Maybe you’ve been there too, you need to take a risk-based approach to determine environmental monitoring, so you go to a HAACP or FMEA and realize those tools just do not work to provide information to determine how to distribute monitoring to best verify that processes are operating under control.
What you want to do is build a heat map showing the relative probability of contamination in a defined area or room| covering six areas:
Amenability of equipment and surfaces to cleaning and sanitization
Personnel presence and flow
Proximity to open product or exposed direct product-contact material
Interventions/operations by personnel and their complexity
Frequency of interventions/process operations.
This approach builds off of the design activities and is part of a set of living risk assessments that inform the environmental monitoring part of your contamination control strategy.
Often characterized by reference
to the potential event
and consequences or combination of these
Often expressed in terms of a
combination of the consequences of an event (including in changes in
circumstances) and the associated likelihood of the occurrence
Hazard, harm and risk
Enabling state that leads to the possibility of harm
Injury or damage
Probability of harm from a situation triggered by the hazard.
Hazard harm and risk
A hazard is defined in ISO 12100 as “The potential source of harm.” This definition is carried through other ISOs and regulatory guidances. The hazard is what could go wrong, our “What If…”, it is when we start engaging the outcome identification loop to query uncertainty about the future.
Harm are those injuries or damages I should care about.
Every risk assessment is really asking “What could go wrong,” and then answering two questions:
If it did go wrong how bad is it – the Harm
And how likely is it to go wrong – Probability.
Risk is then the combination of those things as a magnitude or priority.
Risk assessment tools break down into two major camps. Those that start with the hazards, asking how something can fail; and those that start with the harms, asking what bad things do we want to avoid.
Risk can be associated with a number of different types of consequences, impacting different objectives. The types of consequences to be analyzed are decided when planning the assessment. The context statement is checked to ensure that the consequences to be analyzed align with the purpose of the assessment and the decisions to be made. This can be revisited during the assessment as more is learned.
Methods used in analyzing risks can be qualitative, semiquantitative, or quantitative. The decision here will be on the intended use, the availability of reliable data, and the decision-making needs of the organization. In ICH Q9 this is also the level of formality.
The combination of the probability of the occurrence of the harm
and the severity of that harm.
The effect of uncertainty on objectives
Often characterized by reference to the potential event and
consequences or combination of these
Often expressed in terms of a combination of the consequences of
an event (including in changes in circumstances) and the associated
likelihood of the occurrence
Qualitative assessments define consequence (or severity), likelihood, and level of risk by significance levels, such as “high,” “medium,” or “low.” They work best when supporting analysis that have a narrow application or are within another quality system, such as change control.
Below is a good way to break down consequences and likelihood for a less formal assessment.
Q9 (r1) starts with all the same sections on scope and purpose. There are slight differences in ordering in scope, mainly because of the new sections below, but there isn’t much substantially different.
This is the first major change with added paragraphs on subjectivity, which basically admits that it exists and everyone should be aware of that. This is the first major change that should be addressed in the quality system “All participants involved with quality risk management activities should acknowledge, anticipate, and address the potential for subjectivity.”
Aligned with that requirement is a third bullet for decision-makers: “assure that subjectivity in quality risk management activities is controlled and minimised, to facilitate scientifically robust risk-based decision making.”
Solid additions, if a bit high level. A topic of some interest on this blog, recognizing the impact of subjectivity is critical to truly developing good risk management.
Expect to start getting questions on how you acknowledge, anticipate and address subjectivity. It will take a few years for this to work its way through the various inspectorates after approval, but it will. There are various ways to crack this, but it will require both training and tools to make it happen. It also reinforces the need for well-trained facilitators.
5.1 Formality in Quality Risk Management
“The degree of rigor and formality of quality risk management should reflect available knowledge and be commensurate with the complexity and/ or criticality of the issue to be addressed.”
That statement in Q9 has long been a nugget of long debate, so it is good to see section 5.1 added to give guidance on how to implement it, utilizing 3 axis:
Uncertainty: This draft of Q9 utilizes a fairly simple definition of uncertainty and needs to be better aligned to ISO 31000. This is where I am going to definitely submit comments. Taking a straight knowledge management approach and defining uncertainty solely on lack of knowledge misses the other element of uncertainty that are important.
Importance: This was probably the critical determination folks applied to formality in the past.
Complexity: Not much said on complexity, which is worrisome because this is a tough one to truly analyze. It requires system thinking, and a ot of folks really get complicated and complex confused.
This section is important, the industry needs it as too many companies have primitive risk management approaches because they shoe-horn everything into a one size fits all level of formality and thus either go overboard or do not go far enough. But as written this draft of Q9 is a boon to consultants.
We then go on to get just how much effort should go into higher formality versus lower level of formality which boils down to higher formality is more stand alone and lower formality happens within another aspect of the quality system.
5.2 Risk-based Decision Making
Another new section, definitely designed to align to ISO 9001-2015 thinking. Based on the level of formality we are given three types with the first two covering separate risk management activities and the third being rule-based in procedures.
6. INTEGRATION OF QUALITY RISK MANAGEMENT INTO INDUSTRY AND REGULATORY OPERATIONS
Section 6 gets new subsection “The role of Quality Risk Management in addressing Product Availability Risks,” “Manufacturing Process Variation and State of Control (internal and external),” “Manufacturing Facilities,” “Oversight of Outsourced Activities and Suppliers.” These new subsections expand on what used to be solely a list of bullet points and provide some points to consider in their topic area. They are also good things to make sure risk management is built into if not already there.
The ICH members did exactly what they told us they were going to do, and pretty much nothing else. I do not think they dealt with the issues deeply and definitively enough, and have added a whole lot of ambiguity into the guidance. which is better than being silent on the topic, but I’m hoping for a lot more.
Subjectivity, uncertainty, and formality are critical topics. Hopefully your risk management program is already taking these into account.
ICH Q9 (r1) is in step 2, which means it is out for comments.
Section 5, “Risk Management Methodology” is greatly expanded, with a discussion on just what level of formality means in risk management using three criteria of uncertainty, complexity, and importance. Section 5 then goes into risk based decision making to a greater depth than seen previously in guidances.
Section 6 is greatly expanded as well.
I need to read this in more depth before providing a deeper analysis.