• Sana A.

ISO 14971 - Process Risk Assessments (Part 2)

Updated: Apr 21, 2020

Editor's Note: This is part 2 of a 7-part series on Process Risk Assessments.

Last week we defined a common structure and terms for process risk assessments. This was the first article in a series intended to rationalize and standardize the risk assessment discussion to communicate strategies that provide consistency, objectivity, and risk understanding. Over the next few weeks, we’ll be sharing strategies and approaches that explain how to manage these situations.

While there is no single, all-encompassing definition of risk in the biopharma industry (or any other industry for that matter), we put forth definitions designed to work across the industry. Now that we have our terms defined, we will explore how these definitions intersect with ISO 14971. Even though this standard is designed for medical devices, a number of the definitions we just reviewed are found in this standard and are applied to other sectors such as the pharmaceutical/biotech industry via the guidance provided in ICH Q9.

This post covers how to use the concepts of ISO 14971 to create a generalized framework for risk management that works across pharma and is compatible with (and leverages the best parts from) medical devices.

Let’s review!

The ISO 14971 Standard

In 2000, the first edition of ISO 14971 was released as the international standard for risk management of medical devices. In 2007, the second edition of ISO 14971 was released and there have been subsequent branches and revisions since then. Even though this standard is designed for medical devices, a number of the same concepts described in the previous section are found in this standard and are applied to other sectors such as the pharmaceutical/biotech industry (ICH Q9). A brief summary of the ISO 14971 standard is described here along with some additional clarifications necessary to appreciate the nuances of risk assessment. The diagram below provides a flowchart depiction of risk analysis. There is a hazard that leads to a hazardous situation which can then lead to harm. The harm has an estimated severity which is combined with the probability of the occurrence of harm to provide an estimate of the risk. That is, R = S * P.

In the discussion of probability/occurrence/frequency in the last section, we noted that this concept needed a little further explanation. As you can see from the diagram above, the probability of occurrence of harm is actually the product of two probabilities - P = P1 * P2.

P1 = Probability of the hazardous situation occurring (e.g. probability of having a gas leak)
P2 = Probability of hazardous situation leading to harm (e.g. probability of gas leak causing an explosion)

People often miss that P has these two components. So, if P is given a value indicating moderate probability, does a “Moderate” score mean that there is a moderate chance that the hazardous situation (gas leak) will occur and a moderate chance that it will lead to an explosion? Or does it mean that there is a high chance of the gas leak but a very low chance of an explosion? The distinction is important because it will certainly guide where you focus your mitigation efforts and associated control strategies. In some cases, a conservative approach is taken where it is assumed that the hazardous situation will lead to harm (P2 = 1). In this case, P = P1.
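The following added example (not part of the original article) computes R = S * P with P split into P1 and P2, and shows three records that all land in the same "Moderate" band with the same R but point to different mitigation targets. The 1-5 severity scale, the band thresholds, the sample values and the "larger factor" heuristic are assumptions made for illustration; they are not taken from ISO 14971.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Hazard:
    name: str
    severity: int               # S, on a constructed 1-5 scale
    p1: float                   # P1: probability the hazardous situation occurs
    p2: Optional[float] = None  # P2: probability it leads to harm; None = not estimated

def band(p: float) -> str:
    """Constructed qualitative bands (assumption, not from the standard)."""
    if p < 0.01:
        return "Low"
    return "Moderate" if p < 0.1 else "High"

def assess(h: Hazard) -> dict:
    # Conservative approach from the text: if P2 is not estimated, assume P2 = 1, so P = P1.
    p2 = 1.0 if h.p2 is None else h.p2
    for label, value in (("P1", h.p1), ("P2", p2)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{h.name}: {label}={value} is not a probability")
    p = h.p1 * p2  # P = P1 * P2
    if h.p2 is None:
        driver = "P1 (P2 assumed 1)"
    elif h.p1 == p2:
        driver = "P1 and P2"
    else:
        # Illustrative heuristic (assumption): the larger factor leaves the most room to reduce P.
        driver = "P1" if h.p1 > p2 else "P2"
    return {"name": h.name, "P": p, "band": band(p), "R": h.severity * p, "driver": driver}

# Constructed sample data: same severity, same overall P, different P1/P2 split.
SAMPLES = [
    Hazard("leak moderate, ignition moderate", 4, 0.2, 0.2),
    Hazard("leak frequent, ignition rare", 4, 0.8, 0.05),
    Hazard("P2 not estimated", 4, 0.04),
]

if __name__ == "__main__":
    for h in SAMPLES:
        r = assess(h)
        print(f"{r['name']:34} P={r['P']:.3f} {r['band']:9} R={r['R']:.2f} focus={r['driver']}")
```

Recording P1 and P2 separately in the assessment keeps the single "Moderate" label from hiding which of the two probabilities the control strategy should address.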

Putting all of these concepts together, we have created a table that provides three examples of risk assessment for non-pharma, pharma, and general manufacturing processes.

Risk Assessment Examples for Manufacturing Processes

Pretty simple, right?

Now that we have our terms defined and have related them to ISO 14971, next week we’ll explore how these concepts line up with FMEA/FMECA methodologies. Recent presentations and publications by the FDA related to their knowledge-aided assessment & structured applications (KASA) initiative recommend the use of FMEA/FMECA for the risk assessment of pharmaceutical manufacturing processes. Our next post will cover how these two methodologies can be used in conjunction with the concepts we’ve discussed thus far.

This post is part 2 of 7 in a series on practical risk management for pharmaceutical process development. Tune in next week for a discussion on FMEA/FMECA.


CherryCircle Software, Inc.

2101 E. St. Elmo Road 

Building 1, Suite 100

Austin, TX, 78744


© 2017-2021 CherryCircle Software
