Really, I don't recommend you do a detailed risk assessment on every record in the building. I think you need to set up a
systematic way of doing it—and you are going to put certain records in certain categories from the very beginning. If a record
is used to release product and this record is incorrect and you release an unsafe product – I would make that your highest
category, direct impact to public health (15).
Risk-based validation takes two steps: Define the risk category—for example, high, medium, and low—and define the extent
of validation for each category according to guidelines as laid out by the company.
One final comment before we start with risk-based approaches. The model proposed in this paper has two objectives. The first
is to get started quickly to take immediate benefit of the risk-based approach. Start with a qualitative risk assessment based
on experience with the same or similar systems and gain further experience for full risk management for later implementation.
The second is to fulfill FDA requirement of basing the extent of validation for each level on justified and documented risk
It is quite obvious that there are no generally accepted models to copy, and there is no universal solution. Each company
must figure out the answers for itself because success really does depend on the unique situation of a company. The model
suggested in this article is just one example for implementation. The FDA would allow many others. For example, this model
suggests three risk categories: high, medium, and low. It also would be acceptable to have only two: high and low, or five
and more. All models would be accepted as long as the approach is justified and documented.
Approaches for risk assessment and management
The National Institute for Standards and Technology (NIST) has defined the term risk as:
The probability that a particular threat-source will exercise (accidentally trigger or intentionally exploit) a particular
information system vulnerability and the resulting impact if this should occur (12).
The types of risks a pharmaceutical company deals with include patient risk (safety and efficacy of drugs), regulatory risks
[FDA 483's, Warning Letters (WLs), product recalls, etc.], and financial risk due to, for example: inability to get products approved for marketing, inability to ship finished products,
or consequences of unauthorized disclosure of trade secrets and private information.
Risk management is the entire process from identifying and evaluating the risk to defining risk categories, and taking steps
to reduce risk to acceptable levels. Risk assessment includes the first two parts: analysis and risk evaluation.
There are a number of standard risk assessment techniques available and widely used in the industry. The most important ones
include the Failure Mode and Effects Analysis (FMEA) approach, Fault Tree Analysis (FTA), and the application of Hazard Analysis
and Critical Control Point (HACCP) methodology. All three methods have been described in brief by H. Mollah (9).
An approach widely used in medical device industry is based on the International Organization for Standards (ISO) 14971.10
While FMEA and FTA are based more on quantitative, statistical data, the ISO approach is more qualitative in nature. The concept
is to determine risk factors based upon their likelihood and severity, the mitigation of those risks, and monitoring and updating
the process as necessary.
The model, as described by GAMP (1) is similar but adds detectability as another criterion: the more likely the problem will
be detected, the lower the risk. Labcompliance has developed an extensive risk management master plan using the concept as
described in the ISO standard (10).
For the scope of this publication, we follow the approach as described in the ISO standard. The model presented in this paper
is more qualitative than quantitative and is very much based on the experience of users, validation groups, and auditors either
with the same or with similar systems. For the scope of this paper, we introduce readers to the concept of full risk management,
but then only focus on risk assessment. However, bear in mind that some of the current validation tasks, such as vendor assessment
and even testing, are already steps towards the mitigation of risks involving computer systems.