|

Risk Assessment for CPP and CQA Identification

1. Purpose and Scope

Risk assessment is used to identify and prioritize process parameters and product attributes that impact product quality. It provides a structured, science-based method to distinguish between critical and non-critical elements and to justify the level of control applied.

This article defines how risk assessment is applied to:

  • identify Critical Quality Attributes (CQAs)
  • identify Critical Process Parameters (CPPs)
  • evaluate parameter impact and uncertainty
  • support DOE planning and control strategy development

The approach aligns with expectations from FDA and principles described in ICH Q9.

2. Role within Process Validation Lifecycle

Risk assessment is performed early and updated throughout the lifecycle. Within the lifecycle:

  • product and process knowledge define potential risks
  • risk assessment identifies attributes and parameters of concern
  • DOE and studies confirm or refine criticality
  • control strategy is based on assessed and verified risk
  • continued process verification reassesses risk over time

Risk assessment bridges development knowledge and validation execution.

3. Identification of Critical Quality Attributes (CQAs)

CQAs are physical, chemical, biological, or microbiological properties that must be controlled to ensure product quality. Identification is based on:

  • product intended use
  • clinical or therapeutic relevance
  • regulatory expectations
  • prior knowledge and development data

Typical CQAs include:

  • assay or potency
  • purity and impurity levels
  • sterility or bioburden
  • moisture content
  • physical characteristics

A CQA is defined by its impact on safety, efficacy, or quality.

4. Identification of Process Parameters

Process parameters are variables that can influence CQAs. Examples include:

  • temperature
  • time
  • pH
  • mixing speed
  • material attributes

Not all parameters are critical. Risk assessment determines which require further evaluation.

5. Risk Assessment Methodology

Risk assessment follows a structured approach consistent with ICH Q9.

5.1 Risk Identification

Identify potential relationships between process parameters and CQAs. This is based on:

  • prior knowledge
  • scientific rationale
  • process understanding
  • subject matter expertise

5.2 Risk Analysis

Evaluate the level of risk using defined criteria. Common factors:

  • Severity — impact on product quality if failure occurs
  • Occurrence — likelihood of parameter variability
  • Detectability — ability to detect failure before release

Tools may include:

  • Failure Modes and Effects Analysis (FMEA)
  • risk ranking and filtering
  • cause–effect matrices

5.3 Risk Evaluation

Combine risk factors to prioritize parameters. Outcomes:

  • high-risk parameters → candidate CPPs
  • medium-risk parameters → require further study
  • low-risk parameters → non-critical

Risk ranking must be justified and documented.

6. Link between CQAs and CPPs

Risk assessment establishes the relationship between CQAs and process parameters. The relationship between CQAs and process parameters is evaluated using a structured risk assessment matrix based on severity, occurrence, and detectability.

Process ParameterCQA Impact (Severity)OccurrenceDetectabilityRisk ScoreClassification
TemperatureHighMediumMediumHighCPP
Mixing SpeedMediumMediumMediumMediumKPP
pHHighLowMediumHighCPP
TimeLowLowHighLowNon-Critical


Risk Score is derived from the combination of Severity, Occurrence, and Detectability using a predefined scoring methodology.

A parameter becomes a CPP when:

  • it has potential to impact a CQA
  • variability in the parameter can lead to unacceptable quality
  • risk is supported by scientific rationale

This relationship is preliminary and must be confirmed through DOE or experimental studies.

7. Use of Risk Assessment in DOE Planning

Risk assessment defines:

  • which parameters to include in DOE
  • parameter ranges to be evaluated
  • expected interactions
  • focus of experimentation

This ensures DOE is targeted and efficient rather than exploratory without direction.

8. Risk-Based Classification of Parameters

Parameters are classified based on risk:

  • Critical Process Parameters (CPPs)
    Parameters with demonstrated impact on CQAs requiring control
  • Key Process Parameters (KPPs)
    Parameters with potential impact but lower risk or wider acceptable range
  • Non-Critical Parameters
    Parameters with no meaningful impact on CQAs within studied ranges

Classification is refined as more data becomes available.

9. Documentation and Traceability

Risk assessment must be documented and traceable. Requirements include:

  • clear linkage between CQAs and parameters
  • defined scoring criteria
  • justification of risk ranking
  • documented assumptions
  • linkage to DOE and control strategy

Traceability ensures that decisions are reproducible and defensible.

10. Acceptance Criteria

Risk assessment is acceptable when:

  • methodology is defined and justified
  • CQAs are clearly identified
  • parameter–CQA relationships are documented
  • risk ranking is consistent and justified
  • outputs support DOE and control strategy

11. Limitations

Risk assessment:

  • is initially based on assumptions and prior knowledge
  • may not capture all interactions
  • requires periodic update as new data becomes available

Incorrect assumptions can lead to misclassification of parameters.

12. Integration with Control Strategy

Risk assessment defines the foundation for control strategy. The progression from risk assessment through experimental confirmation to control strategy is illustrated below.

Flow diagram showing risk identification, analysis, and evaluation leading to CPP identification, DOE confirmation, and final control strategy definition.

It determines:

  • which parameters require control
  • level of monitoring required
  • need for alarms and interventions
  • focus of continued verification

Risk-based control ensures resources are applied where impact is highest.

13. Lifecycle Approach

Risk assessment is not a one-time activity. It must be:

  • updated after DOE and validation studies
  • refined based on manufacturing data
  • reviewed during periodic assessment

This supports continuous process understanding and control.

14. Summary

Risk assessment provides a structured method to:

  • identify CQAs
  • prioritize process parameters
  • define candidate CPPs
  • guide experimental design
  • support control strategy

It ensures that validation activities are focused, justified, and aligned with product quality risk.