This article describes how to adopt risk-based approaches for the validation of commercial computer systems used in the regulated pharmaceutical industry. This paper will help to guide readers through a logical, risk-based approach for computer system validation. It offers recommendations on how to define risks for different system and validation tasks and for risk categories along the entire life of a computer system. The scope of this paper is limited to Commercial Off-the-Shelf (COTS) systems and does not include risks typically involved during software development.
The article contains two parts. Part one deals with risk assessment, in which we discuss approaches to categorizing computer systems into high, medium, and low-risk levels. (These levels serve as an example. Any ranking of levels of risk that is relevant to the product and the manufacturer may be substituted. The thought process of ranking is the same.) Part two offers recommendations for validation steps for the different categories as defined in part one.
Industry task forces have recommended risk-based approaches for validation for a long time. For example, Good Automated Manufacturing Practice (GAMP) has a chapter in its "Guide for Validation of Automated Systems in Pharmaceutical Manufacture"(1). Also, the United States Food and Drug Administration has recognized the importance of risk-based compliance. This became most obvious when the FDA announced its science and risk-based approaches as part of the Twenty-First Century drug Good Manufacturing Practice (GMP) initiative in 2003 (2).
"We will focus our attention and resources on the areas of greatest risk with the goal of encouraging innovation that maximizes the public health protection," said FDA Commissioner Mark McClellan at an FDA–industry training session (8). David Horowitz added, "there are two elements to a risk-based approach to inspections: We need to go to the right places and we need to look at the right things" (8).
One reason for this risk-based approach is FDA's limited resources to inspect all manufacturing sites every two years.
"We have over 6000 domestic drug facilities and the number of GMP inspections that we have been able to inspect has declined by about two thirds in the last 20 years. So we can't take the chance that we are squandering our limited resources on lower risk facilities. That would prevent us from doing a minimum level of scrutiny and oversight and working with the higher risk facilities," Horowitz said (8).
In the meantime, FDA has begun to allocate its resources based on risk. For example, beginning in the fall of 2004, FDA began using a risk-based approach for prioritizing domestic manufacturing site inspections for certain human pharmaceuticals. This approach should help the Agency predict where its inspections are likely to achieve the greatest public health impact (2).
The FDA is not only taking advantage of the risk-based approaches, but also encourages the industry to do so, for instance, in software and computer validation. The industry guidance on General Principles of Software Validation states:
The selection of validation activities, tasks, and work items should be commensurate with the complexity of the software design and the risk associated with the use of the software for the specified intended use (3).
The same guide has also specific recommendations on what is expected for lower risk systems: