By C-realize IT…
Risk Management in CSV Software Validation
A singular event in mid-July 2024 underlined the importance of risk management in IT systems. An update to anti-virus software from cybersecurity specialists CrowdStrike, intended to close vulnerabilities in Microsoft Windows operating systems, reacted in unforeseen ways with the basic OS, causing those systems to crash, display the ‘blue screen of death’ and become unusable.
Since CrowdStrike is a market-leading solution for cyber-attack protection and since MS Windows powers the overwhelming majority of global IT systems, the effects were severe and worldwide, causing huge disruption to travel, healthcare, payment, and online services of all kinds. This lasted several days until systems could be rebuilt with the basic Windows operating system reinstalled and data restored from backups.
Dealing with known unknowns
The CrowdStrike disaster exposed risk management failures on multiple levels: from the authors of the update not having tested the new code sufficiently through to clients who did not have sufficient resilience in backup systems and data.
Yet coding errors and software ‘glitches’ are basic facts of life in IT systems. These are ‘known knowns’; the ‘known unknowns’ are how and when they will arise and manifest themselves, and how serious the effects on systems will be.
The risk management protocols within a Computer Systems Validation (CSV) project provide ways to quantify these unknown factors and mitigate them in advance.
Risk Management protocols
CSV Risk Management follows a tried and tested four-step IACR protocol: Identify, Analyze, Control, and Review.
- Identify: Risk management starts at the very beginning of the validation project with an initial system-level impact assessment covering the regulatory needs for the system to be validated and to what extent, both determined by intended use of the For complex systems, a component-level impact assessment can distinguish high-impact components within the system and GAMP-defined software categories: non-configured (Out of Box or Off the Shelf) and configured (i.e. custom-built) software. This initial assessment should also define which data most need to be protected. In the Risk Management Phase, the identification focus is on the different functional areas of the system and its different sources of input to identify potential risks such as product & process knowledge, user requirements, vendor assessment, GxP criticality and complexity of the system.
- Analyze: There are different methods and tools to analyze and quantify identified risks. The GAMP guidelines that are widely used in the life science industries rely heavily on the Failure Mode Effects Analysis (FMEA) method for this purpose. While this works well for complex systems that are tailored to fit a specific purpose, it becomes very time-consuming while adding little value for the large portion of systems that are commercial-off-the-shelf.
- Control: Once the risk factors for the different functional areas are quantified, the team can then find ways to control these risks. The most effective strategies here are adaptation of the system design, adapted ways of working, including training of personnel in new procedures, and putting in place controls which allow early detection of potential harm.
- Review: At the end of the project, the implemented controls should be reassessed for their efficacy. Risk management should also not be limited to the validation project but should be monitored throughout the system's lifecycle: when changes occur, when problems arise, during periodic review, etc.
CSV Risk Management benefits
Apart from the obvious benefits of mitigating the damage to operations, reputation and regulatory compliance if (or more likely when) trouble strikes, effective risk management procedures provide other returns to the organization.
Rather than being seen as a cost center or an unavoidable burden of full regulatory compliance, the Risk Management function within a validation project provides valuable tools that help to keep the project on track. It guides ways of working more efficiently, saving on time and resources while keeping the same level of quality and compliance when done correctly.
C-realize can offer pre-developed Risk Management procedures and tools to meet all CSV needs in the life sciences.