In the article Validation Determination the use of categorising software was discussed and how this can support the approach to the validation. In this post we are looking at types of software which fall in to these categories for Process Control Systems / Automation Systems.

Categorising software is used to support the approach to the validation based on complexity and novelty of the computerised system.

The categories detailed within this post are based on GAMP 5 Software Categories.

GAMP Software Category 1 – Infrastructure Software

Unless a very simple control system (PLC and HMI) there is likely to be some elements of infrastructure software.

Infrastructure software in its most simple form is the operating system which the application software resides.

Additional software for managing the infrastructure the process control system includes:

  • Operating Systems
  • Anti-virus Software
  • Active Directory / Domain Controller
  • Database Software (SQL / Oracle)
  • Server and Network Hardware
  • Virtual Environments
  • Firewalls, including configuration
  • Server and Network Monitoring Tools
  • Backup Systems

Note: Infrastructure should be built, configured and deployed in accordance with defined process / procedure and critical aspects and / or configuration verified. Infrastructure is qualified but not validated. The validation is performed on the hosted application not on the infrastructure.

GAMP Category 3 – Non Configurable Software

Configuration relates to adding functionality through standard modules, library items to standard software applications to meet the business requirements.

In a process control system a DCS would be configured from standard modules to control a specific process and would fall under GAMP Category 4.

An electronic chart recorder which is also configured with Input Ranges, Alarm Setpoints, etc. would fall under GAMP Category 3 for while it is has parameters entered under the configuration it does not define functionality or a process flow.

It is important to understand the distinction between true configuration and parameterisation when assigning the category.

Other examples that would fit under GAMP category 3 would be systems that are provided with computerised controllers, including Programmable Logic Controllers (PLC’s) where the application is not modified (although may be parameterised) to meet the business need. Within the pharmaceutical industry there are many examples of these including Labelling and Packaging equipment.

There is no fixed rule as to the validation approach for GAMP Category 3 systems. This should be combined with the impact or criticality of the process that the system is monitoring and / or controlling. It can support decisions as to lifecycle steps that may not need to be performed for example Source Code Reviews, limited verification activities and greater reliance on vendor test documentation.

As with any supplier you should ensure that the software has been performed in accordance with an appropriate quality management system. However the GAMP Category can support the decision as to the level of supplier assessment that needs to be performed (Postal Questionnaire rather than Full Site Audit.

EU Annex 11 states that the need for an audit should be based on a risk assessment refer to the Validation Determination post.

Related: Train Your Staff on Risk Based Equipment Qualification

GAMP Software Category 4 – Configured Software

Configured software for a process control system is software applications that are configured to meet specific business needs (see above GAMP Category 3).

GAMP Category 4 – Configured Software range in complexity from simple configuration of SCADA system graphics to complex process control within a DCS or PLC (linking standard library objects to control the process).

Examples of configurable software for a Process Control System includes:

  • DCS / SCADA Mimics
  • DCS / SCADA Databases (Alarms, Tags, History)
  • PLC / DCS programs configured from Standard functions library / IEC61131-3

For GAMP Category 4 software the approach to the computer systems validation may be to use the supplier’s documentation and verification to demonstrate the suitability of the standard modules and limit the regulated company’s verification to the critical functions of the business process and functions to support regulatory compliance (security, electronic records, etc.).

GAMP Software Category 5 – Bespoke Software

Bespoke software is software that is generally written from scratch to fulfil the business need. As this software is going the full development lifecycle there is a higher level of risk of errors within the application code.

In terms of a Process Control System GAMP Category 5 software may range from PLC logic (Ladder, Sequence Flow Chart, C++, etc.) to custom scripts written within the SCADA / DCS system.

As GAMP Software Category 5 the level of verification through software testing (FAT, SAT, IQ, OQ, etc.) will be increased. The level and formality of performing and documenting this testing will be determined on the GMP Impact (Product Quality, Patient Safety, Data Integrity and GMP regulatory requirements).


The Validation Determination can be used to identify each component of the system and the associated software category(s).

The GAMP Software Category may be used to support Computer Systems Validation decisions which may be documented within the Validation Determination Statement or within the Validation Plan.

The GAMP Category can also be used to support further risk assessments, for example consider the type of software category for controlling / monitoring each function. The likelihood of failure or the failure going undetected may be lower for less complex / novel software.