Professional Documents
Culture Documents
Standard Operating Procedure Pharmaceutical Quality Risk Management Tools
Standard Operating Procedure Pharmaceutical Quality Risk Management Tools
1.0 Purpose
This SOP defines the approach to Quality Risk Management (QRM) of a GMP site and gives practical
examples for tools which may be used to facilitate the process and to aid personnel performing the
assessment.
2.0 Scope
Applicable to any process at a GMP site which requires a Risk Management approach. The applicability
of QRM methodology and the corresponding level of documentation may vary depending on the
individual circumstances. Examples of circumstances to which QRM may be applied in conjunction with
existing SOPs include but are not limited to:
· Identification and evaluation of the potential quality and compliance impact of product and/or
process deviations, including the impact across multiple and/or divergent markets.
· Evaluation and determination of the scope of internal and external quality assessments such as
quality concern investigation systems, complaint handling, out-of-specification investigation, quality
control testing etc.
· Determination of the scope and extent of commissioning, qualification and validation activities for
facilities, equipment and production processes.
· Risk tools for engineering project evaluation and validation projects are not included in this
procedure. References to those tools are made in Appendix 6 and 7 of this procedure.
3.0 Responsibility
The extent to which QRM is used and documented shall be consistent with the complexity and/or
criticality of the issue to be addressed.
Site Quality Review Team has oversight responsibilities for all QRM activities.
Department Heads, Process and System Owners and Project Leaders are responsible for ensuring that
risks to quality, compliance and other site functions are considered, understood and managed to an
appropriate level within the GMP site.
They must ensure that a suitable Quality Risk Management process is implemented and that
appropriate resources with the necessary competence are involved. They must also ensure the
involvement of all stakeholders.
Department Heads, Process and System Owners and Project Leaders are responsible for ensuring that
there is a process for reviewing and approving documented quality risk assessments and that
appropriate records are retained.
QA Associates and Laboratory Supervisors involved in deviation, complaint and OOS investigation
should follow the risk tool “Risk Ranking and Filtering – Method 1” as demonstrated in appendix 1 for a
quick turn around in decision making.
QA Associate, Production and Engineering supervisors or anyone who is involved in manufacturing and
regulatory change management, in-house rework, supplier quality audit and other analysis of
4.2.1 Risks are multi-dimensional and a shared understanding is a prerequisite for the success of
any risk management process. The initiation phase of the QRM process involves
understanding the risk event by defining and agreeing the context, the scope and the
tolerability criteria for the quality risk assessment, together with any underlying assumptions.
4.2.2 Initiation of QRM process should involve all the stakeholders. All the relevant information is
assembled and shared, any gaps are identified and analysis tools are selected.
4.2.3 The scope of the quality risk assessment must be clearly defined both in business and
technical terms. The scope should clearly establish the boundaries of the process, system,
project or activity being assessed and any inherent assumptions that are made. It should
consider possible interactions outside the boundary and their potential impacts.
4.2.4 The risk assessment process evaluates the tolerability of the identified risks against some
defined criteria to determine whether any mitigating actions are required. A common approach
to establishing criteria is to divide risks into five categories:
· A very high risk band where adverse risks are intolerable whatever benefits the activity
might bring and risk reduction measures are essential, whatever the cost.
· A high risk band where the risk would not be generally acceptable unless there were
very significant benefits and where reduction measures are expected as the norm.
· A medium risk band area where costs and benefits are taken into account and
opportunities are balanced against potential adverse consequences.
· A low risk band where positive or negative risks are small and where potential benefits
can only be justified at minimum cost.
· A very low risk band where positive or negative risks are negligible or so small that no
risk treatment measures are necessary.
4.2.5 A team comprising individuals with the education, training and experience relevant to the issue
or situation under evaluation should undertake the risk assessment process. A subject matter
expert (SME) should also be consulted or involved to ensure that best practice is followed.
4.2.6 Each Risk Assessment is reviewed and approved by appropriate department heads and
stakeholders. Consideration should be given to consultation of the EHS team. Quality
Assurance Manager or a delegate should review and approve all compliance related Risk
Assessments.
· Risk Assessment conducted for calibration interval; supplier assessment and external
supplier audit frequency; engineering and validation projects do not need a reference
number. Hence, an entry to Risk Register is also not required.
· All initiated Risk Assessments using the tool “Risk Ranking and Filtering – Method 2”
are logged into the Risk Register. The hard copy register is located in the “Risk
Assessment and Quality Investigation” folder kept in QA office.
Table 1: Risk management tools and methods applicable to Site quality systems
Risk Tools /
Descriptions Area of Application in Site References
Methodology
A quick method to compare Examples: Quality concern The method is
and rank risks, typically investigation such as Deviation demonstrated in
involving evaluation of a handling, Product Complaint Appendix 1. This
unique risk event (i.e. investigation, Out of Specification method is designed
Risk Ranking
deviation / complaint / investigation. to apply quickly in
and Filtering –
OOS) by weighting each The tool can also be used for any repetitive quality
Method 1
risk dimension severity, other quality and compliance events, as such, use
probability and detectability issues where a risk event is of a formal template
associated with the event. repetitive and a quality decision is each time may not be
urgent. necessary.
A descriptive method to Examples: Manufacturing and The method is
compare and rank risks, Regulatory Change Management; demonstrated in
typically involving Rework management; Appendix 2 and
Risk Ranking evaluation of multiple Establishing external supplier Appendix 5. Entry to
and Filtering – diverse quantitative and quality audit frequency. risk register for
Method 2 qualitative factors for each The tool can also be used for Method 2 is
risk, weighting factors and analysing a manufacturing necessary. Use of a
risk scores. process to identify high risk steps formal template is
/ critical parameters. recommended.
Evaluates potential failure Examples: Change of critical The method is
modes for processes, and instrument Calibration intervals; demonstrated in
the likely effects on evaluation of equipment and Appendix 3, 4. Entry
outcomes and/or product facilities; quality risk management to risk register for is
performance. Once failure for supplier; preventive not necessary. Use of
Failure Mode
modes are known, risk maintenance; process, cleaning a formal template is
Effect
reduction can be used to and computer validation projects. recommended.
Analysis
eliminate, reduce or control
(FMEA)
potential failures. Relies
upon product or process
understanding. Output is a
relative ‘risk score” for each
failure mode.
4.7.2 The risk assessment document should be routed for approval to all impacted system owners
and the Quality Assurance. The documentation package should contain all documented
aspects of the QRM process.
4.7.3 Implementation of the notification system cannot proceed until all approvals are obtained. The
risk assessment process should be repeated any time a change is introduced that impacts the
practice, e.g. change in regulations related to investigations, change in direct impact
assessment, etc.
The second parameter is the “Probability that the event will be detected if it will occur again”. Here the rating
can fall between 0 to 6.
After assigning the weights for both the parameters, total probability could be determined by adding the rate of
“Probability that the risk event will occur again” and “Probability that the risk event will be detected if it will occur
again”.
An Example
For instance after an initial investigation on a deviation if QA would find the,
“Impact on Product Quality and GMP” scored 2,
“Probability that the deviation will occur again’ scored 2 and “Probability that the deviation will be
detected if it will occur again” scored 2. Than, the total probability score will be 2+2 = 4.
Plotting this rating for both the variables will assess the risk as level 2 class. This example is depicted
in the following figure.
Rank Description
1 No Chance of Occurrence
2 Chance of Occurrence is Remote
3 Occurrence is Unlikely
4 Occurrence is Probable
5 Occurrence is Definite
Threshold Interpretation:
Risk
Actions
Score
5 5 10 15 20 25
4 4 8 12 16 20
Probability 3 3 6 9 12 15
Score 2 2 4 6 8 10
1 1 2 3 4 5
1 2 3 4 5
Severity Score
Once the individual risk factors have been ranked, the Total Risk Score is calculated using the values
assigned for probability and severity. The Total Risk Score is calculated as shown below.
The impact of an instrument calibration failure from the standpoint of probability, severity, and detect ability may
be determined through the integration and factoring of multiple parameters associated with each criterion as
illustrated in the following Table.
Probability
Knowledge of the effects of design and construction can be gained through a review of the maintenance history
of the instrument, comparing it to similarly designed instruments, and by knowing the age of the instrument
(period of time in use). For each of these parameters, if the data and relevant information is not known, the risk
should be assumed to be high.
The following criteria may be used to determine risk ranking for failure probability.
1. History
There are three (3) possible scenarios illustrated in table where instrument history may be used
to determine risk ranking for failure probability.
Specifically,
2. Environment
The environmental situation can be divided into sub-categories as illustrated in Table. For
purposes of risk assessment, the environmental sub-category with the highest risk determines
the risk ranking for failure probability.
(EMI)
Instrument is in an
Instrument is in a
exposed, dirty
Instrument is located in a protected cabinet, or
Dust / Dirt / Chemical environment
clean, dry, area that does removed for area wash
Wash down subjected to frequent
not get washed down down. light dust and no
wash downs or
chemical exposure
chemical exposure
Instrument is portable
Instrument is permanently and moved frequently or Instrument is
Vibration and shock mounted in a stable may be exposed to subjected to severe
environment occasional vibration or shock and vibration
shock
Instrument is kept in a Instrument is located in a Instrument is located
Physical Damage segregated or protected moderate traffic area and in a high traffic area
area potentially susceptible to and susceptible to
Maximum Risk
Numerical
Ranking
Score
(Table I) (Table II) (Table III)
Criteria used: Instrument Criteria used: Impact on human Criteria used:
history, environment, range safety, environmental, GMP / Automatic / Manual
of use, & age Product, production, cost, energy operation, Operator
verification
1 Low Low Low 1
2 Medium Medium Medium 8
3 High High High 27
Risk illustration:
To assign the appropriate level of risk, a simple Low, Medium, High model with a corresponding numerical
designation of 1, 2 and 3 will be used. Each criterion (probability, severity, detectability) can therefore have a
numerical rating of 1, 2 or 3 that will determine the risk score. The risk score for each failure mode is obtained
by multiplying the individual scores for each criterion. For example:
Recommended frequency for Instrument Calibration Intervals change – The frequency selected will all be
relative to the risk score resulting from the assessment.
Low score will justify broader or less frequent calibration verification from the established guidance table.
High risk score will require adherence to the calibration table or perhaps Team review to tighter than published
guidance.
The sample risk assessments below are to serve as “examples” only and used as illustration of the approach.
Actual situation requires a team assessment and review of site coordinator.
Severity of Failure
calibration interval:
Instrument Type
Risk
Recommended Since it is low
Y or N
Score
Calibration Period probability and easily
(Failure
(months) from table detected, consider
Mode)
increasing the
calibration interval to
24 months.
Humidity Packout 3
Y 1 3 1 12 months 24 months
Transmitter Room (Low)
The Purchasing team responsible for procurement of the material/product should complete the Supplier Quality
Risk Assessment based on analysis of their quality experience and knowledge of the supplier and supply
chain(s) for the material(s) supplied. All completed supplier Quality Risk Assessment must be reviewed and
approved by Quality Assurance Manager.
For suppliers providing multiple materials, the highest risk category should be assigned. The Supplier Quality
Risk Assessment is completed as described below using the Quality Risk Evaluation Form described in Table
2.
1. Read the questions in sequential order (i.e., a→b→c, etc.) and determine the first lettered
question that can be answered with a "yes".
2. Enter the corresponding quality risk value from the Answer column into the Quality Risk Score
column.
3. After completing all five risk factors, sum the individual Quality Risk Scores to calculate the
Total Quality Risk Score.
4. Complete the Supplier Quality Risk Evaluation by comparing the Total Quality Risk Score to the
following Risk Levels and assign the supplier the corresponding Risk Level:
· Is the supply chain known and how complex is the supply chain for the
material?
· Does the supplier have quality system controls over transportation and
handling?
Non-Conformance · What testing is done by Site on the material?
Detection by Site
· Are there non-conformances detected by the end user that should
have been detected by the supplier?
Answer
1. Intended Purpose
If yes.
a. Is the material a finished Drug Product, Active Pharmaceutical Ingredient (API), High
excipient for a parenteral product or does it have specific tiled regulatory requirements? Risk.
enter 5
If yes.
Medium
b. Is the material a non-sterile excipient, primary packaging, regulated printed packaging,
Risk.
registered starting material or reagent contributing to significant molecule structure?
enter
2.5
If yes.
c. Is the material a solvent used in processes, secondary packaging or non registered
Low Risk,
material?
enter 0.5
Quality Risk Score:
(i.e. medium / high / low)
2. Supply Chain Complexity
If Yes,
High Risk,
Is the material manufactured and/or handled in a region where there is a lack of robust
enter 54
pharmaceutical GMP quality system orientation and/or a lack of robust regulatory oversight?
If No, enter 0
a. Is the supply chain complex with more than three sites involved in the manufacture,
finish and/or handling of the material with limited quality oversight of the supply chain? If yes.
OR High Risk.
enter 20
b. Is the supply chain not completely known?
c. Is the supply chain complex with more than three sites involved in the manufacture,
finish and/or handling of the material with adequate quality oversight of the supply
chain?
OR If yes.
Medium
d. Does the supply chain contain two or three sites involved in the manufacture, finish Risk
and/or handling of the material with limited quality oversight of the supply chain? Enter 10
OR
OR
If yes.
b. Does the supplier Quality System either lack effectiveness or the effectiveness is
High
unknown?
Risk,
OR
enter 25
c Is the supplier new to Site, have no previous Site Audit history or has a Conditionally
Acceptable rating?
OR
b. For Drug Products. API and excipients, is there no specific ID or potency testing
performed by Site (i.e. testing for impurities, identification testing using methods with
high selectivity and specificity, etc.)?
OR
If yes.
c. Do the economics of the material make it subject to fraudulent activities (value of
material, demand exceeds supply, disproportionate pricing)? High Risk
enter 25
OR
d. Is the material subject to the potential contamination with known adulterants to improve
the apparent activity or potency of the pharmaceutical ingredient.
OR
Table 1: Examples of Risk Factors and Severity (this list is not all inclusive)
Severity
Hazard Risk Factor
General / Specific
a. Type of material/component/service
1. APIs
2. Labelling/Inserts
Quality/ 3. Raw Materials (e.g., Excipients, Processing Aids, Solvents,
Regulatory Gases, Lubricants, Cleaning Agents)
Material compliance
Supplier 4. Packaging Materials, Primary and Secondary
5. Service providers such as contract laboratories, calibration,
HEPA certification and gamma
6. Distributors/Warehouses/Brokers
b. Number of products involved/volume of material involved
Business
(quantity and/or cost)
Table 2: Examples of Risk Factors and Probability (this list is not all inclusive)
5. Define the Risk Evaluation Matrix and Determine the Action Thresholds
Prior to completing the risk assessment using the scales established for severity and probability. An
evaluation matrix must be constructed to aid in evaluation of the total risk scores (severity x probability)
derived for each hazard.
An example of a risk evaluation matrix and corresponding action thresholds is shown below. In this
example the values in the green boxes (risk scores 1-4) represent low risk and could be audited every 5
years. The values in yellow (risk scores 5-14) represent medium risk and could be audited every 3
years. And the values in red (risk 15-25) are high risks to be audited annually.