This is post #4 in a short series about assessing and mitigating risk with regulated software. Over the past few weeks, I’ve discussed the rationale for taking a risk-based approach to this topic, as well as the first couple of steps to take: determining whether a system is regulated and, if so, determining its risk level.
Today, we’ll take a look at how to assess the risk of a proposed change to a regulated system, which is the third part of our four-part approach.
Part Three: Change Risk Level
When the time comes to consider making a change to a regulated system, such as upgrading the version or adding an integration with another system, the risk of the proposed change needs to be assessed. Create a standardized set of questions or criteria, along with standardized answer choices, that you can use to evaluate the complexity of the proposed change and its impact on the system (any system) and its users.
The result of the change risk assessment will determine the change risk level (CRL). These levels should also be standardized and clearly defined (e.g., very low, low, medium, high, very high).
Together, the system risk level (SRL) and the CRL are used to determine the minimum amount of rigor that the change would require in order to maintain the system’s validated state.
Check back soon for the post on part four of this four-part approach: mitigating the risk involved in implementing a system change.