Pharmacy Courses

Risk-Based Approach for Computer Systems Validation


GxP regulated companies are expected to adopt a risk-based approach for computer systems validation to ensure computerised systems are fit for intended use.


Risk management should be applied throughout the lifecycle of the computerised system, with focus on patient safety, data integrity and product quality.


Here are some examples of activities throughout the computer system life cycle involving justification:

- Justification should be provided for starting a project to implement a new system. Similarly, justification should be provided for making a change to an existing system.


- Regulated companies wishing to use computer systems or services provided by external suppliers should assess the suitability of the supplier before using their services. Justification should be provided for the level of supplier assessment / auditing and for acceptance of the suitability of the supplier.


- System Evaluation / Impact assessment is an important activity in a risk-based approach to computer system validation. Typically the GxP applicability, impact on patient safety and product quality, involvement of electronic records and electronic signatures, etc. are categorised as part of the assessment. For example, whether the system has Direct or Non-direct impact on patient safety or product quality. Justification should be provided for any categorisation that has been assigned.


- The Test Plan typically describes the Test Strategy and outlines the extent of required testing. This needs to be justified as does the adequacy of test environments. Any differences between the test and intended production environments should be justified.


- The Test Report summarises the results of testing and should include justification for any changes to the scope of the validation project or acceptance of any known issues with the system.


- The need for changes to a system in operation should be justified and controlled via change control.


- The frequency of periodic review should be justified.


- Risks should be reviewed periodically and the effectiveness of controls should be monitored. If the residual risk or acceptability of risk has changed, then the controls may need to be changed. That may mean providing justification for relaxation of controls where the controls were too stringent, or further controls if deemed necessary.


- At the end of the system life cycle, justification of the approach for system retirement should be provided. This may involve migration of data from the system to be retired, to a new system. The reliability of the source data is an important aspect to the success of data migration. Therefore justification should be provided for why migrated data should be trusted.


Documenting justification for decisions made aids the defence of actions taken, should they be queried at a later date.


Importance of Justification in GxP Regulated Activities.

Justification is about providing good reason for something. It is about the ‘why’ we do what we do.


EU GMP Annex 11 Computerised Systems mentions justification in the context of Risk Management and Validation.


1. Risk Management

Risk management should be applied throughout the lifecycle of the computerised system taking into account patient safety, data integrity and product quality. As part of a risk management system, decisions on the extent of validation and data integrity controls should be based on a justified and documented risk assessment of the computerised system.


4. Validation

4.1 The validation documentation and reports should cover the relevant steps of the life cycle. Manufacturers should be able to justify their standards, protocols, acceptance criteria, procedures and records based on their risk assessment.


A risk-based approach is about focussing effort on the things that matter most. It requires critical thinking to ensure the most important or critical aspects of a process or system are given most attention. Those efforts should not be hampered by spending too much time on things that don’t matter so much.


A risk-based approach to computer system validation is about avoiding unnecessary or overly burdensome work that adds little value. It must be justified.


Providing good reason for the extent of validation, is the difference between a risk-based approach and cutting corners.


Read also: 


Resource Person: Kieran McKeever

Previous Post Next Post