Professional Documents
Culture Documents
1 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
8/13/2014 10:48 PM
2 of 63
Seminars
Literature
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
Usersclub
Tutorials
Risk Management
Practices
Computer Validation
Part11
Method Validation
ISO 17025
Lab Equipment Qualification
Good Laboratory Practices
About
Practical Risk
Assessment in
Laboratories:
Step-by-Step
With Risk Master Plan,
SOPs and Case Studies
for Easy Implementation
Recorded, available at
any time
Risk Based Validation
Applications
References
Glossary
About Labcomplian
Tutorials
8/13/2014 10:48 PM
3 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
of Software and
Computer Systems
Recorded, available at
any time
Risk Management for
FDA/EU Regulated
Industries
Introduction and
Strategies for
Compliance and
Trouble-free Operation
Recorded, available at
any time
Developing a Risk
Management Master
Plan
A must for efficient and
consistent implementation
of risk management
projects
Recorded, available at
any time
Risk Based Computer
Validation and Part 11
Compliance
Recorded, available at
any time
The person crossing the road does not follow a formal and docume
She or he is using a practical approach which is only based on e
common sense. This way we can define risk management for compli
justified and documented common sense". Official guidelines and stan
ICH Q9, ISO 31000 and others have listed a couple of important prin
management.
Risk Assessment:
8/13/2014 10:48 PM
4 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
8/13/2014 10:48 PM
5 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
Similarly one can argue that the validation efforts during quality contr
pharmaceutical ingredient (API) can be lower than for finished drugs
quality problems can still be uncovered by the pharmaceutical manuf
the product reaches patients through incoming checks of the API and
control of finished drugs.
8/13/2014 10:48 PM
6 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
Literature Overview
8/13/2014 10:48 PM
7 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
Medical Devices (1) was one of the first regulatory documents that
eliminate risks as much as possible during the design and manufac
medical devices when weighed against the benefits to the patient.
The US FDA Quality System Regulation (2) requested to validate t
medical devices and that design validation should include risk anal
appropriate.
The EU GMP Annex 15 for "Validation and Qualification" (3) reques
assessment approach to determine the scope and extent of valida
evaluate the impact of the change of facilities, systems and equipm
(medicinal) product including risk analysis.
Risk-based compliance was an important element of the FDA's Pha
cGMP Initiative for the 21st Century in 2002 (4).
Risk-based compliance was also a key component in the FDA's ne
for dealing with electronic records and signatures: 21 CFR Part 11
Probably the single most important document related to risk manag
pharmaceutical industry is the ICH Q9 "Guide on Quality Risk Mana
2005 (6). It describes a systematic approach for risk management
drug development and manufacturing including laboratories.
The World Health Organization Expert Committee on Specifications
Pharmaceutical Preparation published a paper entitled "Hazard and
Analysis in Pharmaceutical Products" (30). It provides general guid
use of Hazard Analysis and Critical Control Points (HACCP) to ens
of pharmaceuticals.
The Pharmaceutical Inspection Convention/Cooperation Scheme (
an example of a methodology for implementing ICH Q9 in the pharm
field (29).
8/13/2014 10:48 PM
8 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
8/13/2014 10:48 PM
9 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
This regulation was released for medical devices in 1996. The regula
risk-based design validation.
8/13/2014 10:48 PM
10 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
In this guidance the FDA documented the new approach for electroni
signatures. They recommended basing the decision on how to i
requirements of Part 11 on a justified and documented risk assessmen
8/13/2014 10:48 PM
11 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
European Regulations
8/13/2014 10:48 PM
12 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
(24) was developed for inspectors but it is also a good source documen
firms. Risk-based approaches are recommended throughout the life of a
system.
8/13/2014 10:48 PM
13 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
ICH Q9: Quality Risk Management (6) is the single most important ref
document for risk management for the pharmaceutical industry. ICH focu
scientific knowledge and the link to the protection of the patients as a p
principle. The guide also gives recommendations for implementation.
ICH Q9 has been adopted by the European Union and PIC/S in Annex
and PIC/S GMP Guides.
8/13/2014 10:48 PM
14 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
8/13/2014 10:48 PM
15 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
8/13/2014 10:48 PM
16 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
In the risk assessment phase the team identifies hazards and harms
severity and probability based on criteria as defined in the co
Management Master Plan.
Questions team members should ask are:
8/13/2014 10:48 PM
17 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
The outcome from this phase is a group of risk priority numbers (RP
from severity and probability. Alternatively ICH permits a qualitative
the terms, for example 'high', 'medium' or 'low'. The qualitative desc
number can be compared with risk acceptance criteria as generally
Risk Management Master Plan or by management specifically for the
risk number or corresponding qualitative description exceeds the acce
is reduced. After reduction the residual risk is evaluated again and a
resulting risk is lower than the acceptable risk.
Defining a process and objective criteria for severity (S) and prob
criteria for risk acceptance is most important for risk assess
international standards nor regulatory guidance documents require th
method is used. Severity in general means: How big is the problem
Probability means: What is the likelihood that a problem occurs? For e
hazard the probability and severity factors are estimated and associa
categories. The number of categories is usually 3, 5 or 10 but can be
to or more than 10. ICH does not give any preference. The c
management should give recommendations on how to decide how
should be used. The number can be fixed in the master plan for all p
can allow two or three options. For example, the final number for a s
could be dependent on the confidence of the estimates.
8/13/2014 10:48 PM
18 of 63
Qualitative
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
Semi-Quantitative
Quantitat
Very high
Frequent
Likely to happen
Every day
High
Probable
Every 3 days
Medium
Occasionally
Every week
Low
Can happen
Every 3 weeks
Very low
Improbable
Every 2 months
Qualitative
Semi-Quantitative
Very high
Catastrophic
High
Critical
Medium
Serious
Low
Minor
Very low
Negligible
8/13/2014 10:48 PM
19 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
After values for severity and probability have been assigned, the
determined. This can be done graphically as shown in Figure 5. Seve
medium and high are drawn as columns and probability as rows. All cel
low risk, in yellow medium risk and cells in red are defined as high risk.
8/13/2014 10:48 PM
20 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
8/13/2014 10:48 PM
21 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
Risk priority numbers (RPNs) are calculated from severity and pro
using the formula:
RPN = Severity (S) x Probability (P)
In the example in Figure 5 the RPN can go from 1 in the left lower cell t
upper cell. RPNs from 1 to 2 are equivalent to low, 3 to 5 are medium
high risk.
8/13/2014 10:48 PM
22 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
8/13/2014 10:48 PM
23 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
Most critical is the situation for new systems. In this case estim
supplier can be used to judge what could possibly go wrong. Howeve
having a very good relationship based on trust with the supplier.
8/13/2014 10:48 PM
24 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
The relationship between the RPN and the RT is shown on two exampl
On a scale of 0 to 10 the risk factor is determined as approximately 6
this RPN is higher than the RT (approximately 3) which means it shou
to below 3. In Example 2 the RPN is lower than the RT, so it is ac
procedure requires that the RPN and RT numbers should be normali
the same range.
8/13/2014 10:48 PM
25 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
While these formal tools often proved to be efficient and reliable in ris
and risk control of specific projects, a systematic use of these tools
areas with requirement for risk assessment would generally be inc
existing resources. ICH Q9 also has a comment about using tools
always appropriate nor always necessary to use a formal risk manage
(using recognized tools and/or internal procedures e.g., stand
procedures). The use of informal risk management processes (using
and/or internal procedures) can also be considered acceptable". Wh
more empirical tools have been used there is a tendency nowadays
established formal tools.
All tools, whether they are simple or complex have one disadvantage
replace subject expert knowledge! The output is only as good as th
important is that inputs should not only come from single individuals b
risk management team that has all the required knowledge and expertis
This chapter will describe some of the most frequently used tools. Th
describes examples of informal tools that are mainly used to docume
They include tables, templates, forms and examples and also a Risk
Master Plan, internal procedures, a risk database and software tools.
part of the chapter we describe and move on to more soph
well-established methodologies. Figure 8 lists some of the mo
methodologies with advantages and limitations.
FTA
FMEA /
FMECA
HACCP
Principle
Graphical,
deductive,
structured tool.
Structured
inductive tool,
can be
qualitative and
quantitative.
Prevent known
hazards to
reduce risks at
specific CPs.
Advantages
Visual fault
tree diagrams
with
standardized
symbols to
Very universal
and scalable,
e.g., for high
level and
detailed risk
Full risk
management
process.
Specific and
8/13/2014 10:48 PM
26 of 63
Limitations
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
show the
pathway from
basic events
to the
undesired
event.
assessment.
Can quickly
become very
complex
because it
looks at one
failure at a
time.
flexible.
Focus on
prevention.
Record
keeping
answers
product liability
and compliance
questions.
Requires
detailed
information on
the product and
process.
Graphics with
standardized
symbols.
Tables.
Tables.
Dedicated
software
recommended.
Main
Application
and Use
Used to define
a particular
undesired
event and
identify its
causes (basic
events).
For potential
problems with
serious
impact.
Detailed
process
diagrams.
Universal use,
e.g., medical
device,
hospitals.
Used to
identify known
and potential
failure modes
and impact on
processes,
facilities and
equipment.
Food and
chemical
industry.
Adapted for
pharmaceutical
industry by
WHO.
Covers full
product chain.
8/13/2014 10:48 PM
27 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
Used during
design and
operation.
Informal Tools
Informal tools are simple and easy to use. They are recommended
that are not so complex and if there is not much experience with ris
within a company. They are useful to make all risk assessment and
processes consistent and effective. They are also quite usefu
preliminary documentation which is used when making the decision to
moving a risk management project forward to a more detailed risk man
established methodologies.
The Importance of a Generic Risk Management Master Plan
8/13/2014 10:48 PM
28 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
The risk management document is the first and most important docume
be available when starting individual risk management processes. It i
individual Risk Management Project Plans and is the reference docum
management projects, no matter which risk management methodology
This master plan describes:
8/13/2014 10:48 PM
29 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
Templates and forms with examples and process flow charts are simp
tools to improve consistency and efficiency for risk identification, e
control. They can be part of SOPs or the Risk Management Master Pl
be individual documents. Examples are specifically important to gi
ranking risk elements such as probability, detectability and severity.
Examples and Case Studies
A corporate database with examples for risk hazards and harms with
helps to facilitate the collection and maintenance of risk data. Relati
numbers for severity and probability and mitigation steps also help
assessment within a company. While initially there may be no or very l
a database will provide increased value over time when databases
with data from more risk management projects.
8/13/2014 10:48 PM
30 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
FMEA has the highest impact and should be performed during design o
of a product or process when failures are less expensive to addres
powerful tool to improve product reliability and reduce design, dev
manufacturing costs. FMEA is a bottom up approach to failure mode a
be used to evaluate failures that can occur when designing or running
when designing, developing or operating equipment. FMEA helps
manufacture a trouble-free product. Identified failures in a product o
corrected before they occur to ensure trouble-free functioning and ope
Applications
FMEA and FMECA are the most generic risk management methodologi
applied to a large variety of applications.
For example, they can be used during design and manufacturing of equ
as to set up and optimize qualification and maintenance plans for equ
design FMEA can help to select the best design alternative and impro
of procedures and processes. Both methodologies are also used as
screening method for complex risk management before the project is m
to more time-consuming methodologies.
Advantages and Limitations
FMEA and FMECA have many advantages. They include:
Optimized for single individual failure modes, but they don't work we
combinations of failure modes.
Can be time-consuming for complex systems.
8/13/2014 10:48 PM
31 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
Assessment Process
1. Select a team and team leader. All team members must be subject
experts.
2. Select the FMECA form from the company's Risk Management Ma
not available, create one.
3. Train team members on the process and on criteria for ranking like
occurrence and impact of failure when it occurs.
4. Make the team members familiar with the design of the product or p
ensure that all team members have the same understanding. This c
distributing product and process documentation supported by flow d
5. Set up one or more brainstorming meetings. Multiple sessions are
for complex product/process designs. Individual sessions can focu
of the entire product/process.
6. Brainstorm the product or process design for possible failures. Doc
outcome on a flipchart.
7. Sort all suggested failures by categories.
8. Combine or remove similar or duplicate entries.
9. Document potential effects on the system, subsequent operation a
(e.g., patient).
10. Assign rating factors for each identified severity, occurrence and d
Definition and scale of rating factors should be taken from the com
Management Master Plan not only to ensure objectivity and consis
project team but also with other risk management projects. Justify
reference to the plan. For occurrence, historical data from the sam
projects can be used.
11. For each identified effect list all possible causes of failures with jus
and with all uncertainties.
12. Calculate the risk priority number using the formula from the Risk M
Master Plan. The RPN is a measure for the overall risk associated
project.
13. Take actions to reduce potential critical risks.
14. Assign owners, a schedule and deliverables for the actions.
15. After the action has been implemented make a new rating for seve
occurrence and detection and calculate the RPN.
8/13/2014 10:48 PM
32 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
time the user of the products and support engineers are excellent re
can not only provide good information on which failures may occur but
predict the likelihood of occurrence and the severity of a failure.
The overall risk number is calculated from the probability and sev
decision is made on which potential failures require risk reduction. Pos
actions could be redesign of products or processes such that either the
occurrence or severity factors are reduced such that the overall risk p
is also reduced.
FTA identifies the potential root cause(s) ('basic events') of the spec
hypothetical event. Problems can be caused by design and engineerin
also by human factors. When it is unlikely that the root cause is not
single-base events, 'cut sets' of all scenarios can be defined which
top event.
Advantages and Limitations
FTA has advantages and limitations.
Advantages are:
8/13/2014 10:48 PM
33 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
After team members have acquired all the information about the pr
possible root causes that could lead to the unwanted event. These
are linked through "intermediate" events to the top event in a flow
connection between top and basic events defined logical pathways sh
A basic event can cause the unlikely event (top event) on its own or
with others (cut sets).
4. Evaluate the Fault Tree
This step prioritizes basic events based on probability data. That kind o
is only useful if such data are available.
5. Prepare a Report
The Hazard Analysis and Critical Control Points (HACCP) method ori
food management system. The objective is to ensure food safety thro
and preventing known hazards and risks as they may occur at specifi
food chain. As such it is a systematic method for identification, as
control of safety hazards. The methodology is not limited to the foo
has also been suggested for the pharmaceutical, chemical, aviation an
In the scope of this methodology hazards are defined as biologica
physical agents or operations that are likely to cause illness or
controlled. The purpose of HACCP in the pharmaceutical manufacturing
ensure products with quality as specified that are efficient and safe f
and HACCP are not contradictory but rather complementary. Implemen
8/13/2014 10:48 PM
34 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
8/13/2014 10:48 PM
35 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
Research,
development,
production,
sanitation,
engineering,
maintenance,
quality control,
laboratories,
quality engineering and
members of other disciplines directly involved in the plan's day-to-d
The team should also include local personnel who are familiar with c
limitations of the operation. Team members should either have k
experience in HACCP methodology and product safety hazards
training. One of the first tasks of the team is to finalize the HACCP plan
The description should include the intended use and end users of the p
distribution method. The intended users of a food or drug product may
public or a particular segment of the population, e.g. infants and elder
product description should include a list of specifications e.g., physica
properties.
After the preparation has been done, the seven HACCP principle
previously are implemented. Steps include:
1. Identify all Potential Hazards
8/13/2014 10:48 PM
36 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
The first step, hazard identification, lists all potential hazards. This is
the brainstorming session. The team develops a list of potential biolog
or physical hazards.
After the list of potential hazards is assembled, step two the hazard
conducted. In a workshop the HACCP team decides which potential ha
addressed in the HACCP plan. During this stage each potential hazar
based on the severity of the potential hazard and its likely occ
occurrence factor also takes into account control measures that are a
to reduce the probability of occurrence.
Once the critical hazards are identified the team identifies control
reduction or elimination of each critical hazard. Areas that should be co
Material,
equipment malfunction,
failures of sensors,
human errors,
power failures and
external impacts such as natural forces, e.g., lightning or wind.
Control steps are identified for all critical hazards where no control m
8/13/2014 10:48 PM
37 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
If all questions are answered with yes, a critical control is defined for th
8/13/2014 10:48 PM
38 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
Before the project moves to the next step, the remaining risk after
CCPs and critical control is evaluated and the team repeats the risk ev
5. Establish a Monitoring Procedure
8/13/2014 10:48 PM
39 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
8/13/2014 10:48 PM
40 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
8/13/2014 10:48 PM
41 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
The plan is created by the team under the supervision of the team lea
background information on why the project has been initiated and
approach the risk project will follow as well as the scope, responsibilit
deliverables. A schedule is also included. The plan follows the rules of
Risk Management Master Plan. The plan also describes the appro
which activities will be analyzed.
3. Describe the Situation
For hazards exceeding the acceptable risk thresholds the team defin
reduce the risk. The residual risks are evaluated again using the sa
before.
7. Prepare a Report
8/13/2014 10:48 PM
42 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
In the risk analysis step team members suggest, sort, combine and pri
and harms. Team members then determine the risk using severity and
8/13/2014 10:48 PM
43 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
If the risk is higher than the acceptance criteria a risk mitigation plan
implemented. The residual risk is determined using the same procedu
as for the first evaluation.
8/13/2014 10:48 PM
44 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
One of the first tasks of the project leader is to recruit a team. The
include members from all affected areas and groups.
Examples are:
Affected operations (product development, manufacturing).
Project management.
Information Services (IS).
Quality Assurance (QA).
Legal department.
Quality Control (QC).
Plant safety, maintenance and engineering.
Regulatory affairs.
Sales and marketing.
Accounting.
Suppliers (optional).
8/13/2014 10:48 PM
45 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
8/13/2014 10:48 PM
46 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
workaround solutions.
All
Figure 11: Risk Management Master Plan and Risk Management Proje
8/13/2014 10:48 PM
47 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
proposals for risk thresholds. The project leader presents the plan to
Management reviews the plan and discusses the suggested st
thresholds with the team in a meeting.
This is the most important step in the entire project. The acceptable
will determine the costs for reducing the risk but also associated c
problems that can arise if risks are not reduced. Functional m
accounting, QA and operations should indicate priorities for how
company can take. Most likely different functions will have different
example, when looking at the graph in Figure 1x QA tends more tow
side of the graph with 100% quality, whereas finance most likely wan
project cost which is only possible if a trade-off is made between risk a
The Risk Management Project Plan should include chapters on:
Purpose
The scope defines what is and what is not covered by the plan. It a
documents constraints and limitations.
Responsibilities
8/13/2014 10:48 PM
48 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
Risk Threshold
Documents risk threshold values for the project.
Risk Mitigation
Customer complaints.
Failure investigations.
Corrective and preventive action plans.
Specifications for processes and systems.
Experience with the same process or system already installed and
Experience with similar processes and systems.
Experience with suppliers of the system and suppliers of material u
8/13/2014 10:48 PM
49 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
process.
Failure rates of the same or similar systems and processes.
Trends of failures.
System and process validation reports.
Service records and trends.
Internal and external audit results.
FDA inspection reports.
The team prioritizes all risks that are considered for follow-up. The l
risks can be compared with a checklist that has been created from
This should ensure that nothing important has been left out.
Person:
Date:
Risk description, hazard, typical
situations of occurrence
System/Process ID:
Possible harm
8/13/2014 10:48 PM
50 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
After information on risks has been collected, the risk evaluation pha
phase compares the identified risks against given risk criteria.
determined which risks are the most important ones to focus on and p
mitigation plan. The output of this phase is a quantitative estimate
qualitative description of a range of risks. Most critical is to use ob
criteria for severity and probability. For more details on how this is
see the section "Approaches for Risk Management" in the chapte
Severity, Probability and Risk Acceptance".
For implementation the project leader calls for a workshop. Each risk
and documented in the identification phase is presented by the risk o
makes a proposal for numerical severity and probability factors to
justification. The proposal is discussed with the team and either acc
accepted after a change of severity and/or probability factors, or rejec
should rarely happen because the risk has been prioritized in a prev
One reason for removing a risk from the list would be if the assu
changed since the risk identification step.
Numbers are associated to the levels and the overall risk priority nu
calculated. Figure 13 shows a template on how to document the impac
non-patient business risk, the impact on patient health and the probabil
The RPN is calculated using the formula:
RPN = S (Business) x S (Patient) x P
On a scale of 1 to 27 the RPN is calculated as 18.
Person:
Date:
System ID:
Risk
description
/ID
Impact on
patient health
(Level 1-3)
Impact on
business
continuity
(Level 1-3)
Occurrence
(Level 1-5)
XYZ423
Location:
8/13/2014 10:48 PM
51 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
The impact on each identified risk is evaluated using the same criteria
Step 3. RPNs are calculated and compared with the original risk thres
risks are accepted as long as the risk priority number is below the
Lets assume the RT for the project is defined as 5 on a scale
normalized RPN is:
16/27 x 10 = 6.6
This means the risk is not acceptable.
Factor 9-16:
Code 2
All risks with factors higher than 16 (Code 3 = High Risk) should b
eliminated and all risks with factors higher than 8 (Code 2 = medium r
considered for mitigation and are subject to a cost benefit analysis.
Person:
Date:
System ID:
Location:
8/13/2014 10:48 PM
52 of 63
Risk
description
/ID
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
Mitigation
strategy
Cost of
mitigation
Cost of
non-mitigation
After the risk is reduced it is evaluated again using the same criteria a
risk was acceptable the project moves along to the last step for d
communication and ongoing review for possible changes.
Estimating Costs vs. Benefits
The initial and ongoing costs for the best alternative should be e
compared with the estimated costs of non-mitigation. For risk codes 2
this comparison should be the basis for the decision whether to mitiga
The rationale behind the decision should be well justified and documen
8/13/2014 10:48 PM
53 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
Once the decision to mitigate the risk has been made and the strateg
a mitigation plan should be developed. The plan should describe:
Mitigation options.
How options will be implemented.
Resource requirements.
Tasks.
Owners.
Deliverables.
Schedule.
Performance measures.
Required documentation.
Communication requirements.
After the plan is implemented the residual risk is evaluated and
monitoring.
Once the plan is in place and the system is running, the effectivene
should be monitored, reviewed and adjusted if necessary. The monit
should also help to identify previously unrecognized hazards. These co
introduced by changing processes or introducing new technologies.
The monitoring program should check if risk priority numbers have cha
higher or lower values. Users and IT professionals gain a lot of exper
be used to further optimize the effectiveness. If factors exceed
specified limit, mitigation strategies should be evaluated. If higher va
below the threshold, mitigation may no longer be necessary wh
operating costs.
Contributors use the form in Figure 16 to document observations
recommendations. They should also make a recommendation if the
be implemented urgently if it is time critical.
Person:
Date:
Risk
description
/ID
System ID:
Observation
Location:
Recommendation for change
8/13/2014 10:48 PM
54 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
Person:
Date:
System ID:
Locatio
Change/Addition
Urgent
8/13/2014 10:48 PM
55 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
Application Examples
Overview
The Risk Management Process can be applied for:
Design and development of a product or process.
Selection and assessment of suppliers.
Training, especially proof of effectiveness.
Risk-based computer validation.
Risk-based qualification of analytical equipment.
Part 11 compliance.
Pharmaceutical manufacturing.
Scheduling internal audits.
Starting material - qualification and handling.
Validation of analytical procedures
Qualification of equipment
Change control to introduce new starting material.
Archiving electronic records.
To be completed later
Glossary
8/13/2014 10:48 PM
56 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
Corrective Action
Procedures followed when a deviation occurs (Ref. 32).
Critical Control Point (CCP)
8/13/2014 10:48 PM
57 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
HACCP System
The result of the implementation of the HACCP Plan (Ref. 32).
Harm
8/13/2014 10:48 PM
58 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
P/I
Probability/Impact equal to RPN (Risk Priority Number).
PIC/S
The Pharmaceutical Inspection Convention and
Co-operation Scheme (jointly referred to as PIC/S).
Pharmaceutic
Risk remaining after protective measures have been taken (ISO 14971
Risk
8/13/2014 10:48 PM
59 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
Risk Analysis
8/13/2014 10:48 PM
60 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
8/13/2014 10:48 PM
61 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
Risk Threshold.
Severity
References
8/13/2014 10:48 PM
62 of 63
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
26.
27.
28.
29.
30.
31.
32.
33.
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
8/13/2014 10:48 PM
63 of 63
http://www.labcompliance.com/tutorial/risk/default.aspx?sm=d_a
8/13/2014 10:48 PM