Title: Quality Risk Management (QRM) Application to Identify Deviations vs. Events | |||||
Guidance Number: 83 | |||||
Prepared by: | Date: | Supersedes: | |||
Checked by: | Date: | Date Issued: | |||
Approved by: | Date: | Review Date: |
Quality Risk Management (QRM) Application to Identify Deviations vs. Events
Introduction
Often times, deviations that occur during the handling, manufacturing, testing or distribution of materials/products have little or no impact on product quality or to its registration filing. The purpose of this guidance is to provide a process for assessing if a deviation does or does not impact the product quality or its filing through the use of a Quality Risk management (QRM) tool.
A deviation with no impact to product quality or to regulatory filings is classified as an event and thus does not require to be investigated while those that impact product quality or regulatory filings are classified as deviations.
Accordingly, the following definitions for Events and Deviations apply:
Deviation – A departure from approved procedures, formulas, specifications, or parameters that has an impact or potential impact to product quality, GMP regulated systems, or regulatory filings. These are typically documented in a Quality Assurance Report (QAR).
Event – A departure from approved procedures, formulas, standards, or parameters that has been determined to have no potential impact to product quality, GMP regulated systems, or regulatory filings. These are typically documented in a Notice of Events (NOE).
This document provides guidance on two approaches to assess the risks associated with identifying deviations vs. events.
The first approach is the generic systems assessment approach where the site completes a risk assessment of the most common types of issues and determines in advance which are deviations and which are events. The second approach is the individual assessment approach where the site completes a questionnaire for each issue to determine if it is a deviation or an event.
Through application of a simple tool coupled with requisite background knowledge, it is expected that this assessment will serve as a model to a GMP site to standardize the evaluation of deviations vs. events. With either approach, a few basic questions will need to be answered to gather enough information to determine whether the issue is an event or a deviation.
Approaches to assessing risk
Approach 1
System assessment approach
The following factors should be evaluated through a series of risk questions:
- Regulatory requirements and cGMPs
- Direct impact system
- Direct product quality impact
- Risk to patient
The quality risk management approach as applied to the identification of deviations vs. events
illustrated in this guidance not only identifies the different risk factors to consider when performing the evaluation but also demonstrates a simple tool (depicted in tabular format) for determining how to group potential risks into low, moderate, or high categories. For the purpose of this evaluation, two risk factors, probability and severity, will be examined for each perceived risk associated with the defined risk scenario.
Recommendations and Rationale
Risk Question
In this case the criticality of an issue drives the creation of the risk question. Our risk question becomes, “what are the potential risks associated with identifying an issue as a deviation which requires investigation vs. event which requires notification only”?
Risk Assessment Tool
Given the nature of the data to be used for the assessment, the Risk Ranking and Filtering method has been selected to aid in the assessment of risks associated with categorizing the issues. Risk Ranking and Filtering (RRF) focuses on two separate risk factors, probability and severity, associated with each potential risk relevant to an issue.
Risk Assessment
Identification, analysis, and evaluation of potential risks. The potential risks associated with the identification of deviations vs. events were derived through completion of a brainstorming exercise and are listed below:
Regulatory expectations– the formalized requirements pertaining to investigations should be reviewed and understood to determine the potential risk of non-compliance. Risks may vary from one market to another, it is suggested that the expectations for the most stringent market served be used for the assessment of a minor regulatory deviation when multiple markets are involved. Note that repeat deviations, albeit minor in nature, may require a variation to be submitted as recommended by EMEA position paper on QP discretion.
cGMP expectations – the unwritten expectations that are generally accepted as “standard practice” should be considered. Many times these expectations are verbally expressed by regulatory inspectors during facility inspections. As with Regulatory expectations the assessment should be based on the most restrictive GMP expectations.
Direct impact system – it is expected that the site has performed and documented an assessment of all systems. The impact classification is utilized in this assessment.
Direct product quality impact – this encompasses all factors that could have a direct impact on product quality such as out of specification result, stability failures, foreign matter, etc.
Risk to patient – this encompasses all factors that could be harmful to the patient such as cross contamination of product, mislabeling, etc
For each of the above stated risks related to the identification of deviations vs. events the individual risk factors or components must be assessed. As identified previously, each potential risk has an associated probability and a severity. The probability represents the likelihood of the risk being realized while the severity is a measure of how much impact it would have if it did occur.
Each risk component is assigned a ranking based on a defined scale for the issue. The probabilities and severities are ranked using separate scales due to their different characteristics. The suggested scales for use in assessing the performance testing scenario are shown in Table I. All rankings are equated to numbers to allow for greater objectivity in the final assessment. It is important to have an understanding of the cut-off between acceptable and unacceptable risk levels and is dependent on the product under consideration, the markets, served, etc.
Once the individual risk factors have been ranked, the Total Risk Score is calculated using the values assigned for probability and severity. The Total Risk Score is calculated as shown below.
Probability x Severity = Risk Score
Risk Acceptance
After the Total Risk Score has been calculated for each individual potential risk it must be assessed against an evaluation matrix to determine the acceptability of the existing risk or, conversely, identify the need for reduction of the risk through implementation of controls, where possible. The evaluation matrix is to be devised based on a site’s willingness to accept different levels of risk.
Table II and the related Interpretation section represent an example evaluation matrix.
Increasing Probability | 5 | 5 | 15 | 25 |
3 | 3 | 9 | 15 | |
1 | 1 | 3 | 5 | |
1 | 3 | 5 | ||
Increasing Outcome Severity |
Interpretation:
- Score 1-3 are low risk (Yellow)
- Score 5-9 are moderate risk (Orange)
- Score 15-25 are high risk (Red)
Risk ranking results and reporting of events
Low risk events only require notification (event). Moderate risk events could require notification or investigation (event or deviation). High risk events require investigation (deviation).
Risk Control
For those moderate risks that are deemed to exceed the site’s risk acceptance threshold, mitigation must be implemented in order to categorize the risk type as an event. This should be accomplished through discussion of the issue with stakeholders and technical experts to establish the appropriate mitigation strategy. The Risk Assessment process should be repeated on the residual risk after completion of corrective actions. Alternately, all moderate risks events can be categorized as deviations and investigated.
Risk Review
The risk assessment document should be routed for approval to all impacted system owners and the Site Quality Team. The documentation package should contain all documented aspects of the Quality Risk Management process. Implementation of the notification system cannot proceed until all approvals are obtained. The risk assessment process should be repeated any time a change is introduced that impacts the practice, e.g. change in regulations related to investigations, change in direct impact assessment, etc. Example of a site risk assessment for a Systems Assessment Approach:
Approach 2
Individual risk assessment approach
Depending on the individual site preference, the system could be designed in a manner that assesses each issue to determine the criticality.
Risk Assessment
This can be achieved by creating a list of questions to be answered for each issue. The questions should be formulated using the same areas that the System Assessment described above used, i.e. regulatory expectations, cGMP expectations, system impact, product quality impact, risk to patient
- This encompasses all factors that could affect the safety, purity, or identity of the product.
Risk Control and Review
It is important to word the questions in a way that will allow Yes or No answers and only situations where all answers are ‘No’ are classified as events. If any of the answers is ‘Yes’, the event is classified as a deviation and an investigation is required. Examples of risk assessment questions under each of the headings listed above follow:
Regulatory: Is the event outside the registered parameters?
cGMP expectations: Does the event impact a critical process parameter or yield of a critical process step?
System impact: Is the system where the issue occurred a direct impact system? (see Site Impact Assessment to determine the system impact)
Product quality: Was there an error in manufacturing that could have a direct impact on product quality; e.g. wrong material charge, a critical manufacturing step not completed or completed incorrectly?
Risk to patient: Has any foreign matter been introduced to the batch?
Risk Review:
Once the assessment has been completed and the criticality determined, the appropriate action can be taken i.e. notification in case of events and investigation in case of deviations.
Although classified as events, recurring minor issues should be discussed at the Quality Team Meetings. As indicated earlier, recurring regulatory deviations, even minor in nature, may require submission of a variation.