Sunday, August 26, 2007

A risk management solution designed to facilitate risk-based qualification, validation

InfoTrac OneFile (R)
Journal of GXP Compliance , 07/01/2006 10 4
A risk management solution designed to facilitate risk-based qualification, validation, and change control activities within GMP and Pharmaceutical regulatory compliance environments in the EU, Part I: fundamental principles, design criteria, outline of process. O'Donnell, Kevin *~|~*Greene, Anne *~|~*
COPYRIGHT 2006 Advanstar Communications, Inc.

Risk-based Qualification, Validation, and Change Control--Opportunities for Improvement In the European Union (EU), the Good Manufacturing Practice (GMP) requirements place specific obligations on manufacturers of medicinal products to implement risk-based qualification, validation, and change control programmes. (1,2,3)
Annex 15 to the EU Guide to GMP titled, "Qualification and Validation," requires:
a) That a risk assessment approach be used to determine the scope and extent of validation. (Note: Within the EU GMP and others, the term, 'validation,' is generally understood to encompass qualification as well as validation activities.)
b) That risk analysis be employed when assessing the likely impact of changes.
How these GMP requirements are met has been the subject of much discussion between Regulators and Industry in recent years, and as a Regulatory Agency, the Irish Medicines Board has received numerous requests from Industry for guidance in this area.
From the authors' experience as a GMP Inspector, it is evident that risk factors are often taken into account when designing qualification and validation programmes, and when processing change control proposals. However, as mentioned in the International Conference on Harmonization (ICH) Guideline on Quality Risk Management, ICH Q9, (4) the use of risk management in the Pharmaceutical Industry has, to date, been limited, and the full benefits of risk management, as a valuable component within a quality system, have yet to be realised.
Despite ever-increasing qualification and validation costs, as described in publications of the International Society of Pharmaceutical Engineering (ISPE) and others, (5-7) there is evidence that defective and non-compliant medicinal products continue to be manufactured and released. These often result in product recalls being required to protect patients and users of medicinal products. (8,9) As discussed in ISPE's White Paper on Risk-Based Qualification for the 21st Century, (5) current qualification practices, for example, are often document-intensive, expensive, and time-consuming, but do not necessarily add value, or lead to clear patient risk-mitigation strategies or process understanding. Likewise, validation activities sometimes do not adequately address the critical aspects of processes. (10) In the area of change control, proposed changes often involve substantial capital expenditure and large project teams, but sometimes important risks introduced by the change !
are not identified. Therefore, it is likely that the use of more formalised and scientific approaches to risk management may prove beneficial within GMP environments.
A Risk Management Solution for GMP and Regulatory Compliance Environments
There are many formal risk management tools available, such as Fault Tree Analysis, (11) Failure Modes and Effects Analysis (FMEA), (12) and Hazard Analysis and Critical Control Points (HACCP). (13) However, most were not specifically designed for GMP applications, much less as solutions for facilitating risk-based qualification, validation, and change control activities within GMP environments. As a result, a degree of design modification is often required before an existing tool may be used for these activities. Of the tools which are GMP-specific, such as the approaches developed by ISPE (14) and GAMP, (15) their focus tends to be somewhat narrow, being tailored for equipment and systems qualification and computerised systems validation, respectively. As a result, the day-to-day practicalities of how to apply GMP risk management more broadly remain somewhat under-developed.
In addition, few if any, of the available tools were designed as complete, documented, and ready-to-use risk management methodologies that address all of the components of risk management and have been accepted via ICH Q9 as important. These are as follows: risk assessment, risk control, risk communication and risk review. As a result, a further degree of modification is often required before any of the existing risk management tools may be used as a complete risk management solution.
In response to the requests received by the Irish Medicines Board from Industry for guidance in the interpretation of the risk-related requirements of Annex 15 to the EU GMP Guide, and as part of our efforts to better understand how risk management may be used in practice, the Irish Medicines Board has developed a practical risk management methodology, or tool, designed specifically as a means of addressing those Annex 15 requirements. As part of this work, a series of practical case studies have been developed on the use of this tool, in order to show how the tool works in practice. This risk management solution is designed so that it provides a complete and documented means of addressing all of the aforementioned components of risk management.
In this series of papers, in two parts, this risk management methodology is described. In Part I, the principles underlying this approach are given, and the design criteria used for development of the risk management tool are outlined. The tool uses a documented ten-step process, also described in Part I. In Part II, the scope and structure of the risk management tool are described, and some of the limitations of this tool are given. An outline of some of the principle findings made to date with this tool is also given in Part II. (It is emphasised that this work is not intended to place any specific regulatory obligations on manufacturers, nor is the risk management solution presented here being promoted in any way as a tool that should be used by Industry. This work simply demonstrates how GMP risk management may be applied in practice.)
Is this Risk Management Solution Intended to Replace other Available Tools?
It is not the intent of this work to replace other available tools; existing tools are valuable in their own right. The risk management methodology described here was designed for a specific purpose--to facilitate risk-based and patient-focused qualification, validation, and change control activities. This tool focuses on evaluating how GMP controls, both current and proposed, lead to mitigation and control of the risks identified, and on the qualification and validation status of such controls.
Importantly, this work does not seek to "reinvent the wheel," and during the technical development of this risk management solution, some of the useful features and concepts behind other risk management tools and approaches were adopted or taken into account. For example:
* FMEA and FMECA
This risk management solution draws upon some features of FMEA and FMECA, (16) in that it recognises the value in assigning Probability, Severity, and Detection ratings during risk assessment work, and in re-assessing these ratings following risk control strategies. It also recognises the value in breaking down the item under study into manageable components for individual assessment.
However, the approach developed here handles risk detection in a markedly different way. Here, detection controls are considered and evaluated after the risk has been estimated, not before, and significantly, this tool requires a formal and critical evaluation of any detection controls that are in place, in order to determine whether these controls actually give assurance that the risk is adequately controlled and that no further controls are required.
This approach also classifies GMP controls differently, and this impacts upon how risks are generally estimated and controlled. This tool requires one to address qualification and validation issues for current controls as well as for new controls, even when the related risk is deemed acceptable with current controls. Also, this approach does not make use of FMEA's 'Risk Priority Number' concept, and 'Failure Mode' terminology is not used.
* HACCP
This risk management solution draws upon some concepts of HACCP, in that it recognises the value in prevention rather than detection, and the value in determining critical control points, their related limits, and target levels. HACCP also provides a comprehensive and documented approach for practical risk management exercises.
However, HACCP-based applications do not normally offer a clear, formal process for characterising or differentiating (by either qualitative or quantitative means) the risks posed by a potential hazard, and the HACCP requirement to pre-define corrective actions for situations when Critical Control Points (CCP) limits have been exceeded is not used here. Rather, this solution provides a formal means of assessing individual risks, and it focuses on identifying and implementing GMP controls which give assurance, via qualification and validation, that such risks are either reduced to an acceptable level or controlled to an acceptable level.
* The GAMP 4 Risk Assessment Process
This risk management solution draws upon some features of the GAMP 4 Risk Assessment process, in that it recognises the value in estimating risks on the basis of likelihood and severity considerations only, not on detection factors, and the value in using the risk assessment process to help focus validation activities and to assess change control proposals. Also, the GAMP process considers the complexity and degree of customisation of the item under study when determining how much rigor to apply during the risk management process.
However, the approach described here deals with risk detection in a different way, as it does not allow users to automatically assign risk priorities simply on the basis of detection ratings.
* The ISPE Impact Assessment Process
This risk management solution draws upon some features of the ISPE Impact Assessment process, as described in ISPE's Baseline Guide on Commissioning and Validation, in that it recognises the value in using structured and systematic techniques to determine critical components of systems on an "impact" basis, with respect to product quality. It also recognises the value in focusing qualification activities on those critical components.
However, the approach described here addresses additional items, such as the risks presented when equipment and system faults occur, as well as risk control, communication, and review activities.
The Fundamental Principles Underlying this Risk Management Solution
A number of key principles underlie the design of this risk management solution. These were considered fundamental to this application of risk management in GMP and Regulatory Compliance environments, and are shown in Figure 1.
These principles were based primarily upon the guidance of ICH Q9, on the current EU GMP requirements, and on the ISO 14971:2000 Standard, on the application of risk management for medical devices. (17) The authors' own experiences in using other risk management tools, and a broad review of risk management-related publications also provided insight on key issues.
As is evident, the Principles noted in Figure 1 are largely self-explanatory. The following notes provide some background and explanatory information relating to each:
* Principle 1 is based on Annex 15 (Qualification and Validation) to the EU GMP Guide. (1) It implies that, before validation master plans and qualification and validation protocols are finalised, risks associated with the items under study should be considered, resulting in the identification of risk-based critical parameters requiring qualification or validation. This Principle also implies that, before change control proposals are approved, the potential risks presented by the change should be identified and a strategy determined for managing such risks.
* Principles 2, 3, and 4 reflect the guidance presented in ICH Q9 and other publications, such as ISO/IEC Guide No. 73, titled, "Risk Management--Vocabulary--Guidelines for Use in Standards." (18) The inclusion of loss of product availability in the definition of harm is considered important in GMP risk management activities, because the loss of product availability may adversely impact not only business, but also patients and users of medicinal products.
* Principle 5 reflects the author's experience in applying risk management principles and tools to GMP situations--that sometimes, the probability of occurrence of harm, or the severity of that harm, just cannot be reduced to levels that render the risk acceptable with current or realistic resources, but that such risks can be controlled to an acceptable level by means of detection or other risk-control measures.
* Principles 6 and 7 recognise that risk can be difficult to quantify, and that there may be uncertainties in the outcome of any risk management exercise. As discussed in ICH Q9, for example, different stakeholders may perceive different potential harms, or place a different probability on the occurrence of each harm, or assign different severities to each harm, and this can lead to uncertainty. This principle implies that the risk management solution should be able to address such difficulties and uncertainties. (The papers 19-22, detailed in the References section, provide useful information in this regard.)
* Principle 8 requires that the risk management solution should help to formally identify who the stakeholders are for the item under study. This enables the concerns of those stakeholders to be taken into account and for appropriate definitions of severity to then be determined.
* Principle 9 is far reaching, and it renders this solution somewhat different to other risk management tools with respect to dealing with risk detectability. Here, users may not automatically conclude that a high detectability for a negative event or its effects means that a risk is acceptable or adequately controlled. For example, the ability to detect glass in filled and stoppered vials may sometimes be high, but this detection control does not mean that the vial filling and sealing process is under adequate GMP control if the incidence of glass in vials is relatively high.
* Principle 10, also based on ICH Q9, means that the risk management solution must formally be able to identify and manage any new risks that may be introduced as part of Risk Control activities. New risks can be introduced, for example, when a new Process Analytical Technology (PAT)-based sensor is installed in a drying vessel to monitor a parameter such as water content. The material housing the sensor may be incompatible with the contents of the dryer, or it may not be adequately robust, giving rise to a risk of product contamination.
* Principle 11 recognises the benefit of using multi-disciplinary teamwork when performing risk management, and is certainly not a new concept. Well established tools such as HACCP, as outlined by the Codex Alimentarius Commission, (23) require the use of multi-disciplinary teams.
* Finally, Principle 12, again reflecting ICH Q9, recognises that much of what we do within GMP environments is risk-based, even if we do not call it that. This is important, because often, there may be no need to use a formal risk management tool, when existing procedures may be adequate. This principle, in a subtle way, also recognises the fact that risk events can have multiple causes, with multiple associated risks, some less important that others. This can result in formal risk management activities becoming costly and quite labour-intensive exercises, and should, therefore, be targeted at the most complex or critical issues.
Design Criteria for this Risk Management Solution
During the design stage for this risk management solution, it was determined that the tool had to meet certain pre-defined criteria if it was going to serve its intended purpose: to facilitate risk-based qualification, validation, and change control activities.
These pre-defined criteria were as follows:
* That the tool should offer GMP and Regulatory Compliance environments a documented, scientific, practical, systematic, transparent and flexible solution for determining and managing, on a risk basis, the scope and extent of qualification and validation, and the likely impact of changes.
* That the tool should allow for the highest risks to be identified and prioritised for action.
* That the tool should be a readily usable and complete risk management solution, without requiring extensive modification before it may be used to address all of the required elements of risk management.
* That the tool should have wide applicability across GMP and Regulatory Compliance environments.
* That the tool should directly conform to each of the twelve aforementioned principles which were defined as being important for facilitating risk-based qualification, validation, and change control activities within GMP and Regulatory Compliance environments.
With the above design criteria in mind, a structured and systematic risk management process was developed. This comprises of ten discrete process steps, as outlined in Figure 2. A detailed, instructional worksheet has been developed, which facilitates each of the ten steps. This worksheet is used to document the risk management exercise, and to guide users through the actual risk management process. Detailed guidance on carrying out each of these ten steps is available in the Tool's User Manual.
This ten-step process, as outlined above, complements some of the points made in ISPE's White Paper of 2005, (5) which, while focused only on equipment and facility qualification, made a number of very useful recommendations on ways to achieve true risk-based qualification. One was that risk assessments, process development, and experimental design should be used to identify critical features, functions, and critical process parameters, and that qualification efforts should be process-based, and focused on the concept of risk-mitigation for patients. The risk management solution developed here offers a practical means for how this might be achieved.
While this risk management methodology provides a means by which risk management might be of use within GMP environments, at the same time, it was designed to serve as a potential risk management solution for GMP regulators, for use within their own work activities. This is considered important, recognising the significant contribution made by ICH Q9 in promoting the use of risk management principles and tools by both parties. This aspect of the tool is explained in more detail in Part II of this paper.
CONCLUSION
In Part I of this paper, a risk management solution is described that is designed to facilitate risk-based qualification, validation, and change control activities within GMP and regulatory compliance environments in the EU. This solution is based upon a set of pre-defined, fundamental principles and design criteria, which were considered important. It offers a documented and ready-to-use ten-step process for determining and managing, on a risk basis, the scope and extent of qualification and validation, and the likely impact of changes.
This is a formal and rigorous approach to risk management. As such, it is designed so that its use should be commensurate with the complexity and/or criticality of the issue to be addressed. It is not intended for use in all situations, or to address all risk areas or concerns, and in many instances, in line with ICH Q9 principles, a more informal approach to risk management may be more appropriate, and indeed proportionate.
In Part II of this paper, the scope of this risk management solution is presented, and the structure of the tool and some of its key features are described. Some novel aspects relating to this risk management solution are also presented, and a number of limitations associated with this solution are discussed. Finally, an outline of the main findings made to date with using this tool is given.
Overall, this work seeks to demonstrate how risk management principles may be used in practical terms across a broad range of EU GMP and Regulatory Compliance environments. It is hoped that these efforts will serve to build upon the milestone that was ICH Q9, and the work done to date by FDA, ISPE, GAMP and many others in promoting true risk-based qualification, validation and change control activities.
ABOUT THE AUTHORS
Kevin O'Donnell is currently Market Compliance Manager at the Irish Medicines Board (IMB), Dublin, Ireland. He joined the Inspectorate Department of the IMB in 2001; he was appointed a GMP Inspector in 2002, and took up his current position in 2005. His current responsibilities involve managing a number of compliance programmes within the IMB, including IMB's Quality Defect and Recall programme and its Sampling and Analysis Market Surveillance activities.
Kevin has a chemistry background; he obtained his Chemistry Degree from University College Galway, Ireland, in 1991, and his Masters Degree in Pharmaceutical Quality Assurance from the Dublin Institute of Technology, Dublin, in 2002. He spent a number of years working in the Pharmaceutical Industry, both in Ireland and in the United States before joining the IMB. Kevin has an active interest in education, having spent three years as a Mathematics teacher in his native County Donegal, Ireland. He lectures occasionally, in pharmaceutical-related degree courses in Dublin. Kevin can be reached at kod1@eircom.net.
Anne Greene, PhD, is currently a lecturer in Pharmaceutical Technology at the School of Chemical and Pharmaceutical Sciences at the Dublin Institute of Technology in Dublin, Ireland. She is also Course Director for Masters of Sciences studies in Pharmaceutical Quality Assurance and Validation Technology at DIT.
Professor Greene came to academia after serving as Technical Services Chemist at Sterling Winthrop from 1990 through 1992 and as Validation Manager at Wyeth Medica Ireland from 1992 through 1996. She can be reached via email at anne.greene@dit.ie.
REFERENCES
1. The Rules Governing Medicinal Products in the European Community, Volume IV, published by the European Commission, and available at www.pharmacos.eudra.org/F2/eudralex/vol-4/home.htm.
2. European Commission Directive 2003/94/EC of 8 October 2003 laying down the Principles and Guidelines of Good Manufacturing Practice in respect of Medicinal Products for Human Use and Investigational Medicinal Products for Human Use, Official Journal of the European Union L262, 14/10/2003.
3. European Commission Directive 91/412/EEC of 23 July 1991 laying down the Principles and Guidelines of Good Manufacturing Practice for Medicinal Products for Veterinary Use, Official Journal of the European Union L228, 17/08/1991.
4. ICH Q9--Quality Risk Management, at Step 4 of the ICH Process, November 9th, 2005. Available at www.ich.org.
5. 'A White Paper on Risk-Based Qualification for the 21st Century,' ISPE's Qualification Task Team Steering Committee, ISPE 9 March 2005, available at http://www.ispe.org.
6. G. C. Wrigley, 'Strategies for Minimising Validation Costs,' Journal of Validation Technology, Vol. 10, Issue 3, 2004.
7. Proceedings of the conference titled "Reducing Validation Costs," Dublin Institute of Technology, Dublin, Ireland, 9 September, 2004.
8. For information in this regard, see the quality defect and recall sections of the Irish Medicines Board Annual Reports for 2003 and 2004, available from www.imb.ie.
9. For information on recalls which have occurred in the UK over recent years, see the Drug Alerts section of the website of the UK Medicines and Healthcare Products Regulatory Agency, at http://www.mhra.gov.uk.
10. For information in this regard, see the presentations from the Irish Medicines Board Inspectorate Information Days of 27 September 2002 and 15 October 2004, available from the IMB upon request.
11. IEC 61025--Fault Tree Analysis.
12. IEC 60812--Analysis Techniques for System Reliability--Procedures for Failure Mode and Effects Analysis (FMEA).
13. WHO Technical Report Series No. 908, 2003, Annex 7, Application of Hazard Analysis and Critical Control Point (HACCP) methodology to pharmaceuticals.
14. ISPE Baseline Pharmaceutical Engineering Guide, Volume 5, 'Commissioning and Validation,' March 2001.
15. GAMP 4 Guide, 'Validation of Automated Systems,' December 2001.
16. Military Standard No. MIL-STD-1629A, Procedures for Performing a Failure Mode, Effects, and Criticality Analysis (FMECA), U.S. Department of Defense, Washington, DC, 24 November, 1980.
17. ISO 14971:2000, 'Medical Devices--Application of Risk Management to Medical Devices,' December 2000.
18. ISO/IEC Guide 73:2002, 'Risk Management--Vocabulary--Guidelines for Use in Standards.'
19. D. W. Vincent and B. Honeck, Risk Management Analysis Techniques for Validation Programs,' Journal of Validation Technology, Vol. 10, Issue 3, 2004.
20. For example, see EMEA Public Statement of 18 October 2005 on the risk of inhibitor development for Factor VIII recombinant products, available at http://www.emea.eu.int.
21. E. C. Tidswell, 'Risk Profiling Pharmaceutical Manufacturing Processes', European Journal of Parenteral and Pharmaceutical Sciences 2004; 9 (2):49-55.
22. M. G. Morgan, 'Risk Analysis and Management', Scientific American, July 1993.
23. Recommended International Code of Practice: General Principles of Food Hygiene Cac/rcp 1-1969, rev. 3-1997, amd., (1999). [Note: This document is from the Codex Alimentarius Commission and the FAO/WHO Food Standards Programme.]
Article Acronym Listing
<pre>
CCP Critical Control Point
CPP Critical Process Parameter
EU European Union
FDA Food and Drug Administration
FMEA Failure Mode and Effects Analysis
FMECA Failure Mode, Effects and Criticality Analysis
GAMP Good Automated Manufacturing Practice
GMP Good Manufacturing Practice
HACCP Hazard Analysis and Critical Control Points
ICH International Conference on Harmonization
ISO International Organization for Standardization
ISPE International Society of Pharmaceutical Engineering
MA Marketing Authorization
PAT Process Analytical Technology </pre>
Addendum
Laminated Card for the Risk Management Tool
Risk = P x S
This Card shows the default Probability, Severity, and Detection definitions for the Risk Management Tool. It also shows the Risk Table, with the Risk Acceptability criteria. Important: The definitions shown for each P, S, &amp; D Level are default definitions; they can be modified as required. See Step 3 of the Tool Worksheet for details.
<pre>
Probability of Occurrence Levels for the Negative Event

High The Negative Event is Likely to Occur
Medium The Negative Event May Occur
Low The Negative Event is Unlikely to Occur
Remote The Negative Event is Very Unlikely to Occur, or is Extremely
Unlikely to occur

Severity Levels for the Effects of the Negative Event

Critical The Effects are Severe
* Very Significant GMP/MA Non-Compliance
* Potential Patient Injury
Moderate The Effects are Moderately Severe
* Significant GMP/MA Non-Compliance
* Potential Patient Impact
Minor The Effects are Not Severe
* Minor GMP/MA Non-Compliance
* No Patient Impact

Risk = P x S

Negative
Event Prob: Minor Severity Moderate Severity Critical Severity

High Unacceptable Risk Intolerable Risk Intolerable Risk
Medium Acceptable Risk Unacceptable Risk Intolerable Risk
Low Acceptable Risk Acceptable Risk Unacceptable Risk
Remote Acceptable Risk Acceptable Risk Acceptable Risk </pre>
RISK DEFINITIONS:
Intolerable: Work to eliminate the Negative Event, or build in systems or controls to ensure the effects of the Negative Event are not realised (e.g. via back-up or redundant controls).
Unacceptable: Reduce the risk, or control the risk to an acceptable level.
Acceptable: The risk is acceptable as is. No risk reduction or new controls are required.
Detection Control Ratings:
** High -- the control will likely detect the negative event or its effects
** Medium -- the control may detect the negative event or its effects
** Low -- it is not likely that the control will detect the negative event or its effects
** Zero -- no detection control in place
By Kevin O'Donnell (Corresponding Author) Compliance Department, Irish Medicines Board and Anne Greene, School of Chemistry and Pharmaceutical Sciences, Dublin Institute of Technology
Note: The views expressed in this paper are those of the authors, and should not be taken to represent the views of the Irish Medicines Board.
<pre>
Figure 1 Principles Underlying this Risk Management Solution

NO. PRINCIPLE

1. That the scope and extent of qualification and validation, and the
likely impact of changes, should be determined and managed on a
risk basis.
2. That risk is the combination of the probability of ocurrence of
harm and the severity of that harm, and that harm is considered to
be damage to health, including the damage that can occur from loss
of product quality or availability.
3. That as a minimum, risk management contains the following four
components: risk assessment, risk control, risk communication, and
risk review, as defined and described in ICH Q9.
4. That a consideration of "what might go wrong" is fundamental to the
risk management exercise.
5. That there may be some risks that cannot be eliminated or reduced
to an acceptable level with current or realistic controls or
resources, but that may be controlled to an acceptable level with
improved detection or other measures, as determined on a case-by-
case basis.
6. That risk management is not an exact science and, while a
scientific approach should form the basis of the risk management
process, there may be uncertainties associated with the outcome of
the risk management exercise.
7. That risk may be assessed qualitatively as well as quantitatively,
and that a good qualitative assessment of risk may be more valid
than a poor quantitative assessment.
8. That the main stakeholders associated with the application of risk
management within GMP and Regulatory Compliance environments are
patients and users of medicines, including healthcare
professionals, as well as Industry and Regulators, and that, while
the concerns of all involved stakeholders should be taken into
account in any risk management exercise, protection of the patient
is of prime importance, and therefore, risk management should
ultimately link to the protection of the patient.
9. That, in GMP environments, a high detectability of risk does not
necessarily mean that the risk is eliminated or adequately
controlled.
10. That the implementation of risk control measures could, in itself,
inadvertently introduce new risks, which will need to be managed.
11. That performing risk management exercises can be improved through
the use of multi-disciplinary teams.
12. That a formal risk management process may not always be necessary
or appropriate in all situations, and that the level of effort,
rigor, formality, and documentation associated with the risk
management process should be commensurate with the complexity and/
or criticality of the issue being addressed.

Figure 2 A Ten-Step Risk Management Process

Step 1: Document Specific Information on the Risk Management Exercise
Being Undertaken:
* Identify whether the exercise is a Prospective, Retrospective, or a
Change Control risk management exercise.
* Define the item under study and the scope of the exercise. If
possible, define boundaries for the item under study.
* Provide relevant background information so that the reason for the
risk management exercise is made clear.
* State any pertinent assumptions being made, especially those
relating to qualification and validation, and document any
significant uncertainties associated with the data being used in the
exercise.

Step 2: Who's Who? -- Define the Risk Management Team:
* Identify the risk management team leader and other team members.
* The team should be multi-disciplinary and include persons
knowledgable in the item under study.
* At least one person should have a firm understanding of the risk
management process, principles, and methodology.
* If possible, there should be personnel on the team who have the
necessary authority (or the means) to make key decisions regarding
the implementation and funding of risk mitigation controls.

Step 3: Review the Default Definitions Provided for Negative Event
Probability, Severity, and Detection:
* Review the default Probability, Severity, and Detection definitions
provided in this Risk Management Tool. These are presented on a
laminate card, which accompanies the tool worksheet.
* The team then decides whether the default definitions as provided
are appropriate for the specific risk management exercise at hand.
* This is where new or modified Probability, Severity, and Detection
definitions can be drawn up, if required. For example, the
definitions for Probability of Occurence can be made quantitative,
or the Severity definitions can be altered to better reflect the
concerns of any specific stakeholders.
* A Risk Table (or matrix) is used by this Risk Management Tool, and
this is also shown on the laminate card. (See page 25.)

Step 4: What Might Go Wrong? -- Identify Potential Negative Events:
* Review relevant documentation, records and data, and use
brainstorming techniques to identify potential negative events for
the item under study. (Note: Guidance on brainstorming is provided
in a Questions and Answers document provided with the tool.)
* Of the potential negative events identified, review each, discussing
their potential severities, and select and list those considered to
be the most critical and/or complex negative events, for formal
evaluation in this exercise.
* As this is a formal and rigorous risk management methodology, only
the highest priority or most important potential negative events
should normally be selected for formal evaluation. However, any
number can be selected.

Step 5: Risk Evaluation -- Is the Risk Acceptable, Unacceptable, or
Intolerable?
* For each potential negative event, identify and document the
potential negative consequences.
* Document and critically evaluate any currently in place back-up or
redundancy controls for the potential negative event, and assign a
Severity rating.
* Identify and document the cause(s) of each potential negative event.
* Document and critically evaluate any currently in place preventive
controls for each cause, and assign a Probability of Occurrence
rating to each cause.
* Using the Risk Table provided on the laminated card which
accompanies the tool worksheet, estimate each risk associated with
the potential negative event.
* This results in the classification of each risk as either
Acceptable, Unacceptable, or Intolerable.
* Risks deemed to be Acceptable progress directly to Step 8 of the
worksheet; all other risks progress to Step 6.

Step 6: Risk Evaluation -- Is the Risk Adequately Controlled?
* Document and critically evaluate any detection controls currently in
place for each Unacceptable and Intolerable risk.
* Assign a Detection rating to these controls, and determine whether
these controls give assurance that the risk is adequately
controlled and that no further controls are required.
* Risks that are considered adequately controlled progress directly to
Step 8. All other risks progress to Step 7.

Step 7: Risk Control:
* Identify and critically evaluate any new or improved back-up or
redundancy controls, which may be put in place for Unacceptable and
Intolerable risks.
* With these controls in mind, assign a new Severity rating to the
potential negative event.
* Identify and critically evaluate any new or improved preventive
controls, which may be put in place for the cause(s) of each
Unacceptable and Intolerable risk.
* With these controls in mind, assign a new Probability of Occurrence
rating to each cause.
* Using the Risk Table provided on the laminated card, which
accompanies the tool worksheet, re-estimate each risk.
* This results in the re-classification of each risk as either
Acceptable, Unacceptable, or Intolerable.
* Risks deemed to be Acceptable progress to Step 8 of the worksheet;
all other risks continue through Step 7.
* Identify and critically evaluate any new or improved detection
controls for each Unacceptable and Intolerable risk.
* Assign a Detection rating to these controls, and determine whether
these controls give assurance that the risk is now adequately
controlled and that no further controls are required.
* Risks that are considered adequately controlled progress to Step 8.
* For risks that are still not considered adequately controlled, Step
7 (Risk Control), should be repeated. (A redesign of the item under
study may be necessary in order to eliminate the potential negative
event.)

Step 8: Qualification and Validation:
* For each control listed on Worksheets No. 5, 6, and 7, identify the
items (such as documentation, equipment, facilities, personnel
resources, etc.), which are required for the control to be in place.
* Determine Critical Process Parameters, their limits, and any other
acceptance criteria or required outcomes for each control.
* Determine any training and assessment of training requirements for
each control.
* Determine any Qualification or Validation activities required for
each control, and assign a Qualification and Validation status to
each.

Step 9: Action Items:
* Document any action items arising out of the risk management
exercise, and assign responsibilities for each.
* These could be actions required to implement a control, or they
could be Qualification or Validation exercises.

Step 10: Risk Communication and Continuous Improvement (Periodic Review)
Activities:
* Identify and document any communication activities required for the
risks identified during the exercise.
* Assign responsibilities and timelines for each communication.
* Define when the risk management exercise should be reviewed as part
of continuous improvement, and document any key areas or issues to
be reviewed at that time.
* Close out the risk management exercise. </pre>

InfoTrac OneFile (R)












No comments:

Pharmaceutical Validation Documentation Requirements

Pharmaceutical validation is a critical process that ensures that pharmaceutical products meet the desired quality standards and are safe fo...