QAQC Managers Group Indonesia| QRM Workshop 18-19 Dec 2020

COMPUTERIZED SYSTEM RISK ASSESMENT

Risk Assessment No. : 0000-XXX-ABC-MM-YY
System : HPLC
Software Name : System XYZ 3
Site :
Date :

Prepared by Sign Date

Validation Lead
QC Supervisor
Reviewed by Sign Date
QC Manager
Approved by Sign Date
QA Manager

Page 1 of 15

RESTRICTED
 QAQC Managers Group Indonesia| QRM Workshop 18-19 Dec 2020

1. System Description

1.1. General overview

Instruksi:
Deskripsikan system dalam cakupan risk assessment, kemampuan system, cakupan
penggunannya. Informasi ini penting untuk dapat menentukan cakupan dari risk assessment.
The System XYZ 3 system supports the pharmaceutical processing and evaluation of chromatographic
and calculation processes of analytical data in GxP-Controlled environment of laboratories as well as
archive of data. The system covers data and processes established in an analytical lab from raw material
analysis to drug product control.
The chromatographic data system (CDS) will be used for the following purposes:
• Development of analytical methods and test sequences
• Control of analytical instruments (HPLC)
• Processing and evaluation of chromatograms
• Reporting of analytical results and management of data
• Backup and restore of data
The intention of this document is to give guidance on how to perform a Risk Assessment (RA) including
gap analysis for the computerized system. Process workflow include data workflow, authorization and
configuration are in scope in this Risk Assessment.
Prerequisites are User Requirements Specification, System Specification (e.g. Functional & Configuration
Specification), Authorization and Role Specification.
<untuk dilanjutkan selama workshop >

1.2. System diagram

Instruksi:
Deskripsikan bagaimana system terhubung dengan system/peralatan lainnya, misal HPLC
terhubung dengan server penyimpanan data dan printer, atau mesin pencetak tablet terhubung
dengan printer, alat-alat in-process control, dll. Contoh:

<untuk dapat dicoba membuat system diagram selama workshop berdasar kondisi di tempat kerja peserta>

RESTRICTED
 QAQC Managers Group Indonesia| QRM Workshop 18-19 Dec 2020

1.3. Data
Instruksi:
Deskripsikan data apa yang dihasilkan dari system tersebut, data statis dan data dinamis.
Jelaskan bagamana data diolah, disimpan dan dicetak (jika dilakukan).

Chromatography data is needed in the framework of analytical determinations for method development,
release and stability testing of pharmaceuticals.

Regulatory requirements lead to the implementation of test procedures in testing standards. Analytical
determinations are to be conducted according to specifications and procedures defined in those testing
standards.

Sequences created manually in the CDS. Data describing the samples (weights, standard concentrations,
dilution factors etc.) entered manually in the CDS.

Sequences are transferred to data acquisition clients which control the chromatographic systems and
receive the chromatographic data. The acquired data is synchronized with the servers. In case the
connection to the servers is lost the data acquisition clients serve as buffer which synchronizes with the
servers after the connection is recovered.

After data acquisition, the chromatographic data can be evaluated in the CDS. The results can be viewed
online or in the form of reports which represent an extract of the data base.

Data are stored in the data base of the CDS.

<untuk didiskusikan selama workshop, data apa saja yang dihasilkan oleh system HPLC dalam contoh>

1.4. Access Control

Business Role Description

Guest This role has limited, view only access to the system.

This role has the privileges to run sequences, process data, and perform the
Analyst
sign off on results

Approvers of data This role has the privileges for view audit trails and lock channels.

This role has privileges for managing the System XYZ master data including
Key users
managing e.g. projects, methods.

This role has privileges for managing the System XYZ master data incl.
Master Data manager
custom fields and reports

Administrator This role has all privileges. Full administrative privileges, used in cases,
where Admin_restr is not sufficient, only.

<untuk didiskusikan selama workshop, akses control yang ditetapkan oleh masing-masing industri
bedasarkan akses level yang tersedia, misal level analyst ada level 1,2,3 dll >

2. Description of Process
Instruksi:

RESTRICTED
 QAQC Managers Group Indonesia| QRM Workshop 18-19 Dec 2020

Deskripsikan bagaimana perusahaan menggunakan system tersebut dari awal sampai akhir (misal
mulai dari masuk ke system sampai keluar dari system, mulai setting sampai data/proses selesai)

System XYZ 3 business description

System XYZ 3 business description

<untuk didiskusikan selama workshop, flow business processes di area kerja masing-masing >

3. Infrastructure

3.1. Hardware
- P Server
- Q Server
- LACE
- PC Client
- Network Printer

3.2. Software
- System XYZ 3.
This system was categorized as category GAMP 4.

<untuk didiskusikan selama workshop, infrastructure di area kerja masing-masing >

4. Methodology
6.1. Principles

RESTRICTED
 QAQC Managers Group Indonesia| QRM Workshop 18-19 Dec 2020

Present in this section, the methodology used for the risk assessment. The following
paragraphs provide an example of such a methodology:
 Identify and describe the process of system operation and critical steps of the process.
 Identify one or more risk scenarios for each step. The risk scenarios are based upon
potential failure modes of a process, sources of variability, disruption or other
possibilities of non-conformance to the regulation(s). Distinguish clearly between the
scenarios generated by user or caused by the system itself. Risk scenarios should answer
the question, “What could go wrong?”. Identify potential areas of risks that are common
across multiple processes.
 Determine for each risk, the reference to the corresponding section in the GMP
regulations that could be impacted.
 Identify GMP related consequences. Identify potential consequences resulting from the
risk scenario, in the context of Good Manufacturing or Good Distribution Practices. This
wording should be clear enough to assess the risk criticality.
 State the GMP Risk classification for each risk identified
 Determine the control strategy to reduce the risk
 Determine the mitigated consequences, likelihood and final mitigated risk level.

6.2. Methodology
This section describes the GMP Risk Classification (Critical, Major and Minor) and the
associate definitions of each classification. All participants in the risk analysis must have a
common understanding of the GMP Risk Classification.
Risk assessment: contoh

Risk Level Consequences

Critical (C) 1. Has possibility on data manipulation, undetected error. .
2. There is a violation of GMP regulation, with severe impact on patients
safety, (e.g., death, hospitalisation, long term effects)
Major (M) 1. Has no possibility on data lose or manipulation data but has impact to
operation.
2. There is a direct and undetectable violation of GMP regulations,
without non serious impact on patient safety.
Minor (m) 1. There is no effect on data and process of operation.
2. Indirect or detectable violation of GMP regulations, with little/no
impact to patient health.

Likelihood Likelihood
Level
High One or more failures might occur in a year. Control measures are not available or are inadequate.

Medium The probability of failure is between Low and High: A failure might occur every 1-5 years, control
measures may be breached.

Low The probability of failure is unlikely or improbable: A failure might occur every 10 years, control
measures are failsafe.

RESTRICTED
 QAQC Managers Group Indonesia| QRM Workshop 18-19 Dec 2020

Risk Category (Severity x Likelihood)

Likelihood Severity
H M L
H H H M
M H M L
L H L L

Risk Mitigation Approach:

Control Description
Strategy
Technical System designed/redesigned to build in error controls.
Control
Procedure Procedures supporting the use of the control system.
Control

Validation Adding additional validation controls (i.e. qualification activity to confirm system
Control performance). This will be applied for high and medium risk to reduce the consequence
or likelihood of possible failures occurring.

<untuk didiskusikan selama workshop, bagaimana scoring di area peserta >

RESTRICTED
 QAQC Managers Group Indonesia| QRM Workshop 18-19 Dec 2020

5. Risk Analysis

No Process step Potential Failure Existing Control Potential Cause C L RL Control Strategy MC ML MRL

Log into the system, All users could access all the Functional No different access H L M 1. Configure access rights L L L
1 selection of a data and resources, misuse Specification rights within the system 2. Conduct performance test
chromatographic system and incorrect / unauthorized System XYZ/
by user access possible Manual book
System XYZ 3
2 Commissioning, creating All user can perform same Functional No individual user H M H 3. Configure access rights L L L
and saving of an activity Specification types and rights 4. Conduct performance test
instrument method System XYZ/ defined:
Non authorized person
Manual book
conducts high risk activity. 1) All users could
System XYZ 3
perform all actions
2) No separation
administrator / user
3 Calibration of Control or data acquisition not NA System failure H M H 5. Conduct performance test L L L
components of the or only partially possible for Non trained employee
chromatographic system Waters HPLC components conducts the activity

4 Start batch run (one or Acquisition of a series of User Manual System failure H M H 6. Conduct performance test M L L
more sample lists) injections not possible or only book System XYZ Non trained employee 7. Conduct training to
possible with errors. 3 conducts the activity employee – different
training to different
access level.
5 Automatic quantification 1. Users can't create or modify User Manual System failure H M H 8. Configure access right L L L
custom fields book System XYZ Non trained employee 9. Conduct performance test
3 conducts the activity 10. Conduct training to
2. Custom field calculations
No individual user employee – different
are not possible or possible
types and rights training to different
with restrictions only
defined access level.
3. Custom field calculations
incorrect

RESTRICTED
 QAQC Managers Group Indonesia| QRM Workshop 18-19 Dec 2020

No Process step Potential Failure Existing Control Potential Cause C L RL Control Strategy MC ML MRL
6 Automatic quantification Wrong calculation NA System failure -wrong H M H 1. Create SOP include L L L
formula enter. training to relevant user
Non trained employee group
conduct the activity
No LSOP to guide the
process
7 Business Role Incorrect roles and NA H M H 2. Create user matrix L L L
Requirements authorizations assigned for 3. Configure the system
(segregation of duties) system users. 4. Conduct configuration
test
8 Electronic signature must Data Integrity impacted in NA H M H 5. Configure the system L L L
be saved in the audit trail general for regulatory 6. Conduct configuration
with associated details compliance. test
9 Report generation (eg Graphics cannot be labeled NA H L H 7. Conduct performance test L L L
quantitative and with result data. Correctness
qualitative results, of peak mapping and
chromatograms, integration not comprehensible
evaluation parameters)

<untuk didiskusikan selama workshop>

C:Consequences L: Likelihood, RL: Risk Level, MS: Mitigated Severity, ML: Mitigated Likelihood

RESTRICTED