Abstract
This paper presents a practical way in which current approaches to quality risk management (QRM) may be improved, such that they better support qualification, validation programs, and change control proposals at manufacturing sites. The paper is focused on the treatment of good manufacturing practice (GMP) controls during QRM exercises. It specifically addresses why it is important to evaluate and classify such controls in terms of how they affect the severity, probability of occurrence, and detection ratings that may be assigned to potential failure modes or negative events. It also presents a QRM process that is designed to directly link the outputs of risk assessments and risk control activities with qualification and validation protocols in the GMP environment.
LAY ABSTRACT: This paper concerns the need for improvement in the use of risk-based principles and tools when working to ensure that the manufacturing processes used to produce medicines, and their related equipment, are appropriate. Manufacturing processes need to be validated (or proven) to demonstrate that they can produce a medicine of the required quality. The items of equipment used in such processes need to be qualified, in order to prove that they are fit for their intended use. Quality risk management (QRM) tools can be used to support such qualification and validation activities, but their use should be science-based and subject to as little subjectivity and uncertainty as possible.
When changes are proposed to manufacturing processes, equipment, or related activities, they also need careful evaluation to ensure that any risks present are managed effectively.
This paper presents a practical approach to how QRM may be improved so that it better supports qualification, validation programs, and change control proposals in a more scientific way. This improved approach is based on the treatment of what are called good manufacturing process (GMP) controls during those QRM exercises. A GMP control can be considered to be any control that is put in place to assure product quality and regulatory compliance. This improved approach is also based on how the detectability of risks is assessed. This is important because when producing medicines, it is not always good practice to place a high reliance upon detection-type controls in the absence of an adequate level of assurance in the manufacturing process that leads to the finished medicine.
- Quality risk management
- Qualification
- Validation
- Change control
- Good manufacturing practice
- Controls
- Subjectivity
- Uncertainty
Introduction
In the United States, the European Union, and elsewhere, the regulatory requirements governing the manufacture of medicinal products have been changing in recent years to reflect increased risk-based provisions. This change represents an increasing emphasis on risk-based thinking among regulators.
In the EU, not only has the International Conference on Harmonization (ICH) Q9 (1) been formally incorporated into the European Commission's Eudralex Guidelines—see Part III of Eudralex Vol. 4 on Good Manufacturing Practice (GMP) (2), it has also led to focused efforts to update various other parts of these GMP guidelines with new risk-based provisions. In 2008, for example, Chapter 1 of the EU guidelines was revised to formally require manufacturers to apply the principles of quality risk management (QRM) as per ICH Q9. Similar changes were made in July 2010 in relation to the GMPs for active substances (2). Other parts of the EU GMPs are currently undergoing similar revisions, such as Chapter 3 on premises and equipment. Thus, the concepts underpinning QRM are now a firm and formalized part of the EU GMPs, and work in this regard is continuing via the Inspectors Working Group at the European Medicines Agency.
In relation to qualification, validation, and change control activities, the EU GMPs require that a risk assessment approach be used to determine the scope and extent of validation (2). In relation to change control, the guidelines state that the likely impact of changes should be evaluated, including risk analysis. The 2011 Food and Drug Administration (FDA) process validation guideline is also important, as it encourages the use of modern pharmaceutical development concepts, QRM, and quality systems at all stages of the product lifecycle (3). While ICH Q9 reflects this way of thinking, too, stating for example that QRM may be used to determine appropriate actions preceding the implementation of a change, for example, additional testing, (re)qualification, (re)validation, or communication with regulators, it provides little guidance on which tools (if any) might be the most beneficial to use to achieve this, or on how the use of any one QRM tool best relates to this and other activities.
At a practical level, underpinning effective risk-based qualification, validation, and change control activities must be the identification of GMP controls that mitigate risks. The conclusions of risk assessment exercises, that certain risks require reduction while others do not, are usually related to the risk-reducing GMP controls, if any, that have been identified during those assessments.
Examples of the types of controls that may be encountered during QRM exercises for managing risks are presented in Table I (4⇓⇓–7).
Examples of GMP Controls that May Be Relevant during QRM Exercises
Increased scrutiny and evaluation of GMP controls during QRM activities has several advantages. When risk-reducing GMP controls are identified during risk assessment and risk control activities, their qualification and validation requirements, if any, should be assessed. For each risk-reducing GMP control identified, it is important to determine if the control has a critical process parameter associated with it. The scope of any required qualification or validation of those parameters can then be readily documented, either in the QRM exercise itself or in another way. (It should be noted that some commonly identified risk controls, such as staff training, may not have any critical process parameters associated with them. However, those types of controls will often have some other kind of measurable acceptance criteria or required outcomes, such as, in the case of training, evidence of satisfactory completion of the training and a demonstrated competency in performing the tasks covered by the training event.) If not previously addressed, such qualification or validation requirements can then be included in qualification and validation protocols for the process or item under study.
This paper presents a practical way in which current approaches to QRM can be improved so that they directly support qualification and validation programs and change control activities at manufacturing sites. It focuses on the treatment of GMP controls during QRM activities and on why it is important to evaluate and classify such controls in terms of how they affect the probability of occurrence, severity, and detection ratings that may be assigned to potential risks or negative events. It also discusses how the outputs of risk assessments and risk control activities can be directly translated into risk-based qualification and validation protocols.
Exploring the Control of Risk
Risk control is one of the four main elements that make up the QRM process as per ICH Q9. It is an activity designed to reduce risks to acceptable levels and it usually occurs after the risk assessment stage (1).
During risk control activities, the following key questions are usually asked:
What can be done to reduce or eliminate risks?
What is the appropriate balance among benefits, risks, and resources?
Are new risks introduced as a result of the identified risks being controlled (1)?
Risk control, however, is not only concerned with the reduction of risks; it also concerns the maintenance of risks at acceptable levels. In GMP environments, risk control activities usually involve identifying controls and measures that may reduce or control the risks associated with failure modes or potential negative events. These controls may be referred to as GMP controls.
There are many types of controls that can be considered for controlling risks. Vesper categorizes these into two broad categories: controls that prevent and controls that protect (5). Preventative controls are the preferable of the two options—with emphasis on the hazard (potential source of harm) and on those factors that contribute to realizing its effects. Vesper explains that situations can arise in which a hazard cannot be entirely eliminated or its probability of occurrence adequately diminished; in these circumstances protection becomes an important risk control strategy. In circumstances necessitating protective control(s), the risk is openly and actively acknowledged and risk managers take the position that protective measures should be implemented to reduce the effects of that risk.
It is important to recognize that some types of controls may be less effective than others, and that some may also be adversely affected by external factors and influences (5). For example, Stamatis discusses how visual inspection-based controls may only be 79% effective in some cases and how the effectiveness of such controls can be affected by who is performing the inspection and by the conditions provided for the inspection (4). This is not a new phenomenon; as far back as 1949, Bristol Laboratories challenged in court an FDA investigator's findings regarding particulate contamination controls. This resulted in a visual inspection test involving a blinded test group of 150 ampoules that contained 1.5 mL of sterile saline, 38 of which had been rejected by the FDA investigator as being contaminated with particulates. During the trial, an FDA expert witness, replicating the visual inspection test, actually passed 36 out of the 38 previously rejected ampoules (8, 9).
While the examples of risk controls in Table I are largely self-explanatory, some types of risk control activities are not so obvious. One such activity is that which reduces the extent of complexity and the stringency of coupling (the relative degree of tight association between contingent elements) in a manufacturing process or other item under study. This is a risk control strategy that is often overlooked in existing QRM methodologies, but it can provide for effective risk reduction when used correctly (10, 11).
NASA, the U.S. National Aeronautics and Space Administration, has much experience in taking this approach. It has focused efforts in ensuring that, when its staff are performing risk management activities, they understand and can identify high levels of complexity and coupling in NASA spacecraft and related systems and reduce them where possible (11).
At NASA, complex systems are regarded as systems with
Design features such as branching and feedback loops
Unfamiliar, unplanned or unexpected sequences that are not visible or not immediately comprehensible
Opportunities for failures to jump across subsystem boundaries (11).
Tightly coupled systems often demonstrate the following characteristic features:
Time-dependent processes that cannot wait
Rigidly ordered processes (as in Sequence A must follow B)
Only one path has a successful outcome
Very little slack in the system, as the system requires precise quantities of specific resources for successful operations (11).
With highly complex and tightly coupled systems, accidents may occur via combinations of events that are practically limitless, and cascading failures can accelerate out of control, confounding human operators and denying them a chance of recovery (11). In response to this, NASA developed strategies to reduce the risks presented by highly complex and tightly coupled systems (11).
In the GMP environment, the concept of highly complex and tightly coupled processes and systems is neither well recognized nor widely considered during QRM activities. Despite this, significant opportunities exist for improvements to be realized in this area. Advances in the application of process analytical technology (12), for example, as well as the current drive toward the development and use of more formalized QRM activities, present an opportunity for the industry to begin identifying which systems and processes are highly complex and tightly coupled.
Applying QRM principles during the development of complex and coupled processes can help achieve robust and reliable processes. Doing so can be particularly important when delays or problems experienced in one part of a process may have a significant impact on the performance of subsequent process steps, such as during continuous processing. Understanding how such interactions occur and addressing them via QRM activities, particularly during process development work, can help prevent problems later on.
Rigorous process mapping studies, which can visually indicate where system complexities and couplings occur, are one practical means of addressing complexity and coupling. Such mapping work can help QRM efforts to be directed at the most highly complex and stringently coupled systems first. Furthermore, it may help ensure that risk control strategies are not invalidated by unforeseen system characteristics, complexities, and couplings.
Current Problem Issues in Relation to the Use of QRM Tools in Pharmaceutical Manufacturing
While ICH Q9 has been very important in promoting the use of formalized QRM tools in the GMP environment, it can reasonably be regarded as being a fairly high-level and conceptual guidance document. It offers limited guidance on how to apply, at a practical level, the principles of QRM within the GMP environment.
Various QRM tools are described in ICH Q9. These include fault tree analysis (13), failure modes and effects analysis (FMEA) (14, 15), failure modes, effects, and criticality analysis (FMECA) (15), and hazard analysis and critical control points (HACCP) (16, 17), among others. None, however, is described in ICH Q9 in any level of detail and none was specifically designed for GMP applications, much less as solutions for facilitating risk-based qualification, validation, and change control activities. Thus, when using such tools for these purposes, it is often unclear how risk-related qualification and validation requirements can be derived from the outputs of QRM exercises.
For example, with methodologies such as preliminary hazard analysis (PHA) and hazard and operability studies (HAZOP) (1, 5), there is no formal requirement to identify qualification and validation requirements for controls that are relevant to the risks or hazards in question. There is also usually no provision made within those methodologies for identifying and documenting critical process parameters for such controls.
Furthermore, none of the standard tools was designed with a means to identify if critical process parameters might be associated with designated risk controls, or what their qualification or validation requirements should be. This shortcoming also extends to assessing risks associated with change control activities, where it is vital to identify and manage the risks that may be presented by a proposed change. Few of the currently available QRM tools are applied in a manner that facilitates the identification of existing (or proposed) risk-reducing GMP controls that help reduce or control risks to an acceptable level for a given change control proposal.
Of the QRM tools that are GMP-specific, such as the early approaches developed by the International Society for Pharmaceutical Engineering (ISPE) (18) and its Good Automated Manufacturing Practice (GAMP) (19), their focus tends to be somewhat narrow, being tailored for equipment/systems qualification and computerized systems validation, respectively. While there are many examples of GAMP-based risk assessments described in the literature, these are usually information technology (IT) driven and are generally aimed at computerized systems validation work. As a result, the day-to-day practicalities of how to apply QRM more broadly within a GMP environment remain somewhat underdeveloped.
As a result of these shortcomings, the customization of existing QRM tools can be required before they can be effectively used for such activities.
The availability of tailor-made QRM tools for use in the pharmaceutical industry may help alleviate some of these problems. Such tools could find applications in many different areas, such as qualification, cleaning validation, occupational health and safety, etc. (20).
The lack of documentation relating to risk-reducing GMP controls is a specific issue that has arisen during QRM research performed by the authors. In the authors' experience, with the majority of currently available QRM tools, the identification of risk-reducing GMP controls that are linked with qualification/validation activities is not so readily achieved. This is compounded by the fact that there is little official guidance available on how risk controls identified during risk assessments may be translated into risk-based qualification and validation protocols for manufacturing processes and equipment/systems. There is also a lack of guidance on how change control activities can be directly linked with the GMP control outputs of QRM exercises.
One specific example of where the role played by existing GMP controls is not adequately addressed with current approaches relates to risk estimation activities. Most applications of FMEA-based methodologies, as described by Vesper (5), Stamatis (4), and others, do not involve any formal consideration of the existing controls that may affect the severity of the effects (and in some cases the probability of occurrence or the detectability) of failure modes before risk ratings are assigned to failure modes. This is also often the case following the completion of risk control activities with FMEA-based methodologies, when severity, probability of occurrence, or detection ratings are being re-assessed. (The emphasis at this phase tends to often be on detection-type controls.) With respect to fault tree analysis methodologies (13), there is usually no formal or documented consideration given as to how the controls that may currently be in place may affect or reduce the risks presented by the fault under consideration.
We suggest that, when there is a lack of procedural rigor in relation to how negative events/failure modes and their related GMP controls are identified and considered during QRM exercises, the results that are obtained from such exercises can be subject to high levels of subjectivity and uncertainty. See References (21) and (22) for a discussion about workshop examples that demonstrate this and Reference (23) for a useful discussion on uncertainty with respect to risk management work. Psychological factors and heuristic-related biases can also come into play during QRM activities, and these also have the potential to adversely influence the outcomes of such exercises (24). The human factor influence should never be underestimated (25).
Indeed, a fundamental shortcoming of some QRM methodologies, in particular those based on FMEA and FMECA (14, 15), is that there can be a high degree of subjectivity and guesswork involved in the assignment of severity, probability of occurrence, and detection ratings. This is especially the case in methodologies that require either semi-quantitative or quantitative derivations of risk, in the form of risk priority numbers (RPNs), to be determined.
Issues of subjectivity and guesswork have been raised a number of times with the authors when discussing the application of QRM with both industry groups and GMP inspectors (22, 26). There has also been some discussion in the literature suggesting that relative assessments of risks might be more useful than quantitative assessments (27). Tidswell somewhat addresses this issue via the development of pre-risk assessment criteria that can be used to dictate the assignment of risk factor values (28). Risk factor values are therefore not/less influenced by subjective or informed opinions but rather by facts/data. In this case, the scope of validation is governed by an assessment of risk.
A further issue relating to the use of RPNs in tools based on FMEA and FMECA is where they are used to determine which risks are to be reduced and which are not. RPN cut-off values are often used for this, but there is sometimes a lack of rigor and scientific basis in the selection of such cut-off values (29⇓⇓–32). For example, the selection of such RPN thresholds can be lacking a clear rationale, with no consideration being given to the confidence levels that may be associated with the RPN threshold value selected (4). In addition, the actual generation of RPN numbers by this method is through the multiplication of three ordinal scale numbers (probability, severity, and detection), which is not strictly a mathematically valid operation and which may simply create the illusion of being scientifically sound (30, 31).
In relation to uncertainty, the International Organization for Standardization (ISO) 31000 standard on risk management, published in 2009, identifies that a core principle underpinning effective risk management is the principle that risk management explicitly addresses uncertainty—that it explicitly takes account of uncertainty, the nature of that uncertainty, and how it can be addressed (33). ICH Q9 describes uncertainty as being due to a combination of incomplete knowledge about a process and its expected or unexpected variability (1). Differences in risk perception may also lead to problems of subjectivity and uncertainty during QRM activities (1, 24).
Taking account of the sources of uncertainty when performing QRM activities is important, but it does present challenges, especially when dealing with a diverse group of stakeholders and subject matter experts (SMEs). This is especially the case when attempting to assess the risks associated with novel processes, where there is an acknowledged lack of experience and process knowledge within the stakeholder group. In such cases, ICH Q9 identifies that typical sources of uncertainty will include gaps in knowledge, gaps in pharmaceutical science and process understanding, a lack of knowledge about sources of harm (e.g., failure modes of a process, sources of variability), and in the ability to assess the probabilities of detection of potential problems (1).
Addressing such challenges requires skilled facilitators. Experience is required not only in the execution of QRM activities, but also in dealing with issues relating to uncertainty and how they may arise, as well as in other disciplines associated with QRM such as teamwork and decision-making.
Facilitators should also ensure that key assumptions made during QRM exercises are well documented, as doing so can support effective risk communication and risk review activities later on. In all cases, but especially when dealing with novel processes, it is imperative that regular risk reviews are undertaken as knowledge about the process increases, and facilitators can help ensure such reviews occur.
Finally, the way detection is dealt with in some tools is an area in which problems can arise. Improving the detectability of a potential failure mode or negative event is of course useful, but as McDermott et al. point out (6), this is often costly and does not improve the quality of the product manufactured. Some tools, such as the GAMP risk assessment methodology (19), allow for a risk to be considered controlled when a high detection rating can be assigned to certain risks. In GMP environments, however, it is not always good practice to place such a high reliance upon detection-type controls in the absence of an adequate level of assurance in the manufacturing process that leads to the finished product.
In the authors' opinion, there is currently an opportunity with the quality by design, design space, and process analytical technology (PAT)–based initiatives of the ICH and FDA (12, 34) to move away from such a high reliance upon end-product or end-process detection-type testing and to move toward increased process understanding and process control, but many of the currently available QRM tools are not being applied effectively to facilitate this. The FDA's January 2011 guidance for industry on process validation, Process Validation: General Principles and Practices, highlights the need for increased process understanding and control (3).
The Classification and Evaluation of GMP Controls during QRM Exercises
In addressing the above problems, particularly those in relation to using QRM exercises to support qualification, validation, and change control activities, there are several easy-to-implement design solutions. These can be effectively and easily incorporated into QRM tools and have proven helpful to date (22, 35). For example:
The classification and critical evaluation of GMP controls in terms of how they may control risk can be made central to the design of the QRM process that is being used.
This feature should not only be built into the design of the risk assessment stage of the QRM process, it should also be reflected in the design of the risk control stage, particularly to support any subsequent qualification or validation work that may follow the QRM exercise. It should be noted that the relatively recent ISO 31000 Standard on Risk Management (33) also promotes this way of thinking—it promotes an evaluation of current controls before risks are estimated. Also, the value of implementing newly proposed controls should always be considered, even when the risk in question has been assessed as being low/acceptable using a QRM methodology.
To illustrate this by way of an example, consider an active pharmaceutical ingredient (API) manufacturing process in which inorganic salts are filtered off after a reaction and the substance in the mother liquor undergoes the next reaction without any further purification. A risk assessment exercise performed on such a process revealed that the inorganic salts had no influence on the subsequent reaction from a batch quality perspective—as any traces of those salts can be removed at a later step in the process—and the risks presented by this part of the process were considered acceptable. It also revealed that controlling the temperature of the salt precipitation step before filtration had no influence on batch quality (36).
However, the risk assessment exercise identified that there was merit in implementing additional controls in this part of the process. First, removing material (as occurs during the filtration step) decreases the overall batch volume that requires handling. Second, controlled temperatures in the salt precipitation step leads to more reproducible precipitates (in terms of mass) and thus facilitates a more reproducible and robust mass-balance for the process (36).
Before any severity, probability of occurrence, or detection ratings are assigned to potential failure mode or negative event, the QRM process should ensure that GMP controls are identified, documented, individually classified, and assessed for how they may influence those ratings. (In this regard, QRM worksheets can be designed to ensure that this happens.)
For example, in relation to controls that may influence the severity rating that is assigned to the effects of a potential failure mode or negative event, the QRM process can be designed to require the team to document any current back-up systems or redundancy controls that may counteract or eliminate those detrimental consequences, should the negative event occur. This should be done before any severity rating is assigned. The QRM team can then not only critically evaluate the usefulness of those controls, in terms of how they may serve to reduce the effects of the potential negative event, but it can also ensure that the harm/effect of that event is appropriately and accurately described and documented. The team can concomitantly assign the severity rating to the potential negative event in a far more scientific and objective manner. Similar requirements can be put in place with respect to the GMP controls that may influence the probability of occurrence and the detectability of the potential negative event or its causes (see Reference (22) for further information in this regard). QRM worksheets can be designed to ensure that the team identifies and documents GMP controls that are relevant to all of the risks under assessment, including those that may be deemed low/acceptable. The idea here is that, before any risks are estimated and assessed, the team should critically evaluate the usefulness of any GMP controls that are currently in place for the manufacturing process or other item under study. This allows the influence of those controls on the probability, severity, and detection ratings for the potential negative event to be taken into account before any such ratings are assigned to it. The end result of this approach is as follows:
The severity rating for each potential negative event is assigned only after the controls that exist that might reduce the severity of the consequences of the potential negative event have been identified and evaluated for their likely effectiveness.
The probability of occurrence of the potential negative event is determined only after its potential causes have been determined and the controls that are in place that influence its probability of occurrence have been identified and evaluated for their likely effectiveness. (In fact, it is useful to assign a probability rating to each causal event that may give rise to the potential negative event.) Where possible, actual data for the occurrence of the negative event should be used to further support the probability of occurrence rating.
The detection rating for the potential negative event is assigned only after the controls that are in place that influence its detectability have been identified and evaluated for their likely effectiveness. Where possible, actual data for the negative event should be used to further support the detection rating. It is also useful to go further than just considering whether the control can, or will, detect the negative event in question, as different types of detection controls serve different functions. For example, some detection controls act on precursors to an unwanted event and ultimately prevent the negative event from occurring. Other types of controls detect the problem before the batch gets released. To illustrate this point, see Table II for simple examples of different types of detection controls.
Examples of Detection Controls That Serve Different Functions
The above approach has been found to help ensure that more scientifically based severity, probability of occurrence, and detection (S, P, and D) ratings are assigned to potential negative events (21, 22). This in turn has allowed the level of the risk that is estimated for potential negative events to be based on an informed evaluation of the components contributing to the risk and to its control, taking into account the value of the current controls that are in place. This approach has helped reduce the level of guesswork and subjectivity in the risk assessment process overall.
A GMP-Tailored QRM Tool
Research work by this team has shown that this kind of classification approach to GMP controls, in terms of how it can facilitate assigning less subjective severity, probability of occurrence, and detection ratings to potential negative events, can be extremely useful (21, 22). This applies not only to the initial risk assessment stages of the QRM process but also to the subsequent risk control activities and evaluating the effectiveness of risk control measures.
To put the above concepts into practice, a formal GMP-tailored QRM tool was developed that was directly designed around the above concepts. It is based on a ten-step QRM process that is shown in Table III. An early version of this tool was described in 2006 (35), but a more detailed and more recent description of it is identified in Reference (22).
The Ten Step Quality Risk Management Process
This QRM tool has been applied to a number of GMP-related case studies. These are described in detail (see Reference (22) and include those listed below:
A change control proposal to introduce a new starting material for an API manufacturing process
A recall procedure at a medicinal product manufacturer that supplied products directly to end-users and hospitals
A tablet film coating process at a medicinal product manufacturer
A change control proposal to install a filter dryer in an API manufacturing process
The final mixing and filling steps in a paracetamol suspension manufacturing process
The early stages of a fermentation process used in the manufacture of an antibiotic medicinal product
A change control proposal to introduce inductively coupled plasma mass spectroscopy (ICP-MS) analytical methodology to an API manufacturing site for the analysis of a new API, and to switch over from atomic absorption spectroscopy to ICP-MS for the analysis of metals in an existing API.
These case studies are directly based on the classification approach to GMP controls that is described above, and they demonstrate in a practical way how risk decisions can be made that are based on S, P, and D ratings that are science-based, less subjective, and capable of clear justification. When this approach was used, there was greater confidence seen in the S, P, and D ratings that were assigned to potential negative events.
Case Study: Classifying GMP Controls
The aforementioned 10 step QRM process (see also Table III) requires, via steps 5 through 7, all relevant GMP controls to be classified in terms of how they control the risk issue in question. This case study demonstrates how such classification activities can be achieved. In it, the different GMP controls that are in place and relevant to the failure mode or potential negative event of concern are classified in terms of how they may influence the severity of the effects of the potential negative event, its probability of occurrence, or its detectability.
The idea here is that having knowledge of the GMP controls that may be in place for a potential negative event can help the team performing the QRM exercise to assign more science-based and less subjective S, P, and D ratings.
A particular focus of this case study is to demonstrate how there are some types of controls that can affect the potential severity of the effects of negative events, as opposed to their probabilities of occurrence or their detectability. (For simplicity, such controls can be termed severity-related controls.)
This has been an area of focus in this research work because, during QRM workshops and presentations run by one of the authors, this aspect of QRM work often proved problematic (21, 22, 37). During those events, it was evident that some attendees had difficulty understanding the concept that the rating of the severity of the effects of a potential negative event is not fixed—it can be influenced by the presence of certain types of controls. Several case studies have been developed as part of this research work to help facilitate an understanding of this aspect of QRM, and the case study presented here is based on one of those.
The case study relates to an API manufacturing process. An extraction is required to be performed using methanol following the final synthetic step and before the isolation and drying of the API. The extraction is required to be performed at between 5.0 °C and 10.0 °C and within a pH range of 4.8–5.2.
Developmental data for this manufacturing process show that, in order to achieve a full extraction of the active substance into methanol with minimal impurities being carried over, it is critical that the original solution is within a pH range of 4.8–5.2 at the start of the extraction. Thus, the pH of the solution before the extraction commences is regarded as a critical process parameter.
Prior to commencing the extraction, the pH reading of the solution is checked by an operator and recorded onto the batch record. If the pH is within the required range, the extraction step is started.
Table IV presents a potential failure mode for this process together with its associated potential causes and consequences.
Case Study: Potential Failure Mode, Causes, and Effects
Table V lists a number of controls that could be in place to control the risks presented by this failure mode. The table also provides a classification for each control, in terms of whether it may influence the severity of the effects of the failure mode (S), its probability of occurrence (P), or its detectability (D). The table also provides examples (in italics) of the qualification or validation requirements associated with those controls, where relevant.
Case Study: Applicable Controls & their Classification, Together with Examples of Qualification or Validation Requirements
What are Severity-Related Controls—Are They the Same as Detection-Related Controls?
As illustrated in the case study above, there are some types of GMP controls that may influence the severity rating that is assigned to the effects of potential negative events. These are controls that act by changing the effects of negative events, so that they are either reduced or eliminated entirely.
These controls allow one to say: if the negative event does occur, its effects are either reduced or eliminated, because there are controls in place that counteract those effects. They can therefore be viewed as contingency controls. They provide assurance that, in the event that the negative event occurs, there are controls in place that ensure that its effects are either reduced or eliminated.
Such controls do not prevent the negative event from occurring, but, as illustrated in the case study above, they may sometimes also serve to detect the negative event or its effects. The second operator check referred to in the above case study is one example. This kind of check is usually performed just after an action is taken by an operator during a manufacturing process. The second operator check can influence the severity rating that is assigned to the negative event, because it essentially serves to eliminate or reduce the effects of the negative event. But the way that this control works is through detection; the second operator check is designed to detect failures to perform certain actions. As a result, the error gets corrected before its consequences are realized. It is as if the negative event never actually occurred. Therefore, this type of risk control may be viewed both as a severity-related control and a detection-related control.
Finished-product impurity testing on a batch of an API or drug product is another example of this type of control. Such testing serves both to detect unacceptable levels of impurities in the batch (i.e., detection-related) and to ensure that the effects of such high impurity levels are not experienced by patients (i.e., severity-related). During QRM exercises, this type of control can arise frequently.
However, there are several important types of risk controls that can reduce the severity rating of the effects of potential negative events but which have no element of detection associated with them. These controls can be considered to be back-up, or redundant, in nature.
To illustrate this point, consider the example below. It concerns a type of control that is frequently used in the pharmaceutical industry and which influences the severity of the effects of potential failure modes, yet it has no element of detection associated with it.
A drug product manufacturer has a policy of having at least two qualified and registered suppliers for the APIs it uses in its manufacturing processes. This provides assurance that, if problems are encountered with one of the API suppliers, there are alternative suppliers available.
This policy is a type of GMP control that can limit the potential effects of problems with any one API supplier. (Such problems may relate to quality issues with the API or to difficulties at the API manufacturer in maintaining its supply.) If something goes wrong with the main API supplier that is used by a drug product manufacturer, this type of control means that a redundant supplier is in place and that the potential consequences of the problem are either reduced or not realized.
It is important to note that this type of control is not preventative in nature. It does not prevent the problems with the API supplier from happening, nor does it influence the probability of occurrence of the failure mode.
Also, this type of control has no element of detection associated with it—it does not influence the detectability of the problems at the main API supplier.
Essentially, this type of control serves to limit the effects of potential negative events (i.e., it can reduce the potential severity of those effects). If a second API source had not been qualified, the effects of the negative event could be significant, both to patients using the drug product of concern and to the business. Thus, this kind of control influences the severity rating that is assigned to the effects of the potential negative event. It can be termed a severity-related control.
Are All Detection-Type Controls a Subset of Controls that Affect the Severity of the Effects of Potential Negative Events?
It is probably correct to regard most detection-type controls as a subset of controls that affect the severity of the effects of potential failure modes, but as illustrated above, the reverse is not the case. This gives rise to an interesting question. If the above is true, what is the value in assigning detection ratings at all during QRM exercises?
One could argue that, if most detection-type controls are really just a type of control that affects the rating of the severity of the effects of potential negative events, should they not all simply be regarded as severity-related controls, and should assigning detection ratings be entirely removed from QRM exercises? After all, the definition of risk provided in ICH Q9 and in other official publications makes no reference to detection—risk is defined here as the combination of the probability of occurrence of harm and the severity of that harm.
While there may be some merit in taking such an approach, these authors do not recommend it. This is because it is still useful to formally view some controls as detection-related controls and to rate the detectability of the potential negative event on the basis of those controls. The advantage of doing this is that one can then obtain information on how much the manufacturing and control processes are relying upon detection-type activities to assure quality and control risks. For example, in the case study presented earlier (See Tables IV and V), it is immediately evident that most of the controls are detection-related. Only two out of the seven controls listed are preventative in nature. When it is found during risk assessment work that most of the controls in place are detection-related, this information is useful as it can alert one to the fact that there may be an over-reliance upon detection in place within the manufacturing process as a means of addressing risks. This may help staff to realize that an increased focus on prevention (rather than on detection) may be warranted. After all, prevention is better than cure!
Conclusions
While ICH Q9 has been in place for approximately six years now, insufficient work has been performed to date to improve how QRM is applied within the GMP environment. As a result, problems of subjectivity and uncertainty and the lack of good science in the outputs of QRM exercises are still a significant issue and are preventing the full benefits of ICH Q9 from being realized.
In particular, when QRM exercises are used to support qualification, validation, and change control activities, it is imperative that as much subjectivity and uncertainty be removed from the outputs of such exercises as possible, because these activities are vital in ensuring that the medicines we manufacture or regulate are safe. The identification of GMP controls to manage risks and their classification are important science-based starting points in achieving this goal.
As part of this overall research work (22), a new QRM methodology was developed that was specifically designed for application in the GMP environment. It serves as an aid to qualification, validation, and change control activities. Previously described in 2006 (35), the methodology is explained in detail in the work cited by Reference (22), and it provides a practical, science-based, and rigorous approach to QRM for GMP applications. It demonstrates how the concepts set out in this paper in relation to GMP controls can be put into practice, thus showing how GMP controls can be classified in terms of how they may influence the severity, probability of occurrence, and detection ratings associated with failure modes. It also demonstrates how risk controls can be formally linked with qualification and validation activities via the identification of risk-based critical process parameters.
It is hoped that this QRM methodology, in conjunction with the concepts put forward in this paper, will serve as a means to demonstrate how the principles of QRM can be applied in a more scientific manner to qualification, validation, and change control activities within the GMP environment.
Conflict of Interest Declaration
The authors declare that they have no competing interests.
Acknowledgments
The authors would like to thank Dr. Edward Tidswell for assistance and useful suggestions during the finalization of this paper. Kevin O'Donnell would like to thank Dr. J. Michael Morris and Dr. Caitríona Fisher at the Irish Medicines Board, Dublin, for reviewing this paper and for their helpful suggestions.
- © PDA, Inc. 2012