Risk-Based Validation of Commercial Off-the-Shelf Computer Systems 9

Figure 3: Validation tasks for system risks and GMP categories, showing only validation phases.
The principle is shown for early validation phases in Figure 3. Of course, generating such information is more time-consuming and only makes sense if several systems in GAMP category three or five are to be validated.

Conclusion
Risk analysis and evaluation of software and computer systems is a good tool to optimize validation costs by focusing on systems with high impact on both the business and compliance. Substantial cost savings are possible for medium and low-risk systems. Validation activities of a low-risk system can be limited to documenting which systems have been used. The risk is less dependent on the type of system than on the type of records generated by the system. For example, a LIMS system used in a research environment has a lower compliance risk than the same system used in pharmaceutical quality control.
Regulatory agencies require companies to base the extent of validation they complete on a justified and documented risk assessment. To do this efficiently, we recommend the following steps:
1. Develop a risk management master plan. This describes the company's approach to risk assessment and has templates and examples for easy and consistent implementation. This plan should also include validation tasks for each risk category.
2. Develop a risk management project plan for each computer system validation project. Use the risk management master plan approach as a source to define steps, owners, and deliverables.
3. Identify risks, possible hazards and harms and define the risk category, for example: high, medium, and low. This should be based on likelihood and severity. To estimate the severity, look at the records handled by the system and at their impact on product quality and consumer safety.
4. Determine validation tasks for each lifecycle phase. Use the approach, templates, and examples from the risk management master plan.
5. Develop a risk management plan with a sound justification and the documentation of your results.
For the long term, we recommend that risk assessment be extended to full risk management with an action plan for risk mitigation and on-going review and control.
Ludwig Huber, PhD, is a compliance program manager at Agilent Technologies, tel. 1 49 7243 602 209,
