June 1, 2020

We live in a world where speed is vital to success. Patients and consumers expect products to be of good quality and available when needed. Therefore, companies must oblige in the expected product delivery demands or risk losing out on the market share.

This begs the question: how can companies assure they make a quality product that’s readily available to meet market demands while continually improving operations? Many companies utilize numerous project methodologies including Lean Six Sigma, Agile, and Total Quality Management to streamline their processes and operations.

A computer system validation demonstrates regulatory compliance, the fulfillment of user requirements, and the ability to discern invalid and/or altered records. A full validation can be tedious if not planned well and using proven methodologies. Inevitably, this elongates the timeline to promote an IT solution into production.

When thoughtfully and methodically planned, validation can be performed efficiently. Validation teams in just about every industry are moving to risk-based testing (RBT) approach when planning their validation activities.

What is software risk?

To enable process efficiencies, software and computer solutions must perform consistently and effectively. Furthermore, regulated life sciences companies have to execute computer system validation requirements in alignment with 21 CFR Part 11. It is mandatory to verify that the software and computer solution consistently achieves the intended purpose while producing accurate and reliable results.

Browsing will generate many examples and definitions of software risk. In general, software risk is the combination of the impact of something happening (a feature failure), and the probability that it could happen.

For example, a process step in a workflow automates a request for signature approval. Unfortunately, the user can’t remember their password and gets locked out after multiple attempts. As risk mitigation, you might add a helpful link that prompts the user to reset the password, hopefully before they lock themselves out completely. Software risk determines what happens each time a user is locked out and what is the probability of it happening with people who have system access? Risk-based testing helps answer questions like these.

What is Risk-Based Testing (RBT)?

RBT is a test approach that can influence and prioritize the testing of features and functions in software. When used correctly, it combines the principles of risk management and project management to build a robust testing plan to determine software risk. The selection of what to test is based on the risk of failure, the function of importance, and the likelihood or impact of failure.

In addition, conducting risk-based testing can also identify the proper test design and prioritize the execution of test scenarios. This includes the most critical risks which will have a serious, negative impact on the business. Moreover, RBT includes risks identified by customers that unearth the product or feature issue early in the lifecycle and are mitigated by implementing design changes.

Additional factors to take into consideration include:

  • The level of testing performed on the base or preconfigured solution
  • The results of the risk ranking performed on the user and functional requirements
  • The risk ranking of a supplier, in accordance with the company’s risk evaluation, audit performance, etc.

Benefits of Risk-Based Testing

Risk-based testing offers multiple benefits from an efficiency and resource perspective. Obviously, it enables compliance with 21 CFR Part 11 validation requirements to base your approach on a “justified and documented risk assessment and a determination of the potential of the system to affect product quality and safety, and record integrity.”1 For instance, validation would not be important for a word processor used only to generate SOPs.

In addition to the obvious software quality assurance positives, another hidden benefit of RBT is the positive effect it can have on preparing and helping teams and organizations to implement change management.

RBT requires all team members to be aligned on terminology, method of risk ranking, and all components that apply to them. By facilitating this alignment, stakeholders and team members have an instant framework to have more constructive and clear discussions. This alignment itself remediates an inherent risk within teams—the common risks of miscommunication and misunderstandings. Risk-based testing creates a form of positive engagement that can launch a team into productive risk management planning and ultimately, healthy product design and reduced software risk.

Another benefit of RBT is when product owners, software developers, and testing teams become more aligned in defining the risk as clearly as possible. This intuitively engages multiple perspectives and a diverse way of thinking while working toward a common goal of successfully demonstrating a requirement is validated and working as intended. Risk-based testing helps a team prioritize critical or high-risk requirements or scenarios that pose the highest likelihood of failure. Risk-based testing offers the framework and structure to discuss and prioritize risks based on quantitative measurements as opposed to personal objectives.

Finally, since RBT is performed throughout the software development lifecycle (SDLC), risks can be identified during the requirements and design phases. When identified pre-market, testing provides opportunities to remediate risks before an issue occurs. Proactive RBT assessments can help a team determine how they can make the most of the potentially limited time and resources they have at their ready. Simply stated, RBT as an element of system validation provides the entire project team the clarity and focus to build a robust and thoughtful test plan.

Available Tools

Failure Mode and Effects Analysis (FMEA) templates can be very helpful only when a team has defined, sound requirements. A requirement traceability matrix is not only required but a very valuable tool to guide the ongoing discussions. Likewise, having the ability to assess the potential failures and risk rank the requirements, serve as the baseline that drives a good test strategy and plan.

We live in a world where speed is vital to success. Patients and consumers expect products to be of good quality and available when needed. Therefore, companies must oblige in the expected product delivery demands or risk losing out on the market share.

This begs the question: how can companies assure they make a quality product that’s readily available to meet market demands while continually improving operations? Many companies utilize numerous project methodologies including Lean Six Sigma, Agile, and Total Quality Management to streamline their processes and operations.

A computer system validation demonstrates regulatory compliance, the fulfillment of user requirements, and the ability to discern invalid and/or altered records. A full validation can be tedious if not planned well and using proven methodologies. Inevitably, this elongates the timeline to promote an IT solution into production.

When thoughtfully and methodically planned, validation can be performed efficiently. Validation teams in just about every industry are moving to risk-based testing (RBT) approach when planning their validation activities.

Conclusion

Testing is more than looking for problems and fixing them. Risk-Based Testing (RBT) helps identify the highest risks and to ensure critical functionality is operational. Risk-based testing helps teams consider risk throughout all phases of the testing (and re-testing) process. RBT helps stakeholders facilitate a structured alignment that enables the allocation of appropriate time and resources for testing, as well as significantly minimizing risk across a software system.

AssurX Validation Management Services utilizes a full suite of automated tools to build and maintain a requirements traceability and test matrix (RTM). The RTM can help any company adopt the manual process to automated tools for extended efficiencies that benefit the organization throughout the lifetime of the validated computer system.

To learn more about driving testing efficiencies with the initial validation or with ongoing releases and upgrades, contact AssurX­ to learn more about quality and compliance automation solutions and validation software solutions to automate your company’s requirement and test matrix.

References and Resources

  1. FDA Guidance Document: Part 11, Electronic Records; Electronic Signatures – Scope and Application:
    https://www.fda.gov/regulatory-information/search-fda-guidance-documents/part-11-electronic-records-electronic-signatures-scope-and-application#iiic
  2. FMEA Quick Guide (isixsima.com): https://www.isixsigma.com/tools-templates/fmea/fmea-quick-guide/