|

Computerized System Types and Classification

1. Purpose

This article defines a risk-based approach for identifying and classifying computerized systems used in regulated environments. Classification determines validation scope, testing depth, and lifecycle controls based on system impact, complexity, and data criticality.

2. Scope of Computerized Systems

Computerized systems include software, hardware, and infrastructure performing data processing, storage, transfer, or control functions in GMP environments.

2.1 System Types

Typical system types include:

  • Laboratory Systems
  • Manufacturing Systems
  • Quality Systems
  • Business Systems
  • Infrastructure Systems
  • End-User Systems

Examples include:

  • Laboratory Information Management Systems (LIMS)
  • Chromatography Data Systems (CDS)
  • Manufacturing Execution Systems (MES)
  • Enterprise Resource Planning systems (ERP)
  • Document management systems
  • Databases
  • Cloud platforms
  • Spreadsheets

3. Risk-Based Classification Framework

System classification converts system characteristics into validation decisions based on risk. The diagram below illustrates how system intended use, risk factors, and software complexity are evaluated together to establish system classification and determine the appropriate validation scope. It emphasizes that classification is a structured decision process based on impact and complexity rather than system type alone.

Risk-based framework showing how intended use, risk factors, and software complexity determine computerized system classification and validation scope

3.1 Primary Risk Factors

Classification must evaluate:

  • Impact on Product Quality
  • Impact on Patient Safety
  • Data Criticality
  • System Complexity
  • Degree of Configuration or Customization
  • Supplier Capability

3.2 Impact Categories

High impact systems typically include:

  • Systems used in batch release decisions
  • Systems managing GMP raw data
  • Systems controlling critical process parameters
  • Systems supporting critical quality attributes

Medium impact systems typically include:

  • Systems supporting GMP processes indirectly
  • Systems managing supporting quality data
  • Systems used for monitoring or trending

Low impact systems typically include:

  • Administrative systems
  • General business applications
  • Systems without GMP data relevance

4. Software Complexity Considerations

Software complexity determines validation depth, testing rigor, and reliance on supplier documentation. It is based on how much system behavior can be defined or modified by the user. This concept aligns with principles defined in GAMP 5. Systems are classified as:

  • Standard Systems
  • Configured Systems
  • Custom Systems

Standard Systems: Fixed functionality with minimal configuration.

  • Limited user-defined parameters
  • Predictable operation
  • High reliance on supplier documentation
  • Basic installation and functional verification

Configured Systems: System behavior defined through configuration.

  • User-defined workflows, rules, and permissions
  • Configuration directly impacts data and processing
  • Requires verification of configuration and functionality
  • Moderate reliance on supplier documentation

Custom Systems: Functionality developed or significantly modified.

  • Custom code or unique features
  • Full control over system behavior
  • Requires full lifecycle validation
  • Extensive testing with minimal supplier reliance

Software complexity must be evaluated together with system impact to define validation scope.

5. Validation Scope Determination

Validation scope is based on impact and complexity. The diagram below shows how system impact and software complexity combine to define the level of validation effort, testing depth, and documentation required. It provides a structured view of how validation expectations increase with both risk and system configurability.

Matrix showing validation scope based on system impact levels and software complexity categories

5.1 High Impact Systems

  • Full lifecycle validation
  • Detailed requirements and specifications
  • Complete IQ, OQ, and PQ
  • Extensive functional and configuration testing
  • Comprehensive data integrity verification
  • Limited supplier reliance

5.2 Medium Impact Systems

  • Scaled validation approach
  • Defined requirements
  • Focused IQ and OQ
  • Targeted PQ where required
  • Partial supplier leverage

5.3 Low Impact Systems

  • Basic installation and functionality verification
  • Minimal documentation
  • High supplier reliance
  • No formal PQ

6. Documentation Requirements

System classification must be documented in a manner that clearly justifies validation decisions and demonstrates a consistent, risk-based approach.

Classification documentation must include:

  • System description and intended use: Defines what the system does, where it is used, and how it supports GMP processes
  • Risk assessment: Documents evaluation of impact on product quality, patient safety, and data integrity
  • Impact classification: Identifies whether the system is high, medium, or low impact with justification
  • Complexity assessment: Defines whether the system is standard, configured, or custom and explains the basis for that determination
  • Validation scope definition: Specifies the required level of testing, documentation, and lifecycle controls derived from classification

Documentation must provide clear rationale linking system characteristics to validation scope.

7. Practical Use of Classification

Classification must drive:

  • Validation planning
  • Documentation depth
  • Test strategy
  • Data integrity controls
  • Change control rigor
  • Periodic review expectations