82
Quality risk management is a systematic process for the assessment, control, communication
83
and review of risks to the quality of the drug (medicinal) product across the product lifecycle.
84
A model for quality risk management is outlined in the diagram (Figure 1). Other models could
85
be used. The emphasis on each component of the framework might differ from case to case but
86
a robust process will incorporate consideration of all the elements at a level of detail that is
87
commensurate with the specific risk.
88
Figure 1: Overview of a typical quality risk management process
89
90
Decision nodes are not shown in the diagram above because decisions can occur at any point
91
in the process. These decisions might be to return to the previous step and seek further
92
information, to adjust the risk models or even to terminate the risk management process based
93
upon information that supports such a decision. Note: “unacceptable” in the flowchart does not
94
only refer to statutory, legislative or regulatory requirements, but also to the need to revisit the
95
risk assessment process.
96
4.1 Responsibilities 97
Quality risk management activities are usually, but not always, undertaken by interdisciplinary
98
teams. When teams are formed, they should include experts from the appropriate areas (e.g.,
99
quality unit, business development, engineering, regulatory affairs, production operations,
100
sales and marketing, supply chain, legal, statistics and clinical) in addition to individuals who
101
are knowledgeable about the quality risk management process.
102
Subjectivity can impact every stage of a quality risk management process, especially the
103
identification of hazards and estimates of their probabilities of occurrence, the estimation of
104
risk reduction and the effectiveness of decisions made from quality risk management activities.
105
Subjectivity can be introduced in quality risk management through differences in how risks are
106
assessed and in how hazards, harms and risks are perceived by different stakeholders.
107
Risk Assessment Initiate
Quality Risk Management Process
Hazard Identification Risk Analysis
Risk Evaluation
Risk Management tools
Risk Communication Risk Control
Risk Reduction
Output / Result of the Quality Risk Management Process
Risk Review
Risk Acceptance
unacceptable
Review Events
Subjectivity can also be introduced through the use of tools with poorly designed risk scoring
108
scales. While subjectivity cannot be completely eliminated from quality risk management
109
activities, it may be controlled by addressing bias, the proper use of quality risk management
110
tools and maximising the use of relevant data and sources of knowledge (see ICH Q10, Section
111
II.E.1).
112
All participants involved with quality risk management activities should acknowledge,
113
anticipate, and address the potential for subjectivity.
114
Decision makers should
115
• take responsibility for coordinating quality risk management across various functions and
116
departments of their organization; and
117
• assure that a quality risk management process is defined, deployed and reviewed and that
118
adequate resources and knowledge are available;
119
• assure that subjectivity in quality risk management activities is controlled and minimised,
120
to facilitate scientifically robust risk-based decision making.
121
4.2 Initiating a Quality Risk Management Process 122
Quality risk management should include systematic processes designed to coordinate, facilitate
123
and improve science-based decision making with respect to risk. Possible steps used to initiate
124
and plan a quality risk management process might include the following:
125
• Define the problem and/or risk question, including pertinent assumptions identifying the
126
potential for risk;
127
• Assemble background information and/ or data on the potential hazard, harm or human
128
health impact relevant to the risk assessment;
129
• Identify a leader and necessary resources;
130
• Specify a timeline, deliverables and appropriate level of decision making for the risk
131
management process.
132
4.3 Risk Assessment 133
Risk assessment consists of the identification of hazards and the analysis and evaluation of
134
risks associated with exposure to those hazards (as defined below). Quality risk assessments
135
begin with a well-defined problem description or risk question. When the risk in question is
136
well defined, an appropriate risk management tool (see examples in Section 5) and the types
137
of information needed to address the risk question will be more readily identifiable. As an aid
138
to clearly defining the risk(s) for risk assessment purposes, three fundamental questions are
139
often helpful:
140
1. What might go wrong?
141
2. What is the likelihood (probability) it will go wrong?
142
3. What are the consequences (severity)?
143
Hazard identification is a systematic use of information to identify hazards referring to the risk
144
question or problem description. Information can include historical data, theoretical analysis,
145
informed opinions, and the concerns of stakeholders. Hazard identification addresses the “What
146
might go wrong?” question, including identifying the possible consequences. This provides the
147
basis for further steps in the quality risk management process.
148
Risk analysis is the estimation of the risk associated with the identified hazards. It is the
149
qualitative or quantitative process of linking the likelihood of occurrence and severity of harms.
150
In some risk management tools, the ability to detect the harm (detectability) also factors in the
151
estimation of risk.
152
Risk evaluation compares the identified and analyzed risk against given risk criteria. Risk
153
evaluations consider the strength of evidence for all three of the fundamental questions.
154
In doing an effective risk assessment, the robustness of the data set is important because it
155
determines the quality of the output. Revealing assumptions and reasonable sources of
156
uncertainty will enhance confidence in this output and/or help identify its limitations.
157
Uncertainty is due to combination of incomplete knowledge about a process and its expected
158
or unexpected variability. Typical sources of uncertainty include gaps in knowledge gaps in
159
pharmaceutical science and process understanding, sources of harm (e.g., failure modes of a
160
process, sources of variability), and probability of detection of problems.
161
The output of a risk assessment is either a quantitative estimate of risk or a qualitative
162
description of a range of risk. When risk is expressed quantitatively, a numerical probability is
163
used. Alternatively, risk can be expressed using qualitative descriptors, such as “high”,
164
“medium”, or “low”, which should be defined in as much detail as possible. Sometimes a "risk
165
score" is used to further define descriptors in risk ranking. In quantitative risk assessments, a
166
risk estimate provides the likelihood of a specific consequence, given a set of risk-generating
167
circumstances. Thus, quantitative risk estimation is useful for one particular consequence at a
168
time. Alternatively, some risk management tools use a relative risk measure to combine
169
multiple levels of severity and probability into an overall estimate of relative risk. The
170
intermediate steps within a scoring process can sometimes employ quantitative risk estimation.
171
4.4 Risk Control 172
Risk control includes decision making to reduce and/or accept risks. The purpose of risk
173
control is to reduce the risk to an acceptable level. The amount of effort used for risk control
174
should be proportional to the significance of the risk. Decision makers might use different
175
processes, including benefit-cost analysis, for understanding the optimal level of risk control.
176
Risk control might focus on the following questions:
177
• Is the risk above an acceptable level?
178
• What can be done to reduce or eliminate risks?
179
• What is the appropriate balance among benefits, risks and resources?
180
• Are new risks introduced as a result of the identified risks being controlled?
181
Risk reduction focuses on processes for mitigation or avoidance of quality risk when it exceeds
182
a specified (acceptable) level (see Fig. 1). Risk reduction might include actions taken to
183
mitigate the severity and probability of harm. Processes that improve the detectability of
184
hazards and quality risks might also be used as part of a risk control strategy. The
185
implementation of risk reduction measures can introduce new risks into the system or increase
186
the significance of other existing risks. Hence, it might be appropriate to revisit the risk
187
assessment to identify and evaluate any possible change in risk after implementing a risk
188
reduction process.
189
Risk acceptance is a decision to accept risk. Risk acceptance can be a formal decision to accept
190
the residual risk or it can be a passive decision in which residual risks are not specified. For
191
(acceptable) level. This (specified) acceptable level will depend on many parameters and
195
should be decided on a case-by-case basis.
196
4.5 Risk Communication 197
Risk communication is the sharing of information about risk and risk management between
198
the decision makers and others. Parties can communicate at any stage of the risk management
199
process (see Fig. 1: dashed arrows). The output/result of the quality risk management process
200
should be appropriately communicated and documented (see Fig. 1: solid arrows).
201
Communications might include those among interested parties; e.g., regulators and industry,
202
industry and the patient, within a company, industry or regulatory authority, etc. The included
203
information might relate to the existence, nature, form, probability, severity, acceptability,
204
control, treatment, detectability or other aspects of risks to quality. Communication need not
205
be carried out for each and every risk acceptance. Between the industry and regulatory
206
authorities, communication concerning quality risk management decisions might be effected
207
through existing channels as specified in regulations and guidances.
208
4.6 Risk Review 209
Risk management should be an ongoing part of the quality management process. A mechanism
210
to review or monitor events should be implemented.
211
The output/results of the risk management process should be reviewed to take into account new
212
knowledge and experience. Once a quality risk management process has been initiated, that
213
process should continue to be utilized for events that might impact the original quality risk
214
management decision, whether these events are planned (e.g., results of product review,
215
inspections, audits, change control) or unplanned (e.g., root cause from failure investigations,
216
recall). The frequency of any review should be based upon the level of risk. Risk review might
217
include reconsideration of risk acceptance decisions (section 4.4).
218 219