SOP for Quality Risk Management Plan

Purpose

This Master Plan defines how the Quality Risk Management (QRM) program will be conducted through the integration of knowledge gained from formal risk assessments, operational alerts, change controls, and inspections as required by ICH Q9 Quality Risk Management. Information on higher risks will be communicated to management and the quality unit through a risk register intended to increase visibility and provide focus in discussions on risk control and mitigation.

Scope

This plan applies to all personnel involved in the delivery of results in the evaluation of quality attributes of starting materials, excipients, components, API, and drug products intended for investigative medicine testing. Risk management will also be applied to the systems used to enable testing, including instruments and equipment qualification, and to the design of analytical methods for use in support of commercial manufacturing. The following risk management programs are not in the scope of this plan and are addressed by other guidance:

• Risk management for IT-supported applications
• Risk management of spongiform encephalopathies to our API and products
• Safety risk assessments
• Testing activities conducted at contract facilities
• Testing of research materials.

Roles and Responsibilities

Roles	Responsibilities
Management	Provide the resources necessary to support the implementation of this Master Plan for Quality Risk Management. Ensure that employees complete any required training regarding risk assessment. Ensure that related Standard Operating Procedures and Work Instructions are aligned with this Master Plan. Ensure periodic assessments are conducted to verify that related activities are in compliance. Ensure risk assessments, when they are appropriate, are performed, and that they are properly documented and approved by the Quality Unit as needed. Review risk assessments. Perform periodic review of the risk register.
Quality Unit	Assist in identifying and evaluating sources of risk and in establishing appropriate controls. Review and approve risk assessments on activities governed by procedures. Perform periodic review of the risk register.
Personnel	Utilize risk tools and perform risk assessments where appropriate. If in the role of risk assessment facilitator: study the features of the tool to use. identify subject matter experts to participate in the assessment. document the assessment. Submit formal risk assessments to the Functional Area Management and Quality Unit for review and approval. Comply with this management plan.

Background

• The principles of QRM in the preparation of medicinal products are described in ICH Guidance for Industry Q9 -Quality Risk Management. In alignment with ICH Q9 recommendations, this QRM plan is built around the following steps: Risk Assessment, Control, Communication, and Review.
• QRM is a critical component of quality systems and feeds from the investigations and inspections program and is leveraged to guide change management. Risk management is implemented with practices appropriate to the stage of project development.

ALSO READ: SOP for Quality Risk Management

Risk Assessment

Risk Identification

• ICH Q9 defines risk as the combination of the probability of occurrence of harm and the severity of that harm for the intended patients. As an organization developing analytical knowledge and methods, another fitting definition for risk is that of the ISO 31000 Risk Management Standard which defines risk as uncertainty in reaching objectives. This QRM intends to both address potential harm to patients and uncertainty in objectives. The primary focus of risk management is to control the risk to data on product attributes, as this data is used to both determine the suitability of products for clinical programs and to propose specifications utilized in the evaluation of manufacturing process control. Other objectives include accurate data for the proposal of labeling information; development and validation of robust methods, and testing in support of manufacturing activities (e.g., water testing).
• Risks are proactively identified in deliverables by conducting risk assessments to the type of tests that evaluate product quality attributes used in the decision for batch release. Failure modes are identified by experts in the technique and ranked. Multiple sources are used for further identification of risks to be evaluated as well as to trigger a review of processes for risk assessment. These sources include Quality Unit and regulatory inspections, benchmarking, internal self-inspections, investigations on operational alerts, and trend evaluations. These risks are analyzed and evaluated for inclusion in the Risk Register.

Risk Analysis & Evaluation

• Multiple tools will be used for the estimate of the risk posed by the hazards identified. Subject matter experts will consider the risk to be evaluated and select a tool appropriate to the complexity of the system or activity under evaluation. Informal risk management may be used, including empirical evaluations where appropriate, flow charts, checklists, and procedures.
• For the analysis and evaluation of data for batch release, Failure Mode and Effect Analysis were chosen as it can guide the evaluation of numerous failure modes, summarizing the effect and quantitative ranking for guiding control efforts. For the FMEA risk analysis of tests for the release testing activity, the table presented below outlines the starting point. A team using this tool can further refine this table to suit the risk question and should capture the analysis table in the documentation of the risk assessment.

Score	SEVERITY	OCCURRENCE	DETECTION
10	Passing a failing product can result in the release of an adulterated product	Frequent	Cannot be detected
7	Not used to ensure the assessment of severity is most conservative.*	Moderate, occasional	Very Low
3	The additional introduction of error expands the uncertainty of the method while still meeting the specification	Infrequent or has occurred **	Moderate
1	Data representative of product attribute	Remote or unlikely	Almost Certain

*  False OOS/OOA were not included in the judgment of severity as these are investigated and resolved without impact to the product release timeline and consequently no impact on product availability to patients

**  In an effort to address the uncertainty on failure mode occurrence, any observation of a failure mode was given a raised value occurrence value (3) recognizing limitations in detecting some failure modes.

• Each failure mode is assigned a Risk Priority Number 

(RPN) = Severity X Occurrence X Detectability

For example, for Severity=10, Occurrence=3, and Detectability=10 the calculated RPN is 300. 

These RPNs are then categorized as Low 1-100, Medium 101-500, and High 501 -1000.

ALSO READ: SOP for Rework/Reprocessing Procedure

Risk Control

• The purpose of a risk management program is to decide, for the hazards identified, what controls are possible and when they should be sought and implemented. Evaluation of risk controls will consider the following questions:

1. Is the risk currently managed at an acceptable level?
2. What can be done to reduce or eliminate the risk?
3. Is there other data that helps manage the process and evaluation and can be used in place of a control?
4. What is the appropriate balance among benefits, risks, and resources?
5. Does implementation of the control introduce new risks?

Final Risk Level	Decision Guidance (10)
High	Risk is unacceptable and action to reduce risk is required. Design New Controls:  Actively work to mitigate these through design, systems, procedures and other controls.
Medium	The decision required accepting risk or taking action to reduce risk. Take action: If detectability of risk is poor (e.g, 7-10), consider whether action is required and seek to develop a clear understanding on how to recognize when this failure mode occurs. An action might include awareness/training or the development of new controls. Observe/Accept:  If detectability of risk is good (e.g., 1-3) or severity is low (1-3), maintain vigilance (operational alerts program).
Low	Residual risk is acceptable, the risk is detectable and of low severity, and no further action is required. Knowledge of the actual process is well understood.

Risk Communication

• The goal of risk communication is to, by way of sharing information on risks identified and their controls, increase risk awareness and promote controls that support quality. This means that personnel in different roles have different needs regarding the communication of risk.
• Personnel conducting activities will need to be informed of risks so that they maintain behaviors that support best practices sustain vigilance and understand processes to help control risk. These communications are achieved through training, method details, formal procedures, and aides such as checklists to enhance their ability to control risk. Management is responsible for allocating resources for activities; therefore, they must support the identification of risks and stay informed of risks that require additional controls.
• Management is also responsible for committing resources to the development of those controls or accepting residual risk. This communication will be achieved and documented through their approval of plans, procedures, formal change controls, and the risk register.

Documentation of Risk Assessments

• Formal documentation of risk assessment and other risk management activities will be at the discretion of management and the Quality Unit observing the guiding principle of documentation effort commensurate with the impact of the risk. Formal risk assessments will utilize a template that will include the following elements:

1. Contain a unique number
2. Define the risk assessment method /tool and rationale for selection
3. Conducted by appropriately trained personnel
4. Discuss controls and risk acceptance (if appropriate)
5. Define periodic review cycle
6. Include approval by the Quality Unit when analyzing a process for the purpose of a buildup of the risk register or used to justify changes to procedures.

• Low-impact risk assessments for easily understood or specific situations/processes may be analyzed and documented by an SME. These will be managed informally, documented in the process tools (e.g. TrackWise record, instrument qualification document, notebook record), or incorporated into a procedure

Establishment of a Risk Register

• A risk register(s) will be maintained to be comprised of a ranking of risks identified through risk assessment of the major deliverables and processes. The Business Unit and the Quality Unit will review the risks identified and decide which risks should be managed through the risk register based on the potential impact on patients and the quality of deliverables.
• Each risk listed in the register will:

a.  Have a number assigned as per the following scheme:

1. SEQUENTIAL NUMBER / SITE
2. SEQUENTIAL NUMBER = 1, 2, 3, etc (individual risk within the risk assessment)

b.  SITE

c.  Classify the risk listed qualitatively (e.g., Medium or High).

d.  Address how the risk is managed or controlled.

e.  Document the decision on whether the risk is acceptable under current controls or new controls should be developed.

f.  Contain a reference to an issued risk assessment or other references.

• It is intended that the register will list high risks and can include medium risks agreed upon during the review as requiring remediation.
• The risk register will be approved by Management and the Quality Unit.

Risk Review

• To remain effective, the risk register review will consider the impact of trends in quality events, change controls, and lessons learned from audits/inspections, and its review documented at a minimum once every 3 years. This review will also document the removal of risk from the register due to risk reassessment.

Annexure

Nil

Revision History

Nil

ALSO READ: SOP for Handling of Incidents in Pharmaceuticals