Q: We are having internal debates about what tools to use to do more risk analysis of our processes and system validations. Some of my colleagues are arguing that a risk-based approach is too imprecise for the way we do business.
Can you give us some advice and direction?
A: Your choice of a risk analysis tool should be based on two things: 1) the logic of the tool and 2) the amount of information and data you have available.
Let me explain further. The logic of the tool relates to how failure is viewed in the context of time. If the logic of the tool is designed to look forward in time, the tool will help you answer the question, “What would happen if this failure occurred?” This type of reasoning is inductive. Examples of inductive risk analysis tools include Preliminary Hazard Analysis, Failure Mode Effects Analysis (FMEA), and Event Trees.
If, on the other hand, the logic of the tool is designed to look back in time, the tool will help you to answer the question “What caused this issue or failure to happen?” This is called deductive reasoning. An example of a deductive risk analysis tool is Fault Tree Analysis.
In most validation cases, you’ll likely focus on inductive reasoning — looking ahead to assess and mitigate risks. So to select the right tool, the next step is to consider the amount of information and data you have on hand.
[pullquote align=”right” cite=”” link=”” color=”” class=”” size=””]If your risk analysis will be performed on a process that is not well defined, don’t use a tool that requires a lot of detail to execute.[/pullquote]
If your risk analysis will be performed on a process that is not well defined — or if only a small amount of information is available — don’t use a tool that requires a lot of detail to execute, such as FMEA. Instead, a Preliminary Hazard Analysis, which only requires limited information, may be the appropriate tool.
To evaluate a process validation protocol that contains a very detailed level of information — such as one based on extensive process characterization or large-scale shake-down runs of the equipment — use an inductive risk analysis tool designed to handle a well-defined process. Here’s where FMEA would work.
In addition, you would want the tool to be able to capture the known or potential failures for the process and identify the impact of such failures. An example here would be a Functional Failures and Effects Analysis (FFEA), which is considered a form of FMEA.
Whichever tool you select, a risk-based approach to validation will prove to be incredibly valuable in making positive changes to any process, while keeping the risk to the public as low as possible. An important side benefit is that risk analysis enables teams to come together and prioritize risks so that both the public and the company benefit.
Now is the time to implement risk management processes throughout your company. FDA is looking for industry to be more proactive in quality risk management, as evidenced by the Agency’s adoption of the ICH Q9 Quality Risk Management Guidance, its Pharmaceutical Analytical Technology (PAT) initiative, the Medical Device GMP Preamble, and its General Principles of Software Validation Guidance, just to name a few of FDA’s public pronouncements that strongly advocate a risk-based approach.
Answered by Janis Olson, Vice President of Regulatory and Quality Services for EduQuest, who served 22 years at the U.S. FDA as an expert field investigator and as the Director of Information Management Resources in FDA’s Atlanta office. Jan also is the developer and lead instructor of EduQuest’s Quality Risk Management for FDA/ICH Q9 Compliance training class.