February 25, 2020 Blog Post
Computer System Validation Part 3:
Software Risk Categories Demystified
Last week we talked about the benefits of using the GAMP-5 risk-based approach to
software validation. This week we will explore the risk categories in more detail.
The first thing that many people notice is that the category numbers skip the number 2. The reason for this is that the previous version (GAMP-4) had a “category 2” that focused on firmware. That category was discontinued under GAMP-5 as firmware is now categorized in categories 3, 4, or 5 based on the functionality of the firmware rather than the firmware designation alone.
The second question that usually pops up quickly in this discussion is how risk is applied to the categories or which category poses the least risk and which poses the greatest risk. In this classification, Category 1 software poses the least risk while Category 5 poses the most risk. The amount of work one must do to validate is dependent upon the category assigned. Category 1 software requires less work and deliverables to prove validation than Category 5 applications.
Now that the obvious questions are out of the way, let’s dive into the risk categories. We will cover categories 1 and 3 (remember, category 2 was discontinued) in this blog and examine categories 4 and 5 next week.
Category 1: Infrastructure Software: This category includes commercially available software like general operating systems, office applications, and databases. It also includes infrastructure software tools used to support the general environment for both regulated and nonregulated applications.
Some examples of the “commercially available” software sub-category include spreadsheet, word processing, and presentation applications. It should be noted, however, that these applications do not solely exist in this category. Any new application developed by using these office packages are excluded from the category and need to be evaluated for categories 3, 4, or 5 depending on their complexity and use. This is why you hear CSV experts say, “you don’t validate Excel but you do validate anything you program into it using macros and other automation.”
Other infrastructure software tools include network monitoring software, IT help desk software, IT configuration management software tools, and even anti-virus software. As with the commercially available software, these tools may need to be re-categorized into a higher level of risk based on how it is used or what data are held in it.
A common example is IT help desk software. IT help desk software can only be a category 1 if no regulated data are held here. If, however, you are using IT help desk software for change management of regulated applications or to manage product complaints, the category needs to be changed to a higher-level risk category.
Category 3: Non-configured products: The name of category 3 is somewhat misleading and often misunderstood so I’ll dive a little deeper into what really goes in here. Non-configured products are those applications and systems that are capable of operating and automating a business process without any modification to their pre-configured state when purchased. However, this category also applies to applications that can be configured or modified to meet business process requirements but you can only do so within the built-in limits of the application. So, “non-configured” is really not what is meant under this definition as all products in this category come configured out of the box. What really distinguishes category 3 from category 4 software is the fact that business process configuration is limited to the scope of pre-determined limits within the application. These pre-determined application limits are more stable because they are fixed thus, the lower risk category. In category 4 applications, the base functionality of the software can be modified to match a business process and this ability introduces a greater level of risk.
Even as little as eight years ago, there weren’t many software products that could be used out of the box in our regulated industry. These software products were simply not designed or developed with the regulated environment in mind. Things like audit trails and Part 11 compliant electronic signatures were usually not part of the package as sold and we had to turn to bolt on applications that raised the risk considerably. Today, this industry enjoys many options of pre-configured, extremely affordable, off the shelf solutions in this category.
I am still confuddled as to why so many Life Sciences companies still spend millions of dollars every year on custom software that takes many months or years to implement and an army of people to sustain when we have so many other elegant and affordable solutions at our fingertips.
Join me next week as we continue our journey with categories 4 and 5. Thoughts? Please comment below … Cheers!
Melita Ball CEO and Principal Consultant
Copyright © 2019R MBC & Affiliates, Inc|, All rights reserved.
Our mailing address is: 9910 N Camino Del Plata Tucson, AZ 85742 (520) 665-9081