Standard Operating Procedure (SOP) & Guideline for Quality Risk Management (QRM) i.e. risk identification, analysis, evaluation, reduction/ mitigation, communication and conclusion of risk in order to ensure the quality, safety, integrity and purity (SISPQ) of the drug product.
Quality Risk Management (QRM)
1.0 Objective :
- To lay down the procedure for risk identification, analysis, evaluation, reduction/ mitigation, communication and conclusion of risk in order to ensure the quality, safety, integrity and purity of the drug product.
2.0 Scope :
- This guideline is applicable to identify the quality risks involved in any process, equipment, facilities and system.
|Quality Risk Management (QRM) Team||:||Identifying all perceived failures with respect to process, equipment, facilities and system.|
|:||Preparation of action plan in case of higher RPN and communication to Head – QA, department Head.|
|Officer – QA||:||Responsible for assigning Risk Assessment Document No.|
|Technical staff/ Officer/ Executive/ Manager – All departments||:||Responsible for identification of risk and communication of risk to Quality Risk Management (QRM) team.|
|Head – QA||:||Formation of Quality Risk Management Team and team leader.|
|:||Responsible for approval of documents after analysis and conclusion.|
|:||Responsible for effective implementation of this SOP.|
4.0 Procedure: Quality Risk Management (QRM) :
- Failure Mode, Effects and Criticality Analysis (FMECA):
- A systematic method of identifying and preventing product and process problems.
- Critical Quality Attribute (CQA):
- A physical, chemical, biological or microbiological property or characteristic that should be within an appropriate limit, range, or distribution to ensure the desired product quality.
- Quality Critical Process Parameter:
- A process parameter which could have an impact on the critical quality attribute.
- Failure Mode:
- Different ways that a process or sub-process can fail to provide the anticipated result.
- Probability of negative events within a fixed time frame.
Quality Risk Management (QRM):
- A systematic process for the assessment, control, communication, and review of risks to the quality of the pharmaceutical product across the product life-cycle.
- Risk: Combination of the probability of occurrence of harm and severity of the harm.
- Risk Analysis:
- The estimation of the risk associated with the identified hazards.
- Risk Assessment:
- A systematic process of organizing information to support a risk decision to be made within a risk management process.
- It consists of the identification of hazards and the evaluation of risk associated with exposure to those hazards.
- Risk Control:
- The sharing of information about risk and risk management between the decision maker and other stakeholders.
- Risk Evaluation:
- The comparison of the estimated risk to given risk criteria using a quantitative or qualitative scale to determine the significance of the risk.
- Risk Identification:
- The systematic use of information to identify potential sources of harm (hazards) referring to the risk question or problem description.
Risk Priority Number (RPN):
- A numeric assessment of risk assigned to a process, or steps in a process, as part of failure mode effects and criticality analysis (FMECA).
- Each failure mode gets a numeric score that quantifies likelihood of occurrence, likelihood of detection and severity of impact.
- The product of these three scores is the RPN for that failure mode.
RPN = severity rating × occurrence rating × detection rating.
- Risk Review:
- Review or monitoring of output or results of the risk management process considering (if appropriate) new knowledge and experience about the risk.
- The means of detection of the failure mode by the maintainer, operator or built-in detection system, including the estimated dormancy period (if applicable); it is also sometimes termed effectiveness.
- It is a numerical subjective estimate of the effectiveness of the controls to prevent or detect the cause or failure mode before the failure reaches the customer.
- The assumption is that the cause has occurred.
- A measure of the possible consequences of a hazard.
- Remarks / mitigation / actions:
- Additional info, including the proposed mitigation or actions used to lower a risk or justify a risk level or scenario.
Principles of Quality Risk Management (QRM):
- The two primary principles of Quality Risk Management (QRM) are that:
- The evaluation of the risk to quality should be based on scientific knowledge and ultimately linked to the protection of the patient; and
- The level of effort, formality and documentation of the Quality Risk Management (QRM) process should be commensurate with the level of risk.
- A typical quality risk management process is given below.
Quality risk management (QRM) process:
- Initiating a Quality Risk Management (QRM) process:
- Quality Risk Management (QRM) activities shall include systematic processes designed to coordinate, facilitate and improve science-based decision-making with respect to risk.
- The possible steps to be taken in initiating and planning a Quality Risk Management (QRM) process might include the following:
- Define the problem and/or risk question, including pertinent assumptions identifying the potential for risk;
- Assemble background information and/or data on the potential hazard, harm or human health impact relevant to the risk assessment;
- Identify a leader and the necessary resources;
- Specify a timeline, the deliverables, and an appropriate level of decision-making for the risk management process.
- In case of Major and Critical risk, a CAPA shall be logged within 3 days and closure of the same shall be done within 30 days.
- If the CAPA for the risk demands investment, it shall be closed within 6 months of CAPA logging.
- Output/result of the formal risk assessment process shall be communicated to concerned department through risk assessment report, for implementation of action recommended.
- Risk review shall be done after the recommended action taken.
Quality Risk Management (QRM) principles – the primary principles of the Quality Risk Management (QRM) process are:
- The evaluation of the risk to quality should be based on scientific knowledge and ultimately linked to the protection of the patient; and
- The level of effort, formality and documentation of the Quality Risk Assessment (QRA) process should be commensurate with the level of risk.
Personnel involved in Quality Risk Management (QRM)
- The Head QA shall form a Quality Risk Management (QRM) Team comprising a team leader.
- Head QA should ensure that the personnel involved in the Quality Risk Management (QRM) team have appropriate product-specific knowledge and include subject matter experts from QA, QC, Production, Engineering & Stores etc.
- The personnel appointed should be able to:
- Conduct a risk analysis.
- Identify and analyse potential risks.
- Evaluate risks and determine which ones should be controlled and which ones can be accepted.
- Recommend and implement adequate risk control measures.
- Devise procedures for risk review, monitoring and verification.
- Consider the impact of risk findings on related or similar products and/or processes.
Risk Assessment :
- Risk assessment consists of the identification of hazards and the analysis and evaluation of risks associated with exposure to those hazards.
- The steps include risk identification, risk analysis and risk evaluation.
- As an aid to clearly defining the risk(s) for risk assessment purposes, four fundamental questions shall be addressed –
- What might go wrong?
- The nature of possible risks?
- The probability of their occurrence and how easy is it to detect them?
- What are the consequences (the severity)?
- Risk identification is a systematic use of information to identify hazards referring to the risk question or problem description.
- Information shall include historical data, theoretical analysis, informed opinions, and the concerns of stakeholders.
- Risk identification addresses the “What will go wrong?” question, including identifying the possible consequences.
- Risk analysis is the estimation of the risk associated with the identified hazards.
- Risk evaluation compares the identified and analyzed risk against given risk criteria.
- A quantitative process will be used to assign the severity, probability and detectability of a risk.
- Severity is defined as a measure of the possible consequences of a hazard.
- Assess the severity of the effect of failure on the product or process.
- The severity criteria are given below.
|1||Irrelevant||No impact on patient safety|
|3||Important||Noticeable impact to product quality|
|5||Disastrous||Batch failure, birth defect, can cause death or severe disabilities to the patient|
- Identify the possible causes of each failure mode.
- Quantify the probability of occurrence of each of the causes of a failure mode.
- The probability of occurrence evaluates the frequency that potential risk will occur for a given system or situation.
- The probability score, rated against the probability that the effect occurs as a result of a failure mode, is given below.
|1||An unlikely probability of occurrence||Failure has never been seen but it is theoretically possible|
|3||An occasional probability of occurrence||Failure potential has been noted. If procedures are followed the failure potential is minimal|
|5||A high probability of occurrence||Failure potential has been noted. An active non-standard feedback control loop may be required|
- Identify all existing controls (current controls) that contribute to the prevention of the occurrence of each of the causes of a failure mode.
- Determine the ability of each of listed controls in preventing or detecting the failure mode or its cause. Assign a ranking score to indicate the detection effectiveness of each control.
- The ability to discover or determine the existence, presence or fact of a hazard.
- The detectability score, rated against the ability to detect the effect of the failure mode or the ability to detect the failure mode itself, is given below.
Calculation of Risk Priority Number (RPN):
- The composite risk for each unit operation step is the product of its three individual component ratings: severity, probability and detectability.
- This composite risk is called the risk priority number (RPN).
RPN = Severity (S) × Probability (P) × Detection (D)
|1 – 25||Minor|
- Identify actions to address perceived failure modes that have a high RPN.
- If the calculated RPN rating is greater than 25, that particular failure is not acceptable, and necessary controls and procedures shall be implemented, based on the area, to reduce the severity of risk.
- The procedure and control shall be defined based on the outcome of risk assessment evaluation by respective Risk assessment team.
- If the risk priority number obtained is higher than 75, formal risk assessment shall be done (Refer to Annexure-I).
- If the risk index is between 26 and 75, formal risk assessment shall be considered if there is low or no detectability.
- In case the risk priority number is lower than 25, no further formal risk assessment shall be required.
- Risk control includes decision making to reduce and/or accept risks.
- The purpose of risk control is to reduce the risk to an acceptable level.
- The amount of effort used for risk control shall be proportional to the significance of the risk.
- During risk control activities the following key questions should be asked:
- What can be done to reduce or eliminate risks?
- What is the appropriate balance between benefits, risks and resources?
- Are new risks introduced as a result of the identified risks being controlled?
- Risk control can include:
- Not proceeding with the risky activity;
- Taking the risk;
- Removing the risk source;
- Changing the likelihood of the risk;
- Changing the consequences of the risk;
- Sharing the risk with another party (e.g. Contractor);
- Retaining the risk by informed decision.
- Risk reduction will focus on processes for mitigation or avoidance of quality risk when it exceeds an acceptable level.
- Risk reduction will include actions taken to mitigate the severity and probability of harm.
- Processes that improve the detectability of hazards and quality risks will also be used as part of a risk control strategy.
- Risk reduction measures may introduce new risk into the system or increase existing risk.
- Therefore, it shall be a continuous process to evaluate any possible change in risk.
- Risk acceptance is a decision to accept risk.
- Risk acceptance shall be a formal decision to accept the residual risk.
- Where it will not be possible to entirely eliminate risk, it will be ensured that an optimal quality risk management strategy is applied and that quality risk is reduced to an acceptable level.
- This acceptable level will depend on many parameters and shall be decided on a case-by-case basis.
- After assessment of the risk, the same shall be concluded and communicated to the concerned department head/designee.
- Communication might include those among interested parties, e.g. regulators and industry, industry and the patient, within a company, industry or regulatory authority.
- The information communicated relates to the existence, nature, form, probability, severity, acceptability, control, treatment, detectability or other aspects of risk to quality.
- Communication need not be carried out for each and every risk acceptance.
- The output/results of the risk management process shall be reviewed to take into account new knowledge and experience.
- Once a quality risk management process has been initiated, that process shall continue to be utilized for events that will impact the original quality risk management decision whether these are planned (e.g., results of annual product review, inspections, audits, change control) or unplanned (e.g., root cause from failure investigations, recall).
- Risk management shall be an ongoing quality management process and a mechanism to perform periodic review of events shall be implemented.
- The frequency of the review shall be based upon the level of risk.
- Risk review will include reconsideration of risk acceptance decisions.
Verification of Quality Risk Management (QRM) process and methodologies
- The established Quality Risk Management (QRM) process and methodologies need to be verified.
- Verification and auditing methods, procedures and tests, including random sampling and analysis, can be used to determine whether the QRM process is working appropriately.
- The frequency of verification should be sufficient to confirm the proper functioning of the QRM process. Verification activities include:
- Review of the Quality Risk Management (QRM) process and its records;
- Review of deviations and product dispositions (management control);
- Confirmation that identified risks are being kept under control.
- Initial verification of the planned Quality Risk Management (QRM) activities is necessary to determine whether they are scientifically and technically sound, that all risks have been identified and that, if the Quality Risk Management (QRM) activities are properly completed, the risks will be effectively controlled.
Mitigation Plan/Risk reduction
- Identify the current control measure available for the identified risk. If the risks are not accepted, propose the mitigation/control measure to reduce the risk to an acceptable level.
- Risk reduction focuses on processes for mitigation or avoidance of quality risk when the risk exceeds an acceptable level.
- Risk reduction includes:
- Action taken to mitigate the severity and probability of risk;
- Processes or methods that improve the ability to detect risk.
- Implementation of risk reduction measures may introduce new risks into the system or increase the significance of other existing risks.
Risk Management Methods and Tools
- The tool which is used for risk management is Failure Mode, Effects and Criticality Analysis (FMECA)/Risk Assessment.
- FMECA is a systematic method of identifying and preventing product and process problems before they occur.
- List all perceived failure modes for each item (product component or process step) under the “failure mode” column in Annexure–I.
- Identify all potential failure modes associated with the product component or process step.
- Describe the effects of each of listed failure modes and assess the severity of each of these effects on the product or process.
- Head QA shall form the Quality Risk Management (QRM) team, comprising a team leader and subject matter experts from the concerned departments.
- Quality Risk Management (QRM) activities which are triggered from a deviation, change control or any QMS activity shall be assessed as per the attached Annexure-VII (Risk assessment for the quality events), which shall be issued along with the quality events.
- A formal risk assessment shall be prepared as above on Annexure–I, and a copy of the same shall be enclosed along with that document.
- All employees working in the area can identify the risk and shall communicate to Quality Risk Management (QRM) team on Annexure-II.
- Quality Risk Management (QRM) team shall evaluate and analyze the risk.
- List all the perceived failure modes for each item, process, product, equipment etc. under the failure mode.
- Describe the potential effect of each of listed failure modes and assess the severity of each of these effects on the product or process.
- Assign the quantitative value of severity to potential effect of each failure.
- List the potential causes of failure.
- Assign the quantitative value of probability of each failure.
- List the current control measures of failure.
- Assign the quantitative value of detectability to each failure.
- Calculate the RPN No. and assign the category.
- If the risks are not accepted then Quality Risk Management (QRM) team shall assign the new control measures for the unaccepted risks, along with responsibility and target date of completion of action.
- After assigning new control, Quality Risk Management (QRM) team shall again do the risk analysis using above process, shall calculate the RPN No. and assign category.
- After compilation of the Quality Risk Management (QRM), QRM team leader shall review the Quality risk management and after review shall forward the QRM to Head QA for approval.
- The accepted risks and additional monitoring plan shall be communicated to concerned department on Annexure-V.
- The corrective and preventive actions, reference documents, abbreviations and relevant attachments associated with the particular risk shall be enclosed with the risk assessment documents.
- Training to concerned personnel shall be imparted upon analysis and evaluation of the risk management for the particular process / system / equipment / instrument.
- It shall be ensured that the recommended corrective and preventive actions for the identified risks are in place, before closing the particular Risk Management documents.
Quality Risk Management (QRM) integration with Key quality system elements
- A risk assessment initiated from any change control or deviation shall be treated as a standalone document, and a copy of the same shall be kept along with the respective change control or deviation.
- Examples of Quality Risk Management (QRM) in respect of operation and the areas covered for risk assessment are given below, but are not limited to:
|S. No.||Area of Operation||Area Covered|
|Integrated Quality Management||
|Quality Risk Management (QRM) as part of Regulatory Operations||
|Quality Risk Management (QRM) as part of development||
|Facilities, Equipment and Utilities – Quality Risk Management (QRM)||
|Quality Risk Management (QRM) as part of material management||
|As part of production Quality Risk Management (QRM)||
|Quality Risk Management (QRM) as part of Laboratory control and stability studies||
|Quality Risk Management as part of Container Closure System||
5.0 Reference :
- ICH-Q9: Quality Risk Management (QRM)
- TRS-923: Annex-2 WHO guidelines on Quality Risk Management (QRM)
- The Rules Governing Medicinal Products in the European Union: Volume 4, EU GMP Medicinal Products for Human and Veterinary Use. Chapter 9: Quality Risk Management
6.0 Glossary :
|FMECA||:||Failure Mode and Effect Criticality Analysis|
|RPN||:||Risk Priority Number|
|GMP||:||Good Manufacturing Practices|
|QRM||:||Quality Risk Management|
|TRS||:||Technical Report Series|
|ICH||:||International Conference on Harmonization|
|WHO||:||World Health Organization|
|SOP||:||Standard Operating Procedure|
7.0 Annexure :
Annexure – I : Failure Mode and Effect Criticality Analysis (Risk assessment)
|Risk Status as on perceived|
|Sr. No.||Process Function||Perceived Failure Mode||Severity||Probability||Detectability||RPN
Yes / No
|Potential Effect (Process/ End users or consequences)||
|Current control measures||
|Risk after corrective action|
|Recommended Action||Responsibility & Target date of completion||
S – Severity rating, P – Probability rating, D – Detection rating, RPN – Risk Priority Number
|QRM TEAM||REVIEWED BY||APPROVED BY|
Annexure – II : Identification and communication of risk
|Risk identified by:|
|Comments of QRM Team leader:|
Annexure – IV : FMECA Log
|Risk Assessment No.||Date of initiation||Issued to Dept.||Risk Related to||Risk Triggered from||Logged By||Ref. CC or Deviation No.||Status||Completion Date||
Annexure – V : Risk conclusion and communication
|FMECA Document no. :|
|Risk assessment conclusion:|
|Review the Risk:|
Annexure – VI : Process flow chart for risk assessment
Formation of QRM Team
Identification and communication of risk
Initiation risk assessment process
Risk reduction/ mitigation
Risk communication and conclusion
Annexure – VII : Risk assessment for the quality events.
Risk initiated by:
Subject of issue (√): Equipment/system/utility/product/procedure/facility/other
Source of issue: Deviation/Change control/market complain/CAPA/Recall/Others
|Risk assessment by QRM team (QRM team to be filled by Head –QA/Designee)|
|Risk assessment by FMECA (Tick the Appropriate)|
|Assessment of probability Detection (D)|
|5 (Low or no detectability)||3 (Likely to detect)||1 (High detectability)|
|Assessment of risk likelihood (Occurrence) (O)|
|5 (High)||3 (An occasional)||1 (Unlikely probability)|
|Assessment of risk severity (S)|
|RPN = D × O × S =||76–125 (Critical), 26–75 (Major), < 25 (Minor)|