The regulatory bodies continue to be vigilant where customers' lives are threatened. This is all the more crucial where the customer has to place absolute trust in the product. In most consumer situations, the customer is normally able to determine whether the product is suitable for use. This is not the case in the medical and pharmaceutical industries where the consumer has no alternative but to place absolute faith in the product. Errors such as product mix ups, or non-sterilisation will go undetected by the consumer. Such a high level of trust places complete reliance upon the manufacturer, a reliance that can only be met through GMP, process and product control and validation.

Validation has been an evolutionary process for most companies in the medical device and pharmaceutical industry. Companies have generally taken a responsible stance in ensuring that the act of validation, and therefore the robustness of their processes and products, is assured. In this process a large number of companies have followed guidelines on testing and qualifying machines and there is no doubt that the process of validation has substantially improved the design, quality and performance in manufacturing machines and processes. Yet in the drive for near zero defects, and the need for absolute control of the process, questions are being raised on the likelihood of the processes operating with undetected faults, but at a frequency so potentially low they will be undetected. Since such faults potentially impact the integrity of the product, they must be addressed, but if they are potentially undetectable in the production process, how can this be achieved.

To address this drive for improved reliability of the process, a growing concept and requirement in the field of machine and process design is redundancy or mistake proofing. In this process, the risks of undetected errors occurring are carefully examined to ensure that systems are modified so that either the mistakes cannot occur, or there is zero risk of them being undetected. However many medical and pharmaceutical companies and their machinery suppliers fail to realise the need or consequences of not embracing mistake proofing and redundancy in their manufacturing processes.

The need for mistake proofing and redundancy in the medical and pharmaceutical industries emerges as a result of two basic factors in industry as a whole.

Statistics and Process Control will not predict aberrations

Sample inspection or statistical controls will not detect spurious machine events or aberrations in the process. A well recognised and perfectly legitimate method of controlling a process or machine is to apply statistical tools to predict the standard deviation of the whole batch. With such tools it is possible to predict to a high probability, from a reasonable sample, whether the entire batch is going to be within the specification. Of course, such statistical tools must be applied with care (the incorrect use of statistical tools in applications where there are multiple variables can be dangerous and should only be approached with absolute care). But, they are an essential and valuable requirement in the field of validation, and a sound mathematical basis for ensuring process stability and capability. Statistical systems assume stable conditions, and the potential aberrations in modern machines are such that statistics will not be able to predict the errors from such events. Further such statistical tools rely upon the sample being representative of the population. Therefore, it is clear that any spurious events or aberrations in the process will not be predicted with the measurement of a supposed representative sample batch unless the sampler was lucky enough to include the fault in one of the sample batches. In validation you cannot rely upon luck.

The second factor that is impacting mistake proofing is the rise in machine complexity. 30 years ago, machines were primarily mechanically driven and most processes were linked from a single drive motor through drive shafts drives, cams and belts. On these machines, if there were any failures, almost all were mechanical in nature. Mechanical failures (in other words breakages) by their nature are unlikely to be spasmodic since the failure would be permanent and the machine could not be run without intervention and repair. Such failures simply did not repair themselves, and the fault would be certain to be detected through normal GMP batch inspections.

Today, with the need for flexibility and controls that allow rapid changeover, machines are designed in a much more complex manner. Instead of the central drive system with cams and pulleys, machines now have servo motors, pneumatic systems and other devices that are linked through computer systems to provide the synchronisation necessary to make each element of the machine work in harmony. Such machines have the essential benefits of greater flexibility (since almost all changeovers are electronic), higher speed, lower maintenance and better reliability overall. They have the added benefit of improved GMP since there is a significant reduction of lubrication (as there is no central drive system), and fewer wear parts. This flexibility and speed inherent in modern machines essentially relies upon the control system ensuring all independent elements are acting in concert. The coordinating element in such machines is typically a PLC (Programmable Logic Controller). Properly applied, the PLC controls and ensures commands are given to each element in the correct sequence and at the correct time.

If the PLC fails to detect the correct performance of any element for which it has sent a command and the fault remains in place, then using GMP and the normal sample inspection systems, there is little risk that the fault will go undetected. Normal batch quarantine prior to sample inspection and subsequent release will detect the fault and eliminate the risk of releasing that product to the market.

Transient faults or aberrations in modern machinery

All machine manufacturers try to build reliable machines. But there is no such thing as perfection. It is possible with new systems for machine faults to be transient (in other words the fault is only present for a small number of machine cycles) and, in effect correct themselves. There is little chance that such transient faults will be detected and eliminated from the batch to be released to market.

The application of redundancy

There are excellent examples in general industry where mistake proofing is introduced as a regular feature where lives are threatened. The general industry cases include dual break circuitry on cars, dual control systems on aircraft, and perhaps the simplest case of all is a back-up parachute. There has long been a need for dual circuits in machine safety systems where there is potential risk to life or of amputation. An acceptance prevails that no matter how careful the design, quality and assembly procedures, and ensuring the system is fit for purpose, errors still occur. Where lives are directly at risk, redundancy or mistake proofing becomes mandatory. Since errors in the medical and pharmaceutical industries threaten lives, redundancy and mistake proofing methods are becoming equally relevant.

For many years, Doyen have recognised this risk and have developed a well proven system of determining risks of aberrations or transient errors. The following flowchart shows the system used by Doyen. The first requirement is that validation is specified as a primary requirement. In this way the machine or process is designed to be validated, rather than validation being applied as an afterthought. This simple stipulation immediately improves the robustness and repeatability of the machine. The second step is to remove weaknesses in design that lead to transient faults or aberrations.

It is Doyen's view that process design for the medical and pharmaceutical industries must include mistake proofing and elimination of potential faults, and it is a policy that has been adopted by Doyen for more than 10 years. The process used to identify faults is one of failure mode effect analysis (FMEA) or risk analysis. The process involves the minute analysis of each machine element and the consequences of failure. If failure is possible and will give rise to an undetected faulty product, then either the machine is re-designed or redundancy is added to ensure independent monitoring system check the correct machine operation each cycle. Such elements are termed "system defect". These elements do not contribute to the overall machine performance, but are solely put in place to ensure what is expected to happen actually happens in every case.

In considering mistake proofing the objective should first be to make it impossible for the error to occur. If this cannot be achieved, then it is necessary to ensure the error does not go undetected. In most cases, in the event that the error is detected, the only sure method is to stop the machine and display a message for the reason for the stop. Such a stop normally requires purging of the machine and careful control of the products within the system.

Under the Doyen system, any single event that is likely to lead to an undetected reduction in product integrity is therefore designed out. Single event possibilities are monitored by independent systems such that two independent errors have to occur in a way that produces a plausible result before undetected errors can occur. If this concept is applied with positive failsafe philosophy, the chances of two such failures arising in this manner are as close to impossible as can realistically be achieved.

Mistake proofing and FMEA analysis is also applied to software. Such analysis dictates the use of "positive failsafe" philosophy throughout the software design - especially on elements such as inspection systems or shift registers that sequence faults through the machine.

A further benefit of the Doyen system is that the areas desirable for an appropriate test are readily identified. Further, maintenance issues that can impact validation are identified as a result of the process, as are standard operating procedures necessary to maintain pack integrity. Part of the Operation Qualification of the machine involves challenging such "system defect" devices. Each element that has been designated as a risk is artificially induced with an error and the correct machine response observed. Under all circumstances the machine or process is expected to detect the fault and either stop the process immediately, or reject the offending product. These tests are an essential part of the validation process and should always be performed to demonstrate that mistake proofing methods, designed to detect or prevent such errors, are in fact working. It is Doyen's experience that, if mistake proofing methods are used, then a significant proportion of the validation testing procedures are directed to ensuring the redundancy systems are working.

The process of determining whether a machine is likely to fail in this way is called mistake proofing or positive failsafe. The act of designing out the mistake is termed redundancy. The process advocated by Doyen to identify whether transient mistakes can lead to a reduction in product integrity is termed risk analysis or FMEA (Failure Mode Effect Analysis).

In endeavouring to determine whether or not mistakes can be made it is best to assume that if it can happen it probably will. The following elements are simple examples of components included in most machines. Just reflect on your existing processes and machines. Could this happen to you?

Pneumatics

Pneumatics are widely used and are often critical to the integrity of the pack or process. This especially applies in the case of sealing machines. Yet, pneumatics are prone to wear and can often work intermittently. It is possible for solenoid valves to stick for one cycle or for a cylinder to spasmodically fail to reach its desired position. The result could be a single faulty pack, or a single missed reject. If such events occur infrequently, they are most likely to go undetected, and then even an ostensibly validated process will fail. The risk can be designed out by ensuring that the correct position of the pneumatic components are independently monitored and this information is sent back to the control system. Such a system will require the failure of both components (the primary device and the secondary sensing device) before product integrity is impacted. In designing such a system the secondary element must be positive failsafe. The controlling system should monitor the status of the secondary element such that this, in itself, cannot be over ridden. The validation test should challenge both the operation of the secondary element, and its positive failsafe nature.

Servo Motors

Servo motors operate by receiving instructions from a motion controller to move to a pre- determined position. The controller observes the motor's position from a feedback, usually in the form of pulses from an independent motion detector known as a resolver or shaft encoder. Information is constantly updated so that the controller always knows the position of the motor and sends constant commands for it to move to the correct position at the correct time. However, if not robustly designed and the return signals suffer partial failures, the servo will move to the wrong position. Depending upon the nature of the design of the machine, it is possible for such a fault to rectify itself during the next machine cycle, leaving just one potentially faulty product. This potential element can be addressed by either the choice of an inherently failsafe servo motor and control system, or by adding secondary monitoring systems to separately detect the correct position of the unit every cycle. Again, the testing procedure should challenge the robustness of such systems under the fault conditions that have been identified in the risk analysis.

Temperature Controllers

Most temperature control systems are considered to be robust. It is only when risk analysis or FMEA is applied that the scope for potential errors is realised. A machine not being able to operate unless it is within its operating range is an obvious feature, and again machines should be thoroughly tested to ensure this cannot happen. In the case of single heating systems with multiple heater cartridges, there is a risk that a single element can fail without being detected. Ensuring that all heaters are connected in series, such that if one heater fails, all will fail, can eliminate this. Alternatively current monitoring devices for each cartridge can be used.

Mistake proofing methods and redundancy in design are becoming essential features of the validated environment. Properly applied and embraced, they will further increase the reliability of machines and the quality of the products emerging from the medical device and pharmaceutical industries. More importantly they will help focus validation on machine enhancement and reliability and reduce the dependence upon operator intervention and vigilance in ensuring desired quality levels are achieved. They are the only way of eliminating the transient fault and aberration in performance that has arisen from the complexity of modern machine design.