Assessing and Managing Risks in a GMP Environment

Published in BioPharm International, 03-01-2005, Volume 18, Issue 3, pages 40–45

RARM procedures don't exist in a vacuum. For people to perform effective and useful RARMs, the process needs to be integrated with other GMP quality system elements and be proceduralized.

In a recent issue of the Economist, an international publication not known for hyperbole, risk management was discussed: "Managing risk is one of the things that bosses are paid for," yet "most companies still don't have any idea what is required of risk management."1 While each of us informally uses risk management in our personal and professional lives, regulatory agencies and the pharmaceutical and biopharma industry are looking at how this process can be formalized and implemented with the goal of reducing risks to patients. To do this, we must have a much better understanding of risks, how to identify and assess them, and, when appropriate, the most suitable methods to control them.

Risk assessment and risk management in a Good Manufacturing Practice (GMP) context are a challenge to both firms and regulators, but the benefits of better and more cost-effective assurance of the safety, identity, strength, purity, and quality of products are substantial. This article discusses risk assessment (RA) and risk management (RM). It provides an overview of the concepts, tools, and processes used and the organizational structure that can support a combined program. RA is part of the broader process of RM (Figure 1). The combination of both is called RARM and can be applied to both products and processes.

Figure 1. The Risk Management Process


FDA's 2002 initiative, "GMPs in the 21st Century," has raised visibility and interest in RARM. The initiative, of which RARM is a key element, emphasizes new control technologies and modern quality management systems.

While RARM is not a formal requirement of Current Good Manufacturing Practice (cGMP) regulations, the concepts have been at the heart of the agency's drug approval activities since 1962. When reviewers consider the safety of a drug, they use data gathered from adequate and well-controlled animal and clinical studies. Side effects and potential hazards are weighed against the benefits to the patient. Information provided on the label and inserts helps mitigate potential risks by communicating facts and cautions. If the product's risks outweigh its safety and benefits, the drug or biological is not approved or licensed.

James L. Vesper, MPH

RARM is used in other FDA-regulated industries. For example, medical devices regulated by the Center for Devices and Radiological Health and created according to FDA's Quality System Regulation (formerly called "GMPs for Medical Devices") must meet the requirement that "Design validation shall include software validation and risk analysis, where appropriate."3 In sectors of the food industry, notably the seafood and juice segments, FDA even requires the use of a specific RARM program.4,5 FDA's regulations for low-acid canned foods also incorporate specific RARM principles.6

Recent FDA guidance documents such as Q7A, the GMP requirements for making active pharmaceutical ingredients,7 frequently use terms such as "critical" and "where appropriate." This indicates that a rational judgment, based on potential risks and the best ways to control them, is important in deciding what to do.

The history of drug regulation has been a pattern of tragedy followed by a statutory or regulatory response: Deaths from sulfanilamide prompted the Food, Drug and Cosmetics (FD&C) Act in 1938; the birth defects caused by thalidomide resulted in the 1962 Kefauver-Harris amendments to the FD&C Act; and the Tylenol tampering incidents changed the cGMP requirements about packaging. FDA's move to a scientific approach to regulation is a tacit acknowledgment that existing regulations are not adequate due to FDA's limited resources, the increasing number of drugs and firms, and the explosive growth in knowledge and technology in some parts of the industry.2 The agency is telling industry that it needs to "know itself" — that is, thoroughly understand its products and processes. Firms need to have a formal, standardized, and rigorous process for identifying risks, determining their potential hazard, and mitigating hazards that are deemed unacceptable.


Other regulatory agencies in the US require RARMs. Among them are the Occupational Safety and Health Administration (OSHA) and the Environmental Protection Agency (EPA). OSHA requires a "process hazard analysis" to evaluate and control hazards in the process, while EPA requires hazard assessments for stationary sources of regulated chemicals.


Pharmaceutical manufacturers are using some forms of RARM in their safety programs. Many firms evaluate intermediates, active pharmaceutical ingredients (APIs), and final products in toxicology screens to determine the potential acute health effects (for example, dermal, ocular, inhalation, ingestion) to workers. Engineering controls or personal protective equipment is used to protect the workers from such hazards.

Other national authorities that regulate drugs use "as necessary" terminology. The Canadian GMPs note, "Manufacturing processes are controlled, and any changes to the process are evaluated. Changes that have an impact on the quality of the drug are validated as necessary."10 In November 2003, the International Conference on Harmonization (ICH) established an expert working group to begin writing a new document, Q9 - Quality Risk Management.11

In 2001, ISPE published a new version of its Guide for Validation of Automated Systems.12 GAMP4, as it is known, includes a process for conducting RARM on automated systems with the intended goals of avoiding any intolerable risk to patient safety or the business and maximizing the business benefits from the new computer or automated systems.13

GAMP4 recommends that risk assessment be performed at several stages during system development. One goal is to determine what validation, if any, is needed to help achieve the needed reduction of risk and maximization of benefits. The GAMP4 methodology identifies the potential risks and risk-scenarios whereby a failure or risk-event could occur. The impact (immediate and longer-term) and the likelihood of occurrence are estimated for each event. Risks can be prioritized from these estimates and risk mitigation strategies developed. GAMP4 is an example of a RARM approach that has been optimized for a specialized domain or technology.


Investing time and resources on a RARM for a process or product has a variety of benefits, the most significant of which is reducing potential sources of risk to acceptable levels. If an accident or failure occurs, a properly conducted RARM helps assure that the impact to people, the organization, and the environment is considerably less than if an analysis was not done and no controls were in place. When a mitigation plan is used, for example, people are protected because they wear protective equipment or a back-up supplier of a critical raw material has been identified. Intangible benefits that are important in today's regulatory and business climate also include being able to react in a standardized and organized way that gives confidence to regulatory agencies, shareholders, and those watching through the lens of the media.

Occasionally, RARM yields an additional, serendipitous benefit. For example, one drug firm replaced methylene-chloride-based tablet-coating with a water-based procedure. Initially implemented to improve workplace health and safety, the substitution also significantly reduced costs, reduced air emissions, and simplified waste treatment. These "win-win" situations are rare, but they do occur.


Tools for assessing and controlling risk should have an important place in the quality system of a drug or biologicals organization. Product and process development groups are key in providing data used in RARM. This was acknowledged by the ICH, which established another expert working group to develop "Q8 — Pharmaceutical Development." Key data include product quality attributes, specifications, and the critical processing parameters that must be met.

Firms that are establishing new facilities, products, or processes should use RARM. Interdisciplinary teams will evaluate potential process flows and select processes and materials that are known to run more consistently and with fewer potential hazards. Once a process is selected, a team can perform a more extensive RARM, identify possible failures, and define ways of preventing or recovering from such failures.

Technology transfer can also benefit from a formal RARM. While the development reports found in technology transfer packages usually identify critical parameters and ranges (that are later validated), they often do not provide detail about potential adverse events, especially those considered highly unlikely. Using a process like HazOpS (described below) forces one to answer these questions and helps ensure that the RARM was thorough, complete, and well documented.

RARM can be integrated into a change management program. Most firms today include some aspects of RARM but often in a cursory, informal way. Using a formal RARM methodology forces the reviewers to rigorously consider potential impacts, how to prevent or control (mitigate) them, and ways to monitor the product or process to ensure that the control measures are effective. FDA's Scale-Up and Post Approval Change (SUPAC) initiative is an example of this approach, calling for more controls and monitoring (and regulatory agency involvement) as the scope and complexity of the change increases.15

At a minimum, using RARM during change management entails compiling a checklist of things to consider. Records should be kept of what was and wasn't found on the list. Management strategies may involve additional monitoring, short-term intensive testing, and validation. RARM methods can also be used to determine what equipment and which aspects of a process should be validated or need not be validated.

One other important GMP quality system element that relates to RARM is the deviation subsystem, which firms call Corrective Action & Preventive Actions (CAPA), Discrepancy and Failure Investigations, or something similar. During the investigation of a discrepancy, the RARM should be reviewed to see if the failure was considered and, if not, why not? This is not an exercise in blame or finger pointing. It is an attempt to improve the chances of finding a previously unidentified risk, and it also helps make future RARMs more sensitive and effective.


RARM procedures don't exist in a vacuum. For people to perform effective and useful RARMs, the process must be integrated with other GMP quality system elements and be proceduralized. Organizational and management structures need to support RARM efforts by providing people, resources, time, and training.

The organizational culture must support a RARM initiative. Organizational culture refers to the values, norms, beliefs, and practices that govern how an organization functions. Some of these elements are explicitly written down, but more often the culture is a powerful, unwritten force that persists despite reorganizations and reassignments of personnel.

If an organization's culture is open to continual learning, improvement, and challenge, a RARM program will thrive and produce positive benefits. Conversely, if an organization relies on past success (or lack of serious failures) as a substitute for sound engineering practices, communicates ineffectively, over-simplifies risks, or stifles professional differences of opinion, RARM will be ineffective and not add any real value. If you don't believe that, read NASA's Columbia accident report.16

One external culture changer is FDA. If FDA continues to move towards its goal of a more scientific basis for regulation, firms will need to formally elucidate and document process risks, controls, and monitoring practices. At the same time, FDA will need to significantly change the way it performs inspections to enable its investigators to properly evaluate RARM practices.


RARM techniques have been developed and used extensively for decades in other industries. The experienced practitioners are chemical and aeronautical engineers, environmental experts, and workplace health and safety professionals. We must learn to talk the established language. Fifteen basic terms are defined.

The overwhelming majority of risk management processes follow the same general 11-step approach:

1. Establish goals and an overall structure and process for conducting the RARM.

2. Establish the team to conduct the RARM. It should be a cross-functional (interdisciplinary) team of knowledgeable experts in the product, technology, or discipline. Match team members to the scope of the RARM.

3. For a given RARM, define the scope of the process or product of interest.

4. Identify potential hazards.

5. Identify how the risk might be expressed and its criticality. Consider its severity, frequency, and probability of detection.

6. Determine if the risk is acceptable or if it must be mitigated in some way.


7. If risk is to be controlled, identify appropriate methods.

8. Reevaluate controlled risk to determine if residual risk is acceptable or unacceptable.

9. Implement risk control methods.

10. Document RARM activities.

11. Monitor the process or product to ensure the RARM was effective and to determine if previously unknown risks have become apparent.

In a GMP environment, the involvement of the quality unit is essential at certain points. Requiring the quality unit's approval for completion of certain tasks is recommended. Additionally, running periodic quality audits to ensure the proper use and functioning of the RARM system is good practice.


Defining the scope of a risk involves determining who or what is at risk. RARMs can be extensive and include considerations of the environment, workplace health and safety, GMP compliance, facilities and equipment, patients, finances, and corporate image.

From a GMP standpoint, regulatory agencies are concerned with the impact of a failure (an "expressed" risk) on the safety, identity, strength, purity, and quality of the drug product and what that means to the product's users. A failure may signal an underlying weakness of a process or system. In a GMP context, a RARM focuses on what a failure means to the product and the patient and, secondarily, to the particular manufacturing process and elements within the quality system. This is considerably different than the "classic" RARMs of the chemical, nuclear, and aerospace industries that are conducted out of concern for workers, the equipment and facility, the community, and the environment.


A number of widely accepted and well-defined methods and processes for conducting RARMs have been developed. Some focus only on risk assessment, while others also address the broader process of risk management. Some can be easily applied to a variety of manufacturing, testing, and logistics processes or products, while others have been optimized for certain types of processes, such as those found in chemical or API manufacturing.

Some methods are mathematically based, using historical data to predict the reliability of a component or feature. The methods described below are qualitative or semiquantitative. A common characteristic of all these methods is that they are meant to be proactive — used before a process or product is developed and finalized.

Methods vary in how they view potential failures. Most use inductive logic — that is, they use "forward thinking" to explore potential consequences of a failure. These tools are used to address "what if?" questions. Other tools use a deductive approach, looking "backward" or "top down" to address the question "What caused X to happen?"

There is some variation in risk assessment tools and methods, especially in how tables used to present data are formatted. The American Institute of Chemical Engineers' guidelines describe how to use most of the methods summarized below.17

Preliminary Risk Analysis (PRA)

PRA is a qualitative method for initial consideration of new technologies or processes when there is little specific information available. It is an inductive tool used to determine the event sequences that can transform a hazard into an accident, the accident's potential consequences, and how the accident can be prevented. One variation of the PRA is a free-form brainstorming session where a cross-functional group of experts asks "what if" questions to identify the impact and make recommendations. The quality of the results is highly dependent on the experience and knowledge of the participants.

A second variation involves pre-developed data-gathering tables. The process should lead the team through systems, subsystems, potential hazards, events that could lead to a hazardous situation or accident, the consequences and severity of the situation or accident, and recommendations to prevent the situation or accident. Data used could be based on similar processes or equipment as well as estimations of hazards (such as toxicity and flammability). PRAs are a first approximation of risk and can be used as a high-level, "quick and dirty" decision-making process. As more is learned about a process or product, other risk analysis techniques can be used.

Hazard and Operability Studies (HazOpS)

HazOpS (also written as "HAZOPS") was developed in the 1960s by the chemical industry. It is a systematic, inductive evaluation of a process to identify how deviations from the intended design and functionality can occur, the impact of these deviations, and how they can be corrected. HazOpS uses a defined set of guide words (for example, no, more, less, part of, reverse) applied to a set of parameters (for example, flow, pressure, temperature, sampling, maintenance). A pair is evaluated against a node — an identified point in a process that could potentially fail in some way — resulting in a table of situations that might result in failure, along with the consequences and specific causes (Figure 2). These results are evaluated and corrective actions are identified and implemented. The strength of HazOpS is its structure and formality, since each of the guide words and parameters must be considered. HazOpS reviews take time — one estimate is 200 person-hours per $2 million of capital investment evaluated.


Figure 2. Example of a HazOps Worksheet

Fault Tree Analysis (FTA)

FTA is a graphical way of showing the undesired top event (a failure, incident, or accident) and then determining the underlying fault events that could contribute to it. Developed for the aerospace industry, FTA is a deductive method that uses symbols such as "gates" and "events" that are combined in such a way to show how a failure can be caused by chains of causally related events. FTA diagrams (Figure 3) are created for each possible failure or accident in a system. FTA can produce complex documents that are not easily comparable to process flow diagrams or piping and instrumentation drawings. To some, creating FTAs is more of an art than a science, since analysts can create different yet equivalent drawings.


Figure 3. Example of an FTA Diagram

Failure Mode and Effects Analysis (FMEA)

FMEA and its slightly more complex derivation, Failure Mode, Effects, and Criticality Analysis (FMECA), are two of the more common risk assessment methods used in the medical device industry. These quantitative methods, applied to a component or part of a system, identify all possible failure modes and their effect on surrounding components and the system. A table or spreadsheet is created listing the failure modes, causes, symptoms, effects on other components and the overall system, a quantitative estimate on the frequency of occurrence, a quantitative estimate on the severity of the failure, a quantitative estimate on the chance of detection, and possible ways to reduce or eliminate the failure.

Multiplying the estimates of the frequency, severity, and chance of detection provides a numerical risk factor that can be used to evaluate whether or not the risk is acceptable or needs to be controlled in some way. FMECA can also use statistical and historical failure data to quantitatively determine the probability of a failure. Kieffer, Bureau, and Borgmann describe applications of FMEA in the manufacture of liquids, tablets, and packaging processes.20
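The scoring and acceptance decision described above, as an added example that is not part of the original article. The 1-10 scales, the convention that a higher detection score means the failure is harder to detect, the action threshold, the severity floor, and the worksheet rows are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, replace

# Assumed conventions (not from the article): each factor is rated 1-10, and a
# HIGHER detection score means the failure is LESS likely to be detected.
SCALE = range(1, 11)
ACTION_THRESHOLD = 100  # assumed limit above which a risk factor must be controlled
SEVERITY_FLOOR = 9      # assumed: very severe modes are controlled whatever the product


@dataclass(frozen=True)
class FailureMode:
    step: str
    failure: str
    frequency: int
    severity: int
    detection: int

    def __post_init__(self):
        # Reject scores outside the agreed scale so a typo cannot hide a risk.
        for name in ("frequency", "severity", "detection"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{name} must be 1-10 for {self.failure!r}")

    @property
    def risk_factor(self) -> int:
        # Frequency x severity x chance of detection, as the article describes.
        return self.frequency * self.severity * self.detection


def needs_control(mode, threshold=ACTION_THRESHOLD, severity_floor=SEVERITY_FLOOR):
    """Return why a failure mode must be controlled, or None if it is acceptable."""
    if mode.risk_factor > threshold:
        return "risk factor"
    if mode.severity >= severity_floor:
        # A rare, detectable but very severe failure can score low on the product.
        return "severity"
    return None


def assess(modes):
    """Rank failure modes, highest risk factor first, with the control decision."""
    ranked = sorted(modes, key=lambda m: m.risk_factor, reverse=True)
    return [(m.failure, m.risk_factor, needs_control(m)) for m in ranked]


def reassess(mode, **new_scores):
    """Re-score a failure mode after a proposed control to get the residual risk."""
    return replace(mode, **new_scores)


# Constructed worksheet rows (illustrative scores, not data from the article).
WORKSHEET = [
    FailureMode("tablet coating", "coating viscosity out of range", 4, 5, 3),
    FailureMode("sterile filtration", "filter integrity breach", 2, 10, 4),
    FailureMode("labeling", "wrong label roll loaded", 3, 8, 6),
    FailureMode("blending", "blend time too short", 5, 4, 2),
]

if __name__ == "__main__":
    for failure, score, reason in assess(WORKSHEET):
        print(f"{score:4d}  {failure:32s} {reason or 'acceptable'}")
    # Proposed control for the labeling failure improves detection from 6 to 2.
    residual = reassess(WORKSHEET[2], detection=2)
    print(residual.risk_factor, needs_control(residual) or "acceptable")
```

The filter integrity row shows why a product-only cut-off is usually paired with a severity rule: its risk factor is below the threshold even though its severity is at the top of the scale.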

Event Tree Analysis (ETA)

ETA is another qualitative (and potentially quantitative), structured, graphical, inductive tool used to examine the impact of an incident and its interactions with various systems. Using the initial failure and the safety or control systems that are in place, the ETA team asks what would happen if each safety system was successful or failed at each point in a sequential or chronological timeline. Different outcomes are identified and described (Figure 4). ETA is useful for both new and modified systems and for assessing the adequacy of existing systems and controls. ETA also can assess operator responses to an incident. This tool is extremely useful in evaluating GMP systems and process controls.

Figure 4. Example of an ETA Diagram
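A quantitative event tree of the kind described above, as an added example that is not part of the original article. The initiating event, the three controls, their failure probabilities, and the outcome rules are constructed for illustration, and the controls are assumed to fail independently of one another.

```python
from collections import defaultdict
from itertools import product

# Constructed scenario (not from the article): a cold-room temperature excursion
# and three controls considered in chronological order.
INITIATING_EVENT = "cold-room temperature excursion"
EVENTS_PER_YEAR = 4.0
BARRIERS = [            # (control, assumed probability that it fails on demand)
    ("alarm", 0.05),
    ("operator response", 0.10),
    ("release testing", 0.02),
]


def classify(state):
    """Map one path (control name -> worked?) to its outcome (constructed rules)."""
    if state["alarm"] and state["operator response"]:
        return "lot quarantined"
    # If the alarm did not sound, the operator's branch has no effect on the outcome.
    if state["release testing"]:
        return "lot rejected at release"
    return "degraded lot released"


def event_tree(barriers, classify_fn):
    """Enumerate every success/failure path and return (state, probability, outcome)."""
    for name, p_fail in barriers:
        if not 0.0 <= p_fail <= 1.0:
            raise ValueError(f"failure probability for {name!r} must be in [0, 1]")
    paths = []
    for branch in product((True, False), repeat=len(barriers)):
        probability = 1.0
        state = {}
        for (name, p_fail), works in zip(barriers, branch):
            probability *= (1.0 - p_fail) if works else p_fail
            state[name] = works
        paths.append((state, probability, classify_fn(state)))
    return paths


def outcome_frequencies(paths, events_per_year):
    """Sum path probabilities per outcome and scale by the initiating frequency."""
    totals = defaultdict(float)
    for _state, probability, outcome in paths:
        totals[outcome] += probability * events_per_year
    return dict(totals)


if __name__ == "__main__":
    tree = event_tree(BARRIERS, classify)
    print(f"{INITIATING_EVENT}: {len(tree)} paths")
    for outcome, per_year in outcome_frequencies(tree, EVENTS_PER_YEAR).items():
        print(f"{outcome:26s} {per_year:.4f} per year")
```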


GAMP4 and HACCP are two well-known processes used to manage risk in FDA-regulated industries. They are not specific tools for assessing risks. Rather, they cover the wider set of activities important in risk management. Both GAMP4 and HACCP allow the use of some of the RA tools previously discussed. GAMP4 is an amalgam of HACCP, FMEA, and FTA. For details see the ISPE guidelines.


Hazard Analysis and Critical Control Points (HACCP)

HACCP is the primary risk reduction process used in the food industry, including firms regulated by FDA and USDA. HACCP is defined as a systematic risk management approach to the identification, evaluation, and control of hazards. It is not intended to be a stand-alone program, and it can easily be integrated with a GMP quality system. There are five preliminary steps to prepare for HACCP:

  • Assemble the HACCP team.
  • Describe the product and its distribution.
  • Describe the product's intended use and users.
  • Develop a process flow diagram.
  • Verify the process flow diagram.

Once these steps have been taken, the HACCP program follows seven principles:

  • Conduct a hazard analysis.
  • Determine the Critical Control Points (CCPs).
  • Establish Critical Limits (CLs).
  • Establish monitoring procedures.
  • Establish corrective action.
  • Establish verification plan.
  • Establish record keeping and documentation procedures.

HACCP typically identifies and addresses biological, chemical or physical hazards — that is, those that could cause injury or illness.21 While these hazards are critical to drug products as well, there is no reason why HACCP cannot be expanded to include compliance and regulatory risks (for example, making an uncontrolled change to a process). DeSain and Sutton describe using HACCP in a biopharmaceutical context.22


Once hazards and risks have been identified, decisions need to be made as to whether or not the risks must be controlled or mitigated in some way. Risk evaluation uses the information generated by risk assessment, whether it is qualitative or quantitative, and overlays it upon societal, business, regulatory, and financial realities to answer, "How much risk are we prepared to take?" As shown in Figure 5, some risks are simply unacceptable — the probability of a serious outcome is too high and must be modified or the product or process must be abandoned. Other risks are acceptable — either the consequences are so minimal or the chance of them happening is so remote that the risk is negligible.

Figure 5. Conceptual Model Used in Risk Evaluation

Other risks, however, may be accepted if the benefits outweigh the risks or if the risks can be controlled or reduced so that the benefit-to-risk ratio is acceptable. Risks that are "as low as reasonably practicable" (ALARP) are evaluated on the basis of technical and economic practicability.


After risks are identified, their impact characterized, and the decisions made as to which risks need to be reduced or eliminated, controlling them is often a creative, technological, and economic challenge. Before a change is made, perform an evaluation to assure that the proposed change does not create any new or unexpected risks. Some of the standard ways of reducing or controlling risks include:

  • Substitution — using a safe solvent instead of a potentially toxic one
  • Uncoupling or loosely coupling a process — breaking apart a process so there are inherent stops to prevent a process from "running away" and getting out of control
  • Process simplification — reducing the number of steps or "risk exposures" that could occur
  • Isolation — moving or enclosing an activity so it presents fewer potential risks
  • Elimination — removing a potential risk
  • Changing conditions — modifying the temperature, pressure, or time
  • Providing more information — giving those involved more useful information regarding prevention or response to a problem
  • Decreasing the frequency of an event happening — reducing the number of times a potentially hazardous material is used
  • Decreasing the consequences should an event occur — providing protective equipment to workers or using an assay that tests for the presence of a known potential contaminant
  • Duplicating assets — creating redundancy or increasing inventories
  • Changing the source — using a vendor or material source that is potentially more reliable or consistent
  • Implementing procedures — instituting procedures that prevent an accident or a failure
  • Engineering controls — designing and implementing electronic, mechanical, or other controls to prevent the problem
  • Training — providing personnel with knowledge and skills so they better understand the process and how to effectively mitigate the risk
  • Validation — demonstrating (and documenting) that a process or system consistently performs according to its defined requirements

Risk monitoring and reevaluation are an important part of a risk management program, ensuring that the identified risks have been controlled and mitigated as planned. Monitoring should be instituted to see if additional, previously unpredicted risks appear. This can be done with information generated from incident investigations or product complaints. If an incident does occur, it is useful to examine the earlier risk assessment to discover if it was considered.

Important concepts and terms

James L. Vesper, MPH is president of LearningPlus, 1140 Highland Ave., Rochester, NY 14620, 585.442.0170, fax 585.442.0177.


1. A survey of risk: be prepared. The Economist. 2004 Jan. 22;12-14.

2. FDA: Pharmaceutical cGMPs in the 21st century: A risk-based approach. 2002 August 21. Available at

3. FDA. Quality system regulation: Design validation. Code of Federal Regulations 21CFR Part 820.30(g). 2004 April 1.

4. FDA. 21 Hazard analysis and hazard analysis critical control point (HACCP) plan (for seafood). Code of Federal Regulations 21CFR Part 123.6. 2004 April 1.

5. FDA. Hazard analysis and critical control point systems (for juices). Code of Federal Regulations 21CFR Part 120. 2004 April 1.

6. FDA. Thermally processed low-acid foods packaged in hermetically sealed containers. Code of Federal Regulations 21CFR Part 113. 2004 April 1.

7. FDA: Guidance for industry: Q7A good manufacturing practice for active pharmaceutical ingredients. 2001 August. Available at

8. US Occupational Health and Safety Administration (OSHA). Process safety management of highly hazardous chemicals. Code of Federal Regulations 29CFR Part 1910.119(e). 1993.

9. US Environmental Protection Agency (EPA). Hazard Assessment. Code of Federal Regulations 40CFR Part 68 Subpart B. 1996 June 20.

10. Health Canada. Quality management in good manufacturing practices guidelines. 2002 Edition, Version 2. Ottawa. 2003 Jan. 20.

11. ICH6. ICH meeting report. 2003 Nov. 15. Osaka, Japan. Available at

12. ISPE GAMP Forum. The good automated manufacturing practice (GAMP) guide for validation of automated systems in pharmaceutical manufacture, 4th Edition. Tampa (FL): ISPE; 2001.

13. ISPE. Guideline for risk assessment. GAMP4 Appendix M3. Tampa (FL): ISPE; 2001.

14. International Standards Organization. Medical devices — Application of risk management to medical devices. ISO 14971:2000. Geneva Switzerland: ISO; 2000.

15. FDA. Guidance for industry: Immediate release solid and oral dosage forms scale-up and post approval changes. FDA/CDER. Bethesda MD. 1995 November. Available at

16. Columbia Accident Investigation Board, Report, Volume I, Chapter 7. US Government Printing Office. 2003 August.

17. Battelle Columbus Division for The Center for Chemical Process Safety of the American Institute of Chemical Engineers. Guidelines for hazard evaluation procedures. New York: AIChE; 1985.

18. Henley EJ, Kumamoto H. Probability risk assessment. New York: IEEE Press; 1992.

19. Ibid.

20. Kieffer RG, Bureau S, Borgmann A. Applications of failure mode effect analysis in the pharmaceutical industry. Pharmaceutical Technology Europe. 1997 Sept. (vol 9, no 8.) :36-49.

21. FDA/USDA/NACMCF: HACCP principles and application guidelines, Adopted 1997 Aug. 14. Available at

22. DeSain C, Sutton, C. Process hazard analysis and critical control point identification. BioPharm Int'l. 2000; 13(10):36-40.

23. US Air Force. Air Force Safety Agency. System safety handbook (Revised July 2000). Kirkland AFB New Mexico: US Air Force; 2000.

24. Canadian Standards Association. Risk management: guideline for decision-makers. CAN/CSA -Q850-97, Rexdale Ont. 1997 Oct.