The prospect of conducting risk assessments, as part of the quality risk management (QRM) strategy promoted by the International
Conference on Harmonization (ICH) Q9 guideline, tends to evoke blank stares and confusion. It also prompts many questions:
Which of the many tools—PHA, HACCP, FMEA, etc.—should we use? How could we possibly conduct a line-by-line analysis of every
risk known to bioprocessing? Is this really useful?
The CMC Strategy Forum on Practical Applications of Quality Risk Management, held in Bethesda, MD, on July 27 and 28, tackled
these challenges and questions through a hands-on workshop and plenty of lively discussion.
In the workshop, small groups used the preliminary hazard analysis (PHA) method to assess the risks involved in operating
a large-scale production bioreactor for a monoclonal antibody. As the groups considered inputs such as duration, media, and
temperature, they identified the possible hazards involved and the harms those hazards could cause, and then assigned a severity
score to each harm. They also assigned a separate risk score to each potential harm, based on the likelihood that it would
occur. Then they multiplied those numbers to reach an overall risk score, addressed the controls used to prevent or mitigate
the event, and decided whether or not the risk would be acceptable (Table 1).
Table 1. A partial risk assessment worksheet created during a fictitious exercise for the operation of a production bioreactor,
using the preliminary hazard analysis (PHA) method. Each potential harm was assigned a severity score (on a scale of 1–9),
and each potential hazardous situation was given an occurrence score, based on the likelihood that it would occur, taking
into account the controls used to prevent or mitigate the event. The two scores were multiplied to reach an overall risk index.
After the breakout sessions, everyone understood the concepts, terminology, and process much better, and had a good appreciation
for the challenges involved in conducting risk assessments. They also had a lot of questions, which were discussed with the
HOW TO ACCOUNT FOR CONTROLS
One common question raised during the risk assessment exercise was how to account for the controls that mitigate risks.
Several speakers stressed that the effectiveness of controls should never affect how one ranks the severity of a potential
harm. "Severity rankings are dependent on harm only," said Joe Siemiatkoski of Biogen Idec. "You should never lower a severity
score by taking credit for controls."
For example, if a given harm, such as bioreactor contamination, is considered high, say 9 on a scale of 1 to 10, that severity
ranking should not be lowered just because numerous measures are in place to prevent contamination. Instead, those controls
would lower the ranking number assigned to the likelihood that such a harm would occur. Then, when the total risk is assessed
by multiplying the severity and likelihood scores, its overall risk ranking would not be high, and thus additional controls
may not be warranted.
Dan Weese of Amgen explained that this approach is important for documenting the potential risks to any given unit operation.
"You may have a risk where you are confident that a later step will take care of it, but what if a later step is removed?"
he said. "You need the risk to be flagged as severe in the earlier unit operation, so you don't lose your record of it."