • Python, R, VBA scripts on GxP data
  • Custom GxP system integrations

How to Classify Your Software — 4 Steps

1
Determine software originWas it developed specifically for your organisation? If yes → Category 5, regardless of anything else.
2
Check the configuration levelCan it be configured with your workflows, fields, and approval chains? Yes → Category 4. Used exactly as the vendor ships it? → Category 3.
3
Identify infrastructure softwareOS, database engine, virtualisation platform, or directory service? → Category 1. No IQ/OQ/PQ — just config documentation and change control.
4
Apply the correct validation requirementCat 1: config baseline only. Cat 3: functional testing. Cat 4: full IQ/OQ/PQ on your config. Cat 5: full SDLC documentation.

GAMP 5 + FDA CSA — How They Work Together

CategoryGAMP 5 RequirementCSA Approach
Cat 1Config documentation + change controlNo change — same lightweight approach
Cat 3Functional testing for intended useLeverage vendor testing where available
Cat 4Full IQ/OQ/PQ on your configurationUse vendor evidence for base platform; test your config
Cat 5Full SDLC lifecycle validationNo vendor evidence to leverage — full rigour required

Frequently Asked Questions

What are the GAMP 5 software categories?
GAMP 5 second edition (2022) defines four active categories: Category 1 (infrastructure — config only), Category 3 (non-configured commercial — functional testing), Category 4 (configured commercial — full IQ/OQ/PQ on configuration), Category 5 (custom — full SDLC). Category 2 was removed in the 2022 second edition.
What GAMP category is SAP, a LIMS, or a QMS?
Most ERP, LIMS, and QMS platforms — SAP, Waters Empower, Veeva Vault, MasterControl, GoVal — are Category 4: configured standard products. Your validation focuses on your configuration (workflows, approval chains, reports), not the base platform. Leverage vendor documentation to avoid re-testing what the vendor has already validated.
Does a custom Excel macro or Python script need GAMP 5 validation?
Yes — if it processes GxP data, it is Category 5 regardless of code size. A 20-line VBA macro that calculates a specification limit and writes to a batch record is Category 5. Code length does not change regulatory classification.
Why was Category 2 removed from GAMP 5?
The GAMP 5 second edition (2022) removed Category 2 (previously covering firmware and instruments), addressing those systems within the remaining categories. If your SOPs still reference Category 2, update them — an auditor familiar with the current edition will flag it.
What validation is required for GAMP 5 Category 4 systems?
URS, risk assessment, vendor audit or SDI review, and full IQ/OQ/PQ focused on your specific configuration. An RTM links every URS requirement to test cases. Leverage vendor evidence for base platform functionality; test and document everything specific to your configuration.
How do GAMP 5 categories and FDA CSA work together?
Highly complementary. GAMP 5 provides category-based triage. FDA CSA guidance (September 2025) endorses the same risk-based approach and explicitly supports leveraging vendor evidence for Category 4 base functionality. Together they produce a proportionate, defensible validation programme.
What is Category 1 infrastructure software and what validation is needed?
OS, database engines, virtualisation platforms, and directory services. No IQ/OQ/PQ required. Document installed version, patch level, and configuration baseline. Ensure every infrastructure change goes through formal change control with downstream GxP impact assessment.
What lifecycle validation is required for Category 5 custom software?
Full SDLC documentation: URS, Functional Specification, Design Specification, source code review, full IQ/OQ/PQ, vendor SDLC audit if externally developed, defect tracking records, and ongoing change control. The most documentation-intensive category — avoid it where a Category 4 commercial alternative exists.

Stop Guessing Which Category Your Systems Fall Under

GoVal classifies every system in your portfolio, configures the right validation workflow, and keeps your entire portfolio audit-ready — without inconsistency from manual classification.

Get Your System Portfolio Categorised