Software Categorization in Pharmaceutical Manufacturing
(This article is a continuation from Issue 106.)
Implementation of Packaged Software and Functional Classification
In recent years, custom software development has become less common. In most cases, organizations purchase commercial off-the-shelf (COTS) packaged software that meets user needs and adapt it to user requirements through configuration and customization.
When implementing commercial packages, users and suppliers typically determine during requirements definition how user-requested functional requirements will be implemented. The typical classification of functions is as follows:
| Function Classification | Description | Implementation Method |
| 1) Use as standard package features | Use standard features without modification | No changes |
| 2) Modification through configuration | Adjust features through parameter settings | Configuration |
| 3) Modification through customization | Change features through external development or modification | Code development |
| 4) Unused features | Features included in package but not used | Not utilized |
Relationship with GAMP Category Classification
The above functional classification is closely related to the software categories defined in ISPE’s (International Society for Pharmaceutical Engineering) GAMP 5 (Good Automated Manufacturing Practice) guidelines.
GAMP 5 classifies software into the following categories:
| GAMP Category | Description | Examples |
| Category 1 | Infrastructure software | OS, databases, networks |
| Category 3 | Standard packaged software (COTS) | Unmodified commercial products |
| Category 4 | Configurable software | Products whose functions can be adjusted through parameter settings |
| Category 5 | Custom software | User-developed products |
When expanding the functions of packaged software, it is possible to visually represent how each function will be utilized:
- Functions used without modifying the package product (corresponding to Category 3)
- Functions used by configuring the package product (corresponding to Category 4)
- Functions used by customizing the package product (corresponding to Category 5)
- Cases where package product features are not used
By categorizing functions in this way, validation requirements for each function can be organized. In most cases, when using commercial packages, Categories 3-5 will be mixed.
For functions modified through configuration (Category 4), functional specifications and configuration specifications must be created. For functions modified through customization (Category 5), functional specifications and design specifications must be created.
Important Changes in GAMP 5 Second Edition
The GAMP 5 Second Edition, published in July 2022, brought significant updates to the approach to software validation. The main changes in the Second Edition are as follows:
Understanding Categories as a “Continuum”
The Second Edition explicitly states that “computerized systems are generally made up of a combination of components from different categories; the categories should be viewed as a continuum.” This means that rather than rigidly classifying a single system into one category, an appropriate approach should be taken according to the nature of each component and component function that constitutes the system.
Emphasis on Critical Thinking
The Second Edition added a new appendix on Critical Thinking (M12). It emphasizes that experienced Subject Matter Experts (SMEs) should determine appropriate approaches through thinking centered on patient safety, product quality, and data integrity, rather than through a checklist-based approach.
Alignment with Computer Software Assurance (CSA)
GAMP 5 Second Edition is aligned with the US FDA’s (Food and Drug Administration) draft guidance “Computer Software Assurance for Production and Quality System Software” issued in September 2022 (final version published in September 2025). CSA represents a paradigm shift from traditional Computer System Validation (CSV), promoting a more flexible, risk-based approach.
The four steps of CSA:
| Step | Content |
| 1 | Identify intended use |
| 2 | Determine risk-based approach |
| 3 | Determine appropriate assurance activities |
| 4 | Establish appropriate record |
Addressing New Technologies
The Second Edition added appendices on the following new technologies and topics:
- Agile development methodology (D8)
- Software tools (D9)
- Distributed Ledger Systems (Blockchain) (D10)
- Artificial Intelligence/Machine Learning (AI/ML) (D11)
- IT Infrastructure (M11)
- Cloud computing
- Open Source Software (OSS)
Importance of Data Integrity
In computerized system validation, data integrity is an extremely important element. In December 2018, the FDA issued the final version of the “Data Integrity and Compliance With Drug CGMP: Questions and Answers” guidance, clarifying the role of data integrity in cGMP (current Good Manufacturing Practice).
The fundamental principles of data integrity are known as ALCOA+:
| Principle | Meaning | Requirement |
| Attributable | Attribution | Data must be attributable to the person who created it |
| Legible | Readability | Data must be readable and understandable |
| Contemporaneous | Simultaneity | Data must be recorded at the time of performance |
| Original | Originality | Data must be original or a true copy |
| Accurate | Accuracy | Data must be accurate and complete |
| Complete | Completeness | All data must be retained |
| Consistent | Consistency | Data must be chronologically consistent |
| Enduring | Durability | Data must be retained throughout the lifecycle |
| Available | Availability | Data must be accessible when needed |
Regardless of category classification, all computerized systems must meet data integrity requirements.
Practical Application of Risk-Based Approach
To reiterate, in IT applications, categories commonly coexist. Therefore, rigidly classifying an entire system into a single category does not necessarily lead to an appropriate validation strategy.
As indicated by GAMP 5 Second Edition and FDA CSA Guidance, the most important aspect when implementing software validation is adopting a comprehensive risk-based approach rather than adhering to simple category classification.
Elements of Risk Assessment
A risk-based approach must consider the following elements:
| Assessment Element | Considerations |
| GxP Impact | System’s impact on patient safety, product quality, and data integrity |
| System Complexity | Technical complexity, degree of integration |
| Novelty | Use of new technologies or methods for the organization |
| Vendor Capability | Supplier’s quality management system and development processes |
| Usage Track Record | Industry usage track record and maturity |
| Degree of Customization | Degree of deviation from standard features |
Product Risk and Degree of Validation
Even for a Category 3 standard package, if it is used to manufacture high-risk pharmaceuticals such as anticancer drugs or psychotropic drugs, validation activities commensurate with that risk must be implemented. This includes:
- Thorough vendor assessment
- Detailed risk assessment
- Comprehensive functional testing
- Verification of data integrity controls
- Continuous monitoring and review
On the other hand, even for Category 5 custom software, if it is used to manufacture low-risk products such as vitamins or nutritional supplements, or if the system has low GxP impact, the degree of validation can be appropriately scaled down. However, basic data integrity requirements must always be met.
Appropriate Use of Category Classification
Category classification is effective for relatively simple and clearly defined systems such as structural facilities (e.g., HVAC systems, water purification systems) and analytical instruments (e.g., HPLC, spectrophotometers). For these systems, categories are relatively clear, and it is easier to establish appropriate validation strategies based on categories.
However, for complex IT applications, category classification should be used as a starting point or reference information, and validation strategies should not be determined based solely on it.
Conclusion
GAMP 5 Second Edition and FDA CSA Guidance have brought significant progress to the approach to computerized system validation in pharmaceutical manufacturing. What these guidelines commonly emphasize is:
- Prioritization of Risk-Based Approach: While category classification is a useful tool, a comprehensive approach considering multifaceted elements such as risk assessment, system complexity, novelty, and GxP impact is necessary.
- Importance of Critical Thinking: It is essential that experienced SMEs center their thinking on patient safety, product quality, and data integrity.
- Balance between Flexibility and Efficiency: While meeting regulatory requirements, avoiding overly conservative approaches and utilizing the latest technologies and best practices is recommended.
- Emphasis on Data Integrity: For all computerized systems, ensuring data integrity based on ALCOA+ principles is a fundamental requirement.
- Continuous Improvement: Responding to new technologies such as Agile development, cloud computing, and AI/ML, and continuously improving validation processes is required.
Readers are encouraged to use category classification as a useful tool without relying on it alone, and to build a more comprehensive and effective validation strategy centered on a risk-based approach and critical thinking. GAMP 5 Second Edition and FDA CSA Guidance will serve as excellent resources to support such practices.