How to do the confirmatory risk assessment of equipment in the new version of GMP?

The new GMP specifies: "Quality risk management is a systematic process of assessing, controlling, communicating, and auditing quality risks throughout the product life cycle using a prospective or retrospective approach. Quality risks should be assessed based on scientific knowledge and experience to ensure product quality. The methods, measures, forms, and documentation resulting from the quality risk management process shall be appropriate to the level of risk present."

Because risk management is a highly specialized management approach, risk managers are usually required to have some background knowledge of OE (OperationExcellence) and to be able to properly use risk analysis tools.

For the use of risk management tools, I learned something from Zhang Qiu, a trainer at the State Food and Drug Administration training center. According to his introduction, in the traditional quality management, the assessment and management of quality risks often use an informal approach, that is, relying more on the experience and knowledge of risk analysts to assess the size of the risk. With the development of a number of statistical analysis tools and new methods, and their use in the pharmaceutical industry, the recognized risk management tools in risk assessment cover a wide range of areas such as flowcharts; process diagrams; checklists; failure mode and impact analysis (failure mode, impact and hazard analysis); failure tree diagram analysis; hazard analysis and critical control points; basic hazard analysis; auxiliary statistical tools; and cause and effect diagrams.

Based on foreign experience, the risk management process can usually be divided into three parts - risk assessment, risk control and risk review. And in different processes, risks will be assessed, controlled and reviewed through the use of different analytical tools, so as to achieve the purpose of controlling risks.

Step 1: Finding Potential Risks

Risk assessment is the first step in risk management. It is mainly the identification of potential sources of hazards and the analysis and evaluation of the risks caused by exposure to these sources of hazards. It includes three parts: risk identification, risk analysis and risk evaluation.

1. Risk Identification First, the primary concern should be: what is the problem that will occur in a product or process? This is the basis for quality risk management - that is, the first systematic use of a variety of information and experience, to confirm the process, equipment, systems, operations and other risks in the process, pointing out that the hazards that will occur in where.

Second, identify the process, product, problem area, system, or object of study.

Once again, identify potential sources of risk. Examples include audits, regulatory inspections, validation processes, periodic product reviews, change control, supplier/contractor changes, facility design and parameters, technology transfers, corrective and preventive actions, complaints, product quality risk assessments, and other risk assessments.

Next, it is the use of risk identification tools, including brainstorming, FMEA, SWOT analysis, Kaizen, field surveys (GEMBA), fishbone diagram analysis, flow charts, near misses, internal and external audits, experience, historical data or reviews, etc., that lists all the possible factors that can fail and all the possibilities for errors to occur. For example, equipment downtime and failures can be analyzed using tools such as fishbone diagrams; for production processes, production flow charts can be used.

2. Risk Analysis Risk analysis needs to focus on: how likely is the problem to occur? How serious are the consequences of the problem? How recognizable is the occurrence of the problem? Analysis of identified risks and their hazards must be evaluated on a case-by-case basis once the possible failures have been identified and listed. This includes the severity of the problem; the likelihood of its occurrence; the recognizability and detectability of its occurrence.

To assess the severity of the problem, all problems can be categorized and a scoring scale of 1 to 5 points can be developed for each type of problem, the higher the score the more serious the problem. Then the occurrence of recognizability and predictability of the assessment, for example, the occurrence of recognizability and predictability into five levels, corresponding to 1 ~ 5 points, the higher the score indicates that the more difficult to identify.

In the whole risk assessment process, risk analysis is the most important part, which needs to be accomplished by quite experienced technical personnel as well as quality related personnel***. In addition, it is important to ensure that all relevant departments are involved in the assessment and that all personnel involved in risk analysis understand the process of assessing risk.

3. Risk EvaluationRisk evaluation refers to the evaluation of risks that have been identified and analyzed according to predetermined risk criteria. That is, the level of risk is first recognized by evaluating the severity and likelihood of the risk. In the classification of risk, you can use qualitative descriptions, such as "high", "medium" or "low"; or quantitative descriptions, such as specific values, the higher the value of the risk is greater. The higher the value, the higher the risk.

Step 2: Realize Risk Control

In quality risk management, the purpose of risk control is to reduce the risk to an acceptable level, the focus of risk control is reflected in the following aspects: what measures are taken to reduce, control, or eliminate the risk? Will new risks be created when controlling identified risks? What is the balance between benefits, risks and resources? Are the risks tolerable?

Based on the experience of some foreign companies, the implementation of risk control generally consists of two parts: risk reduction and risk acceptance.

1. Risk ReductionThe so-called risk reduction is the risk reduction measures to be taken for the risks identified in the risk assessment when the quality risk exceeds the acceptable level. This includes reducing the severity and likelihood of the risk, or improving the ability to detect quality risks.

During the implementation of risk reduction measures, it is possible that new risks are introduced into the system or that the likelihood of other risks occurring is increased. Therefore, a risk assessment should be re-conducted after the measures have been implemented to identify and evaluate whether new changes in risk have occurred.

At least four measures can be taken to reduce risk. The first is to eliminate the root cause of the risk; the second is to minimize the outcome of the risk; the third is to reduce the likelihood of the risk occurring; and the fourth is to transfer or share the risk.

Root cause analysis tools can also be used to reduce the likelihood of risk. Root cause analysis tools include "5 whys" analysis, fishbone diagram analysis, and so on.

Implementation of all identified risk mitigation action plans must follow a corrective and preventive action management approach. That is to say, for each action to set a clear action program, responsible person, completion date, completion of the situation, a person regularly track the completion of the action to ensure that all the risk reduction action plan to ensure the completion of high-quality.

If a scheduled risk mitigation action plan needs to be extended, it must be formally approved, and the risk of the extension must be evaluated to assess whether the extension will have an impact on the risk, and whether it will increase the risk's harmfulness or likelihood of occurrence.

2. Risk acceptanceAfter risk reduction, it is necessary to confirm whether the risk can be reduced to an acceptable range. The so-called risk acceptance refers to the decision to accept the residual risk after the implementation of risk reduction measures.

For some types of risks, even the best quality risk management tools cannot completely eliminate them, so the decision of whether to accept the risk is made after considering all factors.

On this premise, we can assume that the best quality risk management strategy has been adopted and that the quality risk has been reduced to an acceptable level without the need for more stringent corrective measures.

Step 3: Summarize in Retrospect

In the final stage of the entire risk management process, the results of risk management should be reviewed. Risk management is an ongoing quality management process, and a regular review check mechanism should be established, with the frequency of review determined based on the appropriate risk level.

Usually, a risk is considered to have been managed correctly if it meets the following eight conditions: the risk is correctly described; the root cause is identified; there is a specific solution for mitigating the risk; remediation, corrective, and preventive action plans have been identified; the action plans are effective; there is a person in charge of the action and a target date for its completion; the action plan's progress is monitored at all times; and the intended action is carried out and accomplished according to the plan. Scheduled actions are performed and completed as planned.

For pharmaceutical companies, risk management should be an ongoing, parallel part of the quality management process, with mechanisms in place to review or monitor events and to hold regular meetings to discuss all risks, including existing ones and to identify new ones. Meeting topics may include: review of existing risks; implementation of risk mitigation action plans; retrospective review of product results; annual review of products; annual review of the environment; and discussion and identification of new risks identified by change control, deviations, audits, and investigations.