When a potential hazard has been recognized in a GMP environment, several things need be determined to engage proper management, control, and correction. As part of a risk assessment, severity and probability need to be evaluated to establish the risk class. This is the first step of the risk assessment. In the second stage, the risk class is plotted against the possibility of the fault being detected before harm occurs; thus, the risk priority is determined. The following are the two phases of a functional risk assessment to determine risk priority.
The severity of a fault is any impact on patient safety, product quality, or data integrity. Probability is the likelihood of the fault occurring at all. The relationship between the severity and probability is the risk class.
There are numerous faults that can, and do, occur in a GMP environment that can be considered to have a low severity. Cosmetic effects, occasional rejection of good product, and momentary operator intervention required to correct non-critical function are some examples.
Low severity risks are not expected to have long-term effects, with no medical consequences and small damage to the business.
A medium severity risk will be defined as an alarmed, readily recoverable failure of a key system function, non-critical data loss, or failure of a minor specification. A medium severity risk is expected to have a moderate impact. Any damage from the risk would be expected to have short to medium-term detrimental effect. The fault could directly result in moderate injury to the patient or operator and/or could indirectly affect the patient such that delayed or incorrect information could result in moderate injury to the patient. From a business sense, a medium severity risk will cause considerable business or image damage, but will not endanger the company.
A fault that is considered to have a high severity occurs when there is unrecoverable or extended failure of primary system function(s), severe regulatory impact, or critical data loss. The high severity risk is expected to have very significant negative impact. The impact could be expected to have significant long-term effects and potentially catastrophic short-term effects. The hazard directly results in the death or serious injury of the patient or operator or indirectly affects the patient such that delayed or incorrect information could result in the death or serious injury to the patient. Not only does the hazard endanger people, but its presence is contrary to law or regulation and will cause damage to the company with unforeseeable consequences.
The risk can be determined to have a low probability of occurring if:
- It occurs less than once per month.
- Is perceived to be once per ten thousand transactions.
- Not expected to, or will rarely occur during the life of the product/system under normal operating conditions.
- The fault will only occur if several events happen at the same time.
The risk can be determined to have a medium probability of occurring if:
- The incident occurs less than once per week, but more than once per month.
- Frequency of the event occurring is perceived to be once per thousand transactions.
- The event is likely to occur infrequently or several times during the life of the product/system under normal operating conditions.
- The fault couldn’t really be excluded for a long time, even under normal conditions.
The risk can be determined to have a high probability of occurring if:
- The incident occurs once or more per day.
- Frequency of the event occurring is perceived to be once per hundred transactions.
- The fault is likely to occur regularly or many times during the life of the product/system under normal operating conditions.
- Failure will happened at regular intervals.
Using these criteria, a risk matrix can be used to determine the risk class.
After determining the risk class, the risk priority can be determined by comparing the risk class with the detectability of the risk. The detectability can be defined as the likelihood that the fault will be detected prior to any harm occurring. Low detectability can be considered low when it is very difficult or nearly impossible to capture the error. Detectability will be considered medium when some automated error checking processes exist. Furthermore, one-over-one review may be required; it is likely that the error will be captured in review of outputted information. Detectability can be considered high if high level of error checking processes exists, one-over-one review is required, and the missed error will be obvious in review of outputted information.
Once the detectability has been determined, a matrix can be used to determine the risk priority.