Compliance Risk Assessment
Compliance Risk p
Assessment
in Capital Expansion Projects
Julie‐Lea Lipszyc, Quality Lead/Engineering Services, Therapure Biopharma Inc.
September 2015
Share an applied and practical approach to perform quality / compliance risk assessment /
during engineering / capital expansion projects
Quality / Compliance risk
risk assessment
Share
Practical Approach Engineering / capital expansion projects
2
Wh
What are we going to talk about?
i
lk b ?
• What is a “Risk”?
Wh t i “Ri k”?
• Why doing risk assessment from a regulatory perspective? • What is a quality/compliance risk assessment?
• Some GMP requirements related to cross contamination & mixups
• When to do quality/compliance risk assessment during capital expansion projects?
i
j
?
• Who should be part of the risk assessment exercise?
3
• Approach, Tools & Methodology
• Typical QRM
• Developed Excel Tool
• Report
• Mitigation implementation/risk review
Ri k i
Risk is…
Combination of probability of occurrence of harm, and severity of that harm
of that harm
Fact: No process is risk‐free
p
f
4
Quality Risk Management y
g
(QRM) is…
Process that helps
• Identify risks • Analyse them and then
A l
th
d th
• Create an action plan to remediate / mitigate the risks
Why doing Risk Assessment from a regulatory perspective? FDA (1/2)
 US FDA Quality System Regulation : Request to validate design of medical devices and design validation should include risk analysis (as appropriate)
(as appropriate)
 Risk‐based compliance : important element of the FDA's Pharmaceutical cGMP Initiative for the 21st Century (2002)
 Guidance for Industry Quality Systems Approach to Pharmaceutical CGMP Regulations
• “This guidance is intended to help manufacturers implementing modern quality systems and risk management approaches to d
l
d k
h
meet the requirements of the Agency's CGMP regulations” 5
Why doing Risk Assessment from a regulatory perspective? FDA (2/2)
 Guidance for Industry Quality Systems Approach to Pharmaceutical CGMP Regulation (cont.)
• “Quality
Quality Risk Management: Effective decision‐making in a quality Risk Management: Effective decision making in a quality
systems environment is based on an informed understanding of quality issues…. It is important to engage appropriate parties in assessing the risk Implementation of q alit risk management
assessing the risk… Implementation of quality risk management includes assessing the risks, selecting and implementing risk management controls commensurate with the level of risk, and evaluating the results of the risk management efforts. Since risk l ti th
lt f th i k
t ff t Si
ik
management is an iterative process, it should be repeated if new information is developed that changes the need for, or nature of, risk management. ….”
k
”
6
Why doing Risk Assessment from a regulatory perspective? EU (1/2)
 Eudralex Volume 4 ‐
EU GMP‐ Chapter 1
• “1.12 Quality risk management is a systematic process for the assessment, control, communication and review of risks to the
assessment, control, communication and review of risks to the quality of the medicinal product… .”
• “1.13 The principles of quality risk management are that: i) The evaluation of the risk to quality is based on scientific knowledge
evaluation of the risk to quality is based on scientific knowledge, experience with the process and ultimately links to the protection of the patient ii) The level of effort, formality and documentation of the quality risk management process is commensurate with the f
q
y
g
p
level of risk”.
7
Why doing Risk Assessment from a y
g
f
regulatory perspective? EU (2/2)
 Eudralex
E d l Volume 4 ‐
V l
4
EU GMP Chapter 5
EU GMP‐
Ch t 5
• “A Quality Risk Management process… should be used to assess and control the cross‐contamination risks presented by the products manufactured. Factors including; facility/equipment /
design and use, personnel and material flow, microbiological controls, physico‐chemical characteristics of the active substance, process characteristics cleaning processes and analytical
process characteristics, cleaning processes and analytical capabilities relative to the relevant limits established from the evaluation of the products should also be taken into account…” • “Th
“The outcome of the Quality Risk Management process should be f h Q li Ri k M
h ld b
the basis for determining the extent of technical and organisational measures required to control risks for cross‐
contamination ”
contamination.
8
Why doing Risk Assessment from a y
g
f
regulatory perspective? ICH
 Single most important document about risk management: ICH Q9 ICH
Q9 “Guide
Guide on Quality Risk Management
on Quality Risk Management”
Describes a systematic approach for risk management I ’ THE QRM id !
It’s THE QRM guide!
9
Regulatory Focus on Sound Risk Assessments
Regulatory Focus on Sound Risk Assessments
Equivalent information mentioned in EudraGMP inspection findings…
10
Ok, Risk assessment is needed but which kind ?  Basic risk management facilitation methods (Flow charts)
 Failure Mode Effects Analysis (FMEA)
 Failure Mode, Effects and Criticality Analysis (FMECA)
 Fault Tree Analysis (FTA)
Fault Tree Analysis (FTA)
 Hazard Analysis and Critical Control Points (HACCP)
 Hazard Operability Analysis (HAZOP)
 Preliminary Hazard Analysis (PHA)
P li i
H
d A l i (PHA)
 Risk Ranking and Filtering
 GAMP
 Kepner‐Tregoe® (KT) Analysis
 SLIA – CLIA
What‐If
 What
If
11
Quality / Compliance risk assessment what is it?
Quality / Compliance risk assessment…what is it?
FMEA – Failure Mode and Effects Analysis
• Brainstorms potential failure
Brainstorms potential failure
• Based on P&ID or operating procedure review • Examination of ways that equipment can fail and how each failure affects process
12
Quality & Compliance risk assessment • To identify risks related to
Mi bi l i l
i i
• Microbiological contamination
• Contamination/mix‐ups by other products/personnel/material
• Airborne Contamination
• Order of activities
• Layout and equipment design
y
q p
g
Quality / Compliance risk assessment what is it?
Quality / Compliance risk assessment…what is it?
Mainly review of
Mainly
review of
• Equipment designs
• Layouts
• Flows Flows
(personnel, material (raw material and clean and dirty equipment), waste, product)
• PFDs
• Review of project design versus plant current practices 13
Some GMP Requirements related to cross contamination & mixups
cross contamination & mixups
14
Cross contamination & mixups…US FDA
Cross contamination & mixups…US FDA
• 21
21 CFR 211.42(b):" Any such building shall have adequate space for the CFR 211 42(b) " A
h b ildi
h ll h
d
f h
orderly placement of equipment and materials to prevent mixups
between different components, drug product containers, closures, labeling in process materials or drug products and to prevent
labeling, in‐process materials, or drug products, and to prevent contamination. The flow of components, drug product containers, closures, labeling, in‐process materials, and drug products through the building or buildings shall be designed to prevent contamination." building or buildings shall be designed to prevent contamination.
• 21 CFR 211.42(c):"Operations shall be performed within specifically defined areas of adequate size. There shall be separate or defined areas or such other control systems for the firm'ss operations as are necessary or such other control systems for the firm
operations as are necessary
to prevent contamination or mixups during the course of the following procedures ….”
15
Cross contamination & mixups US FDA
Cross contamination & mixups…US FDA
• 21
21 CFR 211.67(a): CFR 211 67(a): “Equipment
Equipment and utensils shall be cleaned, maintained, and and utensils shall be cleaned maintained and
sanitized at appropriate intervals to prevent malfunctions or contamination that would alter the safety, identify, strength, quality, or purity of the drug product beyond the official or other established requirements.” • FDA Guidance for Industry ‐ Sterile Drug Products Produced by Aseptic Processing — Current Good Manufacturing Practice
• “Both personnel and material flow should be optimized to prevent
unnecessary activities that could increase the potential for introducing contaminants to exposed product, container‐closures, or the surrounding environment.” • “It
It is critical to adequately control material (e.g., in‐process supplies, is critical to adequately control material (e g in process supplies
equipment, utensils) as it transfers from lesser to higher classified clean areas to prevent the influx of contaminants.” 16
Cross contamination & mixups…EU GMP
p
• Volume 4 EU guidelines GMP ‐ Chapter 3
• “Premises and equipment must be located, designed, constructed… “P
i
d
i
t
tb l t d d i
d
t t d
to suit the operations to be carried out. Their layout and design must aim to minimise the risk of errors … to avoid cross‐
contamination ...”
• “Cross‐contamination should be prevented for all products by appropriate design and operation of manufacturing...”
q y f
g
p
g p
• “The adequacy of the working and in‐process storage space should permit the orderly and logical positioning of equipment and materials so as to minimise the risk of confusion between different medicinal products or their components, to avoid cross contamination ”
contamination …
• Volume 4 EU guidelines GMP ‐ Chapter 5
• “Operations on different products should not be carried out simultaneously or consecutively in the same room unless there is no
simultaneously or consecutively in the same room unless there is no risk of mix‐up or cross contamination”
17
Cross contamination & mixups…EU GMP
p
• Volume 4 EU guidelines GMP ‐ Chapter 5
• “Contamination of a starting material or of a product by another material or product should be prevented. This risk of accidental cross‐contamination … should be assessed”
• Volume 4 EU guidelines GMP‐ Annex 2 –Biological active substances:
• “Manufacturing and storage facilities, processes and environmental classifications should be designed to prevent the extraneous contamination of products ”
contamination of products...
• “Air handling units should be designed, constructed and maintained to minimise the risk of cross‐contamination between different manufacturing areas and may need to be specific for an area…”
manufacturing areas and may need to be specific for an area…
• “Equipment used during handling of live organisms and cells, including those for sampling, should be designed to prevent any contamination during processing”
18
Compliance risk assessment…when to do it p
during capital expansion projects?
1.
Start during detailed design
2
2.
Issue first version early during construction or at the latest Issue
first version early during construction or at the latest
at the beginning of installation
3.
Review (new version) after 1st engineering run to document implementation of remediation actions and assess new
implementation of remediation actions and assess new potential risks
19
Who should be part of the risk assessment exercise?
Who should be part of the risk assessment exercise?
Output only as good as the input… most important : inputs should not
most
important : inputs should not only come from single only come from single
individuals but from a risk management team
Subject mater experts (SME) are the key
20
Who should be part of the risk assessment exercise?
Who should be part of the risk assessment exercise?
• Cross – functional team composed of
• Engineering –
Engineering project SME
project SME
• Designers – project SME
• Facility/Maintenance – project SME
• Future Users (Production)
• Validation– project SME
y p
project SME (usually the leader of the exercise)
j
(
y
f
)
• Quality–
21
Use Microsoft Word or Excel templates / forms Filled out by risk management
management team members Valuable tool to improve consistency p
y
and efficiency
Make the entire risk management
management process efficient and consistent
Approach, Tools & Methodology
22
Typical QRM process
Initiate
Quality Risk Management Process
Risk Assessment
Risk Identification
Risk Analysis
Risk Evaluation
Risk
k Communication
Risk Control
Risk Reduction
Risk Acceptance
Output / Result of the
Quality Risk Management Process
Risk Management ttools
unacceptable
Compliance risk assessment Excel table (risk identification, analysis, proposal of mitigation measures for risk control)…
Compliance risk assessment report… Risk Review
Review Events
23
Review/update of risk assessment table and report, review for implementation
evidences of mitigation solutions and new potential risks… p
Developed Excel Tool
Developed Excel Tool
24
Process Parameter
V i
Version
Process Parameter : location where the risk is identified
• Flow (ex. material, personnel, waste, etc.)
• Room (room number)
• Process area (ex. pre‐viral/production, formulation, fill finish, buffer P
(
i l/ d ti
f
l ti
fill fi i h b ff
preparation area, wash up area, etc.)
25
Risk Identification
Risk Identification
• Description of the risk
• Risk Type (ex. cross contamination, mix‐ups, product integrity, reconciliation, process control, room control, etc.)
= Categorisation of the risk allowing grouping and analysis
26
Identify Risks
Identify Risks
• During brainstorming meeting
Review and compare each other
and compare each other
• Review
• Retain only credible risks
• Do not put a risk in the list if controls are currently in place to reduce the risk to an acceptable level and no additional
reduce the risk to an acceptable level and no additional action is required (i.e. the project does not add any new risk to current practices)
• Leave in the list only risks without sufficient control
Leave in the list only risks without sufficient control
27
Risk Analysis
Risk Analysis
For each risk, establish
• Severity – severity of risk on product quality • Probability of occurrence ‐ likelihood of the risk to occur • Detectability ‐
D
bili
lik lih d h h i k ill b
likelihood that the risk will be noted before harm occurs db f
h
28
For each risk identified analyze
For each risk identified, analyze
• SSeverity (S) –
it (S) severity of risk on product quality it f i k
d t
lit
(1‐high, 2‐medium, 3‐low)
y
( ) likelihood of the risk to occur • Probability of occurrence (P)‐
(1‐often, 2‐occasionally, 3‐rarely) • Intersection of Severity and Probability = Risk Level
29
Q
Qualitative or semi‐quantitative rating
q
g
• Rating can be qualitative, quantitative or semi‐quantitative • Unless thorough statistical or other reliable data available, scales = qualitative g
,
q
• Ex. qualitative: 'high', 'medium' or 'low‘
• Equivalent semi‐quantitative: 'once a day', 'once a week' or 'once a month'. Ex. qualitative & semi‐quantitative descriptions for severity 30
Qualitative Semi‐Quantitative
Quantitative Very high Frequent / Likely to happen
Every day High Probable Every 3 days Medium Occasionally Every week Low
Low Can happen
Can happen Every 3 weeks
Every 3 weeks Very low Improbable Every 2 months Risk evaluation
Risk evaluation
• Detectability (D) ‐ likelihood that the risk will be noted before harm occurs (
(1‐low, 2‐medium, 3‐high)
,
,
g )
• Risk Remediation Priority ‐ Intersection of Risk Level and Detectability 31
Risk Control
Risk Control
Decision to mitigate/remediate/control or accept the risk
Priority of risk resolution:
When everything is a priority,
priority nothing is a priority!
32
Risk control
Risk control
• Risk Remediation Priority ‐ Intersection of Risk Level and Detectability • Risk Remediation Priority:
 High (red) Risk: Primary risk to be mitigated Unacceptable risk, must be mitigated
p
,
g
 Medium (white) Risk: Risk should be mitigated Second priority
 Low (green) Risk: Risk acceptable (risk threshold)
Could be mitigated (third priority)
33
Risk Control
Risk Control
Decision Making
D
i i M ki
 Risk reduction / mitigation? or
 Risk acceptance?
Risk reduction
• Actions taken to lessen the probability of occurrence of risk
and the severity of the risk: mitigation solutions
• Typically validation activities, engineering studies, SOP/batch
production records modifications, design measures
Ri k acceptance
Risk
t
• Decision to accept the risk
34
34
Risk control
Risk control
Basis for Judgment
B
i f J d
t
 Is the risk above the acceptable level?
 What can done to reduce or eliminate risks?
What can done to reduce or eliminate risks?
 What is the appropriate balance among benefits, risks and resources?
 Are new risks introduced as a result of the identified risks being controlled?
35
Risk Mitigation
•
•
•
•
•
Mitigation solutions
(list of solutions to mitigate risks) – Several solutions may be required to mitigate one risk
Mitigation solution type (categorization of mitigation solutions proposed: SOP, batch production records, validation, engineering study, process controls, etc.)
Action Required (more detailed action required to implement the mitigation solution)
Mitigation status (not yet mitigated, partially mitigated, mitigated)
Remaining actions (actions to implement to mitigate the risk)
36
Risk Mitigation
Risk Mitigation
• Diff
Different ways & approaches to mitigate risks t
&
h t
iti t i k
• Removing the risk source (eliminating the risk) • Changing the likelihood (occurrence)
• Changing the consequences (severity)
• Ensuring that the risk is detected and can be treated when it occurs (detectability)
• All risk mitigation options should be considered and can be combined
• Mitigation
Mitigation of one risk to an acceptable level may create new of one risk to an acceptable level may create new
other acceptable or unacceptable risks (to mitigate too) or increase existing risks in other areas. Care needs to be taken when identifying mitigation solutions
when identifying mitigation solutions
37
Cross Contamination Risk Reduction Examples
Cross‐Contamination Risk Reduction Examples
From Mix up
From Mix‐up
From Mechanical/Airborne Transfer
From Mechanical/Airborne Transfer
• Redundant electronic verification of materials
• Limit transfer of compounds between suites
• Redundant manual checks
•
ie. High Shear Granulation, Milling, and Drying in same suite • Color coding
C l
di
• Segregate work areas to a single product
• Bar coding and RFID of materials & equipment
• Contain at the Source
• Locked cages to store APIs with chain of custody y
• Close process systems
• Process Analytical Technologies • Separate dispensing areas
• Separate raw material staging areas
Separate raw material staging areas
• Segregate flows
• Room airflow
• Airlock separation to corridor
• Room differential pressures
• Gowning procedures
• Wipe down/Decontamination protocols for mobile equipment
• Cleaning bays with dirty / clean pass through
Cl i b
ith di t / l
th
h
38
Report
Critical part of the results of the Risk Assessment : The Report!
Provide confidence that risks identified are /will be controlled / mitigated / remediated
39
Report content
Report content
Report approval
Responsibility
ibili
Scope and purpose
Process description
• Process flow diagram (PFD) / Project production room Process flow diagram (PFD) / Project production room
layout
• Facility design information
• Quality system procedures
Quality system procedures
• Shared equipment, utilities and production areas
• Risk assessment methodology and procedure
• Results & conclusion (graphical analysis of the type of risks (g p
y
yp
identified, their level (remediation priority), their mitigation solutions and mitigation status)
• Glossary and acronyms
•
•
•
•
40
Graphical analysis
Graphical analysis
•
•
•
•
•
•
•
•
•
41
List of rooms/areas where no specific project risks were identified
% of risks identified per area
Number & Type of Risks per area
Type / Categories of Identified Risks
Levels of risks identified
Levels of risks identified
Categories of risks per risk level
Mitigation status per risk levels & categories
Mitigation solutions type
Risks mitigation solutions
Mitigation implementation/Risk Review
Mitigation implementation/Risk Review
• Follow up of implementation (evidence) of solutions
• Identification of new risks
• Confirmation mitigation measures are in place AND sufficient to reduce risk to acceptable level
"Review or monitoring of output/results of the risk management process considering (if appropriate) new knowledge and experience about the
considering (if appropriate) new knowledge and experience about the risk." (ICH Q9)
Summaryy
• Quality & compliance risk assessment : not an
enhanced design review …. • Regulatory agencies expect to demonstrate using “scientifically sound assessment” how to prevent cross contamination and to “justify the level of controls”
• Piece of advice to perform good risk assessment: do not mix everything together: compliance, hazard analysis, failure analysis… analysis
Risk becomes : never finish the risk assessment exercise…. • Do not find risk everywhere and for everything • Goal: Identify and mitigate credible and real risks
Tool to bridge regulatory/QA/validation focus with to bridge regulatory/QA/validation focus with
• Tool
engineering/CAPEX: share knowledge, mitigate risks of
43
non compliance
Thank you!
Thank you!
44
Julie‐Lea Lipszyc, Quality Lead/Engineering Services
Master’s Degree Quality Assurance of pharmaceutical, cosmetic and dietetic products (Paris, France)
~ 20 years in pharmaceutical, biotech and medical devices sectors:
20 years in pharmaceutical biotech and medical devices sectors:
• Compliance design reviews
• Risk assessments
• Quality systems design and implementation
Quality systems design and implementation
• Quality assurance team management
• Regulatory affairs
• Cleaning & microbiological method validation Cleaning & microbiological method validation
• Compliance & validation project management • Qualification / validation
• Field of expertise : Canadian, US and European regulations
f p
p
g
APIs High potency compounds
Drugs
Laboratories
Blood and tissue products
Clinical trials
Biotech (vaccines)
Medical devices
45
Sterile products
Natural health products