What is risk?

Rating: +0

Positive Negative

Risk-based approach is a buzzword. Validation shall be done according to a risk-based approach. This means that instead of validating everything to the same level, one shall first assess the risks, and then validate the high-risk areas thoroughly, the medium-risk areas less thoroughly, and the minimal/no risk areas little, if anything at all. In order to know the risks, one must do a risk-assessment.

Risk Assessment

There are several risk assessment tools, and which is the correct one to use, depends on what you want to achieve. The two most common ones are HAZardous Operations (HAZOP) and Failure Mode Effect and Criticality Analysis (FMECA; see table below). ICH Q9 and ISO 14971 have more information on these.

The assessment covers how big an impact the risk has (normally stated as high/medium/low) and the risk likelihood (high/medium/low). The risk classification is a function of these (see table 12x01 FMECA below). The risk classification is and the probability of detection will give a high/medium/low risk altogether.

From a regulatory point of view the risks to the product / patient in case of pharmaceutical products) are the ones to assess and manage. But also a business point of view can be important for the company. There may be risks for adverse publicity, loyalties, manufacturing/process equipment and personnel.

Risk Management

Once the risks have been identified and classified, we can start mitigating the risks, i.e. managing them. This may mean modification of product/process designs, validate/verify/qualify/test the processes, to mention a few. Sometimes it is even possible to eliminate the risk altogether. When the risks have been mitigated, another risk assessment should be made to show what the risks are now. Also changes in the processes, and even time, may create a need for reassessing risks.

In order to do a risk assessment, one must understand the process that is assessed. First the risks need to be identified and defined. The next step is to manage the risks, i.e. where we decide how to handle them.

Table 12x01: FMECA Risk Classification. (C) Siri H. Segalstad

FMECA Risk Classification