March 3, 2020 Blog Post
Computer System Validation Part 4: Software Risk Categories Demystified
Last week we broke down the risk Categories 1 & 3 in GAMP-5. If you missed last week’s blog, click here to read it now. This week we will consider risk Categories 4 & 5 in more detail.
As a brief recap, GAMP-5 risk Categories 1 & 3 are those software products and applications that pose the LEAST risk as compared to risk Categories 4 and 5. Remember, Category 2 was discontinued under GAMP-5 and is no longer applicable. The reason risk is important from a practical standpoint is that the risk a software product or application imposes is directly related to the level and complexity of software validation required.
Defining the system landscape and appropriate category may not be a simple task, but it is important to understand your software system and its intended purpose to ensure that you are not doing more or less than is necessary to adequately address the risk. This understanding will then lead to a validation effort that is commensurate with the complexity and risk of the system. Let’s turn our attention to understanding risk Categories 4 and 5. Then, we will wrap things up by taking another look at the V-Model in the context of what level of effort is required for each of these risk categories.
Category 4: Configured software
As we learned last week with Category 3, the name of the category can be a bit misleading. Risk Category 3 is labeled as “Non-Configured Products” while risk Category 4 is labeled as “Configured Software,” but neither label helps us distinguish between the two. A more useful and less confusing label for Category 3 software could be “Pre-Configured Products” as these products clearly don’t come as empty shells with no configuration. If they did, they would automatically be listed as risk Category 5 because they would need to be customized to be usable. Similarly, risk Category 4 products would leave us less confused if they were distinguished as “Customer-Configured Software.” Even then, I find that risk Category 3 and 4 software products are the toughest to tease out as they have many similarities. First, both are often referred to as Commercial-Off-The-Shelf (COTS) or Off-The-Shelf (OTS) products. Second, both are often marketed by the vendor as configurable products.
So, what does help us determine the difference? If we focus on the complexity of the functionality available to users and the risks of implementing the functionality, we get a better picture of how to make good judgments around the two. If, for instance, the functionality of the software is configured in a way that returns different outputs depending on the configuration, the level of risk is higher than simple configurations that allow process steps to match business practices without the ability to change the output. For example, in QMS software, a lower risk configuration is the choice to route documents for approvals in parallel or in serial order. Both options provide the same outcome … an approved or rejected document. However, some companies prefer to route documents for approvals in a certain order and others prefer for everyone to have the ability to review at the same time.
An example of a higher risk configuration is functionality within the software to have bi-directional data exchange directly with another software product. Even though it is a “configurable” option within the software, implementing it would require the system to be categorized at a higher risk level. Now, for a little lighter reading, let’s look at risk Category 5 …
Category 5: Custom software
This category is straightforward. It is the highest risk category because this software is unique to the business that creates it. Due to the custom nature of the software, it usually has not been developed and tested to the same rigors as commercially available products. Sometimes, however, companies take commercial software that otherwise would be considered lower risk and make so many customizations to it that it ends up being Category 5 software as well. It’s easy to understand that custom-built software from the ground up requires every tier of validation in the V-Model; however, another situation exists that many people miss. What happens when a company decides to create a custom macro to interact with a commercial software product in order to drive a unique business process? Not only is the company responsible for documenting and testing the design, configuration, functional, and user requirements, they are also responsible for performing integration testing with the commercial application they are customizing. Additionally, the custom code needs to have its source code managed and backed up to prevent overwriting or loss. From a business perspective, all of this takes resources (monetary and human) and an enormous amount of time. If Life Sciences companies required the same level of risk/benefit analysis that they do with other parts of the business before allowing true customization, most would decide against it.
By the time a software product can be customized and validated properly, new versions of the commercial product are being implemented, which require more validation. This becomes cyclical and the business never truly gets something that simply works and makes sense for them to use. Pretty soon, companies find that their IT and CSV departments are massive while the business is continuously limping along with out-of-date software to run the business. No one actually wins in these situations except maybe the massive IT and CSV departments that have budgets that are out of control. Custom software used to be necessary in Life Sciences because the commercial products were typically not developed or suited to the unique regulatory environment within which we work. But, like everything else, times have changed and today we enjoy a large number of commercial products that not only have been developed specifically for this industry but also specifically for the niches within the industry. I’d like to wrap things up today with a graphic that shows the efforts needed for each of the risk categories listed in GAMP-5. If you are reading this and happen to be responsible for decisions related to whether or not to customize software products for relatively minor conveniences just because you can, please take a long look at the real cost to your business before deciding that it is a good idea.
Thoughts? Please comment below …
Melita Ball CEO and Principal Consultant
Copyright © 2019 MBC & Affiliates, Inc., All rights reserved.