How To Determine The Risk Level Of A Regulated IT System

In the previous post in this series, I discussed the process you can use to determine whether a particular IT system is regulated. That post described the first part of a four-part approach to assessing and mitigating risk with regulated IT systems. Today’s post will cover the second part – what to do once you know you’re dealing with a regulated system.

Part Two: System Risk Level

Once you’ve determined that a system is regulated, the next step is to determine that system’s risk level (SRL). You will need to divide systems into types, write a standard definition for each type, and assign each type a risk level (e.g., low, medium, high). The definitions should include a rationale for why you believe that system type involves more or less risk.

A system’s SRL is assessed only once, and it determines the degree of rigor needed to ensure that the system is implemented in a validated (i.e., proven to be trustworthy) state. The SRL stays assigned to the system for its entire lifetime and is factored into the risk calculation each time a change is proposed to that system.

Up next? Part three: how to assess the risk of a proposed change to a regulated system. While you’re waiting for that post, check out The Ultimate Guide to 21 CFR Part 11.

