| Category | Configurability | Risk Level | Validation Intensity | Key Deliverable | | :--- | :--- | :--- | :--- | :--- | | | N/A (Platform) | Low | IQ Only | Installation Verification | | 3. Standard | None (As-is) | Low | IQ + UAT | Black Box Testing | | 4. Configured | High (No Code) | Medium/High | Full IQ/OQ/PQ | Config Specs & Testing | | 5. Custom | N/A (Code Written) | Very High | Full SDLC | Code Review & Unit Testing |
How do you categorize a piece of software? Does it need full validation? Can you rely on vendor testing?
Disclaimer: This post is for educational purposes. Always refer to the official ISPE GAMP 5 guide (Second Edition) and consult your quality assurance team for specific validation requirements. gamp 5 categories of software
Full software development life cycle (SDLC) rigor. This includes:
Category 2 (Firmware) was removed in GAMP 5 because modern firmware is now complex enough to fit into the other categories based on its function. RxERP +1 Category Type Description Examples Risk Level Category 1 Infrastructure Software Foundational software used to run other applications. Not configured for specific business processes. Operating systems (Windows, Linux), databases (Oracle, SQL), antivirus, firewalls. Low Category 3 Non-Configured Products Off-the-shelf software used "as installed" without customization or changes to match business processes. Lab instrument control software, static data viewers, simple firmware. Low to Moderate Category 4 Configured Products Software that can be tailored to specific needs using built-in vendor tools (no code changes). LIMS, ERP (SAP), SCADA, MES, Warehouse Management Systems. Moderate Category 5 Custom Applications Bespoke software developed in-house or by a third party specifically for a business need. Custom database scripts, bespoke instrument interfaces, complex Excel macros. High Key Differences and Validation Focus 10 sites GAMP 5 Categories Explained: Validation Guide (2025) Dec 5, 2025 — | Category | Configurability | Risk Level |
Misidentifying software can lead to two costly mistakes:
Category 3 refers to "off-the-shelf" (OTS) software that is used as-is, without any customization or configuration to fit specific business processes. Common examples include laboratory instrument software with fixed workflows or simple calculators. Validation for Category 3 systems is relatively straightforward. It typically involves verifying that the software meets the user requirements through installation qualification and basic operational testing. The focus is on ensuring the software performs its intended function in the specific user environment. Category 4: Configurable Software Custom | N/A (Code Written) | Very High
Laboratory Information Management Systems (LIMS), Electronic Document Management Systems (EDMS), Enterprise Resource Planning (ERP) systems (like SAP), or SCADA systems.
Standing for Good Automated Manufacturing Practice , GAMP 5 is the benchmark guideline for validating computerized systems. However, one of the most persistent sources of confusion within the guideline is the categorization of software.
Custom-coded manufacturing execution logic, in-house developed Python scripts for data analysis, customized ERP modules written specifically for your site, or a mobile app coded from scratch.