Why GAMP 5 Category 4 Compliance Is Harder Than It Looks
GAMP 5 Category 4 covers configurable commercial software — systems like ERP, LIMS, and MES that you set up through built-in tools and parameter settings, without touching the underlying source code.
Here's a quick snapshot of what that means in practice:
| Question | Answer |
| --- | --- |
| What is it? | Commercial software configured to your business needs without code changes |
| Common examples | ERP, LIMS, MES, SCADA, QMS, Chromatography Data Systems |
| Validation focus | Your specific configurations and business processes — not the vendor's base code |
| Key activities | URS, supplier assessment, IQ/OQ/CQ, risk-based testing, traceability matrix |
| Main risk | Misconfiguration, inadequate change control, or over/under-validation |
So if you're implementing a configurable system in a GxP environment, your validation obligation is real — and it centers on how you've set the system up, not how the vendor built it.
That distinction sounds simple. In practice, it trips up validation teams constantly.
Configurable software sits in a unique middle ground. It's more complex than off-the-shelf Category 3 software, but it doesn't carry the full development burden of custom Category 5 code. That "in-between" status means validation strategies are often poorly scoped — either over-engineered or dangerously thin.
This is especially costly for validation managers juggling dozens of systems, tight timelines, and resource constraints. Getting Category 4 right the first time matters.
I'm Stephen Ferrell, Chief Product Officer at Valkit.ai and a contributing author to the ISPE GAMP 5 Second Edition, with over two decades helping regulated organizations design and execute risk-based validation strategies for GAMP 5 Category 4 systems. In this guide, I'll walk you through exactly how to configure, validate, and maintain Category 4 systems correctly — so you can stay compliant without drowning in unnecessary documentation.
Defining GAMP 5 Category 4: Configurable Software vs. Custom Code
In Good Automated Manufacturing Practice (GAMP), software isn't just "software." It is classified into categories that help us determine how much work we need to do to prove it’s safe and effective. GAMP 5 category 4 is often described as the "Goldilocks" category—it's complex enough to do exactly what your business needs, but standard enough that you aren't writing the software from scratch.
According to the GAMP 5 Software Categories, Category 4 consists of "Configured Products." These are standard software packages where the user can tailor the functionality to suit their specific business process by "filling in the blanks" or setting parameters. You aren't changing the source code; you are simply telling the software how to behave for your specific workflow.
To understand where GAMP 5 category 4 sits, we have to look at its neighbors. Category 3 software is "Non-configurable," like a simple calculator or a firmware-driven pH meter where you just turn it on and use it. Category 5 is "Bespoke" or custom-built software, where every line of code is written specifically for you.
| Feature | Category 3 (Non-Configurable) | Category 4 (Configurable) | Category 5 (Custom/Bespoke) |
| --- | --- | --- | --- |
| Code Modification | None | None | Extensive |
| Configuration | Minimal/None | High (Parameters/Rules) | N/A (Built to spec) |
| Risk Level | Low to Medium | Medium | High |
| Validation Effort | Installation & Functional Check | Detailed Configuration Focus | Full SDLC & Code Review |
| Typical Example | Standard Lab Instrument | ERP, LIMS, MES | Custom Production Robot |
Key Examples of GAMP 5 Category 4 Systems
Most of the "heavy hitters" in a pharmaceutical or biotech facility fall under GAMP 5 category 4. For instance, Laboratory Information Management Systems (LIMS) are classic examples. While the core database is standard, you configure the sample types, the approval workflows, and the report templates.
Other common examples include:
- Enterprise Resource Planning (ERP): Systems used for GxP-relevant procurement or inventory management.
- Manufacturing Execution Systems (MES): Used for electronic batch records and recipe management.
- Chromatography Data Systems (CDS): Where you configure user roles, signature routing, and calculation methods.
- Quality Management Systems (QMS): Tailored for your specific deviation and CAPA workflows.
As noted in GAMP 5 Categories Explained, even a simple spreadsheet can jump from Category 1 (infrastructure) to Category 4 if you start adding complex macros or scripts that drive business decisions.
Distinguishing Category 4 from Category 5 Bespoke Code
The line between "configuring" and "customizing" can sometimes feel blurry, but for GAMP compliance, the distinction is vital.
Configuration involves using the vendor's built-in tools. Think of it like a high-end suit: Category 3 is "off the rack," Category 4 is "tailored to fit your measurements," and Category 5 is "hand-sewn from a bolt of cloth." In Category 4, you are adjusting parameter settings, defining business rules, and setting up user interfaces within the existing software framework.
Once you start writing new source code or developing custom modules that the vendor didn't provide, you have crossed into Category 5 territory. This requires a much more intensive validation effort, including formal code reviews and a full Software Development Life Cycle (SDLC).
Implementing a Risk-Based Approach for GAMP 5 Category 4
We often say that validation should be "just enough." Not "as much as humanly possible," but exactly enough to ensure patient safety, product quality, and data integrity. This is the heart of the risk-based approach outlined in ICH Q9 and the GAMP 5 guidelines.
For GAMP 5 category 4, the risk isn't usually in the base code (the vendor has hopefully tested that). The risk lies in your configuration. If you configure your ERP to allow a user to bypass a quality check, that’s a massive risk to product quality.
Scaling Validation Effort for GAMP 5 Category 4
One of the biggest mistakes we see is treating every feature of a massive system like an ERP with the same level of scrutiny. You don't need to validate the "color of the buttons" with the same intensity as the "release for sale" logic.
We scale our validation effort based on:
- Complexity: How complex is the configuration?
- Supplier Assessment: Do we trust the vendor's development process?
- Impact Analysis: Does this specific function impact the GxP process?
- ALCOA+ Principles: How does this configuration affect data integrity (Attributable, Legible, Contemporaneous, Original, Accurate)?
By focusing on high-risk functions, companies can often reduce their total testing documentation by significant margins—sometimes up to 80% for low-risk changes if they follow the latest Computer Software Assurance (CSA) principles.
Critical Thinking in Configuration Risk
The GAMP 5 Second Edition places a heavy emphasis on "Critical Thinking." Rather than just following a checklist, we ask our teams to look at the "Failure Modes."
Using Bloom’s Taxonomy as a guide, we move beyond simple "Remembering" (Does the system turn on?) to "Analyzing" and "Evaluating." For example, instead of just checking if a user can log in, we use critical thinking to ask: "What happens if a user tries to delete an audit trail entry? Does the configuration prevent this?"
This shift from "check-the-box" mentality to a risk-focused mindset is what separates a compliant system from a truly safe one.
The Validation Lifecycle: Applying the V-Model to Category 4
The V-Model is the classic framework for validation, and it applies beautifully to GAMP 5 category 4. On the left side of the "V," we define what we need. On the right side, we verify that we got it.
For a Category 4 system, the lifecycle usually looks like this:
- User Requirements Specification (URS): What does the business need the system to do?
- Functional Specification (FS): How will the software function to meet those needs?
- Configuration Specification (CS): Exactly which settings, parameters, and rules are we changing?
- Configuration Qualification (CQ): Testing those specific settings to ensure they work as intended.
At Valkit.ai, we specialize in Digitizing CQ with ValKit AI, moving away from paper-heavy processes to automated, digital workflows that link your requirements directly to your tests.
Verification and Testing Strategies for GAMP 5 Category 4
Testing for Category 4 systems is broken down into three main phases:
- Installation Qualification (IQ): Is the software installed correctly on the server?
- Operational Qualification (OQ): Do the functions work as the vendor described?
- Performance Qualification (PQ): Does the system work for our specific process under real-world conditions?
We also advocate for Exception-based reporting. In modern validation, if a low-risk test passes, a simple "Pass" is often sufficient. We save the detailed screenshots and "War and Peace" length descriptions for the high-risk, critical configurations. This approach, combined with a robust Traceability Matrix, ensures that every requirement in your URS is accounted for in your testing.
Design Qualification and Supplier Audits
Since you are relying on a vendor's core code, you must perform a Supplier Assessment. You don't necessarily need to fly to their headquarters (though for high-risk systems, you might), but you do need to verify that they have a solid Quality Management System (QMS).
A Quality Agreement with the vendor is also essential. It defines who is responsible for what—especially when it comes to patches, updates, and technical support. A vendor's "pre-validated" claim is meaningless unless it is evaluated against your specific intended use and configuration.
Maintaining Compliance through Change Control and Supplier Involvement
Validation isn't a "one and done" event. It's a continuous lifecycle. Once a GAMP 5 category 4 system is live, it enters the "Operations" phase, where Change Control becomes your best friend (or your worst enemy if not handled correctly).
Any change—whether it's a new user role, a modified report, or a software patch—must be assessed for its impact on the validated state. We utilize Delivering CSA with ValKit AI to streamline this, ensuring that changes are documented, tested, and approved without slowing down the business.
Handling Updates in GAMP 5 Second Edition
The GAMP 5 Second Edition (2022) brought some much-needed updates for the modern world, specifically regarding:
- Cloud Computing and SaaS: Moving away from "owning the server" to a shared responsibility model.
- AI/ML Integration: Guidelines for validating systems that learn and change over time.
- Agile Methodologies: Moving away from linear, "Waterfall" projects to iterative development.
- Continuous Monitoring: Using system logs and audit trails to maintain a state of control.
Modern Category 4 systems, especially those hosted in the cloud, require a more dynamic approach to maintenance. You can't just validate it once and forget it for five years. You need a process for managing the frequent updates that SaaS vendors push out.
Long-term Maintenance and Retirement
Eventually, every system reaches the end of its life. Retirement is a formal phase of the GAMP lifecycle. It involves:
- Data Migration: Ensuring your GxP data is safely moved to a new system or archived.
- System Decommissioning: Turning off the old system in a controlled manner.
- Periodic Review: Regularly checking that the system is still fit for purpose while it's still in use.
Frequently Asked Questions about GAMP 5 Category 4
What is the difference between GAMP 4 and GAMP 5 for Category 4?
GAMP 4 was very prescriptive—it felt like a checklist that you had to follow regardless of risk. GAMP 5 shifted the focus to a risk-based approach. It also removed Category 2 (which was used for firmware) and reclassified it into Categories 3, 4, or 5 based on how much configuration is involved. GAMP 5 is much more flexible and encourages critical thinking over simple documentation.
How does the GAMP 5 Second Edition impact cloud-based Category 4 systems?
The Second Edition explicitly supports Infrastructure as a Service (IaaS) and Software as a Service (SaaS). It emphasizes that while you can't control the vendor's data center, you can control your configuration and how you use the system. It encourages leveraging the vendor's own testing to avoid duplicating work, provided you have audited them and trust their processes.
Can a system contain both Category 4 and Category 5 components?
Absolutely. This is called a "hybrid" system. For example, you might have a standard GAMP 5 category 4 ERP system, but you've written a custom Category 5 script to link it to a specific piece of lab equipment. In these cases, you assess each component individually. The overall system classification is usually driven by the highest-risk component.
Conclusion
Configuring and validating GAMP 5 category 4 systems doesn't have to be a bureaucratic nightmare. By focusing on your specific configurations, applying critical thinking, and using a risk-based approach, you can ensure compliance while keeping your projects on track.
The world of validation is moving toward digital transformation. At Valkit.ai, we believe that "documentation on steroids" isn't the answer—smart automation is. Our AI-powered platform helps companies in Scotland, Indiana, and beyond reduce validation costs by up to 80% and turn weeks of work into hours.
If you're ready to see how ValKit AI: Revolutionizing Validation Execution can transform your next Category 4 implementation, we’re here to help. Let’s move beyond the checklist and start validating with purpose.


