Risk Analysis Approach for Computerized Systems in Pharmaceutical Industries
Risk management is part of the quality process in many industries: aeronautics, finance, automotive, health. In the pharmaceutical industry, the main objective of risk management is to reduce the risks to patient safety, product quality and data integrity, in accordance with applicable regulations.
Risk analysis is part of the risk management process of quality projects under GxP regulations; it usually follows GAMP 5 recommendations.
What is a risk analysis?
Risk analysis is the estimation of the risk associated with the identified hazards. It is the qualitative or quantitative process of linking the likelihood of occurrence and severity of harms. In some risk management tools, the ability to detect the harm (detectability) also factors in the estimation of risk. (Q9 ICH Guideline)
In the pharmaceutical industry, risk analyses focus on the detection and mitigation of risks impacting patient safety, product quality, data integrity and compliance with applicable regulations. The risk analysis makes it possible to define ways to reduce the identified risks, by establishing the necessary testing effort and/or processes and by setting up controls that limit the residual risks to an acceptable level.
The assessment of the risks is generally done following GAMP 5 recommendations, using a qualitative process with different risk priorities (high, medium or low) rather than a quantitative one (score calculation).
How to build the risk analysis of a computerized system?
The risk analysis is built from the specifications of the system, its technical aspects and the applicable regulations. Risks associated with specific processes are then included in the analysis. Risk analysis must be done at an early stage, before testing begins on a new system or an existing system under change, and should be documented.
It is recommended to involve different members of the project team (business, IT, quality, ...) in the elaboration of the risk analysis to ensure maximal coverage of the risks. Each entity will be able to identify more specifically the risks linked to its own processes, for example regarding the system used, the infrastructure or the regulations.
The GAMP 5 recommendation is based on the AMDEC methodology and is generally used as a reference to build a risk analysis. This approach links the severity of the risk (S), the probability of occurrence of the harm (P) and the detectability of the harm (D) in order to calculate the priority of the risk:
R = S x P x D
Severity of the risk (S): What are the impacts on patient safety, quality of the product or data integrity? From a regulatory perspective?
Probability of occurrence of the harm (P): What is the probability that the harm occurs?
Detectability of the harm (D): What is the probability of detecting the harm?