In this series we will explore the documentation required to successfully deliver and record a Computer System Validation (CSV) project.
For GxP systems it is necessary to establish a series of documentation to record the approach and execution of validation. The documents in this series are based on a GAMP5 approach to a Category 4 – Configured Product.
A Risk Assessment is critical to the proper execution of risk-based validation. By assessing business process risks it is possible to target testing to only those areas most vital to the business, which saves time and therefore cost in your validation efforts.
Let’s look at some of the key elements in a Risk Assessment.
There are 3 factors that should be considered when performing a risk assessment, each scored on a scale of 1-5:
- Probability – this is the measure of how likely the event is to occur. For example, if an event definitely will occur it may be scored a 5; however, if the event is unlikely it may score a 3.
- Severity – Similarly to probability, this score is based on the likely impact of the risk. For example, if the risk would lead to a significant loss of time or materials it may be scored a 5, but if the risk occurring would only lead to 5 minutes of downtime and no additional cost it may be scored a 1.
- Detectability – Detectability is scored on a reverse scale to the others, with 5 being the least detectable and 1 being the most. For example, if you would know immediately the scale and impact of the risk then the score would be 1, but if you wouldn’t know the issue had arisen or wouldn’t know the extent, the score would be 5. This becomes clearer when calculating the total risk score, which we will look at in the next section.
Now that we have scored each factor of our risk, we need to calculate the total risk score.
To calculate the total risk, multiply the scores of each of the factors (this is why detectability has a higher score, 5, if it is less detectable), so the calculation will be Probability x Severity x Detectability.
This gives a minimum score of 1x1x1=1 and a maximum of 5x5x5=125. These scores can be divided into 3 sections: Minor (scores 1-12), Major (scores 13-45) and Critical (scores 46-125), although this scoring can vary from business to business.
Actions and Mitigation
Once the risks have been scored and assigned a category, each business must define its own risk appetite, but traditionally Minor risks require no mitigation. Major risks require mitigation; if mitigation is not possible the risk can be accepted by the business, but it should be regularly reviewed until it can be successfully mitigated. Critical risks cannot be accepted by the business, and the associated process or validation should stop until mitigation can be put in place.
Each risk should be addressed through mitigation and then reassessed until the mitigations reduce the score to an acceptable level. Some examples of mitigation actions are system configuration, additional validation testing and procedural controls.
As a practical example, we have a system that monitors the temperature inside a freezer. We have identified a risk that if the temperature leaves the appropriate range, no one will be notified in time to correct the error or move the materials. If our risk has a detectability score of 5 and other scores of 3, for an overall score of 45 (Major), we may want to target that first. In this example we could use a configuration control to set up the system to e-mail key users in the event of a temperature deviation, and a validation control to verify that the system sends the e-mails correctly. Now when we re-assess we have a detectability of 1 and the other scores have not changed, for an overall score of 9, now a Minor risk.
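The scoring, banding and re-assessment steps above can be kept as a small risk register. The following is an added example, not part of the original post; the names `Risk`, `reassess` and `register_row` are hypothetical, and the bands and actions are the ones quoted in this post, passed as a parameter because they can vary from business to business.

```python
from dataclasses import dataclass, replace

# Bands as given in the post; pass a different tuple if your business differs.
DEFAULT_BANDS = (("Minor", 1, 12), ("Major", 13, 45), ("Critical", 46, 125))

# Traditional handling per category, paraphrased from the post.
ACTIONS = {
    "Minor": "no mitigation required",
    "Major": "mitigate, or accept and review regularly",
    "Critical": "stop until mitigation is in place",
}

@dataclass(frozen=True)
class Risk:
    description: str
    probability: int
    severity: int
    detectability: int  # reverse scale: 5 = least detectable

    def __post_init__(self):
        # Reject scores outside the 1-5 scale so a typo cannot skew the total.
        for name in ("probability", "severity", "detectability"):
            value = getattr(self, name)
            if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 5:
                raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")

    @property
    def score(self):
        return self.probability * self.severity * self.detectability

    def category(self, bands=DEFAULT_BANDS):
        for label, low, high in bands:
            if low <= self.score <= high:
                return label
        raise ValueError(f"score {self.score} is not covered by the bands")

def reassess(risk, **new_scores):
    """Return a re-scored copy after mitigation; the original record is kept."""
    return replace(risk, **new_scores)

def register_row(risk, bands=DEFAULT_BANDS):
    cat = risk.category(bands)
    return (risk.description, risk.score, cat, ACTIONS[cat])

# Constructed sample: the freezer risk from the post, before and after mitigation.
freezer = Risk("Temperature excursion not notified in time", 3, 3, 5)
mitigated = reassess(freezer, detectability=1)

if __name__ == "__main__":
    for r in (freezer, mitigated):
        print(register_row(r))
```

Keeping the original and the re-assessed record side by side gives the validation file both the initial score and the residual score after the configuration and validation controls.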
In the next instalment of the series we will look at the User Requirement Specification.