Pda TR 54

Machine Translated by Google
PDA Technical Report No.54

Implementation of quality risk management in pharmaceutical and biologics manufacturing
Technical Report No. 54

Implementation of Quality Risk
Management For Pharmaceutical
and Biotechnology Manufacturing
Operations
Paradigm
Change in
Manufacturing
OperationsSM
PDA
Parenteral Drug Association
2012
Provided by Beijing Qilijia Consulting 1

1.0Introduction
1.0 Introduction
This technical report provides detailed guidance for the application and implementation of quality risk management (QRM) principles
throughout the product lifecycle. The report emphasizes QRM application during commercial manufacturing and integrating QRM into
the Pharmaceutical Quality System (PQS).
Companion documents provide detailed examples of characteristic operations and how QRM principles and tools can be applied for
biotechnology and sterile manufacturing of APIs, drug product (liquids and solids) manufacturing, packaging and labeling (eg, this
technical report provides information on the entire product life cycle Detailed guidance on applying and implementing quality risk
management is highlighted PDA Technical Report No.44).
in the report.
Use quality risk management in the commercial production of pharmaceutical products and integrate quality risk management with the pharmaceutical quality system
body. Similar documents (e.g. PDA Technical Report 44, etc.) provide detailed operational guidance on the aspects of quality risk management.
Principles and tools in biotechnology, production of sterile drug substances, production of pharmaceutical dosage forms (liquid and solid), packaging and
Labeling.
QRM is integral to an effective Pharmaceutical Quality System. Per ICH QlO, QRM is an "enabler" (along with knowledge
Pharmaceutical Quality System, management) that can provide a proactive (while also supporting a reactive)
approach to identifyingÿscientifically evaluating, and controlling potential risks to product quality and patient safety. QRM facilitates
continual improvement of process performance and product quality throughout the product lifecycle (1).
Quality risk management is necessary for an effective pharmaceutical quality system. According to the ICH Q10 phased report, pharmaceutical
Quality system: Quality risk management (together with knowledge management) can provide active and effective identification, scientific evaluation, and
and control potential risks to product quality and ensure patient safety. Throughout the product life cycle, quality risk management can
Promote continuous improvements in process performance and product quality (1).
Per ICH Q9, "Risk management

Quality Risk is
Management,
the systematic application of quality management policiesÿ proceduresÿ and practices to the tasks
of assessing, controlling, communicating, and reviewing risk."(2)

It is important to
understand that risk assessment is not synonymous with risk management. To be effectiveÿ
risk management should holistically encompass the entire product lifecycle. QRM is a living process and should be managed based
on knowledge gained throughout the product lifecycle. ICH Q9 specifically provides guidance on the principles and tools of QRM(2).
ICH Q9 Phased Report, Quality Risk Management: “Risk management is the systematic application of quality management policies, procedures, and
Assess options to control, describe, and review risks." It is important to understand that risk assessment is not synonymous with risk management.
important. To be effective, risk management should occur throughout the entire product life cycle. Quality risk management is a
Dynamic processes should be managed based on knowledge of the entire product life cycle. ICH Q9 clearly provides guidance on quality risk management
Implementation principles and tools are provided.
Implementation of QRM offers many benefits to industry and regulators. When applied effectively,these tools and principles enable
more effective and consistent risk-based decision-making (by regulators and industry') regarding the quality of drug substances and
drug (medicinal) products across a product's lifecycle. When successfully integrated into a company’s PQS ÿ QRM may reduce the
level of regulatory oversight that is applied to a company. This idea is further developed in ICH Q10, which discusses the potential
opportunities to be gained from the use of

QRM in terms of risk-based approaches. Effective risk management ensures better understanding of the product and process by identifying gaps in
knowledge and can enable a company to prioritize and focus resources appropriately.
Implementing quality risk management can bring many benefits to industry and regulators. Apply risk management throughout the product life cycle
management tools and principles for making risk-based decisions (regulatory and supervisory) regarding the quality of medicinal substances and medicines
produce a positive effect. For a company, when quality risk management can be organically integrated with the company’s quality management system,
Together, they can reduce the level of supervision of the company by quality regulators. Discussed further in ICH Q10
There are potential benefits from using a risk assessment-based approach. Through effective risk management, the company realizes the product and
Prioritize processes and realign resources more rationally.
QRM has been well established in the device and other non-pharmaceutical industry sectors. Over the last few years, the pharmaceutical and
biotechnology industries have begun to implement the principles and tools laid out in ICH Q9 in order to ensure that safe and efficacious drug products
are consistently delivered to every patient.
Quality risk management is already used in the mechanical industry and other non-pharmaceutical industrial sectors. Over the past few years, pharmaceutical and biotech
The medical industry has used the principles and tools of ICH Q9 to ensure that safe and effective medicines are available to every patient.
Realization of QRM is an evolutionary process. It requires a paradigm shift in mindsetÿbehaviors and in the way people work. Figure 1-1 depicts an
example of a maturity model for QRM.
Quality risk management is continuously improved and developed. There needs to be a change in mindset and behavior in people's work. Figure 1-1 Description
The development and maturity process of quality risk management model.
Figure 1-1 An example of a complete quality risk management model

Process Maturation
process improvement
1.1Purpose and Scope
1.1 Purpose and Scope
The task force that developed this report was comprised of experienced professionals from risk managementÿ manufacturing,
technology, quality, and regulatory authorities. The broad diversity in experience and expertise in the task force enabled rich,
balanced discussions from industry and regulatory perspectives; therefore, the content in this report does not represent the QRM
practices of any one particular organization.
This report is authored by leading authorities with expertise in risk management, manufacturing, technology, quality, and regulation.
composition. The authors' broad experience and opinions enable an insightful and balanced discussion between industry and regulatory perspectives: therefore, this newspaper
The contents of this report do not represent the quality risk management practices of any particular organization.
The task force recognizes that there are many approaches that can be used for implementation of the ICH Q9 guideline. This report
is intended to align with ICH Q9 and presents information that can be helpful to the reader on how to implement QRM. .The objective
is not to represent or replace regulatory requirements and guidance; nor does it establish legally enforceable requirements.
The Working Group recognizes that there are many approaches that can be taken to implement the ICH Q9 guidelines. The purpose of the report is to
be consistent with ICH Q9 and to present information to help readers implement quality risk management.
This technical report was distributed for public review and comment prior to publication to ensure its suitability as a valuable guide
for QRM implementation.
This technical report is distributed to the public for review and interpretation prior to publication to ensure that it serves as the basis for implementing quality risk management
A valuable guide.
2.0 Glossary of Terms
2.0 Glossary
The glossary of terms is based on definitions provided in current ICH, FDA, EU, ISO, and other regulatory guidelines, standards, or
industry publications. In some instances, two definitions are provided where both are applicable. Where definitions are not available
in such sources, the best available definition has been adopted or developed by the task force. Refer to ICH Q9 for a summary of
the common risk management tools. The following terms and definitions have been used in this technical report:
Glossary definitions are based on current ICH, FDA, EU, ISO, and other regulatory guidance, standards, or industry
publication. In some cases, two applicable definitions are provided. Some definitions are not applicable in some sources and the working group will adopt
Accept or develop the most appropriate definition. Summary of common risk management tools applicable to ICH Q9. Terms and definitions below
As used in this technical report:
As Low As Reasonably Practicable (ALARP)
As reasonably practicable (ALARP)
The ability to reduce risk. ALARP has two facets: technical and economic. Technical
practicability refers to the ability to reduce risk regardless of cost. Economic
practicability refers to the ability to reduce risk without making the product too

costly to produce. (ISO 14971)
Ability to reduce risk. There are two aspects to what is reasonably practicable (ALARP): technical and economic. Technical feasibility is not considered
Cost refers to the ability to reduce risk. Economic feasibility refers to the ability to reduce product manufacturing costs and reduce risks.
(ISO 14971)ÿ
Commissioning
debug
A well planned, documented, and managed engineering approach to the start-up and turnover of facilities, systems, and equipment to
the end user that results in a safe and functional environment that meets established design requirements and stakeholder expectations.
(ISPE Active Pharmaceutical Ingredients Baseline Guide Second Edition [June 2007])
Use an orderly plan, well-documented, and rigorous management method for the start-up and operation of facilities, systems, and equipment to
Enable end users to operate in a safe, functional environment. This environment meets established design requirements and system responsibilities
Anyone’s Expectations (ISPE Guide to APIs, Second Edition, June 2007)
Continual Improvement
keep improve
Recurring activity to increase the ability to fulfill requirements. (ICH Q10, ISO 9000:2005)
Recurring activities that improve the ability to meet needs (ICH Q10, ISO 9000:2005).
Control Strategy
Control Strategy
A planned set of controls, derived from current product and process understanding that ensures process performance and product
quality. The controls can include parameters and attributes related to drug substance and drug product materials and components,
facility and equipment operating conditions, in-process controls, finished product specifications, and the associated methods and
frequency of monitoring and control.(ICH Q10 )
A planned set of controls derived from current product and process understanding to ensure process performance and product quality. These controls
May include information related to drug substance and drug substances and components, facility and equipment operating conditions, process controls, finished product quality standards, and
Related parameters and attributes of monitoring and control methods and frequency (ICH Q10).
Corrective ActionCorrective Action
Action to eliminate the cause of a detected non-conformity or other undesirable situation.
NOTE: Corrective action is taken to prevent recurrence whereas preventive action is taken to prevent occurrence. (ISO 9000:2005)
Actions taken to reduce the causes of discovered nonconformities or other undesirable conditions.
NOTE: Corrective actions are used to prevent recurrence rather than preventive actions to prevent occurrence (ISO 9000:2005).
Criticality
critical
A classification of an item (e.g., process, equipment,parameter) that expresses the significance given to the impact of that item, and
should therefore be controlled or monitored to ensure product quality, safety or efficacy.
The classification of the project (e.g. process, equipment, parameters) is used to express the importance of its impact, in order to ensure product quality,
Safety or efficiency should be controlled or monitored.
Critical Process Parameter (CPP)

Critical Process Parameters (CPP)
A process parameter whose variability has an impact on a critical quality attribute and therefore should be monitored or
controlled to ensure the process produces the desired quality.(ICH Q8[R2])
A variable process parameter has an impact on quality critical attributes and should be monitored or
Control (ICH Q8[R2]).

Critical Quality Attribute (CQA)
Critical Quality Attributes (CQA)
A physical, chemical, biological, or microbiological property or characteristic that should be within an appropriate limit,
range, or distribution to ensure the desired product quality. (ICH Q8[R2])
A physical, chemical, biological, or microbiological property or characteristic that ensures that the
Desired product quality (ICH Q8[R2]).

Current Good Manufacturing Practices(cGMPs):
Current Good Manufacturing Practices (cGMPs)
Practices and systems that are required to be followed for pharmaceutical manufacturing to ensure that the products
produced meet specific requirements for identity, strength, quality, and purity.
Specifications and systems required by the pharmaceutical industry to ensure that products are manufactured to meet specific requirements for identity, strength, quality and purity.
Decision Maker(s)
decision maker
Person(s) with the competence and authority to make appropriate and timely quality risk management decisions. (ICH
Q9)
A person who has the ability and authority to make appropriate and timely quality risk decisions.
Detectability
Detectability
The ability to discover or determine the existence, presence, or fact of a hazard.
(I Q9)
The ability to detect or determine the presence, occurrence or fact of a hazard.
Enabler
supporter
A tool or process which provides the means to achieve an objective. (ICH Q10)
A tool or program that provides a means for achieving a goal.
Event Tree Analysis (ETA)

Event tree analysis (ETA)
A systematic technique that employs forward logic to construct a graphical representation of consequences resulting
from an initiating event.
A systematic technique for illustrating logical relationships arising from initiating events.
Failure Mode and Effects Analysis (FMEA)
Failure Mode and Effects Analysis
A systematic method for identifying, analyzing, prioritizing and documenting potential failure modes, their effects on
system, product and process performance, and the possible causes of fai1ure in order to prevent defects from
occurring.
A systematic approach to identifying, analyzing, sequencing and documenting potential failure effects on
System, product, and process performance are affected and the likelihood of failure is prevented.

Fault Tree Analysis (FTA)

fault tree analysis
A deductive technique used to analyze the causes of faults (defects). The technique visually models how logical
relationships between failures,human errors, and external events can combine to cause specific faults.
A deductive method used to analyze the cause of a failure (defect). This technical model vividly demonstrates the
The logical relationship between failure causes, human errors and external events.
Harm
harm
Damage to health, including the damage that can occur from loss of product quality or avai1ability. (ICH Q9)
Damage to health, including damage resulting from reduced quality or effectiveness of the product.
Hazard
Danger
The potential source of harm. (ISO/ IEC Guide51, ICH Q9)

Potential sources of harm (ISO/IEC Guide 51, ICH Q9).
Hazard Analysis and Critical Control Points(HACCP)
Hazard Analysis and Critical Control Points (HACCP)
A systematic, proactive, and preventive tool for assuring product quality, reliabilityÿ and safety.(WHO Technical
Report Series No 908, 2003Annex 7)
A systematic, forward-looking and preventive tool to ensure product quality, reliability and safety.
Hazard and Operability Analysis (HAZOP)
Process Hazard Analysis
A structured, systematic and qualitative technique for examination of a planned or existing process or operation
in order to identify and evaluate problems that may represent risks to personnel or equipment,or prevent efficient
operation.
Inspect plans, existing processes or operations in order to identify and assess risks to personnel or equipment, or to work more efficiently.
A structured, systematic, and quantitative technique for work.
Intended Use/Intended Purpose

Intended use/intended purpose
Use for which a product, process or service is intended according to the specificationsÿ instructions and
information provided by the manufacturer.
(ISO14971:2007)
Conform the product, process or service to its intended use in accordance with instructions, operating instructions, and information provided by the manufacturer.
(ISO14971:2007).
Knowledge Management
knowledge management
Systematic approach to acquiring, analyzing,storing, and disseminating information related to products,

manufacturing processes and components.(ICH Q10)
Systematically acquire, analyze, store and disseminate information related to products, manufacturing processes and components (ICH Q10).
Lifecycle
life cycle
All phases in the life of a product from the initial development through marketing until the product's discontinuation
(ICH Q8).
Occurrence in all stages of a product's life, from initial design to launch, until product retirement
possibility
Probabi1ity that an event potentially leading to harm will occur.
The likelihood that an injury will occur as a result of a potential event.
Pharmaceutical Quality System (PQS)
Pharmaceutical quality management system
Management system to direct and control a pharmaceutical company with regard to quality.(ICH Q10 based upon ISO
9000:2005)
A management system for pharmaceutical companies that guides and controls quality.
Preliminary Hazard Analysis (PHA)

Preventive Hazard Analysis
A tool of analysis based on applying prior experience or knowledge of a hazard or failure to identify future hazards, hazardous
situations and events that might cause harm, as well as to estimate their probability of occurrence for a given activity,
facility,product or system. (ICH Q9)
Based on the experience and knowledge related to previous hazards and failures, use the PHA analysis tool to determine the possible future consequences.
The risk of harm, hazardous situations, events, and the estimate of their likelihood of occurring in a given activity, equipment, product, or system
capability. (ICH Q9)

Preventive Action
Precaution
Action to eliminate the cause of a potential non-conformity or other undesirable potential situation.
NOTE: Preventive action is taken to prevent occurrence whereas corrective action is taken to prevent recurrence. (ISO
9000:2005)
Actions taken to eliminate the cause of a potential nonconformity or other undesirable situation.
Note: Preventive actions are used to prevent occurrence, while corrective actions are used to prevent recurrence (ISO 9000:2005).
Process Qualification
Process confirmation
Confirming that the manufacturing process as designed is capable of reproducible commercial manufacturing. (FDA
Guidance on Process Validation,January 2011)
Confirm that the designed commercial manufacturing process is reproducible during the commercial manufacturing phase (FDA Process Validation Guidance, 2011
January of the year).
Process Validation
Process Validation
Collection and evaluation of data, from the process design stage through commercial production, which establishes scientific
evidence that a process is capable of consistently delivering quality products.
(FDA Guidance on Process Validation, January 2007)

Collect and evaluate data from process design stage to commercial production to establish scientific evidence that the process can be continuously
Produce products of consistent quality (FDA Process Validation Guidance, January 2007).
Product Lifecycle
Product Lifecycle
All phases in the life of a product from the initial development through marketing until the product's discontinuation. (ICH Q8[R2])
All life stages from initial product development to launch to product withdrawal.

Qualification
confirm
Action of proving and documenting that equipment or ancillary systems are properly installed,work correctly and
actually lead to the expected results.
Qualification is part of validation, but the individua1 qualification steps alone do not constitute process validation. (ICH
Q7)
Activities performed to demonstrate that equipment or auxiliary systems are suitable for installation, work properly, and achieve expected results. Confirm it is verified
part of the certification, but the validation steps alone do not constitute process validation (ICH Q7). Quality
quality
The degree to which a set of inherent properties of a product, system or process fulfills requirements. (ICH Q9)
The extent to which a product, system, or process has a set of intrinsic attributes that meet requirements.
The suitability of either a drug substance or a drug product for its intended use.
This term includes such attributes as the identity, strength,and purity. (ICH Q6A)
The medicinal substance or drug is suitable for its intended use. These items include properties such as identity, concentration, purity, etc.
(ICH Q6A).
Quality Risk Management (ORM):

Quality risk management
A systematic process for the assessment, control,communication and review of risks to the quality of the drug
(medicinal) product across the product lifecycle.
(I Q9)
A systematic process for assessing, controlling, communicating and reviewing drug quality risks throughout the product life
cycle. Quality Target Profile (OTP)
Quality target attributes
A target product profile is a prospective and dynamic summary of the quality characteristics of a drug product that
ideally will be achieved to ensure that the desired quality, and hence the safety and efficacy, of a drug product is
realized.
The target product profile forms the basis of design for the development of the product. (ICH Q8[R2])
Anticipate and dynamically summarize the quality characteristics of drugs to theoretically ensure the expected quality, safety, and effectiveness. Product Catalog
Standard quality attributes are based on product development and design (ICH Q8[R2]).
Residual Risk
risk residual
Risk remaining after risk control measures have been implemented. (derived from ISO14971:2007)
Risks remaining after risk control measures have been taken (from ISO14971:2007)
Risk
risk
The combination of the probability of occurrence of harm and the severity of that harm.(ISO/EC Guide 51)
Combination of probability and severity of harm (ISO/EC Guide 51)
Risk AnalysisRisk
Analysis
The estimation of the risk associated with the identified hazards. (ICH Q9)
Evaluate risks in relation to identified hazards.
Risk Assessment
risk assessment
A systematic process of organizing information to support a risk decision to be made within a risk management process. It
consists of the identification of hazards and the analysis and evaluation of risks associated with exposure to those hazards.
(I Q9)
A risk management process that systematically applies information to make risk decisions. It includes the identification of hazard factors, as well as analysis and evaluation
The relationship between price risk and hazard factors.
Risk Acceptance
risk acceptance
The decision to accept risk. (ISO Guide 73)
Decide to accept the risk (ISO Guide 73)
Risk Communication
risk communication
The sharing of information about risk and risk management between the decision maker and other stakeholders. (ICH Q9)
Share information on risks and risk management among decision makers and relevant stakeholders.
Risk Control
risk control
Actions implementing risk management decisions.(ISO Guide 73)
Actions to implement risk management decisions (ISO Guide 73)
Risk Decision
risky decisions
A determination of acceptance or rejection of risk.

A decision to accept or reject a risk.
Risk Evaluation
risk assessment
The comparison of the estimated risk to given risk criteria using a quantitative or qualitative scale to determine the
significance of the risk.(ICH Q9)
Use a quantitative or qualitative scale to evaluate risk against a given risk standard to determine the significance of the risk
sex.
Risk Identification
Risk identification
The systematic use of information to identify potentia1 sources of harm (hazards) referring to the risk question or problem
description. (ICH Q9)
The systematic use of information to identify potential sources of risk problems or harms (hazards) described by risks.
Risk Management
Risk Management
The systematic application of quality management policies, procedures, and practices to the tasks of assessing, controlling,
communicating and reviewing risk.
(I Q9)
Systematically apply quality management policies, procedures and practices to risk assessment, control, communication and review tasks.
Risk Management Report
risk management report
Report that summarizes the outcomes of the QRM process.
A report summarizing the results of the risk management process.
Risk Reduction
risk reduction
Actions taken to lessen the probability of occurrence of harm and the severity of

that harm.(ICHQ9)
Actions taken to reduce the probability and severity of harm.
Risk Review
risk review
Review or monitoring of output/results of the risk management process considering (if appropriate) new
knowledge and experience about the risk. (ICH Q9)
Consider (if possible) applying new knowledge and experience about risk to review or monitor the outputs/results of the risk management process.
Senior Management
Senior Management
Person(s) who direct and control a company or site at the highest levels with the authority and responsibility
to mobilize resources within the company or site. (ICH Q10 based in part on ISO 9000:2005)
The highest-level personnel who guide and manage the company or factory and have the authority and responsibility to allocate resources (partially) within the company or factory
ICHQ10 based on ISO 9000:2005)

Severity
severity
A measure of the possible consequences of a hazard. (ICH Q9)
A measure of the likely consequences of a risk factor.
Stakeholder
Stakeholders
Any individual, group or organization that can affectÿ be affected by, or perceive itself to be affected by a risk.
Decision makers might also be stakeholders. For the purposes of this guideline, the primary stakeholders are
the patient, healthcare professional, regulatory authority. and industry.(ICH Q9)
Any individual, group or organization that can influence, be affected by, or recognizes that it will be affected by a risk. Decision makers may also
are stakeholders. The main stakeholders of this guideline are patients, healthcare professionals, regulatory authorities and industry.
boundary.
Trend
trend
A statistical term referring to the direction or rate of change of a variable(s). (ICH Q9)
A statistical term that refers to the direction or rate of change in a variable.

3.0 General Principles On Quality Risk Management ApplicationQuality Risk Management Application
Basic principles to use
A combined application of ICH Q8[R2] (Pharmaceutical Development), Q9 (Quality Risk Management) and QI0 (Pharmaceutical Quality System)
results in an enhanced knowledge of product performance over a range of material attributes, manufacturing process options, and process
parameters to further support the science and risk-based management of the product lifecycle.
The joint application of ICH Q8 (drug development), Q9 (quality risk management) and Q10 (pharmaceutical quality system) to a certain extent
It has greatly improved the understanding of product performance including material properties, production process selection and process parameters to further improve
Step by step support for product life cycle management based on science and risk management.
3.1 When, Where , and How to Apply Quality Risk Management

Apply quality risk management
One of the characteristics of a mature PQS is the effective integration of QRM into relevant processes throughout the product and process lifecycles.
At each phase in the lifecycle, QRM should be applied at a level that is commensurate with the knowledge available during that phase, and
complexity of the process. QRM should start with product design and progress to process design as the product advances to clinical and commercial
production. Risk assessments should be revisited throughout the product lifecycle (Figure 3.1-1) as additional process and product knowledge
become available. Additionally, QRM can be useful in identifying and managing similar risks for other products to facilitate continual improvement.
One of the characteristics of mature PQS is the effective integration of quality risk management throughout the entire product and process life cycle.
Integrated into relevant process management. At each stage of the life cycle, the degree of application of quality risk management should be consistent with that stage.
The available process knowledge of the segment is commensurate with the complexity of the process. Quality risk management should start at the drug development stage,
Quality risk management should be incorporated into the process design when products are used in clinical studies and commercial manufacturing. When getting extra work
When developing process and product knowledge, the risk assessment should be re-applied throughout the life cycle (Exhibit 3.1-1). besides,
Quality risk management is useful in identifying and managing similar risks for other products and can help achieve continual improvement.
3.1.1Quality Risk Management Application During Pharmaceutical Development
Quality risk management application in drug development stage
Per ICH QI0, the intent of the Pharmaceutical Development phase is to "design a product and its manufacturing process to consistently deliver the
intended

performance and meet the needs of patients, healthcare professionals, regulatory authorities, and internal customers."(1) This phase
provides the basis for scientific knowledge and understanding of the product.
According to ICH Q10, the purpose of the drug development phase is to “design a product whose manufacturing process can
properties to consistently produce medicines that meet the needs of patients, health care professionals, regulatory agencies and domestic customers." (1) This
The first stage provides the basis of scientific knowledge and understanding of the product.
During development, the application of QRM can support the development of systematic understanding of products and processes
beginning early in the lifecycle. The appropriate use of QRM principles can serve the following objectives:
During the development phase, the application of quality risk management can support the understanding of product systems and the development of processes early in the production cycle.
hair. Proper application of quality risk management principles can achieve the following goals:
•Design the product and process to reduce risk to product quality and to the patient.
Design products and processes based on reducing risks to product quality and to patients.
•Prioritize the pharmaceutical development studies needed to collect and enhance product knowledge.
Prioritize necessary drug development to gather and improve product knowledge.
•Establish a robust control strategy to adequately manage risks to Critical Quality Attributes (CQA) (per ICH Q8[R2]).
Establish a stable control strategy to achieve adequate risk management of critical quality attributes (CQA). (according to ICH Q8[R2])
Examples of how to apply QRM principles during the development phase include:
Examples of how to apply quality risk management principles during the drug development phase include:
•Developing a process that routinely meets critical quality attributes (CQA).

Develop a process that typically achieves critical quality attributes (CQAs).
•Developing a suitable drug delivery system.

•Develop a suitable drug delivery system.
•Identifying critical process parameters (CPP) and material attributes.
•Identification of critical process parameters (CPP) and material attributes
•Identifying appropriate ranges for CPP, material attributes and manufacturing controls.
•Identification of critical process parameters, material attributes and reasonable ranges of process control
•Supporting the selection and subsequent qualification of suppliers.

„Support subsequent selection of qualified suppliers
Risk management tools such as Risk Ranking and Filtering or Ishikawa diagram (also known as a Fishbone diagram) may be used to
identify variables that may have an impact on a critical quality attribute. These identified variables can then be further analyzed using
a qualitative/ semi-quantitative risk management tool such

as a Preliminary Hazard Analysis (PHA). Failure Mode and Effects Analysis (FMEA) may also be useful, particular1y during the later stages of
development.
Risk management tools such as risk ranking and screening or Ishikawa diagrams (also known as fishbone diagrams) can be used to identify
variables to critical quality attributes. These identified variables can be used as early as quantitative or semi-quantitative risk management tools
Perform further analysis using a step hazard analysis (PHA). Failure Mode and Effects Analysis (FMEA) may also be useful,
Especially in the later stages of drug development.
3.1.2 Quality Risk Management Application during Technology Transfer

Quality risk management application in the mobile stage
Per ICH QI0ÿthe goal of Technology Transfer is to "trasfer knowledge between development and manufacturing or between manufacturing
sites to achieve product realization . "(1) QRM application during thetechnology transfer phase can serve the following objectives:
According to ICH Q10, the purpose of technology transfer is "between the drug development department and the production department or in a different production position
"Carry out knowledge transfer to achieve the final production of drugs". (1) The application of quality risk management in the technology transfer stage can
To achieve the following purposes:
•Assess and manage risks to process and product quality as a result of the transfer or manufacturing scale-up.
•Assess and manage risks to process and product quality to achieve technology transfer and scale-up production outcomes.
•Facilitate knowledge transfer.

•Assist in the transfer of knowledge.
•Drive decisions for control strategies to reduce risk during commercial manufacturing.
Drive control strategy decisions to reduce risk during commercial production.
The outcomes of the QRM process can be used to implement corrective and preventive actions to appropriately manage identified risks and
provide timely management of process controls during the technology transfer process. QRM can be used to develop a risk based validation
master plan to determine the extent of the qualification and validation activities. During the technology transfer phaseÿ
detailed risk management tools such as an FMEA or Hazard and Operability Analysis (HAZOP) are Often used.
During the technology transfer process, the results of the quality risk management process can be used to implement corrective and preventive actions to properly manage
Identify risks and provide timely management of process controls. Quality risk management can be used to develop a risk-based
The certification owner plans to determine the extent of validation and verification activities. During the technology transfer stage, detailed risk management tools such as
FMEA or Hazard and Operability Analysis (HAZOP) is often used.

Per ICH Q10, the goal during Commercial Manufacturing is to "achieve product realization with suitable processperformanceÿ establish and
maintain a state of control, faciliitate continual improvement and expand the body of knowledge."(3)
QRM application during the Commercial Manufacturing phase can serve the following objectives:
According to ICH Q10, the purpose of the commercial production phase is to “achieve production of products with appropriate process performance, establish and maintain
Maintain control status to help continuously improve and expand knowledge capacity. “Applying quality risk management during the commercialization phase can achieve
The following goals:
•Proactively assess and manage risks to process and product quality during commercial operations.
•Proactively assess and manage process and product quality risks during commercial operations.
•Establish robust control strategies and adjust (as needed) through continual improvementÿ to ensure consistent process performance and
product quality as intended.
• Establish stable control strategies and adjustments (if necessary) through continuous improvement to ensure expected continued performance
performance and product quality.
During commercial manufacturing, QRM can be a useful process for effective decision-making as-sociated with change control, discrepancies,
failures, or investigations related to product quality or patient safety events. QRM is also useful in the selection and management of suppliers
and vendors, and managing risks related to internal and contract manufacturing operations, to ensure a state of control is maintained at all
times.
During the commercial manufacturing phase, quality risk management addresses change control, deviations, and changes related to product quality or patient safety events.
This process is useful when failing or investigating for effective decision-making. Quality risk management in supplier or supplier selection and management
It is also useful to ensure that the entire phase remains under control by managing the risks associated with in-house or commissioned production operations.
QRM may also be applied to effectively manage risks in the supply chain. Risks to product availability throughout the product lifecycle relate
to product storage, distribution, transportation, chain of custody, counterfeiting, diversion, theftÿ
geopolitical issues, compliance, and disaster recovery activitiesÿ amongst others.
(See Section 5.4, QRM Application in Materials Management.)
Quality risk management can also be effectively applied in supply chain risk management. Maintain products throughout their lifecycle
Risks to the effectiveness include product storage, distribution, transportation, chain of custody, counterfeiting, diversion, theft, regional political
governance issues, compliance, disaster recovery activities, and other aspects. (For details, see Section 5.4, Quality Risks in Materials Management.
risk management)
Per ICHQlO, the goal of Product Discontinuation activities is to "manage the terminal stage of the product lifecycleeffectively."(1) QRM
application during product discontinuation activities can serve the following objectives:
According to ICH Q10, the purpose of product delisting activities is to "effectively manage the final stage of the product life cycle." In product
Applying quality risk management during the delisting activity phase can achieve the following goals:
• Ensure risks to patients and product quality continue to be managed while

product remains on the market.

•Ensure risks to patients and product quality remain manageable while the product remains on the market.
• Identify and manage risks related to transitioning patients to alternate therapies.

•Identify and manage risks associated with transferring patients to alternative therapies.
3.2 Proactive and Reactive Application of Quality Risk ManagementQuality Risk Management
Active and passive applications of
QRM should ideally be proactive because its greatest value is in early identification and management of risks. Retrospective or reactive
application of QRM may also be appropriate and add value.
Quality risk management should ideally be applied proactively because early identification and management of risks is extremely valuable.
The retrospective and reactive application of quality risk management can also adaptively increase its value.
ln general, the earlier risks are identified, the more effective their management can be. For example, if a risk is identified during the
development of design specifications for a system, the system can be designed to reduce or even eliminate the risk. However, if the same
risk is not identified until routine commercial operation of the system, the redesign of the system can be challenging and likely be more costly
than if the system had initially been designed to manage the risk appropriately. This would be in addition to the cost of managing potential
harm to product quality that might occur due to that risk during commercial operation.
Generally speaking, the earlier risks are identified, the more effective risk management measures will be. For example, if the design criteria for a system are being developed
Once the stages are identified, the system can be designed to reduce or eliminate risk. However, if the same risk occurs until the system
are not recognized until routine commercial production, system redesign can be challenging, and is likely to be much worse than in
Properly managing risk in the early stages of system design is more expensive. In addition, during commercial operation, due to the risk
Potential harm to product quality may incur additional administrative costs.
There are ÿ however, some instances where not all risks can be identified prospectively and risk assessments
may need to be performed retrospectively.Examples would be new potential risks identified through a deviation
or introduced due to a change such that it impacts the validated status of an existing manufacturing process. ln
these instancesÿdeductive risk management tools like Fault and Event Tree Analysis (FTA/ ETA), FMEA, or
Fishbone Analysis may be used to determine the contributing cause(s) of the eventÿ and any risks impacting
product quality will consequently need to be managed retrospectively.
However, in some cases, not all risks can be identified as expected, and a retrospective risk assessment needs to be performed.
estimate. For example, new potential risks are introduced through the identification of deviations or due to changes affecting the validation status of existing production processes. exist
In these examples, deductive risk management tools such as failure and event tree analysis (FTA/ETA), FMEA, or fishbone diagram analysis
Analysis can be used to determine factors related to the event, and any subsequent risks affecting product quality will require retrospective risk analysis.
Evaluate.
QRM is not an independent Quality System elementÿ but should be integrated into

existing operations and appropriate parts of the PQS. QRM should never be used to deviate from regulationsÿ justify bad practicesÿ defend
practices that need to be correctedÿ or as a substitute for sound science. Compliance with current Good Manufacturing Practices (cGMPs) is a
mandate.
Quality risk management is not an independent element of the quality system but should be integrated into existing procedures as a PQS appropriate
a part of. Quality risk management should not deviate from regulations and maintain poor operations, but should maintain necessary correct operations,
Or synonymous with science and science. Compliance with current Good Manufacturing Practices (cGMPs) is mandatory.
3.3Formality of the Quality Risk Management ProcessThe formal process of the quality risk
management process
One of the principles of QRM as per lCH Q9 is that the level of effortÿformality and documentation of the QRM process should be commensurate
with the level of risk. lt is neither always appropriate nor always necessaryto use a formal risk management process (2). The use of informal risk
management processes (using empirical tools or internal procedures) is also considered acceptableÿ as long as they meet the intent of lCH Q9.
Since QRM provides a suitable knowledge management and documentation framework for previously undocumented or historical knowledgeÿ
even simple informal risk management processes can support this objective. Thereforeÿ a risk-based approach can range from a documented
scientific rationale to a formal risk assessment methodology (See Figure 3.3-1).
According to ICH Q9, one of the principles of quality risk management is the evaluation results, formality and documentation of quality risk management procedures
Sex should be appropriate to its level of risk. Suitable or formal risk management procedures are not always required. (2)As long as
Able to comply with the requirements of ICH Q9, as well as using informal risk management procedures (e.g. using empirical tools or internal procedures)
considered acceptable. Because quality risk management only provides an appropriate
knowledge management and documentation framework, so simple informal risk management procedures can also serve this purpose. Therefore, the wind
Risk management methods can start from documentation of scientific principles to formal risk assessment methods (see Exhibit 3.3-1 for details).
Figure 3.3-1 Rigor and Formality of QRM Approaches Figure 3.3-1 Rigor
and Formality of QRM Approaches

Technical/Scie
ntific
Rationale
Process/Scientific Principles
The degree of risk management rigor and formality required is influenced by a combination of many
factors, including (but not limited to):
• Criticality (eg, impact on patient safety or product quality) of the risk question
Complexity of the issue, process, or system Complexity

of the issue, process, or system
Availability of relevant historical data and related literature
The usefulness of relevant historical data and relevant literature
Level of available process knowledge and experience

Degree of practicality of process knowledge and experience
The risk assessment formality spectrum can range in the rigor and formality of facilitation, subject
matter experts (SMEs), team structure, tool and documentation as shown in Figure 3.3-2 . The rigor
and formality of the organizational structure, tools,
and file systems are shown in Figure 3.3-2.
Figure 3.3-2 Rigor and Formality Spectrum for QRM Activities (adapted from ICH Q9 Briefing Pack)
Figure 3.3-2 Rigor and
formal scope of quality risk management activities (adapted from ICH Q9 pre-meeting preparation
materials)

More Formal Less Formal
more formal" ^ informal
Required Helpful but not required

Useful but not required
Customized team of SMEs May be existing team,group,
Form a dedicated expert group for relevant committee, etc.

projects There may be groups, groups, committee members
Will wait
Will wait
Recongnized Recongnized method optional
Method
Method(s) or may be customized
method
recognized methods Feel free to select or customize recognized methods
Law
Stand-alone report, or May integrate into

Documented
Linked
on
to othercontrolled GMP existingcontrolled GMP
File system
documents documents(ex: change control
package)
stand-alone reports, or linked to
other controlled GMP documents Possible integration into existing controlled GMP
Documentation (excluding: Change Control
plan)
3.4 Establishing a Quality Risk Management Policy Establishing a Quality Risk Management Policy
ICH QI0 describes the importance of QRM being integrated into the Quality System as an enabler. The integration process has
to begin at the top of the organization. A QRM policy establishes the company's QRM philosophy and guides the incorporation
of QRM requirements and principles into the Quality System related to:
ICH Q10 addresses the importance of quality risk management as a useful tool incorporated into quality systems. The integration process must be
Initiated by the company's upper management. The quality risk management policy determines the quality risk management concept of the enterprise and guides the enterprise to manage quality in the following aspects:
Integrate the requirements and principles of quantity risk management into the quality system
• Applicability of risk management

„The scope of application of risk management
• Accountability and responsibility for managing and determining risk acceptability

••Accountability and responsibility for risk management, determining acceptable levels of risk
Risk scales
measure of risk
• Risk control
„Risk control
• Risk reviews and communication

„Risk review and communication
• Documentation
„Preparation of risk documentation
3.5Management Commitment Management Responsibilities
Top-level management support and commitment for the risk management program is essential.
Top management endorses the incorporation of QRM into the organization's Quality System and routine operationsÿ including establishing
processes for effective implementation of QRM principles and activitiesÿand providing adequate resources. This includes ensuring those
involved in QRM activities are qualified and have received the applicable training.
Senior management support and commitment are important to the functioning of risk management. Senior management agrees with the integration of quality risk management into the organization’s
The quality system and routine procedures include establishing procedures for the effective implementation of quality risk management principles and activities and providing adequate resources. Still here
This includes ensuring that personnel involved in quality risk management activities are qualified and appropriately trained.
Management has the accountability to create a structure or framework in which the use of QRM is encouragedÿ its benefits understoodÿ its
tools applied appropriatelyÿ and users trained adequately on its concepts and application. The organization should identify and train
facilitators who take responsibility for coordinating QRM across various functions and departments of their organization.The ultimate goal is
to incorporate QRM into everyday practicesÿ similar to how risk management is integrated into the safetyÿ healthÿ environmentÿ and
financial processes.
It is the responsibility of management to create an organizational structure or framework in which quality risk management is encouraged and its benefits are known.
Risk management tools are applied appropriately and users are adequately trained in the concepts and applications of quality risk management. Responsible for the company
Each functional department communicates quality risk management facilitators, and managers should be able to identify and train these facilitators. Its ultimate goal is to
Integrate quantitative risk management into various daily operations, just like integrating risk management into safety, health, environmental and financial processes.
To facilitate achieving this goal the organization should identify individuals who:
To enable facilitators to fulfill this mission, managers should identify individuals who:
•Have the responsibility to create and maintain the QRM system.

• Have responsibility for creating and maintaining a quality risk management system.
Can perform risk assessments.
Ability to perform risk assessments.
• Can review and approve the assessments, and have the authority to make risk reduction and risk acceptance decisions.
•Ability to review and approve assessments and authority to make decisions to reduce risks to acceptable levels.
• Are responsible for communicating the output of the risk assessments.

Responsible for communicating risk assessment results.
3.6Understanding the Organization and How it Contextualizes RiskUnderstanding the Organization

and know how to consider risks
To develop a shared understanding of the application of QRM among diverse stakeholders, organizations need to develop a full understanding of the requirements and regulatory
expectations for QRM.
In order to build understanding of the application of quality risk management among different stakeholders, managers need to first establish the requirements for quality risk management
and comprehensive understanding of regulatory standards.
An evaluation of the current understanding of QRM in the organization will deliver the baseline from which progress can be measured. The evaluation should include written policies
and procedures, practices, and personnel skills and knowledge. Any existing or related QRM activities should be reviewed for evidence of the integration of QRM into the company's
Quality System (e.g., auditing processes, change control, deviation managementÿ product development activities).
Assessing the current organization's understanding of quality risk management can help determine the baseline for risk program development. The assessment should include documented methods
Needles, procedures, operations, personal skills and knowledge. Any existing or related quality risk management activities (e.g. self-test processes, change
control, deviation management, process improvement activities) should all be reviewed as evidence of the integration of quality risk management into the company's quality system.
according to.
3.7Integration into Organizational ProcessesIntegration into the company's procedures
Integration of QRM into an organization is a multi-step process that begins with an assessment of existing practices and ends with a fully deployed and realized QRM process.
Practical recommendations related to implementation of QRM may include the following:
Integrating quality risk management into the organizational structure is a complex process that begins with an assessment of existing procedures and ends with full implementation and
Implement quality risk management procedures. Feasible recommendations regarding the implementation of quality risk management may include the following:
• Performing a gap analysis on current guidelines, procedures, and practices to identify where systems are currently employing QRM. This will allow the measurement of the level
of risk maturity in an organization. See Table 3.7-1 Risk Management Maturity Level, for a guide to maturity level and expected attitudes and behaviors.
•Performing a gap analysis of current guidelines, procedures and operating procedures can identify what systems currently require quality risk management. this
This can measure the maturity of enterprise risk management. See Table 3.7-1 for details. Risk management maturity level is a maturity level and expectation.
Guidance on opinions and conduct.
• Creating QRM policies and procedures based upon the gap analysis findings, including QRM methods and supporting statistical tools.
•Establish quality risk management policies and procedures based on the results of gap analysis, including quality risk management methods and related statistical tools.
• Piloting the policies and procedures to ensure the risk scales, residual risk acceptability process, and reporting mechanisms fit the needs of the organization.
• First pilot the risk policy and procedures to ensure that risk levels, risk acceptance levels and reporting mechanisms are established that meet the needs of the enterprise.
• Deploying the policies and procedures within the organization by creating a multi-level training strategyÿ
•Promote risk management policies and procedures within the enterprise through multi-level training.
• High-level awareness / QRM overview training for general employee population.

•Train the general employee population in high-level risk awareness or quality risk management audits.
• Focused policy, procedure, and risk management tools-based training. This would include hands-ontraining with reallife applications.
•Intensive training on policies, procedures and basic tools of risk management. This includes training on risk assessment based on real-life cases.
• Creation of internal audit programs to verify that QRM activities and resulting decisions comply with the established standards and procedures.
• Establish internal audit procedures to identify quality risk management activities and obtain decisions consistent with established standards and procedures
Plan.
Table 3.7-1 Risk Management Maturity level (adapted from: A Guide to Supply Chain Risk Management for the Pharmaceutical
and Medical Device Industries and Their Suppliers 2010)
Table 3.7-1 Risk management maturity levels (Adapted from: Supply Chain Risk Management for Pharmaceutical and Medical Device Companies and Their Suppliers
management guidance)
Risk Processes Attitude Behavior

Risk Maturity Risk Skills &
Procedure manner Behavior
Level Knowledge
risk maturity level skills and knowledge

Skepticism Unconscious
No Formal Accidents WiII Fear Of Blame
doubt stage Incompetence
Processes Happen Culture
not aware of invincibility
no formal procedures Accidents happen fear of being blamed
appoint

Awareness Suspended
Ad Hoc Use of ReactiveÿFire Conscious
consciousness stage Belief
Stand Alone Fighting Incompetence
Have faith
Processes Passive, processing state aware of incompetence
Standalone for temporary use condition
procedures
Understanding Conscious
Tick Box Passive Complianceÿ
& Competence
Approach Acceptance Reliance On
Application aware of being competent
Mark the square of the box Take the initiative to accept Registers
understand and apply stage
Law Reliance on regulatory compliance
sex
Active Risk-Based
Embedding & Risk Unconscious
Engagement Decision
Integration Management Competence
Positive response
Embedded In
Inclusion and Integration Phase Making unconscious competence
Decision based on risk
Business
Risk management incorporated
business
Robust Risk Champion Innovationÿ Expert

Regular
winner Expert level
Management Review & Confident &
Stable risk management Improvement Appropriate

Regular review and revision
stage Risk
good
Management
innovative, confident and
appropriate risk
manage
3.8 Establishing Communication and Reporting MechanismsEstablish communication and reporting mechanisms
To fully integrate QRM into the PQSÿorganizations need to have effective risk communication and reporting processes. Companies will only fully benefit
from the implementation of QRM when they are able to quickly respond to residual risks that develop. There needs to be robust information flow through
internal and external feedback loops to identify and communicate new risks as they develop. There are many ways to accomplish thisÿ including the
use of risk dashboards and internal memoranda. Companies should consider the addition of risk management as an agenda topic for their periodic
management meetings at all levels.
In order to fully integrate quality risk management (QRM) into PQS, organizers must have effective risk communication and reporting mechanisms. when
Only when an enterprise has the ability to respond quickly to residual risks that arise can it fully benefit from the implementation of quality risk management. This requires
A strong information flow must be used to identify and communicate the development of new risks through internal and external feedback mechanisms. There are many ways to do it
To this point, include the use of risk dashboards and internal memos. Companies should consider making risk management a regular part of their
Regular topics in management meetings.
Feedback loops are two-way in that as new risks are identified they are communicated internally and that products and processes will be evaluated and
modified as needed based upon that information. Policies and procedures should be in place to facilitate external
communications with the public and regulataory agencies, if required.
Feedback loops are two-way, as new risks are identified resulting in internal communications, and products and processes are evaluated based on the communicated information.
Evaluate and revise (if necessary). Additionally, if external communication is required, policies and procedures should be in place to facilitate communication with the public and legal
regulatory agency’s external communications.
There should be a method to capture product and process risk throughout the company so that over-all residual risk can be assessed. The vehicle the company
chooses to capture the overall
residual risk should be based upon the organization's culture, documentation practices and the
potential impact of product and process failures.
Companies should have a method of capturing all product and process risks so that all residual risks will be assessed. Automobile companies choose to use
The approach to capturing all remaining risks should be based on the organization's documentation, written procedures and the potential impact of product and process failures.
3.9 Roles and ResponsibilitiesRespective responsibilities
Formal QRM activities are usually undertaken by multi-disciplinary teams and should include SMEs representing relevant functions (e.g.quality unit, business
development, engineering, regulatory affairs, production operations, sales and marketing, legal, statistics, clinical safety).
A single person may satisfy more than one function or role. Typical QRM roles include:
Formal quality risk management activities are typically performed by multidisciplinary teams and should include representatives of relevant functions of the SMEs (e.g., quality group,
Business Development, Engineering, Regulatory Affairs, Manufacturing, Sales and Marketing, Regulation, Statistics, Clinical Safety). A single person can bear many
to a function or role. Typical quality risk management roles include:
• Facilitators who are knowledgeable about, and will facilitate the QRM process.
•A facilitator is a knowledgeable person who can facilitate the quality risk management process.
•As much as possible, facilitators should be independent from the process being risk assessed in order to maintain objectivity in facilitation (i.e. subject matter
or technical experts should not facilitate if possible in order to maintain objectivity). Knowledge of cognitive and other factors, such as human heuristics,
mayaffectdecision-makingduringQRMactivities(suchasbrains torming and probability of estimation);thisunderstandingandabilitytomanageitappropriatelycanbeparticula
rlyusefulforfacilitators.
occurrence
•When conducting process risk assessments, the facilitator should remain as independent as possible to maintain objectivity during the facilitation process (e.g., to maintain objectivity,
If possible, subject matter or technical experts should not serve as facilitators). Cognitive knowledge and other factors, such as human inspiration, may
Influence decision makers in quality risk management activities (e.g. brainstorming and assessing likelihood of occurrence); facilitators who understand and
Manage it properly and it will be extremely useful.
• QRM Lead who may be independent from the facilitator and is responsible for:
•The quality risk management leader should be independent of the facilitator and his responsibility is to:
• Leading the development and completion of QRM deliverables such as risk management plans and reports.
•Guide the development and conclusion of specific quality risk management work, such as risk management plans and reports.

• Ensuring that the outcomes of the QRM process are approved by the appropriatedecision makers and implemented.
•Ensure that the results of the quality risk management process are approved and implemented by appropriate decision makers.
• Ensuring that riskreview is performed and that QRM documents are updated and maintained
current.
• Ensure risk reviews are performed and quality risk management documents are current and current.
• Subject matter experts who are responsible for providing technical expertise to support QRM activitiesÿ including risk assessmentÿ determination
of appropriate risk control measures and their implementation.
•Relevant subject experts are responsible for providing subject expertise for quality risk management activities, including risk assessment, identifying and executing appropriate
Quality control technology.
• Decision Makers who have the competence and authority to make timely QRM decisions (2).
Decision makers should be accountable for:
•Decision makers are competent and authoritative persons with the authority to make timely quality risk management decisions. Decision makers should bear the following responsibilities:
• Ensuring that a QRM process is definedÿdeployedÿand reviewed.

•Ensure quality risk management procedures are defined, deployed and reviewed for quality risks.
• Ensuring that adequate resources are available to complete QRM activitiesÿ including the implementation of identified risk control measures.
• Ensure adequate resources are provided to complete quality risk management activities, including implementation of identified risk control measures.
• Reviewing and approving the outcomes of risk management activitiesÿincluding making risk control (risk reduction and risk acceptance) decisions.
•Review and approve the results of risk management activities, including making risk control (risk reduction and risk acceptance) decisions.
3.10 Heuristics and Biases in Quality Risk Management Deviation and exploration of quality risk management
Heuristics are cognitive behaviors that come into play when people make judgments in the presence of uncertainty.How these behaviors are manifested
is still the subject of much researchÿ but there is evidence in literature that heuristics are a source of significant bias and errors in judgment. Human
heuristics greatly influence a person's perception of risk (4) and inevitably their opinion of the magnitude of the contributing probabilities and severities.
A great deal of research has been performed by experimental psychologists into how risks are perceived. In this respect, three main factors (5) seem to
contribute to the operation of this heuristic and influence the output of risk analysis exercises:
Exploration is a cognitive behavior that occurs when people need to make judgments about uncertain processes. How these behaviors are manifested remains the subject of much research
scientific research topic, yet exploration has been documented as a source of significant bias and error in judgment. Human exploration greatly affects a
People's risk perceptions (4) and inevitably influence their judgments about the probability and severity of risks. experimental psychologists on risk
A lot of research has been done on how to be perceived. In this regard, three main factors (5) appear to contribute to this exploratory operation and influence risk
Analyze the output of the exercise:
1. Degree of "dreadfulness" associated with the risk.

1. The harm (or horror) of the risk.
2. Degree to which the risk was understood.

2. Knownness of risks.
3.Number of people exposed to the risk in question.

3. The amount of human exposure to the risk.
Human heuristics also play an important role in both how risks are assessed and perceived.
There are various types of heuristics, but three of them are:
Human exploration also plays an important role in how risk is assessed and perceived. There are many types of exploration, but three types are as follows:
1. Availability
1. Effectiveness
2. Representativeness
2.Typicality
3.Anchoring andAdjustment
3. Fixation and Adjustability
The heuristic of availability relates to the fact that people tend to judge the likelihood of an event in terms of how easily they can recall (or imagine)
examples of that event. A person's judgment concerning an event (in terms of its probability of occurrence and its severity) may therefore be influencedby
how that person imagines or recalls similar scenarios (6,7).This may lead to a systematic bias andother errors in judgment. Research has shown that
people tend to underestimate the frequency of very common hazards and overestimate the frequency of very rare hazards (6 8).
The exploration process is related to the fact that people tend to judge events based on how easily they can remember (or imagine) examples of that event.
possibility of life. A person's judgment about an event (in terms of its likelihood and severity) may be affected by how
the impact of imagining or recalling similar situations (6,7). This can lead to systematic biases in judgment and other errors. Research shows that humans tend to
Underestimating the frequency of very common hazards and overestimating the frequency of very rare hazards.
The heuristic of representativeness is related to a person's probability judgment being influenced by their "expecting in the small behavior that which one
knows exists in the large." In this instance one can pay more attention to specific details, while ignoring or paying insufficient attention to important
probability-related information that is relevant to the problem (8).
Typical representations of exploration relate to the probabilistic judgments of those affected, such as when they "expect a certain low-probability behavior to be regarded as a high-probability behavior." Here
In this situation, humans will spend too much energy on special details and ignore or pay too little attention to the significant possibilities related to the problem.
information.
The heuristic of anchoring and adjustment comes into play when people's judgment can be heavily influenced by the first approximation of the value or
quantity that they think of or hear (anchor), or is based on "group think." The "anchor" value can then lead to influencing and "adjusting”any subsequent
values to be biased towards the "anchor" (6,7).
Initiation occurs when human judgment is heavily influenced by the nearest value or quantity they have thought of or heard (broadcast), or based on "groupthink"
Fixation and adjustment of hair will appear. The "target value" then influences or "adjusts" subsequent values towards the "target value"
Bias and variability in risk perception are inherently human traits and can be broadly categorized into three recognizable anthropomorphic behavior s.
Each of these perceptions should be

recognized, and appropriate bias-mitigation strategies and processes established within the QRM system.
Biases and variations in risk perception are essentially human characteristics and can be roughly divided into three types of cognitive anthropomorphic behaviors. These three cognitions are important in quality
Risk management systems can all be identified and appropriate bias transfer strategies and processes established.
It is well accepted that we are inherently more comfortable or willing to accept risks that could be considered voluntary(i.e.under our own volition)
than involuntary risks (i.e.without our own decision) (9). This seemingly maintains true for voluntary risks, which are calculated to be significantly
lower than involuntary risks (10).
It is generally accepted that we are inherently more comfortable or willing to accept being recognized as opposed to involuntary risks (i.e., those we cannot decide ourselves).
as a voluntary risk (e.g. under our own volition) (9). This remains true for voluntary risks, which are calculated as
Voluntary risks have received less attention (10).
The phenomenon of human heuristics (unconscious rules of thumb) has profound capacity to bias risk management processes. One human
heuristic relates to the fact that people tend to assign likelihood in terms of how easily they can recall (or imagine) that or examples of that
event.Generallyÿpeople tend to underestimate the frequency of very common hazards and overestimate the frequency ofvery rare hazards (6
8). From a GMP perspective this is important to knowÿ because these humanheuristics may influence how the outputs of QRM exercises
performed in GMP environments may be judged and accepted by decision makersÿ
stakeholders and regulatory inspectors.

Human exploratory phenomena such as the unconscious rule of thumb have profound scalar implications for biased risk management processes. One person's exploration
Formal thinking relates to facts involved, i.e. people tend to make decisions based on how easily they can recall (or imagine) examples of related events.
the possibility of certain events. In general, humans tend to underestimate the frequency of common hazards and overestimate the frequency of rare hazards.
From a GMP perspective, this is important. Because these human explorations may affect quality risk management in a GMP environment
The results of rational exercises may be judged and accepted by policy makers, stakeholders and regulatory regulators.
An expert's perception of risk can differ markedly from that of a layperson or those personnelless familiar with the specific processÿtechnology
or circumstance (11). Generallyÿ
laypeople tend to regard as "risky" any technology that is newÿimposed on themÿunfamiliarÿ
or beyond their control. Suchfindings are probably important to consider when performing GMP-related QRM exercisesÿ given the different
groups and stakeholders to whom risk information may be communicated and the highly technical nature of GMP activities in general.
An expert's perception of risk will be significantly different from that of a layperson or a group of people unfamiliar with a particular process, technology, or environment (11).General
In general, laypeople tend to view technology that is new, imposed on them, unfamiliar, and beyond their control as dangerous. when executing
These findings may be important to decision makers when conducting quality risk management operations related to GMP, and risk information needs to be related to different
Communicate to groups and stakeholders and generally this information relates to highly technical GMP nature activities.
The human cognitive and behavioral originsÿ which may bias and adversely affect our judgment in this respectÿ together with detailed means
of addressing QRMÿ have been previously described (11ÿ12). Effective communication with stakeholders is particularly important because
stakeholders form judgmentsabout risks based on their own perceptionsÿ
and those perceptions may differ from those who executed risk analysis. In the GMP environmentÿmany existing QRM tools and programs fail
to incorporate strategies to address risk perception biases.

As the various aspects of quality risk management have been discussed in detail in the previous chapters, the origins of human cognition and behavior in this regard may have important implications for our
Judgments are biased and adversely affected. Effective communication with decision-makers is particularly important because decision-makers base their own perceptions on
Ability to make judgments about risk, and these perceptions may not be the same as those of the person performing the risk analysis.
While using relevant historical and real-time data such as complaints, investigations, non-conformances and trends contribute greatly in reducing
subjectivity and uncertainty in risk assessments, it is also important to counteract the adverse effects that heuristics may exert on QRM activities.
To address risk perception bias, a number of features should exist within a company's Quality System. See Table 3.10-1 for a list of several simple,
practical strategies that are designed to improve the outcomes of QRM exercises and that should be featured in QRM programs.
When using historically relevant and current data such as complaints, investigations, non-conformances and trends to effectively reduce the focus of risk assessments
When faced with uncertainty and uncertainty, it is also important to prevent heuristic thinking from adversely affecting quality risk management activities.
Speaking of risk perception biases, a company's quality system may have a range of characteristics. Table 3.10-1 shows several simple
A list of easy-to-implement strategies designed to improve the results of quality risk management activities in quality risk
Can play a very important role in project management.
Table3.10-1StrategiestoManageCommonPerceptionBiasesTable 3.10-1 Strategies for managing common cognitive biases

Risk PerceptionlBias Management Strategy
Risk of Cognitive Bias Control Strategy
•Training and education of stakeholders recognizing this bias;

Voluntary-Involuntary Bias
include case studies and examples illustrating how this heuristic
Conscious and unconscious bias
operates.
•Training and education can make decision-makers aware of this bias, including case studies and demonstrations of this inspiration
Examples of how sex works.
• Multi-disciplinary team with some stakeholders unfamiliar with the risk scenario (e.g. clinical medical, marketing, human
factors personnel).
•If some decision makers are not familiar with risk scenarios (such as clinical pharmacy, sales science, individual human characteristics)
Multidisciplinary team decision-making can be used.
• Several decision-makers involved.

Human HeuristicsHuman „Multiple decision makers involved
• Training and education of stakeholders recognizing the main heuristics that may come into play; include case studies
Inspiration
and examples illustrating how those heuristics are manifested.
•Training and education can make decision-makers aware of the emergence of key inspirations, including case studies and demonstrations of inspiration
Examples of how hair can be mastered.
•Multi-disciplinary team with some stakeholders unfamiliar with the risk scenario (e.g. clinical medical, marketing, human
factors personnel).
•If some decision makers are not familiar with risk scenarios (such as clinical pharmacy, sales science, individual human characteristics)
Multidisciplinary team decision-making can be used.

•A range of risk analysis and risk evaluation tools being available for
use.
•A range of risk analysis and risk assessment tools are effectively used.
•Emphasis placed upon data-rich information for risk assessment.
•Focus risk assessment on data-rich information.
•Favoring quantitative risk management tools furnished as much as possible with data driven approachesÿ
as long as the data are
considered reliable.
• Support quantitative risk management tools by providing as much data as possible as long as the data is considered reliable
driving method.
•Pre-defined rules for brainstorming activities that are designed to minimize the adverse influences of the
main heuristics (e.g. when brainstorming as part of risk assessment exercisesÿno member of the team
should verbalize his or her score of a probability estimate until every contributor has time to think and
record their own estimate).
„Brainstorming that adopts predefined rules designed to minimize the adverse effects of elicitation
(e.g., when brainstorming is practiced as part of a risk assessment, members of the team should not
Verbalize his or her estimated score probability until each participant has had time to think and record himself or herself
Expert-Lay Bias Expert- •Training and education of stakeholders recognize this bias; own estimate)
Lay Bias include
case studies and examples illustrating bias.
•Training and education to make decision-makers aware of this bias: includes learning cases and examples of bias demonstrations
Child.
•Multi-disciplinary team with some stakeholders unfamiliar with the risk scenario (e.g. clinicalÿ medicalÿ
marketingÿhuman factors personnel).
•If some decision-makers are not familiar with risk scenarios (such as clinical pharmacy, sales, individual
human characteristics) can employ multidisciplinary team decision-making.
• Several decision makers involved.

„Multiple decision makers involved
4. Implementation Of The Quality Risk Management Process
Implementation of quality risk management
Per ICH the main

Q9, steps in the QRM process include:
According to ICHQ9, the main steps of the quality risk management process include:
• Initiating a quality risk management process (Section 4.1)
Initiate quality risk management process (section 4.1)
• Risk assessment (Section 4.2)
Risk Assessment (Section 4.2)
• Risk control (Section 4.3)
Risk Control (Section 4.3)

• Output/ result of the QRM process (Section 4.4)

Outputs/results of the quality risk management process (section 4.4)
• Risk review (Section 4.5)
Risk Review (Section 4.5)

• Risk communication (Section 4.6)
Risk communication (section 4.6)
4.1 Initiating a Quality Risk Management ProcessInitiating a Quality Risk Management Process
QRM should include systematic processes designed to coordinate, facilitate and improve science based decision making with respect
to risk. All QRM activities, whether they are prospective or retrospective in nature, should be adequately planned prior to initiating any
risk assessments. The rigor in planning should be commensurate with the impact of the potential risks on product quality. Planning
activities should include (depending on formality of assessment):
Quality risk management should include a systematic process for coordinating, promoting and improving scientific decision-making related to risks. All quality risk management activities,
Adequate planning should be carried out before initiating any risk assessment, regardless of whether it is prospective or retrospective in nature. rigor of planning
Should be consistent with the impact of potential risks on product quality. Planning activities should include (depending on the level of formality of the assessment):
• Defining the problem statement, scope (in and out of scope), known assumptions, and expected outcomes
Determine problem description, scope, known assumptions, and expected results
• Identifying the appropriate team of SMEs and an impartial (to the extent possible) trained facilitator
Identify an appropriate team of experts and an impartial (possibly) trained facilitator
• Determining the level of formality and selecting the appropriate tool(s) to deliver the expected outcomes
Determine the degree of formality of risk management and select appropriate tools to achieve desired results
• Determining how the QRM activities will be documented

Determine how to document quality risk management activities
• Identifying and collecting relevant background informationÿ reference documents and data related to the potential risks or product and
patient impact relevant to the risk assessment
Identify and collect relevant information, references and data on potential risks or their impact on products and patients
• Specifying a timeline, deliverables and appropriate levels of decision making (and appropriate decision makers) for the risk
management process
Specify the duration, expected objectives and appropriate decisions for the risk management process
• Defining a reporting and communication plan
It is also important to appropriately document these planning elements and obtain management support for the QRM
activities, including resource(s) allocation.
It is also important to appropriately document these program elements and obtain management support for quality risk management activities, including resource allocation.
4.2Risk AssessmentRisk Assessment
Risk assessment is a part of QRM and an essential component of managing risks throughout the product lifecycle. The risk assessment
process comprises risk
identification, risk analysis, and risk evaluation.

Risk assessment is part of quality risk management and is a fundamental component of managing risk during the product life cycle. The risk assessment process is driven by the wind
It consists of risk identification, risk analysis and risk evaluation.
A risk assessment exercise may take a number of different forms, such as a technical or scientific rationale developed for a problem statement, an impact
assessment, or the detailed application of a formal risk management tool or methodology. Irrespective of the type of risk assessment performed, the assessment
should be documented, approved, archived, and retrievable from the Quality System.
A risk assessment activity can take different forms, such as the development of a technical or scientific theory on a problem, an impact assessment or a formal risk assessment
Detailed implementation steps for risk management tools or methods. Regardless of the type of risk assessment undertaken, the assessment should be documented, approved and maintained
And can be traced through the quality system.
The level of rigor and type of risk assessment should be commensurate with the potential impact and knowledge of risk associated with a risk question,
problem description or problem statement.
The level of rigor and type of risk assessment should be consistent with the potential impacts and understanding of the associated risks.
Broadly, rigor and formality of the risk assessment should be commensurate with a
combination of the potential for a direct adverse impact to the patient or product quality and the level of process and risk understanding. A direct and critical patient
or product quality impact coupled with an incomplete or uncertain understanding of the hazard, process and risk, demands the highest level of rigor and formality.
In general, the level of rigor and formality of a risk assessment should be proportional to the potential direct impact of the risk on patients or product quality and the impact on the process and risk.
corresponding to the level of understanding. Have a direct and critical impact on patients or product quality and have an incomplete or inaccurate understanding of hazards, processes and risks
If the risk assessment is determined, the level of rigor and formality of the risk assessment should be the highest.
Conversely, with no or minimal potential patient impact coupled with a very comprehensive and contemporary knowledge of hazard, process and risk can be
supported by a lower level of rigor and formality. Where it is not possible to estimate the specific clinical implications of a risk to patient safety, evaluating the risk
to product quality becomes an important surrogate.
In contrast, where there is no and minimal potential impact on patients and a very comprehensive understanding of hazards, processes and risks, the rigor required
and lower levels of formality. Assessing the impact of a risk on product quality becomes difficult when the specific clinical impact of the risk on patient safety cannot be estimated.
important.
4.2.1Execution of Risk AssessmentsExecution of Risk Assessments
Irrespective of the product, process, risk question, problem description, or problem statement all risk assessments require the same fundamental activities in a
common sequence of events:
Regardless of the product, process, risk question, problem description, or problem statement, all risk assessments require a common set of basic
Activity:
• Identify the owner of the QRM process.
Identify the owners of the quality risk management process
• Identify the stakeholders of the QRM exercise, and the individuals responsible for its execution.
The stakeholders should assist with identifying the audiences for
subsequent risk communication activity, the actual content of the risk communication and the technical level at which to deliver the risk communication
message.
Identify relevant parties and specific implementation personnel of quality risk management activities. Relevant parties should assist in identifying those who will participate in subsequent risk communication activities
personnel, the actual content of risk communication and the technical level of risk communication information delivery.
• Identify the areas of expertise required for the exercise and build the risk assessment team.
Ensure that the team members are credible and have the necessary level of expertise and
risk management training. For formal risk assessments, it is essential to have a trained facilitator guide the risk management process and cross-
functional SMEs involved in assessing and managing the risks.
Determine the professionals involved in risk assessment and form a risk assessment team. Ensure that team members are credible, have the necessary expertise, and are experienced
Received risk management training. For formal risk assessments, a trained coordinator guides the risk management process and participates in the assessment
and cross-functional teams of experts to manage risk are essential.
• Describe the product, process, recipient, and mode of administration of product (where appropriate).
Describe the product, process, formulation, and route of administration of the product (when appropriate).
• Define the risk question, problem description, or problem statement.

Ask risk questions, problem descriptions or problem statements.
• Determine the appropriate risk management tools to employ. A variety of tools exist, each with a range of suitability for risk identification, risk analysis and
risk evaluation. Table 4.2-1 compares a selection of the most commonly employed tools to assist in tool selection.
Determine the risk management tools to be used. There are different risk management tools. When conducting risk identification, risk analysis and risk evaluation, each
Each tool has its scope of application. Table 4.2-1 compares the selection of the most commonly used tools.
• Decide the means and criteria employed to assign values or surrogate descriptors to probabilities and severities for risk factors and the derivation
of overall risk during risk analysis. It is valuable at this point to determine any pertinent assumptions or uncertainty associated with data used in the risk
assessment process.
Determine the methods and standards for assigning values to the likelihood and severity of risk factors or determining levels and estimating the size of risks during the risk analysis process
• Identify criteria for risk evaluation.

Determine the criteria for risk assessment.
• Assemble background information and data on the potential hazard, harm, or human impact relevant to the risk assessment (e.g., design documents including
drawings and specifications, supplier documentation, complaints, investigations, CAPA, trend analyses of monitoring and testing, audit
results, information from related products, etc.).
Collect information and data on potential hazards, injuries or effects on humans relevant to risk assessment (e.g. including drawings and design requirements)
Design documents, supplier documents, complaints, investigation reports, CAPA, trend analysis of monitoring and testing, audit results, relevant product information
interest, etc.).
All these elements should be formally documented.

All of these elements should be formally documented.
A risk assessment may range from a documented simple scientific rationale to a formal risk assessment methodology. A wide variety of tools and techniques
are available to facilitate risk assessmentsÿ as recognized in ICH Q9 such as:
Risk assessment can be a documented simple scientific principle or a formal risk assessment method. As stated in ICH Q9, it can
Risk assessment is performed using different tools and techniques such as:
• Process mapping techniques flow chart
• Fishbone (Ishikawa) analysisCausal analysis
• Risk ranking and filtering (RRF) risk ranking and filtering
• Fault tree analysis (FTA) fault tree analysis
• Failure mode and effects analysis (FMEA) failure mode and effects analysis
• Failure mode effects and criticality analysis (FMECA) Failure mode, impact and critical points analysis
analyze
• Hazard analysis and critical control points (HACCP) Hazard risk and critical control points

• Hazard operability analysis (HAZOP)

• Preliminary hazard analysis (PHA) preliminary hazard source analysis
Each of these tools and techniques exhibits a number of inherent features that should be consideredÿtogether with the level of rigor
and formality when choosing the most appropriate tool for a particular risk assessment exercise. Even simple informal risk tools can
support particular objectives and their use may be considered acceptable. Table 4.2-1 provides a comparison of the features and
characteristics for some of the common risk management tools.
The inherent characteristics, rigor, and formality of each tool and technique should be considered when choosing the most appropriate tool. Even simple informal risk workers
Tools can also be used for specific risk assessments. Table 4.2-1 compares the characteristics of some risk management tools.
Table. 4.2-1 Comparison of Common Risk Management Tools Comparison of Common Risk Management Tools
Comparing common risk assessment tools Comparing common risk assessment tools
Fault Tree Analysis (FTA) fault tree Preliminary Hazard Analysis (PHA) Failure Mode and Effects (and Hazards Analysis and Critical Hazards and Operability Studies
Preliminary hazard source analysis Control Points (HACCP)
Criticality) Analysis (FMEA/FMECA) (HAZOP)
analyze
Hazard Analysis and Critical Control Points Hazard Operation Analysis
Failure mode, impact (and key points) analysis
Tool Concept Qualitatively identify all probable Preliminary identification and ranking pathways for faults to occur, and of risks based Assess failure modes and then determine Identify and implement process Identify all possible process or design controls that consistently and
Tool definition
on prior experience or then identify how to prevent the knowledge. whether the failure could be detected and deviations and assess if controls are effectively prevent hazard adequate.
whether prevention, detection,
fault pathways from occurring. Preliminarily identify risks based on past experience or knowledge and response controls are adequate. conditions from occurring. Identify all possible process or design deviations, evaluate
Qualitatively identify all possible paths for failure to occur, and sorted. Identify and implement process control measures to consistently Adequacy of control measures.
Then determine how to prevent it from happening. Evaluate the failure mode and decide if it can be detected and effectively prevent hazards from occurring.
Failure, prevention, detection and response controls are
No, it's not enough.
Tool Approach Top-down approach that considers Prospective bottom-up approach that Bottom-up approach that considers Bottom-up approach that considers Bottom-up approach that considers what causes a failure. Deductive and considers potential hazards,what could go wrong and what the how to prevent hazards
method
from what could go wrong, the possible logical approach and outputs can also hazardous situations and events that relatedrisks are. Methodically occurring and / or propagating. causes, and what the related risks or be used as a tool for deviation may cause potential harm to product divides the analysis of
complex Better for preventative applications consequences are.
quality and / or patient safety. root-cause analysis. processes into smaller manageable rather than reactive. Emphasizes a bottom-up approach that considers what can go wrong,
A top-down approach that considers what caused the problem Approach identifies potential considerations to facilitate the strength of preventative controls possible causes and what are the associated risks or consequences
While
barrier. Reasoning, logical methods and output can also be used negative events and remedial assessment. essentially rather than ability to detect. What is the result?
measures for consideration. Identical to the FMEA, FMECA has a bottom-up approach that considers how to prevent hazards
Tools for root cause analysis of deviations.
A forward-looking bottom-up approach that considers possible additional capability to rank the occurrence and/or proliferation. Best used preventatively
criticalities of failure modes.
Causing potential harm to product quality and/or patient safety Rather than passive use.
A bottom-up approach, considering what could go wrong,
hazards, environmental hazards and incidents. Can identify potential
and what are the associated risks. Complex processes can be
Adverse events and corrective actions
Give.
Break it down for evaluation. Although basically the same as
Same as FMEA, FMECA has additional functions,
That is, ranking the criticality of failure modes.
Risk Focus faults Negative events-any combination

(ex: deviation Process that typically include hazards, faults, failure Failure Modes (similar to faults)
of conditions Hazards (contaminants, adventitious Deviations from standard (design, agents, dangerous conditions, etc.)
Risks of concern modes, terms such as “not”,
“without”, specification, procedure, etc.)
deviations, etc. Deviation from standards (design, metrics, procedures, etc.)
Hazards (pollutants, foreign agents, hazardous conditions
“doesn’t”, “won’t”, etc.) Negative events - hazards, malfunctions, failure modes, deviations situation, etc.)
Process faults (e.g. deviation situations typically such as "no", Any combination of differences.
"Have not", "must not", "will not", etc.)
Similar Tools or Methods Fishbone/Ishikawa/Cause & Effect Failure Mode, Effect FMEA PHA, HAZOP FMEA
Similar tools or methods Analysis Preliminary hazard source analysis and hazard operation analysis Failure mode and impact analysis
diagrams
Fish Assassin Diagram/Ishikawa Diagram/Cause and Effect Diagram

Stand-Alone vs Used Often used in conjunction with other Typically supplemented later by Typically used alone, though Typically used alone, though HACCP Typically used alone, though HAZOP FMEA/FMECA inputs may be with Other Tools
tools since FTA has no capability to more detailed analyses with other inputs may be identified using other inputs may be identified using other tools (ex: FMEA) once risks are ÿÿÿÿÿÿÿÿÿ ÿÿ
assess effectiveness of risk control. identified using other tools such as tools such as FTA. tools such as FTA.
Usually used in conjunction with other tools because FTA cannot better understood. FTA or PHA. Usually used alone, although other tools can be used Usually used alone, although others such as FTA are available
combined use
Used to evaluate risk control measures are After further understanding of the risks, we usually adopt Usually used alone, although other tools may be used For example, FTA recognizes the input of HACCP. The tool recognizes HAZOP input.
effectiveness.
other tools (e.g. failure modes, effects analysis) Tools such as FTA or PHA to identify FMEA/FMECA with
for a more detailed analysis enter.
Quantitative vs Typically qualitative (May be used Semi-quantitative, Typically Either depending upon application. Either depending upon application. Either depending upon application, quantitatively if fault
Qualitative
occurrence qualitative risk ratings leading to Risk Prioritization Number (RPN) Critical control points typically have though most applicationsare rates are well-known)
Quantitative or qualitative
simple RPN calculations. concept is favors quantitative quantitative control limits. qualitative.
usually qualitative (can also be quantitative if it is clear Semi-quantitative, often qualitative risk rankings enable RPN calculations approaches to risk rating. Qualitative or quantitative, depending on the application. Qualitative or quantitative, depending on the application. although
Frequency of failure) The calculation is simpler. Qualitative or quantitative, depending on the application. Quantitative Critical control points usually have quantitative control Most applications are qualitative.
This method is more conducive to RPN calculation. limit.
Key Assumptions some other tool or Failure modes are intuitive, well Assumes
Assume SME
comprehensive
input and /or
Assumes
prior Assumes
that riskthat
events are caused process will be used to determine experience is adequate to support known, or have been previously understanding of the process and by
key assumptions
deviations from established design successful assessment.
effectiveness of risk controls for the identified. controls used for the process. or operating intentions.
fault conditions identified in the FTA. Assume that expert opinion and/or experience is sufficient to help The failure mode is intuitive, familiar, or known Assume a comprehensive understanding of processes and process control measures Assume that risk events result from deviations from design or operations
Suppose some other tool or process is used to determine Evaluate the performance. Don't pass it. untie. become.
The effectiveness of risk control measures, these risk control measures
Countermeasures are in place to address faults identified in the FTA
state.
Key Strengths considered effort accordingly. Wide acceptance Able to be used when information is Ability to rank risks and appoint Tool ensures that critical points in Systematic and flexible tool that has Effective at showing how multiple limited. Allows risks to be
The main advantage
the process can be identified and much of the power of FMEA, but factors may contribute to a given very early in the lifecycle. Useful to in the industry, with many case
Best tool for ability to detect (a risk aspect that is adequately controlled. Great without heavy reliance on rating the fault condition.
define scope of a complex system or studies available. Best method for precursor or complement to process accommodating human elements such process and for prioritizing hazards.
SOPs, can be used under conditions of limited information.

prioritizing and ranking risks. validation. Typically challenging in complex as non-compliance with
Effectively summarizes modes of ensuring key points in the process are identified and adequately implemented processes and when dealing with training, etc. Excellent
tool for human factors). Risk identification failure, the factorsCan be alive
causing the risk assessment early in the life cycle. Can be used as
defining the scope of a large risk failure, and their effects. Tools of control. A good prerequisite for process validation or
brainstorming is built into the HAZOP Determining the scope
assessment. Effective in determining Ability to rank risks of a complex system or process and its use Replenish.
and allocate resources accordingly methodology.
the root causes of faults or observed Systematic Ranking of hazards.
and flexible features similar to those of FMEA source. Widely used in industrial production, there are many cases
risk conditions. Ability to effectively display multiple
Example study. The best way to rank risks. Tools for live applications, but not too dependent on detection
How factors lead to a specific failure condition.
Can effectively summarize failure modes, influencing factors and Capacity (an aspect of risk, often used in complex
Processing involves personnel elements (such as failure to comply with SOP,
training, etc.). Identify large risks its role. complex process, as well as handling personnel factors)
Excellent tool for assessing scope. can be effectively determined class. Brainstorming for risk identification is
The root cause of the failure or observed risk condition Part of HAZOP.
because.
Key Limitations No means to assess effectiveness of Generally requires additional Forces the user to rate risks in terms Analysis is not effective or feasible No risk ranking or prioritization that may not be well understood (ex: risk reduction activities. Larger follow-up analysis. Quality of results unless the subj ect process and capability since probability of hazard assessments can be difficult to may
Main shortcomings
associated controls are well typically occurrence format and communicate effectively. input rather than data. be highly dependent on SME human factors or process anomalies
is not
are difficult to rate for probability of understood and well defined. Difficult considered. No means to evaluate occurrence or the ability to detect).
The qualitative nature of FTA often requires additional tracking analysis. quality of results to apply to new processes or rapidly hazards involving interactions requires it to be paired with another
Analysis can be highly detailed and evolving / developing
on the processes.
contribution of experts rather than the number between different parts of a system the quantity may depend
tool that has quantitative analysis tedious for complex systems having unless the process and associated controls are well understood or process.
according to.
capabilities. No risk ranking or multiple components. solution and clearly defined, the analysis will not be valid or Because the possibility of harm occurring is usually not considered,
prioritization capability. Forces users to determine risk levels, even for
feasible. Difficult to use with new processes or rapidly evolving Therefore, risk ranking or prioritization cannot be performed.
The effectiveness of risk reduction measures cannot be assessed Risks that are not well understood (e.g., for personnel
process. Unable to evaluate the relevance of different parts of a system or process
estimate. Difficulty conducting large-scale assessments efficiently and effectively Factors or processes are abnormal and it is difficult to determine the possibility of occurrence Hazards of interactions.
communicate. The qualitative nature of FTAs generally requires level of performance or detection capabilities). For multiple components
Used in conjunction with tools capable of quantitative analysis. No For complex systems, analysis may be very specific,
Can be used for risk ranking or prioritization. tedious.
Scope Management Scope must be actively managed-Scope must be actively managed-Scope must be actively managed-Easier to manage- scope is Scope must be actively managed -
scope management
team must put assumptions and / or team must put assumptions and / team must put assumptions and / or determined by the process being team must put assumptions and / or limitations in place to manage scope assessed.
limitations in place to manage scope limitations in place to manage scope limitations in place to manage scope from becoming unnecessarily easy to manage - scope can be evaluated according to the
process
from becoming unnecessarily from becoming unnecessarily from becoming unnecessarily detailed.
detailed or broad. Must actively control the scope detailed. Must actively control scope-group Sure. detailed. Scope must be actively controlled - the team must
Scope must be actively controlled - teams must be established Scope - The team must establish the assumptions and/or scope management Assumptions and/or limitations for scope management must be established, Scope management assumptions and/or limitations shall be established to
scope management assumptions and/or limitations to avoid excessive or limitations to avoid being too detailed or broad. to avoid being too detailed. Avoid being too detailed.
in detail.
Risk Ranking Capability None if tool is used qualitatively- all Yes- Risk Prioritization Numbers Yes- Risk Prioritization Number Partial- Hazards are classified into Optional. A pseudo- RPN approach faults are treated equally. For (RPN) commonly used to determine (RPN) commonly
Risk prioritization ability used to correlate significant non-significant. could be applied if desired. vs.
quantitative ranking, data is needed needs for subsequent risk controls risk level to required mitigation Controls are classified as critical vs. optional. When needed, an RPN class can be applied
for rating probability of all faults. and further risk assessment. effect. non-critical.
similar method.
None, if the tool is used qualitatively - equal treatment Yes - usually RPN is used to determine whether it is necessary to take Yes - RPN is usually used to combine the risk level and the required Section - Classifies hazards into significant and non-significant. control
All malfunctions. For qualitative ranking, data is required Follow-up control measures and further risk assessment Risk reduction effects are associated. Control measures are divided into critical and non-critical.
used to determine the probability of occurrence of all faults, etc. estimate.
class.
Optional Yes Yes Yes

Considers Probability of optional Partial- a deviation Credibility decision is required.
Yes Yes Yes
Occurrence?
Consider the possibility? Part - requires establishing the plausibility of the deviation.
Considers Ability to Optional Yes

Not traditionally, but may be added as ÿÿ an optional No- emphasis is on hazard Yes, but not explicitly- if detectionis prevention, not necessary detection
Detect? Optional consideration
used in the process control scheme, and remediation.
Thinking about detectability?
Usually not, but available as an option then it lowers the risk probability and/or severity. Detection
also No - the focus is on preventing harm, not on
sometimes credited as a HAZOP detection and correction.
“safeguard”.
Yes, but not clear - if process control

detection is used, it can reduce the risk of

Likelihood and/or Severity. Testing can sometimes be done
It is a HAZOP security measure.
Considers Severity of ÿ No Yes Yes Yes Yes

Yes Yes Yes Yes
Impact?
Considering the severity?
Ability to Process Yes (by design) No

Not without creating significant Not without creating significant ÿ Not without creating significant complexity.
Yes (by design) of
Interrelationships complexity. complexity.
Multiple Fault Modes No, otherwise it would be extremely complicated No, otherwise it would be extremely complicated No, otherwise it would be extremely complicated
Able to handle multiple failure modes

interrelationship
Ability to Handle Human Ability to More capable More capable More capable
Less capable Less capable
Handle Human more able more able
Factors/ Dynamics
Ability to handle people factors/dynamics
Output Format Graphical depiction Tabular Tabular Tabular Tabular

Output format Graphic description sheet sheet sheet sheet
Key IEC international Standard 1025 (also Limited. Brief overviews can be WHO Guideline, Quality Assurance of IEC International
IEC International Standard
Standard 812 (also Guidance
61882 IEC
Reference(s) referred to as Standard 6025 IEC ÿ found in ISO 14971 and IEC 60300 ÿ referred to as Standard 60812) Pharmaceuticals, Chapter International Standard 61882
Main guidance documents
1025 (also refer to Standard 6025 limit. Overviews can be found in ISO14971 and IEC International Standard 812 (also refer to the standard 5-NACMCF, Principles and International Standard
IEC60300. 60812) Applications Guidelines for HACCP
WHO Guidelines, Quality Assurance of Pharmaceutical Products, Chapter 5
-NACMCF, HACCP Principles and Application Guide

4.2.2 Risk IdentificationRisk Identification

Identifying potential hazards and harms, which may elicit an adverse impact on product quality or patient safety, is
one of the most important activities in any risk assessment process. All subsequently performed risk assessment
activities will relate to these identified hazards. Although a number of risk management tools are recognized,
process mapping, fault tree analysis, and fishbone analysis are simple and structured techniques that are especially
suited to risk identification.
Identifying potential hazards and harms that may adversely affect product quality or patient safety is the most important activity in any risk assessment process
One of the moves. All subsequent risk assessment activities relate to these identified hazards. Although there are many risk management tools, flowcharts,
Fault tree analysis and cause and effect analysis are simple, methodical risk management techniques that are particularly suitable for risk identification.
Risk identification is the systematic use of information to identify hazards and potential harms relevant to the risk
ÿ
question or problem description. Risk identification addresses the question What might go wrong?"and it includes
identifying the possible consequences of hazards.
Risk identification is the systematic use of information to identify risk issues or problem descriptions related hazards and
potential harm. Risk identification answers the question “what could go wrong?” including identifying the consequences that hazards may cause
fruit.
Production processes typically involve six main components (13):

The production process usually consists of 6 main parts (13):
1. Equipment
2. People
3. Methods
4. Environment
5. Materials
6. Measurements
When the likely causes of potential adverse events are being identified, it is useful if each of these
components is considered and taken into account. Salient information from which to identify hazards includes
historical data, theoretical analysis, technical analysis, advice from technical experts and the concerns of
stakeholders (including customers or their surrogates). ÿÿÿÿÿÿÿÿÿÿÿÿ
After identifying the causes, it is helpful to consider the role of each part. Information used to identify hazards includes historical data
data, theoretical analysis, technical analysis, suggestions from technical experts, concerns of relevant parties (including customers or other
agent).
4.2.3 Risk AnalysisRisk Analysis

Typically, risk analysis consists of estimating the risk associated with the identified hazards. It uses either a
qualitative or quantitative process of linking the likelihood of occurrence (probability) andthe severity of harms. In
some QRM tools, the ability to detect the hazard (detectability) also factors into the estimation of risk. Derivation
of the values (qualitative or quantitative) assigned to probability, severity and detectability can be prone
tobias, errors in judgment, and problems of misperception.
Risk analysis typically involves estimating the risks associated with the identified hazards. Use qualitative or quantitative methods to discover
The likelihood (likelihood) of life is combined with the seriousness of the injury. Using some risk management tools
When estimating risk, the detection ability (detectability) of the hazard is also considered. Calculate the possibility, severity
The values of gravity and detectability (qualitative or quantitative) are prone to bias, leading to errors in judgment.
Risk analysis is beneficial when conducted with a multi-functional team of SMEs. This assures that risks are
analyzed from multiple perspectives. Team discussion is particularly useful so that different perceptions of the risk
can be surfaced.
Risk analysis is best conducted by a multi-departmental team of experts. This ensures that risks are viewed from different angles
Perform analysis. Team discussions are particularly useful so that different perspectives on risk can be understood.
It isalso important to recognize that an SME's perception of risk may differ markedly from that of other team
members who may be unfamiliar with the process or product under study in the risk assessment.
An expert's view of risk may differ from that of other group members who are unfamiliar with the process or product being studied.
Obvious difference. It's also important to realize this.
Generally, people tend to regard as "risky" any technology that is new, imposed on them, unfamiliar or

beyond their control. Given the highly technical nature of pharmaceutical manufacturing, these are important considerations to
ensure that an effective risk analysis occurs. Appropriate strategies to combat these inherently human biases are detailed in the risk
communication section.
Generally, people tend to treat any technology that is new, imposed on them, unfamiliar or beyond their control as
Classified as "risky". Given the highly technical nature of pharmaceutical production, taking this into account is important to ensure effective
Risk analysis is very important. Steps to address these inherent cognitive biases are detailed in the risk communication chapter.
Pick
appropriate strategy.
Numerical values (oralternative surrogate descriptors) (14) for probability, severity, and detectability are typically designated as singular
discrete values (e.g., 1, 5, 10) or as qualitative descriptors (e.g., high, medium, low). While useful, these surrogate descriptors fail
to encompass known variability or perceived uncertainty. The adoption of probabilisticdescriptors based on historical, process capabilityÿor
other relevant real-time data represents a more accurate but more complex means of accounting for this (15).
Numerical values (or alternative descriptors) (14) representing likelihood, severity, and detectability are often specified as a single
Scatter values (such as 1, 5, 10) or qualitative descriptions (such as high, medium, low). Despite their role, these
Alternative descriptive values cannot incorporate known changes or expected uncertainties. In this regard, based on historical data,
Logical descriptions of process capabilities or other relevant real-time data are more accurate, but also more complex (15).
It is important also to recognize that probability of occurrence risk factor values are usually assigned numerical estimates that are expressed
using ordinal scales, such as a scale of 1 through 5, where a value of "1" may represent a very low probability and "5" may represent a very high
probability. The magnitude of the individual values is not necessarily meaningful in a numerical sense (16, 17). For example, an event with a
probability of occurrence of "4" on an ordinal scale has of course a higher probability of occurring than an event with a probability of "2", but it is
not necessarily twice as likely to occur. Furthermore, it is not strictly mathematically permissible to multiply ordinal scale values, and numerical
operations such as (Risk = 3 x 4) or (Risk = 3 x 4 x 2) (18) have questionable validity. In this respect, surrogate descriptors (e.g., high, medium,
low) may be more valid than numerical descriptors.
Usually a numerical value is assigned to the probability of a risk factor occurring, represented by an ordinal number such as 1 to 5, where 1 represents possible
Probability is low, while 5 represents high likelihood. The size of a single numerical value does not necessarily have mathematical meaning
(16,17). For example, an event with a probability of 4 is certainly more likely than an event with a probability of 2.
It's higher, but that doesn't mean it happens twice as often. Moreover, from a strictly mathematical perspective, no
Allows for multiplying ordinal values, mathematical operations such as (risk = 3 x 4) or (risk = 3 x 4 x 2) The validity of (18) is
Questionable. In some sense, alternative qualitative descriptions (e.g., high, medium, low) may be more useful than numerical values.
Plus effective.
4.2.4 Risk EvaluationRisk Evaluation
During a risk evaluation, the identified and analyzed risks are compared against given risk acceptability
criteria.
During the risk assessment process, identified and analyzed risks are compared with given risk acceptance criteria. —
Risk is typically categorized as broadly acceptable, as low as reasonably practicable (ALARP), or intolerable (See Figure 4.2.4-1). Broadly
acceptable risks are those for which the severity of harm or likelihood of occurrence of harm (or both) is sufficiently low that adverse
impacts are minimal. Broadly acceptable risks are considered acceptable with no further risk reduction.
Figure 4.2.4-1 Classifications of RisksClassification of risks

Risks are usually classified as generally acceptable, required to be as low as possible (ALARP) or unacceptable (see Figure 4.2.4-1).
Generally acceptable risks are those where the severity or likelihood of occurrence (or both) of the hazard is low,
Causes minimal risk of adverse effects. This risk is acceptable and no further risk reduction is required
measure.
Intolerable risks are those for which the combination of severity of harm and likelihood of occurrence of harm is so great that a significant impact to the quality of the product or to
patient may result. The combination of possibilities is large and could result
in a significant impact on product quality or patient safety.
Risks categorized as ALARP or Intolerable should be assessed from a risk / benefit perspective. Risk / benefit analyses answer a basic question: Does the activity inquestion
providebenefits tothe user such that any residual risks are acceptable bycomparison? These analyses should be performed by individuals who are knowledgeable and experienced and
are able to evaluate the technical, clinical, regulatory, and economical aspects of the decision to be made. The benefit of the activity in question should have been estimated (at an
earlier point in time, by medical professionals) considering the expected
performance during clinical use, as well as, other potential treatment options. Examples of information used in this analysisinclude process / product data, literature searches, and
survey information. Once completed, the risk / benefit analysis should be documented in a report, which is typically reviewed and agreed to by the company's senior management.
Risks classified as lowest possible or unacceptable should be assessed from a risk/benefit perspective. Risk/benefit analysis answers a basic question
Question: Does the activity in question bring benefits to users and are residual risks acceptable? These analyzes should be conducted by knowledgeable, experienced and able
This can be done by persons who are able to evaluate the proposed decision from a technical, clinical, regulatory and economic perspective. The benefits of the activity in question should be assessed (by
completed in advance by medical professionals), taking into account expected performance in clinical and other therapeutic applications. The information used in the analysis includes work
technology, product data, literature searches and survey information. Once completed, the risk/benefit analysis should be documented in a report and reviewed by company senior management
and approval.
Note that the quality of the outputs of a risk assessment exercise usually depend on the robustness of the data and on the assumptions and sources of uncertainty related to the
exercise, such as gaps in the level of knowledge about the sources of harm and in product and process understanding.
Note that the output of risk assessment activities often depends on the tolerance of the data and the assumptions and sources of associated uncertainties, such as the source of hazards and
Gap between product and process understanding levels.
The output of a risk assessment is usually a semi-quantitative estimate of risk (if a numerical probability factor is used), or a qualitative description of risk (eg, high, medium, or low), when
qualitative factors are used. These should be defined in as much detail as possible. The output of a risk assessment is usually a semi-quantitative estimate of the risk (if the
likelihood is expressed numerically) or a qualitative description of the risk (e.g., medium, low) ÿ
(When qualitative expressions are used). These should be specified in as much detail as possible.
Sometimes a "risk score" is used to further define descriptors in risk rankings. When comparing risks associated with differentscenarios,
clearly defined risk acceptance thresholds should be employed. This demands that the same number of risk factors should be employed in
each assessment along with using a consistent means of scoring. Evaluation of risk using scores based upon representative numerical
values provides a suitable frame of reference and means of assessment, but the designation of a numerical level above which the risk is
deemed "intolerable" (19) and requires responsive risk reduction, is often quite subjective. Riskis never zero nor is it an absolute certainty;
rather, it exists along a continuum extending from a very low level of possibility through to a high level of certainty (20). Therefore, the
selection of risk acceptance thresholds should be based on a clear scientific rationale, with consideration given to the confidence levels
associated with the threshold value selected.
Sometimes a "risk score" is used in risk ranking to further define the risk representation. When comparing the risks of different options, it should be clearly identified
Risk acceptance limits. This requires that assessments be conducted using the same analytical representation and consistent scoring methods. According to typical numbers
Risk assessment using a value score provides an appropriate frame of reference and assessment method, but unacceptable risk limit levels are determined (19) and adopted
Taking risk reduction measures is often subjective. Risk is not zero, nor is it an absolutely certain value; in fact, risk can be
a continuum from very low likelihood to very high certainty (20). Therefore, the selection of risk acceptance limits should be based on clear scientific principles and take into account
Consider the confidence level for the selected limit.
4.2.5 Supporting tools
Statistical tools can support and facilitate QRM activities. They can enable effective data assessment, aid in determining the significance of the data set(s), and facilitate more reliable
decision-making.
Statistical tools can be used in quality risk management activities to effectively perform data assessments, help determine the significance of data groups, and facilitate
Reliable decision-making. Statistical tools commonly used in the pharmaceutical industry include:
one
Statistical tools commonly used in the pharmaceutical industry
include: „ Control Charts, such as:

one
Control charts
such as: Acceptance Control ChartsAcceptance Control Charts
Control Charts with Arithmetic Average and Warning LimitsControl Charts with Arithmetic Average and Warning Limits
Cumulative Sum ChartsShewhart Control ChartsWeighted Moving AverageWeighted Average
„ Design of Experiments (DOE) Experimental design
„ Histograms
„ Pareto ChartsPareto charts

„ Ishikawa diagrams (fishbone or cause-and-effect diagrams)ÿÿÿ

„ Process Capability Analysis Process Capability Analysis
4.3 Risk ControlRisk Control
Risk control activities attempt to reduce risk to acceptable levels by implementing controls based on risk scores. Risk control focuses on two activities: risk reduction and risk acceptance.
After the completion of risk reduction activities the residual risks should be reviewed in a formal risk acceptance process where a risk /benefit analysis may be performed to answer the
question, "Does the overallbenefit to the user outweigh the risks associated with the use of this product, process?”
Risk control activities are the implementation of control measures based on risk scores to reduce risks to acceptable levels. Risk control focuses on two activities:
Risk reduction and risk acceptance. After risk reduction activities are completed, the residual risk is reviewed through a formal risk acceptance process.
Risk/benefit analysis answers the following questions: “Does the overall benefit to users outweigh the risks of using this product or process?”
4.3.1 Risk Reduction Risk reduction
Risk reduction focuses on reducing the severity and probability of occurrence by implementing appropriate product, process, and system controls. Each identified risk should be
assessed to determine if it is broadly acceptable, as low as reasonably practicable,or unacceptable / intolerable. For unacceptable / intolerable risks, the risk reduction strategy
should define the corrective and preventive actions to attempt to reduce the risks to an acceptable level. Risk reduction activities may be initiated and guided by addressing the
following questions:
Risk reduction focuses on reducing severity and likelihood of occurrence through appropriate product, process and system controls. Each identified risk should be
Conduct an assessment to determine whether it is an acceptable risk, the lowest possible risk, or an unacceptable risk. For unacceptable risks, risk reduction
The strategy should identify corrective and preventive actions to reduce risks to acceptable levels. Risk reduction activities can be initiated and directed by answering the following questions:
move:
„ Is the risk above an acceptable level?

Is the risk above an acceptable level?
„ Were the appropriate controls considered to reduce or eliminate the risk?

Have appropriate controls been considered to reduce or eliminate risks?
„ Were unacceptable risks managed and / or reduced to acceptable levels?

Have unacceptable risks been reduced to acceptable levels?
„ How do we know the new controls are (or will be) effective?
How do we know that new controls are (will be) effective?
„ Have proposed risk controls been examined for new risks?

Will the proposed risk control measures introduce new risks?
Risk elimination may not always be possible or practical. For example, a company that manufactures hospital scanners (medical devices) may decide to not market their products
in countries with unreliable power supplies. Their scanners may be resilient to spikes in the electrical grid, but technical safeguards may be either too costly or the risk of malfunction
is considered unacceptable. Consequently the risk is avoided by not selling the product in these markets.
It is not always possible or feasible to completely eliminate risk. For example, a company that produces hospital scanners (medical devices) may decide
It does not sell its products in countries where electricity supply is unreliable. Their scanners may be somewhat resilient to grid spikes, but either the technology is
The cost of corrective measures is too high, or the risk of failure is unacceptable. As a result, the company avoided risk by not selling products in these markets.
Risk reduction should first focus on reducing harm. This can be achieved, for example, by developing a contingency plan that will be executed should the risk materialize. In these
circumstances it is essential to monitor and review the situation regularly or even continuously.
However, it may not always be possible to reduce a risk by reducing harm. In such instances, reducing the probability of occurrence by adding preventive controls and increasing the
detectability of hazard(s) by adding detection controls can provide other strategies for reducing risk. Risk reduction should preferentially focus on prevention rather than detection.
Prevention can be achieved in several ways such as:
Risk reduction should first consider harm reduction. This can be achieved, for example, by establishing contingency plans in the event of a risk. in these circumstances
In this case, the situation must be monitored and reviewed regularly or even continuously. But it’s not always possible to reduce risk by reducing harm. at this time,
The possibility of occurrence can be reduced by adding preventive control measures, and the detectability of hazards can be improved by adding inspection controls, which can also
reduce risk. Risk reduction should prioritize preventive measures over improving detectability. Preventive measures can be considered in the following ways:
„ Build in safety by design Improve safety through design
„ Add protective measures in product or manufacturing processAdd protective measures in product or manufacturing process
„ Add safety warningsAdd safety warnings
A reduction in the probability of occurrence can be affected by removing or controlling the cause(s) of the hazard or failure mode through a product, process or system design
change. Design and process changes can bring about a reduction in risk ranking by addressing either the occurrence of the cause of failures or the occurrence of the failure itself.
Adesign / process change, in and of itself, does not imply that the risk will be reduced. Any changes(s) should be reviewed to determine the effect on the product and process. For
maximum effectiveness and
efficiency, changes to the design / process should be implemented early in the development process. Studies to understand the sources of variation using statistical methods may be used;
the knowledge gained may assist in the identification of appropriate controls including ongoing feedback of information to the appropriate operations for continual improvement and problem
prevention.
Reduce or control the source of a hazard or failure mode through design changes to a product, process, or system to reduce the likelihood of occurrence. design
And process changes can reduce the risk level by targeting the root cause of the failure or the occurrence of the failure itself. A design/process change in itself is not
This means that the risk will definitely be reduced. Any changes should be reviewed to determine their impact on the product or process. In order to maximize the effects and benefits
To avoid this, design/process changes should be made as early in the development process as possible.
Even. Statistical methods can be used to study the sources of variation; the knowledge gained helps identify appropriate controls, including continuation of operations
Provide feedback for continuous improvement and prevention of problems.
Improvement of detection mechanisms can also be useful in reducing risks especially where prevention controls are insufficient. In general, improving/ enhancing detection requires
knowledge and understanding of the significant/ dominant causes of process variation and any special causes. Increasing the frequency of inspections is usually not an effective risk
reduction action and should only be used as a temporary measure to collect additional information on the process so that permanent corrective / preventive actions can be implemented.
Improvements in detection mechanisms can also reduce risks, especially when preventive measures are inadequate. Often improving detection capabilities requires significant/significant changes to the process
Have some knowledge and understanding of the main causes and any special causes. Increasing the frequency of inspections is generally not an effective risk reduction measure;
Use as a temporary measure to gather additional process-related information so that permanent corrective/preventive actions can be implemented.
Consider, for example a vial stopper application in which the failure mode is "vial not stoppered correctly." A preventive approach to precluding the failure mode would be to control
the cause(s) of the failure. Some preventive actions could include improving the set-up procedure, and performance of annual preventive maintenance on the feed screws and
universal joints and bearings. The incorporation of detection controls might include controls such as a periodic in-process inspection of vials, a 100% visualinspection at the conclusion of
stoppering, monitoring of occurrence rates, or incorporating a qualified vision system with a feedback loop such that improperly stoppered vials would be removed from the process
stream.
One failure mode in vial stopper applications is "not properly corked." Preventive measures to eliminate this failure mode can be to control the failure
The root of life. Part of the preventive measures include improving installation procedures and performing annual preventive maintenance on feed screws, universal joints, and bearings. check
Monitoring control may include regular in-process control inspections of vials, 100% visual inspection at the end of stoppering, monitoring the probability of occurrence, or using belt
Automatic light inspection system with feedback loop to reject improperly corked vials.
Often these preventive and detective activities are implemented in a step-wise manner, reducing the risks incrementally untilan acceptable level can be reached. Risk reduction does not
necessarily remove the probability of harm entirely; it limits negative consequences of a particular event.
Typically these corrective and preventive activities are implemented in a step-by-step manner, gradually reducing risk until an acceptable level is reached. Risk reduction measures do not
It must completely remove the possibility of a hazard occurring; it limits the negative impact of a particular event.
4.3.2 Risk AcceptanceRisk Acceptance

Risk acceptance is a formal process in which decision makers review the risks associated with a specific activity, and determine whether the risks are acceptable or need to be reduced
further. Risk acceptance reviews occur after all reduction strategies have been implemented and verified for effectiveness and the process have been evaluated to identify residual risks.
Residual risks are those risks that remain after all control measures have been implemented or which may result from the implementation of a reduction strategy. For example, in the
case of a vial not being stoppered properly a risk reduction measure might be to increase the force used to place the stopper. However,the increased force may result in an unanticipated new
risk of cracked vials. This would be a risk that originated from the implementation of a reduction strategy.
Risk acceptance is a formal process by which decision makers review the risks associated with a specific activity and decide whether the risks are acceptable or require further
reduce. A risk acceptance review is conducted after all risk reduction strategies have been implemented, their effectiveness has been confirmed, and the remaining risk to the process has been assessed. left
Residual risk is the risk that remains after all controls have been implemented or that results from the implementation of a risk reduction strategy. For example, when the vial is empty
With correct plugging, one possible risk reduction measure may be to increase the plugging pressure. But increased pressure can lead to unexpected new
Risk - vial rupture. This is the risk that results from implementing risk reduction strategies.
Risk acceptance levels are determined by an organization's policy on QRM, and may be influenced by many factors (e.g., societal, regulatory, scientific) typically unique to the organization and
situation. It is essential that there is adequate documentation that describes what the acceptable levels are and who is empowered to set them. Preferably, there should also be
documented rationale for the decisions.
Risk acceptance levels can be determined based on an organization's quality risk management policy and are influenced by a variety of factors specific to the organization and environment (e.g.,
social,
regulatory, scientific). There must be adequate documentation describing the acceptable levels and who established them. Ideally, there should be a written basis for the decision.
It is widely acknowledged that risk is rarely completely eliminated. Risk management practitioners attempt to reduce risk as much as possible and practical but recognize that a point of
diminishing returns may be reached where further controls have a minimal impact on risk reduction.
Thus a low level of risk may remain that does not significantly impact the activity being analyzed and therefore the quality of the product being produced. These risks are categorized as ALARP
and may be accepted contingent on an acceptable risk /benefit analysis. High risks should normally be reduced without consideration of cost while those risks closer to the acceptable region
offer greater flexibility to balance

the technical and economic aspects. Intolerable risks should not be accepted without further control measures being implemented or without a formal risk / benefit analysis being performed. It is
generally accepted that risks can rarely be completely eliminated.
Risk managers try to reduce risk as realistically as possible, knowing that a point of diminishing returns may be reached, and more
Multiple control measures have minimal impact on risk reduction. This results in lower risk, but does not significantly impact the activity being analyzed, and
The quality of the products produced. These risks are classified as likely to be low and occasionally acceptable based on a risk/benefit analysis. high risk pass
Often must be reduced without regard to cost, although those risks closer to the acceptable zone have greater flexibility in balancing technology and cost.
Unacceptable risks should not be accepted without implementing controls or conducting a formal risk/benefit analysis.
Risk acceptance decisions affecting patient safety and product quality must be made by appropriate decision makers and associated justification must be documented. These decisions may be
made and/ or reviewed as part of a periodic management review meeting.
Risk acceptance decisions affecting patient safety and product quality must be made by an appropriate decision-maker and justified in writing. These decisions can be taken as
Developed and/or reviewed as part of periodic management reviews.
4.4 Output/Result of the Quality Risk Management Process
Outputs/outcomes of the quality risk management process
For expedient execution of formal QRM activities, relevant supporting data, salient information, and facts should be clearly documented and communicated. Risk assessment outcomes including
risk reduction and risk acceptance decisions, level of residual risk and their acceptability; and risk review requirements should be documented and approved by the appropriate decision makers.
QRM documents should be archived appropriately, and should be recoverable and accessible to ensure a com- In order to facilitate the implementation of a formal quality risk management activity,
relevant supporting data, salient information and facts should be clear records and in
Communicate between relevant parties. Appropriate decision-makers should document and approve risk assessment results including risk reduction and risk acceptance decisions, residual risk
risk levels and their acceptance, as well as risk review requirements. Quality risk management documentation should be appropriately maintained and accessible to ensure
4.4 Output/Result of the Quality Risk Management Process
4.4 Outputs/outcomes of the quality risk management program
For expedient execution of formal QRM activities, relevant supporting data, salient information, and facts should be clearly documented and
communicated.Risk assessment outcomes including risk reduction and risk acceptance decisions, level of residual risk and their acceptability; and risk review requirements should be documented
and approved by the appropriate decision makers. QRM documents should be archived appropriately, and should be recoverable and accessible to ensure a communicated continuity of learning and
continual improvement. The documents should also be current and actively maintained with respect to best available science, engineering, and product and process data accompanying the product
and process lifecycle.
Expedients for conducting formal QRM activities, relevant supporting data, salient information and facts should be clearly documented and communicated. Risk assessment results
Includes decisions on risk reduction and risk acceptance, residual risk levels and their acceptability; and risk review needs should be documented and approved by the appropriate decision maker
approve. QRM documentation should be appropriately archived and should be recoverable and accessible to ensure continuous communication of learning and continuous improvement. This document should remain
Current version and actively maintained during the life cycle of the product and process in compliance with the best available scientific, engineering, product and process data.
4.4.1 Risk Register

4.4.1
risk register
Subsequent to the publication of ICH Q9, the concept of a risk register has been adoptedfor the pharmaceutical industry. While these documents are common outside the pharmaceutical industryÿ
they have not been commonly used within it. The expectation for these risk registers was created in mid-2010 within the United Kingdom's Medicines and Healthcare Products Regulatory Agency
(MHRA) in their "GMP-Quality Risk Management: Frequently Asked Questions" document. The MHRA laid out an expectation that every manufacturing site should have a formal risk register, which is
a list that provides for planning and remediation of the manufacturing site's high-level risk items. Most regulatory agencies have explicit or implicit requirements for the use of risk management, so the
requirement for a risk register may be seen as a natural progression in the maturity of the use of risk management in our industry.
With the publication of ICH Q9, the concept of registration risk has been adopted by the pharmaceutical industry. Although these documents are common outside the pharmaceutical industry,
But these documents are not commonly used. Expectations for these risk registrations were established in the mid-2010s by the UK Medicines and Healthcare products Regulatory Agency
Agency (MHRA) first appeared in their "GMP Quality Risk Management: Frequently Asked Questions" document. The MHRA has set out an expectation that every manufacturing company should
There should be a formal risk register, which is a list of high-level risk items that provide planning and remediation for the production site. Most regulatory agencies have made it clear
or an implicit requirement to use risk management, so the requirement to register risk may be seen as a reflection of the mature use of risk management in our industry.
the result of natural development.
While most companies have collections of risk assessments performed at their sites, many of them do not have a system to manage all these risk assessments in such a way that an overall view of
the risks and hazards are clearly

laid out.
While most companies have collected information to perform risk assessments within their companies, many of them do not systematically manage these risks.
A risk assessment is a comprehensive review that clearly lists risks and hazards.
The risk register summarizes significant risks at a manufacturing site in a high-level document; it also provides an explanation of the remediation of those risks. The risk register should also point
to or list out the individual risk assessments that identified the significant risks for that site.
The risk register summarizes the significant risks at the production site with high-level documentation; it also provides an explanation for remediation of these risks. The risk register should also
This identifies or lists case-by-case risk assessments that identify significant internal risks.
The benefit in the use of a risk register is two-fold:

The benefits of using a risk register are twofold:
1. It provides a summary document for the regulators to review during inspections.
1. It provides regulators with a review summary document during an inspection.
It provides site management a fairly dynamic view of the overall risk for the site and a communication tool to share with the site in general.
2. 2. Generally speaking, it provides a fair and dynamic view of the overall risk management of the site and is a tool for sharing and communicating with the site.
A risk register is a great tool to incorporate into your risk management program to facilitate and encourage risk review and risk communication.
The risk register is a useful tool incorporated into the risk management process and can facilitate and encourage risk review and risk communication.
4.5 Risk Review
4.5 Risk review
Risk review is the review or monitoring of output /results of the risk management process considering (if appropriate) new knowledge and experience about the risk (2). The QRM process is not
complete once the outcomes of the risk assessment have been summarized and reported, and risk reduction measures have been implemented. Risk management is an ongoing process
whereby risk assessments are reviewed and monitored to determine if any new risks or changes have been introduced.It is important that risk assessments are an integral part of a company's
Quality System to continuously assess whether current controls are satisfactory for existing processes or if original risk management decisions have been impacted by new risks or changes to
existing risks or risk control mechanisms.
A risk review is the review or monitoring of the outputs/results of the risk management process in light of new knowledge and experience with risk (if applicable) (2).
The QRM process is not complete when the results of the risk assessment have been summarized and reported, and risk reduction measures have been implemented. Risk Management
Is an ongoing process that relies on risk assessment and monitoring to determine if any new risks or changes have been introduced. It is important that risk assessment
It is an integral part of a company's quality system that continuously evaluates whether current control measures meet the requirements of the existing process or the original risk.
Whether risk management decisions are affected by new risks or changes in existing risks or risk control mechanisms.
Risk assessments should be current and reviewed throughout the lifecycle of a product, process, or system. To keep risk management "living," there are two types of triggers that might require
review and updates to existing risk management measures and decisions: 1) event-based reviews or 2) schedule-based reviews.
Risk assessments should be current and audited throughout the life cycle of a product, process or system. In order to make risk management "active", there are
Two types of events may cause a review and update of existing risk management measures and decisions: 1) event-based review or 2) daily-based review
Process review.
4.5.1 Event-Based Reviews
4.5.1 Event-based auditing
There are a number of event-based, incidental triggers that would present an opportunity for a riskreview. Examples of these event-based drivers
and a brief discussion followsÿ
There are many accidental triggers based on events, which provide an opportunity for risk assessment. For these event-driven examples, there is a simple discussion below.
Argument.
4.5.1.1 Deviations or Non-Conformances 4.5.1.1
Deviations or nonconformities
Deviations in processes and systems should be an immediate trigger to review a risk assessment. One should evaluate and determine the root cause for the deviation as well as those controls
that should be put in place to prevent the event from recurring. Additionally, deviation trends are an indication that the risk profile may have changed. A current and up-to-date risk assessment
is one of the fundamental tools for an effective CAPA system.
Process and system deviations should immediately trigger a risk assessment review. Companies should assess and identify the root causes of deviations and these controls
Measures should be put in place to prevent recurrence of the incident. Additionally, bias trends indicate that the risk profile may have changed. current and latest
Risk assessment is one of the basic tools of an effective CAPA system.

4.5.1.2 Product Complaints, Returns, or Patient Safety Related Events 4.5.1.2ÿÿ

Complaints, Returns or Incidents Related to Patient Safety
Though product complaints, returns, or patient safety related events are lagging indicators that represent failure of some element of the Quality System, they should be used as key input
in ensuring that a risk review activity is triggered both at initial knowledge of the event and when the root cause has been identified. The risk management activities that follow suchan
event should:
Although product complaints, returns, or patient safety-related incidents are lagging indicators of failure of certain elements of the quality system, they should be used as
The main inputs to ensure that risk assessment activities are triggered in two situations, namely at the initial stage of an incident and when the root cause is identified.
Risk management activities following such an event should include the following:
„ Determine controls to immediately protect the patients who may have been exposed to the defective product.
•Identify controls to promptly protect patients who may have been exposed to defective products.
„ Evaluate impact to other lots of product that may be available in the market.
•Assess the impact on other products on the market that may use the batch number.
„ Evaluate whether the risk is common to similar products or activities.
•Assess whether the risk is common among similar products or activities.
„ Use information from the root cause analysis toidentify controls that should be established to prevent recurrence.
•Use information from root cause analysis to identify controls and establish controls to prevent recurrence.
4.5.1.3 Data Trends 4.5.1.3
Data Trends
The regulatory requirement for process monitoring and annual reporting provides an opportunity for continual improvement. This has been codified in the guidance and statements on
Process Validation by regulatory authorities. Concurrent with this process, when unexpected data trends are detected a proactive response is not only necessary but also a wise business
practice. A risk assessment and risk control strategy is useful to troubleshoot and identify any new or modified process controls necessary for remediation.
Regulatory requirements for process monitoring and annual reporting provide an opportunity for continuous improvement. This is prepared by regulatory authorities into guidance and process validation
Mingzhong. As with process requirements, when unexpected data trends are discovered, a proactive response is not only necessary, but a smart business decision
Convention. Risk assessments and risk control strategies are useful in diagnosing and identifying process controls, i.e. any new or improvements necessary to remediate
process control.
4.5.1.4 Change Control
4.5.1.4 Change Control
Continual improvement via effective changes to our processes is a key element of the PQS. Changes are inevitable and a part of the lifecycle of a product from initial development
through marketing to divestureÿ A best practice is to develop the risk assessment early in development and transition to the next lifecycle phase with appropriate updates. The risk
assessment then becomes a powerful knowledge management tool that is kept alive throughoutthe life of the product.
Continuous improvement of our processes through effective change is a key element of PQS. Change is inevitable and a product changes from
Part of the entire life cycle from initial development to market entry to delisting. The best way to operate is to introduce risk assessment early in development and
Update appropriately when moving to the next life cycle stage. Risk assessment will then become a powerful knowledge management tool that enables
Products remain viable throughout their life cycle.
For existing processes, a risk assessment provides value in the management of ongoing operational risks, and can be created retrospectively
after validation. These assessments have the added benefit of being built from historical data and real experience as data-based inputs into the
process.
For existing processes, risk assessment provides value in managing ongoing operational risks and can establish retrospective reviews following validation.
These assessments can add value based on the establishment of historical data and actual experience, that is, actual experience is input into the process flow in the form of data.
Process.
Once the process is qualified, the process transitions to one of continuous verification and improvement. Changes are implemented with the intent to improve and evolve into more
robust processes. For each change it is important to assess the process and determine the following:
Once the process is qualified, the process moves to the next step of continuous verification and improvement activities. Change as improvements and evolution into more stable work
The purpose of art is carried out. For every change, it is important to evaluate the process and determine the following:
„ Does the change introduce a new risk or change the profile of an existing risk?
•Do the changes introduce new risks or change the profile of existing risks?
„ Are there sufficient controls in place with the implementation of the change or do new controls need to be introduced?
•Are the changes implemented with effective controls in place or will new controls need to be introduced?
„ Does the change eliminate or reduce the effectiveness of existing controls?
•Do the changes eliminate or reduce the effectiveness of existing controls?
„ Does the change impact the validated state of the equipment or process?
•Does the change affect the validation status of the equipment or process?
Assessment of changes and review of the risk assessment should be an integrated part of the change control process throughout the product lifecycle.
Evaluating changes and reviewing risk assessments throughout the product lifecycle should be part of a comprehensive change control process.
4.5.1.5 Audits and Inspections 4.5.1.5

Audits and Inspections
Audits, internally or externally driven, provide an opportunity for an outside and independent assessment of the Quality System and compliance with regulatory requirements.It is also
an excellent time to assess the completeness of risk management activities (and documents,
if applicable), and identify any potential gaps that could lead to potential audit or inspection observations.When challenged, therisk assessment would be an excellent tool to
demonstrate that sufficient controls are in place and that the risks associated with the gaps are acceptable.Conversely, audits and inspections may identify a new or previously
unrecognized hazard that needs to be addressed.Again, the risk assessment can be used as a tool to systematically address the observation and required controls. Potential regulatory
commitments will be focused only on the hazard and required controls, avoiding unnecessary and excessive non-value work.
Audits, internally or externally driven, provide an external opportunity to independently assess whether the quality system complies with regulatory requirements. This is also a
This is a good opportunity to assess the completeness of risk management activities (and documentation, if applicable) and identify any issues that may lead to potential audit or inspection observations.
Potential loopholes in inspection. When challenged, a risk assessment will be a good tool to demonstrate that adequate controls are in place and that relevant risks
Risk gaps are acceptable. Conversely, audits and inspections may identify a new or previously unrecognized risk that needs to be addressed. same,
Risk assessment can be used as a tool to systematically discuss observed conditions and required controls. Potential regulatory commitments will only
Focus on risks and required controls and avoid unnecessary and excessive work of no value.
Some caution should be taken when committing to doing risk assessments in response to audit or inspection observations. QRM is not a substitute for good science and data. A risk
assessment should never be used to deviate from regulations, justify bad practices, or defend practices that need to be corrected. Compliance with current Good Manufacturing
Practices (cGMPs) is a mandate. Risk assessments provide the tools to proactively align with clear regulatory expectations and industry standards, and appropriately direct / prioritize
efforts and resources based on impact of the risks.
When responding to audit or inspection observations, risk assessments should be submitted in a cautious manner. QRM is not a substitute for good science
and data. Risk assessments should not be used to deviate from regulations, demonstrate poor operation, or protect operations that require correction. Comply with current good manufacturing quality
Quantity management specifications
(cGMPs) are mandatory requirements. Risk assessments provide tools to proactively incorporate clear regulatory expectations and industry standards and, based on the impact of risks,
Direct/prioritize efforts and resources appropriately.
Additionally, regulatory intelligence is important to identifyÿnew and emerging regulations. It can also serve to identify observations and gaps found at other facilities that may be similar
to one's own operations. Use of these external triggers is another proactive way to update risk assessments and avoid unnecessary regulatory observations.
Additionally, it is important to identify new and emerging regulatory intelligence. It can also do this by identifying other companies that may operate similarly to its own.
The company's inspection results and gaps are obtained. Taking advantage of these external triggering events is another way to update risk assessments and avoid unnecessary regulatory inspections
positive way.
4.5.2 Scheduled Reviews 4.5.2
Scheduled Reviews
Periodic, scheduled reviews provide another mechanism for integrating QRM into the PQS, operations and supporting business processes.
Worldwide, several regulatory agencies require a periodic review of processes, systems, and operations. The principle is thatsome review and assessment is required periodically to
ensure that these systems remain in a validated state (e.g. , facilitiesÿ equipment, and processes).
Additionally, Annual Product Reviews / Product Quality Reviews are a regulatory expectation. Incorporating a review of the corresponding risks assessments and risk control strategies
in these reviews provides efficiencies, a more effective review process, and ensures ongoing risk management. Furthermore, the frequency of these reviews may be varied and
established basedupon the level of risk and the product lifecycle

phase. The early lifecycle phase may require more frequent reviews of data gathered after launch of the commercial process incomparison to a mature process.
Periodic planned reviews provide another mechanism for integrating QRM into PQS, operating procedures and supporting business processes. world-wide,
Several regulatory agencies require periodic review of processes, systems and operating procedures. The rationale is that certain checks and assessments need to be carried out regularly to ensure that these
Systems are still in a validated state (e.g. facilities, equipment and processes). In addition, the annual product review/product quality assessment is a regulatory pre-
Expect. Integrating reviews of appropriate risk assessments and risk control strategies into these reviews increases efficiency and leads to a more effective process review.
nuclear form to ensure ongoing risk management. Additionally, the frequency of these reviews can vary and can be based on the level of risk and product production.
Determined by the stage of the life cycle. Compared with the mature production process stage, the early stage of the life cycle, after the start of commercial production, may require
Review data more frequently.
4.6 Risk Communication
4.6Risk communication
Risk communication is the sharing of information about risk and risk management between the decision makers and other stakeholders.
Effective communication through the correct vehicle and means enables effective riskmanagement decision-making.
Risk communication refers to the sharing of risk and risk management information among decision makers and other stakeholders. through the right tools and means
Effective communication enables the risk management decision-making process to run effectively.
Communication of the exact systems, processes, individual and collective roles and responsibilities should be clear; systematic, disciplined, methodical, and timely conveyance of information is
imperative. Equally, the processes and exercise of communications should be effective and
an essential componentÿ bridging each step of QRM. Effective communication in this context permits rational, factual and science-based
,
decision-making, permitting an organization to take the appropriate actions commensurate with the evaluated risk.
Determining systems, processes, individual and collective roles and responsibilities in communication should be clear; systematic, disciplined, organized and timely
The message conveyed is necessary. Likewise, communication processes and activities should be effective and are important to stitch together every step of QRM.
component. Effective communication in this situation allows for sound, fact-based and science-based decision-making, allowing the organization to take action related to
Risk assessment is equally important as appropriate behavior.
Communication activities are recognized as fundamentally important to the risk management process outlined in the ISO Risk Management Standard, ISO 31000(21). This is underlined by the
recognition that a high performance in risk management activities is associated with organizations that have a high level of regard for continual and timely communications with external and internal
stakeholders(21).
The risk management process listed in the ISO risk management standard, ISO 31000(21), communication activities is recognized as the most important in risk management. Everyone agrees
It is recognized that organizations with high execution capabilities in risk management activities are also high in continuous and timely communication with internal and external stakeholders.
Horizontal(21).
The communication of responsibilities, information, activities and data is implicit in ICH Q9, which defines risk communication as "the sharing
of information about risk and risk management between the decision makers and others." (2) It is considered to be the exchange of information
about risk and its management. It can be regarded as a two-way process in which properly informed decisions can be made about the level of
risks and the need for risk control against properly established and comprehensive risk criteria(21). Ultimately risk communication should
culminate in decisions and disclosure of residual risks.
The responsibility for communicating information, activities and data is implicit in ICH Q9, which defines risk communication as “the communication between decision-makers and other stakeholders”
share risk and risk management information. "(2) This sentence is considered as the mutual exchange of risk and its management information. Risk communication can be regarded as
It is a two-way process, and correct and informed decisions depend on the classification of risk levels and the need to formulate risk control measures, that is, based on the previous
Control measures derived from established comprehensive risk criteria (21). Final risk communication should culminate in decisions being made and residual risks uncovered.
ICH Q9 does not give definitive description for how risk communications should be executedÿ but does recognize that "parties can communicate at any stage of the [quality] risk management process"
and that "the output / result of the QRM process should be appropriately communicated and documented. "(2) It is imperative that risk communication begins during the early phases of development
in order to design products and processes with inherent safety features embedded in the product's design. ICH Q9 provides some examples of originators, recipients and stakeholders, and states
that the information that might be communicated might relate to the “existenceÿnature, form, probabilityÿ
severity, acceptability, control, treatmentÿdetectabilityÿor other aspects" of risks to quality (2).
ICH Q9 does not explicitly describe how risk communication should be performed, but recognizes that “stakeholders can communicate at any stage of the [quality] risk management process.
"Communicate during this period", and "The outputs/results of the QRM process should be communicated and documented appropriately". (2) Risk communication is best done in the early stages of the research
Start by embedding inherent safety features into product design during the product and process design stages. ICH Q9 for initiators, recipients and interests
Stakeholders provided some examples and said that information to be communicated could include the risk quality’s “existence, nature, form, probability,
severity, acceptability, controllability, handling, detectability, or other aspects” (2).
4.6.1 Essential Elements of Risk Communication 4.6.1ÿ

important factors in risk communication
There is probably no single vehicle or mode of communication sufficient to cover all communication requirements throughout the QRM process. Similarly, there is no single toolÿ process or technique that
mitigates inherent human bias associated with communication. Quality System elements (as defined in ICH Q10) and QRM documentation (as defined by ICH Q9) should operate in concert to ensure that
all information between each step is exchanged expediently, ensuring minimal human bias and no gaps or miscommunication leading to an erroneous decision. An effective QRM program should clearly
document and inform all stakeholders and their management of their individual and collective responsibilities.
There may be no single medium or communication method that is sufficient to cover all communication needs throughout the QRM process. Likewise, there is no single tool or process
Or technology can mitigate inherent human biases in relevant communications. Quality system elements (as defined in ICH Q10) and quality risk management QRM
Documentation (as defined in ICH Q9) should be coordinated to ensure that all information at every step is easily exchanged, ensuring a minimum of human
Biases and no gaps or misunderstandings lead to a bad decision. An effective QRM program should clearly document and communicate all benefits
Stakeholders have individual and collective responsibilities under their management.
The risk register provides a mechanism to drive periodic review of risks and can ensure that the content is reappraised as anessential vehicle for sustaining risk communication. Any scheduled risk review
cycles and non-scheduled event triggers for risk review (see Section 4.5ÿ Risk Review) should be clearly established within the Quality System and appropriately communicated as part of QRM activities to
ensure timely administration of these activities. Risk communication should also include the incorporation of salient information, risk assessment output and decisions into the management review processes
and schedules. See Table 4.5.1-1 for a summary of essential communication elements to describe the processes and responsibilities within a QRM program.
The risk register provides a mechanism to drive regular risk reviews and ensure that its content serves as an essential tool for maintaining risk communication
was re-evaluated. Any planned risk review cycles and unusual events that trigger a risk assessment (see Section 4.5: Risk Review)
This should be clearly defined in the quality system and communicated appropriately as part of QRM activities to ensure that these activities are managed in a timely manner.
Risk communication should also include integrating salient information, risk assessment results and decisions into risk review process management and timelines. See table for details
4.5.1-1 Summary of important communication elements describing processes and responsibilities within the QRM program.
Table 4.6.1.1 Summary of Essential Information Conveyed to Ensure an Effective and Sustainable QRM Program ÿ 4.6.1.1ÿÿÿ
Summary of key messages that an effective and sustainable QRM program needs to convey

QRM process Step Information Conveyed Information Recipient Purpose

Information to be conveyed information recipient Purpose
Steps in the QRM process
Risk Management Initiation „ Owner of the QRM „ Ensure the right „ Stakeholders
Problem statement and scope
process in the initiation phase of risk management
" Stakeholders
•QRM process owner are identified.
„ Decision makers • decide
„ Description of the product or process • Make sure you describe the problem correctly and
policy maker
type Scope of recognition
„ Risk assessment „ Ensure best
•Describes a product or process use of Participants
type resources in conducting risk •Risk
assessment participants
„ Who resources makes management. This includes Originators of but is not limited
„
to:
available
information for risk
•Who provides resources „ Ensure risk management is being carried out
assessment
„ Stakeholders •Interests Make the best use of resources.
•Distribution of risk assessment information
Closer This includes but is not limited to the following

Starter
„ Who makes decisions Inside
•Who makes decisions Allow
„ Who monitors process

Set expectations
Define expected goals
•Who monitors the process roles/responsibilities
„ Plan Define roles/responsibilities Ensure
" plan preparation activities are

executed
„ Scope Ensure preparation activities are executed
•scope OK
Ensure personnel are
„ Assumptions
•Assumptions
adequately trained
ensure that personnel are adequately
„ Methods
training
" method
Gather data
Data collection
Ensure QRM process is

executed
Ensure QRM processes are implemented
OK
Risk Assessment • Description of the risk participants „ Risk assessment •The systematic application of
risk assessment participants in identification, risk analysis
•Risk assessment tools and techniques to make
and risk evaluation tools. obj ectiveÿdata driven assessment
•Describe risk identification, risk „
Originators
and record the of risk assessment.
analysis and risk assessment work information for ingredients
assessment •Systematic application of tools and techniques
•Means of assembling breath •Original letter of risk assessment techniques to do objective, numerical-based
background information and/ evaluate the data and record the evaluation
or data on the potential evaluation process.
hazard, harm ÿ or human • Ensure decision makers are advised
impact relevant to the risk and make decisions.
assessment. This may •Ensure decision makers are advised

include background
and make decisions.
information from related
products.


Steps in the QRM process
• Gather information about risk assessment
potential dangers, hazards, or
impact on human beings, etc.
Background information and/data. Bag
Include background information on related products
breath.
„ Titles, roles and areas of expertise of
the assessment
team.
•Experts from the assessment team
length, role and area

„ Who defines competencies
and competent personnel.
•Who defines the conditions of competence?
and competent candidates

„ Criteria for
categorizing risk
„ Criteria for risk classification
•Means of communication
of the risk analysis output.
•Communication of risk analysis results
pass way
Risk Control •Alternative means for „ Stakeholders •Profit •To ensure that stakeholders
controlling risk. understand how risks are reduced or

risk control relevant person
•Risk controls optional controlled to an

„ Decision makers
Way acceptable level. •Ensure benefits
•Decision maker
•Balance between risk Other relevant Stakeholders understand how to reduce
Less
„ risk or control to one
reduction cost and the benefit/
management •Other related
magnitude in risk reduction. acceptable level
management party
• Balance risk reduction fees • To ensure reductions are benefits
and risk reductions implemented and to enable / magnitude
• informed decision-making.
Reduction plan, acceptance •Measures to ensure risk reduction
decision, justification, residual The action was carried out and the decision was notified
risk profile. policy maker
• Risk reduction plans that can
decision to accept, reasons, residuals
Overview of residual risks
Risk Review •Frequency of planned/ „ Stakeholders •Interests • Ensure that a lifecycle

risk audit scheduled review. relevant person approach is sustained and
•Plan/daily risk review „ Decision makers
that all risk management
Frequency of
activities are maintained in a state of
•Decision maker
•Triggers for initiating repeat currency.
„ Risk assessment
risk analysis.
•Ensure life cycle is maintained
participants
•Initiate another risk analysis Law, all risk management
•Participants in risk assessment
event „ Activities remain in the current version
Originators of status
•Means of communication of information for risk
assessment
•Initiation letter for risk assessment



Steps in the QRM process breath
the risk review. • Ensure risk profile has not
•How to communicate risk audit changed based on monitoring of
Mode
post-production data streams.
•Based on monitoring early products
data flow to ensure risk overview
The situation has not changed
4.6.2 Difficulties with Risk Communication 4.6.2
Difficulties in risk communication
Risk perceptionÿ and the management of risk perception, plays a significant role during QRM activities. Risk perception issues can lead to subjectivity and uncertainty in the outcomes of QRM
exercises, because, as ICH Q9 statesÿ "each stakeholder might perceive different potential harms, place a different probability on each harm occurring and attribute different severities to each harm.
"(2)
Risk perception and the management of risk perception play an important role in QRM activities. Risk perception issues may result during QRM operations
yield subjective and uncertain results because, as ICH Q9 describes, “Each stakeholder may perceive potential hazards differently,
There are different opinions on the probability of each hazard occurring, as well as different opinions on the severity of each hazard. "(2)
Traditionally, communication has been behavioral in nature, driven by the individual, and dialoguebased; verbal communication therefore presents inherent opportunities for failure, and should not be
overly relied upon when performing formal QRM activities. Furthermore, in the context of regulated environments, the communication of information throughout and along the QRM process should:
Traditionally, communication behavior is an individual's natural behavior, initiated by the individual and based on conversation; when performing QRM activities, it should not
Overreliance on verbal communication because oral communication has properties that lead to communication failure. Furthermore, within the context of the regulatory environment, throughout QRM
During the process, the communication of information should achieve the following points:
„ Be clear and unambiguous.
•Be clear and unambiguous.
„ Be intuitive enough to avoid misunderstanding (heuristics).
•(Heuristic) Intuitive enough to avoid misunderstandings.
„ Facilitate unbiased and objective risk analysis and evaluation.
•Promote unbiased and objective risk analysis and assessment.
„ Convey the appropriate amount of detail and content to facilitate its purpose.
•Convey the appropriate amount of detail and content to further its purpose.
„ Possess defined and recognizable originator and recipient(s).
•Have defined and identifiable initiator and receiver(s).
„ Be traceable and auditable based upon GMP expectations.
•Traceable and auditable according to GMP requirements.
„ Permit recipients to execute their responsibilities and duties.
•Allow recipients to carry out their responsibilities and obligations.
„ Ensure preservation of institutionalized knowledge.
•Ensure institutional content is retained.
ISO 31000 states that confidence in the determination of the level of risk and its sensitivity to preconditions and assumptions should be considered in the analysis and communicated effectively to
decision makers and, as appropriate, other stakeholders(21). It is imperative that the correct decision makers and stakeholders are informed to be fully aware of any insensitivity or bias of the risk
assessment process. Risk perception is an important issue acknowledged in ICH Q9, which may result in stakeholders perceiving different origins of risk, levels of harm, probabilities of occurrence,
and severities. ISO 14971, which sets out risk management activities for the design and manufacture of medical devices, also recognizes that different viewsÿ
65
opinionsÿ and values associated with probability of occurrence, and severity (i.e. , risk perception) have the potential to bias, and should be taken into account especially when deciding
acceptability of risk (22).

ISO 31000 says that the prerequisites and assumptions that determine the level of confidence in risk levels and severity are that analytical capabilities should be considered and communicated with the decision-maker,
Effective communication with other stakeholders, if applicable (21). It is important that the right decision makers and stakeholders are adequately informed
Recognize any insensitivity or bias in the risk assessment process. Perceived risk is an important point in ICH Q9, which may allow
Stakeholders perceive risks from different sources, the level of harm, probability of occurrence and severity. ISO 14971, which provides standards for the design and manufacture of medical devices
risk management activities, recognizing that different perspectives, comments and values differ in relation to the probability and severity of risks (e.g.
Assessments of risks (risk perception) are subject to potential bias and therefore particularly need to be taken into account when making risk acceptance decisions.
5.0 How To Use Quality Risk Management As An Enabler
Risk management used as an enabler
QRM is most valuable when fully integrated into the product lifecycle and its supporting systems (2). QRM should beapplied throughout the supply chain for a product from raw materials
through manufacturing, release, distribution, and delivery to the patient. Effective integration of QRM provides improved decision-making based on sound science for the entire Quality
System and enables continual improvement of Quality System processes such as:
Quality risk management is most valuable when it is fully integrated into the product life cycle and its supporting systems. Quality risk management should be applied from raw materials
Throughout the supply chain a product is produced, released, distributed and then delivered to patients for use. The effective integration of quality risk management provides the entire
The quality system provides improved decision-making based on complete science and drives continuous improvement in the following aspects of the quality system process:
„ Quality System Elements (e.g., documentation, training, quality defects, auditing, periodic review, change control, continual improvement)
Quality system elements (e.g. documentation, training, quality defects, audits, periodic reviews, change control, continuous improvement)
„ Product Design and Development (eg, Quality by Design, process validation, continual improvement activities, documentation of product and process knowledge) Product Design and
Development (eg, Quality by
Design, process validation, continual improvement activities, documentation of product and process knowledge)
„ Facilities, utilities, and equipment (e.g., design of facilities / equipment, housekeeping, qualification of facility / equipment/utilitiesÿcleaning of equipment and environmental control,
calibration /preventive maintenance)
Plant, facilities and equipment (e.g. plant/equipment design, plant/equipment/facility qualification, equipment cleaning and environmental control, calibration/preventive maintenance)
„ Materials management (eg, assessment of suppliers and contract manufacturers, starting materials, storage, logistics , and distribution conditions) Materials management (eg,
assessment
of suppliers and contract manufacturers, starting materials, storage, logistics, and distribution conditions)
„ Production (e.g., validation, in-process sampling and testing, production planning)

Production (e.g. validation, process sampling and testing, production planning)
„ Laboratory control and stability studies (e.g., out-of-specification results, periodic retesting)
Laboratory control and stability studies (such as out-of-standard results, regular retests)
„ Packaging and labeling (e.g., design of packages, selection of container closure system, label control, instructions for use (IFU), medication guide, Risk Evaluation and Mitigation
Strategy [REMS])
Packaging and labeling (e.g. package design, selection of container closure systems, labeling controls, instructions for use, medication guides, risk assessment and reduction
Strategy[REMS].
Many processes already incorporate a risk-based approach that is inherent in the process principles. Other processes can gain from the addition of proper application of QRM. In each
case, application of risk management activities that are relevant to the type and level of risk inherent in each process will enable product realization, establish and maintain a state of
control, and facilitate process improvement.
Many processes already incorporate risk-based approaches into their own right. Other processes can benefit from additional appropriate application of quality risk management.
In each case, the implementation of risk management activities related to the type and level of risk inherent in each process will drive product realization, establishment
and maintain control status and promote process improvements.
5.1 QRM Application during Process Validation Lifecycle

The FDA guidance entitled process validation: General Principles and Practices embraces international harmonized guidance published in ICH Q7, ICH Q8 (R2), ICH Q9, and ICH Q10.
FDA's guidance proposes a three stage lifecycle approach to Process Validation (23):
FDA issued a guidance entitled "Process Validation: General Principles and Implementation Methods", which includes ICHQ7, ICHQ8(R2), ICHQ9
and ICHQ10 content. FDA guidance proposes a three-stage approach to the process validation life cycle (23):
1. Process Design Process Design
2. Process Qualification process confirmation

3. Continued Process VerificationContinuous process verification
Though this terminology is specific to this guidance document, the lifecycle concept is generally accepted worldwide by regulatory agencies. It advocates for more emphasis on process
development, defining process boundaries, and better use of statistical tools to monitor and assess process performance. As defined in the guidance, process validation is "the collection
ÿ
and evaluation of datafrom the process design stage
65
'
through commercial production, which establishes scientific evidence that a process is capable of consistently delivering quality productsQRM provides the tool to define what really is critical ÿ
to patient safety and product quality, gain process knowledge and understanding throughout the product lifecycle, and focus resources. As discussed in Section 5. 1.4, QRM Applied to Stage 3
Continued Process Verification, validation strategies have historically incorporated elements of risk, recognized or not.
Although the term is specific to this guidance document, the life cycle concept is generally accepted by regulatory authorities around the world. The guideline
It advocates greater emphasis on process development, identification of process boundary points, and better application of statistical tools in process performance monitoring and evaluation. in this finger
Process validation is defined in the Guidelines as “certification used to establish scientific evidence that a process can consistently produce products that meet quality requirements.
"The collection and evaluation of data from the process design stage to the industrial production stage". Quality risk management provides tools to determine what is
is truly critical to patient safety and product quality, acquiring process knowledge and process understanding throughout the product life cycle and focusing resources (on
on key points). As discussed in Section 5.1.4, quality risk management is applied to the third stage of continuous process validation and the validation strategy has
Historically integrate elements of perceived or unrealized risk.
5.1.1 Quality Risk Management Applied to Stage 1 Process Design
In the plan
Every manufacturing process begins in a developmental mode during which the system/ equipment design and process parameters are examined. The objective of process development is to
define the commercial process that will consistently deliver a safe and efficacious drug product. The outputs are the master production and control records and a control strategy that will ensure
product is consistently produced to meet all of its required quality attributes.
Every production process begins in development mode, during which system and equipment design and process parameters should be checked. The goal of process development is to
Identify industrial manufacturing processes that can consistently produce safe and effective medicines. Its output is the master production and control record and a
A control strategy that ensures that the product consistently produces all of its required quality attributes.
The first step in the process is to define the Quality Target Product Profile (QTPP) (3). An early risk assessment is instrumental in defining the product with respect to its potential CQAs and the
acceptable ranges for those attributes that provide targets for process design and optimization.
The first step in the process is to determine the Quality Target Product Profile (QTPP) (3). Early risk assessment helps establish the risk factors that can be designed and optimized for the process
Provide potential critical quality attributes (CQAs) of the target product and their acceptable ranges.
Based on this assessment, effective and efficient developmental studies (e.g., Design of Experiments) can be executed to develop knowledge regarding the process boundaries and estimate the
likelihood of process failures. These risks can either be removed by design or reduced through processing controls. Based on these experimentsÿ CPPs and their ranges are defined to ensure
CQAs are maintained within appropriate limits.
This information is then used to update the risk assessment and finalize the CQAs and CPPs that define the commercial process. The control strategy provides the rationale and blueprint for
ensuring process control and how each lot will conform to these CPPs and CQAs.
Based on this assessment, effective and efficient development studies (e.g., design of experiments) can be implemented to develop knowledge about process boundaries and to determine
Possibility of process failure. These risks can not only be removed through design, but also reduced through process control. Based on these experiments,
Critical process parameters and ranges are determined to ensure critical quality attributes are maintained within appropriate limits. This information is then used to update the risk assessment
Evaluate and finalize the critical quality attributes and critical process parameters of the industrial production process. The control strategy is to ensure process control and each batch e.g.
Provides the rationale and blueprint for how to meet these critical process parameters and critical quality attributes.
Development is customarily performed on a small scale so the transition to commercial operations may not be predictable. Uncertainties and risks such as variability associated with commercial
quantities of raw materials and components, mixing and heat transfer may occur during scale-up(23).These risks can be better understood and reduced by developmental studies but never fully
eliminated. Prior knowledge and engineering principles can increase our understanding of scale-up and reduce these risks.
Process development is often carried out on a small scale so the move to industrial scale production can be unpredictable. Uncertainties and risks such as raw materials and auxiliary materials
Changes related to industrial quantities of materials, mixing and heat exchange may occur during the process scale-up phase. These risks can be studied through process development
Be better understood and reduced but cannot be completely eliminated. Existing knowledge and engineering principles can increase our understanding of process scale-up and reduce this
some risks.
Risk management tools such as a process FMEA, risk ranking and filtering, decision trees, or Ishikawa diagrams may be useful to assess these potential uncertainties and their effect on product
quality. An FMEA can help the team make the most optimal decisions about where and what controls are necessary to reduce risks. It also helps the team understand the residual risks that are
acceptable and that cannot be eliminated.
Risk management tools such as process failure modes and effects analysis, risk ranking and screening, decision trees or fishbone diagrams are useful in assessing these potential uncertainties.
Qualitative and its impact on product quality is useful. Failure mode and effects analysis can help teams decide where to use what to reduce risk
These control measures are necessary for optimal decision making. It can also help the team understand that residual risks can be accepted but not eliminated.
5.1.2 Quality Risk Management Applied to Stage 2 Process QualificationQuality Risk
Management is applied to the second stage of process qualification
According to the FDA guidance, Stage 2 Process Qualification is the step where the process design is evaluated to confirm whether the process is robust and suitable for commercial processing.
QRM has a critical role in the evaluation, which encompasses two elements:
65
In accordance with FDA guidance documents, the second stage of process qualification is that the process design is evaluated to confirm whether the process is durable and suitable for industrial large-scale production processes.
Stable steps. Quality risk management plays a key role in the assessment and consists of two elements:
1. Qualification of the facility design, utilities and equipment ÿÿÿ
Confirmation of plans, facilities and equipment
2. Process Performance Qualification (PPQ)

Process performance confirmation
During the execution of utility and equipment qualification,QRM may be used to assist in differentiating criticality and achieving efficiencies by eliminating redundant or non-value added testing. The
extent and scope of testing and documentation during qualification should be appropriate and commensurate with thelevel of risk (See Section 5.2, QRM Application during Facilities, Manufacturing
and Control Systems Lifecycle) .
During the implementation of facility equipment qualification, quality risk management can be used to help differentiate between critical and non-critical by eliminating redundant or non-added value
Testing wins efficiency. The extent and scope of testing and documentation of the validation process should be appropriate and commensurate with the level of risk present. (See 5.2
section, quality risk management is applied throughout the life cycle of plant, production and control systems)
ASTM E2500-007 provides guidance on a risk-based approach to commissioning and qualification activities, designated as verification (24). Per the guidance, risks to product quality and patient
safety should govern the scope and extent of verification activities for manufacturing systems.
SMEs have the responsible for these verification activities; ownership is not just defined organizationally. Verification activities are defined initially and updated throughout the system lifecycle to
assure robust manufacturing controls.
ASTM E2500-007 provides guidance for structuring operations and qualification activities to validate a risk-based approach. In accordance with this guidance document, product quality and
Risks to patient safety determine the scope and extent of validation activities for production systems. Experts in the relevant fields are responsible for these verification activities; the owner does not
Just an organizational definition. Validation activities are defined first and updated throughout the system lifecycle to ensure robust production
control.
Subsequent to utilities and equipment qualification, Process Performance Qualification (PPQ), formerly known as process validation, should be performed. PPQ covers the initial demonstration of
process / product performance and again incorporates the principles and practices of QRM.
Following facility and equipment qualification, process performance qualification (PPQ), formerly known as process validation, should be performed. Process performance confirmation includes both
It contains the initial proof of process and product performance, and integrates the basic principles and methods of quality risk management.
The control strategy and previous process risk assessments serve as inputs for determining the scope and required number of batches for PPQ.
However, it should be noted that some Health Authorities still require three consecutive batches for each drug product image, independent of process understanding, development activities, or risk
assessments.
The control strategy and previous process risk assessments serve as inputs in determining the scope and number of batches required for process performance qualification. However, it should be noted
Unfortunately some health authorities still require three consecutive batches per drug product process and are not subject to process understanding, process development activities or risk assessment
Domination.
PPQ deliverables include the validation protocol and the validation report. Analytical testing, in-process monitoring, and demonstration of critical process controls should be linked to the process risk
assessment. PPQ provides the opportunity to verify that controls are effective and process CPPs and product CQAs will be consistently met.
The deliverables of process performance qualification include verification plan and verification report. Demonstration of analytical testing, process monitoring and critical process controls should be consistent with
Process risk assessment is associated. Process performance qualification provides the opportunity to demonstrate that controls are effective, process critical process parameters and product critical quality
Properties will be consistent.
Many protocols contain "worst case" scenarios (e.g., hold times, microbial control) in order to learn more about the limits of the process so that risks can be better predicted and reduced by
implementing proper controls. PPQ activities may include increased sampling frequency over routine sampling requirements. Multiple samples are typically taken across the manufacturing lot to
demonstrate intra-lot consistency.
Additionally, the protocol may include criteria for acceptance of the process that are more stringent than the product release criteria. Examples of this practice include content uniformity during
blending, mixing and filling, and weight control during compression and filling. The rationale is demonstration that tighter than minimally required values during the PPQ effort, reduces risk in route
operations.
To learn more about process limits many scenarios include "worst case" scenarios (e.g. storage duration, microbial control)
To be able to better predict risks and reduce them by implementing appropriate controls. Process performance qualification activities can include more than routine sampling requirements
Increase sampling frequency. Multiple sampling is often chosen in large production to demonstrate batch-to-batch consistency. In addition, the plan can also include stricter than
Process acceptance criteria for product release criteria. Practical examples include content uniformity in mixing, dosing and filling and tableting and filling processes.
weight control during the process. The basic principle is to prove that if the value is stricter than the minimum required value in the process performance confirmation stage, it can be reduced in daily production.
risk.
5.1.3 Quality Risk Management Applied to Sterilization and Cleaning Validation
Quality risk management applied to sterilization and cleaning validation
During Stage 2, other processes are qualified including sterilization and cleaning. Both processes include application of risk management principles with respect to validation study design and
testing. Many sampling regimens for sterilization are designed to examine areas of the equipment or batch that represent potentially "worst case" scenarios. Typically, penetration thermocouples
and biological indicators are placed in the coldest locations during the sterilization studies. Also, biological indicators utilize organismsthat are the most resistant and most likely to
65
survive the specific sterilization process that is being challenged. Use of these resistant biological indicators as "worst case" surrogates for process bioburden is incorporated into the design of the sterilization
process. Demonstrating their inactivation during PQ essentially reduces the risk of bioburden survival during routine sterilizations of the equipmentÿprovided that the same operating conditions are maintained.
Other processes such as sterilization and cleaning processes are validated in the second phase. Both processes incorporate basic principles of risk management regarding
Applications to validation study design and testing. Many sampling rules for sterilization are designed to be used in inspection areas of equipment or to represent potential “worst case conditions”.
"Parts" scenario batch. Typically in sterilization process studies both the penetration thermocouple and the biological indicator are placed at the coldest point. In addition, the biological indicator
Microorganisms that are most resistant and most likely to survive the specific sterilization process challenged need to be used. Alternative process bioburden as "worst case"
The use of these resistant biological indicators is part of the sterilization process design. Demonstration that the biological indicators can be inactivated during process validation
Qualitatively reduces the risk of bioburden surviving during routine sterilization of equipment providing the same operating conditions.
Sampling regimens and locations selected for cleaning validation can also be risk-based with respect to identifying area that pose a higher risk for residue carry-over after cleaning. Locations selected for PQ
sampling are locations that are at high risk for process residuals to accumulate (i.e., "worst case" locations that are the most difficult to clean and dry in the processing equipment). Criteria for site selectioncan
also be expanded to include detection and the likelihood that process residues will be detected by routine visual inspections. One may improve detection via use of boroscopes, cameras, viewing mirrors, or
disassembling the equipment where feasible (e.g., piping elbows and transfer panels). Consideration of both the probability of residue soil accumulation and the likelihood of detecting it on routine inspection
will help to focus resources on sampling areas that pose the greatest risk to residual carryover. Finally, one could also include the concept of severity in this assessment by considering the toxicity/potency of
the drug product. For highly potent compounds, more sample locations may be selected for testing, particularly those of moderate risk for product accumulation and limited visibility during routine inspection.
The sampling rules and sampling points selected in cleaning validation can also be risk-based in selecting identified areas with the highest risk relative to residual residue after cleaning.
Performance qualification sampling points should be those at the highest risk for process residue accumulation (e.g., “worst case conditions” in process equipment that are hardest to clean and hardest to dry
Point) Criteria for sampling point selection can also be expanded to include detectability and the likelihood that process residues will be monitored during routine visual inspections.
One way to improve detectability is through the use of bore surface testers, cameras, sight glasses or removable equipment for disassembly inspection (e.g. pipes
elbows and transition plates). Consideration of the likelihood of residue accumulation and detection during routine inspections will help focus resources on creating residue risks
Largest area sampled. Finally, severity can be taken into account in the assessment by considering the toxicity and biological activity of the drug product. For highly active chemicals
For compounds, more sampling points can be selected for monitoring, especially in areas where there is a moderate risk of product accumulation and where visibility is limited for routine inspections.
Prior to qualification, emphasis should always be to reduce the risks of residue carryover through process design. Clean-In-Place (CIP) systems should be considered versus manual cleaning processes. If
there are areas in the piping system where water or residues can accumulate and cannot be thoroughly removed by flushing (dead legs), design and piping changes should be made to remove them from
the system. Risk is best managed through elimination in process design; increased samplingshould not be the operative control for poor design.
Prior to validation, the focus should be on reducing residue risk through process design. Compared with manual cleaning process, the online cleaning system (CIP) should be better
Think first. If there are places in the piping system where water or residue accumulation cannot be removed at all by flushing (dead ends), this should be done by design.
and changes in piping to avoid. Risks are best eliminated during the process design phase, and increased sampling should not be used as an effective control for poor design.
5.1.4 Quality Risk Management Applied to Stage 3 Continued Process VerificationQuality Risk Management Applied to Stage 3 Continued Process Verification
The longest segment of the product lifecycle is typically the commercial production phase. The goal of Continued Process Verification is to assure that a processremains in a state of control during this
commercial phase. Once a process has gone through Process Qualification, an ongoing program should be established to collect and analyze product and process data that relate to product quality. The
process risk assessment should be updated with the data from the PPQ, when necessary, and serve as an input to developing an on-going monitoring program.
The longest stage in the product life cycle is usually the industrial mass production stage. The purpose of continuous process verification is to ensure that the process is in the mass production stage
under control. Once the process has passed process qualification, an ongoing program should be established to collect and analyze product quality-related manufacturing
and process data. When necessary, the process risk assessment should be updated based on data obtained from process performance qualification and used as an ongoing development monitoring item.
purpose basis.
Fundamental to process control is identifying the sources of variation, detecting this variation, understanding the impact ofthe variation, and then controlling variation in a manner commensurate with the risks
it represents. Statistical tools such as Statistical Process Control (SPC), control charts, and multivariate analysis can be used to assess this process variation and monitor process performance. Subsequent
tocompleting Process Qualification, heightened testing and sampling of process parameters and quality attributes is expected until statistically significant estimates of variability can be established. Statistical
techniques are also used to identify trend limits, alert limits, action limits, and rejection limits; however, identification and response to these limits should also be based on a good understanding of risks and
controls.
The fundamentals of process control are to identify the sources of variation, detect the variation, understand the impact of the variation, and then use controls appropriate to the risks associated with them.
way to control change. Statistical tools such as statistical process control (SPC), control charts, and multivariate analysis can be used to evaluate process variation
and monitoring process performance. Following completion of process qualification, increased scrutiny of process parameters and quality attributes precedes establishing statistically significant assessment of variation
Testing and sampling are expected. Statistical techniques are also used to determine trend limits, alert limits, action limits and rejection limits. However this
The identification and response to these limits should also be based on a good understanding of risks and controls.
Prior to the new guidance, process evaluations were generally limited to the Annual Product Review (US)/Product Quality Review (EU).
65
Additionally, periodic assessments of equipmentÿ utilities, and other process systems were based on an organization' s particular needsÿ risk threshold, and regulatory requirements (e.g., sterilization processes
re-qualified at least annually, as a minimum). Depending upon process changes, criticality, and a firm's risk tolerance, the interval and the extent of the assessment (also called re-qualification or re-validation
assessments) varied for these other systems. Under the new guidance, product reviews are more frequent with the expectation that controls are in place for more immediate actions. The goal is to detect and
correct adverse process shifts sooner, before product quality is impacted.
Before the introduction of the new guidance document, process assessment was generally limited to annual quality reviews (US)/product quality reviews (EU). In addition, suppose
Periodic assessments of equipment, facilities, and other process systems were previously based on the specific requirements of other organizations. Depends on process changes, criticality and enterprise
The assessments of these systems (also called revalidation or revalidation assessments) are also diverse depending on the industry's risk tolerance. Under the new guidance document, production
Product reviews are more frequent and process control is expected to be online and immediate. The goal is to detect errors faster and fix them before product quality is affected.
correct errors when necessary.
Monitoring of CPPs and CQAs would continue throughout the lifecycle as documented in the control strategy. However, process monitoring is intended to provide assurance that aprocess is operating in a
validated state and is not solely dependent upon monitoring process parameters and attributes. The process risk assessment and process capability data are important inputs to determine the scope and
frequencyof monitoring. For example, parameters that are high risk due to their impact on product quality may have more frequent process monitoring than other parameters.
Monitoring activities would also include facilities and equipment controls, the manufacturing environment, and critical utilities. Decisions related to within or between batch monitoring could be supported by
understanding the level and scopes of risks. Process monitoring should also include identification of adverse trends, enhancing process knowledge and supporting process improvements. ÿÿÿÿÿÿÿÿÿÿÿÿÿ
Monitoring will continue throughout the lifecycle in accordance with the control policies documented in the document. However, the purpose of process monitoring is to ensure that the process is in a validated state
Continuous operation without relying solely on monitoring process parameters and quality attributes. Process risk assessment and process capability data are important in determining monitoring scope and
important basis for frequency. For example, parameters with a high risk of impact on product quality should be subject to more frequent process monitoring than other parameters. Monitoring activities will also
Includes plant and equipment controls, production environment and critical facilities. An understanding of the level and scope of risk can inform decisions about within-batch or between-batch
Provide support for implementation of monitoring. Process monitoring should also include identification of undesirable trends, optimization of process knowledge and support of process improvements.
The data gathered during Stage 3 should be used to improve and optimize the process. When warranted, the knowledge gained should drive updates to risks assessment and the control strategy. When
approved, the knowledge gained should drive updated risk assessments

and control strategies
slightly.
System performance will always vary, but the overall goal in manufacturing should be to strive for excellence. Incorporating risk assessments and risk reviews into a firm's Quality System, business processes,
whether event-based or scheduled, helps provide the mechanism to achieve this goal of manufacturing excellence.
System performance will always vary, but the overall goal of production should be to strive for excellence. Whether it is event-based or plan-based, risk assessment
The integration of assessment and risk review into quality systems and business processes provides a mechanism to help achieve production excellence.
5.2 QRM Application during Facilities, Manufacturing and Control Systems Lifecycle Quality Risk Management should
Used throughout the life cycle of plant, production and control systems
As part of implementing a lifecycle strategy it is important to evolve from "evidence-based" compliance to include "science- and risk-based" compliance. This enables continual control and improvement through
focus on those aspects of the manufacturing operations that are deemed critical for process control and product quality (24). QRM should be applied iteratively throughout the lifecycle of facilities, manufacturing,
and control systems for the following activities:
Evolution from evidence-based regulatory compliance to inclusion of science- and risk-based regulatory compliance as part of an implementation lifecycle strategy
is important. Drives continuous control and improvement by focusing on aspects of manufacturing operations considered critical to process control and product quality. quality
Quantity risk management should be applied throughout the life cycle of plant, production and control systems in the following activities:
„ Facilityÿmanufacturing and automated control systems planning, design, build, verification / qualification, maintain, and retire phases.
Plant, production and automatic control system planning, design, construction, verification/validation, maintenance and decommissioning phases;
„ Consideration of dedicated vs. multi-product risks and controls in designing facility, equipment, and cleaning
validation.
Consideration of dedicated vs. multi-product risks and controls in designing facility, equipment, and cleaning validation .
„ Development of equipment commissioning and qualification plans.
Development of equipment operations and qualification plans;
„ Assurance of controlof the qualified state and drive for continual improvement.
65
Confirm assurance of condition control and strive for continuous improvement.
5.2.1 Lifecycle Strategy Lifecycle Strategy
Risk assessments should be initiated as early as the planning phase during development of user requirements and should be revisited / updated during the design, build, test and routine operation
phases to ensure that risks in the design and operation of a process or system are either eliminated (mainly during design) or reduced such that a continued state of control is maintained (See
Figure 5.2.1-1). Roles and responsibilities should be clearly defined for system owners, manufacturing, engineering, and quality / validation leads to ensure appropriate risk-related decision-
making throughout the lifecycle. ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
Review and update during testing and daily operations to ensure risks in process or system design and operation can be eliminated (mainly during the design phase)
or lowered to maintain a continuous control state (see figure
5.2.1 ). The roles and responsibilities of the system owner, production, engineering and quality/validation departments should be clearly defined to ensure that
be able to make appropriate risk-related decisions.
Figure 5.2.1-1 Systems LifecycleFigure 5.2.1-1 System Lifecycle
Figure 5H1 Systems Lifecycle
Plan
Figure 5.2.1-1 System life cycle plan

design Construction and testing operations and repairs out of service
Quality risk management
good engineering practice
change control
During the early conceptual or planning phase of the lifecycle, risk assessments are mostly qualitative in nature. This initial risk assessment is typically applied to the development of User
Requirement Specifications (URS). The objective of the risk assessment is to identify potential hazards that may need to be addressed during the design phase of the project. Performing risk
assessments early in the lifecycle allows significant opportunities to design the system with appropriate controls such that risks can be eliminated or reduced to the lowest possible level.
Risk assessments are inherently of the highest quality during the early concept or planning stages of the life cycle. The initial risk assessment generally focuses on user needs
Application in the development of instructions. The purpose of risk assessment is to identify potential hazards that can be addressed during the design phase of the project. early in
Performing risk assessments during the life cycle means there is a greater chance of eliminating or reducing the risk to the system to the lowest possible level by designing appropriate controls.
lowest level.
During the design phase of the project, both qualitative and semi-quantitative risk assessment approaches may be considered. As more information is developed by SMEs and stakeholders, the
risk assessments can become more detailed. The objectives of risk assessments during design are to ensure the identification of risks directly related to critical aspects, to eliminate or reduce
these risks to an acceptable level through system design, and to identify other procedural risk control mechanisms (e.g., operational SOPs, maintenance procedures). Design controls are preferred
over procedural controls whenever feasible. It is important to ensure that the requirements specifications and requirements traceability matrix incorporate relevant controls for management of any
identified potential risks to product CQAs and CPPs.
During the design phase of a project, qualitative and semi-quantitative risk assessment methods may be considered. Once experts and stakeholders in relevant fields find out
As more information is developed, the risk assessment can become more detailed. The goal of risk assessment during the design phase is to ensure that risks directly related to key aspects
Identify risks, eliminate risks or reduce risks to acceptable levels through system design, and determine other procedural risk control mechanisms (such as operational
SOPs, maintenance procedures). Whether feasible or not, design control is considered better than procedural control. It is important to combine the requirements statement with the requirements
The tracking matrix integrates controls related to potential risks identified by management related to product critical quality attributes and critical process parameters.
Design reviews should provide assurance on how the system design effectively meets the user, functional, and design requirements for the system including critical aspects by providing a
structured framework to evaluate and manage risks to acceptable levels. Risk assessments should be approved at the end of design to signify that the design and risk control measures identified
have been implementedinto the design of the system. Outcomes from the risk assessment should also be used to determine testing requirements for the system.
The design review should demonstrate how the system design effectively satisfies the requirements by providing a structural framework for assessing and managing risks to acceptable levels.
Meet user needs, system functions and design requirements. A risk assessment should be approved at the end of design to represent the design and identified risk controls
Measures have been implemented in the system design. The results of the risk assessment should also be used to determine the testing requirements for the system.
65
Risk assessments should be conducted and updated throughout the operational phase of the system lifecycle, especially to evaluate the impact
of events such as deviations, investigations, CAPAs, unplanned maintenance activities, and proposed changes to ensure that a validated state
of control is maintained.
Risk assessments should be performed and continuously updated during the operational phase of the system life cycle, in particular to assess the impact of events such as deviations, inspections,
Corrective preventive actions, unscheduled maintenance activities, and proposed changes to ensure the validated status of controls is maintained.
There should be an appropriate flow of information between QRM and other facilities / equipment project activities to ensure that any impact to the risks, risk controls, system design, project budget,
or schedule are identified in a timely manner and communicated to and approved by the appropriate parties. For example, a value engineering decision may create a new risk or increase an existing
risk. Conversely; quality risk assessments may identify the need for a previously unforeseen risk control measure, which may impact the project budget or schedule.
Appropriate information flows between quality risk management and other plant and equipment related project activities should be used to ensure that any impact of risks, risk control
system design, project budget or project scheduling. For example, value engineering decisions may create new risks or add additional risks. on the contrary
Quality risk assessments can identify previously unanticipated control requirements that may pose risks to project budgets or project schedules.
Risks should also be assessed when decommissioning or retiring a system. The risk assessment can be used to address potentialimpact such as data migration and long-term retention of data or
other records that support system operations and the products that were produced from that system. System lifecycle documents including risk assessments should be under appropriate change
management and updated as needed throughout the lifecycle.
Risks should also be assessed when equipment is taken out of service or decommissioned. Risk assessment can be used to address the operation of support systems and the products produced by that system
potential impact on data transfer and long-term retention of data or other records. System life cycle documentation including risk assessment should be in place
Under change management and updated as needed throughout the lifecycle.
5.2.2 Quality Risk Management Application to System Qualification ActivitiesQuality Risk Management Application to System
Confirm activity
QRM can provide the basis for determining the level of rigor necessary for system lifecycle deliverables including testing. Risk assessment and risk control considerations should be included in the
preparation, review, and execution of equipment commissioning, qualification or verification test plans, and test scripts. These should also be compared against the requirements / acceptance criteria
that should have already incorporated the risk considerations appropriately. Testing therefore becomes a means to verify that risk control measures are implemented and effective. The rigor and
extent of qualification should be commensurate with the level of risk. See Figure 5.2.2-1 for an approach that can be used for incorporating QRM in the determination of testing requirements.
Quality risk management can provide the basis for determining the necessary level of rigor for system life cycle delivery, including testing. Risk assessment and risk control
Should be considered during the preparation, review and execution of equipment operations, validation or verification test plans and test scripts. These should also be integrated with
Compare to requirements/acceptability standards for appropriate risk considerations. Testing thus becomes a method of verifying that risk control measures can be implemented effectively.
The rigor of validation should be commensurate with its risk. See 5.2.2-1 for an approach that can be used to integrate quality risk management in determining testing requirements.
Figure 5.2.2-1 Approach for QRM Application to Determine System Testing Requirements
Figure 5.2.2-1 The method used by quality risk management to determine system testing requirements
65
5.2.3 QRM Application to Facility and Equipment Operation, Maintenance and Continual improvement
No system or its environment remains stagnant and unchanged for prolonged periods of time. QRM should be applied throughout the
operational phase of the system lifecycle to monitor and assess system performance and changes, to ensure that the system and
associated operations are maintained under a state of continuous control. The level of risk control activities should be balanced with the
level of residual risk.
No system or environment can remain stagnant for long. To ensure that the system and its associated operations are maintained under continuous control
State quality risk management should be used to monitor and evaluate system performance and changes throughout the operational phase of the system life cycle. risk control activities
The level of activity should be balanced with the level of residual risk.
The approach to demonstrating ongoing control of the validated state through periodic review or requalification has not been well understood past initial
delivery, installation and qualification of systems. Requalification of systems typically involves repeating the qualification test protocols and comparing the
results to the original data. "Over time, the industry has been moving towards primarily relying on periodic review of discrepancies, changes, unplanned
maintenance, and ongoing monitoring trends to assure maintenance of the validated state, with
65
requalification only being performed when required by regulatory expectations. Understanding the criticality of systems and their robustness to
change are fundamental in the application of QRM to periodic review and requalification. Effective calibration and maintenance programs are
additional preventive measures to ensure that the facility and systems are continuously maintained to specifications. The risk assessmentcan
be used to identify critical instruments or components for a system and the appropriate maintenance and/ or calibration frequency for these
critical elements.
The method of demonstrating ongoing control of the verification status through periodic reviews or revalidations no longer fully understands the original delivery of the previous system,
Install and confirm. System revalidation typically involves repeating the validation test protocol and comparing raw data and results. Outdated, the industry has tended to
Relies primarily on accurate periodic reviews of discrepancies, changes, unscheduled repairs and ongoing monitoring to ensure that the validation status is maintained, only when
Revalidation is only carried out to meet the expectations of the drug regulatory authorities. Understanding the criticality of a system and its durability to change is the key to regular review and re-
Identify the basis for applying quality risk management. An effective calibration and maintenance program is an additional precaution to ensure that plants and systems continue to meet standards.
precautionary measures. A risk assessment can be used to identify critical instruments or components for a system and determine the appropriate maintenance and/or calibration frequency for these critical elements.
Rate.
The Quality System should ensure robust and effective management of deviations, investigations, changes, CAPAs, unplanned maintenance events, or adverse data trends to ensure that the existing profile of risks
for the system does not reach an unacceptable level. Incorporating QRM in these instances can help define criticality, acceptabilityÿ resolution timing, and review frequency. The outcomes of the risk assessment
should be used to drive appropriate control of any potential new risks or changes to existing risks or risk control measures that may be associated with the deviation, investigation, change, CAPA, unplanned
maintenance activities, or adverse data trends. Low-risk changes may require little to no additional testing or evaluation, whereas high risk changes are likely to require sufficient testing to verify the suitability and
effectiveness of the change.
To ensure that the risks present in the system do not reach unacceptable levels, the quality system should ensure deviations, investigations, changes, corrective and preventive actions,
Unplanned maintenance events or adverse data trends are managed powerfully and effectively. Integrating quality risk management into these events can help identify
Determine criticality, admissibility, resolution time and review frequency. The results of the risk assessment can be used to drive appropriate assessment of each potential new risk.
Appropriate controls or drives for risks associated with deviations, investigations, changes, corrective and preventive actions, unplanned maintenance activities, or adverse data trends
or changes in risk control measures. Low-risk changes may not require additional testing or evaluation at all, whereas high-risk changes may require
Adequate testing is required to demonstrate the suitability and effectiveness of changes.
65
See Figure 5.2.3-1 for an example of how QRM can be integrated into the operation and maintenance activities for facilities and equipment.
See Figure 5.2.3-1 for an example of how quality risk management can be integrated into the operation and maintenance activities of plant and equipment.
SubFigure 5.2.3-1 QRM Application during Operation and Maintenance ActivitiesFigure 5.2.3-1 Quality Wind
Risk management in operation and maintenance activities
Applications in
confirm system
Events that occur during daily operations (such as deviations, investigations, corrections
Positive preventive measures, changes)
Assessing the impact of an event on system requirements includes a risk assessment.
Whether the event introduces a new risk that is unacceptable
level?
Need to confirm again?
Determine and implement appropriate risk control measures including revalidation testing.
Update all affected system lifecycle files if necessary
Including risk assessment, system requirements, standards, drawings, design
planning and procedures
5.2.4 Facility and Equipment Design: Dedicated Versus Multi-Product Facilities and multi-variety factories factory Room and equipment design: single
Per ICH Q7, Good Manufacturing Practice for Active Pharmaceutical Ingredients, "Building and facilities used in the manufacture of intermediates and
APIs should be located, designed, and constructed to facilitate cleaning, maintenance, and operations as appropriate to the type and stage of
manufacture. Facilities should also be designed to minimize potentia1 contamination. Where microbiological specification have been established for
the intermediate or API, facilities should also be designed to limit exposure to objectionable microbiological contaminantsas appropriate." (25)Product
and process requirements
ÿ should drive the design strategy for facilities, manufacturing, control, and support systems.
65
According to CHQ7, Good Manufacturing Quality Practice for APIs, “Buildings and workshops used for the production of intermediates and APIs should be based on the type of production.
be sited, designed and constructed in such a way as to facilitate cleaning, maintenance and operation. Plants should also be designed to minimize potential contamination. when necessary,
Where microbiological indicators are established for intermediates or APIs, the plant should also be designed to limit exposures that can cause microbial contamination. products and processes
Requirements should drive the design strategy for plant, production, control and support systems.
QRM can be used to proactively identifyÿ and manage multi-product risks as a product is being transferred to a facility. A risk- and science-based evaluation of a process takes into account the potential
for cross-contamination, the impact on product quality, and the intended use of the product(26).This includes addressing risks for highly potent/ sensitizing (e.g., cytotoxic) materials. These risks are
managed by conducting manufacturing operations in a control1ed environment. This approach is especial1y critical for multi-product facilities and equipment trains that are used to produce different APIs,
intermediate products, or finished products.
Quality risk management can be used to proactively identify and manage multi-product collinear risks when a product is moved to a plant. Based on risk and
A scientific process evaluation considers potential cross-contamination, impact on product quality, and the intended use of the product. This also includes looking for highly active
or highly allergenic (such as cytotoxic) materials. These risks are managed by performing production operations in a controlled environment. This approach is useful for applications
Multi-product common plants and equipment groups that produce different types of APIs, intermediate products or final preparations are particularly critical.
The concepts of segregation and contamination control practices to manage multi-product risks are described in regulations, guidance, and reference standards such as ICH Q7 and EudraLex Volume 4
Chapter 3 "Premises and Equipment." These concepts include:
The concept of segregation and contamination control methods used to manage multi-species risks is described in regulations, guidance documents and related standards, such as ICHQ7 and
Eudralex Volume 4 Chapter 3 "Plant and Equipment". These concepts include:
„ Understanding of the process, biohazard and contamination issues and related concerns
Understanding of processes, biohazards and contamination events and their related concerns.
„ Segregation of APIs and intermediates by design (spatial) or practice (temporal). Segregation is further delineated as primary, secondary, environmental, or process design; some examples include:
Design isolation of APIs and intermediates in space or temporary isolation during operation. Isolation measures can further be described as primary, secondary,
Environmental or process design. Examples include:
Primary: Separate clean rooms that are dedicated to specific process equipment and process steps including equipment arrangement.
Primary: Separate clean rooms dedicated to special process equipment and process steps containing the equipment layout
Secondary: A multi-product environment where each product is campaigned and separated with a rigorous / validated change-over cleaning, or many products at once in separated trains, or
separating upstream from downstream process steps.
Secondly: each product in a multi-product collinear environment is produced in stages and strictly verified. Change products for cleaning or many products are produced separately at once.
production or separation of upstream and downstream process steps.
Environmental: Clean room pressure cascade from the most critical operating zone to the least critical zone (ie, clean to dirty). Environment: Clean room pressure cascade from
the most critical operating zone to the least critical zone (ie, clean to dirty zone ) )
Process Design: Closed versus open system.
Process Design: Closed vs. Open Systems
„ Controlling process, material, waste, and personnel flows to reduce the impact of cross-contamination
Control process, material, waste and people flows to reduce cross-contamination
„ Designing, constructing, and operating control 1ed (eg, clean room) environments that are suitable for the type of manufacturing activities being performed. Design, construction, and operating control
1ed (eg, clean room)
environments that are suitable for the type of manufacturing activities being performed.
„ Cleaning, decontamination, and disinfection practices ÿÿÿ
Purification and disinfection activities
„ Steam /water sanitization and sterilization procedures ÿÿ/
Water disinfection and sterilization procedures
„ Changeover procedures
transfer procedure
„ Viral clearance by reduction and inactivation
Low or inactivated to clear the virus
„ Gowning and hygiene practices more
clothing and hygienic behavior.
„ Environmental controls and monitoring practices to detect and control potential contaminants
Environmental control and monitoring measures used to monitor and control potential contaminants.
Proactive QRM will ensure that appropriate multi-product controls exist not only for the product that is being transferred to the facility but also for products that are already produced in that facility.
65
Proactive quality risk management ensures that the products being transferred to the factory and the original products in the factory have appropriate controls on multi-product collinearity.
5.3 Quality Risk Management Application During Technology Transfer
application
Technology transfer includes transfer of product, process, technology, or analytical methods throughout a product lifecycle (until discontinuation) including: Technology transfer includes transfer of product,
process,
technology, or analytical methods throughout a product lifecycle (until discontinuation) including:
„ New product transfers from development to ful1-scale commercial manufacturing

Transfer of new products from development to large-scale industrial production
„ Transfers of clinical and marketed products within or between manufacturing and testing sites ÿÿÿÿ
Transfer of clinical and commercially available products between or within experimental sites
The developmentof a new product and the associated manufacturing process requires the acquisition and management of process and product knowledge. The transfer of processing technology from
development to production is a critical step in the product lifecycle. Technology transfers for existing processes are also common as many products are manufactured at multiple sites or outsourced.
Process development of new products and their associated manufacturing companies require the acquisition and management of process and product knowledge. Process technology transfer from development to production in
is a critical step in the product life cycle. The same goes for technology transfer of existing processes when many products are produced at different locations or are outsourced.
Knowledge management is a key supporting enabler for effective QRM. It supports the development of a robust and reliable production process that will reproducibly deliver product that is safe, pure, and
efficacious. Such knowledge needs to be transferable and thus requires tools for managing data, information, and ultimately knowledge. Even risk assessments performed at an early stage in the product
lifecycle will haveto be understood and interpretable years later when the commercialization step is reached. QRM thus requires forward planning, so processes, methods, and knowledge can be safely
transferred.
Knowledge management is a key driver for effective quality risk management. It supports a stable, reliable and repeatable production of safe,
Development of production processes for pure and effective products. This knowledge needs to be transformable, so tools are needed to manage data, information and basic knowledge.
knowledge. Actual risk assessments carried out early in the product life cycle will have to be understood and interpreted when industrialized many years later. Therefore the quality
Risk management requires advance planning so processes, methods and knowledge can be safely transferred.
Technology transfers are generally associated with potential risks for incomplete transfer of knowledge and would need to be managed adequately where the company is not directly in control of
manufacturing (e.g., use of a contract manufacturing organization [CMO]). A successful technology transfer will result in each process step being fully understood, controlled and largely optimized, with
potential risks being controlled to acceptable levels prior to the transfer. The participation of SMEs such as va1idation, production, development, engineering, and quality personnel is crucial to the success
of the transfer.
In order to complete the transfer of knowledge, technology transfer is usually associated with potential risks and occurs in places where the enterprise does not directly control production (such as contracts).
Production Organization [CMO]) will require adequate management. A successful technology transfer will result in each process step being fully understood, controlled and
Most have been optimized and potential risks have been controlled to acceptable levels before transfer. Experts in relevant fields such as validation, production, process
Involvement of development, engineering, and quality personnel is critical to the success of the transfer.
QRM can be app1ied throughout the technical transfer process starting with the site selection. A risk assessment should be performed to
determine the risk with choosing a particular site to ensure that the best sourcing decision is made (e.g., evaluate risks with the options of
contract manufacture, a new company owed facility; or retrofitting an existing company owed facility). Each site has separate risk profiles,
which should be taken into consideration.
Quality risk management can be applied throughout the technology transfer process, starting with site selection. In order to ensure that the best supply decisions are made (e.g. review
Evaluate the risk of choosing contract production for a new company that lacks factory buildings or renovate an existing company that lacks factory buildings) and determine the choice of a specific production site.
A risk assessment should be carried out when considering risks. Each production site has different risk scenarios that should be considered.
After the site has been chosen a risk assessment can be performed to assess the risks associated with a particular site (e.g., types of equipment, scale, raw materials, and personnel). For instanceÿif a
contract manufacturer has been chosen questions arise such as:
After the production site has been selected a risk assessment can be carried out to assess the risks associated with the specific production site (e.g. type of equipment, size,
materials and personnel). For example: If you choose a contract manufacturer, you can ask the following questions:
. What are the differences or similarities between the donor and recipient sites in the facilities and equipment that is used to produce the product?
How are the plant and equipment used to produce this product different or the same between the supplier and the recipient?
. What is the level of manufacturing experience with a particular product class (e.g., recombinant protein versus small molecule)?
What is the level of manufacturing experience for specific product categories such as recombinant proteins and small assays?
Assessment of risks associated with these differences or changes as part of change control activities can ensure that unacceptable risks are not introduced due to the differences or changes.
The assessment of these different or change-related risks as part of change control activities can ensure that unacceptable risks are not introduced.
some differences or changes.
Another factor to consider is the type of facility (i.e., is it a multi-product or multi-host facility?). If so, then special considerations should be made for cleaning and change-over procedures, managing cross-
contamination or material/product mix-up risks (see Section 5.1.3,QRM Applied to
65
Steri1ization and Cleaning Validation and Section 5.2.3, Facility and Equipment Design: Dedicated versus Multi-Product Facilities for more information). Risks for storage and transportation, especially if
manufacturing is divided among multiple sites, should also be assessed and appropriate risk control measures identified.
Another factor to consider is the type of factory building (e.g. will it be shared by multiple products or customers?). If yes, in the clean and convert variety
Special considerations need to be made in procedures, managing the risk of cross-contamination or mix-up of materials and products (see Section 5.1.3 Quality Risk Management for more information
Applied to sterilization and cleaning validation and Section 5.2.3, Plant and equipment design: dedicated and multi-variety shared plants). Storage and transportation risks are particularly
Appropriate risk control measures should also be assessed and determined even when production is split across multiple production sites.
The technology transfer should not only ensure a successful transition from product development to product operations or a new site, but should do so in a manner that results in a process that can be
validated to reliably produce high quality product. The more comply the process is, or the higher the level of residual quality risk is inherent to the process, the more appropriate it will be to conduct
additional evaluative studies to ensure that the process is in an adequate state of control. QRM can be used to identify, how much validation is required, or where revalidation is not necessary, including
assessment of the number of batches required for validation.
Technology transfer should not only ensure a successful transfer from product development to product manufacturing or new production sites, but should also result in a process that can be validated
It is indeed done in a way that can produce high quality products. The more consistent the process is or the higher the risk of residual quality inherent in the process, in order to ensure that the process
The more appropriate it would be to conduct additional evaluation studies in a state of adequate control. Quality risk management can be used to identify how much verification is needed or where it is not
Revalidation is required, including evaluation of batches required for validation.
Conducting engineering studies or production of test batches prior to conducting validation activities can be an effective method to identify, and appropriately manage risks that were not identified during
development or transfer planning. During the transfer of an existing manufacturing process, there is the added benefit of historical data availability (including an understanding of CQAs, CPPs and process
controls) that provides a knowledge baseline useful for QRM application during the technology transfer. Risk assessments should be completed and high /unacceptable risks reduced to acceptable levels
prior to producing qualification lots that support the technology transfer.
In order to identify and appropriately manage unrecognized risks during development and transfer plans an effective approach may be in implementing verification activities.
Perform engineering studies or experimental batches prior to operation. Historically available data (including critical quality attributes) during the transfer of a manufactured process
properties, critical process parameters and process controls) in providing a knowledge base for the application of quality risk management in technology transfer.
Multiple benefits. Risk assessments should be completed and high and unacceptable risks reduced to acceptable levels prior to production of validation batches supporting technology transfer.
level of acceptance.
Finally, QRM can be applied during technology transfer to assess considerations for bridging stock and support appropriate management of the overall plan and logistics for the transfer. As emphasized
throughout this document, QRM is an iterative process and the risk assessments performed in support of the technology transfer should be reviewed and revised as appropriate.
Finally, the application of quality risk assessments during technology transfer can be used to assess considerations for inventory matchmaking and to support the entire process for the transfer.
Proper management of planning and logistics. As emphasized throughout this document, quality risk management is an iterative process that supports
Technology transfer risk assessments should be continually reviewed and updated as necessary.
5.4 Quality Risk Management Application in Materials ManagementQuality Risk Management Application in Materials
Management
The globalization of the pharmaceutical industry has increased the complexity and challenges of vendor qualification including assurance of materials quality and integrity. A dependable source for active,
inactive, and other raw materials and components is oneof the prerequisites for successful manufacturing. While globalization has increased the number of available suppliers, it has also increased quality
risks. Thus, pharmaceutical companies need to invest in improved supplier qualification and materials management programs in order to manage the risk of assuring quality of materials from all suppliers.
Selection of suppliers should primarily be based on their ability to consistently deliver material per specifications. Cost may be a factor but should not be the primary driver.
The globalization of the pharmaceutical industry has increased the complexity and challenges of supplier qualification including ensuring material quality and integrity. active, inactive and
Reliable sources of other raw materials and excipients are one of the prerequisites for successful production. While globalization has increased the effective number of suppliers, quality
Quantity risks have also increased. Therefore, in order to manage the risks involved in ensuring the quality of materials from all suppliers, pharmaceutical companies need to
Invest in projects to improve supplier qualification and materials management. The selection of suppliers should first be based on consistently achieving each quality of the material
standard. Cost can be a factor in selection but should not be the main factor.
QRM helps pharmaceutical manufacturers assure the safety of their active, inactive, and other raw materials through the establishment of a
risk-based effective supplier assessment and qualification program. The supplier qualification program has to be part of the Quality System
in order to provide assurance that the drug substance / drug product and services that are purchased will consistently meet specifications
and expectations for compliance with the regulations. This process builds quality into the supply chain and the manufacturing process, and
reduces the likelihood of producing a nonconforming product. QRM can help prevent recalls, health authority enforcement actions, bad
publicity, damage to a company's integrity and reputation, and most importantly negative impact to patient health. QRM aids manufacturers
in being knowledgeable about their suppliers in order to build control systems to prevent the purchase of materials from unscrupulous re-
packagers or wholesalers.
Quality risk management helps pharmaceutical manufacturers ensure that their active, inactive
65
safety of sex and other raw materials. In order to provide assurance that the purchased drug substance/drug product and its services will always meet its quality standards and
regulatory compliance expectations, a supplier validation program must be part of the quality system. This process builds quality into the supply chain and production process
and reduces the possibility of producing substandard products. A quality risk assessment will help prevent recalls, enforcement actions by health authorities, negative publicity,
damage to company integrity and reputation and most importantly negative impacts on patient health. Quality risk management helps manufacturers to be smart about their
suppliers in order to establish control systems to prevent purchasing materials from unreasonable subcontractors or wholesalers.
5.4.1 Supplier Selection and ManagementSee Figure 5.4.1-1 for an example

of the lifecycle of supplier assessment and qualification .
5.4.1 Supplier Selection and ManagementSee Figure 5.4.1-1 for an
example of the lifecycle of supplier assessment and qualification. Figure 5.4.1-1 is an example of supplier
assessment and qualification.
Bodhisattva
and i
materials
Yes. V degree
(confirm i>
permission is
required): Release inspection
Add this to
the key
65
Are you satisfied with the result?

65
5.4.2 Risk Controlfor Suppliers

5.4.2 Supplier risk control
Ideally.vendor selection begins with the establishment of the raw material attributes and specifica-tions_ Manufacturers need to clearly de
understand how those requirements contribute specification requirements and
to the quality of the product and differ-ent standards of components may be necessa to understand the _ Experiments with different sources
effects on the finished product.
Ideally, supplier selection starts with the establishment of material attributes and standards. Producers need to clearly define standard requirements and understand
Understand its effect on product quality. Experiments using materials from different sources and different standards are essential for understanding their impact on the final product.
necessary.
While most companies rely on API or cipients that have speccations recognized by compendial monographsit may be necessary to investigate the need for tighter or
additional specmcations for these materials due to their performance in the specific dosage form being developed.The risks of these raw materials should be
assessed right om the start with a view to product development and commercialization.
Although most companies rely on API or excipients themselves to have standards that comply with statutory individual monographs, due to their impact on formulation performance,
Investigation is necessary to tighten or add standards. In the process of product development and commercialization, material risks must be addressed from the beginning
Just make an assessment.
While it may be preferable to deal with a manufacturer of the APIraw materialsor components directlymost companies have to purchase om a distributor
or wholesaler network.
Some of the factors that should be considered when evaluating risks and selecting a supplier (le.manufacturers and distributors) include:
Although it is better to purchase API, materials or components directly from the manufacturer, most companies have to purchase them from distributors or wholesalers.
purchase. The following factors need to be considered when evaluating risks and selecting suppliers (e.g. manufacturers, distributors):
„ Quality of raw materials i.e. compendial monograph material and the ability of the supplier to provide Certificates
of Analysis [COAsavailability of material with different specmcations).
Material quality (legal standard materials, supplier’s ability to provide analytical certificates, ability to provide different standard materials)
„ Consistency of supply (e.g.reliance of the vendor on secondary or tertiary suppliers).

Continuity of supply. (such as dependence on second- and third-tier suppliers)
„ Registration inspection and compliance status of supplier_

Supplier registration, inspection and compliance status
„ Willingness of the supplier to enter into an agreement or contractincluding willingness to be audited.

Supplier’s willingness to enter into agreements and contracts, including willingness to be audited
„ Willingness of supplier to share information (e.g.Quality System containers closures and distribution channels).
Supplier's willingness to share information (e.g., quality systems, containers, closures, and distribution channels)
„ Uniqueness of Material (e.g. considerations for biotechnology raw materials such as bovine spon giform
encephalopathy [BSE] and transmissible spongiform encephalopathy [TSE]virus,micro-biological contamination,
endotoxin levels,leachable/extractable ,variability risks etc.).
Uniqueness of the material (biotech materials have considerations such as mad cow disease [BSE] and transmissible spongiform encephalopathy [TSE],
Viruses, microbial contamination, endotoxin levels, leaching/extraction, risk of mutation)
Counterfeiting potential of the material.

Possibility of counterfeiting
„ Country of origin and location of manufacturing plant

Country of origin and factory address
„ Black market sources of the materials.

Black market sources of materials
In addition to the quality and compliance of vendors manufacturers need to assess the manufac-turer /supplier's reliabty to provide the material on a timely and dependable basis.
QRM looks at the lifecycle of the productnot just the immediate need during a particular step in the lifecycle. The geo-political and geophysical environment impacts the potential risk to
drug substance / drug product
availabtyand quality.Regulatory oversight is an important aspect of supply chain integrity especially as it relates to assuring that
counterfeit and substandard materials do not enter the supply chain.
In addition, manufacturers need to evaluate the reliability and basis for suppliers to provide materials on time. QRM observes the entire life cycle of a product,
Not just the special needs of one step. The geopolitical and geographical environment has the potential to affect the availability and quality of pharmaceutical materials and products.
at risk. Regulatory compliance is an important aspect of supply chain integrity, especially when it comes to ensuring that counterfeit and substandard materials cannot enter the supply chain.
See Table 5.4.2-1 for an example of how risk management can help determine the audit equency for a supplier. This example illustrates a modelwhich can
present varied audit frequencies based on variations in supplier risk rating.
Table 5.4.2-1 is an example of how risk management is used to determine the frequency of supplier audits. The frequency of audits is determined based on the supplier’s risk level.
Rate
Table 5.4.2.1 Example of Risk Management Application to Determine Supplier Audit Frequency
Material and Supplier Criticality Assessment 1
Low Medium High

Supplier Excel Audits every 4 years
nt
performance
This
Rating
In the above example suppliers are evaluated based on the two parameters of past performance and criticaty of suppliers/ materials.
The resulting cell in the 9-block diagram provides the recom-mended equency for supplier audits.
Disagree with
importance assessment
suppliers Middle to high
Excellent every four years every four years every three years
past performance Well every four years every three years every two years
Generally every three years, every two years, every year
In the above case, suppliers are evaluated through two indicators: past performance and material and supplier importance assessment. in matrix
Recommended frequency of supplier audits is provided in .
The first parameter Supplier Performance Rating is determined based on objective criteria of past performance. A performance level of Excellent Good or
Standard is determined based on a pre-defined check list risk assessment with scoring for various elements such as quality of supplier's past performance
percentage of non-conformances per lot on-time deliveryetc.

The first indicator: past performance is determined by objective criteria of the supplier's previous performance. Excellent, good, average are different from the previous definitions
It is determined based on the risk assessment scores of various aspects, such as the rate of defective products in each batch, on-time arrival, etc.
The second parameter across the top is determined based on the criticality of the material and the supplier's delivery of that material.The criticality level of Low Medium or
High is determined based on a pre-defined checklist risk assessment of criticality of the material and the supplier's ability to provide the material.Elements that contribute to
the criticality assessment inc1ude aspects such as where the material is used in the process the supplier's ability to provide material of the quality level that meets requirement
supplier's internal Quality System their technical capabilities etc.
The second indicator: material and supplier importance assessment is determined by the importance of material and supplier logistics. Low, medium, high from before
The defined importance risk assessment score is used to determine the importance of the material and the supplier's ability to provide the material. Influencing factors include: work
The place where Yizhong materials are used, the supplier's ability to provide materials that meet the quality requirements, the supplier's quality system, the supplier's technical capabilities, etc.
This model can be defined in procedures within a company's Quality System. Inputs to determine the levels should be provided from across multiple functionswith quality
parametersbeing weighted the highest. The resulting level should be refreshed periodical1y (e.g.annual1y)incorporating the most recent data and
experience.
54 47
The model can specify processes within a company's quality system. By interacting with multiple functions to provide data to determine the level, quality indicators are considered
is the most important. Proficiency results should be updated regularly (e.g. annually) based on the latest data and experience.
Audit frequency is illustrated but the tool can be applied for other cross-functional purposes as well. For examplenew business could onybe given to suppliers with "excellent" or "good"
performance rating. New suppliers can be given an initial rating of "standard" until data becomes available to incorporate in the annual refesh. For suppliers that have significant
open CAPAs there should be a focused effort applied to move the suppliers up in their rating or out of the list of approved suppliers.
The audit frequency is shown in the figure, and the tool can also be used for other interactive functions. For example, new business can only give excellent or good reviews
level supplier. New providers may be given an initial rating of "Standard" until data is available for annual updates. Suppliers have large significant
When applying for CAPA, you should focus on improving the supplier's rating or removing it from the approved supplier list.
Risk control measures should apply to the entire supply chain not just testing on receipt. Incoming material need to be in accordancewith a statistically based sampling scheme and the
samples tested without compositing.
Risk controls should be applied throughout the supply chain rather than just checking invoices. Newly arrived materials should be sampled according to a statistically designed sampling plan.
and tested before synthesis.
One of the greatest risks is receiving a material that has been contaminated with a substance that can cause serious harm to the patient and is not identified during incoming inspection. If
QRM is used to evaluate every aspect of the supply chain risks could be managed earlier during the selection of suppliers. As testing and specifications can onIy address and lookfor
ingredients and lmpurities that are either knOW11 or expected there is always the risk of an unknown substance going undetected. For that reason it is necessayto consider the entire
supply chain when considering the risk to product quality.QRM appliedas a holistic approach can reduce the risk of substandard or harmful materials being purchased through the supply
chain.
Receiving material that is contaminated with ingredients that could be extremely harmful to patients and not detected during inspection is the greatest risk. If the quality wind
Risk management is applied to evaluate every aspect of the supply chain and can be effectively managed during the supplier selection phase. Because testing can only detect confirmed
Ingredients or impurities, and the mixing of unknown ingredients are always risks. When considering product quality risks it is necessary to consider the entire supply chain, quality
Quantity risk management can be applied holistically to reduce the risk of introducing non-standard or hazardous substances from the supply chain.
5.4.3 Quality Agreements
Quality and Supply Agreements can function as useful and integral elements of a supplier risk man agement program. In some countriesÿ Quality Agreements are
required by regulation. These agreements are considered contracts between suppliers and manufacturer that dearly define roles and responsibilities and quality
requirements. The fd1owing are elements of a typical Quality Agreement that help provide greater assurance of product quality and supply continuity:
Quality and supply agreements are an important part of the supplier risk management program. In some countries, regulations require quality agreements. A
quality agreement is a contract that defines the roles and responsibilities of suppliers and producers. The following are typical quality agreement elements to
ensure continuity of product quality and supply:
„ Identity of the suppliersupplier
identity
„ Identity of the deliverables

Deliverable ingredients
„ Intended use of the component or service component or service
Allspecifications for the component or
service
Standards for components or services
„ Description of the roles and responsibilities of the contract giver and contract receiver:
The contract gives a description of the recipient's roles and responsibilities
Responsibilities as they relate to cGMPs cGMP
Related responsibilities
„ Responsibility related to validation (e pre-approval of validation protocols by the contract giver)
Verification related responsibilities (e.g. contract giver provides pre-approval verification plan)
„ Responsibilities related testing and release
54 47
Inspection and release responsibilities
„ Responsibilities for the supplier to inform the manufacturer of any proposed changes such as changes to the manufacturing
processequipment facility analytical methods standard operating procedures key personnel and any key secondary or tertiary supplier
Supplier's responsibility to notify producers of changes (such as production processes, equipment, facilities, analytical methods, standard operating procedures,
key personnel and second- and third-tier distributors)
„ Responsibilities for the supplier to inform the manufacturer of any errors deviations and out-of-spedfoation results that did or may have impacted the product quality
„ Possibility to participate in supplier's investigationsPossibility to

participate in supplier's investigations
„ Description of the manufacturing storage and distribution processesDescription of the

manufacturing storage and distribution processes
„ Requirements for product release quarantine and potential destruction Product release
requirements and potential destruction
„ Requirements for shipment conditions
„ Requirements for the contract giver to audit the contract receiver Requirements
for the contract giver to audit the contract receiver
„ Requirement for the supplier to share the results of regulatory agency inspections. Requirement for the
supplier to share the results of regulatory agency inspections .
The task of controlling risks to drug substance / drug product is not over once the supplier has been identified and qualified. There still remains the activity of
protecting the components during shipment and storage to ensure that quality is not compromised priorto being received at the manufacturer. The extrapolation of
these measures to non-product components would increase the confidence in the materials received through the global supply chain.
Pharmaceutical manufacturers can increase their confidence in the shipment of their drug substance / drug product by working with their suppliers in the fol1owing methods: Pharmaceutical manufacturers can increase their confidence in the shipment of their drug substance /
drug product by working with their suppliers in the fol1owing methods:
Pharmaceutical manufacturers can increase their confidence in the shipment of their drug substance / drug product by working with their suppliers in the fol1owing methods: Pharmaceutical manufacturers can increase their confidence through drug
and product risk control tasks not only supplier confirmation, but also during transportation and during storage, the quality of the material before it is received by the producer is not affected. Measurements of these sub-product ingredients can increase
confidence in delivering materials through international supply chains.
Work with suppliers to increase their confidence in the shipment of
pharmaceutical products: „ Incorporation of anti-counterfeiting measures in packaging and labeling „ Use of tamper evident
seals on containers
„ Use of unit level identification systems (egRadio Frequency Identification [RFID] tags2D-bar codes)Use of unit level identification
systems (egRadio Frequency Identification [RFID] tags2D-bar codes )
„ Use of seals Use

seals
„ Use of common carriers that do not bear the branding of the manufacturer „ Container level
tracking and data collection (eg Global Positioning System
[GPS]) Container level tracking and data collection (eg Global Positioning System GPS) )
„ Temperature /humidity data loggersTemperature

and humidity data
Increased confidence impacts the risk level and indirectly the risk to product quality. Purchasing sub stances locally does not assure that the material
was manufactured locally or even in the same country '.Purchasers can take an active role in reducing this risk by establishing: Confident
Enhancement affects risk levels and
indirectly affects product quality. Purchasing materials locally does not guarantee that the materials were produced locally, or even in the country.
Traders can take an active role in reducing risk by establishing:
54 47
„ Origin of the material Material source
„ Integrity and compliance status of the original manufacturer

Integrity and compliance status of original producer
„ Distribution route of the material

Material distribution route
„ Integrity and compliance of the links in the distribution chain

Distribution chain integrity and compliance
„ Manner in which the material was shipped and handled until its receipt by the manufacturer
Transportation and disposal methods before material receipt
5.5 Quality Risk Management Application for Contract Services
5.5 Quality risk management applied to contract services
Contract services is a broad term that can refer to many different steps in the overall manufacturing process from raw material manufacturing laboratory testing contract
sterilization calibration /maintenance services packagingfinished dosage form or device manufacturing. The use of CMOs in some part of the drug manufacturing process
has become increasingly prevalent in recent years. With the increasing complexity of products and processes specialization is sometimes necessary as manufacturers
seek out specific skillstechnology experience or a means to reduce costs or improve efficiency. while the decision to use a contract supplier can be highly advantageous
the risk associated with the loss of direct control should be considered and controlled adequately through a risk-based lifecycle approach that emphasizes the need for
communication and clarity on roles and responsibilities. The selection process for a supplier and the qualification process of the supplier are key elements for
adequately controlling the associated risk. See Section 5.5.1Supplier Selection Initiation and Technology Transfer.
In production, contract services are applied to raw material production, laboratory inspection, contract sterilization, calibration/maintenance services, final product packaging, equipment
Prepare for production. The application of CMO in production processes has become more and more widespread in recent years. As product and process complexity increases, sometimes
Producers are required to find special skills, technologies, and experiences to reduce costs and improve efficiency. Although there are obvious advantages to using contract services, it should
This considers risks that cannot be directly controlled and emphasizes adequate risk control through communication and clear roles and responsibilities. supplier
The selection and confirmation are important factors in controlling related risks. See Section 5.5.1: Supplier Selection, Onboarding and Technology Transfer.
When a supplier is utilized by a sponsor company for any or all portion(s) of the activity which are undertaken within the product and process lifecycle it is critical to ensure that all parties
involvedparticipate in executing a comprehensive QRM strategy. The sponsor and supplier(s) should clearly define and apply QRM.
When a supplier is used by the sponsoring company to participate in part of the product and process life cycle, ensure that all parts have the same QRM
Strategy. Initiators and suppliers need to define and apply QRM.
Use of a supplier or a contract factory also follow a lifecycle concept(see Figure 5.5-1) which provides opportunities for the application of QRM at each stage as discussed
in the following sections.
The use of suppliers or contract factories needs to follow the life cycle concept (see Figure 5.5.1 below). This QRM provides opportunities for use at each step.
ÿ ÿ
Figure 5.5-' Lifecycle for Control of Contract Manufacturing Organizations
5.5.1 Supplier SelectionInitiation and Technology Transfer
5.5.1 Supplier selection, appointment and technology transfer
Selection of the supplier should be a systematic process that assesses the capabilities and experience of staff to support product quality.
To apply a risk-based approach to supplier selection the initial asessment should take into account at a minimum the following supplier attributes:
Supplier selection is a systematic process that requires the assessment of employee capabilities and experience to support product quality. will be based on risk management
The method should be applied to supplier selection, and the evaluation should at least consider the following aspects of the supplier:
„ Availability per critical selection parameters
feasibility
54 47
„ Physical facty and equipment including geographic proximity to sponsor

Physical facilities and equipment, including geographical proximity to sponsors
„ Quality System and inspection history

Quality System and Inspection History
„ Experience with process or similar complexity of process

Experience in craftsmanship or crafts of the same complexity
„ Applicability and transfer of previous regulatory commitments (e.g. post-marketing commitments)

Application and transfer of previous regulatory commitments (e.g. post-market commitments)
„ Initiation and technology transfer considerations including comparabty of product(s) between manufacturing sites. See Section 5.3 QRM Application
During Technology Transfer
Project initiation and technology transfer considerations, including comparison of production site products. For details, see 5.3 Quality Risk Management in Technology Transfer
„ Hazards from other manufacturing processes (eg cross contamination in a multi-product facility)Hazards from other manufacturing processes ( eg cross contamination in a multi-product facility)
such as cross-contamination in multi-product facilities)
„ Control of suppliers
Supplier control
„ Communication (linguistics considerations between all affected parties)

Communication (language considerations for each affected department)
The supplier 'sQuality System and how it encompasses QRM is of particular interest. Lack of open two-way communication between the supplier and the contract giver may
result in increased risks due to incomplete information and incorporation of feedbackon Quality Systemelements.
The most important thing to pay attention to is the supplier's quality system and the implementation of QRM. Lack of two-way communication between suppliers and contract givers may result in incorrect information.
Feedback from weighing and quality system factors leads to increased risk.
5.5.2 Routine Oversight of Supplier

5.5.2 Daily monitoring of suppliers
Many suppliers have a long-term relationship with the contract giver and this is also where QRM and the lifecycle approach should be applied. Oversight is a risk-reducing
activity and is directly linked to the actual risk posed. As the inputs to the risk assessment change (e.g. history of compliance change of deliverables)the control measure(s) may
also need to change.
Many suppliers have long-term relationships with contract givers and both QRM and lifecycle should be used. Monitoring is risk reduction
activities that are directly related to actual risks. Changes in risk assessment inputs (e.g. compliance history, material changes), controls
Needs to change accordingly.
The example in Table 5.5.2-1i11ustrates the concept of utilizing a more robust strategy and controls as the risk and complexity level of operations performed by a CMO
increase. It is not intended to define the exact strategy to be used during routine oversight of the CMO's operations. The exact method and controls to be used by the sponsor
company should be defined appropriately on a case-by-case basis based on the overall risk and complexity of the product process and relationship with the CMO(s).
As shown in Table 5.5.2-1, as the risks and complexity of CMO operations rise, the application of more durable policies and controls is required. Define CMO instructions
A precise monitoring strategy is not the intention. The sponsor's exact approach and controls should be determined by the total risk, complexity of the product process, and the CMO's
to specifically determine the relationship
Table 5.5.2-1 Example of QRM Application to Ensure Sufficient CMO Oversight 5.5.2-1 QRM is used to ensure
Examples of adequate CMO monitoringRisk /

Complexity Oversight Method (Controls)
Level
High In addition to medium and low risk controls, routine sponsor Person in Plant (PIP|, review b approval of
manufacturing Medium records prior to release.
In addition to low risk controls, periodic audits conducted by sponsor and increased testing frequency.
Low Use of shared quality metrics, key performance indicators

(KPIs), and reduced inspection frequency.
54 47
Detection method (control)

Risk/Complexity
high
On the basis of low and medium, arrange daily personnel in the factory to conduct batch record inspection and
release
mid On the basis of low level, increase periodic audits and increase the frequency of inspections
Lo
Use the shared quality matrix and key performance indicators KPI to reduce the frequency of inspections
In addition to the oversight methods noted in Table 5.5.2-1 the sponsor and CMO(s) should define in writing the routine methods and frequencies to be used to facilitate sufficient and
timely communications and exchange of required information and data to jointly manage and control the GMP operations.
In addition to what is shown in Table 5.5.2-1, sponsors and CMOs should clarify the method and frequency of daily monitoring and conduct adequate and timely communication.
Communication, exchange of required information and data to manage and control Gmp operations.
For examplea Quality Agreement can be used to define a schedule and participants roles to ensure exchange of data and documentation (such as change control records
deviations complaints adverse events CAPA). In some instances change control oversight for certain critical changes or deviations may require the sponsor's pre-approval (See
Section 5.4.3 Quality Agreements).
For example, a quality agreement can be used to define the day-to-day exchange of data and documentation (change logs, deviations, complaints, adverse events, CAPA).
Process and role. In some cases, significant changes and detection of deviations require sponsor approval (see 5.4.3 Quality Agreement)
5.5.3 Continual lmprovement
5.5.3 Continuous improvement
In line with ICH QI0 a contract giver should encourage continual improvement in the supplier's process The supplier's ability to continue improve feeds
into the QRM approach. Measurement
of KPIs or other quality metrics may be needed to manage and control this process. Systems that facilitate continual improvement include:
54 47
In sync with ICH Q10, contract givers should encourage suppliers to continuously improve their processes. The supplier's
ability to continuously improve is fed back into quality risk management. Measurement of KPIs or other quality matrices to
manage and control the process. Continuous
improvement of the system includes: Annual Product
Reviews / Product Quality Reviews
Management review of Quality System Trending /
monitoring of internal and
external factors that can affect product or process Monitoring and trending of internal and
external parameters „ Periodic trending of process data to
establish control levels and process capability „ Change control „ Deviations and investigations
„ CAPA effectiveness monitoring CAPA effective Performance monitoring
„ Process Analytical
Technology (PAT) improvement
opportunities
Online monitoring of technology improvement opportunities Review
of Key Performance Indicators (KPI) and irnprovement metrics KPI reporting
and improvement matrix „ Assessments
by external parties (regulators third party auditors) External assessments
(regulators, regulatory
authorities, third party)
5.5.4 Supplier Decommissioning
5.5.4 Supplier
Decommissioning When a product or process is to be retired QRM should be employed to develop a strategy to suitably
manage the proper steps to be taken to avoid impact to product quality supply and continuity. When
decomrnissioning/retiring a product or process from a facility it is important to first determine if the product or process
will be ceased all together (eg withdrawn from market) transferred to another facility. or have a new generation of
product or process implemented in lieu of the previous. Based on this, a suitable strategy can be deployed utilizing
knowledge management and QRM. When a product or
process is to be discontinued, quality risk management should be applied to arrange appropriate strategic steps to avoid
affecting product quality and ensure continued supply. When a product or process is discontinued from a facility, the first step
is to decide whether the product will be consolidated (i.e. withdrawn from the market), transferred to another facility, or replaced
by a new generation of product and process. Based on these, appropriate strategies can be arranged using knowledge
management and quality management risks.
For transfer of product or process to another facility see Section 5.3QRM Application During Tech-nology Transfer. When
transferring product or process to a new facility, refer to Section 5.3, Quality Risk Management of Technology Transfer.
The following are some key points to consider when developing a joint QRM strategy for retiring a product and/or transferring
from a CMO(s) organization:

„ Avoid a disruption in supply of a medically necessary product or material.

Avoid interruptions in the supply of medically necessary products or materials.
„ Communicate findings that could impact the quality or safety of previously distributed material or products (e.g.
records complaints failed validations).
Records of communications affecting the quality or safety of previously distributed materials or products (e.g., records, complaints, failed verifications)
„ Transfer key information to support product quality at the newfacility.
Key information to support product quality in new facilities
„ Re-execute specific qualification studies e.g. sterilization to meet annual revalidation requirements.
Perform special validation studies, such as sterilization required for annual revalidation
5.6 Knowledge Management 5.6
knowledge management
During the execution of risk assessment exercises .it is essential to obtain accurate data informed opinion and expert judgment to identify potential negative events evaluations.
Orderly logical comprehensive documentation and ready accessibility , failure modes, their probabilities, Severities and subsequent risk
to information benefits the decision and assessment processes. Generally the more information that is communicated to participants, the less likely they are to exhibit
overconfidence in making accurate decisions and judgments (8,27). The clear communication by documentary evidence and preservation of such information is imperative
to assist not only in accurate decision-making but also to record for future reference and other related risk assessment activities. Three important factors that
might influence the ability of experts to make reliable assessments on subject areas or issues with a high level of uncertainty are:
In the implementation of risk assessment practices, obtaining accurate data, opinions and expert evaluations are essential for identifying potential negative events.
The occurrence, failure mode, likelihood, severity and subsequent risk assessment are all very important. orderly logic detailed
Exhaust documentation and readily available information can be helpful in both decision-making and evaluation procedures. Provide more participants
information, the less likely they are to be overconfident in making decisions and judgments (8, 27). through written evidence and preservation of these letters
Clear communication of information is necessary not only to facilitate accurate decision-making but also for future reference and other relevant
risk assessment activities. Three important factors that may affect an expert's ability to make reliable assessments of a subject area or problem
The factors are:
Availability of a well-developed and established scientific theory for the area under study
The availability of well-established scientific theories in the field of study
Availability of precise measuring techniques in that area of study.
Precise measurement technology in the field of research
Availability of pre-specified procedures, criteria and guidelines for decision-making.
Availability of clear procedures, criteria and guidance for decision-making
To ensure expert opinion is of the highest caliber, data-based and as free from conjecture as possible the science and engineering information associated with the area of risk
assessment should be clearly documented. Equally important, all information regarding measurement certainty, accuracy and precision, togetherwith clearly communicated and
documented decision criteria should be achieved.
In order to ensure that the opinions of experts are the best, based on data and exhaustive conjectures, relevant science and technology in the field of risk assessment
Scientific and engineering information should be clearly documented. It is also important to achieve the relevant measurement certainty, accuracy and precision
nature, and clearly communicating and documenting decision-making criteria.
6.0Conclusions 6.0Conclusions
QRM is fast becoming an expectation in the pharmaceutical industry and justifiably so.
Patient protection is paramount and the ultimate goal of QRM. While risk management practices and risk-based decision-making are not novel
concepts doing so in a structured documented and practical manner is novel for the pharmaceutical industry. This represents a paradigm change
in behavior and approach used for proactively identifying and preventing risks as early in the lifecycle as possible. Implementation of
QRM is still a young field for the pharmaceutical industry and canbe established in many ways. The information presented in this report and the
cases studies provided in companion documents is based on practical experience and is not intended to be either all
inclusive or exclusive.
Quality risk management has quickly become popular in the pharmaceutical industry. Patient protection is paramount and application
The ultimate goal of QRM. Although the practice of risk management and risk-based decision-making are not entirely new concepts,
A structured, documented, and practical approach to risk management is new in the pharmaceutical world. This represents life
Changes in behavior and practices used to proactively identify and prevent risks as early as possible in the life cycle. The implementation of QRM is
This is still an immature area in the pharmaceutical industry and can be established in a number of ways. The information provided in this report,
The case studies provided in the relevant documents are based on practical experience and are not intended to be all-inclusive or exclusive.
Effective management of product quality risks and patient protection throughout the product fe- cycle including manufacturing operations requires
integration of QRM into the PQS and routine operations. QRM cannot be managed as a separate element or process of the Quality System, but
integration is not easy to accomplish. QRM requires a mindset shift building quality in as early as reasonably possible effective transition and
knowledge management between the different product lifecycle phases adequate resources and the entire organization's commitment to implement.
Additionally, therole of decision makers
and senior management in ensuring effective implementation of QRM cannot be overemphasized.
Effective quality risk management throughout the product life cycle including in production operations, in PQS as well as in daily operations
A complete QRM is required. QRM cannot only be used as an isolated element or process in the quality system. Integration is not easy.
Easy to do. QRM requires a change in mentality, introducing quality construction as early as possible, and different product life cycle stages
between sound and effective transition and knowledge management, adequate resources and commitment across the organization for execution. In addition, decision-making
The important role of managers and senior managers in ensuring the effective implementation of quality risk management cannot be overemphasized.
The broad practical range and flexibility in QRM application provided by ICH Q9 can become a double edged sword; that is, the utility and
benefits of QRM can be lost when activities are completed as "check the box" exercises(i.e. used to justify non-compliance with
regulatory expectations or as a substitute for science / data)or if outcomes from quality risk assessments cannot be acted upon in a timely
manner. The ultimate objective of allQRM activities must remain patient safety by producing safe efficacious and pure pharmaceutical products
The breadth and adaptability of practical application of QRM provided by ICH Q9 is a double-edged sword when the action is reduced to a "box-checking" exercise (e.g. used to demonstrate
does not meet regulatory expectations or is used as a substitute for science/data), or the results of the quality risk assessment cannot be acted upon in a timely manner, the effectiveness of quality risk management
Use and revenue may be lost. The ultimate goal of quality risk management must be to produce safe, effective and high-purity drugs to ensure patient safety.

Pda TR 54

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Pda TR 54

Uploaded by

Copyright:

Available Formats

Machine Translated by Google

PDA Technical Report No.54

Technical Report No. 54

Provided by Beijing Qilijia Consulting 1

the Pharmaceutical Quality System (PQS).

management is highlighted PDA Technical Report No.44).

Promote continuous improvements in process performance and product quality (1).

Per ICH Q9, "Risk management

of assessing, controlling, communicating, and reviewing risk."(2)

Implementation principles and tools are provided.

opportunities to be gained from the use of

Provided by Beijing Qilijia Consulting 3

Prioritize processes and realign resources more rationally.

are consistently delivered to every patient.

example of a maturity model for QRM.

The development and maturity process of quality risk management model.

Figure 1-1 An example of a complete quality risk management model

1.1Purpose and Scope

1.1 Purpose and Scope

practices of any one particular organization.

for QRM implementation.

2.0 Glossary of Terms

As used in this technical report:

As Low As Reasonably Practicable (ALARP)

As reasonably practicable (ALARP)

practicability refers to the ability to reduce risk regardless of cost. Economic

Provided by Beijing Qilijia Consulting 5

costly to produce. (ISO 14971)

Anyone’s Expectations (ISPE Guide to APIs, Second Edition, June 2007)

frequency of monitoring and control.(ICH Q10 )

Corrective ActionCorrective Action

Action to eliminate the cause of a detected non-conformity or other undesirable situation.

should therefore be controlled or monitored to ensure product quality, safety or efficacy.

Safety or efficiency should be controlled or monitored.

Critical Process Parameter (CPP)

Critical Process Parameters (CPP)

Control (ICH Q8[R2]).

Desired product quality (ICH Q8[R2]).

Event Tree Analysis (ETA)

Provided by Beijing Qilijia Consulting 7

Fault Tree Analysis (FTA)

The potential source of harm. (ISO/ IEC Guide51, ICH Q9)

A structured, systematic, and quantitative technique for work.

Intended Use/Intended Purpose

Systematic approach to acquiring, analyzing,storing, and disseminating information related to products,

Preliminary Hazard Analysis (PHA)

facility,product or system. (ICH Q9)

capability. (ICH Q9)

Guidance on Process Validation,January 2011)

January of the year).

evidence that a process is capable of consistently delivering quality products.

(FDA Guidance on Process Validation, January 2007)

Provided by Beijing Qilijia Consulting 9

Quality Risk Management (ORM):

Combination of probability and severity of harm (ISO/EC Guide 51)

The relationship between price risk and hazard factors.

A determination of acceptance or rejection of risk.

Provided by Beijing Qilijia Consulting 11

ICHQ10 based on ISO 9000:2005)

A statistical term that refers to the direction or rate of change in a variable.

3.1 When, Where , and How to Apply Quality Risk Management

3.1.1Quality Risk Management Application During Pharmaceutical Development

Quality risk management application in drug development stage