Validation of Spectrometry Software: Risk Analysis Methodologies for Commercial Spectrometer Software - - Spectroscopy
FindAnalytichem Custom Search
About Search
 Home   Mass Spectrometry   ICP-MS   Infrared   FT-IR   UV-Vis   Raman   NMR   X-Ray   Fluorescence  
Make This Page Your Home Page!

Validation of Spectrometry Software: Risk Analysis Methodologies for Commercial Spectrometer Software
Jul 1, 2006
By: R.D. McDowall
Spectroscopy
 Volume 21, Issue 7
1234
Next »

In the last "Focus on Quality" column (1), I noted that the risk analysis methodology used in the GAMP Good Practices Guide for Validation of Laboratory Computerized Systems (GPG) (2), which was based upon failure mode effect analysis (FMEA), was too complicated. The rationale was that we purchase mostly commercial software in regulated laboratories that already has been tested by the respective vendor. Therefore, why do we need to potentially repeat work that has already been performed?

Before we begin this discussion, it is worth mentioning that I have written a paper on risk assessment at the system level, and determination of how much validation is required has been published recently by Advanstar Communications (3). This publication looked at the nature of the software used in the system and the impact of the records produced by the system to determine how much validation was required. The outcome if validation was required was one of two options: Full validation based upon a system implementation life cycle when the detailed steps to be undertaken are defined in a validation plan for the system. Lower-risk systems could be validated using a single integrated validation document that defined the intended use, security and access control, compliance issues, and preservation of the records produced by the system.

In this column, I want to go into more detail and compare the FMEA used by the GPG with a simpler and, in my view, quicker risk analysis methodology called functional risk assessment (FRA).

Document Your User Requirements

Before beginning the discussion, what should be our starting point for the risk analysis and risk assessment?To be effective, any risk analysis is based upon available information (4). Therefore, the best source of this is the user requirements specification (URS). When you are conducting a risk assessment at the requirements or functional level, the URS should be relatively complete. This means that you have a good understanding of what the system will be doing, and this is reflected in the quality of the user requirements. If you don't have this, there is little point in going further, as you will be wasting your time regardless of which risk methodology you select.

Modified FMEA


Figure 1: GAMP risk assessment process flow (based upon Appendices 1 and 2 of reference 2).
The risk assessment methodology approach flow chart used in the GPG is shown in Figure 1. It is a two-phase approach that determines first the system risk, then at the functional level the hazards, the probability of occurrence, and their severity to identify and prioritize the risks that could occur when using the system.

The process works as follows and is divided between assessing the overall system impact and testing priority of the hazards of the individual functions that comprise it:

1. Classify the system. This uses the seven different categories between A and G as we discussed in the previous column (1) and assesses the technical complexity of a system.

2. Next, the business impact of the system is determined. This is a plot of the compliance risk (assessed as low, medium, or high) versus business risk based on the importance of the system to the business (also low, medium, and high). This determines the business impact as a single figure between 1 and 5 (a range from very low to very high), shown in Figure 2.


Figure 2: Determination of business impact of a system (adapted from reference 2).




1234
Next »

Rate This Article
Your original vote has been tallied and is included in the ratings results.
View our top pages
 Average rating for this page is: 2.47
Comments
arya / bethesda, MD, UNITED STATES
 Posted Aug 01 2006 04:04PM
hi bob, great articles as usual. i've always been taught (and i thought the FDA expects) that even if you have requirements based off of out of the box functionality, you must still ensure they work. to reduce work by taking faith in the vendor suitably testing their software, i agree with the premise of testing the critical requirements only. therefore i'd say your model is suitable if the company has the stance stating they are accepting the vendor's testing of their software, and just verifying the critical functionality. but i've always wanted a simpler version of the GAMP risk assessment for custom functionality (i.e. custom LIMS functionality, custom calcs, etc) because that's where i think risk analysis is more critical. if you develop custom features, you'll have an FRS...wouldn't it be beneficial to do a GAMP-style risk assessment during the FRS in order to develop possible breaking scenarios for the custom features? that way you'd list possible coding caveats, and could test appropriately to break code.
Read More Comments
Post a Comment
Please complete the form below to post your comment.
Bold = Required
Email Address Your email address will NOT be published.
Display Name appears with your comment
City
State
Country
Remember me: YesNo
Comment read our privacy policy
Note: does not support HTML
All comments submitted are subject to review, and may be delayed before posting. We reserve the right not to post comments.
Headlines from LCGC North America and Chromatography Online
Compilation of clinical applications
analytica China 2010
ChromaTOF 4.32
Developing Malaysian biotechnology
Green Chromatography (Part 2): The Role of GC and SFC
Source: Spectroscopy, 7/1/2006
Click here