The principle is shown for early validation phases in Figure 3. Of course, to generate such information is more time consuming
and only makes sense if several systems in GAMP category three or five should be validated.
Figure 3: Validation tasks for system risks and GMP categories, showing only validation phases.
Risk analysis and evaluation of software and computer systems is a good tool to optimize validation costs by focusing on systems
with high impact on both the business and compliance. Substantial cost savings are possible for medium and low-risk systems.
Validation activities of a low-risk system can be limited to documenting which systems have been used. The risk is less dependent
on the type of system than on the type of records generated by the system. For example, a LIMS system used in a research environment
has a lower compliance risk than the same system used in pharmaceutical quality control.
Regulatory agencies require companies to base the extent of validation they complete on a justified and documented risk assessment.
To do this efficiently, we recommend the following steps:
1. Develop a risk management master plan. This describes the company's approach to risk assessment and has templates and examples
for easy and consistent implementation. This plan should also include validation tasks for each risk category.
2. Develop a risk management project plan for each computer system validation project. Use the risk management master plan
approach as a source to define steps, owners, and deliverables.
3. Identify risks, possible hazards and harms and define the risk category, for example: high, medium, and low. This should
be based on likelihood and severity. To estimate the severity, look at the records handled by the system and at their impact
on product quality and consumer safety.
4. Determine validation tasks for each lifecycle phase. Use the approach, templates, and examples from the risk management
5. Develop a risk management plan with a sound justification and the documentation of your results.
For the long term, we recommend that risk assessment be extended to full risk management with an action plan for risk mitigation
and on-going review and control.
Ludwig Huber, PhD, is a compliance program manager at Agilent Technologies, tel. 1 49 7243 602 209, firstname.lastname@example.org
1. "GAMP Good Automated Manufacturing Practice, Guide for Validation of Automated Systems in Pharmaceutical Manufacture,"
Version 3, March 1998, Version 4, December 2001.
2. US Food and Drug Administration,"Pharmaceutical CGMPs for the Twenty-First Century: A Risk-Based Approach,"
http://www.fda.gov/oc/guidance/gmp.html and "FDA Issues Final Report on its '21st Century' Initiative on the Regulation of Pharmaceutical Manufacturing,"
http://www.fda.gov/bbs/topics/news/2004/NEW01120.html (Rockville, MD, Sept. 2004).
3. US FDA, General Principles of Software Validation: Final Guidance for Industry and FDA Staff, (FDA, Rockville, MD, Jan. 2002).
4. US FDA, Guidance for Industry. Part 11, Electronic Records; Electronic Signatures—Scope and Application (FDA, Rockville, MD, Aug. 2003).
5. Pharmaceutical Inspection Convention, Good Practices for Computerized Systems Used in Regulated Environments (PIC/S, Geneva, Switzerland, Jan. 2002).
6. US FDA, Code of Federal Regulations, Title 21, Food and Drugs, Part 11 "Electronic Records; Electronic Signatures; Final Rule; Federal Register 62 (54), 13429-13466.