Validation Procedure: Performing a Risk Assessment
In today’s blog, I will begin discussing the elements of a computer systems validation. It’s important to remember that a computer system is more than just the software – although often times that’s where the bulk of effort is required. Keep in mind that a computer system is composed of the hardware and the software, along with a process system that is made up of the people, the procedures and the equipment used to perform a business function. All of these components need to be taken into consideration as each can have a significant impact on the system’s quality.
The first element we will start with is your Validation Procedure. The FDA recommends that your validation SOPs include, but not necessarily be limited to, the following:
• performing a risk assessment
• writing a validation plan
• writing a validation report
• addressing change control
• writing a test case
• amending a test case
• handling validation deviations
• validating after a change
• performing system maintenance
The level of confidence and, therefore, the level of validation effort needed, vary depending upon the functions of the system and how your site specifically uses those functions. Therefore, your test plan and test cases should be developed based on a site-specific risk assessment. A Risk Assessment is a process that consists of a system assessment combined with a measurement method (i.e. high, medium, low) that is used to identify the processes in the system that create the most risk to patient care or to the business if the process fails. The thought of doing a risk assessment scares many people, but the risk assessment process does not need to be complex. A simple risk assessment spreadsheet will work very well. Simply list the system functions and critical control points and then assign a risk value to each. This way you can quickly identify the processes with the most risk.
Examples of high risk activities for patient care include issue of ABO incompatible blood or release of a grossly inaccurate glucose result. While there is no patient risk for inaccurate or missing billing, there is significant business risk which should also be evaluated.
Be sure to revisit your risk assessment each time your system is updated so that new processes can be added as appropriate and the comparative risk can be re-evaluating.
Next time, we’ll talk about the Validation Plan itself.
