Transcript MWUG Presentation
Developing a Risk Based Approach to Validation for Life Sciences
Presented by Bill Gargano March 20, 2012
Core Definitions Categorizing risks and their respective plans Reduce Testing in a Risk Based Environment Developing a “How To” Guide Developing documentation standards Differentiating tasks that will reduce time and effort Impacting strategies for maintenance Optimizing the Validation Plan
Topics
When and Why?
As far back as August 2002 the Food and Drug Administration (FDA) urged an industry change creating a Quality Systems Framework.
• Encourage implementation of risk-based approaches that focus both industry and Agency attention on critical areas • Ensure that regulatory review, compliance, and inspection policies are based on state-of-the-art pharmaceutical science
Core Definitions
• • • • • • • • Hazard – Potential source of harm; condition that can cause harm or lead to a mishap Harm, mishap – Injury or death to persons, damage to property or the environment, or damage to or loss of data Risk – Combination of the probability, severity, and the likelihood of that harm Hazard Analysis - A technique used to identify conceivable failures affecting system performance, human safety, or other required characteristics.
Risk Analysis - Systematic use of available information to identify hazards and to estimate the risk Risk Assessment - An overall process comprising a risk analysis and a risk evaluation Risk Evaluation - Judgment, on the basis of risk analysis, of whether a risk which is acceptable has been achieved in a given context based on the current values of society Risk Management – Bringing all of the above together in one process
Risk Management
RISK MANAGEMENT
Risk Analysis Risk Evaluation Risk Control Post Production Info
Ask questions – Apply the process
What COULD go wrong?
IDENTIFY what could go wrong How bad is it?
Estimate the: SEVERITY – LIKELIHOOD - DETECTABILITY Can the situation be improved?
Take preventive or corrective actions What have we LEARNED from this?
Check and review actual results!
The Risk Based Approach
• The risk based approach tailors the level of validation activity to the increased complexity or increased impact of the system.
High Low Complexity High
Activities Involved in Risk
Justification
• Test the areas pose the greatest risk to product quality and patient safety • Overall validation costs are reduced and efficiency is increased • Identify all relevant systems that require validation • Determine how to validate, and the extent of validation required, for the systems that have been identified
Biz Considerations
Identifying, evaluating, controlling, and mitigating risk may allow for:
– Shorter development cycle – More robust product/process – Fewer complaints, returns, and warranty claims – Fewer recalls and less subsequent agency attention – Continuous improvement of Risk Assessment techniques and practices
TOC
Total Cost of Ownership using a Risk Based Methodology is lowered.
– Better predictability for Time to Market – ROI based Risk strategies result in almost 99% defect free validated applications – Overall knowledge domain of staff increased by utilizing specialized skill sets and testing methods – Better software quality – reduction in help-desk calls – Consolidation of the enterprise testing infrastructure – A reduction of up to 20% in the Cost of Quality, as defects are identified and corrected earlier in the process
Why?
How / where to initiate a RBV approach?
– Start a new corporate initiative – Enhance and establish a standard or FRAMEWORK for Risk – Perform a part 11 risk assessment to identify remediation targets – Develop a new manufacturing process – Determine the extent of validation needed for new applications
Existing Models
• FTA – Fault Tree Analysis • FMEA – Failure Mode and Effects Analysis • FMECA - Failure Mode and Effects Criticality Analysis • NIST Special Publication 800-30 – Government standard for use with IT systems (National Institute of Standards and Technology) • MIL-STD-882D – Used by DoD • ISO – Standards • HACCP – Hazard Analysis and Critical Control Point -Standard for food products • GAMP 5 – European voluntary standard, pharma automation
How Activities Correlate to Risk
Development Standards Design Code Review Phase Review Safety Impact Activities Failure Analysis Project Coordination Management Data Traceability Management Business Impact Analysis Configuration Management Release Management Vendor Support Training Compliance Impact Activities Core Validation Activities Validation Planning Requirements Management Change Management Testing Validation Reporting
Assign Ratings
Severity /Detectability/Likelihood
How severe can the problem be?
How easy is the problem able to be detected?
What is the likelihood that this problem will occur?
Risk Priority Number
• Assign Risk Priority Number (RPN) • Taking into consideration the severity of the risk, the likelihood of the risk occurring, and the detectability of that risk as it is occurring, a risk priority number can be calculated using the formula:
Severity x Likelihood x Detectability = RPN
• RPN also referred to as a Risk Index (RI)
FMEA Rankings
Ranking
1 2 3
Rating
Low Moderate High
Criteria
Minor negative impact, no long term detrimental impact Moderate negative impact, some short-to medium-term detrimental impact Very significant negative impact, significant long-term effects and potentially catastrophic short-term impacts
Assign Risk Classification • Having assigned the likelihood and business impact, use a matrix to classify the risk • Level 1 is highest • Level 3 is lowest
Risk Classification
Determine Appropriate Measures for Risk Mitigation • By combining Risk Classification with Probability of Detection, prioritize based upon those areas of greatest vulnerability • Modify process or system elements • Modify project strategy • Modify validation approach • Eliminate risk
Risk Mitigation
SYSTEM
HIGH RISK MEDIUM RISK LOW RISK
Example: Vendor Assessment
GAMP
ON SITE VENDOR AUDIT ASSESSMENT VIA MAIL (Checklists) DOCUMENTATION FROM VENDOR, REPUTATION
Example: CSV Validation
COMPUTER SYSTEM
HIGH RISK MEDIUM RISK LOW RISK
DOCUMENTATION
All including SAD, SID, IQ, OQ, PQ, QA Checklist, and more Same as Low – Add IQ and OQ alone, Risk Assessment VMP, URS/FRS, IQ/OQ, Single Summary Report
Plan Testing Mapping
Where to Start and Challenges
• Assess current Risk Model : – Look at standards, validation procedures, previous RA, governance • Establish NEW Risk Model: – Work with client to pinpoint areas of highest concern (Mfg, Lab, Clinical) – Begin with current RCM Framework and modify to client needs • QA: – Need to gain acceptance from this group in a non-threatening way – Typically set in their ways – culture change • “We have a model already”: – Is everyone following that model? – What savings have you seen? In other words, is it working?
“Don’t worry Jim, what’s the worst thing that can happen?”