Limiting Risk in Bio/Pharmaceutical Development

In bio/pharmaceutical regulatory compliance, risk management involves the interactions between people, processes, and technology and how these factors must be managed to meet the quality and compliance needs of a business. Risk assessment involves an evaluation of the risk to patient health, the risk to product quality, and the risk to data integrity associated with the development, manufacture, and release of medicinal products. Mark Stevens, operations director, of Formpipe Life Science, a provider of enterprise quality management software (EQMS), discusses strategies to address risk in bio/pharmaceutical development and manufacturing.

Identifying riskPharmTech: What are the risks associated with patients?

Stevens: When we refer to patient risk we mean that something has gone wrong in the quality supply chain, such that the medicinal product or medical device supplied to the patient is incorrect or sub-standard. For example, if a mixing process in tablet manufacturing does not work properly, it could lead to significant and serious differences in the amount of active drug in each tablet. One tablet could have no drug and another could have 10 times the correct amount. In the context of a high-potency cancer treatment product, there can be serious patient risks either way.

Another example could be incorrect packaging and labeling. When we take a pill from a blister pack, or give a child a spoon of medicine, we assume that what is contained in that medicine is exactly what it says on the box. We implicitly trust every part of the quality supply chain that leads to the consumption of that product. Incorrect packaging could lead to a patient being given the wrong drug or wrong dose, which could cause further harm rather than benefit.

PharmTech: How can risks to health be mitigated?

Stevens: The key to minimizing and controlling patient risk is ensuring all staff are appropriately trained to perform their duties; that work processes are robust, clearly defined, are followed correctly, and have been proven; and that all equipment and systems used have been correctly designed, specified, validated, and maintained.

Making sure this happens consistently through a quality management system--robust enough to deal with all the problems and events that happen in the real world--is more complicated and where the real understanding of potential impact of events on patient safety is crucial. A good starting point is the validation of people, process, and technology within an organization. In addition, the entire quality process should be viewed as a whole, to ensure the system is functional. If you have clear visibility on what is happening, that quality events are being identified and appropriately dealt with in good time, then one can be confident in the system. A growing backlog of issues or trends of repeat issues means it is a strong indication of problem areas that must be addressed.

Validation stepsPharmTech: What is involved in the validation of people, processes, and technology?

Stevens: For a process to be validated the equipment, work process, people, and records must be working as specified and as intended, repeatedly and robustly. There is no point in having validated equipment with an excellent validation history if people are not using the equipment correctly.

Validation of equipment and systems should also, in most cases, be a simple exercise. If the requirements and risk assessment have been properly executed and the real risks identified and understood, the testing needed to demonstrate robust and repeatable compliance with these requirements is generally clear. All too often, time is wasted when functional testing that the supplier has already done is repeated internally, rather than focusing on the specific application, thinking about the end use, and how this could impact patient safety, product quality, or the integrity of data.

Employee behavior and training has the potential to create risk for patients, but conversely, also the ability to resolve issues caused by less-than-perfect processes or equipment. Everyone working within the organization must clearly understand GMP and their responsibilities. The risk of human error, negligence, or deliberate acts of malice cannot be eliminated, but organizations can ensure employees are trained and supported with a culture and work processes that can identify and investigate non-standard events.

An organization that accepts and embraces the principles of GMP knows it is as important to ensure people have comprehended the training they have received, as it is to deliver it in the first place. Messages, training courses, or any other methods for delivering information should include a mechanism to confirm employees have been seen, considered, and understood. This documented evidence demonstrates that the company has done everything possible to mitigate the risk of a system breakdown.

Reducing riskPharmTech: If an organization reduces the risk to patients, will it reduce the risk to product quality?

Stevens: A risk to product quality is often a direct or indirect risk to patients. Product quality, however, generally means that the end product does not meet the defined specifications and parameters for which it was tested and approved. Examples of product quality issues include an abnormal appearance of the product; for example, discoloration of a tablet, cloudiness of a clear liquid, or a tablet breaking or crumbling when removed from a blister pack. The quality issue may or may not have an impact upon the medicinal effect but the fact here is that the product has not been manufactured or preserved to its approved specification.

Understanding product quality risk and making an informed decision is the key. By understanding factors--such as temperature excursion of a critical supply of clinical trial material--an organization can assess whether is it more of a risk not to supply the drug in time to the patient, or whether it can be demonstrated that the product quality impact is not a serious issue and, therefore, can be administered. It is important to determine whether the deviation is a non-compliance issue or whether there is a real risk to the patient that needs to be understood and assessed.

To accurately manage product quality, all participants and processes must work within set parameters. In the event of a deviation there should be alarms, checks, and measures that should identify problems and reject potentially defective outputs to ensure consistent product quality. If a procedure is subsequently changed due to an identified flaw, a corrective and preventive action and any associated investigation and actions should be carried out to eliminate the risk of further similar failures. Where the investigation identifies the need for training, the effectiveness should be evaluated to ensure the training has achieved its objective.

Data integrityPharmTech: Why is data integrity so important?

Stevens: A medicinal product is only considered complete and fit for purpose if records supporting its development, manufacture, or release are accurate and complete. If the integrity of these records has been compromised--intentionally or unintentionally--there is an uncertainty and therefore risk, even if the change to the records has no impact on the drug’s quality. A data integrity non-compliance issue can lead to regulatory agency demands for intense investigations to assess the impact and in extreme cases it can lead to licence suspension, heavy fines, or even site closure.

Data integrity for batch records and quality-control analytical data is coming under increased regulatory scrutiny. Organizations must demonstrate that products are fit for purpose and have met all quality and compliance attributes. When deviations occur, the organization must identify it, understand the impact, conduct a suitable investigation, and determine an appropriate corrective action to address the root cause.  Electronic quality management systems developed for the GxP-regulated industries can assist in these steps.

To achieve a successful and positive audit outcome, an organization must demonstrate that its people, work processes, and technology systems are robust enough to identify and rectify deviations to stay compliant. All data inputs must be traceable, and it must be possible to demonstrate the overall data set has retained its validity and integrity.

Once each piece of information needed to show regulatory compliance has been created and stored, the risk of the data becoming corrupted through an innocent miscalculation, negligence, or malice must be managed. This must be done through security measures (physical and logical security to restrict access and keep full records of those that do access the data) and full audit trails of any changes made to the data at any point during its lifecycle, including the transfer to and from any long- term archiving facilities.

A structured approachPharmTech: How would an organization approach structured risk assessment decisions?

Stevens: A structured risk assessment approach allows a company to make the distinction between usability and essential performance in a consistent way and enables it to document the decision.

One method we like to use is to assign a severity rating based on the potential impact on patient safety and product quality, and a detectability rating based on how easy an issue would be identified. Obviously, the risk associated with an issue that would be easy to identify is much lower than the risk associated with one that may go undetected for weeks or months; requirements with the highest severity and lowest detectability ratings are the ones that need the most attention. Both of these ratings can be combined to provide an overall numerical risk rating, which can be used to generate a prioritized list of risk-limiting -requirements.

Article DetailsPharmaceutical Technology
Vol. 39, No. 8
Page: 50–51
Citation:
When referring to this article, please cite it as “Limiting Risk in Bio/Pharmaceutical Development,” Pharmaceutical Technology 39 (8) 2015.