Risk assessment as a process quality assurance tool in sterile pharmaceutical manufacturing
Environmental contamination control is a crucial part of sterile pharmaceutical manufacturing, and risk management is essential to ensure that appropriate control practices are in place.
The Risk Management process follows a series of steps, such as risk assessment, that enable a greater understanding of the manufacturing environment.
Such assessments may result in the removal, reduction, or monitoring of activities associated with a product or process to mitigate risk. Qualitative risk assessment can help inform the quantitative evaluation by employing contemporary risk analysis tools and procedures.
The following provides a fully documented rationale for the chosen path.
The concept of risk in pharmaceutical production
The released draft of EU GMP Annex 1, Revision 12, highlighted the importance of risk management as a suitable tool for ensuring the quality of a process. The draft clearly states the need for risk management in sterile drug manufacturing and recommends it for other product types as well. In particular, where controlling pyrogen, particle, and microbial contamination is required, for example, in certain creams, ointments, liquids, and low bacterial intermediates.
The production and use of a drug (medicine) and its components necessarily entail some risk. It is crucial that product quality is maintained throughout a product's life cycle. This ensures that the attributes necessary for a drug’s quality (Critical Quality Attributes) remain constant throughout its development and production phases.
As per ICH Q6A, drug quality refers to how suitable a drug substance or drug product is for its intended purpose.
Risk management procedures generally focus on analyzing each process in a product life cycle with the intention of performing an assessment, mitigation, and review of the associated dangers over time. As defined in ICH Q9, risk assessment is a systematic means of organizing information to uphold risk decisions made as part of a risk management process.
When discussing pharmaceutical quality, the term “process” has different meanings. It can refer to each stage of development, production, testing, inspection, distribution, and drug delivery. It can also include the design, qualification, and validation of facilities, instruments, and equipment.
A process, therefore, is any activity that could directly or indirectly impact the final product’s quality. It is immediately evident that pharmaceutical quality risk management is very broad in scope.
Before analyzing different risk management procedures, it is beneficial to reflect on their key distinctions, starting with problems and hazards. Problems are related to a process’s perception or implementation, whereas a hazard is defined as an intrinsic quality or property that could cause damage to the process and, therefore, to the end customer.
Risk is probabilistic, as it combines the probability of a given event occurring and the likelihood that it will cause damage. It is complicated further by the inability to detect risks as they occur.
From a technical standpoint, risk is the product of severity and probability, where detectability – if introduced – should consider the risk of detection system failure. The concept of risk suggests the existence of a danger source and the possibility of it causing harm.
At this stage in the Risk Management analysis process, the risk is effectively realized and documented in a scientific format. From this point, the risk assessment’s evaluations and tests must become quantitative and visual so the source of the risk and the ability to manage it can both be externally understood.
The final stage in risk assessment is identifying hazards and scientifically analyzing and evaluating the risks associated with exposure to them. This includes the severity of damage or harm to health, as well as any logistical damage that could arise from a decline in product quality or availability.
It is essential that a robust quality management system and manufacturing practices are in place to reduce the likelihood of risks to patient safety, product quality, and company reputation to an acceptable level.
There are two key ideas that underpin quality risk management:
- The level of commitment, formality, and documentation of the quality risk management process should be proportional to the risk level
- Risk assessments should be driven by patient protection and based on scientific knowledge
Risk assessment
The risk assessment process comprises steps ranging from identifying hazards to analyzing and evaluating the risks associated with their exposure. Figure 1 shows the steps developed during the analysis.
The risk identification step involves systematically using information to identify potential sources of harm (hazards) and their possible consequences (impact/effect). The identification of these harms and consequences is dependent on theoretical analysis, stakeholder concerns, informed opinions, historical data, brainstorming sessions, etc. This information is crucial to developing process comprehension.
These three basic questions can be helpful as an aid to clearly defining risk:
- What could go differently from expected?
- What is the probability (likelihood) of it going differently from the expected result?
- What are the consequences (severity) of this?
Figure 1. Steps for Risk Identification and Analysis. Image Credit: Particle Measuring Systems
Risk analysis is the estimation of the risk associated with identified hazards. It can be both qualitative and quantitative, linking the probability and severity of harm (with severity defined as a measure of a hazard’s possible consequences) by evaluating the design/measures that control their occurrence and detection.
Analyzing the degree of risk helps to inform the sourcing of the appropriate tools or actions for its management over time. The ability to detect damage (detectability) may also be considered a factor that influences the overall risk estimate in some risk management tools.
Risk assessment then enables the estimated risk to be compared with certain risk criteria. This is performed through either a quantitative or qualitative scale that determines its significance and, later, defines an acceptability threshold.
A numerical probability is used when risk is expressed quantitatively. Alternatively, risk can be expressed using qualitative descriptors, such as "high", "medium", or "low": these should be defined in as much detail as possible. The goal of risk control is to reduce the risk to an acceptable, defined level.
The assessment should therefore either lead to acceptance of the risk (risk control) if the level is acceptable, or to a reduction of the risk if it is not at an acceptable level.
The risk control process may include actions to:
- decrease the likelihood that the identified hazards and risks will occur
- increase the detectability of the identified hazards and risks
- decrease the severity of the identified hazards and risks
It must always be remembered that implementing risk-reduction measures may introduce new risks into the system (induced risk) or increase the significance of pre-existing risks (correlated risk).
Therefore, it is appropriate to review the assessment after a risk-reduction process is implemented to identify and evaluate potential changes. The frequency of conducted reviews should be proportional to the risk level. The risk review may require reconsideration of risk acceptance decisions.
Acceptance is only possible when it is scientifically proven that the final quality of the process is not critically affected by the identified or residual risk. For some types of damage, even the highest-quality risk management practices may not eliminate all risks. In such cases, applying an appropriate risk management strategy reduces the risk to quality to a specified (acceptable) level.
What is deemed acceptable will vary based on many factors and should be decided on a case-by-case basis. A variety of processes, including a cost-benefit analysis, can be used to determine the optimal risk control level while remaining in compliance with normative and regulatory requirements.
Risk management and possible approaches
There are currently several scientific methods available for risk analysis. These can be employed independently or in conjunction with other techniques to achieve the most constructive outcomes. For example, combining the HACCP method with FMEA could yield more comprehensive documents than either method alone. The following section explores these opportunities.
HACCP
The HACCP approach is a proactive, systematic, and preventive tool for ensuring the safety, reliability, and quality of products. Drawing from the development of a ‘Decision Tree’, the HACCP approach enables the identification of critical and non-critical areas of the process under analysis.
FMEA
The FMEA approach systematically analyzes potential failure modes to prevent failures. As a preventive action process, it is implemented before new products, processes, or modifications are introduced.
Ideally, FMEA analysis is conducted in the process/product design or development phases, though it can also be useful when applied to existing products and processes.
This approach is appropriate in many areas, including pharmaceutical manufacturing and assembly.
It is made up of several steps:
- Reviewing the process
- Identifying possible error modes
- Listing the potential impacts of the error modes
- Assigning severity/occurrence and detection to each effect,
- Calculating a Risk Priority Number (RPN) to prioritize mitigating actions that help to eliminate or reduce the risk
Risk Priority Number (RPN)
The Risk Priority Number is calculated from the results obtained following the evaluation of three factors: "Severity" (the severity of the risk), "Detection" (the ability to be able to detect the risk), and "Occurrence" (the probability that the risk could occur and recur within the analyzed process).
For each of these parameters, variables are evaluated and subsequently multiplied to acquire the final evaluation: RPN = Severity x Detection x Occurrence.
After the variables for each parameter are set, the maximum and minimum scores are calculated to define the parameter's range. If the score value falls within the lowest range, a risk value of "low" would be assigned. If it falls in the intermediate range, it would be deemed "medium". It would be considered "high" if the RPN value falls within the highest range.
Establishing and dividing into different risk ranges is necessary for the next risk control step to be completed.
Assigning a risk value to one range rather than another influences the decision-making process for risk reduction or acceptance. If the total identified risk is either medium or high, corrective or preventive risk control actions must be applied to the process to reduce it (i.e., the risk of quality being affected).
When possible, the risk value should be reduced to an acceptable threshold value. Risks in the "low" range are considered acceptable because they fall below the established acceptable threshold and do not require corrective or preventive action, as the risk is already controlled.
Using the filling and finishing of a product as an example, it is essential to have a secure strategy to prevent environmental contamination during the sterile production process to ensure the finished product’s quality.
Risk assessment is, therefore, a fundamental tool for pharmaceutical companies to strengthen their quality assurance processes, combined with their choice of instrumentation, which practically performs what is theoretically assessed. Adequate data representation and good data historicization are potential parameters to be considered to facilitate the risk control and review process.
Appropriate use of quality risk management can facilitate (but does not replace) the industry's obligation to comply with regulatory requirements.
Conclusions
An effective risk management approach can ensure the delivery of high-quality drugs and medicines to patients by providing a proactive means to identify and control potential quality issues during drug development and manufacturing.
The main goal of any risk management system should be the protection of the product’s end-user: product quality is the definitive measure of the success of a quality risk strategy that identifies and maintains the end customer’s safety. A fully documented Risk Assessment allows pharmaceutical companies to acquire high-quality products and comply with regulatory requirements and guidelines.
Product quality is managed through microbiological and particle control of air and surfaces, in accordance with a defined monitoring plan. It is also crucial to consider the interdependence between risk management and risk assessment methods.
It can be helpful to make use of external organizations for guidance. Such experts can help a company define and manage its risks by sharing the information they have gathered in a clear, systematic way. This communication can take place at any point in the process and the shared information may relate to the likelihood, existence, form, severity, nature, control, acceptability, detectability, treatment, or other aspects of the quality risks as required.
