The Myth of Category Classification
GAMP classifies software into five categories. Many pharmaceutical and medical device companies’ CSV (Computerized System Validation) Standard Operating Procedures (SOPs) likely determine the level of CSV implementation and deliverables based on this category classification.
However, category classification is not absolute. Even within Category 3, there are high-risk systems, and conversely, even within Category 5, there are low-risk systems. Therefore, an approach that constructs systems based solely on category classification may fail to meet the expectations of patients and regulatory authorities.
Furthermore, while category classification was effective for structural equipment and process control systems, it has limited practical utility for IT applications. This is because IT applications often involve a mixture of Categories 3, 4, and 5 components within a single system.
Evolution of Understanding: From Rigid Classification to Risk-Based Continuum
The publication of GAMP 5 Second Edition in July 2022 brought significant clarification to this issue. This latest edition explicitly states that “computerized systems are generally made up of a combination of components from different categories; the categories should be viewed as a continuum” and emphasizes that “categorization is not intended to provide a checklist approach to validation.” The Second Edition stresses that category classification is merely one factor among many—including risk analysis, system complexity, novelty, and critical thinking by experienced subject matter experts—that should inform validation strategy.
Issues with Japan’s Regulatory Approach
Japan’s Ministry of Health, Labour and Welfare issued the “Guideline for Computerized System Management for Manufacturers of Medicinal Products” in October 2010 (Heisei 22), which came into effect in April 2012 (Heisei 24). This guideline placed significant emphasis on category classification, which has had problematic consequences. The guideline’s heavy reliance on category-based approaches has led many Japanese companies to adopt overly rigid validation strategies that do not adequately account for actual system risks.
Global Regulatory Context: The Absence of Category Classification
It is crucial to note that neither FDA nor EMA regulatory requirements for software validation include category classification systems. The FDA’s approach has evolved significantly with the issuance of draft guidance on “Computer Software Assurance for Production and Quality System Software” in September 2022, which was finalized in September 2025. This guidance introduces a risk-based approach called Computer Software Assurance (CSA) that focuses on:
- Identifying the intended use of software
- Determining risk-based approaches based on potential impacts on product quality and patient safety
- Determining appropriate assurance activities commensurate with risk
- Establishing appropriate records
The FDA’s CSA framework explicitly moves away from documentation-heavy, prescriptive validation approaches toward a more flexible, risk-based methodology that emphasizes critical thinking and leverages vendor documentation and automated testing tools.
Similarly, EU GMP Annex 11, revised in 2011 and currently undergoing further significant updates (expected 2025-2026), mandates a risk-based approach throughout the system lifecycle but does not prescribe software category classifications. The revised Annex 11 emphasizes:
- Risk management applied throughout the computerized system lifecycle
- Focus on patient safety, data integrity, and product quality
- Integration with ICH Q9 Quality Risk Management principles
- Comprehensive supplier management and data integrity controls
The Proper Approach: Comprehensive Risk-Based Assessment
For the systems used by pharmaceutical and medical device companies (not limited to software alone), the degree of quality management and quality assurance should be determined by comprehensive risk assessment. This assessment should consider:
- Patient and User Safety: The potential impact on patient safety if the system fails to perform as intended
- Product Quality Impact: How system failures could compromise product quality, including effects on manufacturing processes, analytical results, and product release decisions
- Data Integrity: The criticality of data generated, processed, or stored by the system, considering the ALCOA+ principles (Attributable, Legible, Contemporaneous, Original, Accurate, plus Complete, Consistent, Enduring, and Available)
- System Complexity and Novelty: The technical complexity of the system and whether it involves new or unproven technologies
- Business Process Criticality: The importance of the business process supported by the system to GxP operations
- Regulatory Impact: Whether the system directly supports regulatory submissions or regulatory compliance activities
Contemporary Best Practices
Modern validation approaches, as reflected in GAMP 5 Second Edition and FDA’s CSA guidance, advocate for:
- Critical Thinking: Application of scientific and risk-based thinking by knowledgeable subject matter experts rather than rote application of predetermined validation templates
- Leveraging Supplier Information: Maximizing use of supplier documentation, testing, and quality management systems to avoid redundant validation activities
- Scalable Validation Approaches: Tailoring validation activities to actual risk rather than following rigid category-based templates
- Iterative and Agile Methods: Supporting modern software development methodologies including Agile, DevOps, and continuous integration/continuous deployment (CI/CD) approaches
- Automated Testing and Monitoring: Utilizing automated testing tools, continuous monitoring, and system-generated records (such as audit trails and system logs) as validation evidence
- Unscripted Testing: For appropriate risk levels, employing exploratory testing, scenario testing, and error-guessing techniques alongside traditional scripted testing
Practical Implementation Considerations
When implementing a risk-based approach to system validation:
- Conduct Comprehensive Risk Assessments: Perform detailed risk assessments that consider all relevant factors beyond simple category classification
- Document Risk-Based Decisions: Clearly document the rationale for validation approaches chosen, demonstrating how decisions align with identified risks
- Maintain System Inventories: Keep up-to-date inventories of all computerized systems with documented intended uses and risk classifications
- Engage Cross-Functional Teams: Involve quality assurance, IT, process owners, and subject matter experts in validation planning and execution
- Implement Effective Change Control: Establish robust change control processes that reassess risk when systems are modified
- Focus on What Matters: Concentrate validation efforts on high-risk features, functions, and operations while applying appropriate but less burdensome approaches to lower-risk elements
- Embrace Continuous Improvement: Regularly review and update validation strategies based on operational experience, technological advances, and regulatory expectations
The Role of Category Classification Today
This is not to say that category classification has no value. When properly understood and applied, software categorization can serve as a useful initial tool for:
- Establishing baseline expectations for supplier involvement and documentation
- Providing a common language for discussing system characteristics across organizations
- Informing initial estimates of validation effort and resource allocation
However, category must be viewed as just one input into a comprehensive risk-based validation strategy, not as a deterministic factor that alone dictates validation approaches. The continuum nature of categories, combined with the reality that modern systems incorporate components from multiple categories, means that validation strategies must be tailored based on holistic risk assessment rather than rigid category-based rules.
Conclusion
The pharmaceutical and medical device industries are in a period of significant transformation in how we approach computerized system validation. Regulatory authorities worldwide are converging on risk-based approaches that emphasize critical thinking, appropriate use of supplier information, and validation activities scaled to actual risk rather than predetermined category classifications.
Organizations that continue to rely primarily on category-based validation approaches risk both over-validating low-risk systems (wasting resources) and under-validating high-risk systems (potentially compromising patient safety, product quality, or data integrity). The path forward requires embracing contemporary risk-based validation methodologies that align with current international regulatory expectations and industry best practices.
As we move into an era of increasing digitalization, artificial intelligence, cloud computing, and advanced automation in pharmaceutical manufacturing and quality systems, the limitations of rigid category-based validation become even more apparent. Success requires organizations to develop mature risk management capabilities, invest in personnel training on modern validation approaches, and foster cultures of critical thinking and continuous improvement in quality assurance practices.