
Risk Analysis in Process Development

Introduction
This document is intended to define a process and approach for performing risk analyses of
manufacturing processes and process equipment. The objective of such risk analyses is to
identify aspects of system or equipment design that have the potential to adversely affect
production or product quality. Once potential design problems have been uncovered, additional
evaluation can be performed to better quantify the vulnerability to, or severity of, such problems,
and appropriate mitigation methods can be established as needed.
Risk analyses are useful at various stages in the life of a manufacturing process. In the planning
stage, risk analysis can be a useful tool to weigh trade-offs or design options and to identify
issues to be examined during the detailed design process. During the detailed design process,
risk analysis can be used to confirm that potentially adverse effects are adequately resolved such
that the residual risk is acceptable.

Risk Analysis Methods


Three sets of information are key to a risk analysis. They are the functional requirements, the
hazards (or failure effects), and the causes. The quality of the risk analysis is largely determined
by the completeness of these sets of information. The functional requirements are an input to the
analysis; the hazards and causes are outputs.

The functional requirements establish what the system or equipment must do. Each
key function should be carefully examined. Functions can be subdivided to examine
the specific components that support the function.

The hazards are the undesirable effects or consequences of a system's failure to meet
its functional requirements. Built-in safety features, alarms, procedural controls, or
inspections should be considered in assessing the hazard.

The causes are the different ways that the hazards might occur.

Several methods exist for identifying hazards and causes in a systematic manner. A top-down
method such as fault tree analysis looks at the process functional requirements and the functions,
components, etc., needed to support the process. The first step is to review available information
such as process or equipment specifications to identify the functional requirements. The
potential hazards that could adversely affect the required functions are then identified. Finally,
the potential causes of identified hazards, such as component failures, are identified. This
top-down approach is useful in the early stages of risk analysis and when comparing several design
alternatives.

Working only from the top down with fault tree analysis can be difficult, because the fault
relationships and the complete set of potential faults are hard to see from the top level alone.
When detailed system or equipment designs exist, a bottom-up method such as failure modes and
effects analysis (FMEA) can be used. FMEA starts with identified failure modes, finds their
causes and the likelihood of the failure, and finally determines the effects of the failure.
Both methods can be used together, and results from both can be recorded in a single risk
analysis table. The benefit of using both methods early in the design phase is that, with the
top-down approach, important hazards can be identified at a high level before the details of a
design are available. At the same time, the bottom-up method yields insights into system design
and operation that improve the understanding of the inter-relationships of components.

Risk Evaluation
The significance of the identified hazards is evaluated by assessing their risks. The risk is
determined by a combination of the probability of occurrence and the severity of the hazard.
Any rational basis can be established to quantify the severity of the hazard. One example is
shown below. Note that there are generally three critical elements that must be factored into the
hazard severity depending on their relative priority: economic impacts, regulatory compliance
issues, and public health and safety concerns.
Score  Category    Description
1      Negligible  A hazard that causes no adverse effect on the process or product safety or efficacy.
2      Minor       A hazard that may cause system shutdown or require operator intervention (and which
                   therefore could slow production) but which does not have an adverse effect on product
                   safety or efficacy.
3      Moderate    A hazard that may cause significant economic loss (such as failure of an entire batch)
                   or may cause the product to malfunction or to not meet specifications, but that would
                   not cause permanent injury.
4      Major       A hazard that may create significant non-compliance or cause the product to be unfit
                   for use (i.e., could cause injury requiring medical intervention).
5      Severe      A hazard that could cause death or a significant permanent injury or medical condition
                   to operators or patients.

For each cause applicable to a given hazard, the probability of occurrence is also estimated.
Again, any consistent basis can be defined, and an example is shown below.

Score  Category    Probability
1      Incredible  < 10^-6
2      Improbable  10^-5 to 10^-6
3      Remote      10^-4 to 10^-5
4      Unlikely    10^-3 to 10^-4
5      Moderate    10^-2 to 10^-4
6      Occasional  10^-1 to 10^-2
7      Expected    > 10^-1

For each potential hazard, the risk can then be determined using the combination of severity and
probability. Risk can be assigned a numerical value based on the product of the two scores or by
using a risk acceptance matrix as shown below. The matrix assigns a risk with one of three
values.

                                          Hazard Severity Score
Hazard Probability Score    1 Negligible   2 Minor   3 Moderate   4 Major   5 Severe
7 - Expected                E              U         U            U         U
6 - Frequent
5 - Occasional
4 - Unlikely
3 - Remote
2 - Improbable
1 - Incredible

Acceptable (A): a broadly acceptable risk that need not be mitigated.
Evaluate (E): a risk that could be accepted if mitigated to the extent technically and
economically feasible, with a documented basis for accepting the risk.
Unacceptable (U): a risk that cannot be accepted. The risk must be mitigated for the
process to be acceptable.

Risks that are identified as needing evaluation or as unacceptable should be further examined to
determine how they can be mitigated.
For risks that are identified as being acceptable, the associated hazards and causes should be
reviewed to determine key design features, procedural controls, alarms, etc., that are significant
contributors to controlling risk. These items should be identified as critical parameters or
characteristics for controlling the process.
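The scoring described above, as an added Python example that is not part of the original document: it encodes the severity and probability scales, then scores a cause of a hazard both by the product of the two scores and by a lookup in the acceptance matrix. Assumptions: the probability bands are read as contiguous ranges keyed by their lower bound; only the "7 - Expected" row of the acceptance matrix is legible here, so the remaining rows are a constructed illustration; and the severity score and probability estimate for the sample row are assumed values.

```python
from dataclasses import dataclass

# Severity scale from the page (score -> category).
SEVERITY = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Severe"}
# Probability scale from the page, read as contiguous bands keyed by lower bound
# (assumption: a value exactly on a boundary takes the higher score).
PROBABILITY_BANDS = [(1e-1, 7, "Expected"), (1e-2, 6, "Occasional"), (1e-3, 5, "Moderate"),
                     (1e-4, 4, "Unlikely"), (1e-5, 3, "Remote"), (1e-6, 2, "Improbable"),
                     (0.0, 1, "Incredible")]
# Acceptance matrix: probability score -> one letter (A/E/U) per severity score 1..5.
# Only the "7 - Expected" row (E U U U U) is legible on the page; the other rows are a
# constructed illustration and must be replaced by the organisation's own matrix.
ACCEPTANCE_MATRIX = {7: "EUUUU", 6: "AEUUU", 5: "AEEUU", 4: "AAEEU",
                     3: "AAEEE", 2: "AAAEE", 1: "AAAAE"}

def probability_score(p: float) -> tuple:
    """Map an estimated probability of occurrence to (score, category)."""
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"probability out of range: {p}")
    for lower, score, name in PROBABILITY_BANDS:
        if p >= lower:
            return score, name
    return 1, "Incredible"  # not reached: the last band starts at 0.0

def acceptance(prob_score: int, sev_score: int) -> str:
    """Look up the A / E / U rating for a probability score and a severity score."""
    return ACCEPTANCE_MATRIX[prob_score][sev_score - 1]

@dataclass
class Cause:
    """One row of the risk analysis table: a cause of a failure mode and its hazard."""
    component: str
    failure_mode: str
    cause: str
    hazard: str
    severity: int       # 1..5, see SEVERITY
    probability: float  # estimated probability of occurrence

def evaluate(c: Cause) -> dict:
    """Score one cause: probability score, product risk value and matrix rating."""
    p_score, p_name = probability_score(c.probability)
    return {"hazard": c.hazard, "severity": f"{c.severity} - {SEVERITY[c.severity]}",
            "probability": f"{p_score} - {p_name}", "risk_product": c.severity * p_score,
            "rating": acceptance(p_score, c.severity)}

# Constructed instance of the page's first sample row; both scores are assumed.
SEIZE = Cause("Piston pump dispense correct volume", "Parts seize",
              "Improper assembly, excessive wear", "Units not filled",
              severity=2, probability=2e-5)
```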

SAMPLE RISK ANALYSIS TABLE

Columns: Component/Function | Failures & Causes (Failure Modes, Potential Causes) |
Effects & Hazards (Failure Effect, Probability Score, Hazard, Hazard Score) |
Built-in Detection | Risk Assessment | Further Mitigation

Component/Function: Piston pump dispense correct volume
  Failure Mode: Parts seize
  Potential Causes: Improper assembly, excessive wear
  Failure Effect: Nothing dispensed
  Hazard: Units not filled
  Built-in Detection: Empty units would be observed
  Risk Assessment: Acceptable
  Further Mitigation: None

  Failures & Causes: Wear
  Failure Effect: Leakage past piston
  Hazard: Units underfilled

  Failures & Causes: Wear
  Failure Effect: Air entrainment
  Hazard: Foaming

Component/Function: Mechanical pump drive

Component/Function: Suck-back needle
  Failure Mode: Loss of vacuum at
  Potential Causes: Clogged needle unit or tubing
  Failure Effect: Overfill not removed
