There is No Such Thing as Zero Risk

To manage risk properly, industry must understand what it is and how to assess it
Feb 02, 2009
Volume 33, Issue 2

Peter H. Gough
I recently saw a comment in a journal by a former United Kingdom-GMP inspector who concluded that discussion of structured risk management is stupid and dangerous for pharmaceuticals because "no risk is acceptable." I believe the view illustrates a common misunderstanding regarding the nature of risk. Risk is like variability; even though one wishes to reduce risk, it can never be eliminated. Everything we do in life carries some degree of risk.

Outside of the laboratory, for example, some of us take up pastimes such as rock-climbing, free-fall parachuting, or bungee jumping. In doing so, we constantly assess the risks associated with our activities and attempt to control those risks. If we deem the risk too high, we undertake risk-reduction measures. For example, in free-fall parachuting, we might carry an emergency parachute in case the main chute fails to open.

For decades, the pharmaceutical industry and its regulators have labored under the false belief that risk can be entirely eradicated. We have been ignoring helpful tools and techniques such as Failure Modes and Effects Analysis (FMEA) that are widely used in other industries. We have come to accept large numbers of deviations as the norm and, therefore, risk has been managing us.

The advent of the US Food and Drug Administration's Pharmaceutical GMPs for the 21st Century inititaive and the subsequent quality initiatives of the International Conference on Harmonization have placed a spotlight on how we manage quality risks within the pharmaceutical industry. In the past, industry's approach to assessing and controlling quality risks has been largely empirical and, all too often, reactive rather than proactive. This approach, which does not adequately consider risk as part of the preventive component of corrective action and preventive action, has led to recurring deviations. This is not to say that full, structured risk management should be used in every situation. Rather, in more complex or hazardous situations, several helpful tools and techniques should be used.

ICH Q9 Risk Management was written to define structured quality risk management, to explain how it can be applied to pharmaceuticals, and to provide a common language with an agreed-upon process for pharmaceutical manufacturers and regulators. In many structured risk-management models, risk is defined as "the combination of the probability of occurrence of harm and the severity of that harm" (1). Harm is defined in Q9 as "damage to health, including the damage that can occur from loss of product quality or availability."

The first stage of the risk-management process addressed in ICH Q9 is risk assessment, which is subdivided into three steps:

  • Risk identification—identifying potential sources of harm (i.e., hazards).
  • Risk analysis—estimating the risk associated with the identified hazards (i.e., the severity and probability of occurrence).
  • Risk evaluation—comparing the estimated risk against the risk threshold to determine the significance of the risk. If the estimated risk is greater than the threshold, the risk must be reduced.

The second stage is risk control. This stage includes the identification of possible risk-reduction measures and, eventually, acceptance of the residual risk, which can never be zero.

The final stage is risk review, which is the process of reviewing the risk assessment and risk-control decisions based on experience to identify whether the risks have been adequately controlled and to take consequent actions. ICH Q9 makes it clear that other risk-review models can be used (e.g., ISO 14971: Application of Risk Management to Medical Devices) and that the emphasis on each component of the framework is likely to differ on a case-by-case basis.

Annex 1 to ICH Q9 provides details regarding the tools and techniques commonly used in risk management. The most common tool, FMEA, assesses the severity of risk, the probability of its occurrence, and the likelihood of detection. Other similar risk-management tools help to estimate relative risks so that priorities can be set. These tools also help to determine those areas where no action is required because the current level of risk is acceptable.

lorem ipsum