MWUG Presentation


Developing a Risk Based Approach to Validation for Life Sciences

Presented by Bill Gargano, March 20, 2012

Topics

• Core Definitions
• Categorizing risks and their respective plans
• Reduce Testing in a Risk Based Environment
• Developing a “How To” Guide
• Developing documentation standards
• Differentiating tasks that will reduce time and effort
• Impacting strategies for maintenance
• Optimizing the Validation Plan

When and Why?

As far back as August 2002 the Food and Drug Administration (FDA) urged an industry change creating a Quality Systems Framework.

• Encourage implementation of risk-based approaches that focus both industry and Agency attention on critical areas
• Ensure that regulatory review, compliance, and inspection policies are based on state-of-the-art pharmaceutical science

Core Definitions

• Hazard – Potential source of harm; condition that can cause harm or lead to a mishap
• Harm, mishap – Injury or death to persons, damage to property or the environment, or damage to or loss of data
• Risk – Combination of the probability, severity, and the likelihood of that harm
• Hazard Analysis – A technique used to identify conceivable failures affecting system performance, human safety, or other required characteristics
• Risk Analysis – Systematic use of available information to identify hazards and to estimate the risk
• Risk Assessment – An overall process comprising a risk analysis and a risk evaluation
• Risk Evaluation – Judgment, on the basis of risk analysis, of whether a risk which is acceptable has been achieved in a given context based on the current values of society
• Risk Management – Bringing all of the above together in one process

Risk Management

• Risk Analysis
• Risk Evaluation
• Risk Control
• Post Production Info

Ask questions – Apply the process

• What COULD go wrong?
  – IDENTIFY what could go wrong
• How bad is it?
  – Estimate the: SEVERITY – LIKELIHOOD – DETECTABILITY
• Can the situation be improved?
  – Take preventive or corrective actions
• What have we LEARNED from this?
  – Check and review actual results!

The Risk Based Approach

• The risk based approach tailors the level of validation activity to the increased complexity or increased impact of the system.

[Figure: chart with axis “Complexity”, running from Low to High]

Activities Involved in Risk

Justification

• Test the areas that pose the greatest risk to product quality and patient safety
• Overall validation costs are reduced and efficiency is increased
• Identify all relevant systems that require validation
• Determine how to validate, and the extent of validation required, for the systems that have been identified

Biz Considerations

Identifying, evaluating, controlling, and mitigating risk may allow for:

– Shorter development cycle
– More robust product/process
– Fewer complaints, returns, and warranty claims
– Fewer recalls and less subsequent agency attention
– Continuous improvement of Risk Assessment techniques and practices

TCO

Total Cost of Ownership using a Risk Based Methodology is lowered.

– Better predictability for Time to Market
– ROI based Risk strategies result in almost 99% defect free validated applications
– Overall knowledge domain of staff increased by utilizing specialized skill sets and testing methods
– Better software quality – reduction in help-desk calls
– Consolidation of the enterprise testing infrastructure
– A reduction of up to 20% in the Cost of Quality, as defects are identified and corrected earlier in the process

Why?

How / where to initiate a RBV approach?

– Start a new corporate initiative
– Enhance and establish a standard or FRAMEWORK for Risk
– Perform a Part 11 risk assessment to identify remediation targets
– Develop a new manufacturing process
– Determine the extent of validation needed for new applications

Existing Models

• FTA – Fault Tree Analysis
• FMEA – Failure Mode and Effects Analysis
• FMECA – Failure Mode and Effects Criticality Analysis
• NIST Special Publication 800-30 – Government standard for use with IT systems (National Institute of Standards and Technology)
• MIL-STD-882D – Used by DoD
• ISO – Standards
• HACCP – Hazard Analysis and Critical Control Point – Standard for food products
• GAMP 5 – European voluntary standard, pharma automation

How Activities Correlate to Risk

[Diagram labels: Development Standards Design Code Review Phase Review Safety Impact Activities Failure Analysis Project Coordination Management Data Traceability Management Business Impact Analysis Configuration Management Release Management Vendor Support Training Compliance Impact Activities Core Validation Activities Validation Planning Requirements Management Change Management Testing Validation Reporting]

Assign Ratings

Severity / Detectability / Likelihood

How severe can the problem be?

How easily can the problem be detected?

What is the likelihood that this problem will occur?

Risk Priority Number

• Assign Risk Priority Number (RPN)
• Taking into consideration the severity of the risk, the likelihood of the risk occurring, and the detectability of that risk as it is occurring, a risk priority number can be calculated using the formula:

Severity x Likelihood x Detectability = RPN

• RPN is also referred to as a Risk Index (RI)

FMEA Rankings

Ranking – Rating – Criteria

• 1 – Low – Minor negative impact, no long term detrimental impact
• 2 – Moderate – Moderate negative impact, some short- to medium-term detrimental impact
• 3 – High – Very significant negative impact, significant long-term effects and potentially catastrophic short-term impacts
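The RPN formula and the 1 to 3 ranking scale above, applied to a small FMEA worksheet; this is an added example, not part of the original presentation. The failure modes are constructed, the HIGH/MEDIUM band cut-offs are hypothetical, and a detectability score of 3 is assumed to mean "hardest to detect".

```python
from dataclasses import dataclass

# The presentation's three-point scale: 1 = Low, 2 = Moderate, 3 = High.
SCALE = {1: "Low", 2: "Moderate", 3: "High"}

# Assumed cut-offs (not from the presentation): on a 1-3 scale the RPN
# ranges from 1 to 27; each organisation sets its own bands.
HIGH_RPN = 12
MEDIUM_RPN = 6

@dataclass(frozen=True)
class FailureMode:
    name: str
    severity: int       # 3 = most severe
    likelihood: int     # 3 = most likely
    detectability: int  # assumed direction: 3 = hardest to detect

    def __post_init__(self):
        # Reject scores that are off the scale instead of silently scoring them.
        for field in ("severity", "likelihood", "detectability"):
            value = getattr(self, field)
            if value not in SCALE:
                raise ValueError(f"{self.name}: {field}={value!r} is not on the 1-3 scale")

    @property
    def rpn(self) -> int:
        # Severity x Likelihood x Detectability = RPN
        return self.severity * self.likelihood * self.detectability

def risk_band(rpn: int) -> str:
    """Map an RPN to a risk band using the assumed cut-offs above."""
    if rpn >= HIGH_RPN:
        return "HIGH RISK"
    if rpn >= MEDIUM_RPN:
        return "MEDIUM RISK"
    return "LOW RISK"

def prioritise(modes):
    """Return (name, rpn, band) tuples, highest RPN first; ties keep input order."""
    ranked = sorted(modes, key=lambda m: m.rpn, reverse=True)
    return [(m.name, m.rpn, risk_band(m.rpn)) for m in ranked]

# Constructed sample worksheet for a hypothetical laboratory system.
WORKSHEET = [
    FailureMode("Audit trail entry not written", 3, 1, 3),
    FailureMode("Report footer shows wrong page count", 1, 2, 1),
    FailureMode("Sample result saved against wrong batch", 3, 2, 3),
    FailureMode("User session does not time out", 2, 2, 2),
]
RANKED = prioritise(WORKSHEET)  # testing effort goes to the top of this list first
```

The audit trail failure is rare but severe and hard to detect, so it still outranks the more likely session time-out issue; that ordering is what the detectability factor contributes.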

Risk Classification

Assign Risk Classification

• Having assigned the likelihood and business impact, use a matrix to classify the risk
• Level 1 is highest
• Level 3 is lowest

Risk Mitigation

Determine Appropriate Measures for Risk Mitigation

• By combining Risk Classification with Probability of Detection, prioritize based upon those areas of greatest vulnerability
• Modify process or system elements
• Modify project strategy
• Modify validation approach
• Eliminate risk

Example: Vendor Assessment

SYSTEM – GAMP

• HIGH RISK – ON SITE VENDOR AUDIT
• MEDIUM RISK – ASSESSMENT VIA MAIL (Checklists)
• LOW RISK – DOCUMENTATION FROM VENDOR, REPUTATION

Example: CSV Validation

COMPUTER SYSTEM – DOCUMENTATION

• HIGH RISK – All including SAD, SID, IQ, OQ, PQ, QA Checklist, and more
• MEDIUM RISK – Same as Low – Add IQ and OQ alone, Risk Assessment
• LOW RISK – VMP, URS/FRS, IQ/OQ, Single Summary Report

Plan Testing Mapping

Where to Start and Challenges

Assess current Risk Model:
– Look at standards, validation procedures, previous RA, governance

Establish NEW Risk Model:
– Work with client to pinpoint areas of highest concern (Mfg, Lab, Clinical)
– Begin with current RCM Framework and modify to client needs

QA:
– Need to gain acceptance from this group in a non-threatening way
– Typically set in their ways – culture change

“We have a model already”:
– Is everyone following that model?
– What savings have you seen? In other words, is it working?

“Don’t worry Jim, what’s the worst thing that can happen?”

Questions Thank you
