Audit trail requirements on GxP computerized systems
August 30, 2021
Trevalco fun day at Jesco Driving School
November 24, 2021
If you’re working in the life sciences industry you have probably been involved in risk assessments, maybe more often than you would have liked to. Whether you are working in a clinical development or pharmaceutical production environment, on drug products or medical devices, risk management has to be in place. This article will give you tips to make your risk assessments even better.
One of the main reasons why risk assessments are so omnipresent is because in most cases they are a legal requirement. Good manufacturing practices (GMP) guidelines for medicinal products from FDA, EMA, PIC/S and WHO all provide reference to the ICH guideline Q9 on quality risk management.
The new EU Medical Device Regulation (MDR) adopts a universal risk-based approach with explicit requirements regarding a risk management program and life-cycle risk management. Quality risk management is also a legal obligation when conducting clinical trials under the EU clinical trials regulation and ICH guideline E6 for good clinical practice.
Common issues with risk assessments
In some life sciences organizations risk assessments are treated purely as a regulatory requirement or “a document” imposed by the quality system: making sure the paperwork gets done, so that quality assurance can tick the box. This is of course not a good starting point for a creative exercise in which people should be encouraged to think out of the box.
The outcome of risk assessments is often criticized for being subjective, not based on facts and data but on the participants gut feeling. Although regulatory guidance from for example the pharmaceutical GMP guidelines requires risk management based on scientific knowledge. This is often hard to put into practice due to insufficient data being available.
ICH Q9 for medicinal products and ISO 14971 for medical devices do provide some standardized methodologies, but there are often big differences on how methodologies are applied in between companies and teams within the same organization. This makes it even more difficult to compare risk assessments for different studies or projects, and to guarantee an objective outcome.
And of course, a risk assessment requiring multiple sessions with a multidisciplinary team is time intensive.
Tips to get more value from risk assessments in the life sciences, pharmaceutical industry
When you are facilitating a risk assessment, here are some tips to help you getting more value out of them.
1) Set a clear scope and define the purpose of the risk assessment
There’s a multitude of situations that could trigger a risk assessment, have a look at just these examples:
- Evaluate the risk involved with different functionalities of a new GxP critical software to focus validation effort on the most critical functions.
- Reduce the risk to participants in a phase 1 clinical trial.
- Identify potential causes and impact of a power failure on a GMP manufacturing facility.
- Execute a risk assessment on a medical device, which must be kept up-to-date throughout the product lifecycle and meet the requirements of the EU MDR.
Make sure at the beginning that the goal is clear for all stakeholders and participants to the risk assessment. When during the meeting you notice the team is no longer working towards those goals or the scope is involuntarily extended, redirect the team by explaining again the scope and purpose of the risk assessment.
Also clarify any regulatory requirements, being GMP, GCP or MDR, this can help getting the team aligned to the same goals.
2) Assemble the right team
Gather the right people. Leave people out that don’t have anything to contribute. If you need approval from specific functions or someone higher up in the company, they don’t really need to be there in the meetings because they can always review your report. Try to keep people that don’t contribute out of your risk assessment meetings.
Aim for a multidisciplinary team. Level in the organization is less important what counts is having as much as possible the different stakeholders to the project, product or process represented.
3) Select the right risk assessment method
Depending on the purpose of your exercise you might want to try a specific method. I know FMEA is very popular, especially because everyone knows how this works, but there are other risk assessment methods as well!
FMEA stands for “Failure Mode and Effects Analysis”. To use FMEA first you should be able to identify what the “failure modes” are for your process, software, equipment or product. A failure mode is a possible way in which something can fail. Secondly, for FMEA to be successful you should be able to attach scores to likelihood of occurrence, impact and detectability. If you cannot (yet) define failure modes and you cannot (yet) quantify the risks then steer away from FMEA.
There are many alternatives, ICH Q9 provides a good overview, but here are some of my favorites.
Fault-tree analysis is a deductive, top-down analysis. The idea is to start from an event or undesired outcome, for example “I have a power failure on my GMP plant”, and then dig down into the possible causes even combining them with “OR” and “AND” Boolean logic. Of course, Ishikawa or fishbone diagrams can serve a similar purpose.
When you don’t have sufficient data to do a quantitative analysis such as FMEA, a Preliminary Hazard Analysis might be a good methodology to use. The output of a Preliminary Hazard Analysis can be, when more data is available, valuable input to an FMEA. The advantage of a Preliminary Hazard Analysis is that it allows to do a risk assessment without having all the data yet.
4) Don’t be overzealous
A common mistake with many risk assessments is that people try to be overly detailed: covering even the most unlikely risks, trying to include every minor system functionality or all user requirements.
Risk assessment methods or tools are intended to help your team in identifying, evaluating and mitigating risks. They are not meant to do a full accounting of functionalities or to cover every possible scenario that might occur. Try to focus on uncovering new risks, on documenting and evaluating the known risks which actually pose a threat, and try not to be 100% complete.
Also, there are situations where you want to do a risk assessment on one specific functionality or on a very specific part of a process. Not every risk assessment needs to cover a complete process or product, and not every risk assessment needs to be updated for eternity. Again, it is important to define such things upfront and to document a clear scope and purpose in your report.
5) Be prepared
At your first risk assessment meeting, after presenting scope and purpose, it is useful to have a technical presentation or demo of the subject. For example a demo of the software, a presentation with drawings and pictures of the new equipment to be purchased, or a technical presentation showing the current plan for a new clinical trial. Make sure this is done by one of the best experts on the subject matter.
Needless to say that as a facilitator you should have a (document) template for the risk assessment method, and you can readily explain the team on how template and method are to be used.
Doing research on similar risk assessments executed in the same company can be very useful, but be wary of bad examples and try to keep an open mind even if you know the conclusions of earlier risk assessments.
6) Look at what is really going on
Try not to make it a theoretical exercise. Take your risk assessment team on a small adventure: go for a walk in production seeing the processes in action, visit the supplier of your new equipment and have a look at an equipment prototype, ad-hoc invite experts or end-users to your meetings. You can even send people away during the meetings to collect some data or crucial information needed by the team.
Of course good coffee and chocolates also help in making your risk assessment meetings more fun and interactive.
If you know more tips for risk assessments, don’t hesitate to share them in the comments section. Good luck on your next GMP / GCP / GxP / MDR or whatever risk assessment exercise!
If you need support of a consultant for your risk assessments or in setting up a good approach to risk management, don’t hesitate to contact us.
