In June 2006, FDA (CDER and CBER) adopted the ICH document, "Quality Risk Management". Taken in context with the other FDA guidance, we can gain much insight into how to do Risk Based Computer System Validation in a way that achieves higher quality and satisfies our regulatory obligations.
For those of you looking for a specific, "cookbook", approach from regulators, you will continue to be disappointed. ICH Q9 gives us an overview of the principles of Quality Risk Management and provides broad examples of how to apply Quality Risk Management.
The principles are the same as what I have been preaching. For example, risks must be linked to patient safety. For those in the manufacturing world, that is sometimes hard to grasp. Q9 gives some insight here if you read it carefully enough. Of pharmaceutical quality, it says, "product quality should be maintained...such that the attributes that are important to the quality of the drug product remain consistent with those used in the clinical studies." What this means is simply that you should think about risk in terms of product quality. To do that, you need to find out how your computer system impacts the attributes that are important to quality of the product (as discovered during the clinical studies).
This will seem over simplified to some of you and may require a leap of faith for others. It is highly important, though, that you understand the fundamental questions we are trying to answer with the risk based approach: what could go wrong? how probable is it that it will go wrong? how bad would it be if it did go wrong? Answering these questions allows us to prioritize risks, mitigate risks, and assign resources to the highest risks.
By now, many of you are probably thinking, "Enough with the background and philosophy. Let's have some specifics." I promise that I will get somewhat more specific next week when we will take a look at Annex II of Q9. Annex II provides examples of how to apply Quality Risk Management in several circumstances. The week after that, I will cover how to measure risk and what to do about it and the last week in July, I will write about incorporating risk management into your organization's approach to validation.