You now understand the principles and reasons to do risk based computer system validation. You even know some examples of how to apply the approach from ICH and the FDA. Last time, I showed you how to measure the risk of your systems and how to prioritize each feature based on risk using a simple but powerful risk assessment how-to. Now it’s time for the payoff.
Because it’s the right thing to do…
FDA and EMEA and other regulatory bodies want you to focus your resources on the items that present the greatest risk to the public health and safety. As a consumer, I want you to do the same. As a firm engaged in the business of healing and promoting health, you want to make sure you are paying attention to the right things.
Easy for you to say…
The approach is simple, really. The devil is in the details. The FDA will not give you the details. I am often asked why FDA does not just tell us when to do more and when we can do less. And while they are at it, tell us what more means and what less means. I strongly believe that we do not want FDA to do this. Our industry is quite diverse. We make drugs, we research drugs, we design and manufacture medical devices, we conduct clinical research on drugs and medical devices, we manage blood and tissue, we conduct laboratory studies; some of our systems fall within the scope of Part 11 and others do not. Even among those that fall within the scope of Part 11, some need more scrutiny than others. Add to this complexity and diversity a wide range of risks associated with specific products and services.
What to do…
For low risk systems – especially commercial off the shelf systems (COTS) – you can take advantage of vendor audits, experience of other users, and your own unit and integration testing. All of this can reduce the complexity and detail of your specification, design, and testing. Of course, as the risk and complexity of your system go up, your diligence must also intensify.
What does all of this buy me?
Firstly, a risk based approach does not buy you protection in the even of something bad happening. Let’s say you have a recall because of malfunction of a feature you determined to be low risk. Can you stay out of trouble by saying, “Hey, we did risk management?” The answer is that FDA will assume you did not understand your risk as well as you thought. In other words, your measurement of the risk turned out to be inaccurate. Risk based approach also does not mean that you can get away with fewer validation resources. That may be the result, but that is not why we do this. We identify and prioritize risks so that we can focus our finite resources on the most important things.
What it will buy you is this: you can rest assured that you are paying attention to the things you should. You will reduce the amount of non-value adding paperwork and will have a much better understanding of you product, process, or service and the computer systems that control them. Finally, you will feel proud knowing that you are doing all you can to protect patients.