Risk management of existing systems is just as important as for new systems. The question is not: how old is the system? But rather: what is it being used for? You may also ask yourself what happens if something goes wrong and what is the likelihood that something does go wrong.
The main difference for new systems is that typically no information on the development process is available. Instead, there is lots of knowledge from past experience. This experience can be used to judge the criticality of the system.
Typical problems specific for Legacy systems are:
- Software not validated during development. This can cause problems if the system is being used for new applications.
- No support from vendor. This can result in reduced uptime because of hardware or software problems.
- No documentation of installation can result in FDA observations or warning letters.
- No documentation of testing. This can result in FDA observations or warning letters.
- No documentation of hardware or software updates. This can result in FDA observations or warning letters.
- Functions as required by new regulations are not implemented. This can result in FDA observations or warning letters.
High-Level Evaluation and Assessment:
For high-level risk assessment of Legacy systems you can follow the steps as outlined in high level risk assessment section of the article “How to create Risk Management Master Plan For FDA Regulated Companies“
Systems are categorized as high, medium or low risk. The result of this exercise is used to decide if and to what extent Part 11 requirements will be implemented or if it is necessary to develop and implement a detailed risk management plan for a specific process or system. Proposals for such assessments are be made by operations and approved by the risk management team.
The resulting risk level information is used for considerations like:
- Can the Legacy system still be used or is it better to upgrade or purchase a new one?
- How extensively do we test the Legacy system? For example, high risk systems will be tested under normal AND high load conditions.
- How much back-up do we need? For example, for high risk systems we should have validated back-ups for all components. For medium risk systems a back-up of the most critical components is enough and for low risk systems there is no need.
- How often do we have to back-up data generated by the system?
- What requirements of Part 11 should be implemented in the computer system? For example, for high risk systems computer generated audit trails should be implemented while for low risk systems a paper based manual audit trail is enough.
Factors contributing to high risk Legacy systems are:
- Used in regulated applications
- Used in production environments
- Used in production quality control environment
- Product quality problems may permanently impact people’s health.
- Probability of detecting and correcting errors is low or zero.
- Must run 24 hours a day, 7 days a week.
- Highly complex
- Highly customized
- No support from vendor, e.g., no documented evidence on validation during development, or no phone or on-site support in case of problems.
Factors contributing to low risk systems are:
- Not used in regulated applications
- Used in early product development stage
- Product quality problems may not have any impact on people’s health.
- Probability of detecting and correcting errors is high
- Used occasionally
- Widely used commercial systems
- No customization
- Downtime not critical
- Support from vendor, e.g., documented evidence on validation during development, local language phone support and/or on-site support in case of problems.
you can use below form to collect inputs and the rational behind the decision
Detailed Risk management:
Detailed risk management should cover all lifecycle phases. For commercial systems risk factors should be identified for:
- Describing the use and functions of the system
- Documentation of installation
- Testing
- On-going use
- Changes
- Retirement
Sample checklist to identify risks and activities to control it given below.
Risk mitigation and on-going control : should follow the recommendations made in Risk Mitigation and On-going monitoring section of the article “How to create Risk Management Master Plan For FDA Regulated Companies“
Below Forms should be used to document mitigation and observations during on-going use.
Related Articles :
How to Do Risk Assessment of IT Networks for FDA compliance
How to do Risk Management of Computer Systems Used for FDA Compliance