Hi all,
In which stage we can do Risk Assesment - URS / DQ / IQ/ OQ / PQ.
Plz clarify me.
For all validation software, it is good to follow a risk based approach. So, once all the Plan and design phase is complete. Before the Software code is written, the risk assessment must be made.
The purpose of doing a risk assessment is not only to determine if you
need to conduct a validation but if so, to help focus your validation
effort, which is why you’d want to do it before writing your validation
plan.
A Risk Assessment should be completed when all the design documents have been completed i.e. URS,FDS,HDS,SDS, I always complete a risk assessment before FAT.
Ideally risk assesment should start after completing user requirement specification and should be the basis for the validation planning.
[quote=vamsemicro]Hi all,
In which stage we can do Risk Assesment - URS / DQ / IQ/ OQ / PQ.
Plz clarify me.[/quote]
Dear Vamse,
Risk Assessment should start with DQ and continue upto PQ. Because, we do the Risk Assessment for each stage i.e. Design, Installation, Operation & Performance.
URS talks about only the requirements of USER and it doesn’t talk about the risk.
Risk assessment shall be done for the following, but not limited to…
Risk at DQ - Design, GMP
Risk at IQ - Installation of Major Components & Systems
Risk at OQ - Operation, Safety, Interlocking Systems, Alarm Systems
Risk at PQ - Critical Parameters of PQ
With Best Regards,
Sudarshan Reddy
ys.sudarsan@gmail.com
I feel that the risk assessment could be treated more as a QA activity meaning that there is no definite stage at which this activity is to be done. It may have to be done throughout the life cycle of implementation of the application.
On the other hand, this may be a lot more comprehensive than required. As such the ideal thing to do would be to carry out the risk assessment uptil the stage of the design of the appilcation being finalized.
By this stage it would be possible to identify most of the risks that the user will face by implementing the solution provided by that design.
Regards,
Phani
Hi forum members
I think risk assessment should be done after functional specification and before design.Risk assessment takes into account the potential risk that may arise due to improper software specs. Fault tree analysis and risk mitigation should be considered keeping in mind the various regulatory requirements such as 21 CFR part 11, GAMP4 and FDA’s" General principles of software validation".
Regards
Amudha
Lots of good answers - all really show that there are several points at which risk assessment can be done, and maybe should be done!
In my company we encourage people to use risk assessment at several stages of validation, depending on what they are doing. Taking the example of a new piece of equipment:
We risk assess the URS document. We highlight or emphasise those aspects of the equipment which will (or may) be validated - eg speed, temperature. The URS may include lots of other things which we want, but won’t validate - such as time to change between product sizes. These are business (not quality) requirements.
We risk assess the product / equipment interactions. The temperature controllers are product quality critical, so will be validated, calibrated etc. The equipment needs guards for safety reasons, and these will be tested - but not validated.
We risk assess the supplier - hardware and software. This drives the kind of audit we will do (if any), and what effort (if any) we will make to keep the supplier within our desired quality standards.
In short, do it whenever it makes sense - and will help to determine exactly what efforts should be made, and when you are doing either too much, or too little.
Hope that helps!
Dear all
Let me clarify one thing about risk management process, Risk assessment is a not qualification/validation process. I will explain the brief methodology of risk management process.
Quality risk management is a systematic approach for the assessment, control, communication and review of risks to the quality of the drug substance across the product life cycle.
It is not necessary or appropriate to always use a formal risk management process (e.g., standardized tools); the use of informal risk management processes (e.g., empirical assessment) is acceptable for areas of less complexity and lower potential risk
The complexity of the events surrounding each decision and the potential risk involved are important inputs in determining the appropriate risk assessment methodology and corresponding level of analysis required to ensure the appropriate risk decision is made.
For the less complex and/or those decisions involving little risk, a qualitative analysis (e.g. decision tree) of the options may be all that is required.
Generally, as the complexity and/or risk increases, so should the sophistication of the risk assessment tool used to facilitate the corresponding analysis.
The level of documentation of the risk management process to render an appropriate risk assessment should be commensurate with the level of risk as mentioned in the figure-1.
1.0 General Quality Risk Management Process
A model for quality risk management is outlined in the diagram.The emphasis on each component of the framework might differ from case to case but a robust process will incorporate consideration of all the elements at a level of detail that is commensurate with the specific risk.
Figure 1: Overview of a quality risk management process
Decision nodes are not shown in the diagram above because decisions can occur at any point in the process.
These decisions might be
To return to the previous step and seek further information,
To adjust the risk models or even to terminate the risk management process based upon information that supports such a decision.
Note: “Unacceptable” in the flowchart does not only refer to statutory, legislative or regulatory requirements, but also to the need to revisit the risk assessment process.
2.0 Initiating a Quality Risk Management Process
Quality risk management should include the Systematic processes designed to coordinate, facilitate and improve science-based decision making with respect to risk.
Possible steps used to initiate and plan a quality risk management process might include the following:
Define the problem and/or risk question, including pertinent assumptions identifying the potential for risk;
Assemble background information and/ or data on the potential hazard, harm or human health impact relevant to the risk assessment;
Identify a leader and necessary resources;
Specify a timeline, deliverables and appropriate level of decision making for the risk management process.
3.0 Risk Assessment
Risk assessment consists of the identification of hazards and the analysis and evaluation of risks.
Quality risk assessments begin with a well-defined problem description or risk question. When the risk in question is well defined, an appropriate risk management tool and the types of information needed to address the risk question will be more readily identifiable.
As an aid to clearly defining the risk(s) for risk assessment purposes, three fundamental questions are often helpful:
- What might go wrong?
- What is the likelihood (probability) it will go wrong?
- What are the consequences (severity)?
3.1 Risk identification is a systematic use of information to identify hazards referring to the risk question or problem description. Risk identification addresses the “What might go wrong?” question, including identifying the possible consequences. This provides the basis for further steps in the quality risk management process.
3.2 Risk analysis is the estimation of the risk associated with the identified hazards. It is the qualitative or quantitative process of linking the likelihood of occurrence and severity of harms
3.3 Risk evaluation compares the identified and analyzed risk against given risk criteria. Risk evaluations consider the strength of evidence for all three of the fundamental questions.
The output of a risk assessment is either a quantitative estimate of risk or a qualitative description of a range of risk.
Risk can be expressed using qualitative descriptors, such as “high”, “medium”, or “low”, which should be defined in as much detail as possible. Sometimes a “risk score” is used to further define descriptors in risk ranking. Refer QA-XXfor risk analysis in qualitative descriptors.
When risk is expressed quantitatively, a numerical probability is used. In quantitative risk assessments, a risk estimate provides the likelihood of a specific consequence, given a set of risk-generating circumstances. Thus, quantitative risk estimation is useful for one particular consequence at a time. Refer SOP No.20-XXX-XX for FMEA.
4.0 Risk Control
Risk control includes decision making to reduce and/or accept risks. The purpose of risk control is to reduce the risk to an acceptable level. The amount of effort used for risk control should be proportional to the significance of the risk.
Risk control might focus on the following questions:
Is the risk above an acceptable level?
What can be done to reduce or eliminate risks?
What is the appropriate balance among benefits, risks and resources?
Are new risks introduced as a result of the identified risks being controlled?
4.1 Risk reduction focuses on processes for mitigation or avoidance of quality risk when it exceeds a specified (acceptable) level (see Fig. 1).
Risk reduction might include actions taken to mitigate the severity and probability of harm. Processes that improve the detectability of hazards and quality risks might also be used as part of a risk control strategy.
4.2 Risk acceptance is a decision to accept risk. Risk acceptance can be a formal decision to accept the residual risk or it can be a passive decision in which residual risks are not specified.
The specified acceptable level will depend on many parameters and should be decided on a case-by-case basis.
5.0 Risk Communication
Risk communication is the sharing of information about risk and risk management between the decision makers and others. The included information might relate to the existence, nature, form, probability, severity, acceptability, control, treatment, detectability or other aspects of risks to quality.
Communication need not be carried out for each and every risk acceptance can be based on importance of the information
6.0 Risk Review
Risk management should be an ongoing part of the quality management process.
The output/results of the risk management process should be reviewed to take into account new knowledge and experience.
Once a quality risk management process has been initiated, that process should continue to be utilized for events that might impact the original quality risk management decision, whether these events are planned (e.g., results of product review, inspections, audits, change control) or unplanned (e.g., root cause from failure investigations, recall).
The frequency of any review should be based upon the level of risk. Risk review might include reconsideration of risk acceptance decisions
7.0 RISK MANAGEMENT METHODOLOGY
Quality risk management supports a scientific and practical approach to decision-making. It provides documented, transparent and reproducible methods to accomplish steps of the quality risk management process based on current knowledge about assessing the probability, severity and sometimes detectability of the risk.
A key early step in the execution of a risk analysis is to determine the appropriate Risk assessment tool (or methodology).
A list of generally well-recognized risk management tools is as below
Common Risk Management Tools,
Basic risk management facilitation methods (flowcharts, check sheets etc.);
Failure Mode Effects Analysis (FMEA);
Failure Mode, Effects and Criticality Analysis (FMECA);
Fault Tree Analysis (FTA);
Hazard Analysis and Critical Control Points (HACCP);
Hazard Operability Analysis (HAZOP);
Preliminary Hazard Analysis (PHA);
Risk ranking and filtering;
I think all are clarified
Thanks and regards
Prasad.Velicheti
Very informative quotes by many members which covers almost everything. I would like to make it more clear.
Once we got detailed design & functional specs of equipment, we need to review it in view of user requirements & cGMP. At this stage we need to identify potential risk to product quality, environment, personnel in case something goes wrong. This is what we attempt to find out through FMEA. After analysis we may propose mitigation action to reduce the risk to acceptable level which may include design modification or procedural controls. It means primary risk assessment is considered during finalization of DQ & before system build.
To assess the effectiveness of risk assessment done at this stage, it may also necessary to carry out it again at post qualification stage so that it can finally be concluded the risk level is at acceptable level & in control.
Ravi Dhanbhar
The main purpose of risk assessment is to reduce the risk in the existing system or process by systematic approach as.
-
To evaluate the risk [ With the help of fish bone tool]
- Risk identification - Risk analysis - Risk evaluation -
To control the risk
-
To review the risk
Regards
Hope my earlier posts as under shall be of use on this topic.
I think we all are on same grid but difference is in understanding & interpretation.
As FMEA tool is applied specially to know potential risk of failure in quality, process, equipment or method, we need to assess risk based on severity of failure, occurrence & detectibility of failure. Here I would like to emphasize on detectibility. Magnitude of Detectibility needs to be considered before occurring the harm rather than detection after occurring the harm.
So far as scale for assessment is concerned, I feel it shall be quite realistic to categorise harm/occurrence & detectability as follow.
Very Low
Low
Moderately High
High
Very High
We can very easily mould it in scale of 1 - 5 with reasonable rationales.
Herein we need to consider scale 5 -1 for detectbility. If the probability of detection before causing harm is low, shall be ranked as 5.
Further it shall be well justified to set acceptability level below 50% i.e. considering mean value of the scale adapted but it may have influence of criticality.
Our efforts should be to arrive at precise risk factor which represent realistic magnitude of harm.
It can be ranged from 1 to 3 , 1 to 5 or may it be 1 to 10.
Rgds
Ravi Dhanbhar