To provide a procedure for carrying out Risk assessment, evaluation, mitigation and review of risk by employing appropriate tool of Quality Risk Management Process.
Applicable to different aspects of pharmaceutical quality like development, manufacturing, testing, distribution, inspection and submission/review processes throughout the life cycle of drug substance, drug products including equipment, facilities, system, raw material, solvents, packaging, labelling and process and any other activity which is directly or indirectly affecting product quality.
3.1 Initiator/ Concern Department shall be responsible for:
3.1.1 Initiation of Quality Risk Management Process and facilitation of further action proposed at every stage of Quality Risk Management Process.
3.2 Head QA/ Designee shall be responsible for:
3.2.1 Approval of risk assessment proposal.
3.2.2 Formation of Quality Risk Management Team and Team leader.
3.2.3 Review, evaluation, advice and approval of Quality Risk Management and corrective action and preventive action generated by Quality Risk Management Team.
3.2.4 To assure that a Quality Risk Management process is defined, deployed & reviewed and that adequate resources are available.
3.2.5 To acknowledge risk communication, action plan in case of higher RPN and finding of the risk assessment report by signing as noted by.
3.2.6 Coordinating Quality Risk Management across various functions and departments of organization.
3.3 Quality Risk Management Team shall be responsible for:
3.3.1 Identifying all potential failures with respect to risk question / risk subject such as equipment, facilities, manufacturing process, packing, system and personnel etc. including relevant assumptions identifying the potential cause for the risk.
3.3.2 Preparation of action plan in case-of higher RPN and risk communication to all concern and further approval from Head Quality.
3.3.3 Assessing the adequacy of existing control measures.
3.3.4 Identifications and implementation of additional or new control measures as appropriate.
3.3.5 Specify timelines, deliverables and appropriate level of decision making for the risk management process.
4.0 Accountability: Head-Quality shall be accountable for ensuring compliance of this standard operating procedure.
ICH Q9 Quality risk management
WHO TRS 908 Annexure 7
EU GMP Annexure 20 Quality Risk Management.
6.1 Quality Risk Management process overview:
6.1.1 Quality risk management is a systematic process for the assessment, control, communication and review of risks to the quality of the drug product across the product lifecycle, systems, utilities, facility and other associated aspects.
6.1.2 Risk to product quality, patient safety and company reputation should be controlled through the implementation of robust quality management system and good manufacturing practices. These should include management controls, validation, internal audits and risk assessment etc.
6.1.3 The scope of quality risk management is limitless, following are a few examples which include but are not limited to:
22.214.171.124 Equipment/ Instrument and facility design.
126.96.36.199 Equipment/ Instrument and facility qualification.
188.8.131.52 Change management
184.108.40.206 Validation/ Revalidation
220.127.116.11 Assessments of the procedure / provision for their suitability etc.
6.1.4 In general, the below mentioned flow of the risk management cycle shall be followed while risk management of the process.
6.2.1 As per definition, risk assessment is a systematic process of organizing information to support a risk decision to be made within a risk management process.
6.2.2 It consists of the identification of hazards and the analysis and evaluation of risks associated with exposure to those hazards.
6.2.3 In general, the risk assessment process involves three fundamental question to assess risk which are:
a) What might go wrong? (Hazard)
b) What is the likelihood it will go wrong? (probability)
c) What are the consequences? (severity/ impact)
6.2.4 These give overall assessment in three initial steps of Quality Risk Management Process:
Step-I: Risk Identification
Step-II: Risk Analysis
Step-III: Risk Evaluation
6.2.5 Risk Identification:
The systematic use of information to identify potential sources of harm (hazards) & possible consequences (Impact/ Effect). It shall be assessed on the basis of:
• Historical data
• Theoretical analysis
• Informed opinions
• Concerns of stakeholders
• Brain storming sessions etc.
6.2.6 Risk Analysis:
Risk analysis is the estimation of the risk associated with the identified hazards. A qualitative or quantitative process of linking the likelihood and severity of harm by assessing the design / measures having control over their occurrence and detection.
6.2.7 Risk Evaluation:
The comparison of the estimated risk to given risk criteria using a quantitative or qualitative scale to determine the significance (i.e. acceptability on the risk criteria) of the risk.
6.2.8 Formal or Informal communication shall be given to concerned departments at each stage of the Quality Risk Management Process.
6.3 Risk Control:
6.3.1 The purpose of risk control is to reduce the risk to an acceptable level. The amount of effort used for risk control should be proportional to the significance of the risk.
a) Risk Reduction
b) Risk Acceptance
6.3.2 Risk Reduction:
Risk reduction focuses on processes for mitigation or avoidance of quality risk when it exceeds a specified (acceptable) level. Risk reduction process focuses to:
• Mitigate the probability of harm
• Improve delectability of hazards& risks
• Take care not to introduce new risks
• Revisit the risk assessment process for new risks or increased significance of existing risks
6.3.3 Risk Acceptance:
In all cases we might not entirely eliminate risk. For such cases risk may be accepted and consideration for the acceptance of risk shall be based upon significance of the risk on the product and scientific judgment. This shall be decided by Person(s) with the competence and authority to make appropriate and timely decisions
6.3.4 Risk Communication:
This aspect of Quality Risk Management Process is formal or informal process of risk communication to all stakeholders or concerns about the outcome of each stage of Quality Risk management process.
6.4 Risk Review:
6.4.1 Review or monitoring of output results of the risk management process considering (if appropriate) new knowledge and experience about the risk.
6.5 In conducting Risk Assessment, the basic steps are:
6.5.1 Risk Question / Subject Identification (Item/ Equipment/ Process/ Product/ System/ Facility/ Procedure/ Studies/ QMS Applications etc.)
6.5.2 Justification shall be provided for carrying out Quality Risk Management for Risk Subject as per Annexure-VII which shall be approved by Head Quality.
6.5.3 Formation of risk management team and team leader by Head Quality / Designee. The team should essentially include concern department representative and other members from quality assurance, production, engineering, QC, stores as applicable based on the topic under consideration. They should be experienced, acquainted with the subject and have adequate training on risk assessment. Team can be reassigned as and when required by Head-Quality/ Designee.
6.5.4 Explain the methodology to the team.
6.5.5 Prepare a flow chart or detailed process flow of the process under analysis. All steps in the process should be included. Attach the same to the risk assessment as an annexure (if required).
6.5.6 Risk Assessment number shall be issued by Quality Assurance
18.104.22.168 Log of Risk Assessment shall be maintained as per Annexure-IV with QA.
6.5.7 Risk Assessment shall be considered closed when all the risks are mitigated as per action plan up to a desired level of acceptance and reviewed after mitigation.
6.5.8 Whenever risk review shall be performed for logged risk assessment, then version number shall be increased as 01, 02, 03, ……… and so on.
6.6 Risk Management Methodology:
6.6.1 Risk management shall be performed by using any of the tool given in ICH Q9, for example,
• Failure Mode Effects Analysis (FMEA)
• Failure Mode, Effects and Criticality Analysis (FMECA)
• Fault Tree Analysis (FTA) etc.
6.6.2 Failure Mode Effect Analysis (FMEA)
FMEA is one of the most useful and effective methodology to ensure that potential problems have been considered and addressed throughout the product and process development stages. The goal of FMEA is to align the risks as closely as possible with its source.
Failure Mode: It is the way in which the process could fail to meet the requirements.
Following are the example of failure modes:
• Product not meeting specification
• Process not meeting yield requirements
• Critical process parameters not met
• Malfunctioning equipment
• Software problems
• Not meeting customer requirements
• Non compliance to Regulatory requirements
Failure Effect: It is the consequence of the failure.
Failure cause: It is what induces the failure-indication of how the failure could occur.
6.6.3 FAILURE MODE, EFFECT AND CRITICALITY ANALYSIS (FMECA):
FMECA methodically breaks down the analysis of complex processes into manageable steps. The FMECA is a formalized, systematic and analytical approach to failure prevention.
It can identify places where additional preventive actions might be appropriate to minimise risk. The aim of FMECA is:
• To create an awareness of potential failures.
• Establish a baseline for process knowledge and process effects.
• Identify, analyse and ultimately prevent potential failures as well as their effects and causes.
• Defines measures aimed at preventing and identifying (i.e. investigating) potential causes of failure and to monitor and demonstrate the effectiveness of such measures. Application of FMECA methodology helps quality controlling by specifying test parameters for any remaining risks to the product or process. FMECA is suitable for developing knowledge databases and, therefore, helps in preventing recurring failures. The output of an FMECA is a relative risk “Score” for each failure mode, which is used to rank the modes on a relative risk basis.
Note: FMECA is similar to FMEA. The C in FMECA indicates that the criticality (or severity) of the various failure effects, are considered and ranked. Today, FMEA is often used as synonym for FMECA.
22.214.171.124 List down the functions and malfunctions of product/ process/ system/ item/ equipment/ facility for which Risk Assessment needs to be performed. To gather maximum information, brainstorming sessions can be useful.
126.96.36.199 Designate which of the steps in the process constitute “Function” and identify elements of variation in equipment, methods, materials, control and management.
188.8.131.52 Determine which function represent potential “Failure Modes” or points of potential failure and record in Annexure-I.
184.108.40.206 Determine the worst potential “Effect” consequences of each of the failure modes.
220.127.116.11 Determine the “Contributory Factors” for each failure mode.
18.104.22.168 Identify and “Control” in the process. Controls are components of the process which:
(a) Reduce the likelihood of a contributory factor or a failure mode.
(b) Increase the detection level of failure before it leads to the adverse outcome (Effect).
Example of control measures are: procedural controls, engineering controls, supervisory controls, manual controls, training etc.
22.214.171.124 Rate the severity of each effect on a scale of 1-5. The impacts of controls that improve the severity of an effect are reflected in this rating as well.
1. No effect on output
2. Minor effect on output
3. Moderated effect on output.
4. Serious effect on output
5. Hazardous effect on output.
126.96.36.199 Rate the occurrence (likelihood of each contributory factor on a scale of 1-5. The impacts of controls that reduce the likelihood of occurrence of a failure mode or contributory factor are reflected in this rating as well.
1. Unlikely (doubtful)
2. Very rare
5. Almost certain (every time)
188.8.131.52 Based on the control measures, rate the effectiveness of each “Detection Control” on a scale of 1-5.
1. Always detected
2. Will detect failure
3. Might detect failure
4. Almost certain not to detect failure
5. Lack of detection control
• Prepare scale table for each Risk Assessment study individually for severity, occurrence and detection.
• Individual contributory factor for each potential failure mode should be rated.
• Available control measures in the process of risk assessment should be assessed by Risk Assessment team prior to determining the likelihood of occurrence.
• Historical data like maintenance record, complaints, deviations, and other applicable records should be reviewed for assigning risk rating i.e. severity, occurrence and detection of individual potential failure mode.
184.108.40.206 The product of the three rating is the risk priority number (RPN) for that contributory factor. For example: If severity rating is 3, occurrence rating is 2 and detection level is 1, then RPN = 3 x 2 x 1= 6
220.127.116.11 Depending on RPN rating, following decision should be made:
a) Failure shall be accepted if RPN is within the specified acceptable level i.e. ≤25.
b) Depending on the type of failure, appropriate action plan shall be implemented to control or reduce the occurrence to an acceptable level, if not, detection system shall be improved or both can be marked out.
c) In some cases, failure should be totally eliminated.
18.104.22.168 Rank the ‘Contributory Factor’ according to the Risk Priority Numbers. To determine RPN rank, RPN of individual contributory factors should be rated from high to low so that higher risk elements can be identified easily and same is illustrated in following example in which the higher RPN (here 20) shall be given Rank 1, below 20 (here 18) shall be given Rank 2, below 18 (here 14) shall be given Rank 3 and so on. If the same RPN is observed for more than one contributing factor then the same rank shall be allotted to all such RPN (here 10).
22.214.171.124 The ‘RPN’ determines the criticality of the failure mode which helps to determine whether the risk of failure should be accepted (No action may be required for the potential failure), controlled (take action to enhance detection or reduce the occurrence of the risk of the potential failure) or eliminated (prevent the potential failure).
126.96.36.199 Risk Assessment should be used to analyze the current process and evaluate the potential impact of change under consideration. For example: New equipment/ process, major modification. Calculate the estimated RPN each time you consider a change to the process, to evaluate the impact of the change. If RPN is high, then priority should be given to such items and based on the current control measures, action plan for additional measures require shall be made.
188.8.131.52 Acceptance criteria: In case the calculated RPN rating is greater than 50 those particular failures shall not be acceptable. Following is the risk matrix;
184.108.40.206 For RPN ratings ≤25, no action plan is required. However for the improvement purpose, action plan can be proposed for RPN rating ≤25, if required.
220.127.116.11 Action plan may be required if any of individual severity and occurrence is high (even if RPN is within Acceptance criteria).
18.104.22.168 Considering acceptance criteria, detailed action plans shall be drawn with responsibility and target completion date as per Annexure-II (Action Plan Sheet). In this annexure, tabulate the failure modes in the decreasing order of RPN and maximum RPN failure modes shall be addressed on priority wherever feasible. The reference of CAPA number for proposed action plan can be mentioned in description section of Annexure-II, (if required).
22.214.171.124 The effectiveness of the action plan shall be reviewed and discussed by the Quality Risk Management Team (and with the support of senior management, if required).
126.96.36.199 New risks introduced due to corrective action shall be analysed and taken care of after drawing action plans.
188.8.131.52 Closure date of action Plan, documented in the Annexure-II, shall be provided by the concern responsible person/ department / QMS Team (if, concerned) and same shall be verified by QA.
184.108.40.206 Whenever risk assessment is performed in response to any non conformance like complaints, deviations etc., existing risk assessment (if applicable) shall also be reviewed to evaluate the impact of risk associated with the reported non conformances. This review shall be recorded in the Annexure-II.
220.127.116.11 Examples of risk that may be identified include, but are not limited to:
a) Risk to manufacturing equipment such as equipment downtime, equipment damage, cost of replacing equipment parts and any potential for injury.
b) Quality of the finished product.
c) Incorrect composition
d) Raw material/ packaging material errors.
18.104.22.168 Examples of mitigation strategies that may be used to modify risk levels (RPN) are:
a) Modify process design such as additional data verification checks.
b) Introduce external procedures such as double checking to counter possible failures.
c) Increase the scope and level of testing applied during various stages of validation.
Note: Validation and In-process control requirement should be reviewed.
22.214.171.124 If any action plan require some change in the established procedure etc. then implementation shall be done as per change control procedure.
126.96.36.199 Risk communication is information sharing session between Quality Risk Management Team and other concerned departments/ senior management involved with different functions. The outcome/result of the risk assessment process should be appropriately communicated and documented as per Annexure-V.
188.8.131.52 Risk Assessment shall be reviewed after closure of action plan until all RPN are reduced to acceptable level. If required it can be reviewed meanwhile.
184.108.40.206 If action plan is not closed within the proposed TCD, Extension Form shall be filled by the initiator/concerned department as First review of risk assessment with proper justification for non-completion of the action plan and new TCD. In case the risk assessment exceeds the TCD from first review then the status and new TCD shall be filled as second review of risk assessment with proper justification. Further if activity is not closed within stipulated timeline of second review then it shall be reported to Head-Quality/Designee for further advice. The same shall be recorded in Annexure-X.
220.127.116.11 A review is also necessary in case of changes of product, process and specifications.
18.104.22.168 This review should be recorded in Annexure-VI where-enhanced control measures implemented from initial Risk Assessment need to be addressed and based on the additional or implemented control measures, RPN of individual contributory factor should be reviewed and Risk Assessment review conclusion to be drawn. In cases, where nature of risk may or may not be changed after-implementing enhanced control measures, depending upon the nature of the risk the same shall be escalated to management. During ‘Review of Risk Assessment’ any new failure modes and contributory factors can be assessed.
22.214.171.124 Whenever existing Risk Assessment is reviewed, the same Risk Assessment No. should be continued with change in Version Number.
|RPN||Risk Priority Number|
|ICH||International conference on Harmonization|
|QMS||Quality Management System|
|QRM||Quality Risk Management|
|≤||Less than or equal to|
|≥||Greater than equal to|
|S. No.||Serial Number|
|WHO||World Health Organization|
|TRS||Technical Report Series|
|GMP||Good Manufacturing Practices|
|CAPA||Corrective and Preventive Action|
|TCD||Target Completion Date|
8.0 Change History:
Annexure-I : Failure Mode Effect (And Criticality) Analysis – FME(C)A
Annexure-II : Action Plan Sheet
Annexure-IV : Risk Assessment Log
Annexure-V : Risk Communication
Annexure-VI : Risk Review
Annexure-VII : Justification for Risk Assessment Selection
Annexure-X : Extension Form
10.0 Distribution List: