The recently published (August 2022) EU GMP volume 4 Annex 1 introduces several changes. In particular there is an increased requirement for the use of risk assessment and risk management methodologies.
These are probably one of the most mis-used and mis-understood pharmaceutical activities.
Firstly, what is “risk assessment”?
This has been defined by the FDA as A systematic process of organizing information to support a risk decision to be made within a risk management process. It consists of the identification of hazards and the analysis and evaluation of risks associated with exposure to those hazards.
ICH Q9 (Quality Risk Management) – defines this as a systematic process of organizing information to support a risk decision to be made within a risk management process. It consists of the identification of hazards and the analysis and evaluation of risks associated with exposure to those hazards and focuses the behaviours of industry and regulatory authorities on the two primary principles of Quality Risk Management, which are:
- The evaluation of the risk to quality should be based on scientific knowledge and ultimately link to the protection of the patient; and
- The level of effort, formality and documentation of the Quality Risk Management process should be commensurate with the level of risk.
Ideally, risk assessments are used to identify areas of process risk or weakness, allowing the company to identify, prioritise and focus their resources on the most important risks and to eliminate them or implement mitigation activities.
Current Issues
However, all too often these are not properly performed, seen as a “tick box” activity or even used to create / validate a reason or excuse as to why some activities don’t need to be done. I was once asked “if we upgrade our filling machine, will we have to revalidate it or can we just risk assess it”.
Risk assessments are typically used at the time of process sign-off or approval from the customer, then “Archived” and thus fail to be properly updated and communicated to the team.
The resulting “risk number” or “risk priority number” is usually the result of arbitrary assignment of severity and occurrence, risks sometimes manipulated to try and demonstrated a process or system is “low risk” or worse still, intentionally ranking failure modes lower than true risk in order to avoid required improvement activities.
I’ve also seen them being used to try and retrospectively justify and action or decision already taken.
In the main, risk assessments are only every as good as the team behind them and this is where the majority of risk assessments fall down:
- The amount of time needed to complete a comprehensive risk assessment is almost always underestimated.
- The team used to create the risk assessment are limited. Issues beyond the team members knowledge aren’t likely to be assessed, detected or resolved, thus it stands to reason that a team composed of widely diverse experience knowledge and disciplines perform better. In the past I have seen risk assessments written by a single person, not ideal as this negates fact the team concept is one of the values of risk assessments such as FMEA.
The wrong risk assessment tools for the task are often used. While there are many risk assessment methodologies and tools available, unless they are used by those with some expertise in the field of risk assessment the tools recommended by the ICH should be used:
- Failure Mode Effects (Criticality) Analysis (FMEA & FMECA)
- Fault Tree Analysis (FTA)
- Hazard Analysis and Critical Control Points (HACCP)
- Hazard Operability Analysis (HAZOP)
- Preliminary Hazard Analysis (PHA)
One weakness of theses is they concentrate on the consequence of the risk and do not relate to the source of the risk event, or the circumstances linking the two.
However, the biggest issue with many risk assessments is that they only assess the “risk” of an end results happening, without understanding risks are not just events. Risks are fundamentally the relationships between events. To manage risks, you must focus on understanding the system mechanisms that control the cause-and-effect relationships.
Of course, there are many others such as “bow Tie” assessments used mainly in engineering-based industries. Other tools such as Ishikawa diagrams can also be used but while these are useful in identifying possible causes for an effect or problem, they are not usually suitable for use as a risk assessment tool.
The Upside.
Although I have looked at the issues surrounding the mis-use of risk assessments, I would not like to give the impression I was “anti-risk” assessment, to the contrary I believe risk assessments if performed correctly provide a structured and an easy to understand method identifying potential risks and communicating these risks to all – from senior management to those on the shop floor.
When used correctly risk assessments are not only a regulatory requirement, they provide you with the right information to allow you to make the right decisions and to prioritise the right actions. They provide a structured and thus consistent way of identifying probable design or process failures that impacts product quality, process reliability and safety or environmental hazards.
Risk assessments also:
- Provide a method for prioritising the importance of potential risks, and indeed allows you to choose which risks are worth accepting and which are not.
- Provides a method for capturing “lessons learned” about failures or potential failures from similar situations and processes as a means of minimizing risk.
- Helps to define actions and responsibilities in cross functional teams.
- When combined with Control Plans or Control Strategies they can help optimise process control and reliability and most importantly product quality.
- Substantially reduce costs by identifying design and process improvements early in the development process when relatively easy and inexpensive changes can be made.
- Provide new ideas for improvements in similar designs or processes.
- If used early enough in process design or during technology transfer, they can save great amounts of time and money by identifying issues before they become complex or expensive to rectify.