Compliance Risk Assessment in Capital Expansion Projects Julie Lea Lipszyc, Quality Lead/Engineering Services, Therapure Biopharma Inc. September 2015
Share an applied and practical approach to perform quality / compliance risk assessment during engineering / capital expansion projects Share Engineering / capital expansion projects Practical Approach Quality / Compliance risk assessment 2
What are we going to talk about? What is a Risk? Why doing risk assessment from a regulatory perspective? What is a quality/compliance risk assessment? Some GMP requirements related to cross contamination & mixups When to do quality/compliance risk assessment during capital expansion projects? Who should be part of the risk assessment exercise? Approach, Tools & Methodology Typical QRM Developed Excel Tool Report Mitigation implementation/risk review 3
Risk is Quality Risk Management (QRM) is Combination of probability of occurrence of harm, and severity of that harm Process that helps Identify risks Analyse them and then Create an action plan to remediate / mitigate the risks Fact: No process is risk free 4
Why doing Risk Assessment from a regulatory perspective? FDA (1/2) US FDA Quality System Regulation : Request to validate design of medical devices and design validation should include risk analysis (as appropriate) Risk based compliance : important element of the FDA's Pharmaceutical cgmp Initiative for the 21st Century (2002) Guidance for Industry Quality Systems Approach to Pharmaceutical CGMP Regulations This guidance is intended to help manufacturers implementing modern quality systems and risk management approaches to meet the requirements of the Agency's CGMP regulations 5
Why doing Risk Assessment from a regulatory perspective? FDA (2/2) Guidance for Industry Quality Systems Approach to Pharmaceutical CGMP Regulation (cont.) 6 Quality Risk Management: Effective decision making in a quality systems environment is based on an informed understanding of quality issues. It is important to engage appropriate parties in assessing the risk Implementation of quality risk management includes assessing the risks, selecting and implementing risk management controls commensurate with the level of risk, and evaluating the results of the risk ikmanagement efforts. Since risk ik management is an iterative process, it should be repeated if new information is developed that changes the need for, or nature of, risk management..
Why doing Risk Assessment from a regulatory perspective? EU (1/2) Eudralex Volume 4 EU GMP Chapter 1 1.12 Quality risk management is a systematic process for the assessment, control, communication and review of risks to the quality of the medicinal product. 1.13 The principles of quality risk management are that: i) The evaluation of the risk to quality is based on scientific knowledge, experience with the process and ultimately links to the protection of the patient ii) The level of effort, formality and documentation of the quality risk management process is commensurate with the level of risk. 7
Why doing Risk Assessment from a regulatory perspective? EU (2/2) Eudralex Vl Volume 4 EU GMP Chapter 5 A Quality Risk Management process should be used to assess and control the cross contamination risks presented by the products manufactured. Factors including; facility/equipment design and use, personnel and material flow, microbiological controls, physico chemical characteristics of the active substance, process characteristics, cleaning processes and analytical capabilities relative to the relevant limits established from the evaluation of the products should also be taken into account The outcome of the Quality Risk Management process should ldbe the basis for determining the extent of technical and organisational measures required to control risks for cross contamination. 8
Why doing Risk Assessment from a regulatory perspective? ICH Single most important document about risk management: ICHQ9 Guide on Quality Risk Management Describes a systematic approach for risk management I It s THE QRM guide! 9
Regulatory Focus on Sound Risk Assessments 10 Equivalent information mentioned in EudraGMP inspection findings
Ok, Risk assessment is needed but which kind? 11 Basic risk management facilitation methods (Flow charts) Failure Mode Effects Analysis (FMEA) Failure Mode, Effects and Criticality Analysis (FMECA) Fault Tree Analysis (FTA) Hazard Analysis and Critical Control Points (HACCP) Hazard Operability Analysis (HAZOP) Preliminary i Hazard danalysis (PHA) Risk Ranking and Filtering GAMP Kepner Tregoe (KT) Analysis SLIA CLIA What If
Quality / Compliance risk assessment what whatis it? FMEA Failure Mode and Effects Analysis Brainstorms potentialfailure Based on P&ID or operating procedure review Examination of ways that equipment can fail and how each failure affects process Quality & Compliance risk assessment To identify risks related to Microbiological i l contamination i Contamination/mix ups by other products/personnel/material Airborne Contamination Order of activities Layout and equipment design 12
Quality / Compliance risk assessment what whatis it? Mainly review of Equipment designs Layouts Flows (personnel, material (raw material and clean and dirty equipment), waste, product) PFDs Review of project design versus plant current practices 13
Some GMP Requirements related to cross contamination & mixups 14
Crosscontamination & mixups USFDA 21 CFR 211.42(b):" Any such building shall llhave adequate space for the orderly placement of equipment and materials to prevent mixups between different components, drug product containers, closures, labeling, in process materials, or drug products, and to prevent contamination. The flow of components, drug product containers, closures, labeling, in process materials, and drug products through the building or buildings shall be designed to prevent contamination." 21 CFR 211.42(c):"Operations shall be performed within specifically defined areas of adequate size. There shall be separate or defined areas orsuch other control systems for the firm's operations as are necessary to prevent contamination or mixups during the course of the following procedures. 15
Crosscontamination & mixups US USFDA 21 CFR 211.67(a): Equipment and utensils shall be cleaned, maintained, and sanitized at appropriate intervals to prevent malfunctions or contamination that would alter the safety, identify, strength, quality, or purity of the drug product beyond the official or other established requirements. FDA Guidance for Industry Sterile Drug Products Produced by Aseptic Processing Current Good Manufacturing Practice Both personnel and material flow should be optimized to prevent unnecessary activities that could increase the potential for introducing contaminants to exposed product, container closures, or the surrounding environment. It is critical to adequately control material (e.g., in process supplies, equipment, utensils) as it transfers from lesser to higher classified clean areas to prevent the influx of contaminants. 16
Cross contamination & mixups EU GMP Volume 4 EU guidelines GMP Chapter 3 Premises i and equipment must be located, designed, d constructed t to suit the operations to be carried out. Their layout and design must aim to minimise the risk of errors to avoid crosscontamination... Cross contamination should be prevented for all products by appropriate design and operation of manufacturing... The adequacy of the working and in process storage space should permit the orderly and logical positioning of equipment and materials so as to minimise the risk of confusion between different medicinal products or their components, to avoid cross contamination Volume 4 EU guidelines GMP Chapter 5 Operations on different products should not be carried out simultaneously or consecutively in the same room unless there is no risk of mix up or cross contamination 17
Cross contamination & mixups EU GMP Volume 4 EU guidelines GMP Chapter 5 Contamination of a starting material or of a product by another material or product should be prevented. This risk of accidental cross contamination should be assessed Volume 4 EU guidelines GMP Annex 2 Biological active substances: Manufacturing and storage facilities, processes and environmental classifications should be designed to prevent the extraneous contamination of products... Air handling units should be designed, constructed and maintained to minimise the risk of cross contamination between different manufacturing areas and may need to be specific for an area Equipment used during handling of live organisms and cells, including those for sampling, should be designed to prevent any contamination during processing 18
Compliance risk assessment when to do it during capital expansion projects? 1. Start during detailed design 2. Issue first version early during construction or at the latest at the beginning of installation 3. Review (new version) after 1st engineering run to document implementation ofremediation actions andassessassess new potential risks 19
Whoshould be part of the risk assessmentexercise? exercise? Output only as good as the input most important : inputs should not only come from single individuals but from a risk management team Subject mater experts (SME) are the key 20
Whoshould be part of the risk assessmentexercise? exercise? Cross functional team composed of Engineering project SME Designers project SME Facility/Maintenance project SME Future Users (Production) Validation project SME Quality project SME (usually y the leader of the exercise) ) 21
Use Microsoft Word or Excel templates / forms Filled out by risk management team members Valuable tool to improve consistency and efficiency Make the entire risk management process efficient and consistent Approach, Tools & Methodology 22
Typical QRM process Initiate Quality Risk Management Process Risk Assessment Risk Identification Risk Communication Risk Control Risk Analysis Risk Evaluation Risk Reduction Risk Acceptance unacceptable Risk Management tools Compliance risk assessment Excel table (risk identification, analysis, proposal of mitigation measures for risk control) Output / Result of the Quality Risk Management Process Compliance risk assessment report Risk Review Review Events Review/update of risk assessment table and report, review for implementation evidences of mitigation solutions and new potential risks 23
Developed Excel Tool 24
Process Parameter Version Process Parameter : location where the risk is identified Flow (ex. material, personnel, waste, etc.) Room (room number) Process area (ex. pre viral/production, formulation, fill finish, i buffer preparation area, wash up area, etc.) 25
Risk Identification Description of the risk Risk Type (ex. cross contamination, mix ups, product integrity, reconciliation, process control, room control, etc.) = Categorisation of the risk allowing grouping and analysis 26
Identify Risks During brainstorming meeting Review and compare each other Retain only credible risks Do not put a risk in the list if controls are currently in place to reduce the risk to an acceptable level and no additional action is required (i.e. the project does not add any new risk to current practices) Leave in the list only risks without sufficient control 27
Risk Analysis For each risk, establish Severity severity of risk on product quality Probability of occurrence likelihood of the risk to occur Detectability likelihood lih that the risk ikwill be noted before bf harm occurs 28
For each risk identified, analyze Severity (S) severity of risk ikon product quality (1 high, 2 medium, 3 low) Probability of occurrence (P) likelihood of the risk to occur (1 often, 2 occasionally, 3 rarely) Intersection of Severity and Probability = Risk Level 29
Qualitative or semi quantitative rating Rating can be qualitative, quantitative or semi quantitative Unless thorough statistical or other reliable data available, scales = qualitative Ex. qualitative: 'high', 'medium' or 'low Equivalent semi quantitative: 'once a day', 'once a week' or 'once a month'. Ex. qualitative & semi quantitative descriptions for severity Qualitative Semi Quantitative Quantitative 30 Very high Frequent / Likely to happen Every day High Probable Every 3 days Medium Occasionally Every week Low Can happen Every 3 weeks Very low Improbable Every 2 months
Risk evaluation Detectability (D) likelihood that the risk will be noted before harm occurs (1 low, 2 medium, 3 high) Risk Remediation Priority Intersection of Risk Level and Detectability 31
Risk Control Decision to mitigate/remediate/control or accept the risk Priority of risk resolution: When everything is a priority, nothing is a priority! 32
Risk control Risk Remediation Priority Intersection of Risk Level and Detectability Risk Remediation Priority: High (red) Risk: Primary risk to be mitigated Unacceptable risk, must be mitigated Medium (white) Risk: Risk should be mitigated Second priority Low (green) Risk: Risk acceptable (risk threshold) Could be mitigated (third priority) 33
Risk Control Decision i Mki Making Risk reduction / mitigation? or Risk acceptance? Risk reduction Actions taken to lessen the probability of occurrence of risk and the severity of the risk: mitigationsolutions Typically validation activities, engineering studies, SOP/batch production records modifications, design measures Risk acceptance Decision to accept the risk 34 34
Risk control Basis for Judgment Is the risk above the acceptable level? What can done to reduce or eliminate risks? What is the appropriate balance among benefits, risks and resources? Are new risks introduced as a result of the identified risks being controlled? 35
Risk Mitigation Mitigation solutions (list of solutions to mitigate risks) Several solutions may be required to mitigate one risk Mitigation solution type (categorization of mitigation solutions proposed: SOP, batch production records, validation, engineering study, process controls, etc.) Action Required (more detailed action required to implement the mitigation solution) Mitigation status (not yet mitigated, partially mitigated, mitigated) Remaining actions (actions to implement to mitigate the risk) 36
Risk Mitigation Different ways & approaches to mitigate t risks ik Removing the risk source (eliminating the risk) Changing the likelihood (occurrence) Changing the consequences (severity) Ensuring that the risk is detected and can be treated when it occurs (detectability) All risk mitigation options should be considered and can be combined Mitigation ofone one risk to anacceptableacceptable level may createnew other acceptable or unacceptable risks (to mitigate too) or increase existing risks in other areas. Care needs to be taken when identifying mitigation solutions 37
Cross Contamination Contamination Risk Reduction Examples From Mix up Redundant electronic verification of materials Redundant manual checks Color coding Bar coding and RFID of materials & equipment Locked cages to store APIs with chain of custody Process Analytical Technologies Separate dispensing areas Separate raw material staging areas Segregate flows From Mechanical/Airborne Transfer Limit transfer of compounds between suites ie. High Shear Granulation, Milling, and Drying in same suite Segregate work areas to a single product Contain at the Source Close process systems Room airflow Airlock separation to corridor Room differential pressures Gowning procedures Wipe down/decontamination protocols for mobile equipment Cleaning bays with dirty / clean pass throughh 38
Report Critical part of the results of the Risk Assessment : The Report! Provide confidence that risks identified are /will be controlled / mitigated / remediated 39
Report content Report approval Responsibility Scope and purpose Process description Process flow diagram (PFD) / Project production room layout Facility design information Quality system procedures Shared equipment, utilities and production areas Risk assessment methodology and procedure Results & conclusion (graphical analysis of the type of risks identified, their level (remediation priority), their mitigation solutions and mitigation status) Glossary and acronyms 40
Graphical analysis List of rooms/areas where no specific project risks were identified % of risks identified per area Number & Type of Risks per area Type / Categories of Identified Risks Levels of risks identified Categories of risks per risk level Mitigation status per risk levels & categories Mitigation solutions type Risks mitigation solutions 41
Mitigation implementation/risk Review Follow up of implementation (evidence) of solutions Identification of new risks Confirmation mitigation measures are in place AND sufficient to reduce risk to acceptable level "Review or monitoring of output/results of the risk management process considering (if appropriate) new knowledge and experience about the risk." (ICH Q9)
Summary 43 Quality & compliance risk assessment : not an enhanced design review. Regulatory agencies expect to demonstrate using scientifically sound assessment how to prevent cross contamination and to justify the level of controls Piece of advice to perform good risk assessment: do not mix everything together: compliance, hazard analysis, failure analysis Risk becomes : never finish the risk assessment exercise. Do not find risk everywhere and for everything Goal: Identify and mitigate credible and real risks Tool to bridge regulatory/qa/validation focus with engineering/capex: share knowledge, mitigate risks of non compliance
Thank you! 44
Julie Lea Lipszyc, Quality Lead/Engineering Services Master s Degree Quality Assurance of pharmaceutical, cosmetic and dietetic products (Paris, France) ~ 20 years in pharmaceutical, biotech and medical devices sectors: Compliance design reviews Risk assessments Quality systems design and implementation Quality assurance team management Regulatory affairs Cleaning & microbiological method validation Compliance & validation project management Qualification / validation Field of expertise : Canadian, US and European regulations APIs High potency compounds Drugs Laboratories Blood and tissue products Clinical trials 45 Biotech (vaccines) Sterile products Medical devices Natural health products