EU Annex 11 – Risk Management

As stated in the earlier post EU Annex 11 has been updated and becomes effective on the 30 June 2011. This is part of a series of reviews detailing what has changed and the impact on Computer Systems Validation.

Risk Management now underpins the whole process of Computer Systems Validation. This has been a driving force since the introduction of GAMP4 and even more so through GAMP5.
In the revised EU Annex 11 risk management is placed at the heart of the lifecycle of computerised systems

1. Risk Management

Risk management should be applied throughout the lifecycle of the computerised system taking into account patient safety, data integrity and product quality. As part of a risk management system, decisions on the extent of validation and data integrity controls should be based on a justified and documented risk assessment of the computerised system.

This aligns with Annex 15 Qualification and Validation which states

A risk assessment approach should be used to determine the scope and extent of validation.

The ISPE GAMP5 was issued in 2008 and providing a process incorporating a risk based approach. However it is still taking companies time to integrate a risk based approach in to their process. Although a risk based approach based on process understanding can save a lot of work in the implementation and operation of computerised systems it is a major change the current process.
The steps to incorporating a science and risk based approach to computer systems validation is to determine and document in validation procedures the points where risk assessments will be performed and which tools are the most appropriate.

Although risk management should be a continuous process the key stages in a project where risk assessments should be performed and the suggested risk tools.

• Identification of User Requirements - Preliminary Hazard Analysis
• Design Review (Functional Design Specification) – Failure Mode Effects Analysis (FMEA)
• System Handover – Update of FMEA
• Incident Management – Fault Tree Analysis / Fishbone (Ishikawa) Diagrams / Statistical Tools
• Change Control - Update of FMEA

The FMEA should be the underpinning quality risk management tool for computerised systems and this should be updated regularly based on process data (incidents, changes, etc) to ensure that the risks that were initially identified during the project phase and the perceived risk scores are supported by operating data and the controls that have been put in place to reduce risk are affective. As a minimum the FMEA should be checked and updated during the periodic review of the computerised system.

See Article Quality Risk Management for more information.
Your comments on implementing a Quality Risk Management approach within computerised systems validation and also Annex 11 are welcome.