Guest Column | September 16, 2025

Why Pharmaceutical And Medical Device Risks Must Be Analyzed By Their Risk Mechanisms

By Mark F. Witcher, Ph.D., biopharma operations subject matter expert


The pharmaceutical and medical device industries are composed of a wide variety of systems, equipment, instruments, procedures, people, and processes that must be designed and operated to have a very high probability of successfully achieving their objectives for safely and effectively treating patients.

Current risk analysis methods focus on the possibility and severity of bad events (hazards, harm, threats, etc.) instead of focusing directly on analyzing and improving the performance of systems and processes that might produce the bad events. Current guideline definitions like “the impact of uncertainty on objectives” and “the combination of probability of occurrence and severity of harm” provide a very incomplete, event-centric view of the industry’s many risks [1,2]. The use of event-based risk analysis methods such as FMEA, HACCP, etc., has resulted in the debilitating and widely acknowledged failure to effectively or efficiently analyze and manage many risks.

As a result, compliance with regulations and industry best practices as stated in regulations, guidance, and guidelines (RGGs) has, over the last few decades, become the dominant method of managing pharmaceutical and medical device risks. But what do RGGs do? They specify how things must be done by the systems and processes that might produce the events that need to be prevented.

The weakness of RGGs is that they are based on past experience for prescribing industrywide, semi-universal solutions for a wide variety of generalized situations and problems. While RGGs provide a reasonable start, the solutions are frequently suboptimal or inadequate because they do not address specific situations or unique risks. Sometimes they provide solutions leading to excessive capital and operating costs that in the long run are not in the patients’ best interests. RGGs also struggle to address novel products and their processes created by revolutionary scientific innovations and new technologies, resulting in an ever-increasing number of RGGs.

The Future Of Risk Analysis

If you extensively review the vast body of risk literature, the current approach is to view and treat risks as events. The recognition of the underlying processes and systems that produce the events is superficial at best. Often described as control systems, protective barriers, or even slices of Swiss cheese, their role is always vaguely treated as secondary to the analysis of the risk’s events. Instead of viewing risks from an event-centric viewpoint, perhaps risk analysis should be defined so the analysis starts and focuses on the processes and systems.

If you search outside of the risk literature, you will find a rich source of articles and books describing how the world really works. How one event leads to other events. How a threat might turn into a harm, or an opportunity might become a benefit. You discover Salmon’s “causal process” that proposes that the world is connected by definable systems and processes [3]. If you keep searching, the causal processes can be described as mechanisms that can be used to explain how one event produces other events [4,5]. With mechanisms comes the opportunity to view risks as a science and engineering discipline with the associated goal of achieving the universal aims of a science: explanation, prediction, and control.

If you continue to research the literature on mechanistic explanation, you will find that the profound progress made in recent medical advances is the result of seeking, elucidating, and exploiting biological mechanisms to explain, predict, and control biological phenomena to achieve therapeutic treatment of many conditions and diseases [6,7].

The logical extension of the success of using mechanisms in many fields is using the same mechanism-centric approach for analyzing and managing all risks, including the many risks associated with manufacturing and using pharmaceuticals and medical devices.

Risk Mechanisms: What Are They And How Do They Work?

Although risk mechanisms are everywhere, they are the “dark matter” of the risk universe nobody sees. The harm, benefit, threat, and opportunity events are what everyone observes and tries to analyze. But no event occurs spontaneously. Every event is produced by a process, system, or mechanism. All the uncertainty of every event comes from the uncertainty of the mechanism that produces it.

All risks can be modeled as cause–mechanism–effect relationships. The probability of an effect event (consequence or objective) occurring LE is the mathematical product of the probability of the initiating cause event (threat or opportunity) occurring LC and the probability LP of the connecting mechanism propagating the cause to produce the effect. Thus LC * LP = LE is a fundamental relationship for describing a risk.

The mechanisms are the combination of actions and activities of mechanical and electrical components, procedures, and processes, including human contributions, or anything else that explains how input events or situations result in output events. Most current risk analysis methods usually call the mechanism a “control.” While some mechanisms control the occurrence of events, other mechanisms simply have a probability LP of propagating the cause to produce the output effect.

When you start to view risks as potentially bad mechanisms instead of just bad events, risks take on a much more robust meaning. While events have a severity and a likelihood of occurrence, mechanisms have a rich causal structure containing a great deal of information from many sources for estimating LP. The mechanism also can be analyzed in detail to identify failure modes that might adversely impact LP, sometimes significantly, to change the probability of the consequence LE occurring.

Managing Both Threats And Opportunities

The cause–mechanism–effect relationship describes two different types of risk mechanisms that have different objectives. Harm risk mechanisms minimize the occurrence of harmful events while benefit risk mechanisms maximize the probability of achieving beneficial outcomes.

Harm risks are the classic view of risks because they prevent harmful events. Harm risk mechanisms are modeled as a sequence of independent barriers that collectively block the flow of an initial cause event from producing the output harm consequence. A useful example is viewing a medical device as a risk mechanism, where the device must be both designed and operated to minimize the possibility of harm to a patient [8]. Harm risk models can be used to describe the role of risk management plans (RMPs) protecting patients from the uncertainty of new therapies [9]. They also can be used to describe contamination control strategies (CCSs) blocking the flow of contaminants that might lead to contamination of products [10].

However, a more useful type of mechanism also can be identified. Benefit risks describe a sequence of processes or systems that must have a high probability of resulting in a beneficial objective or outcome. Benefit risks are a sequence of dependent mechanisms where the entire sequence or chain must be successful for the beneficial objective to be achieved.

Two excellent examples of benefit risks are supply chains and procedures [11,12]. Both can be modeled as sequences of steps or sub-mechanisms where the success of the overall risk mechanism depends on the success of each element. Supply chains, as well as procedures, are truly chains that are limited by their weakest links.

Another important application of the benefit risk approach is controlling human errors [13,14]. The benefit risk approach builds systems, such as procedures, that support the success of human activities, thus avoiding the counterproductive “blame game” by providing a method of making people part of a highly successful benefit mechanism.

Using the relationship that the probability of success and the probability of failure sum to one, many complex risk mechanism sequences can be effectively modeled as a combination of harm risks (equipment described by failure rates) and benefit risks (procedures and supply chains described by sequences of successful actions).
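The relationships above, LC * LP = LE for a harm risk with independent barriers and for a benefit chain that mixes equipment failure rates with procedure steps, can be worked through numerically. This is an added example, not the author's code; every probability and step name is constructed for illustration, and each link's success probability is assumed to be conditional on the earlier links having succeeded.

```python
from math import prod

def _check(p):
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"probability out of range: {p}")
    return p

def effect_likelihood(l_c, l_p):
    """LE = LC * LP: cause likelihood times mechanism propagation likelihood."""
    return _check(l_c) * _check(l_p)

def harm_lp(block_probs):
    """Harm mechanism: the cause must slip past every independent barrier.
    block_probs holds each barrier's probability of stopping the cause."""
    return prod(1.0 - _check(b) for b in block_probs)

def benefit_lp(success_probs):
    """Benefit mechanism: every link in the chain must succeed."""
    return prod(_check(s) for s in success_probs)

def weakest_link(chain):
    """Name of the link with the lowest success probability."""
    return min(chain, key=chain.get)

def gain_from_fixing(chain, name, new_success):
    """Increase in chain LP if one link is raised to new_success."""
    improved = {**chain, name: new_success}
    return benefit_lp(improved.values()) - benefit_lp(chain.values())

# Constructed numbers, for illustration only.
# Harm risk: a contaminant is present (LC) and must pass three barriers.
L_C = 0.10
BARRIERS = [0.90, 0.95, 0.80]  # probability that each barrier blocks
HARM_LE = effect_likelihood(L_C, harm_lp(BARRIERS))

# Mixed sequence: equipment given as a failure rate is converted with
# success = 1 - failure, then chained with procedure steps.
CHAIN = {
    "pump": 1 - 0.02,
    "operator setup": 0.90,
    "sampling": 0.97,
    "release review": 0.99,
}
CHAIN_LP = benefit_lp(CHAIN.values())

if __name__ == "__main__":
    print(f"harm LE = {HARM_LE:.5f}")
    print(f"chain LP = {CHAIN_LP:.4f}, weakest link = {weakest_link(CHAIN)}")
    for name in CHAIN:
        print(f"  raise {name!r} to 0.999: +{gain_from_fixing(CHAIN, name, 0.999):.4f}")
```

With these numbers, raising the weakest link improves the chain far more than raising any other link by the same target, which is the "limited by their weakest links" point in numeric form.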

Managing The Many Risks Of A Risk Analysis

Consistent with the viewpoint of risks being potentially unsuccessful mechanisms, all risk analyses have three separate mechanisms that need to be understood and managed for an analysis to be successful. The first is the mechanism that produces the consequence of the risk being analyzed. The second is the mechanism of the analysis method (FMEA, HACCP, FTA, LOPA, ReRA, etc.) used to analyze, manage, and communicate the first mechanism.

The third is the analysis team that executes the second mechanism. The success of every analysis relies heavily on the analysis team having the experience and expertise to evaluate and execute the first two mechanisms while objectively identifying, understanding, and controlling their inevitable biases and prejudices.

Summary And Conclusions

All of the industry’s risks are produced by risk mechanisms that describe the industry’s many systems and processes. Thus, risks must be analyzed as relationships between events and mechanisms. The fundamental reason that event-based risk analysis methods are both difficult to use and minimally effective is that a risk’s events are merely the symptoms of an underlying problem with the mechanism that produced them. However, mechanism-based strategies quickly identify and begin analyzing the risk’s systems, processes, and mechanisms and directly evaluate and estimate their performance with respect to the events they may produce.

Switching risk analysis from event-based approaches to a mechanism-centric approach will be required if the industry’s many risks are to be quickly, efficiently, and effectively analyzed, managed, and communicated.

References

  1. ISO 31000:2018 – Risk Management Guidelines – Principles and Guidelines, International Organization for Standardization, 2018.
  2. ICH Q9 (R1) – Quality Risk Management, FDA, May 2023.
  3. Salmon, W., Scientific Explanation and the Causal Structure of the World, Princeton University Press, 1984.
  4. Machamer, P., L. Darden, & C. Craver, “Thinking About Mechanisms”, Philosophy of Science, University Chicago Press, 2000.
  5. Glennan, S., “Rethinking mechanistic explanation”, Philosophy of Science 69.3 (2002).
  6. Bechtel, W., Discovering Cell Mechanisms – The Creation of Modern Cell Biology, Cambridge Studies in Philosophy and Biology, Cambridge University Press, 2006.
  7. Humphreys, P. The Chances of Explanation – Causal Explanation in the Social, Medical, and Physical Sciences, Princeton Legacy Library, 1989.
  8. Witcher, M., A New Approach To ISO 14971 For Better Medical Device Risk Analysis, Med Device Online, October 23, 2024. https://www.meddeviceonline.com/doc/a-new-approach-to-iso-for-better-medical-device-risk-analysis-0001
  9. Witcher, M., Understanding The Impact Of An RMP On Patient Risks Using Relational Risk Analysis, May 5, 2025. https://www.pharmaceuticalonline.com/doc/understanding-the-impact-of-an-rmp-on-patient-risks-using-relational-risk-analysis-0001
  10. Witcher, M., Managing Contamination Risks In The Pharmaceutical And Medical Device Industries Using Relational Risk Analysis, February 18, 2025. https://www.pharmaceuticalonline.com/doc/managing-contamination-risks-in-the-pharmaceutical-and-medical-device-industries-using-relational-risk-analysis-0001
  11. Witcher, M., Using Relational Risk Analysis to Control Procedure Failures in the Bio/Pharma & Medical Device Industry, February 15, 2024. https://www.bioprocessonline.com/doc/using-relational-risk-analysis-to-control-procedure-failures-in-the-bio-pharma-medical-device-industry-0001
  12. Witcher, M. Managing Supply Chain Risks Using Relational Risk Analysis, April 5, 2024. https://www.bioprocessonline.com/doc/managing-supply-chain-risks-using-relational-risk-analysis-0001
  13. Witcher, M., A New Approach for Minimizing Human Errors In Biopharmaceuticals and Medical Devices, February 3, 2025. https://www.meddeviceonline.com/doc/a-new-approach-for-minimizing-human-errors-in-biopharmaceuticals-and-medical-devices-0001
  14. Witcher, M., Controlling Human Errors using Relational Risk Analysis, Pharmaceutical Online, August 4, 2025. https://www.pharmaceuticalonline.com/doc/minimizing-the-impact-of-human-errors-using-relational-risk-analysis-0001

About The Author:

Mark F. Witcher, Ph.D., has over 35 years of experience in biopharmaceuticals. He currently consults with a few select companies. Previously, he worked for several engineering companies on feasibility and conceptual design studies for advanced biopharmaceutical manufacturing facilities. Witcher was an independent consultant in the biopharmaceutical industry for 15 years on operational issues related to: product and process development, strategic business development, clinical and commercial manufacturing, tech transfer, and facility design. He also taught courses on process validation for ISPE. He was previously the SVP of manufacturing operations for Covance Biotechnology Services, where he was responsible for the design, construction, start-up, and operation of their $50-million contract manufacturing facility. Prior to joining Covance, Witcher was VP of manufacturing at Amgen. You can reach him at witchermf@aol.com or on LinkedIn (linkedin.com/in/mark-witcher).