PROCESSES USED IN RISK MANAGEMENT
GAMP4 and HACCP are two well-known processes used to manage risk in FDA-regulated industries. They are not specific tools
for assessing risks. Rather, they cover the wider set of activities important in risk management. Both GAMP4 and HACCP allow
the use of some of the RA tools previously discussed. GAMP4 is an amalgam of HACCP, FMEA, and FTA. For details see the ISPE
Hazard Analysis and Critical Control Points (HACCP)
HACCP is the primary risk reduction process used in the food industry, including firms regulated by FDA and USDA. HACCP is
defined as a systematic risk management approach to the identification, evaluation, and control of hazards. It is not intended
to be a stand-alone program, and it can easily be integrated with a GMP quality system. There are five preliminary steps to
prepare for HACCP:
- Assemble the HACCP team.
- Describe the product and its distribution.
- Describe the product's intended use and users.
- Develop a process flow diagram.
- Verify the process flow diagram.
Once these steps have been taken, the HACCP program follows seven principles:
- Conduct a hazard analysis.
- Determine the Critical Control Points (CCPs).
- Establish Critical Limits (CLs).
- Establish monitoring procedures.
- Establish corrective action.
- Establish verification plan.
- Establish record keeping and documentation procedures.
HACCP typically identifies and addresses biological, chemical or physical hazards — that is, those that could cause injury
or illness.21 While these hazards are critical to drug products as well, there is no reason why HACCP cannot be expanded to include compliance
and regulatory risks (for example, making an uncontrolled change to a process). DeSain and Sutton describe using HACCP in
a biopharmaceutical context.22
Once hazards and risks have been identified, decisions need to be made as to whether or not the risks must be controlled or
mitigated in some way. Risk evaluation uses the information generated by risk assessment, whether it is qualitative or quantitative,
and overlays it upon societal, business, regulatory, and financial realities to answer, "How much risk are we prepared to
take?" As shown in Figure 5, some risks are simply unacceptable — the probability of a serious outcome is too high and must
be modified or the product or process must be abandoned. Other risks are acceptable — either the consequences are so minimal
or the chance of them happening is so remote that the risk is negligible.
Figure 5. Conceptual Model Used in Risk Evaluation
Other risks, however, may be accepted if the benefits outweigh the risks or if the risks can be controlled or reduced so that
the benefit-to-risk ratio is acceptable. Risks that are "as low as reasonably practicable" (ALARP) are evaluated on the basis
of technical and economic practicability.
WAYS TO CONTROL OR MITIGATE RISKS
After risks are identified, their impact characterized, and the decisions made as to which risks need to be reduced or eliminated,
controlling them is often a creative, technological, and economic challenge. Before a change is made, perform an evaluation
to assure that the proposed change does not create any new or unexpected risks. Some of the standard ways of reducing or controlling
- Substitution — using a safe solvent instead of a potentially toxic one
- Uncoupling or loosely coupling a process — breaking apart a process so there are inherent stops to prevent a process from
"running away" and getting out of control
- Process simplification — reducing the number of steps or "risk exposures" that could occur
- Isolation — moving or enclosing an activity so it presents fewer potential risks
- Elimination — removing a potential risk
- Changing conditions — modifying the temperature, pressure, or time
- Providing more information — giving those involved more useful information regarding prevention or response to a problem
- Decreasing the frequency of an event happening — reducing the number of times a potentially hazardous material is used
- Decreasing the consequences should an event occur — providing protective equipment to workers or using an assay that tests
for the presence of a known potential contaminant
- Duplicating assets — creating redundancy or increasing inventories
- Changing the source — using a vendor or material source that is potentially more reliable or consistent
- Implementing procedures — instituting procedures that prevent an accident or a failure
- Engineering controls — designing and implementing electronic, mechanical, or other controls to prevent the problem
- Training — providing personnel with knowledge and skills so they better understand the process and how to effectively mitigate
- Validation — demonstrating (and documenting) that a process or system consistently performs according to its defined requirements