Introduction and Literature Overview
Objectives and Principles of Risk Management
- Identify the risks: What can go wrong?
- Analyze the risks: What is the likelihood (probability) that something goes wrong, and what are the consequences (severity) if it does?
- Estimate the risk priority number (RPN) and assess if the risk is acceptable or too high.
- If the risk is too high, develop and implement control steps to reduce or eliminate it.
- Analyze the residual risk and assess if it is acceptable.
- Risk or unwanted event: Car runs over a pedestrian crossing the road.
- Probability of occurrence: Depends on the road traffic: low for country roads, medium for town roads and high for city streets.
- Severity: Always high, because the accident may lead to permanent injury or death.
- Risk level expressed by the risk priority number (RPN): Always high, because of high severity and some probability. The RPN increases from the country road to the city street due to increasing probability.
- Control steps to reduce probability: Depend on the risk level:
- Country road: Look left and right before crossing the road.
- Town road: Use pedestrian traffic lights or a pedestrian crossing.
- City street: Use pedestrian overpass or underpass.
- Residual risk: Is acceptable because probability of occurrence has been reduced.
- Is an integral value of all organization processes, e.g., for compliance, security, health and safety.
- Is part of decision making, for example, whether to implement changes or not.
- Is systematic, structured and timely.
- Is based on the best available information, for example, on historical data and on science.
- Has the health and safety of patients in mind.
- Is aligned with a company's culture, strategies, risk profile and performance measures.
- Decisions should always be justified, documented and communicated to everybody affected by the project.
- Is an ongoing process to improve the efficiency of the organization.
Benefits and Issues for the Regulated Industry
Objectives of the Tutorial
- An overview of regulatory and quality standard requirements and recommendations.
- Tools and common practices available for risk assessment and management.
- Strategies for implementation with practical help on how to document the outcome.
- Recommendations for special applications, e.g., for laboratory systems, software and computer validation, equipment maintenance and qualification and for process validation.
- The European Council Directive 93/42/EEC of June 14, 1993 Concerning Medical Devices (1) was one of the first regulatory documents to require that risks be eliminated as far as possible during the design and manufacture of medical devices, weighed against the benefits to the patient.
- The US FDA Quality System Regulation (2) requires validation of the design of medical devices, and that design validation include risk analysis, where appropriate.
- The EU GMP Annex 15 for "Validation and Qualification" (3) requests a risk assessment approach to determine the scope and extent of validation and to evaluate the impact of the change of facilities, systems and equipment on the (medicinal) product including risk analysis.
- Risk-based compliance was an important element of the FDA's Pharmaceutical cGMP Initiative for the 21st Century in 2002 (4).
- Risk-based compliance was also a key component in the FDA's new approach for dealing with electronic records and signatures: 21 CFR Part 11 (5).
- Probably the single most important document related to risk management for the pharmaceutical industry is the ICH Q9 "Guide on Quality Risk Management" from 2005 (6). It describes a systematic approach for risk management and applies to drug development and manufacturing including laboratories.
- The World Health Organization Expert Committee on Specifications for Pharmaceutical Preparation published a paper entitled "Hazard and Risk Analysis in Pharmaceutical Products" (30). It provides general guidance on the use of Hazard Analysis and Critical Control Points (HACCP) to ensure the quality of pharmaceuticals.
- The Pharmaceutical Inspection Convention/Cooperation Scheme (PIC/S) gave an example of a methodology for implementing ICH Q9 in the pharmaceutical field (29).
- In 2001 GAMP published the "Guide for Validation of Automated Systems (GAMP 4)" (7). Appendix M3 was dedicated to risk assessment. It mainly focuses on risk-based validation of computer systems.
- Its successor GAMP 5 was released in 2008 (8). The title: 'A Risk-Based Approach to Compliant GxP Computerized Systems' indicates that the entire guide is focused on risk-based compliance of computerized systems.
- The Global Harmonization Task Force (GHTF) has published a risk management guidance for the medical device industry titled: 'Implementation of Risk Management Principles and Activities within a Quality Management System' (9).
- In 2000 ISO published the standard ISO 14971:2000: 'Application of Risk Management to Medical Devices'. Even though it was developed for medical devices, the FDA also recommended the approach for pharmaceutical applications. The standard was updated in 2007 (10).
- In 2009 ISO released two more standards: ISO 31000 on "Risk Management Principles and Guidelines" (11) and ISO 31010 on "Risk Assessment Techniques" (12). Both standards are applicable to all industries.
- R. Jones (13) gave an overview of risk management for pharmaceutical development and manufacturing with an introduction to risk assessment techniques and with focus on probabilistic risk assessment (PRA).
- Campbell (14) discussed how quality risk management principles can be applied to achieve a practical equipment verification strategy.
- Several authors contributed to a book: "Risk Management in the Pharmaceutical Industry" (34). The book includes introductory chapters on regulatory requirements and risk management tools followed by a total of six case studies.
- J.L. Vesper (33) authored a book titled: "Risk Assessment and Risk Management in the Pharmaceutical Industry: Clear and Simple". The book gives an overview of the risk management process and some of the more commonly used risk assessment methods and tools. It also examines how the various tools can be applied to identifying hazards and evaluating their potential impact and effects.
- Huber (15) applied the concepts of risk management to the validation of commercial off-the-shelf computer systems.
- K. O'Donnell and A. Green described, in two parts, a risk management solution designed to facilitate risk-based qualification, validation and change control activities within the GMP and pharmaceutical regulatory compliance environment in the EU. Part I (35) gave an overview of the fundamental principles and design criteria underlying the process, and Part II (36) focused on tools, structural limitations, principal findings and novel elements.
United States Food and Drug Administration (FDA)
FDA 21 CFR 820: Quality System Regulation (2)
- §30(g): Design validation. Each manufacturer shall establish and maintain procedures for validating the device design. Design validation shall be performed under defined operating conditions on initial production units, lots, batches or their equivalents. Design validation shall ensure that devices conform to defined user needs and intended uses and shall include testing of production units under actual or simulated use conditions. Design validation shall include software validation and risk analysis, where appropriate.
FDA Guidance: General Principles of Software Validation (2002) (21)
- This guidance recommends an integration of software life cycle management and risk management activities. Based on the intended use and the safety risk associated with the software to be developed, the software developer should determine the specific approach, the combination of techniques to be used and the level of effort to be applied.
- The selection of validation activities, tasks and work items should be commensurate with the complexity of the software design and the risk associated with the use of the software for the specified intended use.
- For lower risk devices, only baseline validation activities may be conducted. As the risk increases, additional validation activities should be added to cover the additional risk.
Pharmaceutical cGMPs for the 21st Century: A Risk-Based Approach (4)
- Risk-based orientation: In order to provide the most effective public health protection, the FDA must match its level of effort against the magnitude of risk. Resource limitations prevent uniformly intensive coverage of all pharmaceutical products and production. Although the agency has already been implementing risk-based programs, a more systematic and rigorous risk-based approach will be developed.
FDA Guidance: Part 11, Electronic Records; Electronic Signatures - Scope and Application (2003) (5)
- We recommend that you base your approach on a justified and documented risk assessment and a determination of the potential of the system to affect product quality and safety and record integrity.
- We recommend that your decision on whether to apply audit trails should be based on "a justified and documented" risk assessment.
FDA Guidance: Quality Systems Approach to Pharmaceutical CGMP Regulations (2006) (22)
- Quality risk management is a valuable component of an effective quality systems framework. Quality risk management can, for example, help guide the setting of specifications and process parameters for drug manufacturing, assess and mitigate the risk of changing a process or specification and determine the extent of discrepancy investigations and corrective actions.
- In a quality system, personnel should be qualified to do the tasks that are assigned to them in accordance with the nature of, and potential risk of, their operational activities.
- Although QU personnel should not take on the responsibilities of other units of the organization, these personnel should be selected based on their scientific and technical understanding, product knowledge, process knowledge and/or risk assessment abilities to appropriately execute certain quality functions (This quality systems feature is also found in the cGMP regulations, which identify specific qualifications, such as education, training and experience or any combination thereof (see 211.25 (a) and (b))).
- The quality systems approach also calls for periodic auditing of suppliers based on risk assessment.
- Although the cGMP regulations (211.180(e)) require a product review at least annually, a quality systems approach calls for trending on a more frequent basis as determined by risk.
- As with other procedures, audit procedures should be developed and documented to ensure that the planned audit schedule takes into account the relative risks of the various quality system activities, the results of previous audits and corrective actions, and the need to audit the complete system.
The Council Directive 93/42/EEC of 14 June 1993 Concerning Medical Devices (1) requires risk-based validation of design and manufacture and the reduction of risks to acceptable levels.
- The devices must be designed and manufactured in such a way that when used under the conditions and for the purposes intended, they will not compromise the clinical condition or the safety of patients, or the health and safety of users or, where applicable, other persons, provided that any risks which may be associated with their use constitute acceptable risks when weighed against the benefits to the patient and are compatible with a high level of protection of health and safety.
- The solutions adopted by the manufacturer for the design and construction of the devices must conform to safety principles, taking account of the generally acknowledged state of the art.
In selecting the most appropriate solutions, the manufacturer must apply the following principles in the following order:
- Eliminate or reduce risks as far as possible (inherently safe design and construction).
- Where appropriate take adequate protection measures including alarms if necessary.
- In relation to risks that cannot be eliminated, inform users of the residual risks due to any shortcomings of the protection measures adopted.
Annex 15 to the EU GMPs Validation and Qualification (3) has legal status. It uses risk-based approaches to validation and for changes to facilities, systems and equipment.
- A risk assessment approach should be used to determine the scope and extent of validation.
- The likely impact of the change of facilities, systems and equipment on the product should be evaluated, including risk analysis.
Annex 11 to the EU GMPs Using Computerized Systems (23) requires that controls for computerized systems be based on a justified and documented risk assessment. Once finalized, the Annex will have legal status.
- Extent of validation and data integrity controls should be based on a justified and documented risk assessment.
Pharmaceutical Inspection Convention/Cooperation Scheme (PIC/S)
The PIC/S Good Practices Guide on Using Computers in GxP Environments (24) was developed for inspectors, but it is also a good source document for user firms. Risk-based approaches are recommended throughout the life of a computer system.
- For GxP regulated applications it is essential for the regulated user to define a requirement specification prior to selection and carry out a properly documented risk analysis for the various system options.
- The inspector will consider the potential risks as identified and documented by the regulated user, in order to assess the fitness for purpose of the particular system(s).
- This risk-based approach is one way for a firm to demonstrate that it has applied a controlled methodology to determine the degree of assurance that a computerized system is fit for its purpose. It will certainly be useful evidence for consideration by an inspector.
- Regulated users should be able to justify and defend their standards, protocols, acceptance criteria, procedures and records in the light of their own documented risk and complexity assessments, aimed at ensuring fitness for purpose and regulatory compliance.
- The business/GxP criticality and risks relating to the application will determine the nature and extent of any assessment of suppliers and software products.
- The URS should also form the basis for a risk assessment of the system for GxP compliance requirements, in addition to other risks such as safety. The risk analysis may be based on the FS, which is related to the URS (e.g., for bespoke systems). The risk assessment and its results, including the reasons for ranking each item as either 'critical' or 'non-critical', should be documented. The nature of any GxP risks should be clearly stated.
- The risk analyses and the results, together with reasoning for critical or non-critical classifications should be documented. Risks potentially impacting on GxP compliance should be clearly identified.
- Inspectors will be interested in the company's approach to identifying GxP risks and the criteria for assessing the fitness for purpose of the system application.
United States Pharmacopeia (USP)
- <232> Elemental Impurities (Proposal)
The presence of unexpected elemental contaminants, as well as that of impurities likely to be present, should be considered in determining compliance and planning the risk-based extent of testing.
- <467> Residual Solvents
Solvents that are known to cause unacceptable toxicities should be avoided in the production of drug substances, excipients or drug products unless their use can be strongly justified in a risk benefit assessment.
International Conference on Harmonisation (ICH)
ICH Q9: Quality Risk Management (6) is the single most important reference document for risk management for the pharmaceutical industry. ICH focuses on scientific knowledge and the link to the protection of the patients as a primary principle. The guide also gives recommendations for implementation.
- Two primary principles of quality risk management are:
- The evaluation of the risk to quality should be based on scientific knowledge and ultimately linked to the protection of the patient; and
- The level of effort, formality and documentation of the quality risk management process should be commensurate with the level of risk.
- It is neither always appropriate nor always necessary to use a formal risk management process (using recognized tools and/or internal procedures, e.g., standard operating procedures). The use of informal risk management processes (using empirical tools and/or internal procedures) can also be considered acceptable.
International Organization for Standardization (ISO)
ISO 14971:2007 - Application of Risk Management to Medical Devices (10)
- This International Standard specifies a process for a manufacturer to identify the hazards associated with medical devices (including in vitro diagnostic (IVD) medical devices), to estimate and evaluate the associated risks, to control these risks and to monitor the effectiveness of the controls.
- The requirements of this International Standard are applicable to all stages of the life cycle of a medical device.
- This International Standard does not apply to clinical decision making.
- This International Standard does not specify acceptable risk levels.
- This International Standard does not require that the manufacturers have a quality management system in place. However, risk management can be an integral part of a quality management system.
ISO 31000:2009 - Risk Management - Principles and Guidelines (11)
- This International Standard provides principles and generic guidelines on risk management. It can be used by any public, private or community enterprise, association, group or individual. Therefore, this International Standard is not specific to any industry or sector.
- This International Standard can be applied throughout the life of an organization and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets.
- This International Standard can be applied to any type of risk, whatever its nature, whether having positive or negative consequences.
- Although this International Standard provides generic guidelines, it is not intended to promote uniformity of risk management across organizations. The design and implementation of risk management plans and frameworks will need to take into account the varying needs of a specific organization, its particular objectives, context, structure, operations, processes, functions, projects, products, services or assets and specific practices employed.
- It is intended that this International Standard be utilized to harmonize risk management processes in existing and future standards. It provides a common approach in support of standards dealing with specific risks and/or sectors and does not replace those standards.
- This International Standard is not intended for the purpose of certification.
ISO 31010:2009 - Risk Assessment Techniques (12)
- This International Standard is a supporting standard for ISO 31000 and provides guidance on selection and application of systematic techniques for risk assessment.
- Risk assessment carried out in accordance with this International Standard contributes to other risk management activities.
- The application of a range of techniques is introduced, with specific references to other International Standards, where the concept and application of techniques are described in greater detail.
- This International Standard is not intended for certification, regulatory or contractual use.
- This International Standard does not provide specific criteria for identifying the need for risk analysis, nor does it specify the type of risk analysis method that is required for a particular application.
- This International Standard does not refer to all techniques and omission of a technique does not mean it is not valid. The fact that a method is applicable to a particular circumstance does not mean that the method should necessarily be applied.
The ICH Process
- What might go wrong?
- What is the likelihood (probability) that it will go wrong?
- What are the consequences (severity) if something does go wrong?
Criteria for Severity, Probability and Risk Acceptance
Procedure for Estimating Probability and Severity
| Probability level | Description | Example frequency |
|---|---|---|
| | Likely to happen | |
| High | Probable | Every 3 days |
| Low | Can happen | Every 3 weeks |
| Very low | Improbable | Every 2 months |
Graphical Determination of the Overall Risk
Determination of the Overall Risk with Risk Priority Numbers
Estimating Severity of Potential Harms
Impact on Product Quality
Impact on People's Health and Safety
Impact on Business Continuity
Impact on Compliance
Estimating Probability of Potential Harms
- Historical data from using the same process or system.
- Historical data from using a similar process or system.
- For equipment and systems: information from the vendor, for example, reliability estimates, costs for guaranteed uptime and extended warranty.
- Initial production data.
| | FTA | FMEA / FMECA | HACCP | PHA / PRA |
|---|---|---|---|---|
| Principle | Graphical, deductive, structured tool. | Structured inductive tool, can be qualitative and quantitative. | Prevent known hazards to reduce risks at specific CPs. | Qualitative inductive tools. |
| Advantages | Visual fault tree diagrams with standardized symbols to show the pathway from basic events to the undesired event. | Very universal and scalable, e.g., for high-level and detailed risk assessment. | Full risk. Specific and flexible. Focus on prevention. Record keeping answers product liability and compliance questions. | Easily adaptable to most situations. |
| Limitations | Can quickly become very complex because it looks at one failure at a time. | Tool does not consider operational issues or operator performance. Does not show interaction between events. | Requires detailed information on the product and process. | Relatively unstructured, therefore may miss potential hazards. |
| Documentation | Graphics with standardized symbols. | Dedicated software recommended. | Detailed process diagrams. | Drawings and tables. |
| Main Application and Use | Used to define a particular undesired event and identify its causes (basic events). For potential problems with serious impact, e.g., medical devices, hospitals. | Used to identify known and potential failure modes and impact on processes, facilities and equipment. Used during design and operation. | Food and chemical industry. Adapted for pharmaceutical industry by WHO. Covers full product chain. | Used early in new products and changes in products and processes (design). First step of complex risk assessments. |
The Importance of a Generic Risk Management Master Plan
- The company's risk management policy.
- The links between the company's organizational objectives and policies and the risk management policy.
- Relationship of the risk management plans with other documents, e.g., validation master plans or quality manual.
- The approach to the company's risk management process.
- Members of risk management teams (by function).
- Responsibilities of the project leader and team members.
- Products and processes that should be covered by risk management.
- Contents of individual Risk Management Project Plan.
- Detailed steps for risk management.
- How the likelihood is defined.
- How to identify risk levels.
- Factors contributing to high and low severity.
- Definition and determination of RPNs with examples.
- Criteria and examples for acceptable risk thresholds.
- How to make a high-level risk assessment.
- Communication of project status and outcome of risk management processes.
- Frequency and procedures for ongoing review.
Templates and Forms
Examples and Case Studies
Software for Risk Assessment and Risk Management
Failure Modes, Effects and Criticality Analysis (FMECA)
- How can a product or process fail?
- What is the likelihood that it fails and, if so, what is the likelihood that the failure will be detected?
- What will be the effect on the rest of the process or system if a failure occurs and is not detected such that it can be corrected?
Advantages and Limitations
- Wide applicability from design to manufacturing, servicing and maintenance of mechanical and electronic equipment.
- Identifies failure modes, their causes and effects on the system.
- Ideal for simple to medium complex systems.
- Optimized for single, individual failure modes; does not work well for combinations of failure modes.
- Can be time-consuming for complex systems.
- Select a team and team leader. All team members must be subject matter experts.
- Select the FMECA form from the company's Risk Management Master Plan or if not available, create one.
- Train team members on the process and on criteria for ranking likelihood of occurrence and impact of failure when it occurs.
- Make the team members familiar with the design of the product or process to ensure that all team members have the same understanding. This can be through distributing product and process documentation supported by flow diagrams.
- Set up one or more brainstorming meetings. Multiple sessions are recommended for complex product/process designs. Individual sessions can focus on subsets of the entire product/process.
- Brainstorm the product or process design for possible failures. Document the outcome on a flipchart.
- Sort all suggested failures by categories.
- Combine or remove similar or duplicate entries.
- Document potential effects on the system, subsequent operation and end user (e.g., patient).
- Assign rating factors for severity, occurrence and detectability to each identified failure. The definition and scale of the rating factors should be taken from the company's Risk Management Master Plan, to ensure objectivity and consistency not only within the project team but also with other risk management projects. Justify each rating with reference to the plan. For occurrence, historical data from the same or similar projects can be used.
- For each identified effect list all possible causes of failures with justifications and with all uncertainties.
- Calculate the risk priority number using the formula from the Risk Management Master Plan. The RPN is a measure for the overall risk associated with the project.
- Take actions to reduce potential critical risks.
- Assign owners, a schedule and deliverables for the actions.
- After the action has been implemented make a new rating for severity, occurrence and detection and calculate the RPN.
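The steps above leave the rating scales, the RPN formula and the acceptance threshold to the company's Risk Management Master Plan. The following Python worksheet is an added example, not code from the tutorial, that carries the rating, RPN, action and re-rating steps through for a constructed set of failure modes of a chromatography data system (CDS). It assumes 1 to 10 scales for severity (S), occurrence (O) and detectability (D), RPN = S × O × D, and an acceptance threshold of RPN < 100; the failure modes, ratings and the control action are sample values, not findings from the tutorial.

```python
"""Worked FMECA worksheet for a computerized laboratory system.

Added illustration, not code from the tutorial. The tutorial defers rating
scales, the RPN formula and the acceptance threshold to the company's Risk
Management Master Plan; the values below are assumptions:
  * severity (S), occurrence (O) and detectability (D) are rated 1..10,
    where D = 10 means the failure is almost never detected before harm;
  * RPN = S * O * D (the usual FMEA convention);
  * RPN >= 100 is treated as unacceptable and requires a control action.
The failure modes are constructed sample data for a chromatography data
system (CDS), not findings from the tutorial.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

RPN_THRESHOLD = 100          # assumed acceptance threshold
RATING_SCALE = range(1, 11)  # assumed 1..10 scale for S, O and D


@dataclass(frozen=True)
class FailureMode:
    item: str
    failure: str
    effect: str
    severity: int
    occurrence: int
    detection: int
    causes: Tuple[str, ...] = ()
    justification: str = ""   # reference to the master plan criteria used

    def __post_init__(self) -> None:
        for name in ("severity", "occurrence", "detection"):
            if getattr(self, name) not in RATING_SCALE:
                raise ValueError(f"{name} rating must be within 1..10")

    @property
    def rpn(self) -> int:
        return self.severity * self.occurrence * self.detection

    def is_acceptable(self, threshold: int = RPN_THRESHOLD) -> bool:
        return self.rpn < threshold


def rank_by_rpn(modes: List[FailureMode]) -> List[FailureMode]:
    """Order the worksheet so the highest-risk failure modes come first."""
    return sorted(modes, key=lambda m: m.rpn, reverse=True)


def needs_action(modes: List[FailureMode], threshold: int = RPN_THRESHOLD) -> List[FailureMode]:
    """Failure modes whose RPN is at or above the acceptance threshold."""
    return [m for m in rank_by_rpn(modes) if not m.is_acceptable(threshold)]


def re_rate(mode: FailureMode, *, severity: Optional[int] = None,
            occurrence: Optional[int] = None, detection: Optional[int] = None,
            justification: str = "") -> FailureMode:
    """Re-rate a failure mode after a control action; returns the residual-risk entry.

    Only the ratings the control actually changes are overridden: a detection
    control lowers D, a preventive control lowers O, and S normally stays.
    """
    return replace(
        mode,
        severity=mode.severity if severity is None else severity,
        occurrence=mode.occurrence if occurrence is None else occurrence,
        detection=mode.detection if detection is None else detection,
        justification=justification or mode.justification,
    )


# Constructed brainstorming output for the sample CDS (not from the tutorial).
SAMPLE_WORKSHEET = [
    FailureMode("Audit trail", "Administrator disables the audit trail",
                "Result changes cannot be reconstructed", 9, 3, 8,
                ("privileged account also used for routine work",),
                "S: compliance impact per master plan table; O: one event in 3 years"),
    FailureMode("User accounts", "Analysts share one login",
                "Actions cannot be attributed to a person", 6, 5, 7,
                ("too few licensed seats",)),
    FailureMode("Backup", "Nightly backup job fails silently",
                "Data loss after disk failure", 8, 4, 6,
                ("no alert on job failure",)),
    FailureMode("Detector", "Lamp ageing causes baseline drift",
                "Out-of-trend results", 5, 6, 2,
                ("lamp past rated lifetime",),
                "D low because the system suitability test catches drift"),
]


def fmeca_report(modes: List[FailureMode] = SAMPLE_WORKSHEET) -> List[Tuple[str, int, bool]]:
    """Ranked (item, RPN, acceptable) rows, the core of the FMECA worksheet."""
    return [(m.item, m.rpn, m.is_acceptable()) for m in rank_by_rpn(modes)]


if __name__ == "__main__":
    for item, rpn, ok in fmeca_report():
        print(f"{item:<14} RPN={rpn:>4}  {'acceptable' if ok else 'ACTION REQUIRED'}")
    # Control action for the top entry: lock the audit-trail setting and add a
    # monthly audit-trail review, which lowers occurrence and improves detection.
    residual = re_rate(SAMPLE_WORKSHEET[0], occurrence=2, detection=2,
                       justification="setting locked by configuration; monthly review")
    print(f"residual RPN for '{residual.item}': {residual.rpn}, acceptable={residual.is_acceptable()}")
```

Running the block prints the ranked worksheet (audit trail 216, shared login 210, backup 192, detector 60) and then the residual RPN of 36 for the audit-trail failure after the control action. Note that severity is left unchanged by the re-rating: a control that only improves detection or lowers occurrence does not make the harm itself less serious, which is why the residual entry must still be compared against the threshold.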
Fault Tree Analysis (FTA)
Advantages and Limitations
- Highly systematic but also flexible.
- The 'top-down' approach focuses attention on the failure effects which are directly related to the top event.
- Useful for analyzing systems with many interfaces.
- Pictorial representation helps to easily understand the system behavior.
- Uncertainties in the probability of the base events are included in the calculations of the probability of the top event.
- The static model does not address time interdependencies.
- Fault trees can only deal with binary states (failed/not failed).
Steps for FTA Analysis
1. Form a Team and Determine a Team Leader
2. Define the Problem and Justify the Project
3. Construct the Fault Tree
4. Evaluate the Fault Tree
5. Prepare a Report
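As an added example that is not part of the tutorial, the Python below carries out step 4 for a small constructed fault tree with the top event "wrong result reported": it computes the top-event probability from assumed basic-event probabilities, propagates the low/high uncertainty of the base events mentioned in the advantages list above, and derives the minimal cut sets. It assumes independent basic events and the standard AND/OR gate formulas; the tree and all probabilities are sample values.

```python
"""Evaluating a small fault tree: top-event probability, bounds and minimal cut sets.

Added illustration, not a tree or code from the tutorial. Assumptions:
  * basic events are independent, so an AND gate multiplies input
    probabilities and an OR gate gives 1 - prod(1 - p_i);
  * each basic event carries a point estimate and a (low, high) uncertainty
    interval; because both gate functions are monotone in their inputs,
    evaluating the tree once with all low and once with all high values
    bounds the top-event probability;
  * the tree below and its per-run probabilities are constructed sample values.
"""
from dataclasses import dataclass
from functools import reduce
from typing import Dict, FrozenSet, Set, Tuple, Union
import operator


@dataclass(frozen=True)
class BasicEvent:
    name: str
    probability: float            # point estimate per analytical run (assumed)
    bounds: Tuple[float, float]   # (low, high) uncertainty interval (assumed)


@dataclass(frozen=True)
class Gate:
    name: str
    kind: str                     # "AND" or "OR"; fault trees use binary states only
    inputs: Tuple["Node", ...]


Node = Union[BasicEvent, Gate]


def probability(node: Node, which: str = "point") -> float:
    """Evaluate the tree top-down. `which` is "point", "low" or "high"."""
    if isinstance(node, BasicEvent):
        return {"point": node.probability,
                "low": node.bounds[0],
                "high": node.bounds[1]}[which]
    ps = [probability(child, which) for child in node.inputs]
    if node.kind == "AND":
        return reduce(operator.mul, ps, 1.0)
    if node.kind == "OR":
        return 1.0 - reduce(operator.mul, (1.0 - p for p in ps), 1.0)
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node: Node) -> Set[FrozenSet[str]]:
    """Smallest combinations of basic events that are sufficient for the top event."""
    if isinstance(node, BasicEvent):
        return {frozenset([node.name])}
    child_sets = [minimal_cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        combined = set().union(*child_sets)
    elif node.kind == "AND":
        combined = {frozenset()}
        for cs in child_sets:
            combined = {a | b for a in combined for b in cs}
    else:
        raise ValueError(f"unknown gate kind {node.kind!r}")
    # keep only minimal sets: drop any set that strictly contains another
    return {c for c in combined if not any(other < c for other in combined)}


# Constructed tree for a laboratory data-handling process (not from the tutorial).
TOP_EVENT = Gate("Wrong result reported", "OR", (
    Gate("Undetected calculation error", "AND", (
        BasicEvent("Integration parameters altered", 0.01, (0.005, 0.02)),
        BasicEvent("Second-person review misses the change", 0.2, (0.1, 0.3)),
    )),
    BasicEvent("Sample mix-up", 0.001, (0.0005, 0.002)),
    Gate("Calibration failure passes unnoticed", "AND", (
        BasicEvent("Reference standard degraded", 0.02, (0.01, 0.04)),
        BasicEvent("System suitability test skipped", 0.05, (0.02, 0.1)),
    )),
))


def fta_summary(top: Node = TOP_EVENT) -> Dict[str, object]:
    """Step 4 of the FTA procedure: the evaluated tree in one record."""
    return {
        "point": probability(top),
        "low": probability(top, "low"),
        "high": probability(top, "high"),
        "cut_sets": minimal_cut_sets(top),
    }


if __name__ == "__main__":
    summary = fta_summary()
    print(f"P(top) = {summary['point']:.6f}  bounds [{summary['low']:.6f}, {summary['high']:.6f}]")
    for cs in sorted(summary["cut_sets"], key=len):
        print("cut set:", " AND ".join(sorted(cs)))
```

The minimal cut sets are the practical output of the evaluation: a single-event cut set such as "Sample mix-up" points to a failure with no redundancy, which is where a control step has the largest effect, whereas the two-event cut sets show where an existing barrier (second-person review, the system suitability test) is doing its job and should be kept effective.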
Hazard Analysis and Critical Control Points (HACCP)
HACCP Principles and Methodology
- Conduct a hazard analysis.
- Determine critical control points (CCPs).
- Establish critical limits for each CCP.
- Establish a monitoring system for the CCPs.
- Establish corrective actions when the CCP is not under control.
- Establish verification procedures to confirm that HACCP is working effectively.
- Establish documentation concerning all procedures and records on these principles and their application.
1. Develop a HACCP Plan
- The scope of the project,
- steps, tasks,
- responsibilities and
- a time line.
2. Assemble a HACCP Process Team and Define a Team Leader
- quality control,
- quality engineering and
- members of other disciplines directly involved in the plan's day-to-day operation.
3. Describe the Product or Process and Develop a Flow Diagram of the Process
4. Verify the Flow Diagram Onsite
Implementing HACCP Principles
1. Identify all Potential Hazards
2. Conduct a Hazard Analysis
- chemical and
- physical compounds.
3. Determine Critical Control Points
- equipment malfunction,
- failures of sensors,
- human errors,
- power failures and
- external impacts such as natural forces, e.g., lightning or wind.
- Does this step involve a hazard of sufficient risk and severity to warrant its control?
- Does a control point for the hazard exist?
- Is control at this step necessary to prevent, eliminate or reduce the risk of the hazard to consumers?
4. Establish Critical Limits for Each Control Point
- salt concentration,
- pH or
- sensory parameters.
5. Establish a Monitoring Procedure
- Visual observations and
- measurement of temperature, time, pH and moisture level.
6. Establish Corrective Actions
- Determine and correct the cause of non-compliance.
- Determine the disposition of a non-compliant product.
- Record the corrective actions that have been taken.
- What is done when a deviation occurs,
- who is responsible for implementing the corrective actions, and
- that a record will be developed and maintained of the actions taken.
7. Establish Verification Procedures
- That the plan is scientifically and technically sound.
- That all hazards have been identified and that the HACCP plan is properly implemented.
- That these hazards will be effectively controlled.
8. Document and Communicate all Activities
- A summary of the hazard analysis, including the rationale for determining hazards and control measures.
- The HACCP plan.
- Training records of the key project leader and HACCP team members.
- Records generated during the operation of the plan.
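The following Python is an added example, not code or data from the tutorial, that puts the critical-limit, monitoring and corrective-action principles and the record keeping of the last step into one runnable check. The two CCPs, their limits, monitoring intervals, responsible roles and the log lines are constructed sample data. It treats a gap in monitoring longer than the required interval as a deviation in its own right, since a missing reading also means the CCP was not demonstrably under control.

```python
"""CCP monitoring against critical limits with corrective-action records.

Added illustration, not code from the tutorial. The two CCPs, their critical
limits, monitoring intervals, responsible roles and the monitoring log lines
are constructed sample data, not values from the tutorial. Two kinds of
deviation are recorded: a reading outside its critical limit, and a gap in
monitoring longer than the required interval.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import groupby
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class CriticalLimit:
    ccp: str
    parameter: str
    low: float
    high: float
    unit: str
    max_interval: timedelta    # required monitoring frequency
    corrective_action: str     # what is done when a deviation occurs
    responsible: str           # who implements the corrective action


@dataclass(frozen=True)
class Reading:
    time: datetime
    ccp: str
    parameter: str
    value: float


@dataclass(frozen=True)
class Deviation:
    time: datetime
    ccp: str
    parameter: str
    kind: str                  # "out of limit" or "monitoring gap"
    detail: str
    corrective_action: str
    responsible: str


# Constructed HACCP plan excerpt, keyed by (CCP, parameter).
CRITICAL_LIMITS: Dict[Tuple[str, str], CriticalLimit] = {
    ("Sample fridge", "temperature"): CriticalLimit(
        "Sample fridge", "temperature", 2.0, 8.0, "degC", timedelta(hours=6),
        "Move samples to backup fridge, quarantine affected samples", "Lab supervisor"),
    ("Buffer prep", "pH"): CriticalLimit(
        "Buffer prep", "pH", 6.8, 7.2, "pH", timedelta(hours=8),
        "Discard batch, re-prepare buffer and re-measure", "Analyst on duty"),
}

# Constructed monitoring log: time,CCP,parameter,value
MONITORING_LOG = """\
2024-03-01T08:00,Sample fridge,temperature,5.1
2024-03-01T12:00,Sample fridge,temperature,6.4
2024-03-01T16:00,Sample fridge,temperature,9.3
2024-03-02T08:00,Sample fridge,temperature,4.8
2024-03-01T08:30,Buffer prep,pH,7.05
2024-03-01T12:30,Buffer prep,pH,6.95
"""


def parse_log(text: str) -> List[Reading]:
    """Parse the constructed comma-separated monitoring records."""
    readings = []
    for line in text.strip().splitlines():
        time_s, ccp, parameter, value_s = line.split(",")
        readings.append(Reading(datetime.fromisoformat(time_s), ccp, parameter, float(value_s)))
    return readings


def monitor(readings: List[Reading],
            limits: Dict[Tuple[str, str], CriticalLimit]) -> List[Deviation]:
    """Check every CCP reading against its critical limit and monitoring interval."""
    deviations: List[Deviation] = []
    ordered = sorted(readings, key=lambda r: (r.ccp, r.parameter, r.time))
    for key, group in groupby(ordered, key=lambda r: (r.ccp, r.parameter)):
        if key not in limits:
            # A reading with no critical limit in the plan means the hazard
            # analysis or the plan is incomplete; stop rather than guess.
            raise KeyError(f"no critical limit defined for CCP {key}")
        limit = limits[key]
        previous = None
        for r in group:
            if previous is not None and r.time - previous.time > limit.max_interval:
                deviations.append(Deviation(
                    r.time, r.ccp, r.parameter, "monitoring gap",
                    f"{r.time - previous.time} since last reading, limit {limit.max_interval}",
                    "Investigate the gap; treat product as if the CCP was out of control",
                    limit.responsible))
            if not (limit.low <= r.value <= limit.high):
                deviations.append(Deviation(
                    r.time, r.ccp, r.parameter, "out of limit",
                    f"{r.value} {limit.unit} outside {limit.low}-{limit.high} {limit.unit}",
                    limit.corrective_action, limit.responsible))
            previous = r
    return deviations


if __name__ == "__main__":
    for d in monitor(parse_log(MONITORING_LOG), CRITICAL_LIMITS):
        print(f"{d.time:%Y-%m-%d %H:%M} {d.ccp}/{d.parameter}: {d.kind} ({d.detail}) -> "
              f"{d.corrective_action} [{d.responsible}]")
```

Run as written, the block reports the 9.3 degC fridge reading as out of limit and the 16-hour gap before the next morning's reading as a monitoring gap, each with the corrective action and the responsible role taken from the plan, which is the record the last HACCP step asks for. A reading for a CCP that has no critical limit raises an error instead of being silently accepted, since that is a gap in the plan rather than in the process.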
Hazard and Operability Studies (HAZOPs)
- Appointment of project leader and project team. The team should include personnel not directly involved in the design of the project or process.
- Definition of objectives.
- Establishing a set of guide words.
- Collection of the required documentation.
- Splitting the system or process into smaller pieces and subsystems and reviewing the relevant documentation.
- Defining and recording deviations, possible causes, actions to address the identified problem and person(s) responsible for the corrective action.
- Evaluating the remaining risk for deviations that cannot be addressed.
Preliminary Hazard Analysis (PHA) and Preliminary Risk Analysis (PRA)
1. Form a Project Team
2. Create a Project Plan
3. Describe the Situation
4. Identify Hazards
5. Estimate the Probability of Occurrence and Severity
6. Prioritize Risks for Control
7. Prepare a Report
Step 1: Project Preparation and Planning
- Description of the potential risk management project.
- Definition of potential problems with some examples for hazards and harms.
- Background information.
- Benefits of the proposed project.
- List of departments that should be part of the project.
Identification of the Project Manager and Team
- Experienced in risk management.
- Project management skills.
- Excellent communication skills.
- Knowledge of the organization, system, process or application being assessed.
- Ability to manage people without direct reporting.
- With the help of functional managers selects a risk management team.
- Manages the entire process.
- Ensures necessary resources.
- Organizes and chairs team meetings.
- Drafts the risk management project plan.
- Represents the team in management meetings.
- Communicates the status and outcome of the project to management and peers.
- Affected operations (product development, manufacturing).
- Project management.
- Information Services (IS).
- Quality Assurance (QA).
- Legal department.
- Quality Control (QC).
- Plant safety, maintenance and engineering.
- Regulatory affairs.
- Sales and marketing.
- Suppliers (optional).
Define Team Responsibilities
- Provides evidence of their commitment to the risk management process.
- Provides necessary resources.
- Defines and documents the policy for determining criteria for risk acceptability.
- Approves the Risk Management Master Plan.
System User Departments
- Contribute to development and maintenance of Risk Management Project Plans.
- Create and maintain equipment inventory.
- Give inputs on potential hazards with estimation on severity and probability for initial RM.
- Monitor efficiency of ongoing RM and give inputs on new hazards.
- Advises the facility/laboratory on possible hazards and harms related to environment and staff safety.
Information Services (IS)
- Advises the facility on possible hazards and harms related to IT, e.g., security.
- Participates in risk assessment and mitigation.
- Reviews Risk Management Project Plans related to networks.
Risk Management Team
- Develops and maintains the Risk Management Project Plan.
- Provides expertise to develop and implement RM for processes and systems during development and during initial and ongoing use.
- Responsible for risk assessment and the final decision on if and how to mitigate risks.
Quality Assurance (QA)
- Provides quality assurance expertise in the creation of the risk management plans.
- Monitors regulatory requirements and develops and updates company policies for RM.
- Develops and coordinates a training program on RM.
- Gives inputs for risk analysis and participates in risk assessment.
- Reviews and approves individual Risk Management Project Plans and deliverables.
- Some of the activities can be outsourced to consultants, e.g., identification and classification of risks.
- Inform users on potential risks arising from known software bugs and provide workaround solutions.
- Get trained on risk assessment and management.
- Provide inputs on hazards and possible harms for new and ongoing risk management projects.
Create a Risk Management Project Plan
- The purpose should be specific to the system and should include a short system description.
- The scope defines what is and what is not covered by the plan. It also documents constraints and limitations.
- This section describes responsibilities of corporate management, the operations manager and staff, IT managers and staff, and the risk management team. Unlike the master plan, the project plan lists responsible people by name AND function, rather than by function only.
- Describes the approach taken for managing the risk.
- Describes how risks, hazards and potential harms are identified and documented. Includes tables with risks, hazards, harms and suggestions for mitigation.
- Describes how risks are evaluated, categorized, prioritized and documented. It includes matrices with risks, categories for probability and severity and risk codes.
- Documents risk threshold values for the project.
- Evaluates alternatives of risk mitigation versus costs. Describes actions in case mitigations are required. It also includes a time schedule for actions and estimates and documents residual risk priority numbers after mitigation.
- Compares the risk threshold as originally defined with the RPN obtained after mitigation. Based on the outcome, the residual risk is accepted or rejected.
- Describes how risks are monitored, reported and documented during use of the system. Describes the actions in case new hazards are reported or if the risk level has changed.
- Outlines action items with owners.
Step 2: Risk Identification
- Customer complaints.
- Failure investigations.
- Corrective and preventive action plans.
- Specifications for processes and systems.
- Experience with the same process or system already installed and running.
- Experience with similar processes and systems.
- Experience with suppliers of the system and suppliers of material used for the process.
- Failure rates of the same or similar systems and processes.
- Trends of failures.
- System and process validation reports.
- Service records and trends.
- Internal and external audit results.
- FDA inspection reports.
| Risk description, hazard, typical situations of occurrence | Possible harm | Suggestion for risk control |
|---|---|---|
Step 3: Risk Evaluation
| Risk description /ID | Impact on patient health (Level 1-3) | Impact on business continuity (Level 1-3) | Occurrence (Level 1-5) | Risk priority number |
|---|---|---|---|---|
Step 4: Risk Acceptance
| Risk factor (RPN) and risk code | Acceptance |
|---|---|
| Factor 8 and | Routinely accepted, no action taken. |
| | Operation requires written, time-limited waiver endorsed by management. Mitigation subject to cost/benefit analysis. |
| Factor higher than 16: Code 3 | Not accepted. Mitigation required. Alternative approaches should be evaluated. |
Step 5: Risk Mitigation
| Risk description /ID | Mitigation strategy | Cost of mitigation | Cost of non-mitigation | Mitigate yes/no |
|---|---|---|---|---|
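A small implementation of the Step 3 to Step 5 bookkeeping, added here as an example and not part of the original page. It assumes the RPN is the product of the three Step 3 levels and that the band between 8 and 16 is risk code 2, since the page states only those two boundaries; the register entries and costs are constructed.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    risk_id: str
    description: str
    patient: int      # impact on patient health, level 1-3 (Step 3 scale)
    business: int     # impact on business continuity, level 1-3
    occurrence: int   # occurrence, level 1-5


def rpn(patient: int, business: int, occurrence: int) -> int:
    """Risk priority number, assumed here to be the product of the three levels (max 45)."""
    if not (1 <= patient <= 3 and 1 <= business <= 3 and 1 <= occurrence <= 5):
        raise ValueError("level outside the scales defined in Step 3")
    return patient * business * occurrence


def risk_code(value: int) -> int:
    """Step 4 code: 1 = routinely accepted, 2 = waiver plus cost/benefit, 3 = mitigation required."""
    if value <= 8:
        return 1
    if value <= 16:   # assumed code 2 band; the page only gives the 8 and 16 boundaries
        return 2
    return 3


def mitigate(risk: Risk, cost_mitigation: float, cost_non_mitigation: float) -> bool:
    """Step 5 'Mitigate yes/no': code 3 always, code 1 never, code 2 decided by cost/benefit."""
    code = risk_code(rpn(risk.patient, risk.business, risk.occurrence))
    if code == 3:
        return True
    if code == 1:
        return False
    return cost_mitigation < cost_non_mitigation


def residual_accepted(residual_rpn: int, threshold: int) -> bool:
    """Compare the residual RPN after mitigation with the project's documented threshold."""
    return residual_rpn <= threshold


# Constructed sample register, for illustration only.
REGISTER = [
    Risk("R-01", "Audit trail of lab data system left disabled after upgrade", 3, 2, 3),
    Risk("R-02", "Unpatched lab PC reachable from the office network", 2, 2, 4),
    Risk("R-03", "Batch record printer out of toner", 1, 1, 5),
]

if __name__ == "__main__":
    for r in REGISTER:
        v = rpn(r.patient, r.business, r.occurrence)
        print(r.risk_id, v, risk_code(v), mitigate(r, 5000, 20000))
```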
Possibilities to Mitigate Risks
- Removing the risk source (eliminating the risk).
- Changing the likelihood.
- Changing the consequences.
- Ensuring that the risk is detected and can be treated when it occurs.
- Sharing the risk with other parties.
Estimating Costs vs. Benefits
Risk Mitigation Plan
- Mitigation options.
- How options will be implemented.
- Resource requirements.
- Performance measures.
- Required documentation.
- Communication requirements.
Step 6: Ongoing Monitoring, Reviews and Updates
| Risk description /ID | Observation | Recommendation for change | Urgent yes/no |
|---|---|---|---|

| Risk description /ID | Change/Addition | Urgent yes/no |
|---|---|---|
Step 7: Documentation and Communication
- Risk Management Master Plan - This shows your company's approach towards risk assessment and risk management.
- Risk Management Project Plan - This shows the plan for specific system and mitigation strategies.
- Lists with description of risk categories, ranking criteria and results of ranking.
- Justification for not mitigating risks with high factors.
- Risk mitigation plans.
- Mitigation actions taken.
- Review reports.
- Design and development of a product or process.
- Selection and assessment of suppliers.
- Training, especially proof of effectiveness.
- Risk-based computer validation.
- Risk-based qualification of analytical equipment.
- Part 11 compliance.
- Pharmaceutical manufacturing.
- Scheduling internal audits.
- Starting material - qualification and handling.
- Validation of analytical procedures.
- Qualification of equipment.
- Change control to introduce new starting material.
- Archiving electronic records.
CCP Decision Tree
Critical Control Limit (CCL)
Critical Control Point (CCP)
FMEA - Failure Modes and Effects Analysis
FMECA - Failure Modes, Effects and Criticality Analysis
FTA - Fault Tree Analysis
HACCP - Hazard Analysis and Critical Control Points
In the context of HACCP: Any circumstance in the production, control and distribution of a (pharmaceutical) product which can cause an adverse health effect (Ref. 30).
Hazard: A biological, chemical or physical agent that is reasonably likely to cause illness or injury in the absence of its control (Ref. 32).
Validation (related to HACCP)
Verification (related to HACCP)
PHA - Preliminary Hazard Analysis
PRA - Preliminary risk analysis
Probability of Detection
QRAS - Quantitative Risk Assessment System
Overall process of risk identification, risk analysis and evaluation (ISO 14971:2007).
Process in which decisions are made and measures implemented by which risks are reduced to, or maintained within, specified levels (ISO 14971:2007).
The comparison of the estimated risk to given risk criteria using a quantitative or qualitative scale to determine the significance of risk.
Risk Priority Number
RMMP - Risk Management Master Plan
RMPP - Risk Management Project Plan
- The European Council Directive 93/42/EEC of 14 June 1993 Concerning Medical Devices.
- FDA 21 CFR 820: "Quality System Regulation (for Devices)".
- EU GMP, Annex 15: "Validation and Qualification", 2010.
- FDA: Pharmaceutical cGMPs for the 21st Century: "A Risk-Based Approach: Second Progress Report and Implementation Plan", 2003.
- FDA Industry Guidance: "Part 11, Electronic Records; Electronic Signatures - Scope and Application", 2003.
- ICH Q9: "Quality Risk Management", 2005.
- GAMP 4: "Guide for Validation of Automated Systems", 2001. For ordering go to: http://www.labcompliance.com/seminars/audio.ispe.org
- GAMP 5: "A Risk-Based Approach to Compliant GxP Computerized Systems", 2008. For ordering go to: http://www.labcompliance.com/seminars/audio.ispe.org
- GHTF: "Implementation of Risk Management Principles and Activities within a Quality Management System", 2005.
- ISO 14971:2007: "Application of Risk Management to Medical Devices".
- ISO 31000: "Risk Management - Principles and Guidelines", 2009.
- ISO 31010: "Risk Assessment Techniques", 2009.
- R. Jones, Pharmaceutical Manufacturing: "How to Understand the Process and Assess the Risks to Patient Safety", Pharmaceutical Engineering, November 2009, 16.
- I. Campbell: "Applying Quality Risk Management Principles to Achieve a Practical Verification Strategy", Pharmaceutical Engineering, November 2009, 24-38.
- L. Huber (15): "Risk-Based Validation of Commercial Off-the-Shelf Computer Systems", Journal of Validation Technology, 11(3), 2005.
- Labcompliance: "Risk Management Master Plan", 2010.
- Labcompliance SOP: "Risk Assessment Used for Systems Used in GxP Environments".
- Labcompliance SOP: "Risk Assessment for Laboratory Systems", 2010.
- Labcompliance SOP: "Risk-Based Qualification of Network Infrastructures".
- Labcompliance Case Studies: "Risk-Based Methodologies for Laboratory Tasks".
- FDA Guidance: "General Principles of Software Validation", (2002).
- FDA Guidance for Industry: "Quality Systems Approach to Pharmaceutical CGMP Regulations", (2006).
- EU GMP, Annex 11: "Using Computerized Systems".
- Pharmaceutical Inspection Convention/Cooperation Scheme (PIC/S): "Good Practices for Computerised Systems in Regulated 'GxP' Environments".
- United States Pharmacopeia: Chapter <232> Elemental Impurities (Proposal).
- USP Chapter <467> Residual Solvents.
- FDA Guidance: "FDA Reviewers and Compliance on Off-The-Shelf Software Use in Medical Devices", 1999.
- FDA Guidance: "Inspections of Quality Systems" (Medical Devices), ORA Inspectional References.
- PIC/S Quality Risk Management: "Implementation of ICH Q9 in the Pharmaceutical Field", 2010.
- Report by WHO Expert Committee on "Specifications for Pharmaceutical Preparation", Annex 7, Application of HACCP Methodology to Pharmaceuticals, 2003.
- FDA Guidance: "Fish and Fisheries Products Hazards and Controls", Appendix 3, 2001.
- National Advisory Committee on Microbiological Criteria for Foods: "HACCP Principles and Application Guidelines", 1997.
- J.L. Vesper: "Risk Assessment and Risk Management in the Pharmaceutical Industry: Clear and Simple", Davis Healthcare International Publishing, LLC, ISBN 1-930114-94-X, 2006.
- Concept Heidelberg: "Risk Management in the Pharmaceutical Industry", Editio Cantor Verlag, 2008, ISBN 978-3-87193-370-7.
- K. O'Donnel and A. Greene: "A Risk Management Solution Designed to Facilitate Risk-Based Qualification, Validation and Change Control Activities within GMP and Pharmaceutical Regulatory Compliance Environments in the EU", Part I: Fundamental Principles, Design Criteria, Outline of Process, Journal GXP Compliance, 10 (4) 12-25 (2006).
- K. O'Donnel and A. Greene, "A Risk Management Solution Designed to Facilitate Risk-Based Qualification, Validation and Change Control Activities Within GMP and Pharmaceutical Regulatory Compliance Environments in the EU", Part II: Tool Scope, Structure, Limitation, Principle Findings and Novel Elements, Journal GXP Compliance, 10 (4) 26-35 (2006).
- ISO/IEC Guide 73:2002: "Risk Management - Vocabulary - Guidelines for Use in Standards".