Quality Risk Management (QRM) gives the possibility of determining the impact of a deviation in a process or product in an objective manner, in order to categorise it and facilitate its treatment. ICH Q9 describes in detail a methodology to perform QRM, and defines it as “a systematic process for the assessment, control, communication and review of risks to the quality of the drug (medicinal) product across the product lifecycle”. ICH Q9 recommends the use of this approach for different purposes as described, including the identification of root causes and corrective actions during investigations of out of specification results, quality defects, complaints, trends, deviations, etc.

If there is no documented QRM available, and depending on the type of deviation, the organisation may initiate a QRM analysis to manage the deviation found.

Quality Risk Management Steps:-

Risk is defined as the combination of the probability of occurrence of harm and the severity of that harm, and could be followed by the probability of detection. A risk-based quality management system consists of the identification of hazards and the analysis and evaluation of risks associated with exposure to those hazards through a multidisciplinary approach. QRM consists of three main steps which actually work as a continuous improvement cycle:

  • Risk Assessment
  • Risk Control
  • Risk Review
  • Risk communication

Risk assessment

Risk assessment includes the following sequential activities:

  • Identification of Hazards, based on well-defined process description, and adequate sources of information (e.g. historical data; description of the possible consequences). It addresses the question “What might go wrong?”.
  • Risk Analysis estimates the risk associated with the identified hazards. “It is the qualitative or quantitative process of linking the likelihood (probability) of occurrence and severity of harms; in some risk management tools, the ability to detect the harm (i.e. detectability) also factors in the estimation of risk”.
  • Risk Evaluation “compares the identified and analysed risk against given risk criteria and the strength of evidence for all three of the fundamental questions”.

Risk control

Risk Control is a decision-making process to reduce the risk to an acceptable level. It includes:

  • Risk reduction: mitigation or elimination of the risk when it exceeds a specified level (not acceptable), in terms of severity and probability of harm. “Processes that improve the detectability of hazards and quality risks might also be used as part of a risk control strategy. The implementation of risk reduction measures can introduce new risks into the system or increase the significance of other existing risks. Hence, it might be appropriate to revisit the risk assessment to identify and evaluate any possible change in risk after implementing a risk reduction process”. Any implementation of risk reduction measures should follow the established change control system.
  • Risk acceptance is a formal decision to accept the residual risk or it can be a passive decision in which residual risks are not specified.

 1

Risk Review

The effectiveness of the risk management process should be reviewed periodically based on meaningful information “(e.g., results of product review, inspections, audits, change control) or unplanned (e.g., root cause from failure investigations, recalls). Risk review could include reconsideration of risk acceptance decisions”. Risk Review is an essential QMS activity which is incorporated in the overall lifecycle and continuous improvement approach. New information related to the occurrence of deviations should be incorporated as part of the Risk Review process. The incorporated information related to the deviation is evaluated in terms of possible new Risk Control measures, and, if necessary, back to the Risk Assessment step.

Risk Communication

Sharing of the outcome of the deployment of QRM is a key factor in the involvement of all staff.

The quality or effectiveness of the QRM exercise will largely depend on the level of scientific knowledge, experience on the selected process, and involvement of the process owner. Incomplete knowledge about a process and its expected or unexpected variability will not facilitate the QRM process. Training and identification of required skills including coordination, communication, discussion and leadership are also essential.

Purpose of Quality Risk Management

  • Improve the understanding of processes through identification of hazards in the manufacturing process.
  • Identification of critical points associated to those hazards.
  • Identification of risk reduction actions at critical steps.
  • Evaluation of effectiveness of actions.

Information sources for Quality Risk Management

  • Product Development Reports.
  • Process and analytical technology transfer documentation.
  • Specifications and control methods of finished product, intermediates and raw materials.
  • Specifications and methods of in-process controls (IPC).
  • Process flow diagram of each operation in each process stage, including operational parameters and established ranges.
  • Defined critical parameters with their appropriate justification.
  • Lists of equipment and measuring instruments to be used in the process, with their qualification, maintenance and calibration status.
  • Note: Input from R&D and Technology Transfer teams could be required.
  • For existing processes, the following additional information should be available
  • – Process and analytical data obtained from each of the intermediates and finished product.
  • – List of all Deviations, OOS, and documentation associated to the process under analysis.

Quality Risk Management tools

There are several QRM tools from which Failure Modes Effects Analysis (FMEA) is commonly applied due to its versatility. This tool is used for identifying potential failures and to examine the impact of deviations on product quality, and to propose more adequate corrective and preventive actions. The QRM is ideally performed prospectively.

FMEA includes the following aspects:

  • Probability, or frequency of occurrence.
  • Detectability, includes methods to detect deviations or their associated parameters.
  • Severity or how significant the deviation is in terms of impact of the deviation on
  • product quality and patient ́s safety.

The output of a risk assessment may be a combination of quantitative and qualitative estimation of risk. As part of FMEA, a risk score or “Risk Prioritisation Number or RPN” may be assigned to the deviation or to the stage of the process that is affected; this helps to categorise the deviation. RPN is calculated by multiplying Probability (P) (Frequency is the number of occurrences of a repeating event per unit time. It is also referred to as temporal frequency), Detectability (D) (Ability to discover or determine the existence, presence or fact of a hazard) and Severity (S) (A measure of the possible consequences of a hazard) which are individually categorised and scored.

Possible interpretation of the RPN used to categorise deviations:

  • Critical:- if RPN value is > 216.
  • Major:- if RPN value is > 40 and < 216.
  • Minor:- if RPN value is < 40.

Critical:- RPN between 216 (6 x 6 x 6) and 512 (8 x 8 x 8) is considered a critical risk and must be addressed immediately and treated as a critical deviation. Corrections shall be implemented as applicable. An investigation of the root causes and an in-depth investigation and CAPA process must always be carried out. The decision to release the batch (if applicable) should be made as part of the conclusion of the investigation process; in case the lot is already in the market, a series of actions may be required including product recall. CAPA and QRM should attempt to control or reduce the risk in the future by decreasing the frequency or probability of occurrence, by increasing the detectability or both.

Note: The table is designed to assure that a Severity value of 54 will be categorised as critical regardless of the highest detection level possible (value of 2), and a highly improbable frequency (value of 2); RPN would be of at least 216 (54 x 2 x 2), which is the minimum value for a Critical risk. Consequently, the associated deviation shall be categorised as critical. As an example, it can be mentioned a confirmed positive sterility test of a finished product. If there are deviations that could result in possible death to patient, they should be addressed immediately, especially if the product is in the market.

The investigation process should evaluate if other batches of product or other products manufactured or to be produced could be affected.

Major:- RPN between 64 and 216 is considered major risk and must be addressed in a timely manner as a major deviation. When applicable, the batch could be released depending on the conclusions of the investigation process. An investigation of the root causes as part of CAPA, and QRM if applicable must be initiated to control or reduce the risk by decreasing the frequency or probability of occurrence, by increasing the detectability, or both.

Minor:- RPN between 8 and 64 indicates a low risk and must be addressed in a timely manner as a minor deviation. Minor deviations normally do not interfere with batch release, but need to be closed before that. An investigation of the root causes and a QRM process could be initiated if needed. The necessary corrections and corrective actions shall be implemented as applicable.

11

22

33

44

FIND MORE AT…

Reference links

https://www.ich.org/fileadmin/Public_Web_Site/ICH_Products/Guidelines/Quality/Q9/Step4/Q9_Guideline.pdf

http://www.who.int/medicines/areas/quality_safety/quality_assurance/Annex2TRS-981.pdf