GENERAL QUALITY RISK MANAGEMENT PROCESS

on
Figure 1: Overview of a typical quality risk management process

GENERAL QUALITY RISK MANAGEMENT PROCES


Quality risk management is asystematic process for the assessment, control, communication and review of risks to the quality of the drug product across the productlifecycle. A model for qualityrisk management is outlined in the diagram (Figure 1). Other models could be used. The emphasis on each component of the frameworkmight differ from case to case but a robustprocess will incorporate consideration of all the elements at a level of detail thatis commensurate with the specific risk.

Decision nodes are not shown in the diagram above because decisionscan occur at any point in the process. Thesedecisions might be to return to the previousstep and seek further information, to adjust the risk models or even to terminate the risk management process based upon informationthat supports such a decision. Note: “unacceptable” in the flowchartdoes not only


refer to statutory, legislative, or regulatory requirements, but alsoto indicate that the risk assessment process should be revisited.


Quality risk management activities are usually, but notalways, undertaken by interdisciplinary teams. Whenteams are formed, they should include experts from the appropriate areas (e.g., qualityunit, business development, engineering, regulatory affairs, production operations, sales and marketing, legal,statistics, and clinical) inaddition to individuals who are knowledgeable about the quality risk management process.

Decision makersshould
·         take responsibility for coordinating qualityrisk management across variousfunctions and departments of their organization and
·         ensure that a quality risk management process is defined,deployed, and reviewed and that adequate resources are available.



Quality risk management shouldinclude systematic processes designedto coordinate, facilitate andimprove science-based decision making with respect to risk. Possiblesteps used to initiate and plan a quality risk management process might include the following:

·         Define the problem and/or risk question, including pertinent assumptions identifying the potential for risk
·         Assemblebackground information and/or data on the potential hazard, harm or humanhealth impact relevant to the risk assessment
·         Identify a leader and critical resources
·         Specify a timeline, deliverables, and appropriate level of decision making for the risk management process


Risk assessment consists of the identificationof hazards and the analysisand evaluation of risks associated with exposure to those hazards (as defined below).Quality risk assessments begin with a well-defined problem description or risk question. When therisk in questionis well defined,an appropriate riskmanagement tool (see examples in section 5) and the typesof information that will address the risk question will bemore readily identifiable. As an aid to clearlydefining the risk(s)for risk assessment purposes, threefundamental questions are often helpful:

1.      What might go wrong?
2.      What is the likelihood (probability) it will gowrong?
3.      What are the consequences (severity)?



Risk identification is a systematic use of information to identify hazards referring to the risk question or problem description. Information can include historical data, theoretical analysis, informed opinions, and the concernsof stakeholders. Risk identification addresses the“What might go wrong?” question, including identifying the possible consequences. This provides the basis for further steps inthe quality risk management process.

Risk analysisis theestimation of the risk associated withthe identified hazards. It is the qualitative or quantitative process of linkingthe likelihood ofoccurrence and severity of harms. In some risk management tools, the ability to detect the harm (detectability)also factors in the estimationof risk.

Risk evaluation compares the identifiedand analyzed risk against given risk criteria. Risk evaluations considerthe strength of evidence for all threeof the fundamental questions.

In doing an effective risk assessment, the robustness of the data set is important becauseit determines the quality of the output.Revealing assumptions and reasonable sourcesof uncertainty willenhance confidence in this output and/or help identify its limitations.
Uncertainty is due to combination ofincomplete knowledge about a process and its expected or unexpected variability. Typical sources of uncertainty include gaps in knowledge, gaps in pharmaceutical science and process understanding, sources of harm (e.g., failure modes of a process, sources of variability),and probability of detection of problems.

The output of a risk assessment is either a quantitative estimate of risk or a qualitative description of a range of risk. When risk is expressedquantitatively, a numericalprobability is used. Alternatively, risk can be expressed using qualitativedescriptors, such as “high,” “medium,”or “low,” which should be definedin as much detail as possible. Sometimes a risk score is used to further definedescriptors in risk ranking.In quantitative riskassessments, a risk estimateprovides the likelihood of a specific consequence, given a set of risk-generating circumstances. Thus, quantitative risk estimation is useful for one particular consequence at a time. Alternatively,some risk management tools use a relative risk measure to combine multiplelevels of severityand probability into an overall estimateof relative risk. The intermediatesteps within a scoringprocess can sometimes employ quantitative risk estimation.


Risk control includes decisionmaking to reduce and/oraccept risks. The purpose of risk controlis to reduce the risk to an acceptable level.The amount of effort used for riskcontrol should be proportional to the significance of the risk. Decision makersmight use different processes, including benefit-cost analysis, for understanding the optimal level of risk control.

Risk control might focus on the following questions:

·         Is the risk abovean acceptable level?
·         What can be done to reduce or eliminaterisks?
·         What is the appropriate balance among benefits, risksand resources?
·         Are new risks introduced as a result of the identified risks being controlled?




Risk reduction focuseson processes for mitigation or avoidance of quality risk when it exceeds a specified (acceptable) level (see Fig. 1). Risk reduction might include actionstaken to mitigatethe severity and probability of harm.Processes that improve the detectability of hazards and quality risks might also be used as part of arisk control strategy. The implementationof risk reduction measurescan introduce new risks into the systemor increase the significance of other existingrisks. Hence, itmight be appropriate torevisit the risk assessment to identify and evaluate any possiblechange in risk after implementinga risk reduction process.

Risk acceptance is a decision to accept risk.Risk acceptance can be a formaldecision to accept the residual risk or it can be apassive decision in which residual risks are not specified. For some types ofharms, even the best quality risk managementpractices might not entirely eliminaterisk. In these circumstances, it might be agreed that an appropriate quality risk managementstrategy has been applied and that qualityrisk is reduced to aspecified (acceptable) level.This (specified) acceptable levelwill depend onmany parameters and should be decidedon a case-by-case basis.


Risk communication is the sharingof information about risk and risk management between the decision makers and others. Parties can communicate at any stage of the risk management process(see Fig. 1: dashed arrows). The output/result of the quality riskmanagement process should be appropriately communicated and documented (see Fig. 1:  solid arrows).
Communications might include those among interested parties (e.g., regulators and industry; industry and the patient;within a company,industry, or regulatory authority). The included informationmight relate to the existence, nature, form, probability, severity, acceptability, control, treatment, detectability, or other aspects of risks to quality. Communication need not be carried outfor each and everyrisk acceptance. Betweenthe industry and regulatory authorities, communication concerning quality risk management decisions might be effected through existing channels as specified in regulations and guidances.


Risk management should be an ongoing part of the qualitymanagement process. Amechanism to reviewor monitor eventsshould be implemented.

The output/results of the riskmanagement process should be reviewed to take into account new knowledge and experience. Once a quality risk management process has been initiated, that process should continue to be utilized for events that might impact the original qualityrisk management decision, whetherthese events are planned (e.g.,results of productreview, inspections, audits,change control) or unplanned (e.g.,root cause from failure investigations, recall).The frequency of any reviewshould be based upon the level of risk. Risk reviewmight include reconsideration of risk acceptance decisions.

[Source: Guidance for Industry; Q9 Quality Risk Management
U.S. Department of Health and Human Services
Food and Drug Administration
Center for Drug Evaluation and Research (CDER)
Center for Biologics Evaluation and Research (CBER)
June 2006
ICH]

Comments

Post a Comment