A Different Approach to GxP Risk Assessments


A Different Approach to GxP Risk Assessments


Starting FMEA’s is easy, doing them properly takes effort and time.

First things first: one must understand that a FMEA is actually a tool to harmonize different approaches towards risk identification and analyzing the identified risks. Additionally, a FMEA harmonizes the language used during this exercise.

Secondly: performing an FMEA properly requires discipline and a high level of sincerity from the team responsible for creating the FMEA. The (senior) management of any organization plays a key role in this aspect. And last but not least, the subject, scope and purpose of the study should be clearly defined. 

Defining the subject, scope and purposes help you in defining the required resources which are attached to a FMEA. A resource which is often forgotten or underestimated; allocating sufficient time to perform the FMEA.

 It is advisable to ensure that the first step of a FMEA study is the assessment of the subject, scope and purpose. You could include this in your FMEA procedure as filling in a separate, formal, document. Make sure you include resources and boundaries.

The reason for establishing boundaries is that there might be different teams performing the assessment and risk mitigation

FMEA – Example

For the purpose of this example we are purchasing a new label printer for our primary packaging system. A URS must be created and assessed. The focus of our study is the computerized system controlling the label printer, more specifically; the possibility of printing incorrect labels.

As I just explained, our first step (step #1) should be to identify the subject, scope and purpose. Preferably in a separate, formal, document. Additional stipulations might be included such as the members that make up the FMEA team and the frequency of meetings 

It is key to have senior management sign off on this document after debating it. This ensures management commitment and ensures that the rationale for the FMEA has been well-defined. QA-managers must be aware that success is measured not only by adherence to regulations but that financial factors also weigh in.

 With this in mind, presenting your “FMEA plan” to senior management, pull out your calculator and clearly define the financial losses for the most major risks. After all, how many hours are lost when incorrect labels are printed? Think of root-cause investigations, deviations reports, liaising with the vendor, hours spent processing documentation, etc. etc.

 All too often I see QA managers present their plan and rationale for performing a FMEA utilizing only regulatory arguments. This weakens your position, especially when presenting to senior management.

 When defining your scope and subject, try to determine on which level you want to risk-assess. Are you defining the risks on a component level or a system level? On the component level, you are defining the risks for individual machines / products. On the system level you are looking at the process itself (e.g. man, machine, method, material, environment, etc.). But other approaches are possible as well, for example, solely assessing microbiological proliferation or endotoxin risk during processing.

 The example I’ve worked out above has a lot of similarities with the “old fashioned” life-cycle approach, where the well-designed process is key to success. A well-designed FMEA-process, like in our example, is equally important to success.

FMEA – Key Considerations

When you start the FMEA (step #2), make sure all parties involved are trained in the FMEA technique. Don’t train (on the job) while working on the FMEA with the team. In general, you should be correcting the contents of the FMEA, not your team members.

Be aware that a FMEA is a detailed study approach. I have seen companies using FMEA techniques for procedural checks, the subject of the study being; “what if we don’t have a procedure?”. That’s way too high level for a FMEA to cover. You should use different techniques for such high-level assessments.

 Another issue I observe quite often is where a process (e.g. an Ultra Filtration) is studied and the failure mode is described as “what if the pH is out of range”. I don’t see an issue with studying the pH being out of range, since it will affect the performance of the UF, but it should be studied deeper: which failure modes will cause the pH out of range.

 The latter is one of the most common mistakes I observe during my audits/inspections and during my consultancy work. The mix-up of cause-and-effect, resulting in stopping too early with studying the process-step.

 So again, to emphasize, it’s key to understand the process (or activity) itself in full. And to understand, in full, the purpose, scope and functioning of an FMEA study itself to avoid wasting people’s time (and subsequently the company’s money) on inefficient studies.


So, to conclude: it’s important to understand the strengths and purposes of FMEA studies as one of your key tools for performing risk-assessments. As with so many things: the start and preparation are key to success. Be aware that a FMEA study is just one approach, you may combine other techniques to make your FMEA more efficient, or you may perform split-studies amongst teams to make it more doable for example.

Key for QA departments is to not only understand the compliance part of a FMEA study as it is of the utmost important to be able to explain the benefits to the business of performing any specific FMEA, preferably with cost examples emphasizing; “what-if we fail”.

Kind regards,

Jaap Koster

About the author


Add Comment