1. No category

Risk Assessment - Validation Center

This SOP Template (template) is being provided by Praxis Management International, LLC (Praxis) for the
"fair use" by you, the User, as that term is defined under the U.S. Copyright Laws. All other use,
reproduction or re-transmission in any form or by any means, electronic or mechanical, including
photocopying and recording, or by any information storage or retrieval system, without prior written
permission from Praxis is prohibited. ©2013-2015 Praxis Management International, LLC. All rights
reserved.
Praxis makes no representations or warranties concerning the suitability or use of, or reliance on, the
Template. Any actual or implied representation or warranty that the Template does not infringe the
intellectual property rights of any third party is specifically hereby void. Any special, indirect or
consequential damages or any damages whatsoever resulting from the use or misuse of the Template,
the loss of use, data, or profits, whether in an action of contract, negligence, or other tortious action
arising out of or in connection with the Template shall be born exclusively by the User.
© Copyright 2013-2015, Praxis Management International, LLC
praxislifesciences.com
STANDARD OPERATING PROCEDURE
TITLE: System Risk Assessment
Dept:
Effective Date:
SOP No.: 1
Version
1.0
PAGE
2 OF 10
Contents
Purpose: .............................................................................................................. 3
SOP Scope: ......................................................................................................... 3
Definitions: .......................................................................................................... 3
Responsibilities .................................................................................................. 3
Risk Assessment Context .................................................................................. 3
Procedures .......................................................................................................... 4
Risk Assessment Timing ..................................................................................................... 4
Risk Assessment and Documentation ................................................................................. 4
ATTACHMENT A: System and Major Function Risk Assessment ................ 9
© Copyright 2013-2015, Praxis Management International, LLC
praxislifesciences.com
STANDARD OPERATING PROCEDURE
TITLE: System Risk Assessment
Dept:
Effective Date:
SOP No.: 1
Version
1.0
PAGE
3 OF 10
Purpose:
This SOP defines the procedures to assess and analyze system quality risk for
Information Technology systems used in regulated activities.
SOP Scope:
This SOP applies to all computer-based systems used in FDA-regulated activities.
Definitions:
Hazard: A potential source of harm
Criticality Level: a measure of the severity of a hazard
Complexity Level: a measure of the probability of a hazard
Risk: A measure of the severity (criticality) and probability (complexity) of a hazard
Risk Assessment: A comprehensive evaluation of risks and associated impacts
Major System Function: Sets of requirements that together define a capability or feature
of the system.
Responsibilities
The Quality Manager is responsible for
 Leading system risk assessments.
 Contributing expertise on compliance with regulations and regulatory guidelines.
The IT Director is responsible for
 Implementing the practices for system risk assessment as specified within this
SOP.
 Contributing technical expertise to each computerized system’s risk assessment.
The Business Managers are responsible for
 Contributing business area expertise to each computerized system’s risk
assessment.
Risk Assessment Context
System Risk Assessment is a component of the overall Risk Management process, as
described in SOP System Risk Management. The assignment of criticality levels and
complexity levels to systems and major system functions plays an important role in Risk
Control.
© Copyright 2013-2015, Praxis Management International, LLC
praxislifesciences.com
STANDARD OPERATING PROCEDURE
TITLE: System Risk Assessment
Dept:
Effective Date:
SOP No.: 1
Version
1.0
PAGE
4 OF 10
Procedures
Risk Assessment Timing
1. Each system’s risk assessment is performed as early as possible in the system’s life
cycle and is based on the system’s intended use.
1.1. Risk assessments are done during development of User Requirements
Specifications and Functional Requirements Specifications.
1.2. For purchased systems, the Risk Assessment must be completed prior to the
vendor audit because the vendor assessment method is based on the system’s
criticality level. See SOP Vendor Assessment for details.
1.3. For all systems, the Risk Assessment must be completed prior to the Validation
Plan.
2. Each system’s Risk Assessment is reviewed prior to any changes to the
computerized system. If the planned changes impact the existing Risk Assessment,
the assessment is updated and approved.
2.1. For custom modifications to either custom developed or purchased systems:
2.1.1. Review the Risk Assessment during the update of User Requirements
Specifications and Functional Requirements Specifications.
2.1.2. Complete the Risk Assessment prior to the Validation Plan.
2.2. For vendor supplied changes or patches to purchased systems:
2.2.1. Where the vendor supplied changes or patches can be selectively
applied, evaluate each one to determine which will be installed.
2.2.2. Review the system’s Risk Assessment for the changes and patches that
will be applied.
2.2.3. Complete the Risk Assessment prior to the Validation Plan.
Risk Assessment and Documentation
1. The QA Manager, IT Director and Business Manager(s) reference the computerized
system’s User Requirements Specification and Functional Requirements
Specification to identify major system functions.
1.1. Major system functions are typically grouped under a common heading in User
Requirements Specifications and System Requirements Specifications.
1.2. Major system functions are documented on the System Risk Assessment
template, Appendix A.
2. The IT Director identifies the system version number to which the Risk Assessment
applies.
3. The level of risk associated with each major system function is evaluated using the
tables, below, and criticality and complexity levels are assigned.
© Copyright 2013-2015, Praxis Management International, LLC
praxislifesciences.com
STANDARD OPERATING PROCEDURE
TITLE: System Risk Assessment
Dept:
SOP No.: 1
Effective Date:
Version
1.0
PAGE
5 OF 10
4. The resulting major system function criticality levels, complexity levels, and the
rationale for each level are documented on the System Risk Assessment template,
Appendix A.
4.1. For high criticality and medium criticality functions, the rationale identifies the
function’s involvement in a regulated process, its potential direct or indirect
impact on the product, or the GxP compliance that it provides.
4.2. For low criticality functions, the rationale states that the function has no
involvement in a regulated process, no potential for product impact, and
provides no GxP compliance.
5. After the criticality level for all major system functions have been identified, the
overall system criticality level is determined.
5.1. The overall criticality level for each system is the same as the highest criticality
level of the component major system functions.
5.1.1. For example, a system comprised of 3 low criticality functions, 4 medium
criticality functions, and 1 high criticality function would receive an overall
criticality level of “High” due to the rationale that the highest criticality level
of its component major system functions is “High”.
5.2. The resulting system criticality level and the rationale for the level are
documented on the System Risk Assessment template, Appendix A.
6. The completed System Risk Assessment is reviewed and approved by the QA
Manager, IT Director, and Business Manager(s).
System Risk Assessment Criticality Level Identification
Criticality
Level
High
Criticality
Definition
Direct control of:
- Manufacturing
- Labeling
- Distribution
- Product Testing
- Product Release
Direct impact on:
- Product Quality
- Product Efficacy
- Patient Safety
- Personnel Safety
Examples









© Copyright 2013-2015, Praxis Management International, LLC
Manufacturing controls
Automated product inspection
Label management & automation
Distribution tracking to enable
recalls
Laboratory test results
Adverse event tracking
Clinical trial results
Patient medical records
Product quality status management
praxislifesciences.com
STANDARD OPERATING PROCEDURE
TITLE: System Risk Assessment
Dept:
SOP No.: 1
Effective Date:
Version
1.0
PAGE
6 OF 10
System Risk Assessment Criticality Level Identification
Criticality
Level
Medium
Criticality
Low
Criticality
Definition
Indirect involvement in:
- Manufacturing
- Labeling
- Distribution
- Product Testing
- Product Release
Indirect impact on:
- Product Quality
- Product Efficacy
- Patient Safety
- Personnel Safety
Provides GxP compliance
for regulations not already
identified as “High
Criticality”
Any function not already
identified as “High
Criticality” or “Medium
Criticality
Examples










Calibration tracking
Validation tracking
Document management
Training tracking
Corrective/Preventive action
tracking
System access tracking
Electronic submissions to
regulatory agencies
Product work order management
Deviation tracking
Audit tracking
 Manufacturing cost reports
 Turnaround time reports
System Risk Assessment Complexity Level Identification
Complexity
Level
Definition
Examples
Custom developed
functions within either
purchased or custom
systems
 Custom accounting report
developed in COBOL
 Custom code developed to send email notification from an off-theshelf training management system
Medium
Complexity
Configured functions within
off-the-shelf purchased
systems
 Report configured with an off-theshelf query tool
 Calculation configured in a
laboratory system
 Calculation configured in an off-theshelf spreadsheet tool
 Product release algorithm
configured in an off-the-shelf
inventory control system
Low
Complexity
Standard, non-configured
functions within off-the-shelf
purchased systems
 Standard test result report within an
off-the-shelf laboratory system
 Standard data entry screen in a
medical records system
High
Complexity
© Copyright 2013-2015, Praxis Management International, LLC
praxislifesciences.com
STANDARD OPERATING PROCEDURE
TITLE: System Risk Assessment
Dept:
Effective Date:
© Copyright 2013-2015, Praxis Management International, LLC
SOP No.: 1
Version
1.0
PAGE
7 OF 10
praxislifesciences.com
STANDARD OPERATING PROCEDURE
TITLE: System Risk Assessment
Dept:
Effective Date:
SOP No.: 1
Version
1.0
PAGE
8 OF 10
References:
Eudralex Volume 4, Annex 15: Qualification and Validation, European Commission, July
2001
General Principles of Software Validation; Final Guidance for Industry and FDA Staff,
FDA, January 11, 2002
Glossary of Computerized System and Software Development Terminology, FDA, April
30, 2003
Good Practices for Computerised Systems in Regulated “GxP” Environments, PIC/S,
September, 2007
Guidance for Industry, FDA Reviewers and Compliance on Off-The-Shelf Software Use
in Medical Devices, FDA, September 9, 1999
Guidance for Industry: Computerized Systems Used in Clinical Investigations, FDA,
May, 2007
Guidance for Industry: Part 11, Electronic Records; Electronic Signatures – Scope and
Application, FDA, August 2003
Guidance for Industry: Q9 Quality Risk Management, FDA, June, 2006
21 CFR Part 820, Quality System Regulation, FDA, April 1, 2007
© Copyright 2013-2015, Praxis Management International, LLC
praxislifesciences.com
STANDARD OPERATING PROCEDURE
TITLE: System Risk Assessment
Dept:
Effective Date:
SOP No.: 1
Version
1.0
PAGE
9 OF 10
ATTACHMENT A: System and Major Function Risk Assessment
System Name
_______________________________________
System Version
_______________________________________
System Criticality Level
 High
 Medium
 Low
System Criticality Rationale ___________________________________________
Major System Function Criticality and Complexity Analysis
Major System
Function
Criticality
Level
Rationale for Criticality Level
© Copyright 2008-2015, Praxis Management International, LLC
Complexity
Level
Rationale for Complexity Level
praxislifesciences.com
STANDARD OPERATING PROCEDURE
TITLE: System Risk Assessment
Dept:
Effective Date:
SOP No.: 1
Version
1.0
PAGE
10 OF 10
Major System Function Criticality and Complexity Analysis
Major System
Function
Criticality
Level
Risk Assessment Approvals:
Rationale for Criticality Level
Complexity
Level
Rationale for Complexity Level
Signature and Date
Quality Manager
___________________________________
_________
Business Manager
___________________________________
_________
IT Director
___________________________________
_________
© Copyright 2013-2015, Praxis Management International, LLC
praxislifesciences.com

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2026 Paperzz