Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Computerised
Systems
Risk
Assessment
Page 1/16
Copyright 2006 ps_testware
1 PREFACE
2 GOAL
2.1
SCOPE
2.2
OBJECTIVES
2.3
REQUIREMENTS
4
4
5
5
6
7
8
10
14
15
4 CONCLUSION
15
Page 2/16
Copyright 2006 ps_testware
PREFACE
This White Paper describes the process followed by ps_testware during Risk
Assessments intended to target the validation effort for cGxP and Part 11 regulated
computers systems. Risk assessments identify the possible risks and threats posed by
a computer system to the business and to compliance with the rules and regulations
defined by regulatory organisations. The Risk Assessment identifies the risks that the
system poses to product safety, efficacy and quality, and the risks that it poses to
data integrity, authenticity and confidentiality. "Product" refers to human or veterinary
drugs, biological products, medical devices or radiological products.
Process validation, included system and software validation, is a requirement of the
current Good Practice (cGxP) regulations of the Food and Drug Administration (FDA)
and the European Union (EU). The Quality System regulation requires that when
computers or automated data processing systems are used as part of production or
the quality system, the manufacturer shall validate computer software for its intended
use according to an established protocol. For example cGMP for Finished
Pharmaceuticals (FDA, 21 CFR Part 210 and 211), cGMP for Medical Devices (FDA, 21
CFR Part 820) and GLP for Non-clinical Laboratory Studies (FDA, 21 CFR Part 58).
In addition to the above validation requirement, computer systems that implement
part of a manufacturers production processes or quality system (or that are used to
create and maintain records required by any other cGxP regulation) are subject to the
Electronic Records and Signatures regulation (FDA, 21 CFR Part 11). This regulation
establishes additional security, data integrity, and validation requirements when
records are created or maintained electronically. The additional Part 11 requirements
should be carefully considered and included in the requirements for any automated
record keeping system. System validation and software validation should demonstrate
that all Part 11 requirements have been met.
Even for commercial off-the-shelf software the FDA suggests that end users should
conduct functional testing of software that covers all functions of the program that the
end user will use. For both off-the-shelf software and custom-built software, risk
assessment is a tool that can justify limits being placed on the testing of systems and
functions. It is impractical to completely validate every aspect of a cGxP computer
system. Therefore the effort should be focused on critical areas such as risks to
regulatory compliance, the business, and project completion. By assessing the
processes and computer system for risks the effort can be focused on the most critical
parts of the system.
In the next chapter, the scope, objectives and the requirements of a risk assessment
are defined.
The third chapter explains the methodology and model that ps_testware uses to
conduct a risk assessment. The stages of a project at which a risk assessment should
be conducted, and the steps to be taken within each of the four phases of the risk
assessment are discussed.
Page 3/16
Copyright 2006 ps_testware
The Risk Analysis document, that is the result of a risk assessment, will show
if a computer system requires validation;
what aspects of the computer system or process are critical to product and
patient safety;
what aspects are critical to business and;
what corrective actions and preventive measures are needed to realise a
computer system that meets the expectations of the regulatory organisations.
GOAL
A principal objective of risk assessments is to identify and evaluate the risk factors
involved in the development, implementation and enhancement of a computerised
system (CS) (e.g. computerising a manual process, the purchase and implementation
or enhancement of a cGxP computer system). Risk assessment will be used to
determine the scope and extent of the necessary validation processes and any
allowable exclusion from them, ensuring that the appropriate Software Development
Life Cycle (SDLC) phases, documentation, and level of testing are applied. Choosing
the right validation strategy depends on understanding the risks and their
consequences.
2.1 Scope
The scope of a risk assessment includes the factors that threaten compliance with the
regulations applicable to a cGxP computer system and those that may have a negative
business impact. The following topics are generally within the scope of a risk
assessment.
Business Processes (cGxP);
Electronic records, signatures and audit trails (21 CFR Part 11);
System Development and implementation methodology, including completion of
documentation to required standards;
System Configuration, System Security and Change Control;
Standard Operating Procedures (SOPs) for system operation, system
management, support, etc;
Protocols for Installation Qualification (IQ), Operational Qualification (OQ) and
Performance Qualification (PQ);
User training / coaching and training records;
General system issues such as system performance, maintenance, backup and
recovery, disaster recovery, data retention and network management.
This is not a limited list and will be adapted to the specific situation.
The risk assessments made prior to and during the validation of a system will normally
examine the above mentioned topics to determine if there is a potential impact on
compliance with the regulations or a potential impact on the business. Any threat
assessed as having impact on regulatory compliance will be within the scope of the
validation plan.
Page 4/16
Copyright 2006 ps_testware
2.3 Requirements
Conducting a risk assessment is a multi-disciplinary task. The responsibilities for the
risk assessment will be dependent on the organisational structure and the processes
that are being assessed. The senior person responsible for Quality Assurance should
be the owner of the Risk Assessment, the Risk Analysis document and the Validation
Process as a whole. Other key people in the organisation (such as the Business and
System Owners) should also be approvers of the Risk Analysis document. These
people have also great added value as information source. Examples of other
personnel who may have important input for the risk assessment are:
provide a lot of information on software and hardware related issues. They are
responsible for the investigation and evaluation of those risks identified as a result
of software and hardware implementation and therefor important for the risk
assessment.
Customers can identify important requirements (business) for the process and
are therefor a possible source for the risk assessment.
Page 5/16
Copyright 2006 ps_testware
The intention of this chapter is to explain the assessment model and methodology
used by ps_testware. The risk assessment methodology can be divided into four
phases: Planning phase, Performing phase, Reviewing phase and Follow-up phase.
Planning # CS
Performing CSn
Performing CS3
Performing CS2
Performing CS1
Review CSn
Reviewing
Reviewing CSC2S3
Reviewing CS1
Follow-up
- V(M)P
- Actio
ns
on
Page 6/16
Copyright 2006 ps_testware
Planning phase: The goals of the Planning phase are to define the scope of the
risk assessment and to identify the resources and the time required. The output is
a prioritised list of systems to assess, defined risk factors, an established risk
assessment team and allocated time, resources and material.
Performing phase: The goal of the Performing phase is to conduct the system
specific risk assessments. The output is a draft risk analysis document with a list
of (possible) regulatory and business risks presented by specific computer
systems including recommended corrective actions and preventative measures.
Reviewing phase: The goals of the Reviewing phase are the review and
approval of the draft risk analysis document. The output is a risk analysis
document that can be published and circulated, and be used to justify to
inspectors the decisions taken concerning the scope and the depth of validation
activities.
implementation of a plan to deal with the identified risks, threats and defined
actions. The output is a Follow-up Plan that is incorporated in the next issue of
the Validation Plan, or in a Test Plan. If the risk assessment is part of the total
validation process, the Follow-up phase can be a basis for creating or amending
the validation plan, adapting the validation activities or analysing the risks while
executing validation activities.
These 4 phases are explained in more detail in the sections 3.2 to 3.5, but first the
timing and number of risk assessments necessary is discussed.
3.1 Timing
Because the validation process should start at the beginning of the SDLC, the risk and
threats to non-compliance and priorities are likely to change throughout the project.
Therefore the risk assessment should be conducted at several stages of the project.
The number and timing of risk assessments should be documented in a validation
(master) plan. Figure 2 shows examples of good moments to conduct risk
assessments (RA).
The best time to conduct a first risk assessment is during the completion of the
Business Model and User Requirements. Other moments are after a Supplier
Assessment (Audit), after completion of Functional Specifications, after the test phase
and when the system undergoes major changes.
An efficient way of working while conducting a risk assessment is to combine it with a
first review of the existing documents (Design Qualification (DQ) or Design Review).
This involves planned and systematic documented reviews of documentation
throughout the SDLC. These reviews validate the deliverables for constancy and
correctness against standards, identify (possible) problems and propose the necessary
corrective actions.
Page 7/16
Copyright 2006 ps_testware
URS
RA
RA
PQ protocol
and results
Validation
Plan/Strategy
Testing of the FS
FS
OQ protocol
and results
RA
Hardware DS
IQ protocol
and results
RA
Integration
testing
Software DS
Software
Module Spec
Module
testing
RA
Implementation
(change
control)
Building
Project Planning
Page 8/16
Copyright 2006 ps_testware
3. After creating and approving the necessary procedures, and defining the risk
factors, the risk assessment process will be defined in an approved document,
such as a validation master plan. One of the biggest risks an organisation can take
is failing to define their approach to risk assessment and validation. Sometimes a
risk assessment is conducted as a basis for the (draft) validation master plan and
so it cannot be defined in an approved Validation Master Plan. Then the risk
assessment will be part of a policy statement or quality assurance. The number
and timing of further risk assessments will be documented in the validation plan.
If there are several operational computer systems in the organisation, the following
steps will be followed to identify regulated computer systems and rank them by
priority for the Performing phase.
4. An inventory of all computer systems utilised by the organisation will be
generated and maintained. For each computer system the available participants
and documentation that can be of use for system specific risk assessment in the
Performing phase will be identified.
5. From the inventory list created and maintained as defined in step 4, systems that
require validation based on the regulatory impact and business risks will be
identified. Here a checklist is used with 15 question that can be answered with
Yes or No. If one of the questions is answered with Yes the computer
system should be validated and a system specific risk assessment should be
conducted. This checklist is not the only method of doing this, but it does give a
good first indication. For each computer system that requires validation,
prospective validation or retrospective evaluation needs are identified and the
current validation status is recorded on the inventory list.
Page 9/16
Copyright 2006 ps_testware
Page 10/16
Copyright 2006 ps_testware
Page 11/16
Copyright 2006 ps_testware
High
Medium
Low
Negligible
Impact
assessment
Threat
likelihood
High
Medium
Low
Page 12/16
Copyright 2006 ps_testware
High
Medium
Low
Negligible
Detection
likelihood
Threat
classification
Low
Medium
High
Page 13/16
Copyright 2006 ps_testware
9. The completion of the draft risk analysis document records the results of the
assessment, and all defined preventative and corrective actions for the high
priority risks. The contents of the risk assessment document should include:
Introduction, a short description of the assessment and the computer system
included the GAMP categories of software used in the system;
Scope, which aspects are within the scope of the risk assessment;
Objectives, and what is the summarised outcome of the risk assessment;
Inputs, which documents and participants were used for the risk assessment;
Business processes, which identified functions have been assessed;
Risk criteria, what criteria were used for the likelihood and impact.
The most important constituent of the risk analysis document is the list of potential
threats to regulatory compliance and the business, together with an assessment of
the likelihood and impact of each risk event / threat, and a prioritised assessment of
each risk event / threat. These can be divided in three parts:
Page 14/16
Copyright 2006 ps_testware
CONCLUSION
Risk Assessment is a tool to assist in defining and following a better and efficient
validation process. The assessment gives a clear and reliable picture of all the risks
and threats to the business and towards compliance of cGxP and 21 CF Part 11
requirements. The identified risks and threats are assessed and corrective actions and
preventive measures are defined.
The principal benefit is that a structured process of conducting risk assessments
produces a solid base for determining and justifying the scope and extent of, and
exclusions from the validation process. Through a detailed risk analysis document that
identifies the risks, their consequences, and the necessary preventative and corrective
actions, the right validation strategy can be chosen.
Page 15/16
Copyright 2006 ps_testware
Quality is (y)our
business
info@pstestware.com
www.pstestware.com
Page 16/16
Copyright 2006 ps_testware