Risk analysis and evaluation of software and computer systems is a good tool to optimize validation costs by focusing on systems with high impact on both the business and compliance. Substantial cost savings are possible for medium and low-risk systems. Validation activities of a low-risk system can be limited to documenting which systems have been used. The risk is less dependent on the type of system than on the type of records generated by the system. For example, a LIMS system used in a research environment has a lower compliance risk than the same system used in pharmaceutical quality control.
2. Develop a risk management project plan for each computer system validation project. Use the risk management master plan approach as a source to define steps, owners, and deliverables.
3. Identify risks, possible hazards and harms and define the risk category, for example: high, medium, and low. This should be based on likelihood and severity. To estimate the severity, look at the records handled by the system and at their impact on product quality and consumer safety.
4. Determine validation tasks for each lifecycle phase. Use the approach, templates, and examples from the risk management master plan
5. Develop a risk management plan with a sound justification and the documentation of your results.
For the long term, we recommend that risk assessment be extended to full risk management with an action plan for risk mitigation and on-going review and control.
Ludwig Huber, PhD, is a compliance program manager at Agilent Technologies, tel. 1 49 7243 602 209, email@example.com
1. "GAMP Good Automated Manufacturing Practice, Guide for Validation of Automated Systems in Pharmaceutical Manufacture," Version 3, March 1998, Version 4, December 2001.
2. US Food and Drug Administration,"Pharmaceutical CGMPs for the Twenty-First Century: A Risk-Based Approach," http://www.fda.gov/oc/guidance/gmp.html and "FDA Issues Final Report on its '21st Century' Initiative on the Regulation of Pharmaceutical Manufacturing," http://www.fda.gov/bbs/topics/news/2004/NEW01120.html (Rockville, MD, Sept. 2004).
3. US FDA, General Principles of Software Validation: Final Guidance for Industry and FDA Staff, (FDA, Rockville, MD, Jan. 2002).
4. US FDA, Guidance for Industry. Part 11, Electronic Records; Electronic Signatures—Scope and Application (FDA, Rockville, MD, Aug. 2003).
5. Pharmaceutical Inspection Convention, Good Practices for Computerized Systems Used in Regulated Environments (PIC/S, Geneva, Switzerland, Jan. 2002).
6. US FDA, Code of Federal Regulations, Title 21, Food and Drugs, Part 11 "Electronic Records; Electronic Signatures; Final Rule; Federal Register 62 (54), 13429-13466.
7. Pharmaceutical Inspection Convention, Good Practices for computerized Systems in Regulated "GXP: Environments, (DRAFT) (PIC/S, Geneva, Switzerland, Jan. 2002).
8. DIA/FDA Industry Training Session, May 2003.
9. H. Mollah, "Risk Analysis and Process Validation," BioProcess Int., 2 (9),(2004).
12. G. Stoneburner, A. Goguen, and A. Feringa, Risk Management Guide for Information Technology Systems. Recommendations of the National Institute of Standards and Technology," NIST Special Publication 800-30 (NIST, Gaithersburg, MD, July 2002).
13. PhRMA, "Letter to the FDA, Related to Proposed FDA Guidance on the Scope and Implementation of 21 CFR Part 11," on Oct. 29, 2001.
14. International Society for Pharmaceutical Engineering, White Paper, "Risk-Based Approach to 21 CFR Part 11," (ISPE, Tampa, FL, 2003).
15. J. Murray at the Institute of Validation Technology "Computer System Validation" conference, May 2004.
16. "Qualification and Validation," Annex 15 to the EU Guide to Good Manufacturing Practice, 2001.
17. ISPE, GAMP Good Automated Manufacturing Practice, Good Practice Guide: A Risk-Based Approach to Compliant Electronic Records and Signatures(ISPE, Tampa, FL, Feb. 2005).