Alternative Approach to Risk Assessment of Computerised Systems

The aim is to obtain an indication of the risk that a requirement entails and whether further risk-minimising measures are required.The application of the Golden Circle method produces the following tasks required to achieve the goal of risk assessment of computerised systems:

1. Create a user requirements specification (URS) with all regulatory and process requirements
2. Identify unwanted effects and add the necessary risk-minimising measures as requirements in the URS
3. Assign software and hardware category as per ISPE GAMP® 5 definition to the requirements set out in the URS
4. Determine the GxP relevance for each requirement
5. Determine the risk priority number
6. Evaluate the risk priority number

Steps 1–3 are already described in 9.D.1 System classification as per ISPE GAMP® 5 and 9.E Validation of computerised systems and are therefore only briefly summarised here. Determination of GxP relevance, calculation of the risk priority number and its possible evaluation (steps 4–6) are explained below.

As a rule, computerised systems are made up of modules, components and functions that can be assigned to different software categories as per ISPE GAMP® 5 for fulfilment of a requirement . For example, an individually programmed interface is assigned to software category 5, while a standard monitoring system without configuration correlates to software category 3. For the risk assessment, each requirement can therefore be considered and evaluated separately.

Risk analysis methods can be used to identify potentially unwanted effects or missing requirements. The results should be added iteratively as a requirement in the URS and also subjected to a risk assessment.

Step 4: Determination of GxP relevance

ISPE GAMP® 5 provides a number of examples of risk assessment, but is not specific in terms of information concerning risk priority or the impact of unwanted effects on patient safety, product quality and data integrity of a computerised system. ISPE GAMP® 5 thus ultimately only follows the formulation of ICH Q9, to define qualitative descriptions such as “high”, “medium” or “low” in as much detail as possible. Quotations to this effect can be found in Figure 9.D-4.

Figure 9.D-4 Statements of ICH Q9 and ISPE GAMP® 5 on the classification of risks

As part of computer system validation, it is important to determine whether a function of the system can have an impact on patient safety, product quality and data integrity and is therefore GxP relevant. Another important aspect is whether a malfunction can have an indirect or direct influence. Where the risk of malfunction cannot be eliminated by technical measures, monitoring should be implemented and correction should be possible.

With the introduction of GxP relevance as an example of a risk-describing variable, the aspects that have been set out can be differentiated into five levels (Figure 9.D-5). These levels should be specified in greater detail by each user for their own particular risk management process.

Figure 9.D-5 Definition of GxP relevance

Step 5: Calculation of the risk priority number

The risk priority number for a requirement from the specifications for a computerised system is calculated from the ISPE GAMP® 5 category of the system and the GxP relevance as follows:

Risk priority number (RPN) = (ISPE GAMP® 5 category) x (GxP relevance)

Figure 9.D-6 Risk priority numbers from ISPE GAMP® 5 category and GxP relevance

Step 6: Evaluation of the risk priority number

The need for technical or organisational measures for the minimisation of risk is determined on the basis of the risk priority number for the requirement in question.

An example of a scheme for determination of the need for measures is shown in Figure 9.D-7.

Figure 9.D-7 Acceptance criteria and need for measures

This means that for requirements that have a risk priority number < 5, no technical or organisational measures are required and a simple functional test is sufficient. By contrast, measures are necessary for requirements with a risk priority number ≥ 15. For requirements with risk priority numbers between > 5 and < 15, measures are recommended.