Purpose
To Lay down the procedure for Quality Risk Management
at all the level of product life cycle to ensure the product quality and
minimize risk to the patient.
Procedure
Principles of QRM shall be applied to,
Development, manufacturing, distribution of products.
When new regulations, new facility, new product, new
process, new personnel, new equipment and new sources of input materials are
introduced.
When there are any product recalls, major customer
complaints, batch failures, reprocessing and reworks, test failures, inspection
observations and regulatory actions.
Preamble:
Risk is defined as the cumulative effect of the
probability of occurrence of harm and the severity of that harm. This is unlike
uncertainty which considers only the event & where the probability is
completely unknown. Every product and every process has an associated risk.
Risk management can therefore be considered to involve
identification, assessment, & prioritization of risks followed by
coordinated and economical application of resources to minimize, monitor &
control the probability and impact of unwanted events.
Quality Risk Management shall aim at raising the level
of protection for the patient, by the reduction of the risk to which that
patient is exposed at the time he receives a drug product.
Definition:
Quality Risk Management: A systematic
process for the assessment, control, communication and review of risks to the
quality of the drug product across the product lifecycle.
Product Lifecycle: All phases in the
life of the product from the initial development through marketing until the
product’s discontinuation.
Risk: The combination of the probability of occurrence
of harm and the severity of that harm.
Harm: Damage to health, including the damage
that can occur from loss of product quality or availability.
Severity:
A measure of the possible consequences of a hazard.
Detectability: The ability to discover or determine the
existence, presence, or fact of a hazard.
Risk Identification: The systematic use
of information to identify potential sources of harm (hazards) referring to the
risk question or problem description.
Risk Evaluation: The comparison of the
estimated risk to given risk criteria using a quantitative or qualitative scale
to determine the significance of the risk.
Risk Analysis: The estimation of the
risk associated with the identified hazards.
Risk Assessment: A systematic process of
organizing information to support a risk decision to be made within a risk
management process. It consists of the identification of hazards and the
analysis and evaluation of risks associated with exposure to those hazards.
Risk Communication: The sharing of
information about risk and risk management between the decision maker and other
stakeholders.
Risk Control: Actions implementing risk management
decisions.
Risk Acceptance: The decision to accept risk.
Risk Reduction: Actions taken to lessen
the probability of occurrence of harm and the severity of that harm.
Risk Review: Review or monitoring of
output/results of the risk management process considering (if appropriate) new
knowledge and experience about the risk.
Introduction:
An effective quality risk management approach shall
further ensure the high quality of the drug product to the patient in providing
a proactive means to identify and control potential quality issues during
development and manufacturing.
Additionally, use of quality risk management shall
improve the process of decision making if a quality problem arises.
Effective quality risk management shall facilitate
better and more informed decisions.
Two primary principles of QRM are:
The
evaluation of the risk to quality and its link back to the protection of the
patient.
The
level of effort, formality and documentation of the QRM process shall be
commensurate with the level of risk and be based on scientific knowledge.
Quality risk management methods and tools
Quality risk management tools support a scientific and
practical approach to decision making by providing documented, transparent and
reproducible methods to accomplish steps of the quality risk management.
The purpose of this section is to provide a general
overview and references of some of the primary tools that shall be used in
quality risk management. This is not an exhaustive list. i.e.
Failure mode effects analysis (FMEA).
The above mentioned tool shall be used for quality risk
management depending on the situation.
Initiation of Quality Risk process
Quality risk management shall include systematic
processes designed to coordinate, facilitate and improve science-based decision
making with respect
to risk.
Quality risk management shall be implemented in
systematic manner with all levels of documentations.
All quality risk management activities, whether they
are prospective or retrospective in nature, should be adequately planned prior
to initiating any risk assessments.
At manufacturing site QRM shall be applied as
appropriate to following (But not limited to):
Technology
transfer
New
Product Introduction
Cleaning
procedures
Calibrations
/Validations /Qualifications
Finished
Goods
Findings
from internal and external audit reports
Customer
complaint investigation reports
Product
recall investigation reports
Strengths,
Weaknesses, Opportunities and Threats analysis of a process or facility
Rejection
and return of product by customers
Repeated
equipment failures
Repeated
utility failures
Head-QA shall assemble a small team of all departmental
heads or other relevant personnel and nominate the team as risk management
team.
Head QA / designee shall be responsible for all QRM
related co-ordination with other departmental heads.
Individual department head shall act as the risk owner
of their department and taking corrective action for the risk identified at
their department.
Risk assessment in each production process shall be
done by the cross functional team. In case of Manufacturing process risk
assessment shall be done depending on the criticality of the product based
their potency.
The rigor in planning should be commensurate with the
impact of the potential risks on product quality. Planning activities should
include:
Defining
the problem statement, scope (in and out of scope), known assumptions and
expected outcomes.
Identifying
the appropriate team of subject matter experts and an impartial (to the extent
possible) facilitator.
Determining
the level of formality and selecting the appropriate tool to deliver the
expected outcomes.
Determining
how the quality risk management activities will be documented.
Identifying
and collecting relevant background information, reference documents and/ or
data related to the potential risks or product and patient impact relevant to
the risk assessment.
Specifying
a timeline, deliverables and appropriate levels of decision making (and
appropriate decision makers) for the risk management process.
Defining
a reporting and communication plan.
Identification of risk areas:
The Risk Management Team shall consider one or more of
the sources for identification of risks.
The root cause for each and every risk shall be
identified and CAPA shall be done for all the identified causes for the risk.
The root cause analysis shall be done by QRM team and
where ever required the subject matter expert shall be included for the
discussion. The team shall have all the department heads & concern persons.
The Risk Management Team shall deliberate, preferably
in brain storming sessions, for assessing threats to product quality and
typically the following questions shall be addressed (but not limited to);
What
are obvious risks?
What
has changed from the past?
What
could go wrong?
Have
there been any near misses?
What
are customer expectations?
What
are regulator’s expectations?
What
are other legal requirements?
What
are the past trends?
What
are the past happenings?
All the stages in the root cause analysis shall be documented.
Assessment and Prioritization of Risks:
The Risk Management Team assesses and prioritizes the
various causes for the risks.
For each causes of the risks the team should address
questions like -
What
can go wrong,
When,
Where
and
How the
risks likely to occur
What
could be impact on the objective etc.
The team shall then quantify the potential consequences
(also called impact) and the probability (also called likelihood) of these
consequences occurring, how it could affect the company in an overall manner
and what are the control measures exist which can control the risk or detect
the risk before occurring (also called Detectability). Multiply the scores of
severity of consequence, likelihood of the threat taking place and the detect ability
or the control measures available to indicate the level of risk to product
quality to obtain the Risk Priority Number (RPN).
Severity Ratings scales shall range from 1 to 5 with
the higher number representing the higher seriousness or risk as follows,
Severity of occurrence (Impact)
1 –
Insignificant
2 –
Minor
3 –
Moderate
4 –
Major
5 –
Critical
Probability of occurrence (Likelihood)
1 –
Unlikely
2 –
Rare
3 –
Possible
4 –
Likely
5 –
Almost Certain
Probability of detection
1 –
Almost Certain
2 –
Likely to detect
3 –
Possible to detect
4 –
Unlikely to detect
5 –
Rare never detected
After the ratings have been assigned, the RPN for each
identified risk shall have calculated by multiplying Severity X Occurrence X
Detection.
RPN = Severity x Occurrence X Detection
The RPN value for each potential problem can then be
used to compare the issues identified within the analysis.
Corrective action may be recommended or required to
reduce the risk (i.e. to reduce the likelihood of occurrence, increase the
likelihood of prior detection or, if possible, reduce the severity of the
failure effect).
Ranking issues according to their individual Severity,
Occurrence or Detection ratings is another way to analyze potential problems.
Ranking of Risk Priority Number (RPN) in the order of
rating (biggest RPN first). Arrange the failure modes in the descending order.
Listing the failure modes in descending order will help
prioritization. Failure modes with highest RPN will need prioritized attention.
Following Risk factor matrix shall be helpful in
understanding the Risk potential.
The risk score (RPN) shall be used to define risk
ranking as follows.
Sr. No
|
Risk
Priority Number
|
RPN
Category
|
1
|
1 to 25
|
Minor
|
2
|
26 to 75
|
Major
|
3
|
76 to 125
|
Critical
|
The QRM team may determine that corrective action is
required for any issue with an RPN that falls with highest RPN number and also
for any issue with a high severity rating.
For Example, in case, a potential problem may have an
RPN of 20 (Severity = 5, Occurrence = 2 and Detection = 2). This may not be
high enough to trigger corrective action based on RPN but the analysis team may
decide to initiate a corrective action anyway because of the very high severity
of the potential effect of the failure.
Enlist the current control measures for each of the
failure modes. Assess the adequacy of each control measure.
Assessing Existing Control Measures:
For each of the threat identified, review the existing
control measures at the site.
Existing control measures may include robust quality
systems, strict adherence to GMP norms, adhering to regulatory expectations
etc.
Existing control measures shall be verifiable through
audits, records, documents, quality performance indicators etc. Due verification
of effectiveness of existing control measures shall be carried out and
documented.
Identify additional control measures. Generate an
action plan to reduce RPN.
List out the additional control proposed by the team
and communication of the same shall be done to all the persons involved in the
activity in the form of risk control training.
Once the identified control measures are found
appropriate, the time line for its implementation shall be mentioned in the
risk assessment form.
QA Head shall verify the closure of the corrective
action within stipulated time period.
The progress of actions shall be entered in the Risk
Register at periodic intervals.
Impact of all the changes done for additional control
measures shall be evaluated properly so that it shall not include any
additional risk to the process.
QRM team leader shall check the effectiveness of the
control measures initiated.
Check
effectiveness of actions
Progress
the action plan
Document
all actions
Archive
for future references
The QA head shall constitute Risk Review meeting at
regular intervals not less than quarterly to review the various risk management
processes and status of risks identified, mitigation actions taken and progress
of the corrective and preventive actions.
Based on the review process and additional control
measures, RPN of the risks shall be calculated and found that the ratings are
reduced to controlled level. The risk shall be considered as under control.
The risk shall be reduced to the minimum level as
possible.
In case on review it was identified there is still some
residual risk exist in the process same shall be documented and communicated to
all the stakeholders and top management about the risk.
In case risk management concludes that the risk in
“uncontrollable”, it should be referred to the corporate team / higher
management.