Risk Assessment in Pharmaceuticals | Principles and Applications

Manufacturing pharmaceuticals entails many processes and systems, equipment and personnel activities that can impact the quality of the product and the safety of the consumer. While there are many strong controls in place and validated systems, it is impossible to completely eliminate all risks. The intent of pharmaceutical quality systems is to not remove every possible risk, but instead identify, evaluate, control and regularly monitor risks so that they remain at an acceptable level.

In my experience, the most significant change in pharmaceutical quality management in the last twenty years has been the transition from compliance to a science- and risk-based approach. Agencies now expect organizations to make decisions based on scientific knowledge and formal risk assessments rather than on assumptions or previous practices.

Risks are assessed today for almost all areas of the pharmaceutical industry from manufacturing, validation and change control to investigations, qualification, supplier management, computerized systems and contamination control.

By properly performing a risk assessment, organizations can put their energies into the areas of greatest risk relative to product quality and patient safety.

What is Risk Assessment?

Risk assessments are an organized, knowledgeable means of identifying hazards, determining the probability and seriousness of possible failures and evaluating what control measures are appropriate to mitigate those risks. As outlined in ICH Q9 Quality Risk Management, the definition of "risk" includes two parts:
1. The chance of an event occurring that causes harm
2. The severity of that harm

The outcome of a risk assessment will answer some of the most important questions regarding risk;
1. What can happen?
2. How likely am I to have a risk event happen?
3. What impact is there if the risk occurs?
4. What can be done to control the ongoing risk?
5. Is the remaining risk acceptable?
The outcome of risk assessment will provide a scientific basis for making decisions and for allocating your resources.

Why Risk Assessment is Important in Pharmaceuticals

There is a degree of risk to every pharmaceutical operation. Some examples are:

• Contamination of product
• Failure of equipment
• Human error
• Interruption of utilities
• Integrity failure of data
• Variability of processes
• Quality issues from suppliers

When a structured risk assessment is not in place, organizations can utilize their limited resources to address a low-level risk and ignore high-level risks.

Risk assessments provide the framework for organizations to improve:

• Quality of product
• Safety of patients
• Compliance with regulations
• Prioritization of corrective actions
• Understanding of processes
• Strength of decisions

From my experience, those organizations that have an established risk management program to evaluate and manage risks generally have a stronger compliance history and reduce the number of reoccurring quality issues.

Regulatory Expectations for Risk Management

Risk management is an integrated component of world pharmaceutical regulatory compliance and referential guidelines.

The pharmaceutical regulatory agencies have an expectation of applying a risk-based business model throughout the pharmaceutical company’s operations.

Some of the key regulatory references include:
- ICH Q9 Quality Risk Management
- ICH Q10 Pharmaceutical Quality System
- EU GMP Guidelines
- FDA Quality Systems Guidance
- WHO GMP Guidelines

Inspectors will often review the risk assessment with respect to:
- Deviations
- CAPA
- Change controls
- Validation activity
- Supplier qualification
- Computerized systems
Insufficiently justified risk assessments can lead to a potential regulatory investigation.

Risk Assessment Key Elements

A typical formal risk assessment will have multiple stages.

1. Risk Identification

The first stage of risk identification is identifying possible hazards impacting product quality or patient safety, or compliance with applicable regulations. Examples of such possible hazards include:

• Equipment failure
• User error
• Microbial contamination
• Improper raw materials
• Utility failure

The goal of this process is to identify all reasonably foreseeable hazards.

2. Risk Analysis

Following the identification of hazards, a risk analysis will be performed for each of the identified hazards. Some of the typical risk evaluation criteria for the analysis include:

• Severity
• Likelihood
• Ability to detect

Risk analysis provides the ability to assess the combined significance of an identified risk.

3. Risk Evaluation

The evaluated risk from the risk analysis will then be compared to the predefined acceptance criteria for risk. Some standard questions asked will include:

• Is the risk acceptable?
• Does more control need to be put in place?
• Should the risk be elevated in priority?

The purpose of this stage is to assist in determining the overall significance of an identified risk and provide guidance in making decisions to prioritize.

4. Controlling risk

The use of controls allows individuals to help decrease their risks to an acceptable level through multiple methods, such as:

• Additional monitoring of processes
• Redesigning any existing processes
• Automating different business processes
• Ongoing Training programs for existing staff or new employees
• Validating existing processes

All risk reductions should have the benefit of scientific validation.

5. Reevaluation of risk

Risk evaluation must be dynamic and should never be static. Conducting periodic evaluations on an ongoing basis ensures the following:

• That existing controls are functioning
• Identify any new risks
• Evaluate any changes to the affected process

The ongoing evaluation of risk is an integral component of the overall risk management during the life cycle.

Common Risk Evaluation Tools

Assessment methods differ depending on the difficulty of the evaluation issue.

1. Failure Mode and Effects Analysis (FMEA)

FMEA is generally accepted as one of the most dependable evaluations in evaluating pharmaceutical risk. Using FMEA one will evaluate:

• What would be the various ways a process may fail
• An assessment of the consequence if it were to be negatively impacted
• The probability of it occurring
• An assessment of the ability to detect the fault

Then a Risk Priority Number (RPN) is used to prioritize actions based on the above evaluations.
Common usage includes:

• Validation of processes
• Qualification of equipment
• Manufacturing operations and Utilities

2. Hazard Analysis and Critical Control Points (HACCP)

Originating in the food industry, HACCP is now routinely applied to pharmaceuticals. HACCP utilizes a methodology to determine:

• What hazards may exist
• Where critical control points are identified
• How to monitor the critical control points selected

HACCP is definitely an option for consideration when attempting to maintain sterile manufacturing operations and/or achieving contamination control.

3. Risk Ranking and Filtering

Risk Ranking is a simple and effective means of ranking risk. Risk is classified to:

• Low Risk
• Medium Risk
• High Risk

Risk Ranking is often utilized when:

• The Qualification of suppliers is required
• Planning for an audit
• Controlling change

4. Fault Tree Analysis (FTA)

FTA identifies root causes of potential failures through a top-down approach. It examines how multiple events may combine to result in a system failure. FTA applications include:

• Utility failures
• Equipment reliability
• Safety systems

FTA is particularly useful for complex systems.

5. Hazard Analysis

A hazard analysis systematically assesses possible hazards and their potential consequences and is often used during:

• Facility design
• Process development
• Contamination control planning

This method allows the identification of potential vulnerabilities earlier in the project lifecycle.

Applications of Risk Assessment in Pharmaceuticals

Pharmaceutical activities can benefit from the use of risk assessment.

1. Change Control

A risk assessment will assist with evaluating the potential consequences of a proposed change. Examples of Change Control Assessments are as follows:

• Change to equipment
• Change to process
• Upgrade of software
• Change to raw materials

Higher risk changes may require additional qualification or validation.

2. Validation Activities

Validation programs increasingly rely on risk based methodologies. A risk assessment can assist with determining:

• Critical Process Parameters
• Locations for sampling
• Testing requirements
• Revalidation requirements

This will increase the efficiency of validation while ensuring compliance.

3. Managing Deviations

A risk assessment can also aid with the management of deviations through the evaluation of the:

• Impact of the product
• Risk to patient safety
• Consequences if compliance

Risk based decision making should promote a higher quality investigation.

4. Supplier Qualification

Not all suppliers have the same risk. Risk assessment can assist with establishing priorities for:

• Auditing of suppliers
• Monitoring of activities
• Qualification requirements

More critical suppliers will require a greater degree of oversight.

5. Validation of Computerized Systems

In the modern pharmaceutical environment, there are many updated computerized systems used. A risk assessment can assist with identifying the:

• Scope of validation
• Depth of testing
• Controls related to data integrity
• Controls related to security

Validation based on a risk assessment is now the accepted industry practice.

6. Contamination Control

Risk assessments are essential to contamination control strategies. Typical evaluation areas include:

• Facility Design
• Personnel Practices
• Material Flow
• Cleaning
• Environmental Monitoring

Annex 1 highlights contamination control risk management.

Common Mistakes in Pharmaceutical Risk Assessments

Pharmaceutical risk assessments have several key weaknesses which impact their effectiveness. Here are some common problems with risk assessments:
- Incomplete identification of hazards
- Subjective scoring
- Lack of multi-disciplinary participation
- Lack of periodic assessment or review of risks
- Excessively complicated methodology
- Insufficient documentation
The most common example I observe is treating the risk assessment as documentation, rather than as a tool for decision-making.

Characteristics of an Effective Risk Assessment

Strong risk assessments share a variety of similar characteristics. These include:
- Science-based
- Data driven
- Objective
- Documented
- Periodically reviewed
- Supported by suitable content experts
Effective assessments should promote action, not just produce documentation.

Role of Cross-Functional Teams

Risk assessment is optimized by having input from multiple disciplines on the team. The team can contain personnel from range of department such as:

• Quality Assurance
• Production
• Engineering
• Validation
• Quality Control
• Regulatory Affairs

By having a cross functional team approach; the team will perform better in identifying the various risks and reducing biasness associated with those risks.

Risk Assessment and Regulatory Inspection

As there has been an increase in inspectors examining how Organizations are implementing their Risk Management principles; the following questions are common and the inspector may ask during the inspection:

• How does the Organization identify risks?
• How does the Organization document the decisions made with regard to those risks?
• How frequently does the Organization review the risk?
• How does the Organization verify the controls put in place?

Companies that have established a risk management system that is mature are likely to perform better during regulatory inspections.

Risk Assessment Best Practices for Pharmaceutical Industry

Companies that have strong risk management programs tend to have several things in common. Best Practices recommended to the pharmaceutical industry:

• Implement ICH Q9 principles consistently
• Use appropriate risk assessment tools to assess Risk
• Utilize Multidisciplinary Teams
• Document the rationale of the risk assessment clearly
• Periodically Review Risk
• Link the Risk Assessment to the Companies Corrective Action Preventative Action (CAPA) and Change Control Systems
• Use objective data whenever possible to assess risk

By implementing these Best Practices, a company will have improved compliance along with increased operational performance.

Today, risk assessment is one of the most important factors to include in quality systems utilized by today's pharmaceutical industry. Regulatory authorities now require organizations to consider science and risk elements when determining how to make decisions about product quality, patient safety and overall compliance. Risk assessment provides a means for companies to properly allocate resources and focus on critical issues across all areas of operations such as validation, change control, investigations, supply chain management, or contamination control.

Based on my personal experience working with different clients in the pharmaceutical industry, companies that utilize risk management as a part of their daily operations typically achieve higher compliance levels, improved understanding of their manufacturing processes and an enhanced overall quality system across the entire product lifecycle. It is important for organizations to realize that risk assessment is not just a regulatory requirement but also serves as a valuable management tool that can help support both continuous improvement and achieve operational excellence throughout the life of products.

Regulatory References

1. ICH Q9 Quality Risk Management
https://database.ich.org/sites/default/files/Q9%28R1%29_Guideline.pdf
2. ICH Q10 Pharmaceutical Quality System
https://database.ich.org/sites/default/files/Q10_Guideline.pdf
3. FDA Quality Systems Approach to Pharmaceutical cGMP Regulations
https://www.fda.gov/media/71023/download
4. EU GMP Guidelines Volume 4
https://health.ec.europa.eu/medicinal-products/eudralex/eudralex-volume-4_en

Share

Tweet

Share

Pin it

Share