Understanding the Consequences of Risk-Based Regulation

The FDA has taken the first steps toward implementing a new method of delivering and managing compliance — a risk-based approach.

As the FDA embraces a new method for managing compliance, FDA-regulated manufacturers can gain insight by examining the experiences of the nuclear power industry

‘The move toward risk-informed regulation in FDA-regulated sectors is likely to mean challenging conventional wisdom.’

By Jonathan Coburn and Greg Weddle
Just the Facts About Regulation • The FDA is starting to implement a new risk-based approach for delivering and managing compliance. • The regulated community is grappling with what this risk-based approach might mean and what implications might result. • The precedent set by the nuclear power industry, where industry and regulators faced similar questions, shows what consequences to prepare for when adopting risk-based regulation. • By understanding these consequences, FDA-regulated manufacturers can make faster and more direct progress.
The FDA has taken the first steps toward implementing a new method of delivering and managing compliance — a risk-based approach. These actions have been done in part to respond to the industry, which is dealing with increasing costs and the unknown value of existing compliance methods. Members of the regulated community are now asking, “What exactly does this mean for compliance? And, what are the broader implications for the industry?”

While the answer to the first question is still elusive, the question of broader implications can be answered by considering the precedent provided by the commercial nuclear power industry, where industry and regulators faced similar fundamental questions in developing a risk-based approach. These were: • How will risk-based regulation be seen from outside the industry? • Will risk-based regulation replace existing regulations or create a second regulatory layer? • What is the risk threshold to be “safe enough”? The nuclear industry’s experience in dealing with such questions revealed seven consequences involved in the transition to risk-based regulation. These consequences are based on the principles behind public safety regulation itself, relevant to all FDA-regulated industries. Let’s review each below.
The accident at Three Mile Island overturned basic assumptions about what drives risk in a nuclear power plant.
1. Risk becomes explicit. Agencies such as the FDA and the Nuclear Regulatory Commission (NRC) exist to protect the public against adverse effects from activities that are beneficial but entail risk. The existence of risk is acknowledged but not treated in any systematic way under deterministic rules. Risk sources are not specifically identified, and links between risk sources and risk control measures are not clearly delineated. Plus, there is no provision for different levels of risk. Under risk-based rules, all these things are explicitly considered, possibly giving the impression that they are new or had been overlooked. This may produce a “credibility trap” for both the industry and regulator. Quite simply, the industry is forced to undergo a paradigm shift from “safe/unsafe” to “safe enough” and confront all the implications (regulatory, business, legal) that accompany it. 2. Regulations will be risk-informed, not strictly risk-based.An everyday analogy illustrates the different regulatory approaches. Picture a motorist approaching an intersection. In a deterministic scheme, authorities place a red light at the corner, and the driver must stop, no matter what. In a risk-based scheme, there is no light. The driver continues through the intersection if conditions look safe or stops if the risk warrants it. In a risk-informed scheme, the authorities, recognizing the intersection as risky, install a flashing yellow light and require drivers to slow down and check traffic. The driver gets to consider actual risk but also has to follow rules. In other words, a risk-informed component complements the deterministic regulations. This is an approach with which regulators — by nature conservative — can feel comfortable. 3. Quantification, consistency and adequacy are important.To avoid the potential credibility trap inherent to the transition, a regulatory agency needs a well-considered, defensible scientific approach to risk-informed regulation and a strategy to communicate it consistently and effectively. A regulatory structure built upon qualitative, subjective and non-reproducible risk assessment techniques (for example, the popular “get people in a room and vote” approach) only reinforces the credibility trap. Risk assessments become credible and defensible only by basing regulations on quantifiable results, scientific methodological standards, data adequacy requirements, testing and peer review. 4. Unforeseen risk drivers emerge.The accident at Three Mile Island overturned basic assumptions about what drives risk in a nuclear power plant. Similarly, the move toward risk-informed regulation in FDA-regulated sectors is likely to mean challenging conventional wisdom about where risk exists. The highest risk can often be found in components traditionally viewed as non-critical. It is likely that scientific risk analysis will reveal risks that have been either underemphasized or not considered under the deterministic structure. Some of these methods and performance models will take time to develop. However, today the industry can benefit from implementing more disciplined qualitative analysis. 5. Address absolute and relative risk.Once risk can be quantified through a robust risk analysis process, a next logical step would be to take an absolute risk threshold approach, setting a quantitative threshold that represents an acceptable level of risk. Quantitative risk analysis also can be used to assess the incremental risk impacts of changes in manufacturing operations — a relative risk approach. In the end, the nuclear industry adopted an explicit incremental approach reinforced by an understood, but never codified, implicit absolute risk threshold. This will be fundamental to the final risk-based regulatory approach adopted by the FDA. 6. Expect evolution, not revolution.Risk-informed regulation will not take shape overnight; the transition to risk-based regulation in the nuclear industry evolved over 30 years. In some ways, FDA-regulated industries face a bigger challenge than the nuclear industry did. While there are only 103 nuclear power plants in the U.S. and only two basic reactor designs, there are thousands of chemical and pharmaceutical plants with many distinct manufacturing processes. Framing a risk-informed structure around all this activity will take time and effort. 7. Establish general principles.The nuclear industry developed a set of principles that apply to the use of risk assessment in regulatory matters. These will be different for FDA-regulated industries yet address similar issues. They include the following: • The role of deterministic regulations in the new regulatory structure • Acceptable changes in risk magnitude • Managing the aggregate risk impact of many minor risk changes General principles comprise the rulebook that both the industry and regulator follow. The rules drive regulatory consistency and provide the industry with the confidence to use risk-based approaches while also helping the regulator manage the credibility gap. The ultimate intent should be to establish an industry-specific set of principles. The sooner this is done, the sooner a stable and workable risk-informed regulatory framework can be established. The experience of the nuclear power industry shows that effective risk-based regulation is an achievable long-term goal. By knowing what consequences to expect, FDA-regulated manufacturers can make faster and more direct progress and reduce uncertainty over what risk-based regulation will bring.

Jonathan Coburn is business development director of life sciences and Greg Weddle is global manager of critical environments for Johnson Controls Inc., 507 E. Michigan Street, Box 423, Milwaukee, WI 53201, a global leader in interior experience, building efficiency and power solutions. Additional information is available by visiting www.johnsoncontrols.com or calling 414-524-4129.