Risk-Oriented Approach

A risk-oriented or risk-based approach is an important tool for pharmaceutical quality management and, in particular, for validation activities. It is implemented in the form of risk analyses (risk assessments) carried out at the early stages of qualification / validation, and these risk analyses lay the foundation for all further validation activities.

Good Manufacturing Practice (GMP) rules, from the very moment of their emergence, are a set of general regulations, i.e. prescriptions in terms of policy and approaches to pharmaceutical production. At the same time, the focus of these regulations has always been on the patients and their safety. Thus, the foundations of a risk-based approach were already laid in GMP from the very beginning.

For the most part, GMP guidelines lack specific requirements in terms of the design of systems and equipment, as well as the parameters of manufacturing processes and quality control of medicinal products. In other words, mainly general requirements are declared, without any description of how these requirements are to be implemented. Thus, GMP sets a general framework within which a regulated company must make its own decisions regarding specific ways to implement GMP requirements. Clearly, such decisions are critical to patient safety, product quality, and the integrity of regulated records and data. Such decisions are sometimes also referred to as regulated decisions, or GxP decisions (x in GxP stands for the type of Good Practices in order to include, along with Manufacturing, other good practices closely related to the pharmaceutical industry, such as GDP, GLP, GCP, GAMP, etc.). When making such decisions, the regulated company should base its considerations on a risk assessment, i.e. apply a risk-based approach.

If we consider the evolution of GMP regulatory documentation, we can see that in new versions of documents, even those few, relatively specific requirements present are gradually being replaced by the requirement to make a decision based on risk assessment. In the course of international GMP requirements harmonization, the risk-based approach plays an increasingly important role, which is particularly illustrated by the adoption by the European Medicines Agency of the ICH Q9 Guideline on Quality Risk Management as a regulatory document.

ICH Q9 defines two primary principles of quality risk management:

  • The evaluation of the risk to quality should be based on scientific knowledge and ultimately link to the protection of the patient; and
  • The level of effort, formality and documentation of the quality risk management process should be commensurate with the level of risk.

In other words, the risk assessment should be based on full knowledge of the system / understanding of the process, and should be balanced so that the resources of the regulated company are spent optimally, with more resources spent where the level of risk is higher. Unnecessarily high use of resources in areas where it is not justified by the level of risk can deprive other areas of resources where they are critical to the assurance of patient safety, product quality and data integrity.

Another critical aspect of a risk-based approach is its integrity. The integrity of the risk-based approach suggests that risk mitigation / elimination measures should be applied:

  • firstly, to all elements of the system or process where these risks may occur, and,
  • secondly, to all stages of the life cycle of respective systems or processes.

The practice of conducting risk assessments and the history of incidents in the pharmaceutical industry show that risks can occur in all elements of a system or process that are in any way in contact with the product, or even indirectly related to it, as well as at all lifecycle stages of such systems and processes. Therefore, a risk-based approach should cover all elements and lifecycle stages of such systems and processes, which, in relation to a pharmaceutical manufacturing facility, also includes the stages of its design, construction, as well as installation and commissioning of equipment.

In addition, a holistic risk-based approach should provide full traceability, from regulatory requirements and product quality parameters, to manufacturing process requirements, manufacturing environment parameters and related design solutions.

A vivid example of a non-holistic, unbalanced risk-based approach would be if the pig Nif-Nif from the well-known fairy tale The Three Little Pigs, who built himself a straw house, decided to install an iron door to protect himself from the wolf.


Risk Analyses (Risk Assessments)

Risk analysis is conducted when the modification of an existing system or process, or the implementation of a new one, is planned. The focus of the risk analysis is the corresponding system or process, as well as the objectives and tasks associated with their modification or implementation. Based on the regulatory requirements of the pharmaceutical industry and GMP requirements regarding the clear documentation of all GMP-regulated processes, it can be asserted that risk analysis always involves a set of documented descriptions of systems and/or processes, i.e., specifications, or in other words, a documented project that is subject to risk analysis.

The outcome of the risk analysis is a list of identified and assessed (classified) risks, recommendations/measures for risk reduction or elimination, and references to validation activities during which the implementation of the measures proposed during the risk analysis is verified.

Depending on the objectives, the systems/processes under consideration, and the expected outcomes/documentation format, there is a wide variety of different types of risk analyses. Risk analyses can be classified according to several criteria, such as scope/detail, assessment (classification) method, and types of risks considered.

Depending on the scope and level of detail in the examination of systems and processes, risk analyses can be classified as basic (general) or detailed.

Depending on the method of assessing (classifying) the identified risk, risk analyses can be either qualitative, which involves only two possible answers to the question of whether a given risk is critical within the framework of the applicable regulatory requirements: yes or no (or three options if "n/a – not applicable" is also considered), or quantitative, which involves assessing the degree of criticality expressed as a numerical parameter.

Depending on the type of risks (hazards) considered, risk analyses can be categorized as GMP/GxP, EHS (Environment, Health, Safety – sometimes used in a different order, such as HSE or HES), commercial, etc. Additionally, during the risk analysis, several types of risks (hazards) can be considered simultaneously, such as GMP and EHS.

It is important to note that the terminology related to the risk-based approach, as used in the previously mentioned ICH Q9 Guideline on Quality Risk Management, differs from the traditionally established terminology associated with validation activities. In traditional validation, the term "risk analysis" is used as the corresponding stage of validation activities. In the terminology of Computerized System Validation (CSV), as well as in various risk management activities, the term "risk assessment" is used instead of "risk analysis."

In the ICH Q9 Guideline on Quality Risk Management, the equivalent meaning of the traditional "risk analysis" is covered by the combination of processes designated by the terms "risk assessment" and "risk control," while the term "risk analysis" is used in a different context: as one of the subprocesses constituting the overall process of risk assessment, along with risk identification and risk evaluation.

It should be noted that the aforementioned quality risk management framework is not a regulatory requirement, but rather a recommendation. Several ISPE guidelines offer their own risk management models, which slightly differ (e.g., the GAMP series of guidelines). Additionally, there are specialized ISO standards that regulate risk management processes (e.g., ISO 31000 Risk Management, ISO 14971 Application of Risk Management to Medical Devices, etc.), as well as many other risk management models used in various industries. A regulated company can independently choose the appropriate risk management model.

Since the subject of this section is validation activities, and to avoid confusion, we will use the traditional term "risk analysis" for validation activities here and throughout, which includes the following processes:

  • Risk identification
  • Risk assessment (classification)
  • Development of measures/recommendations
  • Assignment of validation activity stages at which the implementation of the proposed measures/recommendations will be verified.

ICH Q9 offers a number of risk management tools:

  • Failure Mode Effects Analysis (FMEA)
  • Failure Mode, Effects, and Criticality Analysis (FMECA)
  • Fault Tree Analysis (FTA)
  • Hazard Analysis and Critical Control Points (HACCP)
  • Hazard Operability Analysis (HAZOP)
  • Preliminary Hazard Analysis (PHA)

The FMEA and FMECA tools can be considered as methods of risk analysis within the framework of validation activities and will be accordingly discussed below. The other tools are not typical for the pharmaceutical industry, especially concerning the execution of validation activities.


Basic Risk Analysis

The Basic Risk Analysis (BRA) is the first stage of validation activities. It is an initial risk assessment during which the production facility or a specific production area, where changes are planned as part of a project, is considered as a whole, and individual systems and processes that may impact patient safety, product quality, and/or data integrity are identified. These systems are then subject to detailed risk analyses, as well as subsequent applicable stages of qualification and validation.

It can be said that during the basic risk analysis, the scope of GMP (GxP) requirements is determined in relation to individual systems and processes, or in other words, the "GxP coverage" of the project is defined.

It is important to understand that when assessing the impact of systems and processes within the framework of a basic risk analysis, the focus should be less on the characteristics of these systems and processes themselves (which will be examined later during detailed risk analyses) and more on the objectives and methods of their use at the pharmaceutical company. For example:

  • Are these systems/processes involved in any production processes, and if so, in which ones?
  • Do these systems handle or come into contact with open products, primary packaging materials, clean process utilities, etc.?
  • Can these systems and processes indirectly affect product safety, for example, by causing or allowing mix-ups (of raw materials, intermediates, products, etc.), compromising the integrity of records and data, increasing the risk of human error, etc.?

The same system/process can be critical from a GMP/GxP perspective or unrelated to these regulatory requirements (i.e., not requiring validation) depending on the objectives and methods of use of these systems/processes at the company.

For instance, a ventilation system, HVAC (consisting of air handling units, ductwork, supply/exhaust grilles, and anemostats, as well as an electronic control system):

  • It is GMP/GxP-critical if it serves production areas (especially cleanrooms).
  • It is not GMP/GxP-critical if it serves office rooms or administrative buildings of the company where no production areas are present.

Another example is a Compressed Air (CA) generation and distribution system:

  • It is GMP/GxP-critical if compressed air is used as a process utility, i.e., it comes into contact with the product (raw materials, intermediates), primary packaging materials, clean equipment, or other clean process utilities.
  • It is GMP/GxP-critical if compressed air is used only as a utility for pneumatic components in equipment automation systems, but the exhausted compressed air is discharged into cleanrooms (indirect impact).
  • It is not GMP/GxP-critical if compressed air is used only for pneumatic components in equipment automation systems, and the exhausted compressed air is discharged into technical zones/non-classified areas.

Similarly, cleaning processes (room cleaning) are GMP/GxP-critical if they are applied to production areas, and they are not critical if they are applied to administrative areas.

The ISPE Baseline Guide for Pharmaceutical Engineering, Volume 5 "Commissioning and Qualification" provides the following classification of systems/processes based on their impact on the product:

  • Systems with direct impact on product quality
  • Systems with indirect impact on product quality
  • Systems with no impact on product quality

Systems/processes with direct and indirect impacts are considered GMP/GxP-critical and must undergo qualification/validation.

Typically, the following systems/processes are considered GMP/GxP-critical:

  • Production area layout, including:
    • The mutual arrangement of rooms
    • Personnel and material flows
    • The concept of hygienic zones
    • Airlocks between different hygiene zones
  • Clean (classified) rooms and adjacent CNC (controlled not classified) areas
  • HVAC (heating, ventilation and air-conditioning) systems serving cleanrooms and CNC zones
  • Systems for generating and distributing clean compressed air (CA) and process gases (e.g., nitrogen)
  • Systems for generating, storing, and distributing pharmaceutical water, including:
    • Purified Water (PW)
    • Water for Injections (WFI)
    • Pure Steam (PS)
  • Equipment for raw material processing and product manufacturing
  • Equipment for product filling
  • Equipment for primary/secondary packaging, labeling, serialization, and aggregation
  • Processes that make up the technological chain of pharmaceutical production
  • Equipment cleaning processes
  • Analytical methods used for quality control and stability testing of pharmaceutical products

Typically, the following systems/processes are not considered GMP/GxP-critical:

  • Systems for generating and distributing process utilities:
    • Plant steam
    • Cold/hot (potable or technical) water
    • Recirculated chilled water
    • Recirculated hot water (facility heating, process heating, etc.)
    • Refrigerants (cooling systems)
    • Other recirculated heat transfer fluids (glycol)
  • Sewage systems
  • Power supply
  • Fire suppression and fire alarm systems
  • Video surveillance systems

Sometimes, the decision on whether a system is GMP/GxP-critical is not so straightforward and may give rise to discussion. For example, a technical (plant) steam generation system supplies technical steam to a Water for Injection (WFI) generation system and an autoclave (e.g., one that operates on the principle of spraying with superheated water). It is clear that both of these systems are GMP/GxP-critical, but they also require the presence of technical steam to function. A breakdown of the technical steam generation system would mean halting the technological process. Typically, such a risk is considered economic rather than GMP/GxP-related. However, if it concerns the production of a unique drug, where a production halt could lead to its unavailability on the market and, consequently, pose a threat to the health of patients who rely on this drug, considering this risk as GMP/GxP-critical may be justified. In such a case, a full qualification/validation of the technical steam generation system may not be necessary, but certain technical and organizational measures might be required. Examples of such measures could include:

  • Using a reliable boiler with an integrated monitoring system
  • Reduced intervals for periodic maintenance
  • Storing an additional stock of spare parts needed for system repairs

The main outcome of the basic risk analysis is a list of systems/processes identified as GMP/GxP-critical and requiring qualification/validation. Thus, the basic risk analysis lays the foundation for all subsequent validation activities. In certain cases, it is also possible that due to changes made to the project at later stages of validation, including the changes to address deviations discovered during the design qualification (DQ), a reassessment of the GMP/GxP-criticality of certain systems may be necessary. As a result, the basic risk analysis may need to be conducted again (or updated, in terms of its documentation).


Detailed Risk Analysis

During the detailed risk analysis (usually simply referred to as risk analysis), each system/process subject to qualification/validation is considered individually. In this process:

  • Individual components, product transfer operations/stages, and aspects related to the system/process are examined sequentially;
  • Potential risks associated with them are identified;
  • Depending on the type of risk analysis, each identified risk is qualitatively or quantitatively assessed and/or categorized as critical/non-critical (or unacceptable/acceptable);
  • Measures to mitigate/eliminate the risk or increase the detectability of events related to this risk are proposed;
  • It is determined at which subsequent stages of qualification/validation the implementation of the proposed measures will be verified.

Detailed risk analysis is the most important and knowledge-intensive element of validation activities, serving as the source of control points and acceptance criteria for the qualification and validation stages that follow. The risk mitigation/elimination measures identified during the detailed risk analysis are subsequently transformed into acceptance criteria in the control points of Design Qualification (DQ), Installation Qualification (IQ), Operational Qualification (OQ), Performance Qualification (PQ), and various validation protocols.

As mentioned above, risk analyses can be classified not only by the criterion of detail but also by the type of assessment: qualitative or quantitative, as well as by the nature of the risks considered. The three most typical types of (detailed) risk analyses in the pharmaceutical industry are:

  • GMP Risk Analysis (GMP RA): A risk analysis that typically considers only GMP/GxP aspects and uses a qualitative risk assessment, i.e., determining whether the risk is critical (substantial), with two possible answers: "yes" or "no."
  • FMEA (Failure Mode and Effects Analysis) / FMECA (Failure Mode, Effects, and Criticality Analysis): A risk analysis that uses a quantitative (numerical) risk assessment and may also include a final qualitative categorization of the risk (critical/non-critical), determined based on the overall quantitative risk assessment.
  • EHS (Environment / Health / Safety): A risk analysis that primarily considers personnel and environmental safety issues, typically conducted at facilities producing potentially hazardous, toxic, and highly potent pharmaceutical products. This type of analysis may use either a qualitative (as in GMP RA) or a quantitative (as in FMEA/FMECA) risk assessment model.

Let's take a closer look at these types of risk analyses.

GMP Risk Analysis

During GMP Risk Analysis, risks associated with potential violations of GMP/GxP requirements are typically considered. Sometimes, in addition to GMP/GxP risks, other types of risks may also be included in the scope of consideration if they are few in number and it does not make sense to conduct a separate risk analysis for them. Such additional risks may include economic risks, safety risks, EHS risks, user-requirement non-compliance risks, etc.

Risk analysis is documented in tabular form. Typically, such a table contains 7 columns with the following designations:

A – Sequential Number / Risk Identifier

This column indicates either a simple sequential number or a specific risk identifier in another format. Generally, a continuous numbering system is used for all rows in the risk table, and each row is assigned a unique sequential number (e.g., 01, 02, 03… etc.). In some cases, identifiers may consist of several numerical components with a delimiter, or may include alphabetical characters (e.g., 1.01, 1.02, 2.01… or A01, A02… etc.). The format of the risk numbers/identifiers is chosen by the regulated company at its discretion and is documented in the Validation Master Plan (VMP). The only requirement is that the chosen system ensures full traceability, and each row in the table has a unique number or identifier.

B – Process Step / System Component

This column of the table answers the question of where, in which element, at which process step, or in connection with which aspect/characteristic of the system or process the risk might arise (which, in turn, is indicated in the next column of the table). Examples might include:

  • Reverse-osmosis membranes, agitator, vent filter, valves, sensors, control system, etc. (system components)
  • Ampoule sealing, tableting, holding phase (during sterilization), dedusting, cleaning, etc. (technological steps/processes)
  • System component labeling, temperature, agitator rotation speed, etc. (various characteristics and aspects related to the system or process)

In essence, column B is part of the risk definition, as it contains information about where the risk originates or its association with a system component, process step, etc.

C – Potential Deviation

This column in the table specifies what could happen, i.e., the potential deviation associated with the considered risk. Typically, this is formulated as a concise narrative statement, often in the form of an incomplete sentence:

  • Excessively high temperature
  • Temperature outside acceptable limits
  • Contamination with foreign objects
  • Located in inaccessible places (labeling)
  • Dry running (pump)

D – GMP Risk

This column indicates the qualitative category of the identified risk, i.e., whether the deviation constitutes a GMP risk ("yes") or not ("no"). To determine this, two questions can be posed:

  • Question 1: "Is the process step or process parameter critical? Can it impact the quality/safety of the product?"
  • Question 2: "Is there a risk that GMP-related information is missing or incorrect (e.g., documentation)?"

If the answer to either of these questions is affirmative, the risk is considered GMP-critical.

In certain cases, when the deviation/risk wording regarding a specific system or process is not applicable or doesn't make physical sense, some companies may use a third response option – "n/a" (not applicable), provided that this is allowed by the protocol format and described in procedures/VMP. However, such a practice may not be particularly meaningful, as non-applicable risks can simply be excluded from consideration, and if they still appear in the risk table, the "no" response option would also be correct in this case.

E – Explanation

This column provides explanations/justifications as to why the specified risk was deemed non-critical from a GMP perspective. If the risk was considered GMP-critical, the relevant explanations and justifications are also provided in this column. Sufficient justification usually involves direct consequences of the deviation, where the criticality is obvious or which directly violate GMP requirements, such as "risk of contamination," "risk to product quality," "violation of regulated data integrity", etc. If the initial wording of the risk represents a direct violation of GMP requirements, this can be stated in the explanation: "Direct violation of GMP requirements."

There is also a practice where references to specific points in regulatory documentation (e.g., GMP guidelines) are provided in the E column as justification, similar to the protocols of audits and inspections. Considering that in risk analysis, it is necessary to provide such references for a significantly larger number of points (whereas in audits/inspections this is only required for identified non-compliances), this practice is excessive and requires an unjustifiably high amount of labor. The situation where work time is spent on formally searching for guideline references instead of focusing on a thorough analysis of the system/process and potential deviations can be viewed as an example of an unbalanced risk-based approach.

F – Tests / Actions

This column records the measures necessary to mitigate/eliminate the identified risk, as well as control actions (tests, validation trials, etc.) to increase the detectability of circumstances (deviations) associated with this risk. Such measures/actions must be proposed for GMP risks. For risks categorized as non-GMP risks, measures for their mitigation/elimination or increased detectability may also be proposed if necessary.

The measures/actions proposed in this column form the basis for formulating acceptance criteria in the protocols for subsequent stages of qualification and validation.

Measures/actions in the risk table are generally formulated in a concise and summarized form, without specifying the technical details associated with their implementation, but detailed enough to make their impact on the identified risk clear, so that they can be later transformed into specific technical and/or organizational solutions and, of course, to allow the formulation of appropriate acceptance criteria in qualification and validation protocols.

Risk management measures (controls) can be divided into three levels (ISPE GAMP RDI Guideline):

  • Technical (equipment level)
  • Procedural (process level)
  • Behavioral (organizational level)

Level 1. Technical Controls

Controls at this level involve implementing technical solutions at the equipment/system level. This might include installing additional sensors, control settings, and alarm signals, using special materials and constructions, equipping with additional systems, organizing protective laminar airflows, installing protective screens, implementing Cleaning in Place (CIP) systems, special layout solutions, and solutions regarding Heating, Ventilation, and Air Conditioning (HVAC) systems, pressure cascades, interlocking doors in airlocks, and so on. In summary, these are controls that operate without direct human involvement.

Level 2. Procedural Controls

These are controls related to modifying or adding additional steps to the technological process or auxiliary processes. Such controls are typically documented in procedures or instructions related to production, quality control, maintenance, etc. Examples of these controls include cleaning, separation of operations over time, various manual control and monitoring operations concerning process and environmental parameters, in-line sampling, In-Process Control (IPC), container labeling, documentation, data entry into electronic systems, and so on.

Procedural controls may also include additional control activities (tests), including specific qualification and validation activities. Therefore, sometimes, in the Tests/Actions column, validation activities are directly indicated as measures, for example, CLV (Cleaning Validation), PV (Process Validation), CSV (Computerized System Validation).

Level 3. Behavioral Controls

These controls are related to the competence, motivation, and overall behavior of the company's employees. This involves not only knowledge of the subject but also a conscientious attitude toward work, motivation, a sense of responsibility towards the patient, and so on. In this context, the atmosphere within the company, relationships between employees, and their job satisfaction are very important, potentially requiring additional resources. The commitment of the company's senior management to creating a positive atmosphere and motivating staff to comply with GMP requirements, including leading by example, plays a critical role here. Additionally, it is necessary to encourage staff to report problems and mistakes without fear of potential punishment (punishment for unintentional mistakes is unacceptable). Effective behavioral measures also include ensuring effective knowledge transfer and personnel rotation between different functions. Despite such a wide range of possible measures, behavioral measures in risk analysis are generally limited to training staff concerning the relevant critical operation/process, as other behavioral measures have little to do with the production process and are more related to corporate culture. Sometimes, in operations requiring significant physical/mental effort, appropriate measures may include introducing breaks for staff rest and more frequent operational rotation between workstations; however, such controls could also be categorized as procedural (Level 2).

Current regulatory expectations are that all three levels of controls should be utilized as far as possible. The main focus should be on lower-level controls: primarily technical controls. Only if technical controls are impossible or economically unfeasible within the existing project, and procedural measures can reliably mitigate the identified risk, is it permissible not to apply technical measures. In other cases, "replacing" lower-level controls with higher-level controls is not allowed, as higher-level measures are considered supportive and complementary to lower-level measures.

G – Implementation (Follow-Up)

In the Implementation column, the qualification and validation stages, as well as sometimes other activities (e.g., calibration), are indicated, during which the implementation of the proposed measures/actions is verified. It is in the protocols of these qualification and validation stages that the proposed measures/actions, formulated as acceptance criteria, are included.

References to qualification and validation stages are indicated in abbreviated form, for example, DQ, IQ, CSV, PV, etc.

Dividing the Risk Table into Sections

The risk table is usually divided into several thematic sections, each of which lists the risks associated with specific process steps, system components, or project aspects. These sections may include:

  • General (general aspects related to system design)
  • Materials
  • Process Step 1 (e.g., water filtration and softening)
  • Process Step 2 (e.g., reverse osmosis)
  • Process Step N (e.g., storage and distribution of purified water)
  • Process media and utilities
  • System operation
  • Monitoring / GMP parameters
  • Labeling
  • Documentation

FMEA/FMECA Risk Analysis

This type of risk analysis is listed as a potential tool for quality risk management in the ICH Q9 guideline, which in turn references the international standard IEC 60812 (Analysis techniques for system reliability – Procedure for failure mode and effects analysis FMEA).

The FMEA standard uses specific terminology related to risks and deviations that is not typical of classic GMP risk analysis, and it primarily focuses on examining the chain of consequences stemming from circumstances associated with the identified risk, up to the final outcome. The FMEA standard was developed for industry in general and does not have exclusive relevance to the pharmaceutical industry.

FMECA is considered an extended version of FMEA, additionally incorporating a quantitative assessment of risk criticality based on a combination of evaluations of the severity of consequences and frequency of occurrence. Furthermore, the ICH Q9 guideline also indicates a third component for assessing risk criticality: the probability of detection (from a risk assessment perspective, it is more practical to use the “probability of non-detection”).

If GMP RA uses only one column in the table for categorizing risks as GMP-critical or non-critical (yes/no), FMECA applies a set of several numerical parameter components:

  • Probability of Occurrence (O – Occurrence)
  • Probability of Non-Detection (ND – Non-Detection)
  • Severity of Consequences (S – Severity)

In addition to this, a comprehensive (overall) risk level assessment is also provided, calculated using the formula:

R = O × ND × S

To express risk levels for individual risk components, different numerical ranges can be used (e.g., 1..3, 1..10, etc.). Various designations for parameter components and the overall risk criticality can also be employed. Based on the value of the overall risk criticality 𝑅, a qualitative assessment is performed. A predefined cutoff threshold is used for this purpose. For example, if a criticality level of 6 is set as the cutoff, the risk is considered GMP-critical if 𝑅 ≥ 6, and GMP non-critical if 𝑅 < 6.

It is important to remember that there is some confusion in terminology regarding these risk analysis methods: traditionally, the scheme for assessing overall risk criticality based on the three components mentioned above, which according to ICH Q9 is related to FMECA, is often referred to as FMEA, which is not entirely correct according to ICH Q9 and IEC 60812.

The FMEA/FMECA risk table is similar in appearance to the risk table used in GMP Risk Analysis. The only difference is the presence of four additional columns for the quantitative assessment of risk criticality, corresponding to the three risk components and the overall level of criticality.

The risk table may also contain additional columns, particularly for indicating deadlines and responsible people. Otherwise, the FMEA/FMECA procedure, in the context of validation activities, is not different from GMP Risk Analysis.

Conducting FMEA/FMECA risk analyses requires significantly more effort and resources than GMP Risk Analysis. However, FMEA/FMECA does not provide a substantial improvement in the quality/reliability of validation activities. Assigning numerical values to individual aspects of risk usually lacks solid scientific justification and is often subjective. It can happen that the calculated overall risk criticality level in FMEA/FMECA contradicts direct GMP requirements or established practice. In such a situation, attempts are made to adjust the risk criticality parameters to obtain the "correct" overall value, which turns FMEA/FMECA risk analysis into a useless simulation. Considering that it requires substantially more resources to conduct, this also represents an example of an unbalanced risk-based approach.
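The scoring scheme and the subjectivity concern described above can be made concrete with a short sensitivity check. This is an added illustration, not part of the original article: it assumes a 1..3 scale for each component, uses the cutoff of 6 from the example in the text, and runs on constructed sample rows.

```python
from dataclasses import dataclass
from itertools import product

SCALE = (1, 2, 3)  # assumed 1..3 range for every component
CUTOFF = 6         # the article's example cutoff: R >= 6 is GMP-critical

@dataclass(frozen=True)
class Risk:
    description: str
    o: int   # probability of occurrence
    nd: int  # probability of non-detection
    s: int   # severity of consequences

def criticality(o, nd, s):
    """Overall risk level R = O x ND x S; rejects scores outside SCALE."""
    for score in (o, nd, s):
        if score not in SCALE:
            raise ValueError(f"score {score} is outside the scale {SCALE}")
    return o * nd * s

def is_critical(o, nd, s, cutoff=CUTOFF):
    return criticality(o, nd, s) >= cutoff

def flips(risk, cutoff=CUTOFF):
    """One-step changes to a single component that reverse the verdict."""
    names, scores = ("O", "ND", "S"), [risk.o, risk.nd, risk.s]
    base = is_critical(*scores, cutoff)
    found = []
    for i, old in enumerate(scores):
        for new in (old - 1, old + 1):
            trial = scores[:i] + [new] + scores[i + 1:]
            if new in SCALE and is_critical(*trial, cutoff) != base:
                found.append((names[i], old, new))
    return found

def fragile_combinations(cutoff=CUTOFF):
    """All (O, ND, S) triples whose verdict hinges on one one-step judgement."""
    return [c for c in product(SCALE, repeat=3) if flips(Risk("", *c), cutoff)]

# Constructed sample rows, not taken from any real risk table.
TABLE = [
    Risk("Conductivity sensor drifts out of calibration", 2, 2, 2),
    Risk("Vent filter integrity lost on storage tank", 1, 3, 3),
    Risk("Label printed with wrong tank number", 1, 1, 2),
]

if __name__ == "__main__":
    for r in TABLE:
        args = (r.o, r.nd, r.s)
        print(r.description, criticality(*args), is_critical(*args), flips(r))
    print(len(fragile_combinations()), "of", len(SCALE) ** 3, "combinations are fragile")
```

Under these assumptions, 13 of the 27 possible score combinations change classification when a single component is scored one step differently, which is why small disagreements between assessors matter so much.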

Overall, it can be stated that the FMEA/FMECA method is not very well-suited for analyzing risks related to GMP/GxP. However, using FMEA/FMECA for EHS risk analysis may be justified, as there may be a scientifically grounded basis for determining quantitative parameters, such as the toxicity of a substance, its concentration in the product, the amount of substance being processed, and the duration of the operation.

EHS Risk Analysis

For EHS Risk Analysis, both the traditional GMP Risk Analysis approach and the FMEA/FMECA method can be used. In this case, instead of risks related to GMP/GxP, EHS (Environment, Health, Safety) risks are evaluated. EHS risks are associated with personnel safety and environmental issues. EHS risk analyses are typically conducted at facilities that produce potentially hazardous, toxic, and highly potent pharmaceutical products.

Otherwise, the procedure for conducting and documenting the analysis corresponds to GMP Risk Analysis or FMEA/FMECA risk analysis, depending on the chosen model.

In some cases, combined GMP and EHS risk analyses are also conducted. In such cases, the risk table includes columns for the assessment/categorization of both GMP and EHS risks.


Practical Techniques for Conducting Risk Analyses

When conducting risk analyses, it is important to consider several aspects and apply certain practical techniques, which, in addition to knowledge of the subject matter, require specific training and experience.

Brainstorming

The identification of potential risks is carried out using the "brainstorming" method, which, by nature, is a chaotic process. On the one hand, the goal is to cover all possible negative situations and risks as comprehensively as possible, while on the other hand, it is crucial to structure the thought process clearly and organize the components/aspects of the subject under analysis in an orderly manner. In this sense, it may be useful to first write down all situations and risks that come to mind in a chaotic order on a separate sheet, and then, by structuring and, if necessary, breaking down or combining them, place them in the table in a logically justified order. There are no regulatory guidelines on how this should be done in practice. Everyone finds a method of recording and processing initial thoughts that works for them and transforms them into risk descriptions.

As unprofessional as it may sound, any "plagiarism" and "copy-pasting" is highly encouraged when conducting risk analyses: any sources containing descriptions of risks can help broaden the base of risks considered and reduce the likelihood of missing something. However, this applies only to risk identification! Significant discrepancies may arise in the assessment of risks, so blindly copying rows from a risk table from another project is unacceptable!

Discipline

The chaotic nature of the brainstorming process must be offset by discipline in the process of generating ideas, processing them, and creating risk descriptions. Thoughts should be recorded briefly and concisely, but in sufficient detail to understand the essence of the risk and distinguish it from other risks.

If risks are initially recorded in a chaotic order, they should be marked (for example, crossed out) in the original notes as they are entered into the structured table, to ensure that all initial entries have been considered.

It is also important to clearly separate the process of identifying risks from the process of assessing the identified risks. Attempting to do both simultaneously will complicate the task and may result in some risks being overlooked. This refers to assessing the consequences of a risk from the perspective of GMP requirements. The initial assessment of whether a given risk is possible and plausible should be conducted in parallel with risk identification, to immediately filter out clearly unrealistic risks.

Route of Analysis

Brainstorming is a chaotic process, so it is essential to anchor the flow of thoughts to a specific route, or in other words, to follow a specific path or trajectory when considering risks. Otherwise, there is a risk of getting lost in unrelated thoughts and missing a significant number of risks. This is important because, within a holistic risk-based approach, as many potential risks as possible must be considered.

An analogy can be drawn between the route of analysis and a checklist, where items to be checked are listed. When conducting risk analysis, project documentation with a detailed description of process steps or a schematic diagram of the equipment, detailing components, their interconnections, and product flow, can be used as a basis for such a checklist.

Using a specific route during risk analysis provides structure and ensures discipline in the brainstorming process. In this context, we are not talking about a single trajectory covering the entire risk analysis, but rather multiple trajectories that "cover" the analyzed object "thoroughly".

The following are examples of possible trajectories/routes that can be used for a risk analysis:

  • Product Flow:
    • Sequence of process operations applied to the product (basis: description of the technological process).
    • Product movement along various segments/components of the equipment (basis: schematic diagram of the equipment/functional specification).
  • Movement through Equipment Components:
    • Product movement along various segments/components of the equipment (basis: schematic diagram of the equipment/functional specification) – the same as in product flow.
    • Listing all components of the equipment (when there is no clear product flow direction), for example, top to bottom/left to right according to the schematic / pipe & instrumentation (P&I) diagram.
  • Movement around equipment at Connection Boundaries (Process Utilities).
  • Movement around the outer perimeter of a component (e.g., in the case of a tank/vessel, the following may be considered: the vessel, jacket, load cells, agitator, spray ball, all ports and connected components – vent filter, valves, manhole, sight glass/illumination system, etc.).
  • Listing all applicable process parameters (temperature, pressure, humidity, oxygen content).
  • Listing potential nonconformities related to process parameters (too high, too low, unknown, unrepresentative, unreadable, etc.).
  • Listing various aspects, classifications, characteristics, etc.:
    • Materials:
      • Components made of metal
      • Components made of polymeric materials
    • Contact with Product/Cleanroom Environment:
      • Surfaces in contact with the product
      • Surfaces in contact with the cleanroom environment
      • Surfaces not in contact with the product or cleanroom environment
    • Cleanroom Grades (A, B, C, D, CNC, NC)

…etc.

Typically, at least one route of analysis is used for each thematic section of the risk table. Moreover, the trajectories of the routes can be nested, for example:

  • Level 1 (top level): Individual process operations related to a specific process stage are considered sequentially.
  • Level 2: For each individual process operation, the applicable process parameters (temperature, pressure, etc.) are considered in turn.
  • Level 3: For each process parameter, the applicable nonconformity (too high, too low, etc.) is then considered.

Correctly chosen routes ensure a concise, coherent, and logical structure for risk analysis, while incorrect choices or the absence of such a route result in a chaotic and unbalanced risk analysis that typically does not meet the criteria of a holistic risk-based approach. The ability to choose the correct route of analysis in each specific case comes with experience in conducting risk analyses and requires extensive practice.

Criteria for Including Risks in the Analysis

When conducting risk analyses, beginner specialists often wonder which risks, from the seemingly endless number of possible risks, should be considered and included in a GMP risk analysis. For example, the impact of a meteorite falling on a sterile product filling line would certainly pose a threat to product quality, yet such a risk is not typically included in a risk analysis. Similarly, the risk that an operator might poison a batch of the product with a rare toxin (which would not be detected during laboratory testing) is also not typically included. The risk of a bird flying into the production area is less far-fetched than the previous examples, but even this risk, in such a specific wording, is generally not included.

In each of the examples mentioned above, the risk does not meet certain criteria used to determine whether it should be included in the analysis, such as:

  • Realism: The probability of the event occurring is not negligibly small (in the case of a meteorite, this probability is close to zero).
  • Direct relevance to the facilities, equipment/systems, utilities/materials/product, personnel, and the technological process (the meteorite case is an external factor, similar to wildfires, floods, tornadoes, military actions, etc., i.e. not likely to be addressed by typical GMP risk mitigation controls).
  • The risk should be associated with expected/possible:
    • Operation or malfunctions of infrastructure/equipment/systems
    • Expected progress or errors during the technological process
    • Operation or errors by personnel (due to lack of experience/knowledge, ignorance, inattention, or physical incapacity) – this does not include mental disorders, malicious criminal behavior, etc. – such issues are usually considered by regulated companies outside the scope of GMP.
    • Proper and improper quality parameters of the utilities, materials and products used – obviously, the presence of ricin or cholinesterase inhibitors in materials is not typically expected.
  • The risk should be formulated to encompass a group of similar risks that have the same potential impact on product quality and require the same or similar measures for mitigation/elimination (the risk associated with a bird flying into the production area should be rephrased more generally, e.g., the entry of animals/pests into production areas).
  • A risk should generally not be included in the table if it is absolutely clear without explanation that it is not critical from a GMP (EHS or other requirements, depending on the type of risk analysis being conducted) perspective. If explanations are required, or if measures related to the risk need to be included for reasons not related to GMP, then such a risk should be included in the risk table.

As with the route of analysis, the ability to correctly select risks for inclusion in a risk analysis requires experience and practice.

The Four-Eyes Principle

The Four-Eyes Principle means that at least two people must be involved in a given process. In the context of GMP, all particularly critical operations, such as weighing raw materials, equipment cleaning checks, etc., must be performed with the participation of two employees. This requirement also applies to all validation activities, including risk analyses.

In practice, this means that risk analysis can be conducted jointly by two specialists, or the first specialist conducts the risk analysis independently, and then the second specialist reviews it and, if necessary, corrects or supplements it. In addition to being a requirement, applying the Four-Eyes Principle helps make the risk analysis less subjective, as well as more comprehensive and balanced.


The specialists at Tarqvara Pharma Technologies have years of experience in conducting qualification, validation, and acceptance tests within the pharmaceutical industry, in full compliance with international, European, and national GMP/GxP regulations and standards.
