Monday, July 12, 2010

Considerations for Risk Based Validation


“Risk based validation” is now a commonly heard expression in the pharmaceutical industry, but the methodology to implement it is unclear. The consensus is that an effective risk based validation process will reduce the overall time and effort spent on validation, thereby increasing productivity and profitability within the company. However, if you are unaware of how to implement such an approach, chances are the real benefits will not be seen.

The Food and Drug Administration (FDA) and others are actively embracing the advantages of a “risk based” approach to validation. The guidance on General Principles of Software Validation states: “The selection of validation activities, tasks, and work items should be commensurate with the complexity of the software design and the risk associated with the use of the software for the specified intended use.”  The FDA’s Part 11 Scope and Application guidance document states: “We recommend that you base your approach (to implement Part 11 controls, e.g., validation) on a justified and documented Risk Assessment and a determination of the potential of the system to affect product quality and safety, and record integrity.”

If there is one area of focus that is worthy of the time spent, it is in conducting the Risk Assessment.  A Risk Assessment can be used to guide the scope of the entire validation effort, allowing you to target more intensive testing in high risk areas while minimizing testing in lower risk areas.  Risk based validation also presents the opportunity for significant cost savings since comprehensive validation testing may be reduced or eliminated in low risk areas of the application.  Another thing to remember about risk based validation is that “if it’s not documented, it didn’t happen.”  It is not enough to simply assess the risk and make the decisions based on that risk. The process of assessing risk must be documented as well.  A validation approach that is based on an undocumented analysis would be difficult to defend in an audit.  The approach taken, the findings uncovered, the decisions made, and the justification for those decisions must be documented and available for inspection during an audit.

When assessing risk, the level of effort, formality and documentation should be commensurate with the level of risk. There are several key factors to consider when evaluating the risk of a system:

1.     Risk
What is the impact on product efficacy and safety?  What is the GxP criticality?  What is the business criticality and impact on business continuity? What is the risk of inspection by a regulatory agency? 

2.     Complexity
How complex is the system? What is the level of networking and influence on other systems?

3.     Novelty
How new is the technology?  How mature is the system?  What is the level of customization?

Once the critical risk factors are documented, the next step in assessing risk is a comprehensive evaluation of the risk and its associated impact.  A Risk Assessment will examine three fundamental questions:
1.    What might go wrong?
2.    What is the likelihood (probability) it will go wrong?
3.    What are the consequences (severity)?


The classification and prioritization of risks can then be used to help determine the need for and/or extent of validation.  An effective and efficient risk based validation process will result in less validation work, faster system deployment and a reduction in overall validation costs.

For more information on risk based validation, please contact us at 888-742-7620, and ask to speak to Robert Finamore - Director, Professional Services.

11 comments:

  1. Validating for intended use and focusing on critical functions that pose high risk to the quality of the product, patient safety and Data integrity is what Risk based validation is all about... You can refer to GAMP 5 Risk-Based Approach to Compliant GxP Computerized Systems... (LinkedIn)

  2. Risk based validation approach can start with assigning criticality factors to each functionality based on how the failure of that functionality will affect the patient safety, product quality and data integrity. The higher the criticality, the deeper should be the depth of validation required for that functionality.

  3. If you are unsure as to how to carry out a risk based assessment there is plenty of information on the web, white papers, ISPE web site, GAMP & baseline guides.

    The basic principles apply within other industries: Financial, Medical and 6 sigma material production testing.

    In principle there are two parts to a risk strategy and "scoring system": how likely is the activity to fail, and if it fails how critical is it?
    Most schemes I have seen and used use High, Med and Low for both parts and the scoring is one multiplied by the other.

    e.g.
    A = activity = a procedure - not followed correctly (a common FDA 483 citation)
    rf = risk or failure = if the procedure is not followed correctly, how likely is this to be picked up
    rp = risk to process failure = and if not how critical is this in the process?

    high = 3 med = 2 low = 1 for each
    risk factor = A x rf x rp

    hope this helps

    (LinkedIn)

  4. The white paper on your blog is useful as well. I would just like to add one thing to this discussion, and that is, you must have the RIGHT PEOPLE involved in your risk assessment process.

    From my experience of having conducted risk assessments for many types of systems, I suggest that you involve the following people: (1) A Subject Matter Expert who knows the system; (2) a representative from QA who knows the predicate rules and the regulatory records that are required; (3) a Manager from the business unit who understands the business processes and business-related risks; and (4) a person from the IT department who knows how to install and configure software. It is also a good idea to have someone appointed as the Scribe, to record key decisions and action items from the discussion.

  5. Previously in my project, whenever we felt any risk, we would find out the mitigation too. So we need to follow the approach not only in risk and mitigation but also in Preventive action (CAPA). This may be one of the best practices to improve on quality and compliance. (LinkedIn)

  6. Having done a fair number of validation projects I often wonder why the validation effort turns out to be so burdensome. I've found the policies mostly driven by the history of the company, no matter the approach, and if they had a previous bad experience that cost them money and time and bad publicity.

    If people got fired then the validation effort went way up, and stayed that way for years, no matter the relative value of the system. Over time the pendulum swings back into a more reasonable (less effort) approach but that's usually driven by fewer resources available and turnover in the management ranks responsible for validation.

    I do think risk based is a good idea but any approach depends on a company pain threshold and interpretation of the procedures. Usually the people making the decision are not the ones having to write up, execute, rectify, and retest the results. (LinkedIn)

  7. Does anyone's company make risk assessment a REQUIREMENT as part of EVERY validation effort? I realize the value of risk assessment and have been teaching it for over 20 years....but am trying to determine if there is anywhere this tool MUST be taken out of the toolbox for absolutely every job. (LinkedIn)

  8. True risk analysis was officially introduced to our industry just a couple of years ago, so this is still somewhat new territory for pharma. A period of uncertainty and adjustment is to be expected, but the best preparation is to study simple risk assessment methods such as PHA and FMEA. Anything is possible, but not everything is equally probable so risk analysis allows one to spend resources on the likely problems.

    The beauty of risk analysis is that it forces one to use structured thinking. Classify what could go wrong, how it can go wrong and what the impact is to product quality and more importantly patient safety. Once risk analysis is well understood, and performed appropriately (with process experts as someone already noted above), it’s really not difficult. ICH Guidance lists several structured risk analysis methods that spell out clearly what to work on and why, focusing concentration on the more important issues.

    When I was at Lonza in the 1990’s, we explored parameter ranges and characterized processes with factorial design before transferring them to manufacturing. We went into manufacturing equipped with reports and process data, and then committed to follow the process performance once in manufacturing.
    Some firms today practicing in principles such as PAT, risk analysis, and Quality by Design have a head start, and this is where the business benefits case should be made. A bigger consideration or question is more likely, how much does the new guidance and/or future guidance raise the bar? And just as significantly, does it raise it out of reach for small companies?

  9. Right. However, the people making the decisions are putting the CEO at risk, not just themselves. (LinkedIn)

  10. I am seeing this as a requirement more and more with my clients. (LinkedIn)

  11. Our company uses a risk assessment to determine the scope of the validation effort. That means the RA is very close to the first step in most projects.

    That's not to say the concept of our risk assessment matches everyone else's. We don't fine tune it and break it down as much as might be done. We are doing a gross assessment of regulatory risk, business risk, and part 11 applicability. Sometimes gaps are uncovered and those get bridged in the validation lifecycle.

    Ideally we might some day introduce a second type of RA that really digs into the separate system components or functions, but we aren't there yet.
