This article describes how to adopt risk-based approaches for the validation of commercial computer systems used in the regulated
pharmaceutical industry. This paper will help to guide readers through a logical, risk-based approach for computer system
validation. It offers recommendations on how to define risks for different system and validation tasks and for risk categories
along the entire life of a computer system. The scope of this paper is limited to Commercial Off-the-Shelf (COTS) systems
and does not include risks typically involved during software development.
The article contains two parts. Part one deals with risk assessment, in which we discuss approaches to categorizing computer
systems into high, medium, and low-risk levels. (These levels serve as an example. Any ranking of levels of risk that is relevant
to the product and the manufacturer may be substituted. The thought process of ranking is the same.) Part two offers recommendations
for validation steps for the different categories as defined in part one.
Computer systems are widely used in pharmaceutical industry for instrument control and data evaluation in laboratories and
manufacturing. They are also widely used for data transmission, documentation, and archiving. When used in regulated environments
they should be formally validated. The main compliance-related purpose of their validation is to ensure accuracy and integrity
of data created, modified, maintained, archived, retrieved, or transmitted by the computer system. In addition, a computer
validation, typically, is a pre-requisite to obtaining reliable system operation and the highest system uptime, which are
business requirements of the industry. Depending on the complexity and functionality, validation of computer systems can be
a huge task.
The efforts for validation should be balanced against the benefits, which means the amount of work should be in line with
the problems that can occur if the system is not fully validated. The mechanism to balance benefits against investments is
risk assessment in which we define the extent of validation according to the risk a specific computer can have on data integrity,
and ultimately, product quality and safety. The risk-based approach should enhance industry's ability to focus on identifying
and controlling critical functions that affect product quality and data integrity.
Industry task forces have recommended risk-based approaches for validation for a long time. For example, Good Automated Manufacturing
Practice (GAMP) has a chapter in its "Guide for Validation of Automated Systems in Pharmaceutical Manufacture"(1). Also, the
United States Food and Drug Administration has recognized the importance of risk-based compliance. This became most obvious
when the FDA announced its science and risk-based approaches as part of the Twenty-First Century drug Good Manufacturing Practice
(GMP) initiative in 2003 (2).
"We will focus our attention and resources on the areas of greatest risk with the goal of encouraging innovation that maximizes
the public health protection," said FDA Commissioner Mark McClellan at an FDA–industry training session (8). David Horowitz
added, "there are two elements to a risk-based approach to inspections: We need to go to the right places and we need to look
at the right things" (8).
One reason for this risk-based approach is FDA's limited resources to inspect all manufacturing sites every two years.
"We have over 6000 domestic drug facilities and the number of GMP inspections that we have been able to inspect has declined
by about two thirds in the last 20 years. So we can't take the chance that we are squandering our limited resources on lower
risk facilities. That would prevent us from doing a minimum level of scrutiny and oversight and working with the higher risk
facilities," Horowitz said (8).
In the meantime, FDA has begun to allocate its resources based on risk. For example, beginning in the fall of 2004, FDA began
using a risk-based approach for prioritizing domestic manufacturing site inspections for certain human pharmaceuticals. This
approach should help the Agency predict where its inspections are likely to achieve the greatest public health impact (2).
The FDA is not only taking advantage of the risk-based approaches, but also encourages the industry to do so, for instance,
in software and computer validation. The industry guidance on General Principles of Software Validation states:
The selection of validation activities, tasks, and work items should be commensurate with the complexity of the software design
and the risk associated with the use of the software for the specified intended use (3).
The same guide has also specific recommendations on what is expected for lower risk systems: