Quality Risk Management (QRM) is the formal process where we identify, evaluate, and mitigate risks that are encountered when we manufacture and distribute medicines. We do this using ICHQ9, which is the industry standard for QRM, and it was first introduced back in November 2005. The latest revision – ICHQ9(R1), was adopted just last month and this addressed several deficiencies in the original text which are covered in this article.
A good Quality Risk Management process will identify all possible risks associated with the product or the manufacturing process being assessed. This should be systemic and designed in such a way as to utilize science-based decision-making with respect to risk. Typically, there will be a procedure or SOP that describes how we determine the need for risk assessments and how to decide the level of formality and type of assessment to be used.
This will be broken down into 3 main steps:
- Risk Identification: determining what the risks are and the scope of the risk assessment.
- Risk Analysis: quantifying the level or severity of the risks.
- Risk Evaluation: determining whether to accept risks or whether risk mitigation activities must occur.
Firstly, you must tabulate all the risks, i.e., create a full list of what could go wrong in a process. This can be based on a process flow with one or more potential failure modes for each step and the risks should be tabulated to allow for further analysis. Each risk is then assessed to give a qualitative or quantitative measure of the severity, likelihood of occurrence and detectability of the failure mode. In classic FMEA this is known as SOD scoring (Severity x Occurrence x Detectability). Typically, each of these three measures will have different levels ‘High’, ‘Medium’ and ‘Low’’, if a qualitative scoring method is used. Or the procedure can utilise a quantitative ranking, such as a numerical scale (typically either 1 to 6 or 1 to 10).
One of the key things to bear in mind is to avoid subjectivity and bias when describing and scoring these risks.
We should be careful not to score severity as “low” or to assign a low numeric score just because there are downstream detectability controls in place. Yes, the detectability will affect the overall SOD score, but the severity might still be high if the failure mode is something that could harm a patient.
Another pitfall we must avoid is to be unscientific in how we score, we could have a team member assess a severity, and possibly an entire risk as “low risk”, because they have never observed the failure mode. However this just means that Occurrence (or frequency that we see the failure mode) is low. The severity of the risk however, is still high if the failure could harm a patient and the detectability score may also be high if there are no mechanisms in place to detect the failure should it occur. In this scenario the overall risk is high.
The next step is Risk Control, where we must evaluate each risk across the organisation and decide to either accept the risks or take steps to mitigate against them. Again, here we must be careful not to cherry pick the risks we want to mitigate. If our process is systematic then the procedure will drive a requirement to mitigate if a certain overall SOD score is exceeded or depending on the final category (High or Medium and High) if using a qualitative score.
Finally, there should be as part of the process mechanisms for risk communication and risk review. If the risk assessment determines several high risks that must be mitigated, they should be communicated effectively to all key stakeholders. These stakeholders may be unaware of the risks and could have valuable input as well as a requirement to implement interim controls to ensure that the risks are properly controlled straight away. The risks should also be periodically reassessed to ensure that the risk mitigation activities have been effective and to ensure that no new risks have been introduced due to changes to the equipment, process or personnel.
The use of a risk-based decision making in pharmaceutical operations and quality assurance provides a consistent and scientific basis for ensuring patient safety and is a key tool that drives continuous improvement and supports our organisations to meet goals and achieve regulatory compliance.
If you need assistance with Quality Risk Management processes or with preparing individual Risk Assessments to ensure your company meets all regulatory expectations, then please feel free to reach out and one of our experts will be ready to assist.
Contact us via our LinkedIn page, website or feel free to give us a call.