SOP for Quality Risk Management

Objective

To provide a procedure for carrying out Risk assessment, evaluation, mitigation, and review of risk by employing appropriate tools of the Quality Risk Management Process.

Scope

Applicable to different aspects of pharmaceutical quality like development, manufacturing, testing, distribution, inspection, and submission/review processes throughout the life cycle of drug substance, and drug products including equipment, facilities, system, raw material, solvents, packaging, labeling and process and any other activity which is directly or indirectly affecting product quality.

Responsibilities

The initiator/ Concern Department shall be responsible for:

• Initiation of the Quality Risk Management Process and facilitation of further action proposed at every stage of the Quality Risk Management Process.

Head QA/ Designee shall be responsible for:

• Approval of risk assessment proposal.
• Formation of Quality Risk Management Team and Team Leader.
• Review, evaluation, advice, and approval of Quality Risk Management and corrective action and preventive action generated by the Quality Risk Management Team.
• To assure that a Quality Risk Management process is defined, deployed & reviewed and that adequate resources are available.
• To acknowledge risk communication, action plan in case of higher RPN, and finding of the risk assessment report by signing as noted by.
• Coordinating Quality Risk Management across various functions and departments of the organization.

Quality Risk Management Team shall be responsible for:

• Identifying all potential failures with respect to risk questions/risk subjects such as equipment, facilities, manufacturing process, packing, system, personnel, etc. including relevant assumptions identifying the potential cause for the risk.
• Preparation of action plan in case of higher RPN and risk communication to all concerns and further approval from Head Quality.
• Assessing the adequacy of existing control measures.
• Identifications and implementation of additional or new control measures as appropriate.
• Specify timelines, deliverables, and appropriate level of decision-making for the risk management process.

Accountability

• Head-Quality shall be accountable for ensuring compliance with this standard operating procedure.

Reference

• ICH Q9 Quality risk management
• WHO TRS 908 Annexure 7
• EU GMP Annexure 20 Quality Risk Management.

ALSO READ: SOP for Handling of Deviation

Procedure

Quality Risk Management Process Overview:

• Quality risk management is a systematic process for the assessment, control, communication, and review of risks to the quality of the drug product across the product lifecycle, systems, utilities, facility, and other associated aspects.
• Risks to product quality, patient safety, and company reputation should be controlled through the implementation of a robust quality management system and good manufacturing practices. These should include management controls, validation, internal audits risk assessment, etc.
• The scope of quality risk management is limitless, following are a few examples which include but are not limited to:

1. Equipment/ Instrument and facility design.
2. Equipment/ Instrument and facility qualification.
3. Change management
4. Deviations
5. Validation/ Revalidation
6. Investigations
7. Assessments of the procedure/provision for their suitability etc.

• In general, the below-mentioned flow of the risk management cycle shall be followed while risk management of the process.

Risk Assessment

• As per definition, risk assessment is a systematic process of organizing information to support a risk decision to be made within a risk management process.
• It consists of the identification of hazards and the analysis and evaluation of risks associated with exposure to those hazards.
• In general, the risk assessment process involves three fundamental questions to assess risk which are:

1. What might go wrong? (Hazard)
2. What is the likelihood it will go wrong? (probability)
3. What are the consequences? (severity/ impact)

• These give an overall assessment in three initial steps of the Quality Risk Management Process:

1. Step-I: Risk Identification
2. Step-II: Risk Analysis
3. Step-III: Risk Evaluation

Risk Identification

The systematic use of information to identify potential sources of harm (hazards) & possible consequences (Impact/ Effect). It shall be assessed on the basis of:

• Historical data
• Theoretical analysis
• Informed opinions
• Concerns of stakeholders
• Brainstorming sessions etc.

Risk Analysis

Risk analysis is the estimation of the risk associated with the identified hazards. A qualitative or quantitative process of linking the likelihood and severity of harm by assessing the design/measures having control over their occurrence and detection.

Risk Evaluation

The comparison of the estimated risk to given risk criteria using a quantitative or qualitative scale to determine the significance (i.e. acceptability on the risk criteria) of the risk.

• Formal or Informal communication shall be given to concerned departments at each stage of the Quality Risk Management Process.

Risk Control

The purpose of risk control is to reduce the risk to an acceptable level. The amount of effort used for risk control should be proportional to the significance of the risk.

• Risk Reduction
• Risk Acceptance

Risk Reduction

Risk reduction focuses on processes for mitigation or avoidance of quality risk when it exceeds a specified (acceptable) level. The risk reduction process focuses to:

• Mitigate the probability of harm
• Improve the delectability of hazards& risks
• Take care not to introduce new risks
• Revisit the risk assessment process for new risks or increased significance of existing risks.

ALSO READ: SOP for Data Integrity

Risk Acceptance

In all cases, we might not entirely eliminate risk. For such cases risk may be accepted and considered for the acceptance of risk shall be based upon the significance of the risk on the product and scientific judgment. This shall be decided by Person(s) with the competence and authority to make appropriate and timely decisions

Risk Communication

This aspect of the Quality Risk Management Process is a formal or informal process of risk communication to all stakeholders or concerns about the outcome of each stage of the Quality Risk management process.

Risk Review

Review or monitoring of output results of the risk management process considering (if appropriate) new knowledge and experience about the risk.

In conducting a Risk Assessment, the basic steps are:

• Risk Question / Subject Identification (Item/ Equipment/ Process/ Product/ System/ Facility/ Procedure/ Studies/ QMS Applications etc.)
• Justification shall be provided for carrying out Quality Risk Management for Risk Subjects as per Annexure-VI which shall be approved by the Head of Quality.
• Formation of the risk management team and team leader by Head Quality / Designee. The team should essentially include concerned department representatives and other members from quality assurance, production, engineering, QC, and stores as applicable based on the topic under consideration. They should be experienced, acquainted with the subject, and have adequate training in risk assessment. The team can be reassigned as and when required by the Head-Quality/ Designee.
• Explain the methodology to the team.
• Prepare a flow chart or detailed process flow of the process under analysis. All steps in the process should be included. Attach the same to the risk assessment as an annexure (if required).
• The risk assessment number shall be issued by the Quality Assurance

1. Log of Risk Assessment shall be maintained as per Annexure-III with QA.

• Risk Assessment shall be considered closed when all the risks are mitigated as per the action plan up to a desired level of acceptance and reviewed after mitigation.
• Whenever risk review shall be performed for logged risk assessment, then the version number shall be increased as 01, 02, 03, ………, and so on.

Risk Management Methodology

Risk management shall be performed by using any of the tools given in ICH Q9, for example,

1. Failure Mode Effects Analysis (FMEA)
2. Failure Mode, Effects, and Criticality Analysis (FMECA)
3. Fault Tree Analysis (FTA) etc.

1. Failure Mode Effect Analysis (FMEA)

• FMEA is one of the most useful and effective methodologies to ensure that potential problems have been considered and addressed throughout the product and process development stages. The goal of FMEA is to align the risks as closely as possible with its source.

FMEA Definitions:

Failure Mode: It is the way in which the process could fail to meet the requirements.

Following are the examples of failure modes:

• Product not meeting specification
• Process not meeting yield requirements
• Critical process parameters not met
• Malfunctioning equipment
• Software problems
• Not meeting customer requirements
• Non-compliance to Regulatory requirements

Failure Effect: It is the consequence of failure.

Failure cause: It is what induces the failure indicating how the failure could occur.

2. Failure Mode, Effect And Criticality Analysis (FMECA)

FMECA methodically breaks down the analysis of complex processes into manageable steps. The FMECA is a formalized, systematic, and analytical approach to failure prevention.

It can identify places where additional preventive actions might be appropriate to minimize risk. The aim of FMECA is:

1. To create an awareness of potential failures.
2. Establish a baseline for process knowledge and process effects.
3. Identify, analyze, and ultimately prevent potential failures as well as their effects and causes.
4. Defines measures aimed at preventing and identifying (i.e. investigating) potential causes of failure and monitoring and demonstrating the effectiveness of such measures. The application of FMECA methodology helps quality control by specifying test parameters for any remaining risks to the product or process. FMECA is suitable for developing knowledge databases and, therefore, helps in preventing recurring failures. The output of an FMECA is a relative risk “Score” for each failure mode, which is used to rank the modes on a relative risk basis.

Note: FMECA is similar to FMEA. The C in FMECA indicates that the criticality (or severity) of the various failure effects are considered and ranked. Today, FMEA is often used as a synonym for FMECA.

• List down the functions and malfunctions of the product/ process/ system/ item/ equipment/ facility for which Risk Assessment needs to be performed. To gather maximum information, brainstorming sessions can be useful.
• Designate which of the steps in the process constitute “Function” and identify elements of variation in equipment, methods, materials, control, and management.
• Determine which function represents potential “Failure Modes” or points of potential failure and record in Annexure-I.
• Determine the worst potential “Effect” consequences of each of the failure modes.
• Determine the “Contributory Factors” for each failure mode.
• Identify and “Control” in the process. Controls are components of the process which: 

1. Reduce the likelihood of a contributory factor or a failure mode. 
2.  Increase the detection level of failure before it leads to an adverse outcome (Effect).

ALSO READ: SOP for Handling Out of Specification (OOS)

Examples of control measures are procedural controls, engineering controls, supervisory controls, manual controls, training, etc.

• Rate the severity of each effect on a scale of 1-5. The impacts of controls that improve the severity of an effect are reflected in this rating as well.

1. No effect on output
2. Minor effect on output
3. Moderated effect on output.
4. Serious effect on output
5. Hazardous effect on output.

• Rate the occurrence (likelihood of each contributory factor on a scale of 1-5. The impacts of controls that reduce the likelihood of occurrence of a failure mode or contributory factor are reflected in this rating as well.

1. Unlikely (doubtful)
2. Very rare
3. Possible
4. Likely
5. Almost certain (every time)

• Based on the control measures, rate the effectiveness of each “Detection Control” on a scale of 1-5.

1. Always detected
2. Will detect failure
3. Might detect failure
4. Almost certain not to detect failure
5. Lack of detection control

Note:

1. Prepare a scale table for each Risk Assessment study individually for severity, occurrence, and detection.
2. The individual contributory factors for each potential failure mode should be rated.
3. Available control measures in the process of risk assessment should be assessed by the Risk Assessment team prior to determining the likelihood of occurrence.
4. Historical data like maintenance records, complaints, deviations, and other applicable records should be reviewed for assigning risk ratings i.e. severity, occurrence, and detection of individual potential failure modes.
5. The product of the three ratings is the risk priority number (RPN) for that contributory factor. For example: If the severity rating is 3, the occurrence rating is 2 and the detection level is 1, then RPN = 3 x 2 x 1= 6

• Depending on the RPN rating, the following decision should be made:

1. Failure shall be accepted if RPN is within the specified acceptable level i.e. ≤ 25.
2. Depending on the type of failure, an appropriate action plan shall be implemented to control or reduce the occurrence to an acceptable level, if not, the detection system shall be improved or both can be marked out.
3. In some cases, failure should be totally eliminated.

• Rank the ‘Contributory Factor’ according to the Risk Priority Numbers. To determine RPN rank, the RPN of individual contributory factors should be rated from high to low so that higher risk elements can be identified easily and same is illustrated in the following example in which the higher RPN (here 20) shall be given Rank 1, below 20 (here 18) shall be given Rank 2, below 18 (here 14) shall be given Rank 3 and so on. If the same RPN is observed for more than one contributing factor then the same rank shall be allotted to all such RPN (here 10).
• The ‘RPN’ determines the criticality of the failure mode which helps to determine whether the risk of failure should be accepted (No action may be required for the potential failure), controlled (take action to enhance detection or reduce the occurrence of the risk of the potential failure) or eliminated (prevent the potential failure).
• Risk Assessment should be used to analyze the current process and evaluate the potential impact of the change under consideration. For example: New equipment/ process, major modification. Calculate the estimated RPN each time you consider a change to the process, to evaluate the impact of the change. If RPN is high, then priority should be given to such items, and based on the current control measures, an action plan for additional measures required shall be made.
• Acceptance criteria: In case the calculated RPN rating is greater than 50 those particular failures shall not be acceptable. Following is the risk matrix;

ALSO READ: SOP for Handling of Out of Trend (OOT)

• For RPN ratings ≤25, no action plan is required. However, for improvement purposes, an action plan can be proposed for RPN rating ≤25, if required.
• The action plan may be required if any of the individual severity and occurrence is high (even if RPN is within Acceptance criteria).
• Considering acceptance criteria, detailed action plans shall be drawn with responsibility and target completion date as per Annexure-II (Action Plan Sheet). In this annexure, tabulate the failure modes in the decreasing order of RPN and maximum RPN failure modes shall be addressed on priority wherever feasible. The reference of the CAPA number for the proposed action plan can be mentioned in the description section of Annexure-II, (if required).
• The effectiveness of the action plan shall be reviewed and discussed by the Quality Risk Management Team (and with the support of senior management if required).
• New risks introduced due to corrective action shall be analyzed and taken care of after drawing action plans.
• The closure date of the Action Plan, documented in Annexure-II, shall be provided by the concerned responsible person/ department / QMS Team (if, concerned) and the same shall be verified by QA.
• Whenever risk assessment is performed in response to any nonconformance like complaints, deviations, etc., existing risk assessment (if applicable) shall also be reviewed to evaluate the impact of risk associated with the reported non-conformances. This review shall be recorded in the Annexure II.
• Examples of risk that may be identified include, but are not limited to:

1. Risk to manufacturing equipment such as equipment downtime, equipment damage, cost of replacing equipment parts, and any potential for injury.
2. Quality of the finished product.
3. Incorrect composition
4. Raw material/ packaging material errors.

• Examples of mitigation strategies that may be used to modify risk levels (RPN) are:

1. Modify process design such as additional data verification checks.
2. Introduce external procedures such as double-checking to counter possible failures.
3. Increase the scope and level of testing applied during various stages of validation.

Note: Validation and In-process control requirements should be reviewed.

• If any action plan requires some change in the established procedure etc. then implementation shall be done as per the change control procedure.
• Risk communication is an information-sharing session between the Quality Risk Management Team and other concerned departments/ senior management involved with different functions. The outcome/result of the risk assessment process should be appropriately communicated and documented as per Annexure-IV.
• Risk Assessment shall be reviewed after the closure of the action plan until all RPNs are reduced to an acceptable level. If required it can be reviewed meanwhile.
• If an action plan is not closed within the proposed TCD, the Extension Form shall be filled by the initiator/concerned department as the First review of risk assessment with proper justification for non-completion of the action plan and new TCD. In case the risk assessment exceeds the TCD from the first review then the status and new TCD shall be filled as the second review of risk assessment with proper justification. Further, if the activity is not closed within the stipulated timeline of the second review then it shall be reported to the Head-Quality/Designee for further advice. The same shall be recorded in Annexure-VII.
• A review is also necessary in case of changes in product, process, and specifications.
• This review should be recorded in Annexure-V where enhanced control measures implemented from the initial Risk Assessment need to be addressed and based on the additional or implemented control measures, the RPN of individual contributory factors should be reviewed and a Risk Assessment review conclusion to be drawn. In cases, where the nature of risk may or may not be changed after implementing enhanced control measures, depending upon the nature of the risk the same shall be escalated to management. During the ‘Review of Risk Assessment’ any new failure modes and contributory factors can be assessed.
• Whenever existing Risk Assessment is reviewed, the same Risk Assessment No. should be continued with a change in Version Number.

ALSO READ: SOP for Quality Management System

Abbreviations

RPN: Risk Priority Number

F: Format

ICH: International Conference on Harmonization

QMS: Quality Management System

QRM: Quality Risk Management

%: Percentage

≤: Less than or equal to

≥: Greater than equal to

WHO: World Health Organization

TRS: Technical Report Series

GMP: Good Manufacturing Practices

QC: Quality Control

CAPA: Corrective and Preventive Action

TCD: Target Completion Date

Annexure

Annexure-I: Failure Mode Effect (And Criticality) Analysis - FME(C)A

Annexure-II: Action Plan Sheet

Annexure-III: Risk Assessment Log

Annexure-IV: Risk Communication

Annexure-V: Risk Review

Annexure-VI: Justification for Risk Assessment Selection

Annexure-VII: Extension Form

Revision History

Nil

ALSO READ: SOP for Change Control in Pharmaceuticals