Risk-Based Validation of Commercial Off-the-Shelf Computer Systems 5

Risk evaluation process
This phase categorizes and prioritizes each risk from a business, compliance, or health risk standpoint.

Table II: Template for risk evaluation.
Data should be entered into a form with entry fields for risk descriptions, business (continuity) impact, product quality, safety, and compliance impact, as well as probability of occurrence. An example is shown in Table II, and the various impacts are described below.
Impact on business continuity. This is related to a company's ability to market a new product and its reliance on system uptime for continuous shipment of product. Evaluating these issues answers the question: in currency terms, how large would the losses be from delays of new product approval and from shipment stoppages?
Impact on product quality. The question here is whether the system has an impact on product quality, that is, on the identity, strength, safety, or efficacy of a drug. A direct impact on product quality means that any failure cannot be corrected before a new drug is approved for marketing or before a batch is released for shipment.
For a "high-risk" classification, the probability of detecting the problem would be low or zero. An example is an analysis system used in quality control where analysis results are used as criteria for the release of product.
Impact on human health and safety. Includes consumer safety and environmental hazards. An example of high severity would include circumstances whereby poor product quality could cause adverse effect to the health of patients or users.
Note: Because an impact on health and safety can only occur when there is also an impact on product quality, we combine both factors.
Impact on compliance. This is related to the risk of failing regulatory inspections and receiving single or multiple WLs or inspectional observation reports. A typical compliance issue is the insufficient integrity of regulated data.
There are other indirect effects wherein the health of a patient or a worker is affected, such as claims against the company, product recalls, a negative reputation for the company, etc.

Table III: Template to determine the overall risk factor.
Information from this category will be used to calculate an overall risk factor. In our example, the risk categories are converted into numeric values: high = 3, medium = 2, and low = 1 (see Table III). Risk factors are calculated using the following formula:
(Business Impact + Safety + Compliance Impact) × Probability of Occurrence = Risk Factor
Factors contributing to risk
High-risk factors. Examples of factors contributing to high-risk levels include those related to product quality and health and safety, business continuity, and regulatory compliance.
Product quality and health and safety.
  • Systems used to monitor, control, or supervise a drug manufacturing or packaging process.
  • Systems used in a production environment for testing, release, labeling, or distribution of products.
  • Users interact manually with the system and its data and have the ability to manipulate data.
  • System failure can have a direct impact on product quality.
  • No or low probability that the problem will be detected or can be corrected.
  • Product quality problems may lead to death or serious and permanent injury.
