There are several components to risk assessment for GxP:
See GAMP 5, ISO 14971 (Med Devices), ICH Q9, Quality Risk Management
1-High level assessment of regulatory applicability; i.e., is the system GxP, HIPAA, SOX, etc., and what is the level of criticality for the system as a whole.
2-Requirements level risk: There are a number of methodologies which might be used here (see GAMP 5) - FMEA, Hazard Analysis, Fault Trees, Impact Analysis. Depending on the type of system (e.g. SW application vs. Medical Device vs. Mfg Eqpt) and development phase (design, validation, production) one or another of these methods may be preferable. FMEA seems generally to be the most popular, at least in my experience (although not necessarily the best in all circumstances).