The history of drug regulation has been a pattern of tragedy followed by a statutory or regulatory response: Deaths from sulfanilamide
prompted the Food, Drug and Cosmetics (FD&C) Act in 1938; the birth defects caused by thalidomide resulted in the 1962 Kefauver-Harris
amendments to the FD&C Act; and the Tylenol tampering incidents changed the cGMP requirements about packaging. FDA's move
to a scientific approach to regulation is a tacit acknowledgment that existing regulations are not adequate due to FDA's limited
resources, the increasing number of drugs and firms, and the explosive growth in knowledge and technology in some parts of
the industry.2 The agency is telling industry that it needs to "know itself"— that is, thoroughly understand its products and processes.
Firms need to have a formal, standardized, and rigorous process for identifying risks, determining their potential hazard,
and mitigating hazards that are deemed unacceptable.
OTHER REGULATORY PLAYERS
Other regulatory agencies in the US require RARMs. Among them are the Occupational Safety and Health Administration (OSHA)
and the Environmental Protection Agency (EPA). OSHA requires a "process hazard analysis" to evaluate and control hazards in
the process,8 while EPA requires hazard assessments for stationary sources of regulated chemicals.9
Pharmaceutical manufacturers are using some forms of RARM in their safety programs. Many firms evaluate intermediates, active
pharmaceutical ingredients (APIs), and final products in toxicology screens to determine the potential acute health effects
(for example, dermal, ocular, inhalation, ingestion) to workers. Engineering controls or personal protective equipment is
used to protect the workers from such hazards.
Other national authorities that regulate drugs use "as necessary" terminology. The Canadian GMPs note, "Manufacturing processes
are controlled, and any changes to the process are evaluated. Changes that have an impact on the quality of the drug are validated
as necessary."10 In November 2003, the International Conference on Harmonization (ICH) established an expert working group to begin writing
a new document, Q9 - Quality Risk Management.11
In 2001, ISPE published a new version of its Guide for Validation of Automated Systems.12 GAMP4, as it is known, includes a process for conducting RARM on automated systems with the intended goals of avoiding any
intolerable risk to patient safety or the business and to maximize the business benefits from the new computer or automated
GAMP4 recommends that risk assessment be performed at several stages during system development. One goal is to determine what
validation, if any, is needed to help achieve the needed reduction of risk and maximization of benefits. The GAMP4 methodology
identifies the potential risks and risk-scenarios whereby a failure or risk-event could occur. The impact (immediate and longer-term)
and the likelihood of occurrence are estimated for each event. Risks can be prioritized from these estimates and risk mitigation
strategies developed. GAMP4 is an example of a RARM approach that has been optimized for a specialized domain or technology.