Computerized System Science Based Quality Risk Management- Free

cGMP-World for Pharmaceutical IndustryTitle: Computerized System Science Based Quality Risk ManagementPrepared By: Doc. No.: Guidance - CS-001Title & Date: Revision No.: 00Reviewed By: Effective Date: 01/01/2017Title & Date: Expiry Date: 01/01/2019Reviewed & Approved By: Originator Department:Title & Date: Distribution:Reviewed & Approved By:Title & Date:Reviewed & Approved By:Title & Date:Reviewed & Approved By:Title & Date:1. Purpose1.1 Quality risk management is a systematic process for the assessment, control, communication, and review of risks to patient safety, product quality, and data integrity, based on a framework consistent with ICH Q9.1.2 It is used:  to identify risks and to remove or reduce them to an acceptable level  as part of a scalable approach that enables regulated companies to select the appropriate life cycle activities for a specific system Organizations may already have established risk assessment methods and tools.2. Scope2.1 This guidance is applicable to all types of computerized systems used in regulated activities, including those supporting clinical trials, toxicological studies, Active Pharmaceutical Ingredients (API) production, formulated product production, warehousing, distribution, and pharmacovigilance. cGMP - World for Pharmaceutical Industry Page 1 of 32 Copyright©www.cgmp-world.com. All rights reserved

cGMP-World for Pharmaceutical Industry This page is blank Intentionally cGMP - World for Pharmaceutical Industry Page 2 of 32Copyright©www.cgmp-world.com. All rights reserved

cGMP-World for Pharmaceutical IndustryTable M3.1: Risk Management Roles and Responsibilities Role ResponsibilitiesProcess Owner/System Owner  Establish team and provide resourcesTeam consisting of Subject (may be delegated to nominatedExperts (SMEs) and key users project manager)Quality Unit  Involvement in risk assessments asSupplier required  Approve documentation MatterIdentify, analyze and evaluate risks to patient safety, product quality and data integrity  Develop controls  Identify, analyze and evaluate risks associated with regulatory compliance and maintaining company quality standards and policies  Involvement in risk assessments as required  Approve documentation  Provide information on their product, how it works and how it might fail.  Provide advice on controls.  Involvement in risk assessments as requiredNote: SMEs may include as necessary Process Owner, System Owner,Quality Unit, Business or IT Application Support, IT or EngineeringOperations Support, Infrastructure specialists, supplier, or any otherappropriate specialist cGMP - World for Pharmaceutical Industry Page 3 of 32Copyright©www.cgmp-world.com. All rights reserved

cGMP-World for Pharmaceutical Industry3. Guidance3.1 This guidance provides further guidelines on the following topics:  scalability of the process  applying risk management based on the business process  risk management throughout the system life cycle  risk assessment method  the selection and use of controls  residual risk  using risk assessments to scale system life cycle activities  risk communication and documentation  examples of applying the process to different types of systems cGMP - World for Pharmaceutical Industry Page 4 of 32Copyright©www.cgmp-world.com. All rights reserved

cGMP-World for Pharmaceutical Industry This page is blank Intentionally cGMP - World for Pharmaceutical Industry Page 5 of 32Copyright©www.cgmp-world.com. All rights reserved

cGMP-World for Pharmaceutical Industry3.2 Applying Risk Management Based on the Business Process: In order to effectively apply a quality risk management program to computerized systems, it is important to have a thorough understanding of the business process supported by the computerized systems, including the potential impact on patient safety, product quality, and data integrity. Aspects to consider include:  What are the hazards? To recognize the hazards to a computerized system requires judgment and understanding of what could go wrong with the system, based on relevant knowledge and experience of the process and its automation. Consideration should include both system failures and user failures.  What is the harm? Potential harm should be identified based on hazards. Examples of potential harm include: - production of adulterated product caused by the failure of a computerized system - failure of an instrument at a clinical site that leads to inaccurate clinical study conclusions - failure of a computerized system used to assess a toxicology study that leads to incomplete understanding of a drug’s toxicological profile  What is the impact? In order to understand the impact on patient safety, product quality, and data integrity, it is necessary to estimate the possible consequence of a hazard. cGMP - World for Pharmaceutical Industry Page 6 of 32Copyright©www.cgmp-world.com. All rights reserved

cGMP-World for Pharmaceutical Industry This page is blank Intentionally cGMP - World for Pharmaceutical Industry Page 7 of 32Copyright©www.cgmp-world.com. All rights reserved

cGMP-World for Pharmaceutical Industry3.3 Risk Management Throughout the System Life Cycle Appropriate risk management processes should be followed throughout the life cycle in order to manage identified risks and to determine the rigor and extent of the activities required at each phase of the life cycle. While risk-based decision making should be used throughout the life cycle, different approaches may be appropriate to different situations, ranging from formal risk assessments to decisions taking into account pertinent risk factors. For example, formal risk assessments are usually performed at several stages when developing new software. A formal risk assessment would normally not be required, however, when determining the need for a formal supplier audit. This risk-based decision, typically, is made and documented by the project team also taking into account novelty and complexity, the categorization of components, and any intention to leverage supplier documentation. Figure M3.3 shows the typical use of risk-based decision making throughout the life cycle. Figure M3.3: Typical Use of Risk-Based Decision Making cGMP - World for Pharmaceutical Industry Page 8 of 32Copyright©www.cgmp-world.com. All rights reserved

cGMP-World for Pharmaceutical Industry This page is blank Intentionally cGMP - World for Pharmaceutical Industry Page 9 of 32Copyright©www.cgmp-world.com. All rights reserved

cGMP-World for Pharmaceutical Industry  information for requirements development, system specification and system descriptions  information to assist with developing the strategy for achieving compliance and fitness for intended use3.3.1.1 GxP Determination The initial risk assessment should include a decision on whether the system is GxP regulated (i.e., a GxP assessment). If so, the specific regulations should be listed, and to which parts of the system they are applicable. For similar systems, and to avoid unnecessary work, it may be appropriate to base the GxP assessment on the results of a previous assessment, provided the regulated company has an appropriate established procedure.3.3.1.2 System Impact The initial risk assessment should determine the overall impact that the computerized system may have on patient safety, product quality, and data integrity due to its role within the business processes. This should take into account both the complexity of the process, and the complexity, novelty, and use of the system. Categorization assists in assessing system complexity and novelty. In general, high impact systems typically include those that:  generate, manipulate, or control data supporting regulatory safety and efficacy submissions cGMP - World for Pharmaceutical Industry Page 10 of 32Copyright©www.cgmp-world.com. All rights reserved

cGMP-World for Pharmaceutical Industry This page is blank Intentionally cGMP - World for Pharmaceutical Industry Page 11 of 32Copyright©www.cgmp-world.com. All rights reserved

cGMP-World for Pharmaceutical IndustryFigure M3.4: Deciding on the Need for Further Assessment cGMP - World for Pharmaceutical Industry Page 12 of 32Copyright©www.cgmp-world.com. All rights reserved

cGMP-World for Pharmaceutical Industry This page is blank Intentionally cGMP - World for Pharmaceutical Industry Page 13 of 32Copyright©www.cgmp-world.com. All rights reserved

cGMP-World for Pharmaceutical Industry3.3.2 Functional Risk AssessmentWhere these are required, functional risk assessments should beused to identify and manage risks to patient safety, product quality,and data integrity that arise from failure of the function underconsideration. This is covered by steps 2 and 3 of the process.Functions with impact on patient safety, product quality, and dataintegrity are identified by referring to the URS, functionalspecification (FS), and the output of the initial risk assessment.A method for performing functional risk assessment is provided inSection 5.5 of this guidance. The assessments should be performedby SMEs.Computerization may introduce particular risks (e.g., electronicrecord integrity, system availability, security, infrastructure) nototherwise associated with the manual business processes. Thedesign of computerized systems may provide controls for identifiedrisks, but may introduce other risks that require controlling. Thisshould be included in the assessment.More information on the use of risk assessments for particularsystem types and for infrastructure is given in the relevant GAMPGood Practice Guides.3.3.3 Risk-Based Decisions During Test Planning Testing is often performed at several levels depending on the risk, complexity, and novelty of the system.Significant savings may be realized if the need for additional controlsfor the business process or the computerized system is recognizedearly in the development process. Measures identified to managerisk should be implemented and verified. Verification of controls,typically, is covered during testing of the system and should coverany additional controls required to address deficiencies found duringtesting. cGMP - World for Pharmaceutical Industry Page 14 of 32Copyright©www.cgmp-world.com. All rights reserved

cGMP-World for Pharmaceutical Industry This page is blank Intentionally cGMP - World for Pharmaceutical Industry Page 15 of 32Copyright©www.cgmp-world.com. All rights reserved

cGMP-World for Pharmaceutical Industry3.3.4 Risk-Based Decisions When Planning System Retirement Risk-based decisions are required when planning system retirement, e.g.:  approach to data and record retention and migration  approach to verification3.4 Risk Assessment Method Risk management aims to establish controls such that the combination of severity, probability of occurrence, and detectability of failures is reduced to an acceptable level. Severity refers to the possible consequence of a hazard. The method presented in this section provides a simplified functional risk assessment tool. It is not mandatory – other detailed risk assessment methods may be used. It is used, if necessary and appropriate, during step 3 of the 5-step process. Each of the hazards identified for a function is assessed in two stages, as shown in Figure M3.5: 1. Severity of impact on patient safety, product quality and data integrity is plotted against the likelihood that a fault will occur, giving a Risk Class. 2. Risk Class is then plotted against the likelihood that the fault will be detected before harm occurs giving a Risk Priority. cGMP - World for Pharmaceutical Industry Page 16 of 32Copyright©www.cgmp-world.com. All rights reserved

cGMP-World for Pharmaceutical Industry This page is blank Intentionally cGMP - World for Pharmaceutical Industry Page 17 of 32Copyright©www.cgmp-world.com. All rights reserved

cGMP-World for Pharmaceutical Industry Function impact is context sensitive. For example, failure of an instrument in an in-process Quality Control (QC) laboratory for chemical intermediates is far less likely to affect patient safety than the same instrument in a QC laboratory that releases drug product to market, because there are many additional controls between the intermediate and the patient in the former case, where there may be none in the latter.3.4.1 The Selection and Use of Controls Controls are measures that are put in place to reduce risk to an acceptable level. They may be part of a computerized system function, in parallel manual procedures, or they may be downstream, intended to trap fault conditions after they have occurred, e.g., QC release testing. Controls typically are aimed at:  eliminating risk through process or system redesign  reducing risk by reducing the probability of a failure occurring  reducing risk by increasing the in-process detectability of a failure  reducing risk by establishing downstream checks or error traps (e.g., fail-safe, or controlled fail state). In some cases, it may not be possible to reduce risk through downstream controls (e.g., for an adverse event reporting system, for which there is no downstream), so controls in such cases generally are integral to the system or process and are aimed at preventing the failure from occurring or making it more detectable if it does. In other cases, the identified risk may be sufficiently low or easily detectable such that specific controls are not required. Controls for a given process may be automated within the system, such as alarms, restrictions to data fields, required data fields, or dialog box prompts for verification. Alternatively, they cGMP - World for Pharmaceutical Industry Page 18 of 32Copyright©www.cgmp-world.com. All rights reserved

cGMP-World for Pharmaceutical Industry This page is blank Intentionally cGMP - World for Pharmaceutical Industry Page 19 of 32Copyright©www.cgmp-world.com. All rights reserved

cGMP-World for Pharmaceutical IndustryTable M3.3: Wider Risk Control Approaches3.5 Residual Risk Residual risks after implementing control measures should be considered, e.g., after testing, to determine whether selected control strategies for the system should be adjusted. If the residual risk is above the threshold of acceptable risk, then appropriate controls should be implemented and verified, and the impact on previously implemented risk control measures should also be considered.3.6 Scaling Life Cycle Activities Activities aimed at ensuring GxP compliance and fitness for intended use, throughout the life of the system, should be scaled according to:  system impact on patient safety, product quality and data integrity (risk assessment)  system complexity and novelty (architecture and categorization of system components)  outcome of supplier assessment (supplier capability) cGMP - World for Pharmaceutical Industry Page 20 of 32Copyright©www.cgmp-world.com. All rights reserved

cGMP-World for Pharmaceutical Industry This page is blank Intentionally cGMP - World for Pharmaceutical Industry Page 21 of 32Copyright©www.cgmp-world.com. All rights reserved

cGMP-World for Pharmaceutical Industry facilitate this, risk assessments should be documented such that the results can be easily accessed during the life cycle. This may be achieved using a risk register. The risk-based approach will be effective only if the risk control strategies that are put in place are monitored during the life of the computerized system to ensure they remain in place and are effective. Hence, as part of the periodic review, the risk register should be reviewed to ensure that all the control strategies remain appropriate.4. Risk Assessment Methods and Tools The following are commonly used methods and tools for risk assessment:  Hazard and Operability Analysis (HAZOP)  Computer Hazards and Operability Analysis (CHAZOP)  Failure Mode and Effects Analysis (FMEA)  Failure Mode, Effects, and Criticality Analysis (FMECA)  Fault Tree Analysis (FTA)  Hazard Analysis and Critical Control Points (HACCP)  Basic Risk Management Facilitation Methods  Preliminary Hazard Analysis (PHA)  Risk Ranking and Filtering5. Examples This section includes examples of the application of risk management. They are indicative and not intended to be definitive. Other approaches are equally applicable. 5.1 Example 1 – Approaches for Different Categories of Systems The examples provided in this appendix show the risk management process applied to three categories of system. cGMP - World for Pharmaceutical Industry Page 22 of 32Copyright©www.cgmp-world.com. All rights reserved

cGMP-World for Pharmaceutical Industry This page is blank Intentionally cGMP - World for Pharmaceutical Industry Page 23 of 32Copyright©www.cgmp-world.com. All rights reserved

cGMP-World for Pharmaceutical Industry 5.1.1 Example Category 4 Configured ProductFor a typical Category 4 product it may be necessary to carry out aninitial risk assessment to determine whether the system is GxPregulated and to understand the overall system impact, followed byone or more detailed risk assessments as the system specification isdeveloped. However, for some systems it may be possible to cover allrisks in the initial assessment; see Figure M3.7.Figure M3.7: Risk-Based Approach for Configured Product (Category 4) cGMP - World for Pharmaceutical Industry Page 24 of 32Copyright©www.cgmp-world.com. All rights reserved

cGMP-World for Pharmaceutical Industry This page is blank Intentionally cGMP - World for Pharmaceutical Industry Page 25 of 32Copyright©www.cgmp-world.com. All rights reserved

cGMP-World for Pharmaceutical Industry5.2 Example 2 – Determining System and Functional Impact This example presents a method of determining system impact and provides information that can be used later as part of functional risk assessments. Figure M3.9 shows how process knowledge helps determine system impact, and how the understanding of the importance of the process steps assists with the determination of functional risk in step 2 of the 5- step process. System impact is chosen to be the impact for the highest assessed process step. System impact can be used to scale compliance activities.Figure M3.9: Analyzing the Business Process for Steps 1, 2, and 3 in the Five Step Process cGMP - World for Pharmaceutical Industry Page 26 of 32Copyright©www.cgmp-world.com. All rights reserved

cGMP-World for Pharmaceutical Industry This page is blank Intentionally cGMP - World for Pharmaceutical Industry Page 27 of 32Copyright©www.cgmp-world.com. All rights reserved

cGMP-World for Pharmaceutical IndustryFigure M3.10: Risk Assessment Based on Impact cGMP - World for Pharmaceutical Industry Page 28 of 32Copyright©www.cgmp-world.com. All rights reserved

cGMP-World for Pharmaceutical Industry This page is blank Intentionally cGMP - World for Pharmaceutical Industry Page 29 of 32Copyright©www.cgmp-world.com. All rights reserved

cGMP-World for Pharmaceutical IndustryTable M3.4: Examples of Risk Assessments for Medium and High Impact Functions (continued)*Note that there is no implication that these functions should always bedefined as high or medium impact; such an assignment must be madewithin the context of the business process. They are simply used asexamples to illustrate the concept of generic versus specific hazardanalysis and risk assessment. cGMP - World for Pharmaceutical Industry Page 30 of 32Copyright©www.cgmp-world.com. All rights reserved

cGMP-World for Pharmaceutical Industry This page is blank Intentionally cGMP - World for Pharmaceutical Industry Page 31 of 32Copyright©www.cgmp-world.com. All rights reserved

cGMP-World for Pharmaceutical Industry6. Related Documents Not applicable7. References: GAMP 5: A Risk-Based Approach to Compliant GxP Computerized Systems8. Revision HistoryRevision No. Effective Date Reasons for Change 00 01/01/2017 First Issue cGMP - World for Pharmaceutical Industry Page 32 of 32Copyright©www.cgmp-world.com. All rights reserved