
Tutorial - Risk Management in (Bio)Pharmaceutical and Device Industry


8/13/2014 10:48 PM

Introduction and Literature Overview

Risk-based compliance is expected by regulatory agencies
recommended by industry task forces and private authors to balanc
efforts and costs vs. product quality and patient safety. Risk managem
history in the industry. For example, when car manufacturers have a q
with specific models in the market they will go through a thorough ris
process to decide whether to recall the cars or not. The cost of reca
the problem will be balanced against the cost that may potentially occ
doing anything and the effect this would have on the company imag
liability issues.

Risk assessment is also nothing new in our private life. We experie
day long before we start our daily work. Before we cross a busy road
our workplace, we look left and right because there is a risk that a ca
and run us over. By observing car traffic and stopping until the car h
looking for a pedestrian crossing or traffic lights we can eliminate th
car will hit us.
Objectives and Principles of Risk Management

Risk management is the process that helps to identify problems, ana
then to create an action plan to avoid or manage these problems. Th
risk management during pharmaceutical device and drug deve
manufacturing is to provide drugs and devices that are efficient and
spending too many resources, for example, for validating processes an

All recommendations from official guidelines, from industry task for
private authors basically follow the same principles for risk assessmen

1. Identify the risks: What can go wrong?
2. Analyze the risks: What is the likelihood or probability that somethi
and what are the consequences or what is the severity if somethin
3. Estimate the risk priority number (RPN) and assess if the risk is ac
too high.
4. If the risk is too high develop and implement control steps to reduc
the risk.
5. Analyze the residual risk and assess if it is acceptable.

Let's look at the road traffic example we mentioned at the beginnin
same steps as above.

1. Risk or unwanted event: Car runs over a pedestrian crossing the r
2. Probability of occurrence: Depends on the road traffic - low for cou
medium for town roads and high for city streets.
Severity: Always high, because the accident may lead to permanen
3. Risk level expressed by the risk priority number (RPN): Always high
high severity and some probability. The RPN increases from the co
the city street due to increasing probability.
4. Control steps to reduce probability: Depends on the risk priority nu
- Country road: Look left and right before crossing the road.
- Town road: Use pedestrian traffic lights or a pedestrian crossing.
- City street: Use pedestrian overpass or underpass.
5. Residual risk: Is acceptable because probability of occurrence has

The effort to reduce the risk to an acceptable level increases with t
number. This is a simple example, but illustrates the steps that are r
safely across the road. The principles can be applied to most risk scen
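The road-crossing walk-through above, steps 3 to 5 (RPN, control selection, residual risk), as an added Python example that is not part of the original tutorial; the numeric 1 to 4 scales, the acceptance threshold of 4 and the control catalogue with its assumed probability reductions are assumptions chosen to reproduce the country road, town road and city street cases.

```python
from dataclasses import dataclass, replace

# Assumed 4-point scales; the tutorial only uses the words low/medium/high.
PROBABILITY = ["remote", "low", "medium", "high"]          # index + 1 = score
SEVERITY = {"negligible": 1, "minor": 2, "major": 3, "critical": 4}

# Assumed acceptance criterion (in practice taken from the Risk
# Management Master Plan): an RPN above this value must be reduced.
ACCEPTABLE_RPN = 4

# Assumed control catalogue, ordered from least to most effort, with the
# number of probability levels each control is assumed to remove.
CONTROLS = [
    ("look left and right before crossing", 1),
    ("use pedestrian traffic lights or a pedestrian crossing", 2),
    ("use a pedestrian overpass or underpass", 3),
]


@dataclass(frozen=True)
class Risk:
    event: str        # step 1: what can go wrong?
    severity: str     # step 2: how bad is it if it happens?
    probability: str  # step 2: how likely is it?

    @property
    def rpn(self) -> int:
        """Step 3: risk priority number = severity score x probability score."""
        return SEVERITY[self.severity] * (PROBABILITY.index(self.probability) + 1)


def reduce_probability(risk: Risk, levels: int) -> Risk:
    """Apply a control that lowers the probability by `levels` steps
    (never below 'remote'); severity stays unchanged, as in the tutorial."""
    new_index = max(0, PROBABILITY.index(risk.probability) - levels)
    return replace(risk, probability=PROBABILITY[new_index])


def manage(risk: Risk, controls=CONTROLS) -> dict:
    """Steps 3 to 5: compare the RPN with the acceptance criterion, pick the
    least effortful control whose residual risk is acceptable, and report."""
    result = {"event": risk.event, "initial_rpn": risk.rpn,
              "control": None, "residual_rpn": risk.rpn, "acceptable": True}
    if risk.rpn <= ACCEPTABLE_RPN:
        return result                       # no control needed
    for name, levels in controls:           # step 4: escalate effort
        residual = reduce_probability(risk, levels)
        if residual.rpn <= ACCEPTABLE_RPN:  # step 5: residual risk check
            result.update(control=name, residual_rpn=residual.rpn)
            return result
    # No catalogued control brings the risk down: flag for management review.
    result.update(acceptable=False)
    return result


def road_crossing_example() -> dict:
    """Reproduce the tutorial's country road / town road / city street cases."""
    roads = {"country road": "low", "town road": "medium", "city street": "high"}
    return {
        road: manage(Risk("car runs over a pedestrian crossing the road",
                          "critical", probability))
        for road, probability in roads.items()
    }


if __name__ == "__main__":
    for road, outcome in road_crossing_example().items():
        print(f"{road:13s} RPN {outcome['initial_rpn']:2d} -> "
              f"{outcome['residual_rpn']} via {outcome['control']}")
```

The selected control climbs from looking left and right to using an overpass as the initial RPN rises, which is the tutorial's point that mitigation effort grows with the risk priority number.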

The person crossing the road does not follow a formal and docume
She or he is using a practical approach which is only based on e
common sense. This way we can define risk management for compli
justified and documented common sense". Official guidelines and stan
ICH Q9, ISO 31000 and others have listed a couple of important prin
Risk Assessment:


- Is an integral value of all organization processes, e.g., for complian
health and safety.
- Is part of decision making, for example, whether to implement chan
- Is systematic, structured and timely.
- Is based on the best available information, for example, on historic
- Has the health and safety of patients in mind.
- Is aligned with a company's culture, strategies, risk profile and perf
- Decisions should always be justified, documented and communicat
everybody affected by the project.
- Is an ongoing process to improve the efficiency of the organization

Benefits and Issues for the Regulated Industry

The value of risk assessment for the regulated industry becomes ob
diagram in Figure 1. On the x-axis it shows the level of quality,
compliance of a product or process. The y-axis shows decreasing ris
additional value and increasing costs for validation and compliance.

Figure 1: Risk Optimization vs. Quality and Cost


Doing nothing about compliance, quality or validation is a high risk, for
may receive warning letters from the FDA, or when looking at equipm
have high failure rates. Or even worse, patients may get sick if a drug
adverse impurities because of insufficient quality or validation of p
systems. Of course, the advantage is that in this case there are no c
When going to the right side of the diagram everything is validated
stringent interpretation is used for compliance and the costs get expo
The risk decreases but so does the additional value, for example, f
validation efforts. One of the tasks of a risk management project
optimum which should be somewhere in the middle.

For each process or piece of equipment the company should decide
can be taken. General recommendations should come from the Risk
Master Plan or directly from management for a specific project. The q
much risk a company can or will take, or what is the acceptable risk
answer depends on which direct impact equipment or a process has
device product. For example, when looking at the drug value cha
research through preclinical and clinical development to manufactur
impact on consumers increases. Therefore, assuming everything is
validation effort for equipment used in manufacturing will be higher
same equipment is used in early development.

Similarly one can argue that the validation efforts during quality contr
pharmaceutical ingredient (API) can be lower than for finished drugs
quality problems can still be uncovered by the pharmaceutical manuf
the product reaches patients through incoming checks of the API and
control of finished drugs.

The main benefit of quality risk management is that the regulated
optimize resources towards high risk products, equipment and proces
resources for low or no risk systems. This increases the overall
improves product quality and patient safety. While in the past the reg
hesitated in applying risk management, this changed since the United
and Drug Administration (FDA) started promoting quality risk managem
its 21st century cGMP initiative along with some follow-up activities.
the word compliance can be eliminated from the x-axis in Figure 1
compliance is not always proportional to validation because with st
'The type and extent of validation depends on the risk on the drug p
compliance can be achieved at less than 100% validation.

The example used to illustrate the benefits of quality risk management
issues. QA and other professionals may disagree that development
manufacturing of API's don't require the highest focus on quality and v
is a good point as long as we understand that risk management is a
with objective criteria such as direct impact on product quality and
When looking at relative risks, quality control of finished products bear
than equivalent measures of API products or test samples from pre-clin


Objectives of the Tutorial

This tutorial addresses risk management in the (bio)pharmaceutica
device industry. It is intended to give project managers and other prof
the (bio)pharmaceutical and medical device industry a good unders
objectives and principles of risk assessment and to guide them th
management process. Quality managers and staff as well as reg
professionals will also benefit through extensive discussions of releva
quality standards and guidelines. The tutorial will discuss tools and g
and specific recommendations for all steps of risk management
identification, risk evaluation, risk assessment and mitigation controls.
In less than one day readers will get:

- An overview of regulatory and quality standard requirements and
- Tools and common practices available for risk assessment and ma
- Strategies for implementation with practical help on how to docume
- Recommendations for special applications, e.g., for laboratory sys
software and computer validation, equipment maintenance and qua
for process validation.

From our experience in attending risk management workshops and rea
and Risk Management Master Plans and procedures we realized tha
practical information available on how to identify, evaluate and d
together with documentation of failures, hazards, possible harms and
risk priority numbers based on severity, probability of occurrence and
detection. It seems that most authors describe conceptual steps with
help. Also, official documents such as ICH Q9 don't give detailed inf
tutorial tries to fill this gap.

Literature Overview

Risk management for the (bio)pharmaceutical and device industry ha
documented in regulatory guidance, by industry task forces and by pr
This chapter lists some literature publications with relevance to risk as
management in the (bio)pharmaceutical and medical device industry.

- The European Council Directive 93/42/EEC of June 14 1993 Conc
Medical Devices (1) was one of the first regulatory documents that
eliminate risks as much as possible during the design and manufac
medical devices when weighed against the benefits to the patient.
- The US FDA Quality System Regulation (2) requested to validate t
medical devices and that design validation should include risk anal
- The EU GMP Annex 15 for "Validation and Qualification" (3) reques
assessment approach to determine the scope and extent of valida
evaluate the impact of the change of facilities, systems and equipm
(medicinal) product including risk analysis.
- Risk-based compliance was an important element of the FDA's Pha
cGMP Initiative for the 21st Century in 2002 (4).
- Risk-based compliance was also a key component in the FDA's ne
for dealing with electronic records and signatures: 21 CFR Part 11
- Probably the single most important document related to risk manag
pharmaceutical industry is the ICH Q9 "Guide on Quality Risk Mana
2005 (6). It describes a systematic approach for risk management
drug development and manufacturing including laboratories.
- The World Health Organization Expert Committee on Specifications
Pharmaceutical Preparation published a paper entitled "Hazard and
Analysis in Pharmaceutical Products" (30). It provides general guid
use of Hazard Analysis and Critical Control Points (HACCP) to ens
of pharmaceuticals.
- The Pharmaceutical Inspection Convention/Cooperation Scheme (
an example of a methodology for implementing ICH Q9 in the pharm
field (29).

Risk management is well known and practiced in many industries
industry task forces have developed guidance documents that

- In 2001 GAMP published the "Guide for Validation of Automated Sy
(GAMP 4)" (7). Appendix M3 was dedicated to risk assessment. It
focuses on risk-based validation of computer systems.
- Its successor GAMP 5 was released in 2008 (8). The title: 'A Risk-Based
Approach to Compliant GxP Computerized Systems' indicates that
guide is focused on risk-based compliance of computerized system
- The Global Harmonization Task Force (GHTF) has published a risk
guidance for the medical device industry titled: 'Implementation of R
Management Principles and Activities within a Quality Managemen
- In 2000 ISO published a standard 14971:2000: 'Application of Risk
to Medical Devices'. Even though it was developed for medical dev
also recommended the approach for pharmaceutical applications. T
was updated in 2007 (10).
- In 2009 ISO released two more standards: ISO 31000 on "Risk Ma
Principles and Guidelines" (11) and ISO 31010 on "Risk Assessme
Techniques" (12). Both standards are applicable to all industries.

Private authors and professional service providers have published
general recommendations for risk management which are also relat

- R. Jones (13) gave an overview of risk management for pharmace
development and manufacturing with an introduction to risk assess
techniques and with focus on probabilistic risk assessment (PRA).
- Campbell (14) discussed how quality risk management principles c
to achieve a practical equipment verification strategy.
- Several authors contributed to a book: "Risk Management in the Ph
Industry" (34). The book includes introductory chapters on regulato
requirements and risk management tools followed by a total of six c
- J.L. Vesper (33) authored a book titled: "Risk Assessment and Ris
in the Pharmaceutical Industry: Clear and Simple". The book gives
of the risk management process and some of the more commonly u
assessment methods and tools. It also examines how the various t
applied to identifying hazards and evaluating their potential impact
- Huber (15) applied the concepts of risk management to the validati
commercial off-the-shelf computer systems.
- K. O'Donnell and A. Green described a risk management solution d
facilitate risk-based qualification, validation and change control act
GMP and the pharmaceutical regulatory compliance environment in
two parts. Part I (35) gave an overview on fundamental principles a
criteria outlined in the process and Part II (36) focused on tools, st
limitations, principle findings and novel elements.

Most literature publications give a general overview on risk managem
and also offer tools that help for easy implementation. For example, L
offers a "Risk Management Master Plan" (16), several SOPs (17studies (20).

Regulations, Guidelines and Quality Standards

Regulatory agencies expect (bio)pharmaceutical risk management to
associated with development and manufacturing of medicinal products
other task forces have developed guidelines and standards that he
understand and implement risk management processes. This cha
overview of the most important regulations, guidelines and quality stan


United States Food and Drug Administration (FDA)

FDA 21 CFR 820: Quality System Regulation (2)

This regulation was released for medical devices in 1996. The regula
risk-based design validation.

30(g): Design validation. Each manufacturer shall establish and
procedures for validating the device design. Design validation shal
under defined operating conditions on initial production units, lots, b
their equivalents. Design validation shall ensure that devices confo
user needs and intended uses and shall include testing of productio
actual or simulated use conditions. Design validation shall include s
validation and risk analysis, where appropriate.

FDA Guidance: General Principles of Software Validation (2002) (21

The guidance was developed for validation of software used in medica
FDA clearly spelled out the basic idea of risk-based compliance:
efforts should be commensurate with the complexity of the software d
risk associated with the use of the software.

This guidance recommends an integration of software life cycle ma
and risk management activities. Based on the intended use and the
associated with the software to be developed, the software develo
determine the specific approach, the combination of techniques to
the level of effort to be applied.
The selection of validation activities, tasks and work items should
commensurate with the complexity of the software design and the r
associated with the use of the software for the specified intended
For lower risk devices, only baseline validation activities may be c
the risk increases additional validation activities should be added t
additional risk.

Pharmaceutical cGMPs for the 21st Century: A Risk-Based Approa

With this document the FDA introduced risk management to the p

Risk-based orientation: In order to provide the most effective publi
protection, the FDA must match its level of effort against the magn
Resource limitations prevent uniformly intensive coverage of all ph
products and production. Although the agency has already been im
risk-based programs, a more systematic and rigorous risk-based a
be developed.


FDA Guidance: Part 11, Electronic Records; Electronic Signatures
Application (2003) (5)

In this guidance the FDA documented the new approach for electroni
signatures. They recommended basing the decision on how to i

We recommend that you base your approach on a justified and doc
assessment and a determination of the potential of the system to a
quality and safety and record integrity.
We recommend that your decision on whether to apply audit trails
based on "a justified and documented" risk assessment.

FDA Guidance: Quality Systems Approach to Pharmaceutical CGM
Regulations (2006) (22)

Risk management is one of the focuses of this guidance. Risk-base
are expected to be used for setting specifications and process
qualification of personnel, selection of quality unit (QU) personnel an

Quality risk management is a valuable component of an effective q
framework. Quality risk management can, for example, help guide t
specifications and process parameters for drug manufacturing, ass
mitigate the risk of changing a process or specification and determ
of discrepancy investigations and corrective actions.
In a quality system, personnel should be qualified to do the tasks th
assigned to them in accordance with the nature of, and potential ris
operational activities.
Although QU personnel should not take on the responsibilities of ot
the organization, these personnel should be selected based on the
and technical understanding, product knowledge, process knowledg
assessment abilities to appropriately execute certain quality functio
quality systems feature is also found in the cGMP regulations, whic
specific qualifications, such as education, training and experience
combination thereof (see 211.25 (a) and (b)).
The quality systems approach also calls for periodic auditing of sup
on risk assessment.
Although the cGMP regulations (211.180(e)) require a product revi
annually, a quality systems approach calls for trending on a more fr
as determined by risk.
As with other procedures, audit procedures should be developed a
documented to ensure that the planned audit schedule takes into a
relative risks of the various quality system activities, the results of
audits and corrective actions, and the need to audit the complete s


European Regulations

The Council Directive 93/42/EEC of 14 June 1993 Concerning Med
(1) requires a risk-based design and manufacture validation and reducin
acceptable levels.

The devices must be designed and manufactured in such a way tha
under the conditions and for the purposes intended, they will not co
clinical condition or the safety of patients, or the health and safety
where applicable, other persons, provided that any risks which may
associated with their use constitute acceptable risks when weighe
benefits to the patient and are compatible with a high level of prote
and safety.
The solutions adopted by the manufacturer for the design and cons
devices must conform to safety principles, taking account of the ge
acknowledged state of the art.
In selecting the most appropriate solutions, the manufacturer must
following principles in the following order:
- Eliminate or reduce risks as far as possible (inherently safe desig
- Where appropriate take adequate protection measures including
- In relation to risks that cannot be eliminated, inform users of the r
due to any shortcomings of the protection measures adopted.

Annex 15 to the EU GMPs Validation and Qualification (3) has legal
risk-based approaches to validation and for changes to facilities, system

A risk assessment approach should be used to determine the scop
of validation.
The likely impact of the change of facilities, systems and equipmen
product should be evaluated, including risk analysis.

Annex 11 to the EU GMPs Using Computerized Systems (23)

controls for computerized systems on a justified and documented risk as
Once finalized the Annex will have legal status.
Extent of validation and data integrity controls should be based on
documented risk assessment.

Pharmaceutical Inspection Convention/Cooperation Scheme (PIC/

The PIC/S Good Practices Guide on using Computers in GxP Envir
(24) was developed for inspectors but it is also a good source documen
firms. Risk-based approaches are recommended throughout the life of a

For GxP regulated applications it is essential for the regulated use
requirement specification prior to selection and carry out a properly
risk analysis for the various system options.
The inspector will consider the potential risks as identified and doc
the regulated user, in order to assess the fitness for purpose of the
This risk-based approach is one way for a firm to demonstrate that
applied a controlled methodology to determine the degree of assur
computerized system is fit for its purpose. It will certainly be useful
consideration by an inspector.
Regulated users should be able to justify and defend their standard
acceptance criteria, procedures and records in the light of their ow
risk and complexity assessments, aimed at ensuring fitness for pur
regulatory compliance.
The business/GxP criticality and risks relating to the application wi
the nature and extent of any assessment of suppliers and software
The URS should also form the basis for a risk assessment of the s
compliance requirements, in addition to other risks such as safety.
analysis may be based on the FS, which is related to the URS (e.g
systems). The risk assessment and the results including the reaso
ranking as either: 'critical' or 'non-critical' should be documented. T
any GxP risks should be clearly stated.
The risk analyses and the results, together with reasoning for critic
non-critical classifications should be documented. Risks potentially
GxP compliance should be clearly identified.
Inspectors will be interested in the company's approach to identifyi
and the criteria for assessing the fitness for purpose of the system

An informal Working Group within PIC/S has developed an objective
example of methodology for implementing ICH Q9 (29). The documen
training purposes and will not have an impact on PIC/S inspections.

United States Pharmacopeia (USP)

USP develops methodology for specific applications and genera
different analytical aspects for FDA regulated industry. Most recently
and draft chapters recommend risk benefit approaches for testi

<232> Elemental Impurities (Proposal)

The presence of unexpected elemental contaminants, as well as th
impurities likely to be present, should be considered in determining
and planning the risk-based extent of testing.

<467> Residual Solvents

Solvents that are known to cause unacceptable toxicities should be
the production of drug substances, excipients or drug products unle
can be strongly justified in a risk benefit assessment.

International Conference for Harmonization

ICH Q9: Quality Risk Management (6) is the single most important ref
document for risk management for the pharmaceutical industry. ICH focu
scientific knowledge and the link to the protection of the patients as a p
principle. The guide also gives recommendations for implementation.

Two primary principles of quality risk management are:
- The evaluation of the risk to quality should be based on scientific
and ultimately linked to the protection of the patient; and
- The level of effort, formality and documentation of the quality risk
process should be commensurate with the level of risk.
It is neither always appropriate nor always necessary to use a form
management process (using recognized tools and/or internal proce
standard operating procedures). The use of informal risk managem
(using empirical tools and/ or internal procedures) can also be cons

ICH Q9 has been adopted by the European Union and PIC/S in Annex
and PIC/S GMP Guides.

International Organization for Standardization (ISO)

ISO currently has three standards related to risk management: 1497
devices and 31000 and 31010 which are for general purpose risk
projects. ISO 31000 describes principles and guidelines and 31010 ris

ISO 14971:2007 - Application of Risk Management to Medical Devi

This document was developed for medical devices but has also been
by FDA officials for pharmaceutical industry.

This International Standard specifies a process for a manufacturer
hazards associated with medical devices (including in vitro diagnos
medical devices), to estimate and evaluate the associated risks, to
risks and to monitor the effectiveness of the controls.
The requirements of this International Standard are applicable to a
life cycle of a medical device.
This International Standard does not apply to clinical decision maki
This International Standard does not specify acceptable risk levels
This International Standard does not require that the manufacturers
quality management system in place. However, risk management c
integral part of a quality management system.

ISO 31000:2009 - Risk Management - Principles and Guidelines (11

This International Standard provides principles and generic guidelin
management. It can be used by any public, private or community e
association, group or individual. Therefore, this International Stand
specific to any industry or sector.
This International Standard can be applied throughout the life of an
and to a wide range of activities, including strategies and decisions
processes, functions, projects, products, services and assets.
This International Standard can be applied to any type of risk, wha
nature, whether having positive or negative consequences.
Although this International Standard provides generic guidelines, it
intended to promote uniformity of risk management across organiza
design and implementation of risk management plans and framewo
to take into account the varying needs of a specific organization, it
objectives, context, structure, operations, processes, functions, pr
products, services or assets and specific practices employed.
It is intended that this International Standard be utilized to harmoniz
management processes in existing and future standards. It provide
approach in support of standards dealing with specific risks and/or
does not replace those standards.
This International Standard is not intended for the purpose of certif

ISO 31010:2009 - Risk Assessment Techniques (12)

This International Standard is a supporting standard for ISO 31000
guidance on selection and application of systematic techniques for
Risk assessment carried out in accordance with this International S
contributes to other risk management activities.
The application of a range of techniques is introduced, with specifi
to other International Standards, where the concept and application
techniques are described in greater detail.
This International Standard is not intended for certification, regulato
contractual use.
This International Standard does not provide specific criteria for id
need for risk analysis, nor does it specify the type of risk analysis
required for a particular application.
This International Standard does not refer to all techniques and om
technique does not mean it is not valid. The fact that a method is a
particular circumstance does not mean that the method should nec

Approaches for Risk Management

Risk management can be very simple and straightforward but it can
complex. For example, risk assessment of equipment can be documen
paragraph with a simple statement such as: The risk level is low
equipment does not have any impact on the quality of the finished p
more complex computer system used in pharmaceutical manufactur
management may require an assessment of the criticality of each f
need for testing if the function has a high impact on the system perform

Similarly the vendor risk can be justified and documented on a sing
vendor meets all criteria as required for low risk vendors. This does
than five to ten minutes. On the other hand a full risk mana
pharmaceutical development or manufacturing process can take quite
can fill one hundred pages or more. Whether the process and doc
simple or complex it is always most important that it follows a formal
that the outcome and conclusion are justified and documented. The ris
process as applicable to the (bio)pharmaceutical and device indus
described in several official publications, for example ICH, GHTF and
10) and by private authors. All proposals for risk management include
risk initiation, risk assessment and evaluation, risk mitigation and co
communication and review. This chapter outlines the ICH Q9 proce
recommendations for estimating severity and probability.

The ICH Process

ICH Q9 is the most authentic document for risk manage
(bio)pharmaceutical industry. The guide describes quality risk mana
systematic process from the assessment, control, communication
risks to the quality of the drug along the product life cycle. The guide a
example model for quality risk management but includes a statem
models are also possible. The example model is illustrated in Figure 2.

Risk management projects can be proposed by anybody in an
whenever there is a need for such a project and the proposal is
proposal should describe any problem with background information and
data on potential hazards and harms.


Figure 2: Risk Management Process According to ICH Q9

The project is reviewed, approved and supported by management. Ma

identifies a project owner who, with the help of affected departme
assembles a risk management project team. The team develops a ris
project plan with information on process steps, required reso
deliverables and responsibilities. The plan should also include a prelimi

In the risk assessment phase the team identifies hazards and harms
severity and probability based on criteria as defined in the co
Management Master Plan.
Questions team members should ask are:

What might go wrong?

What is the likelihood (probability) that it will go wrong?
What are the consequences (severity) if something does go wrong

The outcome from this phase is a group of risk priority numbers (RP
from severity and probability. Alternatively ICH permits a qualitative
the terms, for example 'high', 'medium' or 'low'. The qualitative desc
number can be compared with risk acceptance criteria as generally
Risk Management Master Plan or by management specifically for the
risk number or corresponding qualitative description exceeds the acce
is reduced. After reduction the residual risk is evaluated again and a
resulting risk is lower than the acceptable risk.

The outcome of the risk management process is communicated t

makers and any others who might be affected by this process. T
reviewed for existing and possible new hazards on an ongoing basis
new hazards may be identified or the defined level for probability
Everybody affected by the project is encouraged to actively monitor th
give feedback for possible updates.

Criteria for Severity, Probability and Risk Acceptance

Defining a process and objective criteria for severity (S) and prob
criteria for risk acceptance is most important for risk assess
international standards nor regulatory guidance documents require th
method is used. Severity in general means: How big is the problem
Probability means: What is the likelihood that a problem occurs? For e
hazard the probability and severity factors are estimated and associa
categories. The number of categories is usually 3, 5 or 10 but can be
to or more than 10. ICH does not give any preference. The c
management should give recommendations on how to decide how
should be used. The number can be fixed in the master plan for all p
can allow two or three options. For example, the final number for a s
could be dependent on the confidence of the estimates.

The first part of this chapter suggests a procedure to estimate seve

and the overall risk of an identified hazard. The second part has rec
on how to define objective criteria and a process for assigning levels
and severity.
Procedure for Estimating Probability and Severity

The scales can be qualitative, quantitative or semi-quantitative. Unl

thorough statistical or other reliable data available, the scales should
qualitative. An example for a qualitative description of probability w
'medium' or 'low'. Equivalent semi-quantitative expressions would be
'once a day', 'once a week' or 'once a month'. Figure 3 shows more
qualitative and semi-quantitative descriptions for severity and Fig
equivalent examples for probability.

Figure 3: Examples for Qualitative, Semi-Quantitative and Qua
Categories for Probability
[Figure 3 is a table whose cells were scattered in extraction. Recoverable rows, from highest to lowest probability: Very high / Likely to happen / Every day; (label lost) / Every 3 days; (label lost) / Every week; (label lost) / Can happen / Every 3 weeks; Very low / Every 2 months.]

Figure 4: Examples for Qualitative and Semi-Quantitative Risk C
[Figure 4 is a table whose cells were scattered in extraction. Recoverable rows, from highest to lowest severity: Very high / Death or permanent injury / Loss > $50 million; (label lost) / Injury for up to 1 month / Loss $10-50 million; (label lost) / Temporary injury for 2 days requiring professional medical treatment / Loss $2-10 million; (label lost) / Temporary injury for 2 days not requiring professional medical treatment / Loss $500 thousand - $2 million; Very low / Temporary discomfort for 2 days / Loss < $500 thousand.]


Probability of detection has also been suggested as a risk measu

option but it is not a must. One can argue that severity factors in
probability of detection is low. It should be considered under specific
decide whether the risk could be included or not.

It is most important to make the risk analysis and evaluation as

possible. A frequent mistake is that individual members tend to rate
high risk. One way to ensure objectivity across an organizatio
assessment criteria and examples for severity from the corporate Ris
Master Plan. The probability data should be derived from available em
the same or similar systems or processes. If such data are not ava
most unfavorable situation should be used for the initial risk assessme

Documentation of the severity factors should include a scientific just

all the risks have been discussed and rated, the team reviews the
comparison. Adjustments should be made for RPNs that are considere

Graphical Determination of the Overall Risk

After values for severity and probability have been assigned, the
determined. This can be done graphically as shown in Figure 5. Seve
medium and high are drawn as columns and probability as rows. All cel
low risk, in yellow medium risk and cells in red are defined as high risk.


Figure 5: Graphical Determination of Risk

The equivalent graph including detectability is shown in Figure 6. Risk

Figure 5 is drawn using detectability as columns starting with high on th


Figure 6: Graphical Determination of Risk including Detectability

Determination of the Overall Risk with Risk Priority Numbers

Levels for severity as described before can be converted to number

'low' becomes a 1, 'medium' a 2 and 'high' a 3. This is especially
assigning the risk for routine applications for the determination of the o

Risk priority numbers (RPNs) are calculated from severity and pro
using the formula:
RPN = Severity (S) x Probability (P)

Risk (RPN) is expressed as the multiplication of severity with occurren

RPN = S x O.

In the example in Figure 5 the RPN can go from 1 in the left lower cell t
upper cell. RPNs from 1 to 2 are equivalent to low, 3 to 5 are medium
high risk.

This procedure is much more flexible than the graphical determination

for specific situations weight factors can be added to probability and
this case the formula could look like:
RPN = 2S x P
This means the impact is double weighted compared to probability.

Another advantage of using numerical values is that multiple risk types


combined. For example, non-patient related business risk can be c

patient risk using the formula:
RPN = S x (P (Business) + S x P (Patient))
Again weight factors can be added, for example, if the patient risk is
be more important than non-patient related business risks.

This procedure also easily allows using detectability as a contributin

overall risk. But first, categories for the detectability have to be a
categories have to be converted to numbers. The resulting formula is:
RPN = S x P x 1/D

Working with calculated numbers is very easy but unless there is a go

about the meaning they don't tell us anything about the absolute ri
cause problems when values for severity, probability and detectabil
assigned. Therefore, a good practice is using qualitative or quantitativ
during initial ranking and then allocating numbers to the descriptions.
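
The conversions and formulas above, as an added example that is not code from the tutorial: qualitative ratings mapped to 1..3, the RPN variants (S x P, 2S x P, S x P x 1/D and the combined business/patient formula as written above), and the Figure 5 bands (1-2 low, 3-5 medium, above 5 high). The function and constant names are the example's own.

```python
# Added example (not part of the tutorial): qualitative ratings converted to
# numbers and the RPN variants described above evaluated on a 3-category scale.

LEVELS = {"low": 1, "medium": 2, "high": 3}


def to_number(rating):
    """Convert 'low'/'medium'/'high' (or an int already on the 1..3 scale) to a number."""
    if isinstance(rating, int):
        if rating not in (1, 2, 3):
            raise ValueError(f"rating {rating} is outside the 1..3 scale")
        return rating
    return LEVELS[rating.strip().lower()]


def rpn(severity, probability, severity_weight=1, detectability=None):
    """RPN = S x P.  severity_weight=2 gives the tutorial's weighted form 2S x P;
    a detectability rating D (1..3, higher = easier to detect) gives S x P x 1/D."""
    value = severity_weight * to_number(severity) * to_number(probability)
    if detectability is not None:
        value = value / to_number(detectability)
    return value


def combined_rpn(severity, p_business, p_patient):
    """Tutorial formula combining business and patient risk, written there as
    RPN = S x (P(Business) + S x P(Patient))."""
    s = to_number(severity)
    return s * (to_number(p_business) + s * to_number(p_patient))


def risk_band(value):
    """Band an unweighted S x P value on the 3x3 matrix of Figure 5:
    1-2 low, 3-5 medium, 6 and above high (6 and 9 are the only cells above 5)."""
    if value <= 2:
        return "low"
    if value <= 5:
        return "medium"
    return "high"


def risk_matrix():
    """The Figure 5 matrix as a dict {(severity, probability): band}."""
    return {(s, p): risk_band(s * p) for s in (1, 2, 3) for p in (1, 2, 3)}


def render_matrix():
    """Text rendering: probability as rows (high at the top), severity as columns,
    which is the layout the tutorial describes for the graphical determination."""
    m = risk_matrix()
    lines = ["P\\S   low     medium  high"]
    for p, label in ((3, "high"), (2, "medium"), (1, "low")):
        cells = [f"{m[(s, p)]:<8}" for s in (1, 2, 3)]
        lines.append(f"{label:<6}" + "".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_matrix())
    print("2S x P, medium severity, low probability:", rpn("medium", "low", severity_weight=2))
    print("S x P x 1/D, all high:", rpn("high", "high", detectability="high"))
```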
Estimating Severity of Potential Harms

There are several factors that contribute to the severity of potentia

(bio)pharmaceutical and device industry. The final ranking is derived
factors. ICH Q9 recommends using patient safety as the main criteri
the decision on estimating levels on a scientific judgment.
Factors contributing to severity typically include:
Impact on Product Quality

The question here is if the potential harm has a direct impact on p

which means that any failure cannot be corrected before a new dru
product is approved for marketing or before a batch is released for sh
case the probability of detecting the problem is low or zero. An e
analysis system used in a quality control laboratory where analysis re
as criteria whether to release a batch or not.
Impact on People's Health and Safety

Poor product quality as discussed in the previous paragraph only play

role if the poor quality can have an adverse impact on consumers. Thi
into health effects for patients. An example for high severity is when
quality can cause sickness that requires treatment in a hospital.
Impact on Business Continuity

This is related to a company's ability to timely market a new product a

the system and process uptime for continuous shipment of products. T
the level comes from the question: How big is the loss in $ due to
product approval or shipment stoppages?
Impact on Compliance


This is related to the risk of failing regulatory inspections and rece

multiple warning letters or inspectional observation reports. Consequ
shipment stops, substantial amounts of reengineering to fix problems
to implement corrective actions.

There are other indirect factors like claims by end-users, product l

product recalls and a company's reputation, e.g., if problems with pro
compliance become public.
Estimating Probability of Potential Harms

Probability should answer the question: What is the likelihood tha

hazard occurs? Probability should be expressed in occurrence per t
source for reliable probability data is experience with the same or sim
system. One important point is that we should look at the circu
complete sequence from the occurrence of the hazard through to the
the harm. A specific hazard may not always cause harm.

The probability should be estimated by subject matter experts. Possi

data are:

Historical data from using the same process or system.

Historical data from using a similar process or system.
For equipment and systems: Information from the vendor, for exam
estimates, costs for guaranteed uptime and extended warranty.
Initial production data.

Sources can be used individually or jointly. Preferably multiple sour

used to increase the confidence level.

Estimates are very difficult to make when no historical data are a

workaround you can ask if within the same company either at the s
sites adequate data are available. Even if the information cannot be
you can look at similarities and differences and add uncertainties acco

Most critical is the situation for new systems. In this case estim
supplier can be used to judge what could possibly go wrong. Howeve
having a very good relationship based on trust with the supplier.

If no data are available the probability level should be based on th

Risk Threshold

The risk threshold is a measure on how much risk a company is willin

expressed on a scale of very low risk tolerance to very high risk to
risk threshold means a company is not willing to take a risk and a
means the company is willing to accept a lot of risk. The RT is pro
project team for each risk management process and should be
management. For example, when looking at computer system valid


threshold is higher for a system used in early product development

same system is used in manufacturing control. Similarly processes
manufacturing can take higher risk factors than processes for manufac
because of additional quality control of finished drugs that can also r
problems of APIs. Recommendations on how to apply the RT and ex
be documented in the Risk Management Master Plan.

Figure 7: Risk Priority Number vs. Risk Threshold

The relationship between the RPN and the RT is shown on two exampl
On a scale of 0 to 10 the risk factor is determined as approximately 6
this RPN is higher than the RT (approximately 3) which means it shou
to below 3. In Example 2 the RPN is lower than the RT, so it is ac
procedure requires that the RPN and RT numbers should be normali
the same range.
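
The RPN-versus-RT comparison above, as an added example that is not code from the tutorial: RPN (here S x P on the 3x3 scale, so 1..9) and RT (on 0..10) are normalized to a common range, and controls are applied one at a time, re-evaluating the residual risk after each, until it is below the threshold. The control names and their effects are constructed for illustration.

```python
# Added example (not from the tutorial): RPN and risk threshold (RT) normalized
# to a common 0..10 range, then controls applied until the residual risk is
# below the threshold, re-evaluating after each reduction step.


def normalize(value, scale_max, target_max=10.0):
    """Map a value on 0..scale_max onto 0..target_max so RPN and RT are comparable."""
    if not 0 <= value <= scale_max:
        raise ValueError(f"{value} is outside 0..{scale_max}")
    return value * target_max / scale_max


def is_acceptable(rpn_value, rpn_scale_max, rt, rt_scale_max=10):
    """True when the normalized RPN is strictly below the normalized RT
    (the tutorial asks for reduction to *below* the threshold)."""
    return normalize(rpn_value, rpn_scale_max) < normalize(rt, rt_scale_max)


def reduce_until_acceptable(severity, probability, rt, controls, scale_max=9):
    """Apply controls in order until the residual RPN (S x P, ratings 1..3, max 9)
    is acceptable against rt (given on 0..10).
    controls: list of (name, severity_reduction, probability_reduction).
    Returns (residual_rpn, applied_control_names, acceptable)."""
    applied = []
    residual = severity * probability
    if is_acceptable(residual, scale_max, rt):
        return residual, applied, True          # tutorial's Example 2: nothing to do
    for name, d_s, d_p in controls:
        severity = max(1, severity - d_s)       # ratings never drop below 1
        probability = max(1, probability - d_p)
        applied.append(name)
        residual = severity * probability       # re-evaluate the residual risk
        if is_acceptable(residual, scale_max, rt):
            return residual, applied, True
    return residual, applied, False             # controls exhausted, still too high


# Constructed case resembling the tutorial's Example 1: an initial RPN of 6 on the
# 1..9 scale against an RT of 3 on 0..10, mitigated by two hypothetical controls.
CONTROLS = [
    ("automated in-process check lowers occurrence", 0, 1),
    ("downstream QC test limits the consequence", 1, 0),
]


if __name__ == "__main__":
    residual, applied, ok = reduce_until_acceptable(3, 2, 3, CONTROLS)
    print(f"residual RPN {residual} ({normalize(residual, 9):.2f} on 0..10), "
          f"acceptable={ok}, after: {applied}")
```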

Tools and Methodologies for Risk Management

Tools are important to make the entire risk management process

consistent. They can be as simple as templates in Microsoft Word or
be filled out by risk management team members and other individu
hazards and harms and to justify and document risk priority numbers
steps. Tools can also include software to guide risk management


through the full risk assessment process. The most well-established f

risk assessment are: Failure Mode Effect Analysis (FMEA), Fault
(FTA), Preliminary Risk Analysis (PRA), Hazard, Hazard Opera
(HAZOP) and Hazard Analysis and Critical Control Points (HACCP). Fo
be categorized into deductive and inductive tools. Inductive techniqu
question: What if something bad happens? Deductive techniques loo
problem and answer the question: What caused it to happen? An e
inductive tool is FMEA and an example for a deductive tool is FTA.

While these formal tools have often proved to be efficient and reliable in ris
and risk control of specific projects, a systematic use of these tools
areas with requirement for risk assessment would generally be inc
existing resources. ICH Q9 also has a comment about using tools
always appropriate nor always necessary to use a formal risk manage
(using recognized tools and/or internal procedures e.g., stand
procedures). The use of informal risk management processes (using
and/or internal procedures) can also be considered acceptable". Wh
more empirical tools have been used there is a tendency nowadays
established formal tools.

All tools, whether they are simple or complex have one disadvantage
replace subject expert knowledge! The output is only as good as th
important is that inputs should not only come from single individuals b
risk management team that has all the required knowledge and expertis

This chapter will describe some of the most frequently used tools. Th
describes examples of informal tools that are mainly used to docume
They include tables, templates, forms and examples and also a Risk
Master Plan, internal procedures, a risk database and software tools.
part of the chapter we describe and move on to more soph
well-established methodologies. Figure 8 lists some of the mo
methodologies with advantages and limitations.

Figure 8: Formal Risk Management Methodologies
[Figure 8 is a table comparing formal methodologies such as HACCP, FTA and FMEA by description and use, advantages and limitations; its cells were scattered in extraction and are not reproduced here.]

Informal Tools

Informal tools are simple and easy to use. They are recommended
that are not so complex and if there is not much experience with ris
within a company. They are useful to make all risk assessment and
processes consistent and effective. They are also quite usefu
preliminary documentation which is used when making the decision to
moving a risk management project forward to a more detailed risk man
established methodologies.
The Importance of a Generic Risk Management Master Plan

One of the biggest challenges in risk management is to make assess

which means make it independent from subjective opinions of individ
look at risk from just one angle. Legislation does not give any solution
problem and different risk methods as well as private authors give diff
to the problem.

For example, recommended numbers for probability range from 0 to 1

and severity can vary from 1 to 3, 5 or 10. Some methods include "d
"discovery probability" in the formula and there is even inconsistency i
used for calculation. The subjectivity problem has also been brought
Each stakeholder might perceive different potential harms, plac
probability on each harm occurring and attribute different severities to

However, while it may be very difficult to get a common understandi

industry on the formal process and criteria to assess a risk, it should
get this understanding within a company. The outcome of the same ris
process should be consistent within a company, no matter who is doing

Master plans in general are excellent tools to get a common und

specific topics. For example, validation master plans are well
frequently used to ensure consistency and effectiveness of validation
Management Master Plans with specific examples are even more imp
ensure objectivity for criteria such as severity and probability. As
Management Master Plan provides a framework and practices for ris
of processes and equipment. It also ensures that risk assessment an
carried out efficiently and consistently throughout the organizatio


meeting regulatory, customer, quality and business requirements. Th

ensure that the company's risk management procedures are based o
that they are understood and followed throughout the organization.

The risk management document is the first and most important docume
be available when starting individual risk management processes. It i
individual Risk Management Project Plans and is the reference docum
management projects, no matter which risk management methodology
This master plan describes:

The company's risk management policy.

The links between the company's organizational objectives and pol
risk management policy.
Relationship of the risk management plans with other documents, e
master plans or quality manual.
The approach to the company's risk management process.
Members of risk management teams (by function).
Responsibilities of the project leader and team members.
Products and processes that should be covered by risk manageme
Contents of individual Risk Management Project Plan.
Detailed steps for risk management.
How the likelihood is defined.
How to identify risk levels.
Factors contributing to high and low severity.
Definition and determination of RPNs with examples.
Criteria and examples for acceptable risk thresholds.
How to make a high-level risk assessment.
Communication of project status and outcome of risk management
Frequency and procedures for ongoing review.

The Risk Management Master Plan should be developed by a cross-f

at the highest level possible. Preferably the corporate QA department s
project and also ensure that the concepts are implemented for individ
management projects.

Step-by-step procedures should be developed for initiating, impl

updating individual application-specific risk management projects.
risk-based supplier assessment, risk-based computer system
risk-based testing of starting materials for drug manufacturing. Develop
of such procedures should be controlled by corporate quality assura
consistent use throughout the organization.


Templates and Forms

Templates and forms with examples and process flow charts are simp
tools to improve consistency and efficiency for risk identification, e
control. They can be part of SOPs or the Risk Management Master Pl
be individual documents. Examples are specifically important to gi
ranking risk elements such as probability, detectability and severity.
Examples and Case Studies

As organizations gain experience with risk management projects and

projects have been executed, a library with representative examp
developed. The examples help risk management project managers
identify, evaluate and control risks. The library should include both
examples. Each example should include recommendations on how to
similar projects.

Checklists are lists of hazards, possible harms and controls tha

developed from experience either as a result of previous assessment
a result of past failures or from daily product or process support. For e
help desk can generate such a list for various computer systems.
checklists is not to forget common important hazards and control steps
Risk Database

A corporate database with examples for risk hazards and harms with
helps to facilitate the collection and maintenance of risk data. Relati
numbers for severity and probability and mitigation steps also help
assessment within a company. While initially there may be no or very l
a database will provide increased value over time when databases
with data from more risk management projects.

Software for Risk Assessment and Risk Manageme

To be added later

Failure Modes, Effects and Criticality Analysis (FMECA)

Failure Modes and Effects Analysis (FMEA) evaluates a produc


strengths and weaknesses, for potential problem areas, risks or failu

prevents failures before they occur. FMECA adds evaluation of
including severity, occurrence and detectability and tries to answer the

How can a product or process fail?

What is the likelihood that it fails and if so, what is the likelihood th
will be detected? and,
What will be the effect on the rest of the process or system if a fa
and is not detected such that it can be corrected?

FMEA has the highest impact and should be performed during design o
of a product or process when failures are less expensive to addres
powerful tool to improve product reliability and reduce design, dev
manufacturing costs. FMEA is a bottom up approach to failure mode a
be used to evaluate failures that can occur when designing or running
when designing, developing or operating equipment. FMEA helps
manufacture a trouble-free product. Identified failures in a product o
corrected before they occur to ensure trouble-free functioning and ope

FMEA and FMECA are the most generic risk management methodologi
applied to a large variety of applications.

For example, they can be used during design and manufacturing of equ
as to set up and optimize qualification and maintenance plans for equ
design FMEA can help to select the best design alternative and impro
of procedures and processes. Both methodologies are also used as
screening method for complex risk management before the project is m
to more time-consuming methodologies.
Advantages and Limitations
FMEA and FMECA have many advantages. They include:

Wide applicability from design to manufacturing, servicing and mai

mechanical and electronic equipment.
Identifies failure modes, their causes and effects on the system.
Ideal for simple to medium complex systems.
Limitations include:

Optimized for single individual failure modes, but they don't work we
combinations of failure modes.
Can be time-consuming for complex systems.


Assessment Process

FMEA and FMECA require a very good knowledge of the product or

assessment process is the same as described in Figure 10.

1. Select a team and team leader. All team members must be subject
2. Select the FMECA form from the company's Risk Management Ma
not available, create one.
3. Train team members on the process and on criteria for ranking like
occurrence and impact of failure when it occurs.
4. Make the team members familiar with the design of the product or p
ensure that all team members have the same understanding. This c
distributing product and process documentation supported by flow d
5. Set up one or more brainstorming meetings. Multiple sessions are
for complex product/process designs. Individual sessions can focu
of the entire product/process.
6. Brainstorm the product or process design for possible failures. Doc
outcome on a flipchart.
7. Sort all suggested failures by categories.
8. Combine or remove similar or duplicate entries.
9. Document potential effects on the system, subsequent operation a
(e.g., patient).
10. Assign rating factors for each identified severity, occurrence and d
Definition and scale of rating factors should be taken from the com
Management Master Plan not only to ensure objectivity and consis
project team but also with other risk management projects. Justify
reference to the plan. For occurrence, historical data from the sam
projects can be used.
11. For each identified effect list all possible causes of failures with jus
and with all uncertainties.
12. Calculate the risk priority number using the formula from the Risk M
Master Plan. The RPN is a measure for the overall risk associated
13. Take actions to reduce potential critical risks.
14. Assign owners, a schedule and deliverables for the actions.
15. After the action has been implemented make a new rating for seve
occurrence and detection and calculate the RPN.
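
Steps 9 to 15 of the procedure above, as an added example that is not code from the tutorial: a minimal FMECA worksheet with constructed failure modes for an analytical instrument in a QC laboratory. The RPN formula is passed in as a parameter because the tutorial takes it from the Risk Management Master Plan; the default used here is the tutorial's S x P x 1/D with D as detectability (higher = easier to detect). Class and function names, ratings, the threshold and the action are the example's own.

```python
# Added example (not from the tutorial): an FMECA worksheet for steps 9-15.
# Failure modes, ratings, threshold and action are constructed for illustration.
from dataclasses import dataclass


@dataclass
class FailureMode:
    mode: str
    effect: str              # step 9: effect on the system / subsequent operation / patient
    causes: list             # step 11: possible causes, with justification in practice
    severity: int            # step 10: ratings on the master plan's scale (1..3 here)
    occurrence: int
    detectability: int       # higher = easier to detect
    action: str = ""         # steps 13/14: action, owner and schedule
    owner: str = ""
    due: str = ""
    rerated: tuple = None    # step 15: (S, O, D) after the action has been implemented


def tutorial_formula(s, o, d):
    """Tutorial's RPN = S x P x 1/D, with occurrence O used as the probability P."""
    return s * o / d


def rpn_of(fm, formula=tutorial_formula, after_action=False):
    """Step 12: RPN before (default) or after the action, using the plan's formula."""
    if after_action:
        if fm.rerated is None:
            raise ValueError(f"{fm.mode!r} has not been re-rated yet")
        return formula(*fm.rerated)
    return formula(fm.severity, fm.occurrence, fm.detectability)


def rank(worksheet, formula=tutorial_formula):
    """RPN per failure mode, highest first."""
    return sorted(((fm.mode, rpn_of(fm, formula)) for fm in worksheet),
                  key=lambda t: -t[1])


def critical(worksheet, threshold, formula=tutorial_formula):
    """Step 13: modes whose RPN meets or exceeds the master-plan threshold."""
    return [fm for fm in worksheet if rpn_of(fm, formula) >= threshold]


def assign_action(fm, action, owner, due):
    """Step 14: record the action, its owner and its schedule."""
    fm.action, fm.owner, fm.due = action, owner, due
    return fm


def rerate(fm, severity, occurrence, detectability):
    """Step 15: new rating after implementation; returns (RPN before, RPN after)."""
    before = rpn_of(fm)
    fm.rerated = (severity, occurrence, detectability)
    return before, rpn_of(fm, after_action=True)


def example_worksheet():
    """Constructed failure modes for a chromatography instrument in a QC lab."""
    return [
        FailureMode("Integration parameters changed without audit trail",
                    "Out-of-spec result reported as passing",
                    ["user rights too broad"], 3, 2, 1),
        FailureMode("Instrument calibration overdue", "Biased results",
                    ["no calendar reminder"], 2, 2, 3),
        FailureMode("Sample mix-up at injection", "Wrong batch released",
                    ["manual vial labelling"], 3, 1, 2),
    ]


if __name__ == "__main__":
    ws = example_worksheet()
    for mode, value in rank(ws):
        print(f"{value:5.2f}  {mode}")
    for fm in critical(ws, threshold=3):          # threshold assumed from the plan
        assign_action(fm, "restrict parameter changes; audit-trail review before release",
                      "QC system owner", "constructed date")
        print(fm.mode, "before/after:", rerate(fm, 3, 1, 3))
```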

In the brainstorming meeting the risk management team identifie

failures. Most important for new products and processes is informa
engineers who have designed the product or process even though they
in admitting that failures may occur. For products that have been in


time the user of the products and support engineers are excellent re
can not only provide good information on which failures may occur but
predict the likelihood of occurrence and the severity of a failure.

The overall risk number is calculated from the probability and sev
decision is made on which potential failures require risk reduction. Pos
actions could be redesign of products or processes such that either the
occurrence or severity factors are reduced such that the overall risk p
is also reduced.

Fault Tree Analysis (FTA)

Fault Tree Analysis is a deductive tool that assumes a failure of the fu

product or process. It can be used as a qualitative and quantitative str
is used to define a particular event and identify its causes. Results a
visualized in a tree of fault modes and this is where the name com
diagrams can be used to identify the pathways from the base
undesired events. The methodology is particularly useful to examine
equipment, facilities and operational conditions.

FTA identifies the potential root cause(s) ('basic events') of the spec
hypothetical event. Problems can be caused by design and engineerin
also by human factors. When the root cause is unlikely to be a single
basic event, 'cut sets' of all scenarios can be defined which
top event.
Advantages and Limitations
FTA has advantages and limitations.
Advantages are:

Highly systematic but also flexible.

The 'top-down' approach focuses attention on the failure effects wh
directly related to the top event.
Useful for analyzing systems with many interfaces.
Pictorial representation helps to easily understand the system beh
Limitations are:

Uncertainties in the probability of the base events are included in t

calculations of the probability of the top event.
The static model does not address time interdependencies.
Fault trees can only deal with binary states (failed/not failed).

Steps for FTA Analysis


Steps for FTA analysis include:

1. Form a Team and Determine a Team Leader

Team members should be experts in the application, and either have k

experience in FTA methodology or get trained; with emphasis on ho
standardized symbols used in a flow chart.
2. Definition of a Problem and Justification of the Project

Define the event or describe what it is that should be prevented.

amount of work for a complex FTA analysis can be significant, the prim
the project should be well justified. The definition should also clearly
scope and boundaries of the project. Most important is to clearly
event and to keep it in line with the project scope.
3. Construction of the Fault Tree

After team members have acquired all the information about the pr
possible root causes that could lead to the unwanted event. These
are linked through "intermediate" events to the top event in a flow
connection between top and basic events defines logical pathways sh
A basic event can cause the unlikely event (top event) on its own or
with others (cut sets).
4. Evaluate the Fault Tree

This step prioritizes basic events based on probability data. That kind o
is only useful if such data are available.
5. Prepare a Report

The report should include a description and scope of the proje

description, all relevant process flow diagrams, fault tree analysis li
FTA flow chart. It should also include a conclusion of the analysis
original question.
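
Steps 3 and 4 above, as an added example that is not code from the tutorial: a small fault tree built from AND/OR gates, its minimal cut sets (a basic event alone or a combination that reaches the top event) and the top-event probability from basic-event probabilities. The tree, event names and probabilities are constructed; the calculation assumes independent basic events that each appear once in the tree, which holds for this example.

```python
# Added example (not from the tutorial): fault tree with AND/OR gates, minimal
# cut sets and top-event probability. Tree and probabilities are constructed.
from itertools import product
from math import prod


class Basic:
    """A basic event (potential root cause) with an estimated probability."""
    def __init__(self, name, prob):
        self.name, self.prob = name, prob

    def cut_sets(self):
        return [frozenset([self.name])]

    def probability(self):
        return self.prob

    def basics(self):
        return {self.name: self.prob}


class Gate:
    """An intermediate or top event: OR (any child suffices) or AND (all needed)."""
    def __init__(self, name, kind, children):
        if kind not in ("AND", "OR"):
            raise ValueError("gate kind must be 'AND' or 'OR'")
        self.name, self.kind, self.children = name, kind, children

    def cut_sets(self):
        child_sets = [c.cut_sets() for c in self.children]
        if self.kind == "OR":                      # any child's cut set is a cut set
            sets = [s for cs in child_sets for s in cs]
        else:                                      # one cut set from each child, combined
            sets = [frozenset().union(*combo) for combo in product(*child_sets)]
        return minimal(sets)

    def probability(self):
        # Independence assumed; the tutorial's caveat applies: uncertainty in the
        # basic-event probabilities propagates straight into this number.
        ps = [c.probability() for c in self.children]
        if self.kind == "AND":
            return prod(ps)
        return 1.0 - prod(1.0 - p for p in ps)

    def basics(self):
        out = {}
        for c in self.children:
            out.update(c.basics())
        return out


def minimal(sets):
    """Keep only cut sets that contain no other cut set (minimal cut sets)."""
    uniq = set(sets)
    return sorted((s for s in uniq if not any(o < s for o in uniq)),
                  key=lambda s: (len(s), sorted(s)))


def ranked_cut_sets(tree):
    """Step 4: each minimal cut set with its probability, most likely first."""
    probs = tree.basics()
    rows = [(tuple(sorted(cs)), prod(probs[e] for e in cs)) for cs in tree.cut_sets()]
    return sorted(rows, key=lambda r: -r[1])


def example_tree():
    """Constructed top event for a QC laboratory; probabilities are illustrative."""
    return Gate("Out-of-specification batch released", "OR", [
        Gate("Wrong result accepted", "AND", [
            Basic("analysis_error", 0.02),
            Basic("review_missed", 0.10),
        ]),
        Basic("label_misprint", 0.001),
    ])


if __name__ == "__main__":
    tree = example_tree()
    print(f"P(top event) = {tree.probability():.6f}")
    for events, p in ranked_cut_sets(tree):
        print(f"{p:.6f}  {' AND '.join(events)}")
```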

Hazard Analysis and Critical Control Points (HACCP)

The Hazard Analysis and Critical Control Points (HACCP) method ori
food management system. The objective is to ensure food safety thro
and preventing known hazards and risks as they may occur at specifi
food chain. As such it is a systematic method for identification, as
control of safety hazards. The methodology is not limited to the foo
has also been suggested for the pharmaceutical, chemical, aviation an
In the scope of this methodology hazards are defined as biologica
physical agents or operations that are likely to cause illness or
controlled. The purpose of HACCP in the pharmaceutical manufacturing
ensure products with quality as specified that are efficient and safe f
and HACCP are not contradictory but rather complementary. Implemen


Manufacturing Practices is facilitated through HACCP methodology wh

environment with well-structured procedures facilitates implementation
HACCP Principles and Methodology

HACCP principles and methodology are very well standardized wh

training and applying the HACCP system. The system addresses all s
material production, procurement and handling, to manufacturing, d
consumption of the finished product. HACCP principles were defined b
Advisory Committee on Microbiological Criteria for Foods (NACMCF)
document was reviewed and updated by the Committee in 1997 (32) a
HACCP was defined as a "systematic approach to evaluate, identi
food safety hazards". The HACCP system is based on seven principles

Conduct a hazard analysis.

Determine critical control points (CCPs).
Establish critical limits for each CCP.
Establish a monitoring system for the CCPs.
Establish corrective actions when the CCP is not under control.
Establish verification procedure to confirm HACCP is working effec
Establish documentation concerning all procedures and records on
principles and their application.

Figure 9 shows a flow diagram with steps for implementation of the HA

Some preparation work is needed before the hazard identification and
Preliminary Task
1. Develop a HACCP Plan

After the project has been initiated by management and after ma

defined a project leader a preliminary plan is drafted by the project le
be product or process specific to address specific situations in the
should also be in line and derived from a company's generic Risk
Master Plan or HACCP Master Plan to ensure efficiency and consisten
the company. The plan should include:
The scope of the project,
steps, tasks,
responsibilities and
a time line.
2. Assemble a HACCP Process Team and Define a Team Leader

Team members should include subject matter experts with specific k

expertise in pharmaceutical engineering. Preferably team members sh

all affected disciplines, e.g.

quality control,
quality engineering and
members of other disciplines directly involved in the plan's day-to-d

The team should also include local personnel who are familiar with c
limitations of the operation. Team members should either have k
experience in HACCP methodology and product safety hazards
training. One of the first tasks of the team is to finalize the HACCP plan

3. Describe the Product or Process and Develop a Flow Diagram o


The description should include the intended use and end users of the p
distribution method. The intended users of a food or drug product may
public or a particular segment of the population, e.g. infants and elder
product description should include a list of specifications e.g., physica

A flow diagram should be developed with the purpose of providing a

outline of the steps in the process which are under the control of the
It should include all process steps such as mixing, drying, cleaning, ble
packaging, labeling, storing and distribution.
4. Verify the Flow Diagram Onsite

This step compares, in a walk-through, the actual operation with th

process documentation, such as product description and flow diagra
objectivity the verification should not be done by the same people
developed the flow diagram. Deviations should be corrected in the flo
Implementing HACCP Principles

After the preparation has been done, the seven HACCP principle
previously are implemented. Steps include:
1. Identify all Potential Hazards

All potential hazards and associated control measures, if available, are

documented for each operational step from receipt of raw materia

release and distribution of the finished product.
2. Conduct a Hazard Analysis

The purpose of the hazard analysis is to develop a list of hazards whi

significance that they are reasonably likely to cause injury or illness if
controlled. Hazards that are not reasonably likely to occur would not
consideration. Potential hazards include:
chemical and
physical compounds.

The analysis is done by the HACCP team in a brainstorming meet

identification followed by a workshop on hazard evaluation.
The process of conducting a hazard analysis involves two steps.

The first step, hazard identification, lists all potential hazards. This is
the brainstorming session. The team develops a list of potential biolog
or physical hazards.

After the list of potential hazards is assembled, step two, the hazard
conducted. In a workshop the HACCP team decides which potential ha
addressed in the HACCP plan. During this stage each potential hazar
based on the severity of the potential hazard and its likely occ
occurrence factor also takes into account control measures that are a
to reduce the probability of occurrence.

The outcome of this exercise is to decide which identified hazard

enough that they are defined as critical control points (CCPs) and co
then implemented to reduce the risk to an acceptable level. If there a
that need to be controlled there is no need to establish critical con
project moves directly to establishing monitoring procedures.
3. Determine Critical Control Points

Once the critical hazards are identified the team identifies control
reduction or elimination of each critical hazard. Areas that should be co
equipment malfunction,
failures of sensors,
human errors,
power failures and
external impacts such as natural forces, e.g., lightning or wind.

Control steps are identified for all critical hazards where no control m

Complete and accurate identification of CCPs is fundamental to contr

The information developed during the hazard analysis is essential fo
team in identifying which steps in the process are CCPs. One strate
the identification of each CCP is the use of a CCP decision tree. Figu
example of such a decision tree with three questions to answer.
Important questions to ask are:

Does this step involve a hazard of sufficient risk and severity to wa

Does a control point for the hazard exist?
Is control at this step necessary to prevent, eliminate or reduce the
hazard to consumers?

If all questions are answered with yes, a critical control is defined for th

Figure 9: Decision Tree to Identify Critical Control Points (From Ref. 32

4. Establish Critical Limits for Each Control Point

Critical limits should be established for each control point. A crit

maximum and/or minimum value to which a biological, chemica
parameter must be controlled at a CCP to prevent, eliminate or

acceptable level, the occurrence of a food safety hazard. Critical

based on:
salt concentration,
pH or
sensory parameters.
The limits should be scientifically justified.

Before the project moves to the next step, the remaining risk after
CCPs and critical control is evaluated and the team repeats the risk ev
5. Establish a Monitoring Procedure

Monitoring is a planned sequence of observations or measuremen

whether a CCP is under control and to produce an accurate record fo
verification. The monitoring system must be able to detect loss of cont
It should be either continuous or done at a sufficient frequency that th
available in time to ensure that corrections are possible before any ha
avoid violation of limits as much as possible, tighter control limits sho
where corrective actions are initiated before the critical limit is exceed
and documents associated with CCP monitoring should be dated
initiated by the person doing the monitoring. Examples of monito
Visual observations and
measurement of temperature, time, pH and moisture level.
6. Establish Corrective Actions

For each observed limit violation a corrective action should be init

matter experts should determine the root cause for the violation
corrective actions. Corrective actions should include the following elem
Determine and correct the cause of non-compliance.
Determine the disposition of a non-compliant product.
Record the corrective actions that have been taken.

Specific corrective actions should be developed in advance for e

included in the HACCP plan. As a minimum, the HACCP plan should spe

What is done when a deviation occurs,

who is responsible for implementing the corrective actions, and
that a record will be developed and maintained of the actions taken

The corrective action should be extended to similar CCPs to avoid fu

of limits. The action plan should be verified for efficiency.
7. Establish Verification Procedures

Verification is defined as those activities, other than monitoring, that

validity of the HACCP plan and ensure that the system is operating ac
plan. Another important aspect of verification is the initial validation
plan to determine:

That the plan is scientifically and technically sound.

That all hazards have been identified and that the HACCP plan is p
That these hazards will be effectively controlled.

Verification procedures should be implemented to determine whethe

system is working effectively or not. Examples for verification act
review of the HACCP plan for completeness, CCP monitoring recor
and corrections, validation of critical limits to confirm that they are
control significant hazards and confirmation that CCPs are kept
Verification should be conducted, e.g., routinely or on an unannoun
confirm that changes have been implemented correctly after the HA
been modified and to assess whether a HACCP plan should be mod
change in the process equipment. Verification records can include, fo
HACCP plan and the person(s) responsible for administering and
HACCP plan, certification that monitoring equipment is properly cal
working order and training and knowledge of individuals responsible
8. Document and Communicate all Activities

Accurate documentation and communication is essential for the su

HACCP project. Documentation should be developed according to th
the project and not just at the end. Important steps should be com
everybody who is affected by the project throughout the development
of the project.

Records should be retained to document that the HACCP proje

conducted according to documented HACCP requirements. They are u
demonstrate compliance in case of any product liability issues. Re
retained in any format, e.g., paper and electronic versions. Example
that should be retained include:

A summary of the hazard analysis, including the rationale for determ

and control measures.
The HACCP plan.
Training records of the key project leader and HACCP team membe
Records generated during the operation of the plan.

Hazard and Operability Studies (HAZOPs)

HAZOP examines a planned or existing product, process, procedure

identifies risks to people, equipment and environment. HAZOP also
for risk mitigation. The HAZOP team identifies failure modes of a proc
and possible causes and consequences similar to FMEA. While FM
identifying failure modes, HAZOP considers unwanted outcomes and d
intended outcomes and works back to possible causes.
Characteristic of a HAZOP process is the use of guide words such
More, Less, Part of and Compatible".

HAZOP was initially developed to analyze chemical process syst

extended to other complex mechanical, electronic and software system
undertaken during the design stage of software and hardware developm
Steps of HAZOPs include:

1. Appointment of project leader and project team. The team should in

personnel not directly involved in the design of the project or proce
2. Definition of objectives.
3. Establishing a set of guide words.
4. Collection of the required documentation.
5. Splitting the system or process into smaller pieces and subsystems
reviewing the relevant documentation.
6. Defining and recording deviations, possible causes, actions to add
identified problem and person(s) responsible for the corrective acti
7. Evaluating the remaining risk for deviations that cannot be address

Preliminary Hazard Analysis (PHA) and

Preliminary Risk Analysis (PRA)

Preliminary Hazard Analysis (PHA) is a qualitative, inductive tool for

Sometimes PRA and PHA are used interchangeably, where PRA
evaluation of impact and probability. PRA/PHA are based on
experience or knowledge of hazards to identify future hazards. They
useful to identify and reduce risks early in a new or changed process.
of this chapter we also mean PHA when we talk about PRA.
Steps of a PRA methodology include:
1. Form a Project Team

As the success of the method relies on experience with historical kn

members should include subject matter experts with experience in sim
such information is not available external consultants should be hir
leader should have experience in FTA projects.

2. Create a Project Plan

The plan is created by the team under the supervision of the team lea
background information on why the project has been initiated and
approach the risk project will follow as well as the scope, responsibilit
deliverables. A schedule is also included. The plan follows the rules of
Risk Management Master Plan. The plan also describes the appro
which activities will be analyzed.
3. Describe the Situation

The situation is described by the team's technical subject matter exper

information is collected and distributed to other team members in prep
hazard identification step. The package also includes a proposal on wh
project will be covered by the PRA methodology. Furthermore th
package also includes forms and recommendations on how to com
preparation for the hazard identification meeting. For complex proje
training should be organized to ensure that the process is well unde
that the team members can give meaningful inputs.
4. Identify Hazards

Hazards are best identified in a brainstorming meeting. All suggestion

hazards are collected and documented. The suggested hazards are
categories, for example, product characteristics, processing steps
phases, such as start-up or normal operation. When all potential haza
identified and categorized they are reviewed and compared with ea
team leader will put all suggested potential hazards up for discussion
decides to leave them or remove them from the list. This should en
credible failures are retained. An important criterion on whether to leav
the list or not is if there are currently controls in place to reduce the r
hazards without sufficient control will stay on the list.
5. Estimate the Probability of Occurrence and Severity

The final risk is estimated through looking at the probability of occur

severity of identified hazards. For probability and severity assess
already in place are considered. Results are either expressed qua
high, medium and low or through more specific descriptions or q
sufficient data are available.
6. Prioritize Risks for Control

For hazards exceeding the acceptable risk thresholds the team defin
reduce the risk. The residual risks are evaluated again using the sa
7. Prepare a Report

The report should include a description of the process, the study o

scope, the methodology and the identified hazards with justification

should also include the result of risk assessment with justifications

controls put in place for hazards with too high risks.

Steps for Effective Risk Management

Previous chapters of this tutorial gave an overview on regulatory requ

also described the ICH Q9 process for risk management. In addition
and methodologies have been presented on how to implement risk as
risk management for various situations. While most tools have advan
limitations this chapter describes a generic approach and recommen
risk management. The overall process and individual steps are outline
with more details on each step following in this chapter.

Figure 10: Risk Management Process and Steps

The process is initiated by management based on inputs from functio

Management also appoints a project leader who drafts a preliminary
The project leader assembles a project team that finalizes the project p

In the risk analysis step team members suggest, sort, combine and pri
and harms. Team members then determine the risk using severity and

optional detectability as criteria. If the risk is below the acceptanc

project goes into the monitoring phase or is discontinued. This is
process for some time to verify that the risk level was correctly determ
check if new hazards arise.

If the risk is higher than the acceptance criteria a risk mitigation plan
implemented. The residual risk is determined using the same procedu
as for the first evaluation.

The outcome of the risk assessment and management is doc

communicated during and at the end of the process.

Step 1: Project Preparation and Planning

The risk management process requires detailed preparation and plann

includes project initiation and identification of a project manager and a
Project Initiation

A risk management project can be proposed by anybody. The propo

forwarded to functional managers who review it and then forwar
management. The proposal should include:

Description of the potential risk management project.

Definition of potential problems with some examples for hazards an
Background information.
Benefits of the proposed project.
List of departments that should be part of the project.

Identification of the Project Manager and Team

Once the decision is made to initiate a risk management project

identifies a project leader. Selection criteria for the project owner are:

Experienced in risk management.

Project management skills.
Excellent communication skills.
Knowledge of the organization, system, process or application bein
Ability to manage people without direct reporting.
Tasks of the project owner include:

With the help of functional managers selects a risk management te

Manages the entire process.
Ensures necessary resources.
Organizes and chairs team meetings.

Drafts the risk management project plan.

Represents the team in management meetings.
Communicates the status and outcome of the project to manageme

One of the first tasks of the project leader is to recruit a team. The
include members from all affected areas and groups.
Examples are:
Affected operations (product development, manufacturing).
Project management.
Information Services (IS).
Quality Assurance (QA).
Legal department.
Quality Control (QC).
Plant safety, maintenance and engineering.
Regulatory affairs.
Sales and marketing.
Suppliers (optional).

Team members should be subject matter experts with at least five o

experience in the related subject. General responsibilities of the risk
team are defined for each function in the Risk Management Master Pla
Define Team Responsibilities

Risk management involves several departments, functions and pe

requires good organization. For example, tasks and responsibilities
defined for everybody. The Risk Management Master Plan can b
guideline where the master plan allocates responsibilities only to job
not to individual persons. For a specific project, responsibilities can
individuals by name in addition to functions.

Provides evidence of their commitment to the risk management pro

Provides necessary resources.
Defines and documents the policy for determining criteria for risk a
Approves the Risk Management Master Plan.
System User Departments

Contribute to development and maintenance of Risk Management P

Create and maintain equipment inventory.

Give inputs on potential hazards with estimation on severity and pr

initial RM.
Monitor efficiency of ongoing RM and give inputs on new hazards.
Plant Safety/Maintenance/Engineering

Advises the facility/laboratory on possible hazards and harms relat

environment and staff safety.
Information Services (IS)

Advises the facility on possible hazards and harms related to IT, e.

Participates in risk assessment and mitigation.
Reviews Risk Management Project Plans related to networks.
Risk Management Team

Develops and maintains the Risk Management Project Plan.

Provides expertise to develop and implement RM for processes an
during development and during initial and ongoing use.
Responsible for risk assessment and the final decision on if and ho
Quality Assurance (QA)

Provides quality assurance expertise in the creation of the risk ma

Monitors regulatory requirements and develops and updates compa
for RM.
Develops and coordinates a training program on RM.
Validation Team
Gives inputs for risk analysis and participates in risk assessment.
Reviews and approves individual Risk Management Project Plans

Some of the activities can be outsourced to consultants, e.g., iden

classification of risks.

Inform users on potential risks arising from known software bugs a

workaround solutions.

Get trained on risk assessment and management.

Provide inputs on hazards and possible harms for new and ongoing
management projects.

Create a Risk Management Project Plan

Using the company's Risk Management Master Plan as a source

project leader with the help of the team creates the Risk Managemen
While the Risk Management Master Plan (RMMP) is a framework and
all projects, individual projects should be covered by the Risk Manag
Plan (RMPP). The relationship between both these plans is shown in F

Figure 11: Risk Management Master Plan and Risk Management Proje

The project plan outlines how risk assessment is conducted, th

procedures the project team will implement and who is doing what. It a
time schedule and defines deliverables for each step. The draft

proposals for risk thresholds. The project leader presents the plan to
Management reviews the plan and discusses the suggested st
thresholds with the team in a meeting.

This is the most important step in the entire project. The acceptable
will determine the costs for reducing the risk but also associated c
problems that can arise if risks are not reduced. Functional m
accounting, QA and operations should indicate priorities for how
company can take. Most likely different functions will have different
example, when looking at the graph in Figure 1x QA tends more tow
side of the graph with 100% quality, whereas finance most likely wan
project cost which is only possible if a trade-off is made between risk a
The Risk Management Project Plan should include chapters on:

The purpose should be specific to the system and should include a


The scope defines what is and what is not covered by the plan. It a
documents constraints and limitations.

This section describes responsibilities of corporate management, t

manager and staff, IT managers and staff and the risk managemen
the master plan the project plan lists responsible people by name A
rather than by function only.
Describes the approach taken for managing the risk.
Risk Identification

Describes how risks, hazards and potential harms are identified an

documented. Includes tables with risks, hazards, harms and sugges
Risk Evaluation

Describes how risks are evaluated, categorized, prioritized and do

includes matrices with risks, categories for probability and severity

Risk Threshold
Documents risk threshold values for the project.
Risk Mitigation

Evaluates alternatives of risk mitigation versus costs. Describes a

mitigations are required. It also includes a time schedule for action
estimates and documents residual risk priority numbers after mitiga
Risk Acceptance

Compares risk threshold as originally defined with the RPN obtaine

mitigation. Based on the outcome the residual risk is accepted reje
Ongoing Monitoring

Describes how risks are monitored, reported and documented durin

system. Describes the actions in case new hazards are reported o
level has changed.
Project Schedule
Outlines action items with owners.

Step 2: Risk Identification

Step 2 in the risk management process is risk identification. It shou

question: What are the potential problems that could occur? All
process under consideration are documented. Potential risks are ide
project team under the leadership of the project leader. If there
experience with risk identification within a company, outside resourc
worked on similar projects should be invited to give their opinion. The
identify or discover potential problems based on experience with si
The output of this phase is the input for risk evaluation.
Inputs for risk identification are:

Customer complaints.
Failure investigations.
Corrective and preventive action plans.
Specifications for processes and systems.
Experience with the same process or system already installed and
Experience with similar processes and systems.
Experience with suppliers of the system and suppliers of material u

Failure rates of the same or similar systems and processes.
Trends of failures.
System and process validation reports.
Service records and trends.
Internal and external audit results.
FDA inspection reports.

Inputs can come from engineers, operators of equipment and p

validation group, IT administrators or from QA personnel, e.g., as a re
and external audits or inspections.

The project team collects inputs on potential hazards with po

Information is collected during a brainstorming meeting. All inputs shou
and documented. The project leader should make sure that all id
understood by team members. Initial documentation can be made on
self-adhesive notes that can be easily moved around to group sim
categories and to eliminate duplicate identical risks or combine si
single ones.

The team prioritizes all risks that are considered for follow-up. The l
risks can be compared with a checklist that has been created from
This should ensure that nothing important has been left out.

For final documentation a form as shown in the table in Figure 12 or

be used with entry fields for the person who made the entry, risk desc
on system availability, data integrity, compliance, typical situations
and suggestions for mitigation.

Figure 12: Form for Risk Identification (form fields: System/Process ID; risk description, hazard, typical situations of occurrence; possible harm)

At this point typical situations of occurrence, possible harms and sugge

control are described expressing everybody's thoughts and experien
thinking about categories. For example, contributors should describe
time intervals and special circumstances under which the process or s

Step 3: Risk Evaluation

After information on risks has been collected, the risk evaluation pha
phase compares the identified risks against given risk criteria.
determined which risks are the most important ones to focus on and p
mitigation plan. The output of this phase is a quantitative estimate
qualitative description of a range of risks. Most critical is to use ob
criteria for severity and probability. For more details on how this is
see the section "Approaches for Risk Management" in the chapte
Severity, Probability and Risk Acceptance".

For implementation the project leader calls for a workshop. Each risk
and documented in the identification phase is presented by the risk o
makes a proposal for numerical severity and probability factors to
justification. The proposal is discussed with the team and either acc
accepted after a change of severity and/or probability factors, or rejec
should rarely happen because the risk has been prioritized in a prev
One reason for removing a risk from the list would be if the assu
changed since the risk identification step.

Numbers are associated to the levels and the overall risk priority nu
calculated. Figure 13 shows a template on how to document the impac
non-patient business risk, the impact on patient health and the probabil
The RPN is calculated using the formula:
RPN = S (Business) x S (Patient) x P
On a scale of 1 to 27 the RPN is calculated as 18.


Figure 13: Form for Risk Evaluation (form columns: System ID; Impact on patient health (Level 1-3); Impact on ... (Level 1-3); ... (Level 1-5))

Step 4: Risk Acceptance

Risk acceptance is a formal decision to accept a risk. In this step w

countermeasures that we put in the risk response table based on
Starting point is the risk priority number as calculated from probabilit
and the risk threshold as defined for the project. The risks should be
categories as defined in Figure 14.

The impact on each identified risk is evaluated using the same criteria
Step 3. RPNs are calculated and compared with the original risk thres
risks are accepted as long as the risk priority number is below the
Let's assume the RT for the project is defined as 5 on a scale
normalized RPN is:
16/27 x 10 = 6.6
This means the risk is not acceptable.

Factor 8 and Lower:

Code 1

Routinely accepted, no action taken.

Factor 9-16:
Code 2

Operation requires written, time-limited

endorsed by management. Mitigation su
cost/benefit analysis.

Factor Higher than 16:

Code 3

Not accepted. Mitigation required. Altern

approaches should be evaluated.

Figure 14: Definition of Risk Codes and Consequences

All risks with factors higher than 16 (Code 3 = High Risk) should b
eliminated and all risks with factors higher than 8 (Code 2 = medium r
considered for mitigation and are subject to a cost benefit analysis.
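As an added worked example (not code from the tutorial), the following Python puts the Step 3 formula RPN = S(Business) x S(Patient) x P together with the Step 4 checks: normalization onto the 1-10 risk threshold scale and the risk codes of Figure 14, and reruns the same evaluation on the residual risk after mitigation. It assumes each of the three factors is rated 1 to 3, which gives the 1-to-27 scale used above; the risk rows and the threshold of 5 are constructed sample data.

```python
"""Worked RPN evaluation for Step 3 (risk evaluation) and Step 4 (risk
acceptance). Added example, not code from the tutorial."""
from dataclasses import dataclass, replace

# Assumption: each of the three factors is rated 1-3, which gives the
# 1-to-27 RPN scale the tutorial uses (3 x 3 x 3 = 27).
LEVEL_MAX = 3
RPN_MAX = LEVEL_MAX ** 3      # 27
NORMALIZED_MAX = 10           # the tutorial normalizes the RPN onto a 1-10 scale

# Consequences of each risk code, paraphrased from Figure 14.
ACTIONS = {
    1: "Routinely accepted, no action taken.",
    2: "Written, time-limited endorsement by management; "
       "mitigation subject to cost/benefit analysis.",
    3: "Not accepted; mitigation required, alternative approaches evaluated.",
}


@dataclass(frozen=True)
class RiskEntry:
    """One row of the risk evaluation form (Figure 13)."""
    risk_id: str
    description: str
    s_business: int   # impact on non-patient business risk, 1-3
    s_patient: int    # impact on patient health, 1-3
    probability: int  # probability of occurrence, 1-3 (assumed scale)


def _check_level(name: str, value: int) -> None:
    """Reject factors outside the rating scale instead of silently scaling them."""
    if not isinstance(value, int) or not 1 <= value <= LEVEL_MAX:
        raise ValueError(f"{name} must be an integer 1..{LEVEL_MAX}, got {value!r}")


def rpn(s_business: int, s_patient: int, probability: int) -> int:
    """RPN = S(Business) x S(Patient) x P, the Step 3 formula."""
    _check_level("S(Business)", s_business)
    _check_level("S(Patient)", s_patient)
    _check_level("P", probability)
    return s_business * s_patient * probability


def normalized_rpn(value: int) -> float:
    """Map an RPN on the 1-27 scale onto the 1-10 scale of the risk threshold (RT)."""
    return value / RPN_MAX * NORMALIZED_MAX


def risk_code(value: int) -> int:
    """Risk code from Figure 14: 8 and lower -> 1, 9-16 -> 2, higher than 16 -> 3."""
    if value <= 8:
        return 1
    if value <= 16:
        return 2
    return 3


def is_acceptable(value: int, risk_threshold: float) -> bool:
    """Step 4: a risk is accepted only while its normalized RPN stays below RT."""
    return normalized_rpn(value) < risk_threshold


def evaluate(entries, risk_threshold: float):
    """Produce one decision record per risk. The same routine is rerun on the
    residual risk after mitigation, as the tutorial requires."""
    records = []
    for entry in entries:
        value = rpn(entry.s_business, entry.s_patient, entry.probability)
        code = risk_code(value)
        records.append({
            "risk_id": entry.risk_id,
            "rpn": value,
            "normalized_rpn": round(normalized_rpn(value), 1),
            "code": code,
            "accepted": is_acceptable(value, risk_threshold),
            "action": ACTIONS[code],
        })
    return records


def residual_entry(entry: RiskEntry, **new_factors) -> RiskEntry:
    """Copy a risk row with the factors a mitigation changed (e.g. probability=1)."""
    return replace(entry, **new_factors)


# Constructed sample rows (not from the tutorial). The first reproduces the
# tutorial's worked value: RPN 18 on the 1-27 scale, 6.7 normalized, above RT 5.
SAMPLE_RISKS = [
    RiskEntry("R-01", "Audit trail disabled during maintenance window", 2, 3, 3),
    RiskEntry("R-02", "Label printer misprints batch number", 3, 1, 3),
    RiskEntry("R-03", "Backup tapes kept in the same room as the server", 2, 1, 2),
]
RISK_THRESHOLD = 5  # RT on the 1-10 scale, as in the tutorial's example

if __name__ == "__main__":
    for rec in evaluate(SAMPLE_RISKS, RISK_THRESHOLD):
        print(rec)
    # Residual risk of R-01 after a mitigation that lowers probability to 1.
    print(evaluate([residual_entry(SAMPLE_RISKS[0], probability=1)], RISK_THRESHOLD)[0])
```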

Step 5: Risk Mitigation

When the risk as evaluated in the previous step is not acceptable, a

how to mitigate risks should be evaluated. This phase is also called Ris
Figure 15 is used to document the mitigation strategy, costs for
non-mitigation and the decision whether to mitigate the risk or not.


Figure 15: Form for Risk Mitigation (form fields: System ID; cost of ...; cost of ...)

Possibilities to Mitigate Risks
There are different ways and approaches to mitigate risks.
All risk mitigation options should be considered and can be combined.
They include:

Removing the risk source (eliminating the risk).

Changing the likelihood.
Changing the consequences.
Ensuring that the risk is detected and can be treated when it occu
Sharing the risk with other parties.

Care should be taken that mitigation strategies do not introduce new

process or increase existing risks in other areas.

After the risk is reduced it is evaluated again using the same criteria a
risk was acceptable the project moves along to the last step for d
communication and ongoing review for possible changes.
Estimating Costs vs. Benefits

The initial and ongoing costs for the best alternative should be e
compared with the estimated costs of non-mitigation. For risk codes 2
this comparison should be the basis for the decision whether to mitiga
The rationale behind the decision should be well justified and documen

It is important to estimate the cost for mitigation as well as potential l

non-mitigation. Losses for non-mitigation should include real or dir
tangible or indirect costs. Real costs are loss of revenue and are rela
estimate. Tangible costs are more difficult to estimate. They can includ
company's reputation or appearing on the FDA's radar after one or m
Risk Mitigation Plan

Once the decision to mitigate the risk has been made and the strateg
a mitigation plan should be developed. The plan should describe:
Mitigation options.
How options will be implemented.
Resource requirements.
Performance measures.
Required documentation.
Communication requirements.
After the plan is implemented the residual risk is evaluated and

Step 6: Ongoing Monitoring, Reviews and Updates

Once the plan is in place and the system is running, the effectivene
should be monitored, reviewed and adjusted if necessary. The monit
should also help to identify previously unrecognized hazards. These co
introduced by changing processes or introducing new technologies.

The monitoring program should check if risk priority numbers have cha
higher or lower values. Users and IT professionals gain a lot of exper
be used to further optimize the effectiveness. If factors exceed
specified limit, mitigation strategies should be evaluated. If higher va
below the threshold, mitigation may no longer be necessary wh
operating costs.
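The monitoring check in the paragraph above, as an added example that is not part of the tutorial: it recomputes the risk priority number (severity x probability x non-detection, as defined in the glossary) for each register entry between two reviews and derives the review action, including the case of a newly recognized hazard. Assumed, not from the tutorial: a 1..5 ordinal scale for each factor, an RPN threshold of 40, the function names, and a constructed two-review register.

```python
from dataclasses import dataclass
from typing import Dict, Optional

RPN_THRESHOLD = 40  # assumed acceptance limit; the tutorial leaves the value to the project

@dataclass(frozen=True)
class RiskRating:
    """One register entry at one review date (constructed record layout)."""
    risk_id: str
    severity: int        # 1 (negligible) .. 5 (critical), assumed scale
    probability: int     # 1 (remote) .. 5 (frequent)
    non_detection: int   # 1 (almost certainly detected) .. 5 (not detectable)

    def rpn(self) -> int:
        """RPN = severity x probability x probability of non-detection."""
        for value in (self.severity, self.probability, self.non_detection):
            if not 1 <= value <= 5:
                raise ValueError(f"{self.risk_id}: rating {value} outside the 1..5 scale")
        return self.severity * self.probability * self.non_detection

def review_action(previous: Optional[RiskRating], current: RiskRating,
                  threshold: int = RPN_THRESHOLD) -> str:
    """Decide what the periodic review should do with one risk."""
    if previous is None:
        # previously unrecognized hazard: it needs a full assessment first
        return "new hazard: assess and document"
    before, after = previous.rpn(), current.rpn()
    if after > threshold:
        return "above threshold: evaluate mitigation strategies"
    if before > threshold:
        return "dropped below threshold: check whether mitigation is still needed"
    if after != before:
        return "changed but acceptable: record the new rating"
    return "no change"

def monitor_register(previous: Dict[str, RiskRating], current: Dict[str, RiskRating]) -> Dict[str, str]:
    """Map every risk in the current review to its review action."""
    return {rid: review_action(previous.get(rid), rating) for rid, rating in current.items()}

# constructed sample register: ratings from two consecutive reviews
LAST_REVIEW = {"R-01": RiskRating("R-01", 5, 4, 3),   # RPN 60, above threshold
               "R-02": RiskRating("R-02", 2, 2, 2)}   # RPN 8
THIS_REVIEW = {"R-01": RiskRating("R-01", 5, 2, 3),   # RPN 30 after mitigation
               "R-02": RiskRating("R-02", 2, 2, 3),   # RPN 12
               "R-03": RiskRating("R-03", 4, 3, 4)}   # RPN 48, newly identified

if __name__ == "__main__":
    for rid, action in monitor_register(LAST_REVIEW, THIS_REVIEW).items():
        print(rid, THIS_REVIEW[rid].rpn(), action)
```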
Contributors use the form in Figure 16 to document observations
recommendations. They should also make a recommendation if the
be implemented urgently if it is time critical.


Figure 16: Form to Recommend Changes (visible fields: System ID, Recommendation for change)

The risk management team evaluates the recommendations made b

The team meets monthly if there are no recommendations for change
'urgent'. In the case of an urgent recommendation for a change the te
evaluates the change within a week. Changes or additions are docu
the form in Figure 17.


Figure 18: Form to Document Changes (visible fields: System ID, Risk description /ID)

Step 7: Documentation and Communication

Regulatory agencies strongly suggest basing decisions for details
with GxP on a justified and documented risk assessment. Therefore
is very important. Documentation is also important to justify investm
may be required to meet business and compliance requiremen
documentation for risk management should include:

Risk Management Master Plan - This shows your company's appro
risk assessment and risk management.
Risk Management Project Plan - This shows the plan for specific s
mitigation strategies.
Lists with description of risk categories, ranking criteria and results
Justification for not mitigating risks with high factors.
Risk mitigation plans.
Mitigation actions taken.
Review reports.

The information should be communicated with everybody who may b
the project. The information should not only be shared toward the end
but this should be ongoing from the start. Most important is to op
information that leads to decisions about factors for probability and s
and whether to mitigate certain risks or not.


Application Examples

The Risk Management Process can be applied for:
Design and development of a product or process.
Selection and assessment of suppliers.
Training, especially proof of effectiveness.
Risk-based computer validation.
Risk-based qualification of analytical equipment.
Part 11 compliance.
Pharmaceutical manufacturing.
Scheduling internal audits.
Starting material - qualification and handling.
Validation of analytical procedures.
Qualification of equipment.
Change control to introduce new starting material.
Archiving electronic records.
To be completed later


Some of the risk-based definitions are original or derived from either I
51:1999 or ANSI/AAMI/ISO 14971:2000.
CCP Decision Tree

A sequence of questions to assist in determining whether a control p
(Ref. 32).
Critical Control Limit (CCL)

A maximum and/or minimum value to which a biological, chemica
parameter must be controlled (Ref. 32).
Control Measure

Any action or activity that can be used to prevent, eliminate or reduc
hazard (Ref. 32).


Corrective Action
Procedures followed when a deviation occurs (Ref. 32).
Critical Control Point (CCP)

A step at which control can be applied and is essential to prevent
(pharmaceutical) quality hazard or reduce it to an acceptable level (Re
Failure
Termination of the ability of an item to perform a required
Failure Mode
Manner in which an item fails (IEC 60812:20067).
FMEA - Failure Modes and Effects Analysis

Used to identify failure modes and their consequences or effects
bottom-up technique: What can go wrong on a low level component
impacts the system or application.
FMECA - Failure Modes, Effects and Criticality Analysis

Adds evaluation of the criticality including severity, occurrence and d
the FMEA.
FTA - Fault Tree Analysis

Top-down technique. The analyst looks at the high-level system failure
down into the system to trace failure paths.
HACCP Hazard Analysis and Critical Control Points
A systematic approach to the identification, evaluation and control
hazards (Ref. 32).

HACCP Plan
The written document which is based upon the principles of HACC
delineates the procedures to be followed (Ref. 32).


HACCP System
The result of the implementation of the HACCP Plan (Ref. 32).

Harm
Physical injury or damage to the health of people, or damage to p
environment (ISO 14971).
Hazard
Potential source of harm (ISO 14971).
In the context of HACCP: Any circumstance in the production, control a
of a (pharmaceutical) product which can cause an adverse health effec
Hazard: A biological, chemical or physical agent that is reasonably l
illness or injury in the absence of its control (Ref. 32).
Hazard Analysis

The process of collecting and evaluating information on hazards asso
food under consideration to decide which are significant and must be
the HACCP plan (Ref. 32).
Hazard Monitoring

To conduct a planned sequence of observations or measuremen
whether a CCP is under control and to produce an accurate record fo
verification (Ref. 32).
Validation (related to HACCP)

That element of verification focused on collecting and evaluating
technical information to determine if the HACCP plan, when properly
will effectively control the hazards (Ref. 32).
Verification (related to HACCP)

Those activities, other than monitoring, that determine the validity of th
and that the system is operating according to the plan (Ref. 32).
NIST
National Institute of Standards and Technology.


Probability/Impact equal to RPN (Risk Priority Number).
PIC/S
The Pharmaceutical Inspection Convention and
Co-operation Scheme (jointly referred to as PIC/S).


PHA - Preliminary Hazard Analysis

Can be used to identify hazards and to guide development of counte
mitigate the risk posed by these hazards.
PRA - Preliminary risk analysis
Probabilistic risk assessment.
Probability of Detection

Evaluates the probability of realizing that the hazard has occurre
resultant harm to the patient has occurred.
QRAS - Quantitative Risk Assessment System
Developed for NASA by the University of Maryland.
Quality Unit.
Residual Risk

Risk remaining after protective measures have been taken (ISO 14971
Risk
Combination of the probability of occurrence of harm and the severity
Combination of the probability of harm and the severity of tha
Risk Acceptance
The decision to accept risk (ISO Guide 73).


Risk Analysis

Systematic use of available information to identify hazards and to es
(ISO 14971:2007).
Risk Assessment

A systematic process of organizing information to support a risk decisi
within a risk management process. It consists of the identification o
and the analysis and evaluation of risks associated with the expo
hazards (ICH Q9).
Overall process of risk identification, risk analysis and evaluation (ISO
Risk Communication

The sharing of information about risks and risk management betwee
maker and the stakeholder.
Risk Control

The process through which decisions are reached and implemente
risks to, or maintaining risks within, specified limits.
Process in which decisions are made and measures implemented by w
reduced to, or maintained within, specified levels (ISO 14971:2007).
Risk Criteria

Terms of reference against which the significance of a risk is evaluat

Risk Estimation
Process used to assign values to the probability of occurrence of
severity of that harm (ISO 14971:2007).
Risk Evaluation

Process of comparing the estimated risk against given risk criteria to
acceptability of the risk (ISO 14971:2007).
The comparison of the estimated risk to given risk criteria using a
qualitative scale to determine the significance of risk.
Risk Identification


The systematic use of information to identify potential sources of h
referring to the risk question or problem description.
Risk Index

A semi-quantitative measure of risk which is an estimate derived us
approach using ordinal scales (IEC/ISO 31010).
Risk Level

A quantitative estimate that describes the level of degree of risk. The
based on quantitative values assigned for public health (severity),
and business risk. For the purpose of this standard the risk is expre
medium or low based on the degree of regulatory risk and patient/user
Risk Management

Systematic application of management policies, procedures and pr
tasks of analyzing, evaluating, controlling and monitoring risks (ISO 149
Risk Reduction

Actions taken to lessen the probability of occurrence of harm and the s

Risk Review

Review of monitoring of output/results of the risk management proces
(if appropriate) new knowledge and experience with the risk.
Risk Priority Number

Measure of overall risk. It is obtained by multiplying the rating of severi
(and probability of non-detection). The higher the number the more seri
Risk Treatment
Process of selection and implementation of measures to modify risk.
Risk Rating.


Risk Threshold.

Severity
Measure of the possible consequences of a hazard (ISO 14971:2007)

Tolerable Risk

Risk that is accepted in a given context based on the current values of

RMMP - Risk Management Master Plan
Framework which is applicable to all projects. Used as a source
Management Project Plans.
RMPP - Risk Management Project Plan

While the Risk Management Master Plan (RMMP) is a framework and
all projects, individual projects should be covered by a Risk Manag
Plan (RMPP). It outlines risk management activities specific to the pr
Master Plan should be used to draft this plan.
Stakeholder
Person or organization that can affect, be affected by, or perceived
be affected by, a decision or activity (ISO Guide 73:2009).


1. The European Council Directive 93/42/EEC of 14 June 1993 Conc
Medical Devices.
2. FDA 21 CFR 820: "Quality System Regulation (for Devices)".
3. EU GMP, Annex 15: "Validation and Qualification", 2010.
4. FDA: Pharmaceutical cGMPs for the 21st Century: "A Risk-Based
Second Progress. Report and Implementation Plan", 2003.
5. FDA Industry Guidance: "Part 11, Electronic Records; Electronic S
Scope and Application", 2003.
6. ICH Q9: "Quality Risk Management", 2005.
7. GAMP 4: "Guide for Validation of Automated Systems", 2001.
8. GAMP 5: "A Risk-Based Approach to Compliant GxP Computerized
2008.
9. GHTF: "Implementation of Risk Management Principles and Activiti

Quality Management System", 2005.

10. ISO 14971:2007: "Application of Risk Management to Medical Dev
11. ISO 31000: "Risk Management - Principles and Guidelines", 2009.
12. ISO 31010: "Risk Assessment Techniques", 2009.
13. R. Jones, Pharmaceutical Manufacturing: "How to Understand the
Assess the Risks to Patient Safety", Pharmaceutical Engineering,
2009, 16.
14. I. Campbell: "Applying Quality Risk Management Principles to Achie
Practical Verification Strategy", Pharmaceutical Engineering, Nove
15. L. Huber: "Risk-Based Validation of Commercial Off-the-Shelf
Systems", Journal of Validation Technology, 11(3), 2005.
16. Labcompliance: "Risk Management Master Plan", 2010.
17. Labcompliance SOP: "Risk Assessment Used for Systems Used in
18. Labcompliance SOP: "Risk Assessment for Laboratory Systems",
19. Labcompliance SOP: "Risk-Based Qualification of Network Infrastr
20. Labcompliance Case Studies: "Risk-Based Methodologies for Labo
21. FDA Guidance: "General Principles of Software Validation", (2002)
22. FDA Guidance for Industry: "Quality Systems Approach to Pharma
CGMP Regulations", (2006).
23. EU GMP, Annex 11: "Using Computerized Systems".
24. Pharmaceutical Inspection Convention/Cooperation Scheme (PIC/
Practices for Computerised Systems in Regulated 'GxP' Environme
25. United States Pharmacopeia: <232> Elemental Impurities (Proposa
26. USP Chapter <467> Residual Solvents.
27. FDA Guidance: "FDA Reviewers and Compliance on Off-The-Shelf
in Medical Devices", 1999.
28. FDA Guidance: "Inspections of Quality Systems" (Medical Devices
Inspectional References.
29. PIC/S Quality Risk Management: "Implementation of ICH Q9 in the
Pharmaceutical Field", 2010.
30. Report by WHO Expert Committee on "Specifications for Pharmac
Preparation", Annex 7, Application of HACCP Methodology to Phar
31. FDA Guidance: "Fish and Fisheries Products Hazards and Controls
32. National Advisory Committee on Microbiological Criteria for Foods
Principles and Application Guidelines", 1997.
33. J.L. Vesper: "Risk Assessment and Risk Management in the Pharm
Industry: Clear and Simple", Davis Healthcare International Publish
ISBN 1-930114-94-X, 2006.


34. Concept Heidelberg: "Risk Management in the Pharmaceutical Indu
Cantor Verlag, 2008, ISBN 978-3-87193-370-7.
35. K. O'Donnel and A. Greene: "A Risk Management Solution Designe
Risk-Based Qualification, Validation and Change Control Activities
and Pharmaceutical Regulatory Compliance Environments in the E
Fundamental Principles, Design Criteria, Outline of Process, Journ
Compliance, 10 (4) 12-25 (2006).
36. K. O'Donnel and A. Greene, "A Risk Management Solution Designe
Risk-Based Qualification, Validation and Change Control Activities
and Pharmaceutical Regulatory Compliance Environments in the E
Tool Scope, Structure, Limitation, Principle Findings and Novel Ele
GXP Compliance, 10 (4) 26-35 (2006).
37. ISO/IEC Guide 73:2002: "Risk Management - Vocabulary", Guidelin
