‘Have you heard of CSV?’ part 3. The risk-based approach in CSV.

Risk assessments are used frequently in the life sciences industry throughout the manufacturing of pharmaceutical products. In Ref.1 and Ref.2, posted previously, we came across the ‘risk-based approach’ concept in the Computerized System Validation (CSV) process. The aim of this post (the third of the CSV series) is to help the reader better understand this concept, appreciate its importance with regard to CSV, and see how it is applied in CSV. We will first define the relevant terminology, and then examine the following key questions:

  • When do we perform risk assessments in CSV?
  • What is the risk-based approach?
  • How do we control and review risks in CSV?

Let’s first start with some important definitions

The ICH Q9 guideline (Ref.3) and the FDA’s interpretation of the ICH Q9 guideline (Ref.4) define important ‘risk management’-related terms in the context of the pharmaceutical product. The GAMP5 guideline (Ref.5) defines the same terms in the context of computerized systems. The table below summarizes these terms and their definitions and offers some examples.

Term: Term explanation

Harm: A harm is something that could potentially have a negative effect on:

  1. patient safety: E.g. Incorrect amounts of active pharmaceutical ingredient present in the finished product due to failure of the CS.
  2. product quality: E.g. Inefficient tracking and delayed alert of a product recall due to failure of the CS.
  3. data integrity: E.g. Incorrect clinical or laboratory results generated due to failure of the CS. E.g. Confidential data leaked to the public due to security defects of the CS.

Risk: According to Ref.3, risk is the combination of:

  1. the probability or likelihood that a harm occurs and
  2. the severity of that harm (i.e. the impact of the harm on patient safety, data integrity, or product quality).

Risk Assessment: Activity that analyses/evaluates the risk that a harm may pose. E.g. The output of a risk assessment can be the validation effort required to test or validate a CS.

Quality risk management: Governance that provides guidance and oversees how risk assessments are handled within the organization.

Table 1: Important terms in Risk Management. Note: CS=Computerized System


When do we perform risk assessments?

According to the European Medicines Agency on computerized systems (Ref.6), risk management should be applied in all phases of the CSV lifecycle (Fig.1 in Ref.2). A risk assessment is one of the steps used in risk management. It may be used to help decide whether to start a CSV project (Concept phase), to assess a supplier/vendor, to determine the effort of the validation of a computerized system, or to provide valuable information on how much testing is required during the verification steps (Project phase). Risk assessments also contribute to our decision-making on changes or events during the Operation phase of the system, and help assess the approach during the Retirement phase of a computerized system. The GAMP5 guideline describes in detail the various instances where risk-based decisions can take place (Ref.5).

What is the ‘risk-based approach’ in CSV?

The risk-based approach in CSV is a focused, science-based decision-making strategy that takes into consideration appropriate ways to identify, manage and control risks associated with a computerized system. There are two strategies often used when applying the risk-based approach in CSV. These strategies can work in parallel and can also support each other:

  • The first strategy is used to determine the validation effort or thoroughness required to validate a computerized system.
  • The second strategy is used to evaluate the risk priority assigned to a risk encountered throughout the CSV lifecycle.


Validation effort

As you may recall from the previous CSV post (Fig.2 in Ref.2), the risk assessment during the Planning step of the Project phase in the CSV lifecycle helps to decide how we proceed with the validation of a computerized system. Applying the risk-based approach, several factors should be considered, such as:

  • the system’s GxP assessment (Ref.5)
  • the system’s classification according to the GAMP5 categories (Ref.5)
  • supplier’s/vendor’s capabilities (Ref.5)
  • the system’s impact on patient, product, data and on business processes (Ref.5)
  • industry regulations (Ref.5)
  • electronic records & signatures applicability (Ref.5 & Ref.7)
  • IT infrastructure readiness (Ref.8)
  • degree of testing required (Ref.9)

Some of these factors may also be applicable when deciding on the effort required to verify the system’s functionality in other steps or phases of the CSV lifecycle. The same factors may also be addressed when a change is managed during the system’s operation, as well as before and during its retirement.


Fig. 1: A typical CSV risk-based strategy to evaluate validation effort.

Although the validation effort is derived in a qualitative way, subject matter expertise is crucial. When we want to decide how much effort or thoroughness is required for the validation of a computerized system, a ‘high validation effort’ rating generally means that the computerized system belongs to a high GAMP5 category, has a significant effect on the business processes and requires detailed verification. Therefore, more thorough testing, documentation and traceability would be required for this type of computerized system. A ‘low validation effort’ rating would generally mean a system belonging to a lower GAMP5 category and having a lesser effect on the business processes; in this case an approach with less validation effort would be required. Fig. 1 summarizes the strategy used to determine the validation effort for a computerized system. Details on the GAMP5 categories are listed in Ref.1.

Risk Priority

The GAMP5 guideline offers a method used frequently by CSV practitioners to assess and evaluate a harm and its associated risk. The evaluation of each component is expressed as ‘Low, Medium, High’, except for risk class, which is expressed with a numerical rating, i.e. ‘1,2,3’.


Fig.2. General representation of Risk Priority calculation.

The estimation of Risk Class and Risk Priority to assess risk is general, qualitative and sometimes even subjective, although it also depends largely on subject matter knowledge and expertise. This subjectivity may sometimes cause difficulties in reaching a common agreement when assessing the risk of the harm in question. The task of the CSV practitioner is to assess and evaluate the harm in question as accurately and objectively as possible within the given context, thereby providing a risk priority that is as realistic as possible. Depending on the risk priority assigned to a given risk, the CSV practitioner decides on the most appropriate ways to manage and control this risk. Table 1 lists some examples of harms and Fig. 2 summarizes the steps to estimate the risk class and risk priority for a given risk.

Other tools used by CSV practitioners to perform risk assessments are: process mapping, risk ranking, flowcharts, statistical tools, FMEA (Failure Mode Effects Analysis), FTA (Fault Tree Analysis), HAZOP (Hazard Operability Analysis), HACCP (Hazard Analysis and Critical Control Points), PHA (Preliminary Hazard Analysis) and RCA (Root Cause Analysis) assisted by the Ishikawa (fish bone) diagram.


How do we control and review the risk in CSV?

So far we have examined what is needed to assess risks in order to validate a computerized system and also how to assess risks in order to rate them. Since risks can be encountered throughout the CSV life cycle, it is good CSV practice to perform scheduled reviews of the computerized systems and apply good documentation and traceability practices. Once a risk has been identified, the CSV practitioner will attempt to eliminate it by design or mitigate it by:

  • lowering the severity of the risk
  • decreasing the probability of the risk occurring
  • increasing the detectability of the risk
  • developing standard procedures to mitigate risks

As we saw in Fig.3 of Ref.2, periodic reviews are a good way to preserve the validated status of a computerized system and hence control risks. With efficient and well-documented change management procedures, the CSV team verifies that the identified risks are being managed and controlled to an acceptable level.



Applying a risk-based approach to CSV aims to reduce or eliminate potential problems arising during the validation and operation of a computerized system. A recent publication highlighted the value of assessing risk to ensure the data integrity guidelines outlined in Ref.6 for CSV projects and regulated systems in operation (Ref.10). Others meanwhile have underscored the value of applying a risk-based approach to audit trails and audit trail reviews for regulated systems involved in CSV (Ref.11).

The subjectivity involved in the risk-based approach to CSV is notable, however. The process of rating risks and the strategies used to validate a computerized system are a balanced mix of science, experience and pragmatism, as well as an understanding of the context in which the system operates.

Keep reading the CSV blog series with Part 4: Suppliers of Computerized Systems in CSV

References (links)

  1. Have you heard of CSV? Do you want to learn more about it? 09 March 2015. /2015/03/09/have-you-heard-of-csv-do-you-want-to-learn-more-about-it/
  2. Have you heard of CSV? Part2. Do you want to learn even more about it? 24 Apr 2015. /2015/04/24/have-you-heard-of-csv-part-2-do-you-want-to-learn-even-more-about-it-2/
  3. International Conference on Harmonization (ICH) Q9 – Quality Risk Management. 09 Nov 2005. http://www.ich.org/fileadmin/Public_Web_Site/ICH_Products/Guidelines/Quality/Q9/Step4/Q9_Guideline.pdf
  4. Guidance for Industry. FDA Interpretation of Q9 Quality Risk Management. June 2006. http://www.fda.gov/downloads/Drugs/…/Guidances/ucm073511.pdf
  5. GAMP5: A Risk-based approach to Compliant GxP Computerized Systems. ISPE, Fifth Edition, February 2008, www.ispe.org
  6. European Commission Volume 4. Good Manufacturing Practice Medicinal Products for Human and Veterinary Use. Annex 11: Computerized Systems. 2011. http://ec.europa.eu/health/files/eudralex/vol-4/annex11_01-2011_en.pdf
  7. GAMP Good Practice Guide: A risk-based approach to compliant electronic records and signatures. ISPE 2005.
  8. GAMP Good Practice Guide: IT infrastructure Control and compliance. ISPE 2005.
  9. GAMP Good Practice Guide: Testing of GxP Systems. ISPE 2005.
  10. Lopez O., “A computer data integrity compliance model”. Pharmaceutical Engineering, Vol.35, No.2, p.79-87, March/April 2015. http://www.pharmaceuticalengineering.org/
  11. Perez R, Reid C., Wyn S., “A risk-based approach to audit trails”. Pharmaceutical Engineering, Vol.35, No.2, p.88-91, March/April 2015. http://www.pharmaceuticalengineering.org/

Ilias Christodoulopoulos

LinkedIn link: http://ch.linkedin.com/in/iliaschristodoulopoulos
Publisher Name
Atos Consulting CH