Risk Based Approach to Validation

Risk Based Approach to Validation

When we talk about validation and the requirement to validate even the simplest of software solutions, there is nearly always a negative, resistant atmosphere created straight away. Furthermore, even though the art of validation has evolved as have rules, regulations, best practices and various methodologies. Validation is a lifecycle which is living and breathing, it has matured with age and doesn’t have to be cumbersome anymore.

Click here
http://www.askaboutvalidation.com/risk-based-approach-to-validation/
to read the entire article

Hi gokeeffe,

Thanks for sharing such a good article with us.

I do agree with you that the validation is approach of well planning & execution. In addition to this the risk involved in the project execution assessment is also provide us the breathing space [“Design Space”]. One can utilize the different available tools for risk assessment.

The concept of Validation remians same even for a simple process validation to a complex network / SCADA system validations. By utilizing the Risk Assessment approach we can reduce or increase the extent of validation of desired project.

FMEA, FMECA, PHA, HAZOP, HACCP, FTA etc. are few approved & agreed approaches for Risk assessment.

Replies invited for “Which approach most suits to Complex Computer System risk assessments”.

Happy Reading !

Regards’

Here’s an article that is relevant to risk management. Part 2 to follow soon…

http://www.askaboutvalidation.com/astm-e2537-standard-guide-for-application-of-continuous-quality-verification-to-pharmaceutical-and-biopharmaceutical-manufacturing-part-1/

There are three practical motivations behind the drive toward a risk-based approach to validation:

1.By taking a risk-based approach companies can more rigorously test the areas of the software system that pose the greatest risk to product quality and patient safety

2.Overall validation costs are reduced and efficiency is increased not just within the organization adopting a risk-based approach but throughout the entire industry

3.The outcome of an industrywide shift toward risk-based validation, according to The Society for Life Science Professionals, would be the propagation of innovation in manufacturing and new technological advances without having to sacrifice product quality or patient safety.

It’s crucial to note that risk isn’t dependent in principle on the software system itself. Rather, risk is dependent on those processes the system facilitates with the records it’s managing. These specific processes that must be assessed include:

Creating records
Record assessment
Record transmission
Archiving of records

The FDA employs risk-assessment practices and recommends that industry should follow suit. The FDA guidance for industry Part 11, “Electronic Records; Electronic Signatures—Scope and Application” recommends that software validation be focused on “a justified and documented risk assessment and a determination of the potential of the system to affect product quality and safety, and record integrity.” Logic dictates that such documentation should include a formal risk management plan that details the risk assessment and risk mitigation activities during the implementation of the system and during installation qualification, operational qualification, and performance qualification testing phases.

Risk assessment can be useful in determining system elements that are fundamental to meeting the terms outlined by the FDA in the guidelines :

Critical risk factors
The need for validation and the extent of testing that will be required
The need to implement audit trails (or equivalent controls) in the system and structure the audit will ultimately take
A strategy for maintaining records’ integrity and reliability throughout their retention period

The next step in the risk assessment process then becomes classifying and prioritizing the identified risks using any number of risk factors. Factors often used to assess risk include:

Impact
Probability
Detection

Good Sharing Mr. Durga.

Hi - I’m a new member.

I do not like risk assessments at all. They are purely subjective and are mostly as a result of the vivid imagination of the author.

In CSV, you can never have “NO RISK” - only “LOW RISK” as a minimum and therefore everything has to be validated - it’s hardly a good entry point for a LEAN Project.

In some cases, (groooan) numbers are used to indicate the level of risk - but there is no clear definition of the additional validation effort required for a risk level of (say) 45 to a risk level of (say) 51. Even more subjective are the terms “Medium”, “Low” and “High” - horrible horrible horrible.

Do we ever just accept the risk without mitigation ? In 99% of the time we can’t - and thats another reason why I hate risk assessments.

What do you think ?

Many things we hate in the industry and really do not look into a deeper importance and impact before any event occurs which cuases failures, deaths and recalls.ICHQ9 is one document which speaks and its implemented by USFDA, EU, PI/Cs & very recently WHO.
We have to perform this and as far as regulators are concern there is no escape for new facilities and especially in Aseptic manufacturing and Biological Manufacturing.

Heparin is a best example which shook the globe and the regulators have to take a drastic mesaures so that such event never happens any where across the globe even a product is manufactured any where in so called 3rd world nations what EU/US feel cheaper manufacturing zones.

Regulators now feel prevention is better than cure. Things will go out of hands suddenly even where a Risk Mapping or Risk plan is implemented. A popular case of contamination is surfacing now through the wooden pallets which we use from TBP preservative.

So risks is around industry which we cannot avoid and the guideline speaks in a broader prespective.

[quote=Bread]Hi - I’m a new member.

I do not like risk assessments at all. They are purely subjective and are mostly as a result of the vivid imagination of the author.

In CSV, you can never have “NO RISK” - only “LOW RISK” as a minimum and therefore everything has to be validated - it’s hardly a good entry point for a LEAN Project.

In some cases, (groooan) numbers are used to indicate the level of risk - but there is no clear definition of the additional validation effort required for a risk level of (say) 45 to a risk level of (say) 51. Even more subjective are the terms “Medium”, “Low” and “High” - horrible horrible horrible.

Do we ever just accept the risk without mitigation ? In 99% of the time we can’t - and thats another reason why I hate risk assessments.

What do you think ?[/quote]

I have to say, I am laughing here and I agree with you 100%

I have been part of some risk assessment meetings, where people get bored and just assign everything a high risk and validate everything.

For risk assessments to work correctly you have to get the SME’s involved who understand exactly the application and the process, those that don’t will always lean on the side of caution.

This is an interesting discussion and its good to see that others are also frustrated!!!

Regards

The European Parliament has approved the falsified medicines directive and described it as a “huge step” in efforts to protect patients.

Development of the directive has taken several years but yesterday the European Parliament quickly, and overwhelmingly, approved the document. Despite some misgivings, speakers in Parliament were very supportive of the directive and the safety benefits for European patients.

"Falsified medicines are silent killers, either because they are devoid of effect or because they contain toxic substances that may harm, or even kill, those who take them”, said Marisa Matias, a member of the European Parliament (MEP) who had a key role drafting the directive.

Now, with a legal framework, recognising the falsification of medicines as a crime, in place and preventative measures in the pipeline Matias, and other MEPs, believe a “huge step” has been taken.

Industry response

Industry is also broadly supportive of the directive. Brian Ager, director general of the European Federation of Pharmaceutical Industries and Associations (EFPIA), welcomed the directive and called on all key stakeholders to commit to making it a success.

Others, while welcoming the directive, raised concerns about the specifics. For instance, the European Generic medicines Association (EGA) called on the Commission to adopt a risk-based approach to avoid placing “unnecessary burden on low risk products, such as generic medicines”.

The Pharmaceutical Group of the European Union (PGEU) also has concerns about details the Commission is still to determine, in particular the electronic verification system. PGEU will work with the Commission to ensure the verification system is comprehensive and efficient.

[quote=DURGA PRASAD]The European Parliament has approved the falsified medicines directive and described it as a “huge step” in efforts to protect patients.

Development of the directive has taken several years but yesterday the European Parliament quickly, and overwhelmingly, approved the document. Despite some misgivings, speakers in Parliament were very supportive of the directive and the safety benefits for European patients.

"Falsified medicines are silent killers, either because they are devoid of effect or because they contain toxic substances that may harm, or even kill, those who take them”, said Marisa Matias, a member of the European Parliament (MEP) who had a key role drafting the directive.

Now, with a legal framework, recognising the falsification of medicines as a crime, in place and preventative measures in the pipeline Matias, and other MEPs, believe a “huge step” has been taken.

Industry response

Industry is also broadly supportive of the directive. Brian Ager, director general of the European Federation of Pharmaceutical Industries and Associations (EFPIA), welcomed the directive and called on all key stakeholders to commit to making it a success.

Others, while welcoming the directive, raised concerns about the specifics. For instance, the European Generic medicines Association (EGA) called on the Commission to adopt a risk-based approach to avoid placing “unnecessary burden on low risk products, such as generic medicines”.

The Pharmaceutical Group of the European Union (PGEU) also has concerns about details the Commission is still to determine, in particular the electronic verification system. PGEU will work with the Commission to ensure the verification system is comprehensive and efficient.[/quote]

Nice - but how do we define “low risk” to reduce this burdon. Also - notice how the regulators don’t define it either - so what are we supposed to do - add risk by defining it ourselves ?

None of the regulatory bodies will define what they mean by low risk and if they do, it will be very vague. They tend to lean towards the industry to drive the true meaning and definition.

Here’s a revelation for you from my meeting today. I told QA (bless them) that if we have a risk that they consider “Low” - we will accept the risk without mitigation. If, they can justify why the risk should be a medium (reclassified) then :

1. They are bad at risk assessments in the first place becuase they keep getting the classifications wrong.
2. They should stop using risk assessments becuase of point 1.

They didn’t like it, but they accepted my suggestion

Yes - first prize goes to the regulators by passing the burdon onto the industry and therefore covering their arsses.

Second prize goes to industry for covering their arsses by validating everything

It’s a win win with risk assessments

There is a great deal of misleading information in this thread. The use of risk assessments in validation is very straight forward and reasonably simple. Below is a copy of recent correspondence with a multinational client.

…

Customer Query: After purchasing a VRA document on line.

In the Validation Risk Assessment, Document I felt that the work was only half done. It was very well laid out and very intuitive to follow. But while I was able to determine the Risk Category and Validation extent I felt that it did not deal with any of the Business process or system risks. Is that a separate document? From everything I had read till now it seemed that once you determine if you need to validate you then need to determine your risk with using the system and the system risks.
Some articles even talk about initiating the Risk process prior to buying the system and starting to identify the risks with the current process or old system being updated.
Thanks
xxxxxxxxxxxxxxxxxxx

Validation Online Reply:
The FDA (along with EC and WHO) realized a long time ago that the scope of any validation task must be allowed to be adjusted to avoid over burdening companies with repetitive and or unnecessary tasks. However this adjusted validation scope must be reviewed to verify that all applicable aspects of the task will be adequately validated. This review must be justified and document.
As we are all aware risk assessment’s come in many forms. We have on our site a fully approvable FMEA which we use ourselves for all aspects of concept development and design development. However our Validation Risk Assessment (VRA) is a very different document and was specifically authored to assess and set the appropriate scope of any validation task. It is a very important document since it is mandated by the FDA and regularly reviewed by them. Is the scope of your validation adequate? Is probable the most important question in validation and the VRA is intended to give assurance that it is.
The rationale given in the VRA document has stood up to regulatory review many times. The pit-fall(s) of using multiple event Risk Assessments (such as FMEA’s) is simply that there are not (in validation) multiple variations or answers available. At the validation stage the system / process / equipment / program has been bought / built / written / installed and commissioned. All aspects of design / functionality / safety / operability will have been fully debated and integrated at the URS stage and reviewed and approved at the DQ stage.
Hope this explains the use and importance of the VRA. We always call this document a Validation Risk Assessment; simply because it is the risk of inadequate validation that the regulators require the use of a VRA to inhibit.
Regards[/b]
Alex

Customer Response:
Thank You for your response, I do understand and see the value of the Validation Risk Assessment, it was money well spent and I also agree with your comments about doing risk Assessments after the product is in the door and we in validation are only told after the fact. “By the way we need you to validate this next week” is a usual user response.
The FMEA is it a protocol and Spreadsheet or just a spreadsheet? Is there instructions on how to use it like the VRA? Is it possible to get a preview? I will need more information in order to receive authorization to purchase it.
Thanks
xxxxxxxxxxxxxxxxxxxxxxxxxxx

Regards
Alex