by - OBJECTIVE
To lay down the procedure for risk identification, analysis, evaluation, reduction/ mitigation, communication and conclusion of risk in order to ensure the quality, safety, integrity and purity of the drug product.
2. SCOPE
This SOP is applicable to identify the quality risks involved in any process, equipment, facilities and system.
3. RESPONSIBILITY
| QRM Team | : | Identifying all perceived failures with respect to process, equipment, facilities and system. |
| : | Preparation of action plan in case of higher RPN and communication to Head – QA, department Head. | |
| Officer – QA | : | Responsible for assigning Risk Assessment Document No. |
| Technical staff/ Officer/ Executive/ Manager – All departments | : | Responsible for identification of risk and communication of risk to QRM team. |
| Head – Quality | : | Responsible for formation of Quality Risk Management Team and team leader. |
| : | Responsible for approval of documents after analysis and conclusion. | |
| : | Responsible for effective implementation of this SOP. |
- 4. ACCOUNTABILITY:
Head – Quality : For Compliance.
5. PROCEDUR
5.1 DEFINITION:
5.1.1 Failure Mode, Effects and Criticality Analysis (FMECA): A systematic method of identifying and preventing product and process problems.
5.1.2 Critical Quality Attribute (CQA): A physical, chemical, biological or microbiological property or characteristic that should be within an appropriate limit, range, or distribution to ensure the desired product quality.
5.1.3 Quality Critical Process Parameter: A process parameter which could have an impact on the critical quality attribute.
5.1.4 Failure Mode: Different ways that a process or sub-process can fail to provide the anticipated result.
5.1.5 Occurrence: Probability of negative events within a fixed time frame.
5.1.6 Quality Risk Management: A systematic process for the assessment, control communication, and review of risks to the quality of the pharmaceutical product across the product life-cycle.
5.1.7 Risk: Combination of the probability of occurrence of harm and severity of the harm.
5.1.8 Risk Analysis: The estimation of the risk associated with the identified hazards.
5.1.9 Risk Assessment: A systematic process of organizing information to support a risk decision to be made within a risk management process. It consists of the identification of hazards and the evaluation of risk associated with exposure to those hazards.
5.1.10 Risk Control: The sharing of information about risk and risk management between the decision maker and other stakeholders.
5.1.11 Risk Evaluation: The comparison of the estimated risk to given risk criteria using a quantitative or qualitative scale to determine the significance of the risk.
5.1.12 Risk Identification: The systematic use of information to identify potential sources of harm (hazards) referring to the risk question or problem description.
5.1.13 Risk Priority Number (RPN): A numeric assessment of risk assigned to a process, or steps in a process, as part of failure mode effects analysis (FMEA). Each failure mode gets a numeric score that quantifies likelihood of occurrence, likelihood of detection and severity of impact. The product of these three scores is the RPN for that failure mode.
RPN = severity rating × occurrence rating × detection rating.
5.1.14 Risk Review: Review or monitoring of output or results of the risk management process considering (if appropriate) new knowledge and experience about the risk.
5.1.15 Detection: The means of detection of the failure mode by maintainer, operator or built in detection system, including estimated dormancy period (if applicable) or it is also sometimes termed EFFECTIVENESS. It is a numerical subjective estimate of the effectiveness of the controls to prevent or detect the cause or failure mode before the failure reaches the customer. The assumption is that the cause has occurred.
5.1.15.1 Severity: A measure of the possible consequences of a hazard.
5.1.15.2 Remarks / mitigation / actions: Additional info, including the proposed mitigation or actions used to lower a risk or justify a risk level or scenario.
5.1.16 Principles:
5.1.16.1 The two primary principles of QRM are that:
5.1.16.2 The evaluation of the risk to quality should be based on scientific knowledge and ultimately linked to the protection of the patient
5.1.16.3 The level of effort, formality and documentation of the QRM process should be commensurate with the level of risk
5.2 Quality risk management process:
5.2.1 Initiating a QRM process:
QRM activities shall include systematic processes designed to coordinate, facilitate and improve science-based decision-making with respect to risk. The possible steps to be taken in initiating and planning a QRM process might include the following:
5.2.1.2 Define the problem and/or risk question, including pertinent assumptions identifying the potential for risk;
5.2.1.3 Assemble background information and/or data on the potential hazard, harm or human health impact relevant to the risk assessment;
5.2.1.4 Identify a leader and the necessary resources;
5.2.1.5 Specify a timeline, the deliverables, and an appropriate level of decision-making for the risk management process
5.2.2 Personnel involved in QRM
The Head QA shall form a QRM Team and team leader with the consultation of Head Quality, also should assure that personnel with appropriate product-specific knowledge and subject matter expert from QA, QC, Production, Engineering & Stores etc.
The personnel appointed should be able to:
5.2.2.1 Conduct a risk analysis.
5.2.2.2 Identify and analyze potential risks.
5.2.2.3 Evaluate risks and determine which ones should be controlled and which ones can be accepted.
5.2.2.4 Recommend and implement adequate risk control measures.
5.2.2.5 Devise procedures for risk review, monitoring and verification.
5.2.2.6 Consider the impact of risk findings on related or similar products and/or processes.
5.2.3 Risk assessment
5.2.3.1 Risk assessment consists of the identification of hazards and the analysis and evaluation of risks associated with exposure to those hazards. The steps include risk identification, risk analysis and risk evaluation. As an aid to clearly defining the risk(s) for risk assessment purposes, four fundamental questions shall be addressed –
What might go wrong?
What is the nature of possible risks?
What is the probability of their occurrence and how easy is it to detect them?
What are the consequences (the severity)?
5.2.3.2 Risk identification is a systematic use of information to identify hazards referring to the risk question or problem description. Information shall include historical data, theoretical analysis, informed opinions, and the concerns of stakeholders. Risk identification addresses the “What will go wrong?” question, including identifying the possible consequences.
5.2.3.3 Risk analysis is the estimation of the risk associated with the identified hazards.
5.2.3.4 Risk evaluation compares the identified and analyzed risk against given risk criteria. A quantitative process will be used to assign the severity, probability and detectability of a risk.
5.2.4 Severity:
Severity is defined as a measure of the possible consequences of a hazard. Severity assesses the effect of failure on the product or process. The effect of the severity criteria is given below.
| Value | Description | Criteria |
| 1 | Irrelevant | No impact on patient safety |
| 2 | Important | Noticeable impact to product quality |
| 3 | Disastrous | Batch failure, birth defect, can cause death or severe disabilities to the patient |
- Identify the possible causes of each failure mode.
- Quantify the probability of occurrence of each of the causes of a failure mode.
- 5.2.5 Probability/Occurrence
- The probability of occurrence evaluates the frequency that potential risk will occur for a given system or situation. The probability score is rated against the probability that the effect occurs as a result of a failure mode is given below
| Value | Description | Criteria |
| 1 | An unlikely probability of occurrence | Failure has never been seen but it is theoretically possible |
| 3 | An occasional probability of occurrence | Failure potential has been noted. If procedures are followed the failure potential is minimal |
| 5 | A high probability of occurrence | Failure potential has been noted. An active non-standard feedback control loop may be required |
- Identify all existing controls (current controls) that contribute to the prevention of the occurrence of each of the causes of a failure mode.
- Determine the ability of each of listed controls in preventing or detecting the failure mode or its cause. Assign a ranking score to indicate the detection effectiveness of each control.
- 5.2.6 Detectability (likelihood):
- The ability to discover or determine the existence, presence or fact of a hazard. The detectability score is rated against the ability to detect the effect of the failure mode or the ability to detect the failure mode .
- 5.2.7 Calculation of Risk Priority Number:The composite risk for each unit operation step is the product of its three individual component ratings: severity, probability and detectability. This composite risk is called as risk priority number (RPN).
RPN = Severity(S) x Probability (P) x Detection (D)
| Rating | Risk Priority |
| 1 – 25 | Minor |
| 26-75 | Major |
| 76-125 | Critical |
- Identify actions to address perceived failure modes that have a high RPN
- In case the calculated RPN rating is greater than 25 that particular failures are not acceptable and necessary controls and procedures shall be implemented based on the area to reduce the severity of risk. The procedure and control shall be defined based on the outcome of risk assessment evaluation by respective Risk assessment team.
- If RPN is up to 25, action plan is required based on review of risk assessment team and if require necessary controls shall be applied for appropriate area.
- 5.2.8 Risk control
- Risk control includes decision making to reduce and/or accept risks. The purpose of risk control is to reduce the risk to an acceptable level. The amount of effort used for risk control shall be proportional to the significance of the risk.
During risk control activities the following key questions should be asked:
- What can be done to reduce or eliminate risks?
- What is the appropriate balance between benefits, risks and resources?
- Are new risks introduced as a result of the identified risks being controlled?
- Risk control can include:
- Not proceeding with the risky activity;
- Taking the risk;
- Removing the risk source;
- Changing the likelihood of the risk;
- Changing the consequences of the risk;
- Sharing the risk with another party (e.g. Contractor);
- Retaining the risk by informed decision.
- Risk reduction will focus on processes for mitigation or avoidance of quality risk when it exceeds an acceptable level. Risk reduction will include actions taken to mitigate the severity and probability of harm. Processes that improve the detectability of hazards and quality risks will also be used as part of a risk control strategy. Risk reduction measures, may introduce new risk into the system or increase existing risk. Therefore it shall be continuous process to evaluate any possible change in risk.
- Risk acceptanceis a decision to accept risk. Risk acceptance shall be a formal decision to accept the residual risk. Wherever it will not be possible to entirely eliminate risk, in these circumstances, it will be ensured that optimal quality risk management strategy is applied and that quality risk is reduced to an acceptable level. This acceptable level will depend on many parameters and shall be decided on a case-by-case basis.
- 5.2.9. Risk review
- The output/results of the risk management process shall be reviewed to take into account new knowledge and experience.
- Once a quality risk management process has been initiated, that process shall continue to be utilized for events that will impact the original quality risk management decision whether these are planned (e.g., results of annual product review, inspections, audits, change control) or unplanned (e.g., root cause from failure investigations, recall).
- Risk management shall be an ongoing quality management process and a mechanism to perform periodic review of events shall be implemented. The frequency of the review shall be based upon the level of risk. Risk review will include reconsideration of risk acceptance decisions.
- 5.3 Verification of QRM process and methodologies
- The established QRM process and methodologies need to be verified. Verification and auditing methods, procedures and tests, including random sampling and analysis, can be used to determine whether the QRM process is working appropriately. The frequency of verification should be sufficient to confirm the proper functioning of the QRM process. Verification activities include:
- Review of the QRM process and its records;
- Review of deviations and product dispositions (management control);
- Confirmation that identified risks are being kept under control.
- Initial verification of the planned QRM activities is necessary to determine whether they are scientifically and technically sound, that all risks have been identified and that, if the QRM activities are properly completed, the risks will be effectively controlled.
- 5.4 Mitigation Plan/Risk reduction and communication
- Identify the current control measure available for the identified risk. If the risks are not accepted, the proposed mitigation/control measure to reduce the risk to an acceptable level.
- Risk reduction focuses on processes for mitigation or avoidance of quality risk when the risk exceeds an acceptable level. Risk reduction includes:
- Action taken to mitigate the severity and probability of risk:
- Processes or methods that improve the ability to detect risk implementation of risk reduction measures may introduce new risks into the systems or increases the significance of other existing risks
- After assessment of risk, it shall be concluded and communicated to concerned department head /designee.
- 5.5 Risk Management Methods and Tools
- The tool which is used for risk management is Failure Mode, Effects and Criticality Analysis (FMECA)/Risk Assessment. FMECA is a systematic method of identifying and preventing product and process problems before they occur.
- List all perceived failure modes for each item (product component or process step) under the “failure mode” column in Annexure–I.
- Identify all potential failure modes associated with the product component or process step. Describe the effects of each of listed failure modes and assess the severity of each of these effects on the product or process.
- 5.6 Documentation:
- Head QA with consultation of Head Quality shall form the QRM team leader and QRM team subject matter expert from their departments.
- The QRM team shall identify the risk and QRM which are triggered from deviation, change control or any QMS activity, shall be prepared and copy of same shall be enclosed along with that document.
- All employees working in the area can identify the risk and shall communicate to QRM team .
- QRM team shall evaluate and analyse the risk.
- List all the perceived failure modes for each item, process, product, equipment etc. Under the failure mode.
- Describe the potential effect of each of listed failure modes and assess the severity of each of these effects on the product or process.
- Assign the quantitative value of severity to potential effect of each failure.
- List the potential causes of failure.
- Assign the quantitative value of probability of each failure.
- List the current control measures of failure.
- Assign the quantitative value of detectability to each failure.
- Calculate the RPN No. and assign the category.
- If the risks are not accepted then QRM team shall assign the new control measures for the unaccepted risks, along with responsibility and target date of completion of action.
- After assigning new control, QRM team shall again do the risk analysis using above process, shall calculate the RPN No. and assign category.
- After compilation of the QRM, QRM team leader shall send the QRM to head operations or department head for review, Head QA shall finally approve the QRM.
- The accepted risks and additional monitoring plan shall be communicated to concerned department.
- The corrective and preventive actions, reference documents, abbreviations and relevant attachments associated with the particular risk shall be enclosed with the risk assessment documents.
- Training to concerned personnel shall be imparted upon analysis and evaluation of the risk management for the particular process / system / equipment / instrument.
- It shall be ensured that the recommended corrective and preventive actions for the identified risks are in place, before closing the particular Risk Management documents.
- The numbering pattern for Failure Mode and Effect Criticality Analysis (Risk assessment) is given below and shall be maintain by QA department.
QRM/DD/YY-NNN
Where –
QRM – Quality risk management followed by slash (/)
DD– department code followed by slash (/)
YY – Last two digit of current calendar year followed by dash (-)
NNN – Document no. starting from 001 in calendar year
- QRM which are triggered from deviation, change control or any QMS activity, shall be prepared on Annexure–I and copy of same shall be enclosed along with that document.
- 5.6.1 QRM integration with Key quality system elements
- If the risk assessment is initiated from any change control or deviations shall be treated as standalone documents, copy of the same shall be kept along with respective change control or deviations. Example of some QRM in respect of operation and covered area for risk assessment are given below but not limited to:
| S. No. | Area of Operation | Area Covered |
| 1. | Integrated Quality Management | DocumentationTraining & EducationQuality DefectsAuditing & InspectionsChange Management & CAPA |
| 2. | Facility Equipment & Utilities | Design & QualificationManufacturing CalibrationEnvironment ControlsEquipment CleaningPreventive MaintenancePLC Controlled equipment |
| 3. | Contract Services & Suppliers | Vendor EvaluationStarting MaterialsStorageContract Services |
| 4. | Product &Mfg. Process | Mfg. ProcessValidationsIn-Process sampling & TestingDeviation Change controlPacking Process & Labels ControlNew Product Introduction |
| 5. | Laboratory Controls | OOS RecordsStability (Retest Period & Shelf Life)Methods Transfer |
| 6. | Miscellaneous Activities | Activity which are not Covered by the Above |
- 5.6.2 QRM application in product manufacturing operations
- QRM methodology can support the following actions to assess and control quality risks:
| S. No. | Area of Operation | Area Covered |
| Production | Manufacturing process risks Validation In-process sampling and testing controls Production planning Deviation and investigation management Change management | |
| Laboratory control and stability studies | Out-of-specification results Retest period and expiry date Method transfers | |
| Packaging and labeling | Design of packages Selection of container-closure system Label controls | |
| Storage, transport and distribution | Cold chain |
6.0 TRAINING
Trainer : Head – Quality Assurance
Trainees: Staff of all the departments
7.0 DISTRIBUTION
Master Copy : Quality Assurance
Controlled Copy : Quality Assurance
- 8.0 ATTACHMENT
| Sr. No. | Annexure No. | Title | Format No. |
| 1 | NA | NA | NA |
9.0 REFERENCES
In-house
10.0 ABBREVIATION
| Abbreviation | Extended Form |
| EG | Engineering |
| SOP | Standard Operating Procedure |
| QA | Quality Assurance |
| WH | Warehouse |
| NA | Not Applicable |
| MB | Microbiology |
11.0 REVISION HISTORY OF CHANGE
| Sr. No. | Date | Revision Details | Revision No. |
| 1 | NA | New SOP | 00 |
