The dynamical development of informatization and automation impacts also life and health care areas. It is reflected in constantly updated and comprehensive law regulations. These regulations result in further obligations and demands aiming at controlling activities influencing human health. The pharmaceutical industry must also abide by these regulations. Today there is more to IT technologies in pharmaceutics than controlling systems or computers. Today computerization in pharmaceutics is a complex set of interdependent elements which include, apart from software and computer equipment, realization of functions and tasks, personnel who carries them out, documentation standards etc.
On account of such a complex structure, wider range of activities, and necessity to achieve detailed results, validation processes may be a real challenge. This is especially true in the case of entities which are obliged by law to report the results they have produced.
After a while it was clear that an approach was needed for the process of computer system validation. The conception was to create a tool which would be a compromise between multiplicity of tasks which have to be taken into account and the real gravity of patient’s life and health. In that way the idea to use the notion of risk was conceived.
The aim of risk management, assessment, and analysis is to verify the part of the system which is going to be subjected to validation. Such a verification should extract all the elements which have a real impact on the quality of the medical products which makes them the potential risk factors. That in turn allows to narrow the range of necessary changes. Focusing attention on all of the vital elements (and the careful analysis of their potential risk) leads to a very precise verification of all the crucial components of the system. The undeniable advantage of this method is the possibility to avoid superficial changes on a general level. Consequently, the validation efforts are channelled to the crucial elements which may be worked on in more detail.
The limit to which risk evaluation and analysis may be applied depends on the complexity of the computer system in a pharmaceutical company. In the subsequent paragraphs of this study the focus will be placed on risk related to the integrated system of company’s business processes. Possible solutions and approaches to risk managing will be presented on the example of daily processes taking place in a pharmaceutical company.
The key elements in integrated system implementation are the requirements of the end users of the system’s functionalities and solutions. The users ideas about system’s support are transformed into blueprints and later on to a prototype. That stage is the best moment to initiate activities concerning risk evaluation and analysis in business processes supported by the system.
Technical solutions used at this stage still remain an open question. Failure Mode & Effect Analysis (FMEA) is a widely employed procedure of identifying and averting failures in products and processes. FMEA sets a hierarchy of failure modes and a plan of their elimination. Due to this hierarchy (based on defined criteria such as detectability, probability of occurrence, failure’s severity) a risk priority number (RPN) is given. The received number allows to determine the areas of greatest concern and the gravity of individual risks. Although the FMEA is widely acknowledged in direct production processes, it may not be the best procedure for evaluation and analysis of risks in business processes supported by integrated systems. FMEA requires a step by step detail analysis of all the process functions and sub-functions for a risk of failure occurrence and subsequent hierarchization. FMEA procedure does not give an answer to the question of what system solutions ought to be applied to minimize or eliminate the identified risk.
A panacea for the above difficulties may be an approach to risk management based on experience gained in pharmaceutics. The approach is based on a checklist which is a list comprising of ten to twenty questions and issues allowing to identify the risk by marking either “applies” or “not applies”. The questions and issues are carefully chosen so that they cover an area in which there is a possibility of risk occurrence. Due to specificity of every company, a predefined list based on experience gained in previous validation projects should be verified so that it complies with conditions and requirements in each pharmaceutical company.
The checklist ought to be applied in two steps. The first step is the evaluation on the level of implemented modules. The appointed employee verifies the range of the entire module implementation and on that basis s/he is able to indicate whether potential risk elements exist or not. This primary verification narrows down the area of activities through excluding for example certain strictly financial modules such as Financial Accounting (FI), Assets Accounting (FI-AA), Controlling (CO) etc. The next step is the identification of business processes supported by the integrated system but only for the modules which were selected as a critical from the GMP point of view. Another risk evaluation is carried out; however, now on the process level for every process taking place in a GMP relevant module. The evaluation of process risk is carried out on the basis of the same defined checklist. There are two possible variants of the evaluation:
· no risk in the evaluated process has been detected which means that all the items on the checklist were marked “not applies.” The process is not crucial for GMP and further validation activities and documentation end at this point.
· a validation risk has been detected which means that at least one item on the checklist was marked “applies.” The process is crucial for the GMP; thus, further validation activities are required.
At this stage the validation process has been restricted only to those business processes which may generate risk and that risk must be minimized. The abovementioned activities, related to creating and applying checklists, are referred to as “Risk Evaluation,” aiming at defining whether a system, a functional module, or a process is prone to risk occurrence. Through that only selected crucial elements remain and those elements will receive full attention in the next stage of risk managing that is “Risk Analysis.”
The risk analysis gives us a set of necessary details concerning risk and means of minimizing it that should be employed. Thus, for every process in which validation risk was detected, there comes a time for a detailed analysis. The analysis means specifying every possible consequence of failures from the GMP angle and determining the risk minimizing activities. The risk minimizing (eliminating) activities are usually divided into 3 categories used as a input data for:
· modification of system’s building conception through verification and alternation of programming, configuration, and authorization setup etc. for a given process
· multiple checking and testing of system’s expected operations
· necessary changes in organization (training courses or controls) and possible procedural change in system-related areas
Below an example of a functional risk occurring in Logistics and Materials Management is described including means to minimize risk.
Business process: “Material delivery for the stored materials”
Function: Opening the control sample
Required result: managing the product series
On the basis of risk evaluation an “applies” answer (the risk occurs) was marked in “Does the process influence the series’ tracking?” and “Does the process involve data that decides about the product’s composition or its processing?” items.
The possible consequence (risk description) of the system’s faulty operation may be, in this example, a direct transfer of the product to an unlimited usage supply instead of a transfer to a quality control supply.
In order to minimize the risk in this given example one should:
· (the concept of system prototype)—adapt the system in such a way that the functionality of series management is possible along with selecting automatically the control sample for a given series of products and its transfer to the quality control supply.
· (test)—multiple testing for different variants and cases, e.g. is the control sample created automatically, is a certain part of the products registered in the quality control supply, are only use-approved products released from the storehouse (it is crucial to include also the negative test results)
· (organizational procedures)—in order to be certain that the risk is eliminated the basic material data should be double-checked
Following the above mentioned procedures one may be certain that all risks connected with implementation of integrated system for managing a company will be identified. The system itself was designed in such a way that it minimizes potential risks. That has been proven by a series of tests. The procedures we present are based on a long-term experience gained during system implementations and validations in Poland and abroad. Moreover, the procedure enables to gain full knowledge of and control over risk in business processes. That makes it accepted by authorized pharmaceutical inspectors.
Positive effects were also achieved by compilation of FMEA with the checklists method and analysis of detected risks. The procedure itself is similar—firstly the risk is evaluated, secondly analysed. However, during risk analysis, apart from conclusions concerning input data for modifications, tests, and system-related procedures, there is also a risk priority number assigned. As a result criteria exists which determine priority of the risk and its minimization. Prioritizing allows for flexibility in risk management and focus on the most crucial risks. Additionally, bearing in mind the complexity of a computerised system, it is easier for the person responsible for failures evaluation to make a test-acceptance decisions. Each of the above methods has its advantages; for the FMEA it is a clear notion of risk’s seriousness, while for the checklist method it is the clarity of risk minimizing procedures.
In conclusion, the methods of validity risk management shown above are merely a suggestion of solutions. However, those suggestions are successfully tested as they resulted in a full control of a system operating on validated terms.
Bartłomej Socha—Senior SAP logistics consultant in SI-Consulting S.A. (Inc.)
Bartłomiej Socha has 8 years of experience in SAP logistics projects. He took part in a key pharmaceutical implementation on the Polish market by playing an active role in system validation projects (not only of SAP system). Mr. Socha obtained a GAMP5 certificate. During his career he contributed to a series of dedicated logistic solutions based on SAP system.