ISPE GAMP®5, 2nd Edition in practice: System categorisation & Risk management of computerised system validation

In the pharmaceutical industry, the validation of computerised systems is essential to meeting the high quality, safety and compliance requirements. Faulty systems can have serious consequences, ranging from product defects to regulatory violations. Companies are therefore faced with the challenge of validating their systems not only in compliance with regulations, but also efficiently and on a risk basis.

The ISPE GAMP®5, 2nd Edition provides companies with a practical framework for the risk-based validation and categorisation of computerised systems. The aim of the guideline is to ensure that IT systems meet the high requirements for product quality, patient safety, data integrity and compliance.

This article examines two central elements of computerised validation: system categorisation in accordance with ISPE GAMP®5, 2nd Edition and the implementation of risk management.

Why are system categorisation and risk management the basis of any efficient validation strategy?

The validation of computerised systems is mandatory – regardless of whether it is a simple Excel spreadsheet or a complex production control system. The requirements vary depending on the type, complexity and GxP relevance.

System categorisation and risk management as an integrative validation concept

System categorisation is used to classify systems according to their complexity and degree of individualisation. In this context, there are two approaches to categorising validation objects (systems, applications):

  • Overall evaluation of the system: The system is validated based on the highest category among its components; the most critical individual component thus determines the overall rating.
  • Individual evaluation of the system components: Each component of the system is validated and categorised separately. This allows targeted and customised validation measures to be defined for individual components.

Risk management identifies, evaluates and manages risks that could potentially impact product quality, patient safety, data integrity and compliance.

The close link between system categorisation and risk management results in a risk-based validation concept that meets the requirements of the EU GMP Guideline, Annex 11, and ICH Q9, “Quality Risk Management”.

System categorisation according to ISPE GAMP®5, 2nd Edition – The foundation for successful validation

ISPE GAMP®5, 2nd Edition: Practical guide for system categorisation

System categorisation is an important first step in the validation of computerised systems. The validation effort can be better estimated and categorised early on in the planning phase. The categorisation supports the targeted division of the systems into different categories depending on type (standard, configurable, customer-specific) and complexity. It therefore forms the basis for customised and scalable validation models, such as the V-model.

The system categorisation according to ISPE GAMP®5, 2nd Edition serves as a practice-oriented guideline and should not be understood as a rigid specification. The systems used are divided into four software categories (1, 3-5):

[Figure: Software categories according to ISPE GAMP®5, 2nd Edition]

Software categories - classify systems optimally

It is also recommended that the systems be subdivided into further user-specific groups. This allows system types with similar potential risks and requirements to be assessed and validated in a standardised manner:

  • Process plants
  • Laboratory systems
  • Spreadsheet programs (e.g. Excel)

Other criteria that could be relevant:

  • Single workstation solution, network operation
  • Server/client structures
  • Cloud-based systems

Significance of categorisation - increasing efficiency through precise allocation and risk evaluation

The categorisation (category 1, 3-5) serves as an initial orientation for estimating the validation effort. In practice, however, mixed forms often occur, for example a combination of categories 3 and 4. A precise mapping of the requirements to the respective categories is therefore of crucial significance.

The categorisation according to ISPE GAMP®5, 2nd Edition forms the basis for the implementation of risk management measures to ensure practical, efficient and scalable validation planning. Additional criteria such as GxP relevance and the associated impact on patient safety, product quality and data integrity must also be evaluated.

Quality risk management: The key to secure and compliant system validation

Risk management: Process for risk identification and management

Quality risk management is a systematic process that aims to assess, control, communicate and monitor risks over the entire life cycle of a system. Risk management comprises various phases, including risk assessment (consisting of risk identification, risk analysis and risk evaluation), risk control (including risk acceptance and risk reduction), risk communication and risk monitoring.

Risk evaluation: The first step towards risk reduction

In accordance with ISPE GAMP®5, 2nd Edition, the risk analysis is already carried out as part of the requirements specification: a process risk analysis must be carried out to identify risks with regard to patient safety, product quality, data integrity and compliance. The aim is to assess the risk potential of a requirement and determine whether additional measures are required to minimise the risk.

[Figure: Quality risk management over the life cycle]

  • Risk identification: At the beginning, potential risks are identified in relation to functions, interfaces, implemented requirements, user interactions and technical components in order to proactively protect both users and the overall process from application and implementation errors in requirements.
  • Risk analysis: Each identified risk is assessed on the basis of its probability of occurrence and potential impact. In the further course of the process, the risks are prioritised and thus form the basic building block for a targeted classification.
  • Risk evaluation: The result of the risk analysis is usually summarised in the form of a risk priority number.
  • Risk classification: The risk classification ensures that the effort and measures are proportionate to the actual impact of a system on GxP-relevant aspects. For this purpose, the risk priority number is divided into levels (high, medium, low).
  • Documentation: All relevant steps, evaluations and measures must be documented in a fully traceable and GxP-compliant manner in accordance with Annex 11 and EU GMP Guidelines Part I, Chapter 4.

Sound risk management thus forms the basis for a targeted, economical and GxP-compliant validation strategy.

Risk management: Effective measures to minimise risk

Mitigating measures are defined on the basis of the identified and classified risks. These include test cases to ensure that the most risky and critical system functions are tested appropriately. It should be noted that a complete test of all system functions cannot be carried out in practice and individual verification cannot provide proof of the completeness of the software. Risk management serves to minimise, control or reduce identified risks to an acceptable level by means of suitable measures.

A risk is only considered to be managed when its level has been demonstrably reduced. In terms of ICH Q9, transferring a risk to other divisions or processes is not considered risk minimisation.

Risk management and control strategies (according to ISPE GAMP®5 Appendix M3)

Risk reduction – process and system design adjustments:

  • Automated data checks (e.g. plausibility and verification checks)
  • Electronic safety devices to avoid double checks
  • Training of end users: GxP risks and system use
  • Verification of alternative technical solutions for increased requirements

Risk reduction – Change strategy:

  • Training on risk identification and communication
  • Structured progress monitoring for better control of high-risk projects

Risk elimination:

  • Organisational or technical measures to eliminate risks
  • Requirements with excessive, irreducible risk should not be implemented

Risk acceptance:

  • Acceptance of a residual risk if further minimisation is disproportionate to the risk
  • Can be active (formal decision) or passive (passive decision)

Risk communication: Creating transparency – managing risks

Risk communication is a continuous exchange about risks and risk management between all parties involved. It takes place throughout the entire validation process and should be maintained permanently.

The traceability matrix is a proven tool for structured risk communication. It documents requirements, functional specifications and identified risks, which ensures that potential vulnerabilities and critical aspects remain transparent and comprehensible.

It is also advisable to refer to documented risks from comparable, already validated systems. In order to further reduce the risks, valuable findings from previous validation projects should be incorporated into the current validation. These include risks that have already been assessed and control and monitoring measures that have been implemented.

Risk monitoring: Keeping an eye on risks – security throughout the entire system life cycle

Risk monitoring refers to the continuous observation and evaluation of potential risks over the entire life cycle. The process is monitored from initiation to completion in order to identify existing risks at an early stage and evaluate the effectiveness of the measures taken. In addition, this enables the identification of new potential risks for the company in order to derive targeted countermeasures. Consistent monitoring of the system ensures that it always meets the high quality, safety and compliance requirements.

System categorisation and risk management – two key success factors of risk-based validation

The interaction of system categorisation and risk-based quality management is essential for successful validation. The categorisation according to ISPE GAMP®5, 2nd Edition enables an optimal assessment of the validation effort and forms the basis for a scalable validation approach.

Risk management ensures that potential risks to patient safety, product quality, data integrity and compliance are identified, assessed and effectively minimised at an early stage throughout the entire life cycle of a system.
A balanced acceptance of risk is crucial.

A residual risk is only accepted if further minimisation would require a disproportionately high effort.

Risk communication can be supported by using the traceability matrix. It promotes exchange, documents risks transparently and incorporates findings from previous validation projects. Risk monitoring identifies potential risks at an early stage and initiates targeted measures in good time. As a result, the system permanently meets the high quality, safety and compliance requirements.

Overall, the combination of system categorisation and risk management creates a valid, flexible and GxP-compliant validation practice that is tailored to the complexity and relevance of the respective system.