CSV & Validation

GAMP 5 Risk Categories Explained: How to Classify Your System

10 min read By Ahmad Al-Sharif, Senior CSV Consultant

GAMP 5 (Good Automated Manufacturing Practice, 5th Edition) published by ISPE is the most widely recognised framework for categorising and validating computerised systems in pharmaceutical manufacturing. Its risk-based approach allows companies to calibrate validation effort to the actual risk a system poses to product quality and patient safety - rather than treating every piece of software identically.

The Second Edition of GAMP 5 (2022) introduced significant changes to the category structure. This article explains the current categories, what the Second Edition changed, and how to apply classification practically.

Why Classification Matters

GAMP 5 categories determine how much validation work is needed for a given system. A system classified in the wrong category can lead to two problems: over-validating low-risk systems (wasting resources) or under-validating high-risk systems (creating regulatory exposure). Regulators do not mandate that you use GAMP 5 categories, but they do expect that your validation approach is risk-based and justified - and GAMP 5 provides a widely accepted methodology for achieving this.

The Original GAMP 5 Categories (First Edition)

The first edition of GAMP 5 (2008) defined five software categories:

  • Category 1 - Infrastructure Software: Operating systems, database engines, and middleware. Low risk because they are not GxP-specific. Typically requires only inventory management and vendor qualification.
  • Category 2 - Non-configured Products (removed in 2nd Edition): Standard instruments with fixed firmware. This category was removed in the 2022 revision - see below.
  • Category 3 - Non-configured Products (instruments/firmware): Standard commercial off-the-shelf software used without configuration. Examples include standard balance firmware or simple PLCs with fixed logic. Requires good supplier documentation and functional testing.
  • Category 4 - Configured Products: Commercial software configured to meet specific user requirements, such as LIMS, ERP, DMS, or MES systems. The largest and most complex category - requires full lifecycle validation including configuration specification, functional testing, and change control.
  • Category 5 - Custom Applications: Bespoke software written specifically for the company. Highest validation burden - requires the same as Category 4 plus full source code review and software development lifecycle documentation.

What Changed in GAMP 5 Second Edition (2022)?

The Second Edition restructured the category system significantly:

  • Category 2 was removed. The original Category 2 (instruments with non-configurable firmware) was merged into Category 3. This simplifies the classification but means teams need to re-examine systems previously classified as Category 2.
  • Critical Thinking emphasis. The Second Edition places much stronger emphasis on applying critical thinking and scientific judgement rather than prescriptive checklists. Validation teams must demonstrate that they understand why each test is performed, not just that it was performed.
  • Agile and cloud systems. New guidance covers agile-developed software and cloud-hosted SaaS systems - categories that did not exist in 2008 and were causing significant industry confusion.
  • Data integrity integration. Data integrity requirements (ALCOA+) are now embedded throughout the lifecycle rather than treated as a separate consideration.

Practical impact: If you have systems documented as GAMP 5 Category 2, you should review them under the Second Edition framework. They will now classify as either Category 1 (infrastructure) or Category 3 (non-configured products), with corresponding changes to required validation documentation.

Category 3 in Practice: Non-Configured Products

Category 3 covers standard commercial software or instruments that are used as-designed without user configuration - the vendor has defined all the functionality, and the user simply operates it. Classic Category 3 examples: a validated pH meter, a spectrophotometer with manufacturer firmware, a standard analytical balance, a simple PLC with fixed control logic.

Typical Category 3 validation package:

  • Supplier assessment or audit (confirming the supplier has a suitable software development process)
  • Risk assessment documenting why the system is Category 3
  • Installation Qualification and basic functional testing
  • SOP for operation and periodic re-qualification

Category 4 in Practice: Configured Products

Category 4 is where most pharmaceutical companies spend the majority of their CSV effort. A configured product is standard commercial software that is set up - through configuration rather than custom code - to meet the company's specific GxP requirements. Examples include LIMS (Laboratory Information Management Systems), MES (Manufacturing Execution Systems), ERP systems with GxP modules, DMS (Document Management Systems), and historian systems.

The validation workload for Category 4 is substantial because configuration creates user-specific functionality that the vendor has not tested. Required documentation typically includes:

  • User Requirements Specification (URS)
  • Functional Requirements Specification (FRS) or Configuration Specification
  • Vendor audit or supplier qualification assessment
  • Risk assessment and validation plan
  • IQ / OQ / PQ protocols and reports
  • Data migration validation (if migrating from a legacy system)
  • Validation Summary Report

Where Do SaaS and Cloud Systems Fit?

This is one of the most common questions in modern pharmaceutical CSV. SaaS systems (Software as a Service) delivered via the cloud - like cloud-hosted LIMS, eDMS, or eQMS platforms - do not fit neatly into the original GAMP 5 categories because the software development and hosting are entirely controlled by the vendor.

GAMP 5 Second Edition provides specific guidance: SaaS systems should be treated similarly to Category 4 (configured products) for the user-facing configuration, but with a much heavier emphasis on supplier qualification and audit rights. The supplier's SOC 2 Type II report, business continuity plans, data residency, and backup validation all become part of the validation package.

Free GAMP 5 System Classification Worksheet

Use our structured worksheet to classify your computerised systems under GAMP 5 Second Edition and determine the right validation scope.

Download Free Checklist →
GAMP 5 CSV Risk Categories ISPE Pharmaceutical Software SaaS Validation
A

Ahmad Al-Sharif

Senior CSV Consultant · 12 years in pharmaceutical validation

Ahmad leads PHARPRO's CSV and digital validation practice. He has delivered validation projects across Jordan, UAE, Saudi Arabia, and Europe - covering FDA 21 CFR Part 11, EU GMP Annex 11, and ISPE GAMP 5 frameworks.

Frequently asked questions

GAMP 5 Category 2 (non-configured firmware on instruments) was removed in the Second Edition (2022). Those systems now classify as Category 1 (if they are infrastructure) or Category 3 (if they are non-configured commercial products). Companies should review any systems previously documented as Category 2 and update their validation rationale accordingly.
An Excel spreadsheet used for GxP calculations is typically treated as a Category 3 or 4 system depending on its complexity and configurability. A simple spreadsheet with fixed, locked formulas may be Category 3. A complex spreadsheet with macros, user-defined functions, or significant configuration is Category 4. All GxP spreadsheets require validation - the category determines the depth of testing required.
Indirectly, yes. The category influences the depth of functional testing required. Category 3 systems typically need installation verification and basic functional checks. Category 4 systems require comprehensive functional testing covering all configured functionality against the FRS. Category 5 requires this plus source code review. However, risk assessment results always take precedence - a low-risk Category 4 system may require fewer test cases than a high-risk Category 3 system.
Yes. If a vendor releases a major software update that adds significant new functionality, or if the company adds custom development on top of a configured product, the classification should be re-evaluated. Change control is the mechanism - any change that could affect a system's GxP status requires a formal change control assessment.

Ready to work with PHARPRO?

Get a free assessment of your compliance programme - no obligation.

Request Free Assessment Explore CSV Services
PHARPRO - Expert Pharma Consulting

Not sure how to classify your systems under GAMP 5? PHARPRO helps pharma teams apply the correct risk categories and build proportionate validation packages.

CSV Consulting Services → Free Assessment
Related Insights

Keep reading

More in-depth guides from the PHARPRO compliance team.

GAMP 5 Second Edition: Key Changes for CSV
New risk categories, critical thinking, and what the Second Edition means for your validation programme.
Risk Assessment in CSV: Applying GAMP 5 Principles
How to conduct a risk assessment for computerised systems and document it to regulatory standards.
CSV for SaaS and Cloud Applications in Pharma
Validation approach, vendor qualification, and documentation strategy for cloud-hosted GxP systems.
How to Write a URS for a Pharmaceutical Computerised System
Structure, GxP requirements, and a step-by-step guide to a compliant User Requirements Specification.
IQ OQ PQ Explained: What Each Phase Requires
Regulatory basis, documentation requirements, and what auditors look for in each qualification phase.