iSpeak Blog

Q&A: Commissioning and Qualification - Quality Unit and System Risk Assessment

Nicholas Haycocks
Steven J. Wisniewski
C&Q Baseline Guide

This blog is the second of four posts addressing questions received during the August 2019 webinar summarizing the introduction of 2nd Edition, ISPE Baseline Guide Vol 5: Commissioning and Qualification. The guide provides a well-defined framework for a lifecycle quality risk management (QRM) commissioning and qualification (C&Q) approach to verification and documentation of fitness for use.

Over the coming weeks, each blog post will cover four key focus areas discussed in the guide. The posts will be followed by a live townhall session, scheduled for Tuesday, 7 July 2020. The townhall will be moderated by the panel of authors with each panelist reviewing and answering your questions on these key areas.

2024 ISPE Annual Meeting & Expo

The four key focus areas covered in this blog series will be:


Quality Unit

The guide describes Good Engineering Practice as a quality system, governed by SOPs that Quality approve; Quality approve the user requirements specifications, System Risk Assessment (SRA) and the Qualification acceptance and release report; Engineering, the suitably trained and experienced experts, are responsible for completing installation and operational verification. But note that the guide also allows the testing that will be used to support qualification to be extracted and put into a separate document that Quality pre-and post-approve as seen in Guide Table 6.1.

Quality Unit FAQ

Quality role identified in the Guide shows Quality is not integrated with C&Q process. I have seen a slowdown of final release of equipment/system when a last minute surprise is found. Note that quality approval of Critical Quality Attributes/Critical Process Parameters reports and C&Q is done by different groups. Could you please comment?

The guide describes Good Engineering Practice as a quality system, governed by SOPs that Quality approve; Quality approve the user requirements specifications, system risk assessment and the Qualification acceptance and release report; Engineering - the suitably trained and experienced experts, are responsible for completing the installation and operational verification - but note that the guide also allows the testing that will be used to support qualification to be extracted and put into a separate document that Quality pre- and post-approve. As seen in Guide Table 6.1.

How does ISPE feel about having an additional approval on qualification protocols from the discipline validation (in addition to QA)?

This is suggested in the guide - As seen in Guide Table 6.1.; Installation Verification/Operation Verification needs to be robust to ensure systems operate reliably, thus the Guide shows the relevant subject matter expert engagement in determining the scope and method to be used for commissioning.

System Risk Assessment

The System Risk Assessment is the application of quality risk management to examine the product quality risk controls for direct impact systems. This assessment identifies the critical design controls (Critical Aspects/Critical Design Elements) and procedural controls that are required to mitigate system risks to an acceptable level. It is important for the project team performing the system risk assessment to include technical SMEs that understand the science behind the process and the risks associated with the critical quality attributes.

System Risk Assessment FAQs

How does this new guide approach alarm classification, assessment and management based on risk / QbD?

One of the deliverables from the Guide system risk assessment process is identification of the critical alarms from a quality perspective - additional processes may be required to define categories for "engineering" alarms.

Is there a scale to rank High medium and low risk systems?

The guide provides definitions for the three risk levels in chapter 4 of the Guide - these are established by the system risk assessment team of subject matter experts considering the severity, occurrence and detection.

How are instruments determined to be critical if the Component Critically Assessment (CCA) is a term that's been retired?

One of the deliverables from the Guide system risk assessment process is identification of the critical alarms from a quality perspective - additional processes may be required to define categories for "engineering" alarms.

Is an example of a System Risk Assessment a PHA?

The system risk assessment is a form of PrHA, it defines the risks (hazards) to system product quality per process step / operational step, the controls - and typically the controls include detection mechanisms.

What replaces the component critically assessment? For example, on a compressed gas system components upstream of a 0.2um header filter can be considered not critical components for calibration and/or maintenance. What are they classified as now?

Component critical assessments are replaced by using the system risk assessment to identify critical aspects and any initial critical design elements. All the critical design elements are available at the completion of the design development process and are documented in the DQ with their acceptance criteria. Critical design elements are the quality risk management determined replacement for component critically assessment.

Note that the system risk assessment does not consider MOC - these are expected to be confirmed following GEP - we don’t do component assessment any more - the system risk assessment defines the risk controls in the design / procedural category - these are verified as part of the qualification using the traceability matrix.

Did you miss the webinar? Members can view Polishing an Old Gem: Commissioning & Qualification Baseline Guide Update webinar. Not a member? Join Today!

Join us next week as we discuss frequently asked questions on the topics of GAMP/IT and Verification (C&Q Execution).