Quality Risk Management
Tony Gould
Introduction



2 |
Risk management is not new – we do it informally
all the time
Military Standard 1629 dated 1974 regarding
formal risk management
Risk management has been used in the medical
device, telecommunications, aerospace and car
industries for many years
PQ Workshop, Abu Dhabi | October 2010
Introduction

Risk management has also been part of the pharma
industry for many years:
– GMP requirements are designed to address risk. For example,
the specific GMP requirements for sterile products are designed
to mitigate the risk of sterility failure
– In some cases, GMP specifies a risk based approach. For
example, "a risk assessment approach should be used to
determine the scope and extent of validation required" (WHO
Annex 4, 5.2.10)
– Specifications in pharmacopoeial monographs include tests for
known potential contaminants
3 |
PQ Workshop, Abu Dhabi | October 2010
Introduction




4 |
Greater use of risk management tools in the future
We must accept this and prepare
From a GMP point of view, we are only concerned
with risks associated with quality, safety and
efficacy – quality risk management
Organisations use risk approaches in other areas,
e.g. to ensure resources are utilised in the most
effective way. Also applicable to inspectorates
PQ Workshop, Abu Dhabi | October 2010
GMP requirement



A system for quality risk management should be included
in the quality assurance system
Quality risk management is a systematic process for the
assessment, control, communication and review of risks
to the quality of the medicinal product. It can be applied
both proactively and retrospectively.
The quality risk management system should ensure that:
– the evaluation of the risk to quality is based on scientific
knowledge, experience with the process and ultimately links to
the protection of the patient; and
– the level of effort, formality and documentation of the quality
isk management process is commensurate with the level of
risk.
1.2 – 1.5
5 |
PQ Workshop, Abu Dhabi | October 2010
QRM - the dangers



There is a desired outcome and risk management
is used to justify it
Invalid assumptions – suit the desired outcome
Cost reduction (increased profits) is often the real
reason that many risk assessments are done
– Cost reduction may be a secondary outcome

Variable tolerance of risk
6 |
PQ Workshop, Abu Dhabi | October 2010
QRM – from an inspectors point of view





7 |
Be prepared so that the process is understood
Have sufficient knowledge to understand what has
been done and challenge assumptions, omissions
etc
Be clear about when QRM is not appropriate
Be flexible and accept the outcome of a
scientifically sound QRM exercise
If done properly there should be increased
assurance of quality (and possibly cost savings)
PQ Workshop, Abu Dhabi | October 2010
What is QRM

8 |
"Quality Risk Management is a systematic process
for the assessment, control, communication
and review of risks to the quality of the medicinal
product across the product lifecycle." (ICH Q9)
PQ Workshop, Abu Dhabi | October 2010
Typical QRM process
Initiate
Quality Risk Management Process
Risk Assessment

Risk Identification
Risk Analysis

Risk Evaluation
Risk Communication
Risk Control
Risk Reduction
Risk Acceptance
Output / Result of the
Quality Risk Management Process
Risk Review
Review Events
9 |
PQ Workshop, Abu Dhabi | October 2010
Risk Management tools
unacceptable


What might go wrong or
has gone wrong?
What is likelihood or
probability?
What are the
consequences (severity)?
What is the level of risk?
Any mitigating factors?
Risk assessment

10 |
"A systematic process of organizing information to
support a risk decision to be made within a risk
management process. It consists of the
identification of hazards and the analysis and
evaluation of risks associated with exposure to
those hazards." (ICH Q9)
PQ Workshop, Abu Dhabi | October 2010
Risk assessment terms

Risk identification
– Use of information to identify hazards or potential risks
– Historical data, theoretical analysis, informed opinions

Risk analysis
–
–
–
–
11 |
Estimation of risk associated with identified hazards
Qualitative or quantitative
Links probability and severity
In some tools, includes detectability
PQ Workshop, Abu Dhabi | October 2010
Risk analysis - probability

A simple qualitative tool:
P – Probability of Occurrence
High
Medium
Low
Remote
12 |
PQ Workshop, Abu Dhabi | October 2010
Likely to occur
May occur
Unlikely to occur
Very unlikely to occur
Risk analysis - severity

A simple qualitative tool:
S – severity level if event occurs
Critical
Moderate
Minor
13 |
Serious GMP non-compliance
Patient injury possible
Significant GMP non-compliance
Impact on patient possible
Minor GMP non-compliance
No patient impact
PQ Workshop, Abu Dhabi | October 2010
Risk assessment terms

Risk evaluation
–
–
–
–
Compares identified and analysed risk against criteria
Considers probability, severity and detectability
Output can be qualitative (high, medium or low)
Output can be quantitative (probability x severity x
detectability)
– Quantitative provides a relative ranking – prioritises
risk
14 |
PQ Workshop, Abu Dhabi | October 2010
Risk evaluation

A simple risk table with risk acceptability criteria:
Risk = P x S
Severity
Probability
Moderate
Critical
Unacceptable risk
Intolerable risk
Intolerable risk
Medium
Acceptable risk
Unacceptable risk
Intolerable risk
Low
Acceptable risk
Acceptable risk
Unacceptable risk
Remote
Acceptable risk
Acceptable risk
Acceptable risk
High
15 |
Minor
PQ Workshop, Abu Dhabi | October 2010
Risk evaluation


Modify evaluated risk according to existing
detection controls
Detectability:
– High – the control is likely to detect the negative event
or its effects
– Medium – the control may detect the negative event
or its effects
– Low – the control is not likely to detect the negative
event or its effects
– Zero – no detection control in place
16 |
PQ Workshop, Abu Dhabi | October 2010
Risk evaluation

Risk definitions:
 Intolerable – work to eliminate the negative event or
introduce detection controls is required as a priority
 Unacceptable – work to reduce the risk or control the
risk to an acceptable level is required
 Acceptable – the risk is acceptable and no risk
reduction or detection controls are required
17 |
PQ Workshop, Abu Dhabi | October 2010
Risk control

"Actions implementing risk management
decisions"
(ICH Q9)
– Includes risk reduction (if applicable) and risk
acceptance
18 |
PQ Workshop, Abu Dhabi | October 2010
Risk control terms

Risk reduction
– Actions taken to lessen the probability of occurrence
of harm and the severity of that harm
– Typically CAPA and change control

Risk acceptance
– The decision to accept risk
– If risk reduction action taken, follows re-analysis and
evaluation
19 |
PQ Workshop, Abu Dhabi | October 2010
Risk Review

"Review or monitoring of output/results of the risk
management process considering (if appropriate)
new knowledge and experience about the risk."
(ICH Q9)
– Ensures nothing has changed to affect the QRM
assumptions, output and conclusions
– Consider during product review
20 |
PQ Workshop, Abu Dhabi | October 2010
QRM tools – some of them!

Basic risk management facilitation methods (flowcharts, check
sheets etc.);

Failure Mode Effects Analysis (FMEA);

Failure Mode, Effects and Criticality Analysis (FMECA);

Fault Tree Analysis (FTA);

Hazard Analysis and Critical Control Points (HACCP);

Hazard Operability Analysis (HAZOP);

Preliminary Hazard Analysis (PHA);

Risk ranking and filtering;

Supporting statistical tools.
21 |
PQ Workshop, Abu Dhabi | October 2010
Potential applications







22 |
Quality Management (e.g. self-inspection, training, complaints,
deviations, change control)
Development (ICH Q8)
Facilities, Equipment and Utilities (e.g. design, qualification,
hygiene, calibration, computers)
Materials Management (e.g. supplier assessment, storage)
Production (e.g. validation, in-process sampling and testing)
Laboratory Control and Stability Studies (e.g. OOS, retest
periods, validation)
Packaging and Labelling (e.g. package design, label control)
PQ Workshop, Abu Dhabi | October 2010