Every software validation that is part of a Quality Risk Management program should start with a formal, documented risk assessment of the laboratory informatics (LIMS, ELN, SDMS, CDS, etc.) system being validated. Risk assessments consist of the identification of hazards and the analysis and evaluation of risks associated with exposure to those hazards. An assessment begins with a well-defined problem description or risk hazard, which allows for an appropriate risk management tool and the types of information that will address the risk question to be more readily identifiable. As an aid to clearly define the risk(s), three fundamental questions need to be asked for each potential risk:
- What might go wrong? (risk identification)
- What is the likelihood (complexity) it will go wrong?
- What are the consequences (criticality)?
Asking the question What might go wrong? means a risk assessment is performed to identify hazards that may occur within the system and the evaluation of risks associated with exposure to those hazards. Information that helps identify risks can be pulled from historical data, theoretical analysis, informed opinions, and concerns from potential stakeholders of the system. Here, it is also important to identify the consequences for each potential hazard. This step in the process may be evaluated by an internal team that should include a Subject Matter Expert (SME) or if an internal SME is not available, a Laboratory Informatics Consultant with knowledge of the system being validated and the laboratory processes. Once the risk is clearly defined, the types of information that will address the risk are more readily accessible.
By answering the question What is the likelihood it will go wrong?, you will be determining the complexity of the system being assessed. The likelihood of failure that an identified risk could occur might be classified as high, medium, or low. High or medium likelihood could indicate a sufficiently capable risk against which controls are ineffective (high) or only partly effective (medium). Low likelihood of failure could indicate a risk lacking in motivation or capability and against which controls are already in place to prevent or delay the risk from materializing. The following are examples of complexity levels.
- High: Custom Developed functions within either purchased or custom systems
- Medium: Configured functions within commercial off-the-shelf (COTS) purchased systems
- Low: Standard, non-configured functions within commercial off-the-shelf (COTS) purchased systems
The final question, What are the consequences? means you have to evaluate the type of laboratory informatics system being used in terms of your industry regulations and the character of the data being produced. Do the data have a direct impact on patient safety or product quality? The following are examples of criticality levels.
- High: Direct impact on patient safety, product quality, or the integrity of associated data
- Medium: Indirect impact on patient safety, product quality, or the integrity of associated data
- Low: No impact on patient safety, product quality, or the integrity of associated data
When finalizing an assessment, it is key to evaluate all the identified risk hazards against given risk criteria. Robust risk evaluations will take into consideration the strength of evidence for all three of the fundamental questions and then determine how to handle the risk control, and whether to reduce and/or accept certain risks. Risk reduction means you must focus on how to mitigate the severity and probability of the identified risk. However, it should be noted that introducing this control may introduce new risks into the system or elevate the significance of other identified risks.
Deciding to accept the probability of risk should be determined by the risk assessment team based on whether or not they feel appropriate controls are in place to reduce these risks to a manageable level. If a risk assessment is performed correctly, your organization will be well prepared should an identified risk or hazard occur. Additionally, by applying these principles, your validation effort will be reduced, saving time and money while mitigating risk. Critical to the success of your Risk Assessment is having access to internal SMEs or if they are unavailable, engaging 3rd party Subject Matter Experts.
Do you feel you have a strong understanding of the risks involved with your system? Have you identified hazards that can occur? Have you successfully performed a Risk Assessment on your Laboratory Informatics (LIMS, ELN, SDMS) system? If so, did it reduce your validation effort?