The key is not to do less work, but to do smarter work—focusing on how the software integrates into your unique process and ensuring that the data it produces remains beyond reproach.
Category 3 in the GAMP 5 framework refers to (e.g., parameter settings, screen layouts, workflow definitions) but whose source code is not altered . Because the functionality is pre‑qualified by the vendor, validation effort focuses on:
The GAMP 5 lifecycle model (Planning → Specification → Build → Test → Release → Operation → Retirement) applies, but is replaced by Configuration . The major activities are illustrated below:
: Validation efforts primarily center on Installation Qualification (IQ) and Operational Qualification (OQ) . gamp 5 category 3
| Phase | Key Activities | Primary Deliverables | |-------|----------------|----------------------| | | • Define scope, risk classification, team roles • Create Validation Master Plan (VMP) with Category 3 focus | VMP, Project Charter | | 2. Requirements Specification | • User Requirements Specification (URS) • Functional Specification (FS) derived from URS • Gap analysis (vendor vs. URS) | URS, FS, Gap Analysis Report | | 3. Configuration & Build | • Configure the package (parameter settings, workflows, security, interfaces) • Document each configuration item (CI) | Configuration Specification (CS), CI Register | | 4. Supplier Qualification | • Vendor audit (ISO‑9001, GAMP 5 compliance, change‑control) • Review of vendor validation package (VVP) | Supplier Qualification Report, VVP Acceptance | | 5. Testing | • IQ – Installation Qualification (infrastructure, OS, DB) • OQ – Operational Qualification (configuration meets FS) • PQ – Performance Qualification (real‑world use cases) | IQ Protocol/Report, OQ Protocol/Report, PQ Protocol/Report | | 6. Release | • Review of all testing, deviations, risk assessment • Formal sign‑off | Release Summary, Validation Sign‑off Sheet | | 7. Operation | • SOPs for daily use, backup, security, incident handling • Periodic review (e.g., annual) | SOPs, Periodic Review Report | | 8. Change Control | • Impact‑based change control (minor config change vs. major functional change) | Change Request, Impact Assessment, Updated CI Register | | 9. Retirement | • Data migration, archiving, system de‑commissioning | Retirement Plan, Archive Verification |
Ensure the software allows for "ALCOA+" principles (Attributable, Legible, Contemporaneous, Original, Accurate). Even simple Category 3 tools must have secure login and audit trails if they handle GxP data. Conclusion
You use the "default" settings. If you change a setting that doesn't alter the business process (like changing the screen color or language), it remains Category 3. The key is not to do less work,
While the end user can enter standard runtime parameters (e.g., setpoints, alarm limits, print intervals), they cannot modify the underlying logic, code, or predefined functional blocks. Common examples include:
This approach ensures compliance with regulatory expectations (FDA, EU GMP Annex 11, 21 CFR Part 11) without unnecessary documentation overhead for simple, fixed-function software.
Standard laboratory instrument software (e.g., a simple pH meter or balance software). The major activities are illustrated below: : Validation
Prepared: 10 April 2026
Understanding GAMP 5 Category 3: Strategies for Compliant Non-Configured Software
In the highly regulated world of pharmaceuticals, medical devices, and biotechnology, ensuring that computerized systems are "fit for intended use" is not just a best practice—it is a legal requirement. To navigate this complexity, the International Society for Pharmaceutical Engineering (ISPE) developed the framework.