We define RA process as follows with some examples. Does this help in understanding? Do let me know.
(A) GxP Determination
• List down various processes which have been automated.
(B) System Impact
Next step is to identify use of Automated System and find its direct impact on following criteria:
• Impact on generating, manipulating or controlling data supporting regulatory safety and efficacy submissions.
• Impact on control of critical parameters or data used
• Impact on control of data for product release
• Impact on control of data required in case of product recall
• Impact on controlling adverse event or complaint recording
© Functional Risk Assessment
Further, processes are listed and evaluated for assessment of risk to either product quality and data integrity. It involves mainly following steps. These are based on GAMP 5 directly.
- Identifying GxP Risk
- Identifying Risk Scenarios
- Assessing the likelihood of An Adverse Event
- Assessing the severity of impact
- Detection of adverse impact
- Overall priority
These steps are explained below.
Point number 1 & 2 are linked with User Requirement Specification document.
Point no. 3, 4 and 5, ascertains the prioritization of risk in High/Medium/Low categories.
Pt. 6 covers the overall priority on the basis of results obtained in 3,4 and 5 using RPN numbering methodology.
- Identifying GxP Risk
System function parameters are evaluated and identified whether they represent a risk when assessed against a series of GxP criteria.
Following types of risks are mainly identified during risk assessment process for use of automated systems in regulatory environment:
• Risks towards non-availability of required documentation
• Risks towards non-availability of required SOPs
• Risks towards non-availability of system Access Control
• Risks towards abnormal user operation performed at the time of system operation
• Risks towards incorrect configuration of system
• Risks towards Improper and/or inadequate training
• Risks towards implementation of US FDA 21 CFR Part 11 rule
- Identifying Risk Scenarios
Having determined that a particular function may have a GxP risk associated with it, the assessment proceeds to identify the various risk scenarios i.e. the events that identify the risks associated with use of the system.
The functions identified are analyzed by considering possible hazards/adverse effects and what controls may be needed to minimize the potential harm.
2.1 Assessing the Likelihood of An Adverse Event
After identifying hazards / adverse events, determine the likelihood (frequency or probability) of it occurring. User considers the likelihood of the adverse event occurring per number of transactions, and assigns a value to that estimate.
Ranking of likelihood methods are defined as follows:
The processes which are internally controlled by software (user can’t modify) and have been tested thoroughly during software development, may be considered as ‘Low’ risk. Such risks may fall in ranking of likelihood 1 to 3 from the Table – I ( Not attached here) below. For example: Display parameters, print records.
The processes which are controlled by users and are due to possibility of human error and non-availability of system control may be considered as ‘Medium’ risk. Such risks may fall in ranking of likelihood 4 to 6. For example: Change in set parameters, change in recipe.
In many instances adverse events may be as the result of the systematic software faults, such as software bugs and the team may be unable to estimate the likelihood of such an adverse event. In such instances the likelihood ranking should be in range of 7 to 10.
2.2 Assessing the Severity of Impact
After determining likelihood of adverse event, severity of its impact on process is assessed. These effects take into account impact on regulatory compliance, impact on product quality and impact on data integrity.
The impact of risk occurring may be described as follows:
The processes which do not directly affect the final output of the system/software may fall in ranking of severity 2 to 4. For example: Warning messages, reference parameters, etc.
The processes which are used in the initial stage of operation, however it may affect the final output but those are not used for final release of output, may fall in ranking 5 to 6 of severity. For example: System alarms, power failures, communication failure, etc.
The processes which are used in the final stage of operation and are used for final decision for output may fall in ranking 7 to 10 of severity. For example: set parameters, selection of recipe, selection of operation, print record, display record
2.3 Detection of Adverse Event
Next step is to identify if the adverse event can be recognized or detected by other means in the system. Adverse event having high probability of detection, may not pose a serious threat because it can be recognized quickly and suitable corrective action taken to mitigate its impact. If an adverse event has a low probability of detection, then the risk condition needs to seriously consider a review of the design or the implementation of alternative procedures to avoid the event.
Adverse event is detected at final stage of output or after release of output or may not be detected, may fall in ranking 6 to 10 of probability of detection. For example: Non-availability of SOP, usage of SOP, Training, wrong selection of operation etc.
The processes with adverse events are advanced to next stage of operation; however that adverse event can track down before final release of output may fall in ranking 4 to 5 of probability of detection. For examples: wrong selection of set parameters.
The processes with adverse events which are identified by system and highlighted with error message may fall in ranking 1 to 3 of probability of detection. For example: alarm message, trip conditions, etc
- Overall Priority
Overall priority is calculated using RPN number methodology. RPN means Risk Priority Numbering and in it multiplication of the all three assessments are done.
RPN = Severity x Occurrence x Detection
I have not attached any tables as mentioned above, however I hope that this may throw more light on actual assessment.
Based on above, you may create a table having various risk scenarios at left side and columns of impact of failure, point 2.1, 2.2, 2.3 and 3 at right side.
This may help you to quantify the RA process and determine mitigation strategies.
Hope above is useful.
Jaydeep D. Chhatrapati
Epitome Technologies Pvt. Ltd.