Oct 8, 2019

Risk Analysis Approach for Computerized Systems in Pharmaceutical Industries

Risk management is part of the quality process in many industries: aeronautics, finance, automotive, health. In the pharmaceutical industry, the main objective of risk management is to reduce the risks to patient safety, product quality and data integrity, in accordance with applicable regulations.

Risk analysis is part of the risk management process of quality projects under GxP regulations; it usually follows GAMP 5 recommendations.


What is a risk analysis?

Risk analysis is the estimation of the risk associated with the identified hazards. It is the qualitative or quantitative process of linking the likelihood of occurrence and severity of harms. In some risk management tools, the ability to detect the harm (detectability) also factors in the estimation of risk. (Q9 ICH Guideline)

In pharmaceutical industries, risk analyses focus on the detection and mitigation of risks impacting patient safety, product quality, data integrity and compliance with applicable regulations. The risk analysis defines how the identified risks are reduced: by establishing the necessary testing effort and/or processes, and by setting up controls that keep the residual risks at an acceptable level.

The assessment of the risks is generally done following GAMP 5 recommendations and follows a qualitative process based on risk priorities (high, medium or low) rather than a quantitative one (score calculation).


How to build the risk analysis of a computerized system?

The risk analysis is built from the specifications of the system, its technical aspects and the applicable regulations. Risks associated with specific processes are then included in the analysis. The risk analysis must be done at an early stage, before testing begins on a new system or on an existing system under change, and it must be documented.

It is recommended to involve different members of the project team (business, IT, quality, ...) in the elaboration of the risk analysis to ensure maximal coverage of the risks. Each entity is able to identify more specifically the risks linked to its own processes, for example regarding the system used, the infrastructure or the regulations.

The GAMP 5 recommendation is based on the AMDEC (FMEA) methodology and is generally used as the reference for building a risk analysis. This approach links the severity of the risk (S), the probability of occurrence of the harm (P) and the detectability of the harm (D) in order to derive the priority of the risk:

R = S x P x D

Severity of the risk (S): What are the impacts on patient safety, quality of the product or data integrity? On a regulatory perspective?

Probability of occurrence of the harm (P): What is the probability that the harm occurs?

Detectability of the harm (D): What is the probability to detect the harm? 

(Figure M3.5: Risk Assessment Method - ISPE GAMP 5 A Risk-Based Approach to Compliant GxP Computerized Systems)

Each parameter is assessed on three values: High, Medium or Low. The team must agree on the meaning of the High/Medium/Low values of each parameter before the implementation of the risk analysis. For example, is there a direct impact on patient safety? If yes, the Severity is High. Is the detection of the harm difficult and possible only manually? If yes, the Detectability is Low.

This method yields three Risk Priorities: High, Medium, Low. The higher the priority, the greater the effort required to control it. Many controls exist to eliminate or reduce the identified risks: specific functional testing, redesign of the system, procedures, trainings, ...


How to maintain the Risk analysis?

The risk analysis must be updated throughout the lifecycle of the system, each time the system and its specifications evolve. If new risks are identified, they must be added to the risk analysis; if identified risks are affected by the change of a functionality, they must be reassessed.

Also, controls implemented following a risk assessment must be tracked and resolved as soon as possible.
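The qualitative S x P x D combination described above and the reassessment of affected risks when a functionality changes, carried through in code as an added example (not from the article or from GAMP 5 itself). The two-step matrices (Severity x Probability gives a risk class, risk class x Detectability gives the priority) are an assumed reading of the GAMP 5 method, and the register entries are constructed; a project team must agree its own High/Medium/Low meanings before using any such table.

```python
from dataclasses import dataclass, field

LEVELS = ("Low", "Medium", "High")
# Step 1 (assumed reading of GAMP 5): Severity x Probability -> risk class, 1 = most serious.
RISK_CLASS = {
    ("High", "High"): 1, ("High", "Medium"): 1, ("High", "Low"): 2,
    ("Medium", "High"): 1, ("Medium", "Medium"): 2, ("Medium", "Low"): 3,
    ("Low", "High"): 2, ("Low", "Medium"): 3, ("Low", "Low"): 3,
}
# Step 2: risk class x Detectability -> priority; a hard-to-detect harm (Low D) raises it.
PRIORITY = {
    (1, "Low"): "High", (1, "Medium"): "High", (1, "High"): "Medium",
    (2, "Low"): "High", (2, "Medium"): "Medium", (2, "High"): "Low",
    (3, "Low"): "Medium", (3, "Medium"): "Low", (3, "High"): "Low",
}

def risk_priority(severity: str, probability: str, detectability: str) -> str:
    """Combine S, P and D qualitatively into a High/Medium/Low risk priority."""
    for value in (severity, probability, detectability):
        if value not in LEVELS:
            raise ValueError(f"unknown level {value!r}, expected one of {LEVELS}")
    return PRIORITY[(RISK_CLASS[(severity, probability)], detectability)]

@dataclass
class Risk:
    function: str          # system functionality the hazard is attached to
    hazard: str
    severity: str
    probability: str
    detectability: str
    priority: str = field(init=False)

    def __post_init__(self) -> None:
        self.priority = risk_priority(self.severity, self.probability, self.detectability)

def reassess_on_change(register, changed_function, probability, detectability):
    """Lifecycle maintenance: re-evaluate every risk tied to a changed functionality."""
    affected = [r for r in register if r.function == changed_function]
    for r in affected:
        r.probability, r.detectability = probability, detectability
        r.priority = risk_priority(r.severity, r.probability, r.detectability)
    return affected

# Constructed sample register for a hypothetical electronic batch-record system.
REGISTER = [
    Risk("electronic signature", "signature applied under the wrong user account", "High", "Low", "Medium"),
    Risk("audit trail", "record modified without an audit-trail entry", "High", "Medium", "Low"),
    Risk("report layout", "misaligned column header on printed report", "Low", "Medium", "High"),
]
```

Running `reassess_on_change(REGISTER, "electronic signature", "High", "Low")` after a change that makes the signature harm both likelier and harder to detect moves that entry from Medium to High priority, which is exactly the reassessment the maintenance section calls for.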



Risk analysis has become essential in the quality approach to the validation of computerized systems in the pharmaceutical industry. It ensures that the risks the system poses to patient safety, product quality and data integrity are kept under control, in accordance with pharmaceutical regulations.
