Skip to main content

GAMP 5 Categories Explained 2026: Real Software Examples for Each Category

written by
Sundar
Director, GoVal
Published on
Last updated on
Reading time: 5 min read

Ready to modernize?

See GoVal in Action

Book a 30-minute walkthrough with our validation specialists. No slides — just your questions, answered live.

Contact Us
Summary

GAMP 5 second edition (2022) defines four active software categories that determine how much validation a GxP system requires. Category 1 covers infrastructure software requiring only configuration control, Category 3 covers non-configured commercial software, Category 4 covers configured software, and Category 5 covers custom software requiring a full SDLC. Category 2 was officially removed. Correct category assignment is the foundation for every proportionate, CSA-based validation programme.

GAMP 5 second edition (2022) defines four active software categories that determine how much validation a GxP system requires — from configuration documentation only (Category 1) to full software development lifecycle (Category 5). Your category assignment is the starting point for every CSA-based validation programme.

GAMP 5 Categories — Quick Reference

CategoryTypeValidation RequiredRisk Level
Category 1Infrastructure SoftwareConfiguration documentation + change control onlyLow
Category 2Removed in 2022No longer applicable — update any SOPs referencing thisN/A
Category 3Non-Configured StandardFunctional testing for intended useLow–Med
Category 4Configured StandardFull IQ/OQ/PQ on your configurationMed–High
Category 5Custom SoftwareFull SDLC lifecycle validationHigh

Each Category — What It Means in Practice

Category 1 — Infrastructure

OS, databases, and virtualisation platforms used as supplied. No IQ/OQ/PQ needed. Document version, patch level, and config baseline. Every infrastructure change needs a downstream GxP impact assessment.

  • Windows Server / Red Hat Linux
  • Oracle DB / MS SQL Server
  • VMware vSphere / Hyper-V
  • Active Directory / Azure AD
Category 3 — Non-Configured Standard

Commercial software used exactly as supplied — no custom workflows or fields. Validation focuses on whether it does what you need it to do in your environment, not the vendor's software quality.

  • Excel (for read-only reference data)
  • Standard PDF readers/viewers
  • Fixed-function lab instrument firmware
  • Standard network monitoring tools
Category 4 — Configured Standard

The most common category in pharma. Validate your configuration — workflows, approval chains, reports — not the base platform. Leverage vendor test evidence; FDA CSA explicitly endorses this approach to minimize re-testing.

  • SAP ERP (QM/MM/PM modules)
  • Veeva Vault QMS / eTMF
  • Waters Empower LIMS
  • MasterControl / GoVal VLMS
Category 5 — Custom Software

Built specifically for you — including any custom script that processes GxP data, regardless of code length. Full Software Development Life Cycle (SDLC) required. Avoid Category 5 where a Category 4 commercial alternative exists.

  • Custom SCADA / DCS systems
  • Bespoke MES / lab automation
  • Python/R/VBA scripts on GxP data
  • Custom GxP system integrations

How to Classify Your Software — 4 Steps

1. Determine software origin

Was it developed specifically for your organisation? If yes, it is Category 5, regardless of anything else.

2. Check the configuration level

Can it be configured with your workflows, fields, and approval chains? If yes, it is Category 4. If it is used exactly as the vendor ships it, it is Category 3.

3. Identify infrastructure software

Is it an OS, database engine, virtualisation platform, or directory service? If yes, it is Category 1. No IQ/OQ/PQ is needed — just configuration documentation and change control.

4. Apply the correct validation requirement

Category 1: Configuration baseline only. Category 3: Functional testing for intended use. Category 4: Full IQ/OQ/PQ on your configuration. Category 5: Full SDLC documentation.

GAMP 5 + FDA CSA — How They Work Together

GAMP 5 provides the category-based triage. FDA CSA endorses the exact same risk-based approach to validation effort.

CategoryGAMP 5 RequirementFDA CSA Approach
Category 1Config documentation + change controlNo change — same lightweight approach
Category 3Functional testing for intended useLeverage vendor testing where available
Category 4Full IQ/OQ/PQ on your configurationUse vendor evidence for base platform; focus testing entirely on your configuration
Category 5Full SDLC lifecycle validationNo vendor evidence to leverage — full testing rigor and unscripted documentation required

Related Topics

GxP Compliance Software CSV vs. CSA Guidance Validation Software Comparison Unified GxP Validation

Frequently Asked Questions

What are the GAMP 5 software categories? +
GAMP 5 second edition (2022) defines four active categories: Category 1 (infrastructure — config only), Category 3 (non-configured commercial — functional testing), Category 4 (configured commercial — full IQ/OQ/PQ on configuration), Category 5 (custom — full SDLC). Category 2 was removed in the 2022 second edition.
What GAMP category is SAP, a LIMS, or a QMS? +
Most ERP, LIMS, and QMS platforms — SAP, Waters Empower, Veeva Vault, MasterControl, GoVal — are Category 4: configured standard products. Your validation focuses on your configuration (workflows, approval chains, reports), not the base platform. Leverage vendor documentation to avoid re-testing what the vendor has already validated.
Does a custom Excel macro or Python script need GAMP 5 validation? +
Yes — if it processes GxP data, it is Category 5 regardless of code size. A 20-line VBA macro that calculates a specification limit and writes to a batch record is Category 5. Code length does not change regulatory classification.
Why was Category 2 removed from GAMP 5? +
The GAMP 5 second edition (2022) removed Category 2 (previously covering firmware and instruments), addressing those systems within the remaining categories. If your SOPs still reference Category 2, update them — an auditor familiar with the current edition will flag it.
What validation is required for GAMP 5 Category 4 systems? +
URS, risk assessment, vendor audit or SDI review, and full IQ/OQ/PQ focused on your specific configuration. An RTM links every URS requirement to test cases. Leverage vendor evidence for base platform functionality; test and document everything specific to your configuration.
How do GAMP 5 categories and FDA CSA work together? +
Highly complementary. GAMP 5 provides category-based triage. FDA CSA guidance (September 2025) endorses the same risk-based approach and explicitly supports leveraging vendor evidence for Category 4 base functionality. Together they produce a proportionate, defensible validation programme.

Stop Guessing Your GAMP 5 Categories

GoVal classifies every system in your portfolio, configures the right validation workflow, and keeps your entire portfolio audit-ready — without inconsistency from manual classification.

Book a Free Demo →