As you move from Category 3 → 4 → 5, the risk, complexity, and validation effort increase significantly because more of the system's behavior is determined by your specific design or configuration.
You must document the configuration (Configuration Specification) and test that the specific configurations work as intended. Vendor audits become more important here. Examples:
Note: In the transition from GAMP 4 to GAMP 5, Category 2 (Firmware) was removed. Most items previously in this category were moved to Category 3 or 4. Category 3: Non-Configured Products gamp 5 categories with examples
These are the foundational tools that manage the environment in which your applications run. They are not specific to your business process, but the system cannot function without them.
These are "off-the-shelf" (OTS) software packages that are used exactly as they are provided by the vendor. You might enter data into them, but you aren't changing how the software itself functions. As you move from Category 3 → 4
Custom PLC (Programmable Logic Controller) code for a unique assembly line robot. Summary Table: Effort vs. Category Risk Level Primary Validation Focus Cat 1 Infrastructure Installation Qualification (IQ) Cat 3 Non-Configured Low/Medium URS & Operational Testing Cat 4 Configured Medium/High Configuration Specs & Risk Assessment Cat 5 Code Review, Design Specs, Full Testing Why Categorization Matters
Complex software where the "out of the box" version is tailored to fit a business process via a configuration interface. Examples: Note: In the transition from GAMP 4
By correctly identifying a system as Category 3 instead of Category 5, a company can save hundreds of hours in unnecessary documentation. Conversely, misidentifying a Category 5 system as Category 3 is a major compliance risk that could lead to "Warning Letters" during an audit.