The Risk Assessment And analysis
Risk Assessment is a qualitative/quantitative identification of the possible risks or hazards associated with a process. Techniques such as FMEA/FTA (Failure Mode and Effects Analysis/Fault Tree Analysis) should be utilized. A risk assessment is recommended for all validations. A risk assessment completed for existing equipment may be acceptable for similar new equipment. The intent is to determine risk. Based on the identified risk, validation requirements can be determined.
Depending on the nature of the equipment, its intended use, and the potential for the equipment/utility to affect process and product quality, a full or lean validation approach can be used. Full qualification covers the complete extent of validation, including installation, operation, and performance for all critical components, where applicable. Lean validation is recommended in accordance with the FDA guidance for industry "Process Validation: General Principles and Practices" and the International Conference on Harmonization (ICH) Q9 "Quality Risk Management" to save time and cost by focusing only on critical aspects of validation through the implementation of a scientific and risk-based approach.
A Risk Analysis (RA) approach shall be utilized when:
- Lean validation approach is planned to be implemented.
- When overall new system quality and/or business impact is unknown
- When system or system functionality changes quality and/or business impact is unknown in conjunction with change control.
Basic risk management facilitation methods (flowcharts, check sheets, etc.) and Failure Mode Effects Analysis (FMEA) shall be utilized while performing the Risk Analysis. FMEA provides for an evaluation of potential failure modes for processes (systems) and their likely effect on outcomes and / or system (product) performance. Once failure modes are established, risk reduction can be used to eliminate, contain, reduce or control potential failures. FMEA relies on product and process understanding.
Risk Assessment
- The Risk Assessment (RA) identifies, analyzes, and evaluates all critical parameters required for the Quality Risk Assessment of the System.
- The risk assessment begins with a list of requirements, derived from the User Requirements Specification (URS) if available. For each requirement identified as Critical in relation to GMP, a risk scenario is defined.
- The Risk Assessment team is responsible for determining the Severity, Probability, and Detectability of each potential failure. The ranking scheme outlined below should be applied.
Severity
| Score |
Classification |
Description |
| 1 |
Negligible |
a. The hazard is not likely to affect a product attribute, manufacturing process parameter or product quality.
b. The hazard likely has no effect on the facility, systems, process, or equipment/instrument used in the activity. |
| 3 |
Minor |
a. A risk that affects a quality attribute, a critical process parameter, an equipment or instrument critical for process or the control strategy, of which there is a minimal impact to patients (system, process, equipment, personnel, environment).
b. A situation or condition that is not in full compliance with internal, customer, regulatory, or industry expectations, but is not expected to create a regulatory authority objection. |
| 5 |
Major |
a. A risk that affects a quality attribute, a critical process parameter, an equipment or instrument critical for process or the control strategy, of which there is a potential impact to patients (system, process, equipment, personnel, environment).
b. A relevant violation of internal, customer, regulatory or industry expectations unlikely to lead to regulatory action/warning, manufacturing suspension, or license/certificate revocation. |
| 10 |
Critical |
a. The risk affects a critical quality attribute, a critical process parameter, equipment or instrument critical for process or the control strategy, of which the impact to patients (system, process, equipment, personnel, and environment) is highly probable, including life-threatening situations.
b. The risk constitutes a significant violation of internal, customer, regulatory, or industry expectations that may lead to regulatory action/warning, manufacturing suspension, or license/certificate revocation (this includes voluntary withdrawal of product from a market by the Company). |
Probability of Occurrence
The probability of occurrence evaluates the frequency at which potential risk(s) may occur in a given system or situation. The probability score is based on the likelihood that the effect occurs due to the failure mode.
| Score |
Classification |
Description |
| 1 |
Unlikely Occurrence |
The probability of the occurrence of the failure is very low, but theoretically possible. |
| 2 |
Seldom Occurrence |
If procedures are followed, the failure potential is minimal. |
| 3 |
Occasional Occurrence |
The risk may occasionally occur even if procedures are followed. |
| 4 |
Likely Occurrence |
It is likely that the risk can occur even if procedures are followed. |
| 5 |
Frequent Occurrence |
The risk may occur frequently, even if procedures are followed. |
Detectability
Detectability refers to the probability of detecting a failure. The detectability score is based on the ability to detect the effects of the failure mode or the ability to detect the failure mode itself.
| Score |
Classification |
Description |
| 1 |
Good Detectability |
The risk has either a validated automatic detection system that is a direct measure of failure or: two or more manually operated validated detection systems (direct or indirect) that are effective in detecting the risk. |
| 3 |
Likely to Detect |
The risk has a single manually operated validated detection system that is a direct measure of failure. |
| 5 |
Limited Detectability |
The risk has limited detectability, no control strategy, or all the controls failed to identify the risk before release. |
Risk Priority Number (RPN)
The Risk Priority Number (RPN) is the product of three factors: the probability of occurrence (O), detectability (D), and severity (S). For example, with O = 1, D = 3, and S = 3, the RPN is 9 (1 x 3 x 3). It is important to note that the RPN is not a measure of risk itself, but rather a measure of the priority of risk to allocate limited resources to the most significant problems. Higher calculated RPN numbers indicate higher priority.
| Priority |
RPN Range |
Actions |
| Low Priority - No Action Needed |
≤ 9 |
Risk is evaluated as "acceptable" without measures to be taken. |
| Medium Priority - Medium Risk |
10 - 36 |
Measures must be taken to reduce the risk with the goal to reach. |
| High Priority - High Risk |
≥ 37 |
Measures must be taken to reduce the risk with the goal to reach. |
After completing the risk assessment, potential failures that may have adverse effects on product quality and/or patient safety are rated as Critical or as having a Direct Impact. Failures identified that have no potential adverse effects on product quality or patient safety are rated as Non-Critical or as having No Impact.
For all identified Critical or Direct Impact risks, measures must be defined to minimize the likelihood of occurrence or to reduce the severity of the failure consequences. These defined measures should be necessary, appropriate, and specific, and may include technical and organizational measures. The defined measures should be integrated into future qualification/validation steps.
The identified potential failures, their evaluation and rating, and the resulting measures should be documented, along with a justification for the evaluation and rating. The Risk Assessment should undergo a formal review and approval cycle.
The results of the Risk Assessments should be reviewed and approved by the System Owner, Subject Matter Expert(s), and Quality Assurance.
Risk analysis that has already been executed for existing equipment can be applied to functionally equivalent equipment.