Risk analysis: validation or qualification projects

We review the stages of risk analysis in validation or qualification projects, as well as the adequate tools for identification, analysis and risk assessment, all in accordance with ICH Q9

Validation of processes or systems is used to confirm that the product resulting from a specific process meets the requirements established for that product or system exit. The risk analysis in validation projects provides a rational framework necessary to determine the appropriate scope when carrying out validation activities, focusing on the processes that represent a greater potential risk for the quality of the product.

To make decisions based on risks, it is essential to follow a systematic approach. The ICH Q9 guide – Quality Risk Management – offers a structure to perform risk management applicable to risk analysis in validation projects.

Next, we review the steps to follow, tools and applications of risk analysis in validation projects for computerized systems based on the guidelines of the ICH Q9.

Steps to follow to perform risk analysis in validation projects

The basic flow for a risk analysis program in validation projects consists of four main components:

• Risk evaluation.
• Risk control.
• Review of risks.
• Risk communication.

The four components are essential for risk analysis in validation projects. However, the focus must be on the risk assessment and the activities that lead to it.

In the initiation phase, some activities must be carried out before passing the risk assessment phase. These activities are common to all types of risk analysis tools, and although they are not limited to them, we can mention among the most relevant:

• Define the scope of the evaluation
• Select equipment (multifunctional equipment representing the appropriate areas)
• Establish action thresholds for decision making.
• Define the types of decisions that will be made when the evaluation is completed.

Thus, according to the diagram above, and with the requirements of ICH Q9 in section 4, the quality risk management process is developed in these 4 phases:

Risk evaluation

In this phase, the risks must be assessed by identifying the hazards (description of the problem) and analyzing the effects associated with exposure to these hazards as well as the probability and severity of occurrence. 

There are 3 key questions that can help identify and assess the risks:

• What can go wrong? (risk identification)
• What is the probability that it goes wrong? (risk analysis)
• What are the consequences and what impact would the occurrence of the event have? (risk analysis)

The next step in the risk assessment is to compare each risk identified and analyzed with previously established criteria and obtain a quantitative or qualitative estimate (ranges) of the risk.

For the evaluation of risks to be effective, it is necessary to have robust and reliable data. This determines the reliability of the information, increases confidence in the results and helps determine the limitations.

Risk control

In the risk control phase, we make the decisions that allow us to accept some of them, as well as eliminate or reduce others. In the end, there should not be any risk above the acceptable level.

The importance, severity or high probability of occurrence determine the effort that must be made to control the risk. To exercise effective risk control, we can also consider four questions:

• Does the risk exceed the admissible level?
• What actions can we take to mitigate or eliminate the risks?
• What is the right balance between risks, resources, and benefits?
• By controlling the risks identified, do new risks appear?

Risk communication

It is about the exchange of information about risk and the actions that have been taken to manage it, between decision-makers and other interested parties. Communication, which we mentioned here in third place, can occur at any stage of the risk management process.

According to our guide diagram, communication occurs between various stakeholders: from industry to patients, from patients to regulators, from regulators and from patients to industry, among many others, for example.

Risk review

Risk management is a continuous and cyclical task. Therefore, it is necessary to implement mechanisms to review and control incidents, as well as the effectiveness of the established corrective actions. Whenever there is a piece of new information, knowledge is acquired or new experience is accumulated, it is necessary to review the risk again.

Tools for risk management

Following the above procedure to manage quality risks provides a practical and precise approach for decision making, all within the framework of documented and reproducible procedures based on the assessment of the ability to detect risks, their severity and probability.

There are simple techniques that are normally used in risk management in general, which only require the organization of data and are very useful for decision making:

• Flowchart.
• Checklists
• Process diagrams
• Cause-and-effects diagram, also known as fishbone or Ishikawa

También existen herramientas para la gestión de riesgos que han probado su eficacia en diversos sectores. Sobre ellas, se puede profundizar en el Anexo 1, y el capítulo 8 de la ICH Q9. Las enumeramos a continuación:

There are also tools for risk management that have proven their effectiveness in various sectors. You can find more information about them in Annex 1, and chapter 8 of ICH Q9. We list them below:

• Failure mode and effects analysis (FMEA)
• Failure mode, effects and criticality analysis (FMECA)
• Fault Tree Analysis (FTA)
• Hazard analysis and critical control points (HACCP)
• Hazard and operability study (HAZOP)
• Preliminary hazard analysis (PHA)
• Classification and risk filtering
• Support statistical tools
• Methods for basic risk management (flowcharts, control sheets, etc.)

Possible applications of risk analysis in validation projects in computerized systems

The applications in the pharmaceutical industry are many. But, in practice, we can define six areas of special interests:

• Design of the installation: appropriate zones must be established from the design stage of buildings and facilities. For example, regarding the flow of materials and people, pollution, pests, open and closed equipment, isolation technologies, dedicated or separate equipment, etc.
• Hygiene of the facilities.
• Qualification of facilities, equipment, and services.
• Equipment cleaning and environmental control.
• Calibration and preventive maintenance.
• Computerized systems and computer equipment controlled.

At Oqotech, we have already 11 years of experience in supporting process validation projects for computerized systems and computerization of processes in companies in the food, cosmetic, healthcare, and pharmaceutical sectors.

We are interested in knowing your needs. You can consult one of our advisors or our technical team here.