User:Yousufmohammad63/sandbox

Quality Risk Management for Pharmaceutical industries
Background:

Risk management activities extend throughout the product life cycle, from conception and initial development through production and until removal from the marketplace. Risk management activities support the design, development, manufacture, sale, distribution and other functions required for products and can impact decisions and actions outside the assessment of risks for a single product.

Risk Assessment Application: The initiator from any functional department for the new activity, change proposal etc., (to be assessed for risks) shall initiate the QRA process in concurrence with applicable department heads.

Qualification of Personnel: The team performing risk management activities shall include persons with the requisite knowledge and experience to act in identified Risk Management roles within the team. An individual may fulfill multiple roles, relative to his or her knowledge and experience with the product or process, its use, the technologies involved or Risk Management techniques.

The risk assessment shall be prepared and documented as per Quality Risk Management Register and Quality Risk Management Document (Annexure-1 and 2). The equipment / instruments /systems ordered in multiple numbers with same equipment name, make, model and type (i.e. like to like) risk assessment shall be carried out only for one equipment / instrument / system.

The QRM team shall be formed from respective departments but not limited to Production, Research and development, Quality Control, Engineering and QA to perform QRA. The team shall assess the risk to the process that could impact the quality of the product directly or indirectly.

The team shall follow the procedure described in section from 4.4 to 4.7 for evaluation and any impact of risk identified to the current process. ICH Q9 defines the two primary principles of quality risk management as follows:

The evaluation of risk to quality should be based on scientific knowledge and ultimately link to the protection of the patient.

The level of effort, formality, and documentation of the quality-risk-management process should be commensurate with the level of risk.

The uses of quality risk management tools are nearly limitless. A few examples of the uses of these tools include:

Equipment and facility design Equipment and facility qualification Change control Process validation

Equipment and facility design:

QRM tools can be used to identify high-risk equipment and facilities, as well as low-risk equipment and facilities; this will allow risk-control efforts to focus on eliminating the highest risks. Design of high-risk equipment and facilities can be enhanced using input from tools such as failure mode and effects analysis (FMEA) and fault tree analysis (FTA) to identify potential failure modes. This input allows the equipment designer to add preventive measures to the equipment design to reduce the occurrence of, or even eliminate, potential failure modes.

Equipment and facility qualification: QRM tools can be used to identify the critical aspects of the processing equipment or facility that need to be intensively qualified, and the low-risk aspects of the equipment or facility. QRM tools can also be used to determine the extent and frequency of requalification efforts.

Change control: QRM tools can be used to identify high-risk process, product, operation, equipment and facilities that need to be maintained under strict change control, as well as the equipment and facilities that can be placed under a simpler engineering change management program.

Process validation: QRM tools can be used to identify the key inputs, key process parameters, and key outputs that need to be monitored and controlled. This allows for focused process validation that ensures that process parameters that are critical to product quality are appropriately validated.

The Quality Risk Management (QRM) process consists following phases: a)	Initiation of risk management process b)	Risk assessment by identification, analysis and evaluation c)	Risk control by risk reduction and acceptance d)	Risk communication

Initiation of a Quality Risk Management Process:

QRM shall include systematic process designed to co-ordinate, facilitate and improve science-based decision making with respect to risk.

The QRM process include the following steps: Defining the problem and/or risk question, including pertinent assumptions identifying the potential for the risk. Compiling the background information and/or data on the potential impact on product, process and safety relevant to the risk assessment. Identifying the team member(s) to be involved for risk assessment and the resources required if any. Specifying timeline, deliverables and appropriate level of decision making for the risk management process.

Risk Assessment Process: Risk assessment is the first step of the quality-risk-management process. It consists of identifying potential risks, analyzing risks, and results associated with exposure to those risks.

Risk assessments should be performed by a team of qualified and experienced   personnel from concerned departments such as engineering, quality assurance,   quality control, validation, and manufacturing, preferably facilitated by someone familiar with the risk assessment process. This team should clearly define the risk question. A poorly defined risk question can lead to lack of focus in the risk assessment.

Risk assessment shall begin with well defined problem or risk question.

a)	What might go wrong? b)	What is the likelihood (probability) it will go wrong? c)	What are the consequences (severity)? d)	What is the likelihood (Detectability) it will be identified?

The risk assessment shall be well informed and shall be based on verifiable evidences. The risk assessment process shall involve the cross functional team members to ensure that the nature of risk and likelihood of a particular risk is as realistic as possible.

Risk Assessment process broadly divided into 3 segments: a)	Risk Identification b)	Risk Analysis c)	Risk Evaluation

Risk Identification: Risk Assessment is defined as “A systematic process of organizing information to support a risk decision to be made within a risk management process. It consists of the identification of hazards and the analysis and evaluation of risks associated with exposure to those hazards.”

Risk identification addresses the "What might go wrong?" question, including identifying the possible consequences. This provides the basis for further steps in the QRM process. Risk identification shall be a systematic use of information to identify hazards referring to the risk question or problem description.

Information of the process to be assessed shall be collected prior to initiation of risk Identification.

The scope should be defined to ensure focus and appropriate use of resource. This defines what data / information is relevant and / or should be examined to identify potential hazards. The below mentioned forms of Data / information shall be used for risk identification. Quantitative data / information - numbers, figures, measurements and variables Qualitative data / information – Attributes (yes / no, go / no go)

Data/Information to support Risk Identification shall be collected from various sources such as example. a)	Known incidents/deviations / non-conformities b)	Near miss events (valuable source of potential risk areas) c)	Complaints d)	Internal / external audits e)	Components of the process (people, premises, equipment, materials, utilities and environmental factors) f)	Quality system and technical capabilities g)	Management review h)	Opportunities for cross-contamination i)	Inherent process risks j)	Regulatory requirements k)	Process Parameters (CPP) and Quality attributes (CQA) After Risk Identification, known and potential sources of harm (hazards) referring to the risk question and their associated risks shall be listed based on the information available at that time, these shall be categorized prior to analysis as mentioned below. a)	Process risks b)	Product quality risks c)	Business risks d)	Risks associated with raw materials/packing material e)	Risks associated with current qualification/validation state f)	Risks associated with facilities, equipment and instrument g)	Risks associated with Personnel h)	Risks associated with premises and manufacturing environment

Risk Analysis: Risk analysis is defined as "The estimation of the risk associated with identified hazards". It provides an estimate for the level of risk in terms of severity of harm, likelihood of occurrence and detection. It provides a quantitative or qualitative estimate of each risk.

The most appropriate Risk Analysis tool or combination of tools should be chosen. Both qualitative and quantitative input data can be processed using the chosen tools.

Based the tool chosen assign rank or score to each identified risk. The QRM interdisciplinary team, with knowledge of the identified risk areas, should agree ranking or scores for each one, following the rules and guidance for the tool being used.

Risk Analysis information may be obtained from similar marketed products, if it can be demonstrated that the current and new products' uses and processes are similar. Intended Use / Purpose of the product process-related issues, or safety characteristics shall be considered during the Risk Analysis process.

A level or a score for each identified risk should be documented and approved.

Risk Evaluation: Risk evaluation is defined as “The comparison of the estimated risk to given risk criteria using a quantitative or qualitative scale to determine the significance of the risk.”

Risk evaluation shall compare the identified and analyzed risk against given risk criteria. Risk evaluation shall consider the strength of evidence for all three of the fundamental questions mentioned in section 4.5.3.

Risk Evaluation is the process that organizes the information from Risk Analysis to allow the decision making step of Risk Reduction or Risk Acceptance to be made. To achieve this, a level of tolerable risk should be defined against which the Risk Analysis output can be compared.

A tolerance level shall be set at this stage so that the Risk Analysis output can be compared against the “level of tolerable risk” depends on the product and the criticality of its application.

If analysis shows that the identified risks have a high probability of causing patient harm, immediate actions shall be initiated to act on all. Conversely, if none of the risks have more than a low probability of causing a minor non-compliance that would not impact the patient, no further action shall be decided.

The Risk Evaluation process shall be conducted as mentioned below: a)	Rank or sort risks from the Risk Analysis step b)	Check that the data is complete and valid c)	Determine if the “level of tolerable risk” is appropriate d)	Review the Risk Analysis output against the “level of tolerable risk” e)	Compare the output to see if it is acceptable or higher than the “level of tolerable risk” f)	Document the evaluation

The Risk Analysis output should be organized (filtered, ranked etc) to ensure that those of most significance (i.e. above the level of agreed tolerable risk) are identified for Risk Reduction. Those below the level of tolerable risk can go forward as residual risk for the Risk Acceptance stage.

In doing an effective risk assessment, the robustness of the data set is important because it determines the quality of the output. For example, outputs that look too high or too low can be checked for calculation errors, missing data, incorrect data, and then either corrected or verified as being accurate.

The output of a risk assessment is either a quantitative estimate of risk or a qualitative description of a range of risk. When risk is expressed quantitatively, a numerical probability is used. Alternatively, risk can be expressed using qualitative descriptors, such as “high”, “medium”, or “low”, which should be defined in as much detail as possible. In some cases a "risk score" is used to further define descriptors in risk ranking.

Risk Evaluation Criteria: a)	It is necessary to define the criteria through which each process step or system     shall be assessed. b)	The risk evaluation shall be performed through qualitative and/or quantitative Risk Prioritization Ranking (RPR) prior to start the risk assessment to set the risk acceptance criteria. c)	The Risk Prioritization Ranking (RPR) shall be the multiplication factor of     Severity, Occurrence and Detectability. RPR = Severity x Occurrence x Detectability

Defining Severity/Occurrence/Detectability: a)	Severity shall be ranked based on the impact on safety, purity and identity of the product. b)	Occurrence shall be ranked based on the probability. c)	Detectability shall be ranked based on the probability of detection of hazard.

Risk Prioritization Ranking/Numbering (RPR/RPN):

Risk Prioritization Ranking or numbering (RPR/RPN) shall be established for each identified risk from the RPR calculation formula.

Note: Risk evaluation process categorizes the risks into those that are above or below the level of tolerable risk. Failure to perform this step correctly can lead to poor decision making at the Risk Reduction and Acceptance steps.

"Risk Control, Risk Reduction & Risk Acceptance".

Risk control : Risk Control is defined as “Actions implementing risk management decisions” .The purpose of risk control is to reduce risk to an acceptable level. The formality and effort of risk control should be appropriate for the level of risk (i.e. Effort used for risk control shall be proportional to the significance of the risk).

Decision makers shall use different processes, for understanding the optimal level of risk control.

When identifying risk control measures the following types of controls shall be considered in the order listed. a)	Inherent safety by design (e.g., a more robust design or a design with greater safety margins) b)	Protective design measures (fail-safes, warnings or alarms) c)	Protective manufacturing measures, which improve process or test capabilities. Information for safety (labeling, instructions for use, training, etc.); d)	Information for safety (labeling, instructions for use, training, etc.); e)	Communication of warnings about improper use, hazards that can occur, or other information that can help to reduce risk.

Risk control shall focus on the following questions: a)	Is the risk above an acceptable level? b)	What can be done to reduce or eliminate risks? c)	What is the appropriate balance among benefits, risks and resources? d)	Are new risks introduced as a result of the identified risks being controlled?

Risk control should continue throughout the lifecycle of the process.

Risk Reduction (Risk Mitigation): Risk Reduction is defined as “Actions taken to lessen the probability of occurrence of harm and the severity of that harm.” The Risk Reduction step focuses on processes for mitigation or control or avoidance of risks where it exceeds a specified or tolerable level. Appropriate decisions shall be made for all the evaluated risks (most significant risks) as part of the Risk Assessment step (Risk Identification, Analysis and Evaluation). Risk reduction might include actions taken to mitigate the severity and probability of harm. Process that improve the detectability of hazards and quality risks might also be used as part of a risk control strategy. Implementation of risk reduction measures shall not introduce new risks into the system or increase the significance of other existing risks. It is required to revisit the risk assessment to identify and evaluate any possible change in the risk after implementing a risk reduction process. If the calculated RPR is more than acceptable risk RPR, then risk mitigation plan shall include actions to ensure that the risks are either detected or occurrence shall be reduced to minimize the severity. Risk Reduction actions that are identified for implementation should be examined in terms of their impact on the overall Risk Management process. Consider the following questions: a)	Are any new risks introduced as a result of the identified risks being controlled? b)	Is one significant risk being replaced by another? c)	Should a reiteration or part of the Risk Assessment process be performed?

Decisions and actions relating to Risk Reduction should be documented and approved. Approval should endorse resource allocation, timelines and implementation strategy, and be communicated to all relevant stakeholders including any residual risk.

Risk Acceptance: Risk Acceptance is defined as “The decision to accept risk”. Risk Reduction is a decision step to agree to take action, Risk Acceptance is a decision step to accept the level of risk or residual risk or to take no further action. A key part of Risk Acceptance is to formally record the decision by management team and communicate this to the relevant stakeholders.

It may not be practical to try to eliminate all risk. After the process has been analyzed, a decision shall be made either to accept the risk or to consider process changes and continue the analysis of the changed process to further reduce the risk.

Residual risk: The risk remains after process changes, including risks introduced as a result of those changes, are considered residual risks.

After all risk controls have been implemented and verified, the residual risk is reviewed for acceptability and shall be evaluated using the criteria defined in the Risk Management Plan. If the residual risk that remains is not judged acceptable, further risk control measures shall be applied. If new mitigations are incorporated into the original Risk Analysis, residual risk must be reassessed.

In the event residual risk remains, a determination will need to be made to accept this residual risk or the following actions may be considered : •	Modify the process to reduce the risk to an acceptable level. •	Enhance the method of detection to reduce the risk to an acceptable level. •	Employ the new process that has an acceptable level of risk.

RPR acceptance and recommended actions: There is no threshold value for RPRs. In other words, there is no value above which it is mandatory to take a Recommended Action or below which the team is automatically excused from an action. RPR acceptance criteria and recommended actions should be described as part of risk evaluation program.

Risk Communication & Risk Review: Risk Communication: Risk communication shall be sharing of information about risk and risk mitigation between decision makers and others.

The output/result of the quality risk management process shall be appropriately documented and communicated.

Communication shall include between parties; e.g. regulators and industry, industry and the patient, within a company, industry or regulatory authority etc.

Risk communication shall be related to the existence, nature, form, probability, severity, acceptability, control, treatment, detectability or other aspects of risks to quality.

After completion of risk assessment process, the mitigation actions proposed for the risk shall be communicated to the responsible members for implementation of controls.

After successful calculation of RPR, any residual risk identified where the RPR is high shall be communicated to the Senior Management for further levels of action.

Suggested actions by the Senior Management shall be communicated to the risk mitigation team for risk reduction or acceptance with justification. Risk Review: Once a quality risk management process is initiated, that process shall continue to be utilized for events that might impact the original quality risk management decision, whether these events are planned (e.g. results of product review, inspections, audits, change control) or unplanned (e.g. root cause from failure investigations, recall).

Risk review is a periodic review of risks as part of the ongoing quality management process. Example: Risk review includes periodic management review, as part of a change control program or as part of annual product reviews or during the deviation/incident investigation. The performed risk review should be integrated into the applicable quality management system.

The quality risk assessment document shall be forwarded to all the applicable stake holders for review to assess the adequacy of the risk evaluation and action. The Head quality or designee shall approve the QRM document based on the evaluation.

QRM shall provide documented, transparent and reproducible methods to accomplish steps of the quality risk management process based on current knowledge about assessing the probability, severity and sometimes detectability of the risk.

The following are the list of risk management tools: •	Basic risk management facilitation methods (flowcharts, check sheets etc.). •	Failure Mode Effects Analysis (FMEA). •	Failure Mode, Effects and Criticality Analysis (FMECA). •	Fault Tree Analysis (FTA). •	Hazard Analysis and Critical Control Points (HACCP). •	Hazard Operability Analysis (HAZOP). •	Preliminary Hazard Analysis (PHA). •	Risk ranking and filtering. •	Supporting statistical tools.

Note: It is important to note that no one tool or set of tools is applicable to every situation in which a quality risk management procedure is used.

The items contributing the quality risks are categorized as mentioned below.

System Risk (Facility & People): Example: Interfaces, operators risk, environment, components such as equipment, IT, design elements.

System Risk (Organization): Example: Quality systems, controls, measurements, documentation, regulatory compliance

Process Risk: Example: Process operations and quality parameters.

Product Risk (safety & efficacy): Example: Quality attributes, measured data according to specifications.