Department | Quality Management | Document no | QMS-135 | ||
Title | Quality Risk Management Techniques | ||||
Prepared by: | Date: | Supersedes: | |||
Checked by: | Date: | Date Issued: | |||
Approved by: | Date: | Review Date: |
Purpose
This SOP defines the approach to Quality Risk Management (QRM) of a GMP site and gives practical examples for tools which may be used to facilitate the process and to aid personnel performing the assessment.
Scope
Applicable to any process at a GMP site which requires a Risk Management approach. The applicability of QRM methodology and the corresponding level of documentation may vary depending on the individual circumstances. Examples of circumstances to which QRM may be applied in conjunction with existing SOPs include but are not limited to:
Identification and evaluation of the potential quality and compliance impact of product and/or process deviations, including the impact across multiple and/or divergent markets.
Evaluation and determination of the scope of internal and external quality assessments such as quality concern investigation systems, complaint handling, out-of-specification investigation, quality control testing etc.
Evaluation of design of facilities, equipment, materials of construction, utilities and Preventative Maintenance (PM) programs.
Determination of the scope and extent of commissioning, qualification and validation activities for facilities, equipment and production processes.
Risk tools for engineering project evaluation and validation projects are not included in this procedure. References to those tools are made in Appendix 6 and 7 of this procedure.
Responsibility
The extent to which QRM is used and documented shall be consistent with the complexity and/or criticality of the issue to be addressed.
Site Quality Review Team has oversight responsibilities for all QRM activities.
Department Heads, Process and System Owners and Project Leaders are responsible for ensuring that risks to quality, compliance and other site functions are considered, understood and managed to an appropriate level within the GMP site.
They must ensure that a suitable Quality Risk Management process is implemented and that appropriate resources with the necessary competence are involved. They must also ensure the involvement of all stakeholders.
Department Heads, Process and System Owners and Project Leaders are responsible for ensuring that there is a process for reviewing and approving documented quality risk assessments and that appropriate records are retained.
QA Associates and Laboratory Supervisors involved in deviation, complaint and OOS investigation should follow the risk tool “Risk Ranking and Filtering – Method 1” as demonstrated in appendix 1 for a quick turn around in decision making.
QA Associate, Production and Engineering supervisors or anyone who is involved in manufacturing and regulatory change management, in-house rework, supplier quality audit and other analysis of manufacturing processes to identify high risk steps should follow “Risk Ranking and Filtering – Method 2” as demonstrated in appendix 2 of this procedure.
The QA Associates and Laboratory Supervisors are responsible to escalate the critical and serious risk events to management and seek advice for closure.
All Quality Risk Assessments relating to compliance issues requires approval by Quality Assurance (QA) Manager.
For development activities, QA may be involved in the approval process and this will be assessed on a case-by-case basis.
Procedure
4.1 Quality Risk Management Process Overview
QRM processes will broadly follow a process model comprising:
Risk Assessment | Risk Control | Communication | Risk Review |
Risk Identification | Risk Reduction | Documentation and Communication of the outcome / result to stakeholders | Review Events |
Risk Analysis | Risk Acceptance | ||
Risk Evaluation |
A Generic Framework of the Quality Risk Management Process can be depicted in the following diagram.
Figure 1: Generic Framework for Quality Risk Management Process
4.2 Initiating Quality Risk Management (QRM) Process
4.2.1 Risks are multi-dimensional and a shared understanding is a prerequisite for the success of any risk management process. The initiation phase of the QRM process involves understanding the risk event by defining and agreeing the context, the scope and the tolerability criteria for the quality risk assessment, together with any underlying assumptions.
4.2.2 Initiation of QRM process should involve all the stakeholders. All the relevant information is assembled and shared, any gaps are identified and analysis tools are selected.
4.2.3 The scope of the quality risk assessment must be clearly defined both in business and technical terms. The scope should clearly establish the boundaries of the process, system, project or activity being assessed and any inherent assumptions that are made. It should consider possible interactions outside the boundary and their potential impacts.
4.2.4 The risk assessment process evaluates the tolerability of the identified risks against some defined criteria to determine whether any mitigating actions are required. A common approach to establishing criteria is to divide risks into five categories:
A very high risk band where adverse risks are intolerable whatever benefits the activity might bring and risk reduction measures are essential, whatever the cost.
A high risk band where the risk would not be generally acceptable unless there were very significant benefits and where reduction measures are expected as the norm.
A medium risk band area where costs and benefits are taken into account and opportunities are balanced against potential adverse consequences.
A low risk band where positive or negative risks are small and where potential benefits can only be justified at minimum cost.
A very low risk band where positive or negative risks are negligible or so small that no risk treatment measures are necessary.
4.2.5 A team comprising individuals with the education, training and experience relevant to the issue or situation under evaluation should undertake the risk assessment process. A subject matter expert (SME) should also be consulted or involved to ensure that best practice is followed.
4.2.6 Each Risk Assessment is reviewed and approved by appropriate department heads and stakeholders. Consideration should be given to consultation of the EHS team. Quality Assurance Manager or a delegate should review and approve all compliance related Risk Assessments.
4.2.7 Risk Register
For traceability purposes, a reference number is assigned to each Risk Assessment by Quality Assurance personnel.
Risk Assessment conducted for deviation, complaint or out of specification investigations do not need a template to follow due to their adherence with the investigation. An entry to Risk Register is also not required.
Risk Assessment conducted for calibration interval; supplier assessment and external supplier audit frequency; engineering and validation projects do not need a reference number. Hence, an entry to Risk Register is also not required.
All initiated Risk Assessments using the tool “Risk Ranking and Filtering – Method 2” are logged into the Risk Register (Form XXX). The hard copy register is located in the “Risk Assessment and Quality Investigation” folder kept in QA office.
The format of the Risk Assessment reference number must be kept as RISK/YY/XXX where, YY refers to the last two digits of the year the assessment will be carried out and XXX refers to the next sequential integers starting from 001.
The person initiating a Risk Assessment must consult QA personnel, take a risk number, enter required details on the Risk Register and select the relevant blank template of the Risk Tool from the location #:\\QA\RISK ASSESSMENTS\Risk Assessment Templates. (Same as described in the appendices of this SOP)
All completed Risk Assessments using Method-2 risk tool are located with the Quality Assurance Team. The hard copy risk assessment with wet signatures are kept in the “Risk Assessment and Quality Investigation” Folder. All scanned and soft copies are saved in the location #:\QA\RISK ASSESSMENTS by year of completion for future reference.
All supplier related Risk Assessments are kept into individual supplier folder.
Completed Risk Assessment for calibration interval, engineering and validation projects are kept into respective department folders.
4.3 Risk Assessment
4.3.1 Risk assessment is the process of identifying the hazards and evaluating the potential consequences of those hazards. It is critically dependent on the people with the right knowledge being involved.
4.3.2 The assessment process must address the following questions:
a. What might go wrong?
b. What is the likelihood (probability) it will go wrong?
c. What are the consequences for product quality?
d. Will the failure be detected? How?
4.3.3 Risk Identification
Risk Identification shall consist of the systematic use of information to answer the question, “What can, or did, go wrong?” Risks to be considered include, but are not limited to:
a. Patient safety
b. Product non-conformance
c. Fitness for use
d. Specification and Product registration and
e. Adulteration (i.e., non-conformance to GMP).
4.3.4 Information used to identify risk can include historical data, theoretical analysis, informed opinions and the concerns of those impacted by the decision.
4.3.5 The risk assessment process must also seek to identify opportunities to improve processes. The decision to accept an opportunity is generally based on an analysis of the costs, benefits and values.
4.3.6 Risk Analysis
During Risk Analysis, the likelihood (probability) that the identified risk will occur or recur shall be estimated. It also can consider the ability to detect that the issues occurred or recurred
4.3.7 Risk Evaluation
Risk Evaluation shall consist of the determination of the consequences (severity) of the issue (risk) to be addressed and compares the identified and analyzed risk against pre-defined acceptance criteria. A Qualitative or Quantitative process can be used to assign the probability and severity of a risk. Risk evaluations must consider the strength of information used to complete the three phases of the risk assessment.
4.3.8 The Completed Risk Assessment shall result in an overall risk value expressed as either:
A quantitative estimate of risk, expressed numerically, such as a probability scale from 0 to 1 (0 percent to 100 percent), or
A qualitative description of a range of risk, using qualitative descriptors, such as “high”, “medium”, or “low”. The qualitative descriptors shall be defined, with as much detail as possible.
4.4 Risk Assessment Tools
There are many tools and techniques that can be used to help identify risk from hazards and assess the risks. No single tool or technique will meet all requirements. Following is a table with a list of Risk Assessment tools used in Site with description and possible areas of application. Adaptation or combination these methods and other statistical tools, may be applicable for specific event or circumstances.
Table 1: Risk management tools and methods applicable to Site quality systems
Risk Tools / Methodology | Descriptions | Area of Application in Site | References |
Risk Ranking and Filtering – Method 1 | A quick method to compare and rank risks, typically involving evaluation of a unique risk event (i.e. deviation / complaint / OOS) by weighting each risk dimension severity, probability and detectability associated with the event. | Examples: Quality concern investigation such as Deviation handling, Product Complaint investigation, Out of Specification investigation. The tool can also be used for any other quality and compliance issues where a risk event is repetitive and a quality decision is urgent. | The method is demonstrated in Appendix 1. This method is designed to apply quickly in repetitive quality events, as such, use of a formal template each time may not be necessary. |
Risk Ranking and Filtering – Method 2 | A descriptive method to compare and rank risks, typically involving evaluation of multiple diverse quantitative and qualitative factors for each risk, weighting factors and risk scores. | Examples: Manufacturing and Regulatory Change Management; Rework management; Establishing external supplier quality audit frequency. The tool can also be used for analyzing a manufacturing process to identify high risk steps / critical parameters. | The method is demonstrated in Appendix 2 and Appendix 5. Entry to risk register for Method 2 is necessary. Use of a formal template is recommended. |
Failure Mode Effect Analysis (FMEA) | Evaluates potential failure modes for processes, and the likely effects on outcomes and/or product performance. Once failure modes are known, risk reduction can be used to eliminate, reduce or control potential failures. Relies upon product or process understanding. Output is a relative ‘risk score” for each failure mode. | Examples: Change of critical instrument Calibration intervals; evaluation of equipment and facilities; quality risk management for supplier; preventive maintenance; process, cleaning and computer validation projects. | The method is demonstrated in Appendix 3, 4. Entry to risk register for is not necessary. Use of a formal template is recommended. |
4.5 Risk Control
The number of tools which may be used to document and assess risk are many and varied and an appropriate tool should be used for the individual circumstances. These tools are described in brief the table below. The formal risk assessment steps and methodologies are described in appropriate Appendices.
4.5.1 Risk control describes the actions taken to deal with the identified quality risks and the acceptance of any residual quality risks. Risk control must address the following questions:
Is the risk acceptable without further action?
What can be done to reduce, control or eliminate risks.
What is the appropriate balance among benefits, risks and resources?
Are new risks introduced as a result of the identified risks being controlled?
4.5.2 Risk Reduction
Risk Reduction focuses on processes for mitigation or avoidance of quality risk when the risk exceeds an acceptable level. Risk reduction includes:
Actions taken to mitigate the severity and probability of risk; or
Processes or methods that improve the ability to detect risk Implementation of risk reduction measures may introduce new risks into the system or increase the significance of other existing risks. Therefore, the risk assessment must be repeated to identify and evaluate any possible change in the risk profile.
4.5.3 Risk Acceptance
Risk Acceptance is a decision to accept risk. The risk acceptance decision shall be:
A decision to accept known, residual risk;
A decision to accept residual risks, which are partially assessed, based upon limited information; or
A combination of these circumstances.
4.5.4 Optimal QRM strategy is designed to reduce risk to an agreed upon acceptable level. This acceptable level will depend on many parameters, shall be decided on a case-by-case basis and managed through identified mitigation tasks.
4.6 Documentation and Communication of the QRM outcome / result to stakeholders
4.6.1 The results of the QRM process must be communicated to the relevant stakeholders, including management and those operating the process or system who may be affected by those results. This requires that each step of the risk management process be documented at an appropriate level. The purpose of the output from the risk management process is:
To share and communicate information about the risks and how they are controlled.
To obtain the appropriate approval of the decisions taken.
To demonstrate to stakeholders that there has been a properly conducted systematic approach.
To provide a record of the risks that enables decisions to be reviewed and the process to be audited.
To facilitate ongoing monitoring and review and to sustain the process.
4.6.2 The output from the risk assessment must specify a risk owner i.e. a person responsible for ensuring that any actions are entered into CAPA database located in G:\QA\CAPA Database and all identified corrective actions are implemented in full and that the risk is managed.
4.7 Risk Review
4.7.1 QRM is an iterative process that must be sustained throughout the life cycle of the product, A risk assessment only documents the current situation. The nature of quality risks may change with time. Improved knowledge may result in a different view of the risks and may lead to a challenge of the original assumptions.
4.7.2 The risk assessment document should be routed for approval to all impacted system owners and the Quality Assurance. The documentation package should contain all documented aspects of the QRM process.
4.7.3 Implementation of the notification system cannot proceed until all approvals are obtained. The risk assessment process should be repeated any time a change is introduced that impacts the practice, e.g. change in regulations related to investigations, change in direct impact assessment, etc.
Related Documents
Form | Risk Assessment Registry |
QMS-035 | Deviation Report System |
QMS-065 | Manufacturing Rework Procedure |
QMS-045 | Vendor Selection and Evaluation |
QMS-080 | GMP Audit Procedure |
QMS-050 | Vendor Certification Procedure |
QMS-125 | Change Management System |
QMS-055 | Product Complaint Procedure |
LAB-055 | Laboratory Results-Out Of Specification Investigation |
VAL-135 | Risk Assessment for Computer Validation Systems |
Revision History
Date | Replaces | Writer | Role | Change | Reason for change |
None | New Document |
Appendix 1: Risk Ranking and Filtering – Method 1
Appendix 2: Risk Ranking and Filtering – Method 2
Appendix 3: Quality Risk Assessment for Critical Instrument Calibration Frequency
Appendix 4: Supplier Quality Risk Assessment Process
Appendix 5:Risk Assessment Process to Establish External Supplier Quality Audit Frequency
Appendix 6: Engineering Project Evaluation
Appendix 7: Process, Cleaning and Computer Validation Projects