Risk assessment is the foundation of modern Computerized System Validation. GAMP 5 Second Edition makes this explicit: validation effort should be proportionate to the system's GxP impact and business risk - not determined by system complexity or the age of the software. This guide explains how to apply risk principles practically in your CSV programme.
Two Levels of Risk Assessment in CSV
GAMP 5 introduces two distinct risk assessment levels:
- System-level risk assessment - determines whether the system has GxP impact and what category it falls into. This drives the overall validation approach.
- Functional risk assessment - evaluates each function or feature within the system to determine which require testing and to what depth.
Both levels must be documented, reviewed by QA, and used to justify the scope and depth of the validation package.
System-Level Risk Assessment
Step 1: GxP Impact Assessment
The first question is always: is this system subject to GxP requirements? Ask:
- Does the system create, modify, maintain, archive, retrieve, or transmit GxP records?
- Does the system control or monitor a process that directly affects product quality or patient safety?
- Does the system support or produce data used in regulatory submissions?
If any answer is yes, the system requires validation. Document the rationale - both the conclusion and the reasoning.
Step 2: GAMP 5 Category Classification
Classify the system using the GAMP 5 Second Edition categories:
- Category 1 - Infrastructure software (OS, databases, network tools). Qualified, not formally validated.
- Category 3 - Configured products (LIMS, ERP, EDMS, MES with standard configuration). Standard validation package.
- Category 4 - Custom applications (bespoke software, heavily modified products). Full SDLC validation with design documentation.
Note on the old 5-category model: GAMP 5 First Edition had Categories 1–5. The Second Edition consolidates to 3 categories. If your SOPs still reference the old model, update them - inspectors are aware of the change and may question outdated references.
Functional Risk Assessment
For each function or module within the system, score the risk using three dimensions:
- Severity (S) - the potential impact on patient safety, product quality, or data integrity if this function fails (typically scored 1–3: low, medium, high)
- Probability (P) - the likelihood of failure occurring
- Detectability (D) - the likelihood that a failure would be detected before causing harm
The risk score (S × P × D or S × P / D depending on your model) determines the test priority: high-risk functions receive exhaustive testing; low-risk functions may be excluded from formal testing with documented justification.
Translating Risk to Testing
Risk-based testing means your test cases are directly linked to risk scores:
- High-risk functions → comprehensive OQ testing with positive and negative test cases
- Medium-risk functions → selective testing of critical workflows
- Low-risk functions → exclusion from testing with documented rationale (or referencing vendor testing evidence)
The traceability matrix links each risk score to test coverage. This is the document inspectors use to verify that your testing was proportionate and justified.
Documenting Risk Decisions
Risk assessment decisions must be traceable and signed. For each risk decision, document:
- The function or system component being assessed
- The risk scores and the rationale for each score
- The conclusion (validate / do not validate; test / do not test)
- Any assumptions made
- QA review and approval signature with date
Inspection risk: Risk assessments that are filled in retrospectively - after the validation decision has already been made - are a data integrity concern. Inspectors may check version history and metadata. Conduct and document risk assessments before validation planning decisions are made.
PHARPRO Risk Assessment Support
PHARPRO conducts GxP impact assessments, GAMP 5 category classification, and functional risk assessments for pharmaceutical computerised systems across all GAMP categories. Our risk documentation is audit-ready and aligned with current regulatory expectations from FDA, EU GMP, and PIC/S.