Process Control Systems GAMP

5 Software Categories
January 21, 2013| Software Validation, Validation Articles | 2 comments

In the article Validation Determination the use of categorising software was

discussed and how this can support the approach to the validation. In this post
we are looking at types of software which fall in to these categories for Process
Control Systems / Automation Systems.
Categorising software is used to support the approach to the validation based on
complexity and novelty of the computerised system.
The categories detailed within this post are based on GAMP 5 Software
Categories.

GAMP Software Category 1

Infrastructure Software
Unless a very simple control system (PLC and HMI) there is likely to be some
elements of infrastructure software.
Infrastructure software in its most simple form is the operating system which the
application software resides.

Additional software for managing the infrastructure the process control system
includes:

Operating Systems
Anti-virus Software
Active Directory / Domain Controller
Database Software (SQL / Oracle)
Server and Network Hardware
Virtual Environments
Firewalls, including configuration
Server and Network Monitoring Tools
Backup Systems
Note: Infrastructure should be built, configured and deployed in accordance with
defined process / procedure and critical aspects and / or configuration verified.
Infrastructure is qualified but not validated. The validation is performed on the
hosted application not on the infrastructure.

GAMP Category 3 Non

Configurable Software
Configuration relates to adding functionality through standard modules, library
items to standard software applications to meet the business requirements.
In a process control system a DCS would be configured from standard modules to
control a specific process and would fall under GAMP Category 4. An electronic
chart recorder which is also configured with Input Ranges, Alarm Setpoints, etc.
would fall under GAMP Category 3 for while it is has parameters entered under
the configuration it does not define functionality or a process flow.
It is important to understand the distinction between true configuration and
parameterisation when assigning the category.
Other examples that would fit under GAMP category 3 would be systems that are
provided with computerised controllers, including Programmable Logic
Controllers (PLCs) where the application is not modified (although may be
parameterised) to meet the business need. Within the pharmaceutical industry
there are many examples of these including Labelling and Packaging equipment.

There is no fixed rule as to the validation approach for GAMP Category 3 systems.
This should be combined with the impact or criticality of the process that the
system is monitoring and / or controlling. It can support decisions as to lifecycle
steps that may not need to be performed for example Source Code Reviews,
limited verification activities and greater reliance on vendor test documentation.
As with any supplier you should ensure that the software has been performed in
accordance with an appropriate quality management system. However the GAMP
Category can support the decision as to the level of supplier assessment that
needs to be performed (Postal Questionnaire rather than Full Site Audit.
EU Annex 11 states that the need for an audit should be based on a risk
assessment refer to the Validation Determination post.

GAMP Software Category 4

Configured Software
Configured software for a process control system is software applications that are
configured to meet specific business needs (see above GAMP Category 3).
GAMP Category 4 Configured Software range in complexity from simple
configuration of SCADA system graphics to complex process control within a DCS
or PLC (linking standard library objects to control the process).
Examples of configurable software for a Process Control System includes:

DCS / SCADA Mimics

DCS / SCADA Databases (Alarms, Tags, History)
PLC / DCS programs configured from Standard functions library /
IEC61131-3
For GAMP Category 4 software the approach to the computer systems validation
may be to use the suppliers documentation and verification to demonstrate the
suitability of the standard modules and limit the regulated companys verification
to the critical functions of the business process and functions to support
regulatory compliance (security, electronic records, etc.).

GAMP Software Category 5

Bespoke Software

Bespoke software is software that is generally written from scratch to fulfil the
business need. As this software is going the full development lifecycle there is a
higher level of risk of errors within the application code.
In terms of a Process Control System GAMP Category 5 software may range from
PLC logic (Ladder, Sequence Flow Chart, C++, etc.) to custom scripts written
within the SCADA / DCS system.
As GAMP Software Category 5 the level of verification through software testing
(FAT, SAT, IQ, OQ, etc.) will be increased. The level and formality of performing
and documenting this testing will be determined on the GMP Impact (Product
Quality, Patient Safety, Data Integrity and GMP regulatory requirements).

Summary
The Validation Determination can be used to identify each component of the
system and the associated software category(s).
The GAMP Software Category may be used to support Computer Systems
Validation decisions which may be documented within the Validation
Determination Statement or within the Validation Plan.
The GAMP Category can also be used to support further risk assessments, for
example consider the type of software category for controlling / monitoring each
function. The likelihood of failure or the failure going undetected may be lower
for less complex / novel software.