
Manual – 028 Risk Management in the Quality Assurance and Compliance Area

1. Purpose

The purpose of this document is to give guidance on a process for risk identification, assessment, control and review within the area of GxP regulated quality and compliance.

2. Scope and Applicability

This Guideline describes a framework for quality risk management and the responsibilities for ensuring that risks to quality and compliance are understood and managed appropriately. It does not describe specific risk management methodologies.

This Guideline is applicable to any sites, functions and departments undertaking work, projects or providing support services, required to meet GxP throughout the life of a drug, from candidate drug acceptance until withdrawal of the marketed product.

This includes new indications and line extensions.

The International Conference on Harmonization (ICH) guideline “Q9 Quality Risk Management” forms the basis of this document. It is compatible with the Integrated Risk Management Framework and supports risk management within the Project Management Framework.

The Quality Risk Management framework is also applicable to computerized systems.

3. Definitions

* Harm – damage to health, including the damage that can occur from loss of product quality or availability.

* Hazard – the potential source of harm.

* Quality risk management – a systematic process for the assessment, control, communication and review of risks to the quality of the drug (medicinal) product across the product lifecycle.

* Risk – combination of the probability of occurrence of harm and the severity of that harm.

* Risk assessment – a systematic process of organizing information to support a risk decision to be made within a risk management process. It consists of the identification of hazards and the analysis and evaluation of the risks associated with exposure to those hazards.

* Risk control – actions implementing risk management decisions.

* Risk review – review or monitoring of the output/results of the risk management process considering (if appropriate) new knowledge and experience about the risk.

* Uncertainty – the inability to determine, or the ambiguity in, the true state of a system caused by a combination of variability and incomplete knowledge.

4. Responsibilities

Heads of Function, Process and System Owners and Project Leaders are responsible for ensuring that risks to quality and compliance are considered, understood and managed to an appropriate level within their organization, project or area. They must ensure that a suitable Quality Risk Management process is implemented and that appropriate resources with the necessary competence are involved. They must also ensure the involvement of all stakeholders.

The approach to managing quality risks should be as simple as possible commensurate with the level of risk.

Quality Risk Management activities may be undertaken by teams dedicated to the task. These teams will vary in size dependent on the issue being addressed but should include experts from the appropriate areas involved and stakeholder representation. They should also include an individual who is knowledgeable of the quality risk management process and has the necessary competence to apply any specific tools used.

Heads of Function, Process and System Owners and Project Leaders are responsible for ensuring that there is a process for reviewing and approving documented quality risk assessments and that appropriate records are retained.

Risk assessments relating to compliance issues will always require approval by Quality Assurance (QA). For development activities, QA may be involved in the approval process and this will be assessed on a case-by-case basis.

5. Guideline

5.1 The Quality Risk Management Process

Quality Risk Management is an integral part of the quality assurance and control system. A systematic approach to quality risk management is required.

Quality Risk Management involves the art and science of identifying, analysing, assessing and managing uncertain events that can impact product quality or compliance with the registered dossier throughout the life of a product. It requires a balanced approach, weighing the costs of avoiding threats or enhancing opportunities and the benefits to quality that can be gained. It supports more effective and consistent risk-based decisions and makes the decision-making process more transparent.

The generic framework for quality risk management accepted by ICH is shown in Figure 1 and is followed in the subsequent text. The framework is supported by tools that can facilitate the identification and assessment of quality risks.

The elements of the generic framework must be visible in any quality risk management process but need not be formalized.

Figure 1 Generic Framework for Quality Risk Management Process


5.2 Formal and Informal Quality Risk Management

The risks associated with processes, systems and projects that have the potential to impact product, safety, efficacy, quality or compliance must be managed effectively.

However, the level of effort, formality and documentation associated with managing those risks should be appropriate to the level of risk to quality and be based on scientific knowledge. It is neither appropriate nor necessary to carry out formalized risk assessments for all quality risk decisions. Three broad areas can be defined that can help make an informed decision:

Quality and Compliance decisions made within a framework of defined rules (Yes/No decisions) will not normally require any consideration of risk. (But note that establishing the decision rules may need an evaluation of the associated risks).

Decisions on Quality and Compliance that require judgment, but where there is sufficient knowledge to answer the following questions:

* What might go wrong?

* What is the likelihood that it will go wrong?

* What is the consequence if it does go wrong?

* Will it be detected?

Risk management is limited to evaluating the options and recording the decision made, together with any assumptions and actions to be taken.

When there is insufficient information to answer the above questions, then formal assessment of the risks to Quality and Compliance is required before any decisions are taken. This should be fully documented.

Appendix 1 summarizes the decision process diagrammatically. The use of quality risk management can facilitate but does not replace the obligation to comply with regulatory requirements and does not replace appropriate communications between industry and regulators.

5.3 Implementing the Quality Risk Management Process

Functions and projects must implement a quality risk management process as a logical and systematic method for understanding, identifying, assessing, managing and communicating the risks to the quality of the drug product across relevant parts of the product lifecycle.

The generic elements of the quality risk management process defined by Q9 are described in sections 5.3.1 to 5.3.5.

5.3.1 Initiate Quality Risk Management Process

Risks are multi-dimensional and a shared understanding is a prerequisite for the success of any risk management process. The initiation phase of the process establishes that understanding by defining and agreeing the context, the scope and the tolerability criteria for the quality risk assessment, together with any underlying assumptions. It should involve all the stakeholders. All the relevant information is assembled and shared, any gaps are identified and analysis tools are selected.

The scope of the quality risk assessment must be clearly defined both in business and technical terms.

The scope should clearly establish the boundaries of the process, system, project or activity being assessed and any inherent assumptions that are made. It should consider possible interactions outside the boundary and their potential impacts.

The risk assessment process evaluates the tolerability of the identified risks against some defined criteria to determine whether any mitigating actions are required.

The criteria that are used for determining the tolerability of the quality risks being considered must be agreed by the stakeholders and documented prior to identifying and assessing the risks.

A common approach to establishing criteria is to divide risks into five categories:

* A very high risk band where adverse risks are intolerable whatever benefits the activity might bring and risk reduction measures are essential, whatever the cost.

* A high risk band where the risk would not be generally acceptable unless there were very significant benefits and where reduction measures are expected as the norm.

* A medium risk band or grey area where costs and benefits are taken into account and opportunities are balanced against potential adverse consequences.

* A low risk band where positive or negative risks are small and where potential benefits can only be justified at minimum cost.

* A very low risk band where positive or negative risks are negligible or so small that no risk treatment measures are necessary.

The likelihood and consequence components may be defined quantitatively, e.g. a likelihood of an event of 1/100 years could be a medium value. It is also common, and often more useful, to use word models, e.g. an event never experienced in the industry could describe a low likelihood.

5.3.2 Risk Assessment

Risk assessment is the process of identifying the hazards and evaluating the potential consequences of those hazards. It is critically dependent on the people with the right knowledge being involved.

The assessment process must address the following questions:

* What might go wrong?

* What is the likelihood (probability) it will go wrong?

* What are the consequences for product quality?

* Will the failure be detected? How?

The risk assessment process must also seek to identify opportunities to do things better. The decision to accept an opportunity is generally based on an analysis of the costs and benefits. There are many tools and techniques that can be used to help identify hazards and assess the risks. No single tool or technique will meet all requirements.

5.3.3 Risk Control

Risk control describes the actions taken to deal with the identified quality risks and the acceptance of any residual quality risks. Risk control must address the following questions:

* Is the risk acceptable without further action?

* What can be done to reduce, control or eliminate risks?

* What is the appropriate balance among benefits, risks and resources?

* Are new risks introduced as a result of the identified risks being controlled?

Risks are controlled by eliminating the hazard, reducing the consequences or reducing the likelihood of occurrence (or by some combination of these). Quality risk controls must be documented.

The acceptability of residual risks must be determined by making informed decisions on the criticality of the parameters involved. The acceptable level of risk is not an absolute but will depend upon, amongst other things, the potential benefit to be gained by accepting the risk weighed against the possible harm.

5.3.4 Output/Results of Quality Risk Management Process

The results of the quality risk management process must be communicated to the relevant stakeholders, including management and those operating the process or system who may be affected by those results. This requires that each step of the risk management process be documented at an appropriate level. The purpose of the output from the risk management process is:

* To share and communicate information about the risks and how they are controlled.

* To obtain the appropriate approval of the decisions taken.

* To demonstrate to stakeholders that there has been a properly conducted systematic approach.

* To provide a record of the risks that enables decisions to be reviewed and the process to be audited.

* To facilitate ongoing monitoring and review and to sustain the process.

The output from the risk assessment must specify a risk owner, i.e. a person responsible for ensuring that any actions are implemented and that the risks are managed.

5.3.5 Risk Review

Quality risk management is an iterative process that must be sustained throughout the life cycle of the product, from candidate drug acceptance until withdrawal of the product from the market. A risk assessment only documents the current situation. The nature of quality risks may change with time. Improved knowledge may result in a different view of the risks and may lead to a challenge of the original assumptions.

There must be on-going review at each stage of the risk management process, checking data, assumptions and understanding. Risks must be monitored and tracked. A process must be in place to assess the impact to quality risk if changes or deviations occur.

6. Appendix 1: Understanding the Level of Formality
