Scientific principles
In ICH Q9, it is stated that the evaluation of risk to quality should be based on scientific knowledge. By this, scientific knowledge concerns what we learn from the scientific process, and this involves assessing, experimenting and collecting data. This means we need to be less focused on presumption or supposition and more driven by data. Of course, interpreting data requires a method – a theoretical framework, an established approach for statistical analysis and so on.
We also need to capture the knowledge that we gain within some form of internal library so that mistakes are not repeated. Where knowledge needs to pass between sites or people, an effective process for knowledge transfer is also important.
Use of knowledge management and quality risk management are enablers for the Pharmaceutical Quality System (PQS). In turn, these enablers provide the means for science- and risk-based decisions related to product quality.
The essential message is that regulators expect to see data used to support the Quality Risk Management process.
Patient safety
When considering risks, everything must always be linked – ultimately – to the risk presented to the patient, with any measures put in place connected to their protection.
Quality risk assessments require a degree of formality
To ensure consistency, a standardised approach should be followed when implanting Quality Risk Management, using established methods and defined templates.
Use of the correct risk tool
As mentioned, there are a variety of risk assessment tools available. In terms of selecting the appropriate tool, the level of effort, formality and documentation of the Quality Risk Management process should be commensurate with the level of risk.
In other words - Do not use the most complex tool where there is no need.
We should also recognise that many of the more commonly used tools can lead us into very reductive thinking strategies far too early in the problem definition phase. Take this quote from Einstein: ‘If I had an hour to solve a problem, I'd spend 55 minutes thinking about the problem and 5 minutes thinking about solutions.’
Einstein knew that problems themselves are full of clues to their own successful solution.
Sometimes where there is too much certainty at the outset, important data or events may be overlooked, or when the scope is too narrow, something important can be inadvertently excluded. This can undermine root cause analysis and therefore the assessment of all hazards that require assessing when undertaking a risk assessment.
Uncertainty exists
Many of the approaches we use for risk assessment, most notably Failure Modes and Effects Analysis (FMEA), use some form of numerical scoring approaches - not all problems lend themselves well to be defined numerically. At other times, we can find that the choice of ‘formal’ tool can attempt to force our deliberations and decisions into a numerical or even binary value, as is required with FMEA.
Sometimes we need to account for uncertainty, whether this relates to events, differences between people, a lack of data and so on. Here ‘fuzzy logic’ can be considered. This stems from the fact that people generally make decisions based on imprecise and non-numerical information. It also recognises there are different experts, opinions and data sets, as well as opportunities for human error.
Fuzziness
There is also a situational issue to consider – something that might present a different risk in one situation compared with another. Fuzzy logic is normally expressed using a scale of 0 to 1, but this is continuous and what might be a given value on one day under one set of conditions might differ on another day.
When considering ‘fuzziness’, the ‘fuzzy’ is not about the outcome being that way - it is in recognition of uncertainty. In science, uncertainty is something that is part and parcel of research and inquiry – we learn something, we go back, we re-test and may come to a different conclusion. At the end of the process there is the process of defuzzification, enabling us to reach a consensus.
This means there are times when we need to deploy fuzzy models to represent this vagueness and concerns about imprecise information (or what is said to be ‘fuzzy’). Sometimes it is appropriate to provide a mathematical means to manage this within the model.
The real advantage of fuzzy logic is that it provides this very valuable flexibility for reasoning by considering the uncertainties of the situation. With fuzzy logic, the outcome of an operation can be expressed as a probability rather than as a certainty. This approach can assist in solving a particular problem by considering all the available data and then taking the suitable or ‘best-available’ decision. In that sense, a fuzzy logic approach is designed to emulate the human way of decision making. This involves considering each of the possibilities that fall between the seemingly absolutes of True and False.
Let’s take an everyday question as an example – ‘Is it cold outside?’ Boolean logic has only two possible answers:
Whereas fuzzy logic can provide answers such as:
- Very cold
- Little cold
- Moderately cold
- Not at all cold
The answers for the fuzzy logic outcomes can be displayed with the help of values between 0 and 1.
Let’s transfer this to a pharmaceutical setting. If I were to ask, ‘is that piece of equipment generating airborne particles?’, what aspects would need to be considered?
- Does the equipment generate particles in all situations?
- Are the particles always of the same concentration?
- Is there a time factor?
- Does the grade of cleanroom influence the particle concentration?
Here the opinions of engineers, production personnel and microbiologists will need to be sought. Each will be approaching the problem from a different starting point and a different consideration of risk. They will also have different data sets and these may be quantitative (e.g. microbial count) or qualitative.
Risk management is a continuous process
Quality Risk Management is a continuous process for the identification, evaluation, prioritisation, control and communication of risks. This means risk assessments may need to be reviewed and revised as other signals from the PQS may indicate ‘change’. For example, information arising from deviations or as part of the impact assessment for change controls.