Quality Risk Management in Analytical Laboratory

Quality Risk Management in Analytical Laboratory

The Quality of the Product Drugs or Drug Product is evaluated in Quality Control analytical laboratories, So It is important to understand that the “services” and “output” of a Quality Control / Analytical Laboratory is directly related to Safety, Identity, Strength, Purity (efficacy), Quality of a Drug Product, and Patient safety. An effective Quality Risk Management approach in Analytical Laboratory can further ensure the high quality of the drug product to the patient by providing a proactive means to identify and control potential quality issues during the development and manufacturing of Drug Products and thus ensuring the health of the consumer.

Purpose of Quality Risk management in Analytical Laboratory

Identify the different Risk Areas which Analytical Laboratories can have in compliance with the GLP Requirements, cGMP / Quality System

  1. Requirements and Safety requirements of Laboratory
  2. Identify the technical requirements for assuring Compliance of Analytical Laboratory functions with regulations and procedures under the GLP OR ISO global standard for accreditation OR NABL accreditation of Analytical Laboratory.
  3. Identify the most commonly used tool for Risk assessment.
  4. Review the industrial guidance for rating severity, occurrence, and detectability.
  5. Recognize the basic requirement of the infrastructure, resources, facilities, and Quality System implementation in the Analytical Laboratory
  6. Identify the Risks and areas of development/improvement in the Analytical Laboratory and prepare the Quality Circle plans based on Risk Management principles.
  7.  Assess opportunities to improve Quality Management through defining Quality goals and implementing a quality design process.

Quality Risk Management Road Map

1. Step 1: Plan
The Quality Risk Management project – For Planning QRM in Analytical Laboratory, it is important to discuss and decide –

  • Strategy for Implementation ( Risk-based Approach), Organization of QRM- The laboratory must have a general plan/strategy for how they will deal with risks and opportunities in relation to THEIR types of activities, in relation to THEIR clients, and types of analytical tasks.
  • Relevant, procedure(s) and tools must be in place in accordance with a plan.
  • The staff must have the necessary knowledge/ trained (and responsibility) about who does what, when, and how.

2. Step-2. Identify risks and opportunities for Improvement.
✓ There are several Guidance on Quality Risk Management used in Industry – ICH Q9, WHO Guidance on Risk Management ( working document QAS 10.376 R.2), the Orange Book on management of Quality Risk Management or ISO/IEC 17025 Risk management process. The Most commonly used Guidance are ICH Q9 and ISO 17025, any of the two should be considered.

A dedicated Risk Management Team should be identified and trained to take up the risk assessment, which may include members like Laboratory manager, Quality Assurance, subject matter experts, business development member,s and other experts of statistics, IT and administrator of Computerized system may be considered as team members.

Step 3: Assess and Evaluate the risk.

Depending on the complexity of operations in the Laboratory. The Risk Assessment may have to be methodical and all the potential problems ( Non-conformances, and Indicators of Improvement opportunities) that can arise from laboratory activities should be considered.
4. Step 4: Rank the risks and opportunities

to evaluate the extent of influence of Risk on Laboratory Performance and Quality of the output , So that Risk Priority for Corrective and Preventive Action could be decided .

5. Step 5: Determine CAPA to be taken.

The QRM team will have to recommend and decide on the actions to be taken to reduce or mitigate the Risk.

6. Step -6 Effectiveness of Risk mitigation/ risk reduction

Risk mitigation/ risk reduction actions should be monitored and residual risk should also be assessed if that is Acceptable.

7. Step-7 The communication

related to identified Risks, opportunities for improvement, Risk assessment & Risk ranking, CAPA for Risk Reduction must be made with all team members as well as all stakeholders.

8. Step-8 The Life cycle of Quality Risk Management

can be supplemented by an initiative like Quality culture, Quality Circle, so that the opportunities for improvement are identified well before they become a Risk area,

QRM Road Map- Identify risks and opportunities

1. Listing of Risk Areas and Risk Factors: The identification of hazards and the analysis and evaluation of risks associated with exposure to those hazards should be listed

I. Listing of identified non-conformances –

  1. discovered in Audits ( Internal Audit/Regulatory / Third Party audits,) or
  2. Periodic internal assessment Laboratory Projects ,
  3. Routine Analytical Work using the Quality metrics –
  • Invalidated Out-of-Specification (OOS) Rare (IOOSR),
  • The Percentage of attempted lots pending disposition beyond
    standard testing date,
  • The number of OOS results for lot release and stability tests for the product is invalidated due to lab error.
  • The percentage of reported complaints on Analytical test results by FDA may also be a meaningful metric.

II. Listing of Opportunities identified in the review of Quality System Indicators –

  • Laboratory Deviations,
  • Instrument Calibration Failures,
  • Equipment Break downs,
  • Repeated system connectivity issue ( network),
  • Repeated Power interruptions, etc.

III. Listing of improvement opportunities related to productivity metrics

The productivity metric is a measure of a unit of work as compared to a unit of time, and it can be utilized to determine department efficiency.

IV. Listing of the Improvement areas identified for Laboratory Performance KPIs ( Ley Performance Indicators ) such as –

a) Total Activity hours (The time your staff spends at the bench),

b) Turn-around-time for the analysis,

c) Uptime of devices,

d) Total space and free space on ELN or LIMS storage,

e) Uptime of ELN or LIMS

V. Listing of Improvement area identified for Efficient Laboratory functioning ( means working with efficient consumption of resources)

  • Monthly consumable use
  • Amount of wasted consumables
  • Consumable use per analysis
  • Consumables inventory control within budget.

Risk Evaluation

2. Risk Assessment ( Risk Priority Number = S*O*D)

– Evaluate the Consequences (Severity ) of the individual identifies Risk or risk Factor for example –

  • Impact on Quality of work,
  • Quantity of Output,
  • Impact on Patient safety,
  • Impact on Customer Satisfaction,
  • impact on finance/cost of the work per unit etc.

Critical – If the hazard is Critical (High )(Score -5),

Major – If the hazard is  Medium ( score 3) or

Minor – If the hazard is  Low ( Score 1)

– Evaluate Likelihood of occurrence-,

frequency of observed non-conformance in audit, or listed opportunity in internal assessments or observations in Quality Matrices, KPIs, or Performance measurement in a Time interval such as frequency of occurrence in 6 months/year, or frequency of in a bunch of Work Units say – in 10000 tests, or in 1000 test samples So categories are as

– Mostly Frequent (High)( 1 in 10 tests ),

Frequent (Medium)(1 in 100 test),

unlikely (Low) to occur( 1 in 1000),

– Evaluate the Detectability of Occurrence:

Evaluate if the Quality System and Practices in Analytical Laboratory has Controls to identify the Non-Conformances.

– This evaluation will have varying degrees of detectability, Hence should be evaluated case by case. So categories Most likely to be detected (High)( Score 1), Likely to be detected ( Medium) ( Score 3) Unlikely to be detected (LoW) ( Score 5)

Quality Risk Management

Quality Risk Management Tools in Analytical Laboratory

1. Process Flow Mapping of Analytical Work and applying HACCP principle to identify the Risk Area, evaluate the impact on Performance of Analytical Laboratory
2. Applying FMEA to investigate, Deviations, Invalidated OOS, Invalidated Chromatograms , Analytical Errors .
3. Applying Fault Tree Analysis in poor Performance of analytical Methods
4. Investigation Lab Deviations: Fish Bone analysis, Histogram, Control Charts
5. Quality Tools – Histogram, Cause and Effect, Pareto to Identify the assess the Risk observed by Quality Metrics analysis, KPI achievement Analysis, Laboratory Productivity analysis, Laboratory work efficiency KPI
6. Applying Quality Circle for Continuous identification, Improvement, and control of Risk.

Critical Risks Area in Analytical Laboratory

The Analytical Laboratories whether it is a Research Laboratory, Quality Control Laboratory or commercial Testing Laboratory, the Risk is always associated with –
1. Analytical Sample / Work Management- Pre Analytical Stage, Analytical Stage and Post Analytical Stage
2. Compliance with Regulatory, Quality System ( Gxp Requirements ), Safety, Statutory Requirements, and Budgetary Requirements.
3. Quality of the Output, Performance of Laboratory.
4. Safety of the Personnel’s working in Analytical Laboratory, Safety of the Environment.
5. Resources and Facilities – with respect to match with the demand of Work and nature of work.

Risk Areas in Analytical Laboratories – Compliance with Gxp & Quality System

The Risk of Compliance with Gxp and Quality System is mainly in the following Areas –

1. System and Procedures for examples –

Inadequate Procedures – deficiencies in SOPs with respect to regulatory guidance by FDA, ICH, WHO, ISO, and other standing notifications and published articles, Acts, and Rules of Nation.

2. Standards – Inadequate or poor Implementation of Gxp – current Good Manufacturing Practices, Good Laboratory Practices, Good Computer System Practices ( e.g. Compliance with GAMP 5 )

3. Deficiencies in Compliance with Requirements published by Accrediting Bodies for Laboratory Certification – ISO/IEC 17025 Accreditation, Local FDA’s GLP certification ( USFDA 7/93), Indian Schedule L1

Reference of Regulatory ( Gxp) and Statutory Guidance for Risk assessment of Compliance

1. Good Laboratory Procedure – The GLP Requirement are well defined in various regulatory Guidance – US FDA’s 21 CFR Part 58, WHO’s Guideline on GLP – Quality Practices for non-regulated non-Clinical research and development, Pics – Good Laboratory Practices, OECD – Good Laboratory Practices, CDSCO GLP Guide Line
2. 21 CFR – 11, Annexure -11 for Electronic Data and Records
3. PICs Guidance on Computerized system Validation,
4. Compliance with GAMP -5 ( Good Automated Practiced –version5)
5. ISO -17025 – Quality System For Analytical Laboratory
6. NABL – Quality System Certification and Accreditation of Analytical Laboratory
7. WHO Checklist for Compliance Inspection of Analytical Laboratories Annexure-1
8. Indian Schedule -1 in D&C Act 1945 and amendments
9. OSHA ( Occupational Safety and Health Administration (US ) Guidelines of Safety –

  • Laboratory safety,
  • Analytical Method,
  • Chemical Hazard, and Toxic Substances – Handling,
  • Material Safety Data Sheet and
  • adequate Laboratory infrastructure and procedure.

Laboratory Out Put and Performance – Quality Matrices and Risk Identification

1. Uncertainty Analysis

  • When it comes to measurement, quality is important. In scientific measurement, it is customary to include a quantified estimate of measurement uncertainty when reporting measurement results.
  • The amount of uncertainty reported is perceived as an exhibition of the quality and confidence in the measurement result. It is commonly inferred that lower uncertainty equates to better measurement quality.
  • Therefore, it is important to identify the measurement capabilities that your laboratory specializes in and focus on reducing the measurement uncertainty for these disciplines.

2. Turnaround Time ( TAT):-

  • Turnaround time is a critical factor that directly influences customer satisfaction. Many customers claim they are searching for the best price.
  • However, every customer wants their equipment or test results returned to them as quickly as possible.
  • By reducing your turnaround time, you are more likely to create repeat customers and attract new clients.
  • Knowing your turnaround time allows you to gauge the performance of your laboratory throughput.
  • If you know where you currently perform, you can identify ways to improve laboratory processes that reduce turnaround time.
  • Calculating and tracking turnaround time will allow you to identify problems and indicators that decrease throughput, allocate resources to compensate workloads, and increase customer satisfaction.

3. Nonconformities & Complaints rate

  • Non-conformities and complaints are important metrics for evaluating the quality of your laboratory processes.
  • However, many laboratories do not want to admit that these events have ever occurred.
  • The result is most of these events go undocumented and unrecorded.
  • Not reporting and investigating nonconformities and complaints does not allow you to identify the problems that caused these events.
  • By identifying problems, we identify the Risk factors and can perform the Risk assessment.
  • Hence following matrices may be a means for Risk identification In absence of any evaluation of non-conformity and complaint processes continue to operate while continually repeating the same nonconformities.
  • These practices diminish the quality of work and the reputation of the laboratory.

4. Laboratory Equipment Usage Hour and Down Time Analysis

The Key Equipment Usage Hours – Percentage of hours when Equipment is in Use (= Running hours / 24 hours *100 – assuming the system can be operated for 24 hours ) can give meaningful data for Risk Identification,

Compliance Risk – A risk assessment by Internal Audit relationship

1. Internal auditors can be responsible for carrying out regular ‘ annual, in many cases ‘ assessments of an organization’s risk management program, particularly as they relate to regulatory compliance.
2. The audit compliance report produced forms the basis of continuous improvement, identifying any shortcomings and enabling compliance teams to put in place remedial actions while developing an effective compliance audit strategy should be a central part of any compliance program.
3. Having this level of compliance monitoring gives the business assurance that the risks they face are being tackled, and that appropriate steps are being taken to identify and manage the full range of business risks.
4. Key to this is the ability of compliance and internal audit teams to work together in order to deliver a 360-degree solution to Problems and non-conformances.

A 3 -

Risk-Based Approach

• Risk-based thinking allows organizations to;
I. Ensure that all the risks are considered from the very beginning itself and kept into consideration throughout the process approach.
II. Be proactive with their actions as a part of their strategic planning.
III. Identify the opportunities to improve, eliminating the existing loopholes from the system, processes, and workflows.
• Having a risk-management process imbibed into Quality Management helps organizations to have a smoother shift to the proactive strategy than purely reactive and preventive, encouraging an environment of continuous
• The most recent approach towards risk management is the PDCA cycle i.e. Plan, Do, Check, Act implementation:

A 4 -


Key risk areas must be identified and efforts focused only on the point of risk.
1. Risk Management Goals: Systematic process for identifying, assessing, mitigating, controlling, and communicating risk, based on Process and product understanding Recognize that zero risk is impractical and unattainable Aim is for acceptable risk Consistent with a risk-based approach based on ISO14971 (and ERES GPG) as well as other contemporary risk based tools.
2. Identify the Risk of compliance by periodic Inspection of Computerized systems and Quality System Software tools such as LIMS, Documentum, Trackwise, Lab notebook, Quality Module-SAP for Validation which can be part of Internal audit.
3. A detailed Checklist for compliance with Pics Guidance on Computerized system Risk Management should be implemented in the development phase, Qualification Phase , Implementation Phase, and Post Launch Phase for each individual IT Project.
4. The Functional Risk Assessment should be conducted and the risk in system controls should be identified
5. Risk assessment should be followed by Risk Reduction and Risk control strategies in form of CAPA actions

A 5 -

A 6 -

Common – Non-Conformances

• Calibration: Calibration overdue, No control to prohibit Equipment due for Calibration, Calibration failure, Repetitive calibration issues
Validation – No Validation or inadequate Validation of Analytical Laboratory Equipment,
Data Integrity Reported: Equipment Non-Compliance with 21CFR11, Poor Document and Data Control, Inadequate implementation of access control or poor control system privileges, Computerizes System Validation issues unresolved, Absence of or inadequate Training of Chemists, Managers, Lab Administrators, and Project Directors
• Inadequate CAPA Implementation, Repetitive occurrence of the Issues related to compliance with Document and data Control -SOPs, Analysis Process and procedures, Method Development, Analytical method performance.
• Equipment Malfunctioning unreported, inadequate investigation of Equipment Errors and analysis obstructions or discontinuation.
• Quality System Inadequacy with respect to published guidance of Gxp , ISO 17025, ICH , WHO or any other.

Benefits of Risk Management

• Risk Management offers organizations:
1. A proactive culture that encourages improvement.
2. Assurance for the products and service quality consistency
3. Improved customer satisfaction and loyalty
4. Platform to have a stronger knowledge base
5. An opportunity to improve operational efficiency
6. An opportunity to build confidence amongst stakeholders with improved risk handling techniques
7. The better system controls for risk analysis and lowered losses.
8. Improved system performance and resilience
9. To have an effective change management system as they grow.


Two primary principles of Quality Risk Management are:
1. The evaluation of the risk to quality should be based on scientific knowledge and ultimately link to the protection of the patient; and
2. The level of effort, formality, and documentation of the quality risk management process should be commensurate with the level of risk.

A 7 -

• Quality risk management activities are usually, but not always, undertaken by interdisciplinary teams. When teams are formed, they should include experts from the appropriate areas (e.g., quality unit, business development,
engineering, regulatory affairs, production operations, sales, and marketing, legal, statistics, and clinical) in addition to individuals who are knowledgeable about the Quality Risk Management process.

• Decision-makers should take responsibility for coordinating quality risk management across various functions and departments of their organization and ensure that a quality risk management process is defined, deployed, and
reviewed and that adequate resources are available.

Initiating a Quality Risk Management Process ( ICH Q9) in Analytical Laboratory

Quality Risk management Principles Quality risk management should include systematic processes designed to coordinate, facilitate and improve science-based decision making with respect to risk. Possible steps used to initiate and plan a quality risk management process might include the following:

I. Define the problem and/or risk question, including pertinent assumptions identifying the potential for risk.
II. Assemble background information and/or data on the potential hazard, harm, or human health impact relevant to the risk assessment.
III. Identify a leader and critical resources
IV. Specify a timeline, deliverables, and appropriate level of decision-making for the risk management process as per ICH Q9.

Risk Assessment- in Analytical Laboratory
1. Risk assessment consists of the identification of hazards and the analysis and evaluation of risks associated with exposure to those hazards (as defined below). Quality risk assessments begin with a well-defined problem
description or risk question.
2. When the risk in question is well defined, an appropriate risk management tool and the types of information that will address the risk question will be more readily identifiable. As an aid to clearly defining the risk(s) for risk assessment purposes, three fundamental questions are often helpful:
1) What might go wrong?
2) What is the likelihood (probability) it will go wrong?
3) What are the consequences (severity)?

Risk Assessment
1. Risk identification is a systematic use of information to identify hazards referring to the risk question or problem description. Information can include historical data, theoretical analysis, informed opinions, and the concerns of stakeholders. Risk identification addresses the “What might go wrong?” question, including identifying the possible consequences. This provides the basis for further steps in the quality risk management process.

2. Risk analysis is the estimation of the risk associated with the identified hazards. It is the qualitative or quantitative process of linking the likelihood of occurrence and severity of harm. In some risk management tools, the ability to detect the harm (detectability) also factors in the estimation of risk.

3. Risk evaluation compares the identified and analyzed risk against given risk criteria. Risk evaluations consider the strength of evidence for all three of the fundamental questions. In doing an effective risk assessment, the robustness of the data set is important because it determines the quality of the output. Revealing assumptions and reasonable sources of uncertainty will enhance confidence in this output and/or help identify its limitations.

Risk Control
1. Risk control includes decision-making to reduce and/or accept risks. The purpose of risk control is to reduce the risk to an acceptable level. The amount of effort used for risk control should be proportional to the significance of the
risk. Decision-makers might use different processes, including benefit-cost analysis, for understanding the optimal level of risk control.
2. Risk control might focus on the following questions:
✓ Is the risk above an acceptable level?
✓ What can be done to reduce or eliminate risks?
✓ What is the appropriate balance among benefits, risks, and resources?
✓ Are new risks introduced as a result of the identified risks being controlled?

Risk Control – Risk Reduction, Risk Acceptance

• Risk reduction focuses on processes for mitigation or avoidance of quality risk when it exceeds a specified (acceptable) level (see Fig. 1). Risk reduction might include actions taken to mitigate the severity and probability of harm.
Processes that improve the detectability of hazards and quality risks might also be used as part of a risk control strategy. The implementation of risk reduction measures can introduce new risks into the system or increase the significance of other existing risks.
• Risk acceptance is a decision to accept risk. Risk acceptance can be a formal decision to accept the residual risk or it can be a passive decision in which residual risks are not specified. For some types of harms, even the best quality
risk management practices might not entirely eliminate risk. In these circumstances, it might be agreed that an appropriate quality risk management strategy has been applied and that quality risk is reduced to a specified
(acceptable) level.

Systems and procedures-Risk Areas
• Critical SOPs which are mainly focused for review during the Risk Analysis –

  1. SOP of Sample/ Work management, (Testing of samples, Reporting of results, evaluation and assessment of data, reporting of results, Usage decision ) and conformance of SOP.
  2. SOP on Document and Data control – Creation of Standard Test procedure, Review approval, revisions, Management of Clients Standard Test procedure specific to sample.
  3. SOP on Qualification and Maintenance of Equipment and Calibration and conformance of SOP.
  4. SOP on Management of Computerized Systems Qualifications and assessment of the analytical system with 21 CFR Part 11.
  5. Management of Electronic Data and Electronic Records ( including Electronic signatures).
  6. SOP on Data management – Management of Records of Analysis – Data Creation, Review and Inferences on Data Review, Reporting of Results on Protocols and Reports (Certificate of Analysis).
  7. SOPs on handling Laboratory Reagents, Chemicals, Solvents, Hazardous Chemicals, and conformance of SOP.
  8. SOPs of handling Lab Deviations, Out of Specifications, Out of Trend, and conformance of SOP.
  9. SOP on operation and Analysis of Equipment – HPLC, GC, FTIR, FTNIR, TOC, HPLC-MS, GC-MS, NMR, Particle size analyzer, UV Spectrophotometer, Flame Photometer, Operation of Analytical and Micro-analysis balances, Autoclave, etc.
  10. Sops on handling storage of reference and working standards Sops on Handling of microbiological media and Cultures, Microbiological analysis – MLT, Sterility, BET, and Microbiological assays.
  11. SOP on Internal audit, investigation of Non-conformance, and implementation of CAPA.
  12. SOPs on Method Development, Method Qualification, and Method Verification (Pharmacopeial Methods) and Method Transfer.
  13. SOP in Impurity Profiling and Characterization of Impurity.
  14. SOP on development of Specifications of New Drug Substances and New Drug Products.
  15. SOP on Investigation of Product Testing Failures, (OOS), Instrument Failures Reported Product Quality issue’s Investigation.
  16. SOP On Quality Performance Review – Management Review, Quality Matrices review, and CAPA actions.
  17. SOP on the application of Statistical Quality Analysis – ANOVA, Control Charts, percentage Relative standards Deviations, Process Capability, Process Capability Indices.
  18. SOP on the safety of Laboratory- Handling, Toxic, Hazardous, Poison, Narcotic, and controlled substances.
  19. SOP on Stability Management – Registration, sample withdrawal, analysis, Result reporting, evaluation and assessment, reporting of unexpected spikes, an increase of impurity, and OOS.
  20. SOP on Investigation of Product Testing Failures, (OOS), Instrument Failures Reported Product Quality issue’s Investigation.
  21. SOP On Quality Performance Review – Management Review, Quality Matrices review, and CAPA actions.
  22. SOP on Document and Data control – Creation of Standard Test procedure, Review approval, revisions, Management of Clients Standard Test procedure specific to sample.
  23. SOPs on Method Development, Method Qualification, and Method Verification ( Pharmacopeial Methods) and Method Transfer.
  24. SOP on the safety of Laboratory- Handling, Toxic, Hazardous, Poison, Narcotic, and controlled substances.

As per GAMP-5, The following category of software is there-

• Category 1: Infrastructure Software (includes operating systems, database managers, middleware, and any other tools for network monitoring, batch job scheduling tools, etc.)

• Category 2 ( omitted)

Category 3: Non-Configured Software (includes all COTS software that comes with a default configuration)

Category 4: Configured Software (includes COTS systems that can be configured as per business processes as well as customized)

Category 5: Custom Software Note: “Firmware” was earlier classified as “Category 2” under GAMP 4.

This classification was removed under GAMP 5. GAMP suggests the identification and evaluation of risks
throughout the life cycle of the software.


For More Pharma Post and Jobs – Click Here

About Abha Maurya

Ms. Abha Maurya is the Author and founder of pharmaceutical guidance, he is a pharmaceutical Professional from India having more than 18 years of rich experience in pharmaceutical field. During his career, he work in quality assurance department with multinational company’s i.e Zydus Cadila Ltd, Unichem Laboratories Ltd, Indoco remedies Ltd, Panacea Biotec Ltd, Nectar life Science Ltd. During his experience, he face may regulatory Audit i.e. USFDA, MHRA, ANVISA, MCC, TGA, EU –GMP, WHO –Geneva, ISO 9001-2008 and many ROW Regularities Audit i.e.Uganda,Kenya, Tanzania, Zimbabwe. He is currently leading a regulatory pharmaceutical company as a head Quality. You can join him by Email, Facebook, Google+, Twitter and YouTube

Check Also