Figure 1: Overview of a typical quality risk management process
GENERAL QUALITY RISK MANAGEMENT PROCESS
Quality risk management is a systematic process for the assessment, control, communication and review of risks to the quality of the drug product across the product lifecycle. A model for quality risk management is outlined in the diagram (Figure 1). Other models could be used. The emphasis on each component of the framework might differ from case to case but a robust process will incorporate consideration of all the elements at a level of detail that is commensurate with the specific risk.
Decision nodes are not shown in the diagram above because decisions can occur at any point in the process. These decisions might be to return to the previous step and seek further information, to adjust the risk models or even to terminate the risk management process based upon information that supports such a decision. Note: “unacceptable” in the flowchart does not only refer to statutory, legislative, or regulatory requirements, but also indicates that the risk assessment process should be revisited.
Quality risk management activities are usually, but not always, undertaken by interdisciplinary teams. When teams are formed, they should include experts from the appropriate areas (e.g., quality unit, business development, engineering, regulatory affairs, production operations, sales and marketing, legal, statistics, and clinical) in addition to individuals who are knowledgeable about the quality risk management process.
Decision makers should
· take responsibility for coordinating quality risk management across various functions and departments of their organization and
· ensure that a quality risk management process is defined, deployed, and reviewed and that adequate resources are available.
Quality risk management should include systematic processes designed to coordinate, facilitate and improve science-based decision making with respect to risk. Possible steps used to initiate and plan a quality risk management process might include the following:
· Define the problem and/or risk question, including pertinent assumptions identifying the potential for risk
· Assemble background information and/or data on the potential hazard, harm or human health impact relevant to the risk assessment
· Identify a leader and critical resources
· Specify a timeline, deliverables, and appropriate level of decision making for the risk management process
Risk assessment consists of the identification of hazards and the analysis and evaluation of risks associated with exposure to those hazards (as defined below).
Quality risk assessments begin with a well-defined problem description or risk question. When the risk in question is well defined, an appropriate risk management tool (see examples in section 5) and the types of information that will address the risk question will be more readily identifiable. As an aid to clearly defining the risk(s) for risk assessment purposes, three fundamental questions are often helpful:
1. What might go wrong?
2. What is the likelihood (probability) it will go wrong?
3. What are the consequences (severity)?
Risk identification is a systematic use of information to identify hazards referring to the risk question or problem description. Information can include historical data, theoretical analysis, informed opinions, and the concerns of stakeholders. Risk identification addresses the “What might go wrong?” question, including identifying the possible consequences. This provides the basis for further steps in the quality risk management process.
Risk analysis is the estimation of the risk associated with the identified hazards. It is the qualitative or quantitative process of linking the likelihood of occurrence and severity of harms. In some risk management tools, the ability to detect the harm (detectability) also factors in the estimation of risk.
Risk evaluation compares the identified and analyzed risk against given risk criteria. Risk evaluations consider the strength of evidence for all three of the fundamental questions.
In doing an effective risk assessment, the robustness of the data set is important because it determines the quality of the output. Revealing assumptions and reasonable sources of uncertainty will enhance confidence in this output and/or help identify its limitations.
Uncertainty is due to a combination of incomplete knowledge about a process and its expected or unexpected variability. Typical sources of uncertainty include gaps in knowledge, gaps in pharmaceutical science and process understanding, sources of harm (e.g., failure modes of a process, sources of variability), and probability of detection of problems.
The output of a risk assessment is either a quantitative estimate of risk or a qualitative description of a range of risk. When risk is expressed quantitatively, a numerical probability is used. Alternatively, risk can be expressed using qualitative descriptors, such as “high,” “medium,” or “low,” which should be defined in as much detail as possible. Sometimes a risk score is used to further define descriptors in risk ranking.
In quantitative risk assessments, a risk estimate provides the likelihood of a specific consequence, given a set of risk-generating circumstances. Thus, quantitative risk estimation is useful for one particular consequence at a time. Alternatively, some risk management tools use a relative risk measure to combine multiple levels of severity and probability into an overall estimate of relative risk. The intermediate steps within a scoring process can sometimes employ quantitative risk estimation.
Risk control includes decision making to reduce and/or accept risks. The purpose of risk control is to reduce the risk to an acceptable level. The amount of effort used for risk control should be proportional to the significance of the risk. Decision makers might use different processes, including benefit-cost analysis, for understanding the optimal level of risk control.
Risk control might focus on the following questions:
· Is the risk above an acceptable level?
· What can be done to reduce or eliminate risks?
· What is the appropriate balance among benefits, risks and resources?
· Are new risks introduced as a result of the identified risks being controlled?
Risk reduction focuses on processes for mitigation or avoidance of quality risk when it exceeds a specified (acceptable) level (see Fig. 1). Risk reduction might include actions taken to mitigate the severity and probability of harm. Processes that improve the detectability of hazards and quality risks might also be used as part of a risk control strategy. The implementation of risk reduction measures can introduce new risks into the system or increase the significance of other existing risks. Hence, it might be appropriate to revisit the risk assessment to identify and evaluate any possible change in risk after implementing a risk reduction process.
Risk acceptance is a decision to accept risk. Risk acceptance can be a formal decision to accept the residual risk or it can be a passive decision in which residual risks are not specified. For some types of harms, even the best quality risk management practices might not entirely eliminate risk. In these circumstances, it might be agreed that an appropriate quality risk management strategy has been applied and that quality risk is reduced to a specified (acceptable) level. This (specified) acceptable level will depend on many parameters and should be decided on a case-by-case basis.
Risk communication is the sharing of information about risk and risk management between the decision makers and others. Parties can communicate at any stage of the risk management process (see Fig. 1: dashed arrows). The output/result of the quality risk management process should be appropriately communicated and documented (see Fig. 1: solid arrows).
Communications might include those among interested parties (e.g., regulators and industry; industry and the patient; within a company, industry, or regulatory authority). The included information might relate to the existence, nature, form, probability, severity, acceptability, control, treatment, detectability, or other aspects of risks to quality. Communication need not be carried out for each and every risk acceptance. Between the industry and regulatory authorities, communication concerning quality risk management decisions might be effected through existing channels as specified in regulations and guidances.
Risk management should be an ongoing part of the quality management process. A mechanism to review or monitor events should be implemented.
The output/results of the risk management process should be reviewed to take into account new knowledge and experience. Once a quality risk management process has been initiated, that process should continue to be utilized for events that might impact the original quality risk management decision, whether these events are planned (e.g., results of product review, inspections, audits, change control) or unplanned (e.g., root cause from failure investigations, recall). The frequency of any review should be based upon the level of risk. Risk review might include reconsideration of risk acceptance decisions.
[Source: Guidance for Industry; Q9 Quality Risk Management
U.S. Department of Health and Human Services
Food and Drug Administration
Center for Drug Evaluation and Research (CDER)
Center for Biologics Evaluation and Research (CBER)
June 2006
ICH]