Pharmaceuticals Risk Management
Quality risk management is a systematic process for the assessment, control, communication, and review of risks to the quality of the product throughout its life cycle. ICH Q9, Quality Risk Management, provides the framework that may be applied to all aspects of pharmaceutical quality, including development, manufacturing, distribution, inspection, and submission/review processes across the life cycle of drug substances and drug products as well as biologic and biotechnological products. Quality risk management can be applied in the product life cycle to the use of raw materials, solvents, excipients, packaging, and labeling materials.
The two primary principles of quality risk management are that the evaluation of the quality risk should ultimately link back to the potential harm to the patient, and that the level of effort, formality, and documentation of the quality risk management process should be commensurate with the level of risk.
GENERAL QUALITY RISK MANAGEMENT PROCESS
Quality risk management should include systematic processes designed to coordinate, facilitate, and improve science-based decision making with respect to risk. Steps used to initiate and plan a quality risk management process include:
• Defining the process, which typically involves risk assessment, risk control, risk communication, and risk review elements at an appropriate level of detail
• Assembling background information and/or data on the potential hazard, harm, or human health impact relevant to the risk assessment
• Identifying a leader and critical resources
• Specifying a timeline, deliverables, and appropriate level of decision making for the risk management process
• Identifying the interrelationships of the elements of the quality risk management process
RISK ASSESSMENT
Risk assessment consists of the identification of hazards and the analysis and evaluation of risks associated with exposure to those hazards. Quality risk assessments begin with a well-defined problem description or risk question. When the risk in question is well defined, an appropriate risk management tool and the types of information required to address the risk question will be readily identifiable. As an aid to clearly defining the risk(s) for risk assessment purposes, three fundamental questions are often used:
• What might go wrong?
• What is the likelihood (probability) it will go wrong?
• What are the consequences (severity)?
The output of a risk assessment is either a quantitative estimate of risk or a qualitative description of a range of risk. When risk is expressed quantitatively, a numerical probability is used. In quantitative risk assessments, a risk estimate provides the likelihood of a specific consequence, given a set of risk-generating circumstances. Thus, quantitative risk estimation is useful for one particular consequence at a time. Alternatively, risk can be expressed using qualitative descriptors, such as “high,” “medium,” or “low,” that should be defined in as much detail as possible. Sometimes a risk score is used to further define descriptors in risk ranking. In addition, some risk management tools use a relative risk measure to combine multiple levels of severity and probability into an overall estimate of relative risk. The intermediate steps within a scoring process can sometimes employ quantitative risk estimation.
Risk identification provides the basis for further steps in the quality risk management process. It systematically uses information to identify hazards associated with the risk question or problem description. Information can include historical data, theoretical analysis, informed opinions, and the concerns of stakeholders. It addresses the “What might go wrong?” question, including identifying the possible consequences. Risk analysis is the estimation of the risk associated with the identified hazards. It is a qualitative or quantitative process of linking the likelihood of occurrence with the severity of harms. The extent to which the harm can be detected also factors into the estimation of risk. Risk evaluation compares the identified risk against given risk criteria and considers the strength of evidence for the three fundamental questions.
RISK CONTROL
The purpose of risk control is to reduce the risk to an acceptable level. The amount of effort used for risk control should be proportional to the significance of the risk. Decision makers might use different processes, including benefit–cost analysis, for understanding the optimal level of risk control.
Risk control might focus on the following questions:
• Is the risk estimated in the risk assessment above an acceptable level?
• What can be done to reduce or eliminate risk(s)?
• What is the appropriate balance between benefits, risks, and resources?
• Are new risks introduced due to the identified risks being controlled?
Risk reduction focuses on mitigation and avoidance of quality risk when it exceeds a specified (acceptable) level. It includes actions taken to mitigate the severity, and reduce the probability, of harm. It may also identify processes that improve the detectability of hazards.
The implementation of risk reduction measures can introduce new risks into the system or increase the significance of other existing risks. Hence, it might be appropriate to revisit the risk assessment to identify and evaluate any possible change in risk after implementing a risk reduction process.
Risk acceptance is a decision to accept risk. It can be a formal decision to accept the residual risk, or it can be a passive decision in which residual risks are not specified. For some types of harms, even the best quality risk management practices might not entirely eliminate risk. In these circumstances, it might be agreed that an appropriate quality risk management strategy has been applied, and that quality risk is reduced to a specified (acceptable) level. This specified and acceptable level will depend on many parameters and should be decided on a case-by-case basis.
RISK COMMUNICATION AND RISK REVIEW
Risk communication is the exchange or sharing of information about risk and its management between the decision makers and others. Communication should include the existence, nature, form, probability, severity, and detectability of the risk. This process can sometimes be formal. It may be internal (that is, occur within the organization) or external (that is, occur with suppliers, customers, or regulators). Formal processes should be documented. Risk review is a process that allows for the review or monitoring of events. It should incorporate new knowledge and experience and may be used for planned or unplanned events, and it should be performed periodically.
RISK MANAGEMENT METHODOLOGY
Quality risk management supports a scientific and practical approach to decision making. It provides documented, transparent, and reproducible methods to accomplish steps of the quality risk management process based on current knowledge about assessing the probability, severity, and, sometimes, the detectability of the risk. Figure
10.1 lists some risk management tools. Combined use of these tools provides flexibility that can facilitate the application of quality risk management principles.
INTEGRATION INTO INDUSTRY AND REGULATORY OPERATIONS
Quality risk management is the foundation for science-based decisions when integrated into a quality management system (QMS). It does not obviate industry’s obligations to comply with regulatory requirements. It can facilitate better and more-informed decisions and may provide regulators with greater assurance of a company’s ability to address potential risks. It may affect the extent and level of direct regulatory oversight.
The degree of rigor and formality used in quality risk management should be commensurate with the complexity and/or criticality of the issue. Quality risk management should be integrated into existing operations and documented appropriately. Finally, training of personnel provides for greater understanding of decision-making processes and builds confidence in quality risk management outcomes.
METHODS AND TOOLS
Basic Risk Management Facilitation Methods
Basic risk management facilitation methods include flowcharts, check sheets, process maps, and cause-and-effect diagrams (that is, the Ishikawa diagram, or fishbone diagram).
Failure Mode and Effects Analysis
Failure mode and effects analysis (FMEA) includes the evaluation of potential failure modes and their effect on outcomes. It methodically breaks down the analysis of complex processes into manageable steps; risk reduction can then be used to eliminate, contain, reduce, or control failures.
The potential areas of use for FMEA are to prioritize risks and monitor the effectiveness of risk control activities. It can be applied to equipment and facilities, and might be used to analyze a manufacturing operation and its effect on product or process. It identifies elements/operations within the system that render it vulnerable. The output or results of FMEA can be used as a basis for design or further analysis, or to guide resource deployment.
Failure Mode, Effects and Criticality Analysis
Failure mode, effects and criticality analysis (FMECA) is extended to investigate the degree of severity of the consequences, probabilities of occurrence, and detectability. It can identify places for additional preventive actions.
Potential areas of use for FMECA application in the pharmaceutical industry should be primarily for failures and risks associated with manufacturing processes; however, it is not limited to this application. The output of an FMECA is a relative risk score for each failure mode, which is used to rank the modes on a relative risk basis.
Fault Tree Analysis
Fault tree analysis (FTA) evaluates system (or subsystem) failures one at a time, represented pictorially in the form of a branching tree of fault modes. At each level in the tree, combinations of fault modes are described with logical operators (for example, AND, OR). FTA relies on experts’ process understanding to find causes. A potential area of use for FTA can be to establish the pathway to the root cause of the failure. FTA can be used to investigate complaints or deviations to fully understand their root cause and to ensure that intended improvements will resolve the issue and not lead to other issues. FTA is an effective tool for evaluating how multiple factors affect a given issue. The output of an FTA includes a visual representation of failure modes. It is useful both for risk assessment and in developing monitoring programs
Hazard Analysis and Critical Control Points
Hazard analysis and critical control points (HACCP) is used to manage risks with physical, chemical, and biological hazards. HACCP has seven steps:
1. Conduct a hazard analysis and identify preventive measures for each step of the process.
2. Determine the critical control points.
3. Establish critical limits.
4. Establish a system to monitor the critical control points.
5. Establish the corrective actions to be taken when monitoring indicates that the critical control points are not in a state of control.
7. Establish a record-keeping system.
Potential areas of use for HACCP might be to identify and manage risks associated with physical, chemical, and biologic hazards (including microbiological contamination). HACCP is useful when product and process understanding is sufficiently comprehensive to support identification of critical control points. The output of a HACCP analysis is risk management information that facilitates monitoring of critical points not only in the manufacturing process but also in other life cycle phases.
Hazard Operability Analysis
Hazard operability analysis (HAZOP) is used primarily to evaluate process safety hazards. It is a systematic brainstorming technique for identifying hazards using guide words (for example, no, more, other than, part of). HAZOP is for risk events caused by design or operating deviations. Potential areas of use for HAZOP are manufacturing processes, including outsourced production and formulation, and the upstream suppliers, equipment, and facilities for drug substances and drug products. It has been used primarily in the pharmaceutical industry for evaluating process safety hazards. As is the case with HACCP, the output of a HAZOP analysis is a list of critical operations for risk management. This facilitates regular monitoring of critical points in the manufacturing process.
Preliminary Hazard Analysis
Preliminary hazard analysis (PHA) is the application of experience or knowledge of a hazard to identify future hazards. This tool consists of identification of the possibility that the risk event happens, qualitative evaluation of the extent of possible injury or damage to health that could result, relative ranking of the hazard using a combination of severity and likelihood of occurrence, and identification of possible remedial measures. Potential areas of use for PHA might be analysis of existing systems or prioritizing hazards where circumstances prevent a more extensive technique from being used. It can be used for product, process, and facility design, as well as to evaluate the types of hazards for the general product type, then the product class, and finally the specific product. PHA is most commonly used early in the development of a project when little information on design details or operating procedures is available; thus, it will often be a precursor to further studies. Typically, hazards identified in the PHA are further assessed with other risk management tools.
Risk Ranking and Filtering
Risk ranking and filtering is a tool for comparing and ranking risks including filters (for example, cutoff scores). Potential areas of use include prioritizing manufacturing sites for inspection/audit by regulators or industry. Risk ranking methods are consequences to be managed are diverse and difficult to compare using a single tool. Risk ranking is useful to management in evaluating both quantitatively assessed and qualitatively assessed risks within the same organizational framework.
Supporting Statistical Tools
These tools support data assessment and facilitate decision making. The most common statistical tools are control charts, design of experiments (DOE), histograms, Pareto charts, process capability analysis, FTA, FMEA, and HACCP.