GAMP 5 Category 4Good Automated Manufacturing Practice Category 4 (Configured Software)

GAMP 5 Category 4 (Configured Software) applies to vendor-provided applications whose behavior is tailored by user configuration rather than by developing bespoke code. MES, electronic batch record (eBMR/eDHR), LIMS, and QMS platforms typically fall here because they are delivered with standard services (workflow engines, rules, forms, audit trails) and are instantiated through configuration: master data, recipes, parameters, roles, electronic signatures, and interface mappings. Compared with Category 3 (non-configured) products, Category 4 configurations can significantly alter GMP-relevant outcomes; compared with Category 5 (custom), risk is reduced by the controlled framework of the platform.

• Examples: MES workflows, ISA‑88 recipes and phases, eBR templates, LIMS test routing, QMS CAPA workflows, WMS batch-handling rules.
• Primary artifacts: User Requirements Specification (URS), Configuration Specification (CS), risk assessment, configuration and integration test evidence, and change control records.
• Regulatory anchors: EU GMP Annex 11 (validation, audit trails, security), 21 CFR Part 11 (e-records/e-signatures), 21 CFR 211.68 and 820.70(i) (automated/ computerized processes).

Annex 11 requires systems to be validated with a documented, risk-based approach; Part 11 expects trustworthy, reliable electronic records and signatures; 21 CFR 211.68 and 820.70 require control and validation of automated processes. For Category 4 MES, defining scope, boundaries, and interfaces is foundational. ISA‑95 helps partition responsibilities across Levels 0–4 (process, control, MES, enterprise), clarifying where configuration lives, where master data originates (e.g., ERP), and which interfaces are GxP-critical.

GAMP 5 (2nd ed.) promotes critical thinking and risk-based, product-quality and patient-safety-driven effort. Category 4 does not mandate a fixed set of documents; rather, it tailors rigor to the impact and detectability of each configured function. CSA principles emphasize focusing testing where it matters—high-risk scenarios and intended-use outcomes—while leveraging supplier evidence for low-risk areas.

1. Define intended use via URS and process risk mapping (link functions to quality attributes and data integrity).
2. Perform functional risk assessment: severity of failure on product/patient, detectability by procedural/technical controls, and occurrence likelihood.
3. Right-size specification: a configuration specification (CS) precise enough for reproducibility and independent verification.
4. Plan testing: positive/negative, boundary, and exception handling; define objective acceptance criteria.
5. Leverage supplier testing for standard services; prioritize site verification on configured/high-risk behavior.
6. Summarize assurance: traceability matrix linking URS→CS→Tests→Deviations→Residual risk.

Configuration is the design in Category 4. Treat it with engineering discipline: uniquely identify each object (workflow, rule, recipe, role), capture parameter values with rationale, and baseline releases with environment provenance. Annex 11 expects change control, periodic review, and security; Part 11 requires authority checks and audit trails; 211.68/820.70 expect validated changes. Tight control avoids regression and preserves data integrity.

• Artifacts: Configuration Specification (CS), environment map, configuration item (CI) register, release notes, rollback plan.
• Controls: segregated environments, migration packages with checksums, peer review, and automatic audit trails for configuration changes.
• Records: rationale for risk-based testing scope; deviation handling and impact assessment; updated traceability.

Configured MES must enforce ALCOA+ principles. Annex 11 and MHRA guidance expect validated audit trails, secure user management, and procedural/technical controls that render records trustworthy. Part 11 adds expectations for electronic signatures, authority checks, and record retention. Category 4 validation should explicitly verify that configuration implements these controls and that they operate consistently in all intended workflows.

• Identity, roles, and least-privilege RBAC; periodic review.
• Enforced sequence with interlocks/permits-to-proceed for critical steps; controlled by configuration rather than SOPs alone.
• Time-synchronized, computer-generated audit trails; review workflows with exception detection.
• Electronic signatures: meaning, intent, and association to records; two-person signatures where risk warrants.
• Record preservation: backup/restore tests including audit trails and signatures; data export retains context/metadata.

"Data should be attributable, legible, contemporaneous, original, and accurate (ALCOA) and meet expectations for completeness, consistency, and endurance (ALCOA+)."

Testing substantiates that configuration satisfies intended use under normal and stressed conditions. For Category 4, emphasize scenario-based verification, negative tests on critical checks, and interface error-handling. IQ assures platform installation parameters; OQ challenges configured platform functions; PQ (or scenario UAT) demonstrates process-fit and operator usability under controlled SOPs.

• Prefer scripted scenarios over field-by-field testing for low-risk UI.
• Probe boundary conditions: min/max tolerances, abnormal sequences, network dropouts.
• Verify security and audit logging as part of each scenario, not as a one-off.

ISA‑95 clarifies the semantics and pathways for MES integrations (to ERP, LIMS, historians, labeling, WMS). Category 4 validation must include interface qualification: correct mapping, transaction integrity, reconciliation, and robust exception handling. Given modern MES runs atop ICS/IT converged stacks, align with NIST SP 800‑82 for network zoning, authentication, patching, backup/restore, and monitoring—documenting how security controls preserve the validated state and data integrity.

• Define interface criticality and testing depth (GxP vs. non-GxP payloads).
• Prove idempotency/duplicate handling and recovery from partial failures.
• Document security posture: RBAC integration (e.g., SSO), time sync (NTP), and segregation (production vs. test).
• Verify that cybersecurity changes (patches) follow change control with regression scope based on risk.

Annex 11 expects appropriate supplier assessment. For Category 4, a qualified supplier with mature SDLC and test evidence allows rational reduction of duplicate testing on standard services. Perform proportionate assessment: quality certifications, SDLC description, defect metrics, penetration/security posture, and change/release management. Leverage vendor IQ/OQ templates cautiously—confirm suitability to intended use and site configuration.

• Audit scope: platform services coverage, testing independence, and tool qualification.
• Reuse with verification: adopt vendor tests for low-risk functions; add site tests for configured/high-impact functions.
• Maintain a supplier file: versions, disclosures, vulnerability notes, and release notes mapped to your risk register.

Inspection findings in configurable systems often trace to incomplete configuration definition, weak change control, or superficial testing of high-impact logic. Data integrity lapses frequently originate from inconsistent use of audit trails, privilege creep, or ineffective periodic reviews. Avoid these with explicit configuration governance and risk-driven testing.

• No single Configuration Specification; configuration scattered across screenshots and emails.
• Untested negative paths for interlocks (e.g., using equipment on hold).
• Over-reliance on vendor OQ without verifying site-specific configuration or interfaces.
• Insufficient audit-trail review of configuration changes; no periodic access review.
• Poor segregation of duties for configuration promotion; lack of chain-of-custody for migration packages.
• Interface reconciliation gaps leading to orphan or duplicated records.

V5 Ultimate treats configuration as first-class, versioned design assets across MES, QMS, eBMR/eDHR, LIMS, WMS, and Maintenance. Workflows, recipes, interlocks, roles, and interfaces are captured in a unified configuration model with promotion workflows, automated configuration audit trails, and environment provenance. Risk registers link requirements to configuration items and tests; interface contracts embed reconciliation rules; and e-record/e-signature controls are parameterized and verified against intended use.