System Level Risk, Impact & Complexity Assessment in CSV


In an earlier post we covered GxP Assessment & Categorization of Computerized System. The first stage in deciding whether a system requires validation is to identify whether the system has a GxP impact.

In this article we look at System Level Risk, Impact & Complexity Assessment in computer system validation.

Applying risk assessment procedures to validation is a highly effective means of ensuring that all critical requirements are tested with the appropriate level of documentation in order for a system or process to be considered as validated or verified.

Validation risk assessment is a structured & documented approach to assessing risks in a computerized system, equipment, instrument & process.


Risk is the combination of the probability of occurrence of harm & the severity of that harm.

A measure of the probability & severity of undesired effects, often as the simple product of probability & consequence.

Risk Management should be viewed as an on-going Quality Management process.

A systematic evaluation of the risk of a process by determining:

- What can go wrong (Risk Identification)

- How likely is it to occur (Risk Estimation)

- What the consequences are.

Examine the process & develop safety barriers to minimize the chance of error. Understand where risk comes from & how people process information.

           


System Criticality & Impact Assessment

- Does the system impact patient safety?

- Does the system impact or capture data about the quality of the product?

- Does the system impact on GMP regulated records?

- Is the system involved in capturing information that would take an action or support the execution of an action that impacts the product quality (e.g. product recall, adverse event reporting)?

- Does the system functionality create any hazards to the environment including people working on the system such as process control systems?

 

Complexity Assessment

- Nature of system complexity: Standard COTS / Configurable COTS / Customized (bespoke)

- Is the system interfaced with other system/s?

- Is a technical contingency plan in place if the system becomes non-functional?

- Does the system impact multiple or companywide functions, or is new infrastructure required?

- Does the system implementation involve data migration?

- Does the Product Vendor or system implementation vendor have any prior experience of implementing the system at any other pharmaceutical organization?

- Is the estimated number of concurrent users 5-10, 10-15 or more than 15?

 

Determine the level of Risk & Assessment using the scale below.

Rating Scale

| Rating | Level |
|---|---|
| 2    3 | High |
| 1 ≥ 2 | Medium |
| 0  ≥ 1 | Low |

 Initial Risk Ranking

To determine the Initial Risk Ranking of a GxP computerized system, use the matrix below of Overall System Impact against Complexity.

Overall Risk Rating is determined using the traditional 9 box grid.

| Overall Impact \ Complexity | Low Complex | Medium Complex | High Complex |
|---|---|---|---|
| High Impact | Medium Risk | High Risk | High Risk |
| Medium Impact | Low Risk | Medium Risk | High Risk |
| Low Impact | Low Risk | Low Risk | Medium Risk |

 

Decision based on Risk Rating:

Many decisions can be made from the initial risk ranking including the approach and extent of the validation.

Supplier Auditing – High Risk items only. Medium and low risk computerized systems have only a postal questionnaire.

Risk Assessments – High and Medium risk systems will be subject to more detailed risk assessments, low risk computerized systems will not.

Level of verification activities – High and Medium risk systems have detailed formalized testing, Low risk computerized systems have reduced testing, either commissioning or supplier verification.

Level of security – Low risk computerized systems have minimal controls over security, High and Medium Risk computerized systems have full security controls applied.


Frequency of periodic reviews.

The above list is not exhaustive; the regulated company can use the Risk Rating to determine the level of validation, deliverables & controls through the lifecycle of the computerized system.
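The 9 box grid and the decisions listed above, written out as an added example (not code from the original article). The system names in the inventory are constructed, and the monotonicity check is an assumed sanity test for a company that edits the grid.

```python
LEVELS = ("Low", "Medium", "High")

# Initial risk ranking from the article's 9 box grid: MATRIX[impact][complexity].
MATRIX = {
    "High":   {"Low": "Medium", "Medium": "High",   "High": "High"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
}


def matrix_is_monotonic(matrix=MATRIX):
    """Sanity check for an edited grid: risk never drops as impact or complexity rises."""
    rank = LEVELS.index
    for i, impact in enumerate(LEVELS):
        for c, cx in enumerate(LEVELS):
            here = rank(matrix[impact][cx])
            if i < 2 and rank(matrix[LEVELS[i + 1]][cx]) < here:
                return False
            if c < 2 and rank(matrix[impact][LEVELS[c + 1]]) < here:
                return False
    return True


def validation_approach(impact, complexity):
    """Map an impact/complexity pair to the decisions the article lists."""
    if impact not in LEVELS or complexity not in LEVELS:
        raise ValueError(f"levels must be one of {LEVELS}")
    risk = MATRIX[impact][complexity]
    elevated = risk in ("High", "Medium")
    return {
        "risk": risk,
        "supplier_assessment": "audit" if risk == "High" else "postal questionnaire",
        "detailed_risk_assessment": elevated,
        "verification": "detailed formalized testing" if elevated
        else "reduced testing (commissioning or supplier verification)",
        "security_controls": "full" if elevated else "minimal",
    }


# Constructed inventory (hypothetical systems): name, overall impact, complexity.
INVENTORY = [
    ("LIMS", "High", "High"),
    ("Standalone balance", "Medium", "Low"),
    ("Label printer", "Low", "High"),
]

if __name__ == "__main__":
    assert matrix_is_monotonic()
    for name, impact, complexity in INVENTORY:
        print(name, validation_approach(impact, complexity))
```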

 

Data Integrity – Risk Assessment

• Risk assess all lab areas prior to the audit to identify equipment that produces electronic data files.

• Categorize the equipment according to GAMP5.

• Auditors will focus on instrumentation that falls under USP<1058> categories B & C and GAMP5 categories 3, 4 and 5.

• Perform an internal Data Integrity audit on medium & high risk equipment.

• Does the equipment meet the requirements of 21 CFR part 11 (ask yourself the 5 questions regarding electronic data)?

• Check that electronic data can only be accessed through the instrument software & not via the operating system.

• Identify gaps and implement short term corrective action before the audit (if possible).

• Discuss longer term corrective actions with the management team.
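One way to run the operating-system access check from the list above, as an added example that is not part of the original article. It assumes a POSIX host where the instrument software writes raw data files under a single directory as a dedicated service account; `data_dir` and `service_uid` are hypothetical parameters, and Windows hosts need the equivalent review of NTFS ACLs.

```python
import os
import stat


def os_level_exposure(data_dir, service_uid):
    """List paths under data_dir that are reachable outside the instrument software.

    Assumption: only the service account (service_uid) should own or touch raw data.
    Returns a list of (path, octal_mode, [issues]) tuples.
    """
    findings = []
    for root, _dirs, files in os.walk(data_dir):
        # Check the directory itself, then every file in it.
        for path in [root] + [os.path.join(root, f) for f in files]:
            st = os.lstat(path)
            mode = stat.S_IMODE(st.st_mode)
            issues = []
            if stat.S_ISLNK(st.st_mode):
                # A link can point data access outside the controlled folder.
                issues.append("symbolic link, target needs manual review")
            else:
                if st.st_uid != service_uid:
                    issues.append("not owned by the service account")
                if mode & stat.S_IWOTH:
                    issues.append("writable by any OS user")
                if mode & stat.S_IWGRP:
                    issues.append("writable by group")
                if mode & stat.S_IROTH:
                    issues.append("readable by any OS user")
            if issues:
                findings.append((path, oct(mode), issues))
    return findings


if __name__ == "__main__":
    # Constructed invocation: audit the current directory as the current user.
    for path, mode, issues in os_level_exposure(".", os.getuid()):
        print(path, mode, "; ".join(issues))
```

Each finding is a gap to record for short term corrective action, since a user with that access can alter or delete data without going through the instrument software's audit trail.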

 

Risk Severity:

Critical: Very Significant Non-Compliance with GMP or Patient Injury

Major: Significant Non-Compliance with GMP or Patient Impact

Minor: Minor Infringement of GMP, No expected Patient Impact

 

Risk Assessment - Assess Potential Risks and Consequences

Risk Identification – Identify the Potential Risks

Risk Estimation – Determine the Likelihood that the Risk will Occur

Risk Impact – Determine the Potential Impact of the Risk

Risk Detection – Determine the Detectability of the Risk

Risk Classification – Define & Quantify Risk Level

Risk Analysis – Determine Cost/Benefit Analysis

Risk Mitigation/Avoidance – Determine Risks which can be Lessened or Avoided

Risk Strategy - Determine and Document Strategies for Managing Risk

Risk Monitoring – Monitor Changes, New Risks, Risk Levels & Update Risk Plans


“Trust but Verify” Ronald Reagan

 
