When I first started working with pharmaceutical companies almost 15 years ago, whenever an idea to implement a computer system came up, there would be a sharp intake of breath and someone would mention the dreaded ‘V’-word - validation. Feared, maligned and little understood except (seemingly) by sandal-wearing men with grey beards. It was if we were talking about some arcane mystic ritual.

In this paper, I explain the modern approach to validation of computer systems and how, with a bit of preparation and forethought, it's not the monster that many people think it is.

• Assessing your current level of CSV maturity – where you are
• Providing reasonable targets for the future – where you want to go
• Making it clear what gaps need to be filled – how to get there

In Don’t Mention the V-Word, I pointed out that in the past, a judgement call would often be made about whether a system was ‘GxP’ or ‘non-GxP’. It was a binary response. The judgement was often made on the basis of a simple tick-box box – either it is ‘GxP’ or it isn’t. In the paper, I introduced an alternative – a risk based approach. This is the approach that is strongly recommended by the FDA and many other regulatory authorities.

In this paper – GxP Risk Management – I show how a risk based approach can be used in practice, and how risk can be identified, assessed, controlled, monitored and reviewed across the system lifecycle. I also discuss why you'd want to take such an approach - what are the benefits?

US federal regulation 21 CFR Part 11 is often mis-understood and mis-applied, however a little understanding of what it is meant for goes a long way to removing confusion.

This important regulation provides the basis for being able to use computer systems to manage records required by GxP regulations. It is an extremely important regulation because it supports innovation and the use of technology as long as certain conditions are met. From an industry perspective, it provides the open door to exploit computer systems in ways to optimise their own processes. However, in order to gain the benefits, we need to ensure that a number of things are in place which will affect our SOPs, validation process, how we maintain systems etc.

In this paper – Introduction to 21 CFR Part 11 – I describe the parts of the regulation, when it applies, the impact and how to work with it in practice.

After writing GxP Risk Management, it occurred to that there was still more to say regarding exactly how and when to carry out risk assessments related to GxP IT systems and specifically, to discuss how the outcomes of the assessment should be collected and what affect they typically have on project deliverables such as the Validation Plan, User Requirements Specification (URS) etc.

This paper takes a very practical approach and focuses on the risk assessment part of the risk management lifecycle to point out in a very concrete way the artifacts, or the outcomes of the whole effort and how they can be used to gain the benefits promised by a risk-based approach. In addition, the paper discusses how to keep your assessment efforts up-to-date so that they form a valuable repository of evolving project and post-project thinking about risks.

This paper will appear early in 2012.