You are on page 1of 9

Embracing quality risk management: The new paradigm by Tim Sandle and Madhu Raju Saghee

Originally published by Express Pharma in 2010:
Introduction A current popular aphorism in all regulated pharmaceutical and biotechnology arenas is the phrase, 'Risk Management.' In general, risks describe any potential dangers. We are all confronted with risks in our day to day life, and we all have well-developed skills, known as heuristics, with which we incessantly assess the various risks and find ways to avoid them or reduce them the best we can. No matter how we try, the fact is Tim Sandle, 'risks cannot be avoided' and there is no such thing as 'zero risk'. We Head of constantly accept and or take risks because accomplishing anything Microbiology, necessarily entails risks of all sorts; using any mode of transportation Bio Products Laboratory, UK means the risk of accident, falling in love means the risk of heartbreak1. Risk management has always been an intrinsic part of the world of pharma - with the decisive calculation of benefit-risk for each medicine serving as the ultimate determinant for drug and patient safety. While the rigorous adherence to drug safety hasn't changed over the years, there has been a noticeable shift in the approach to risk management as companies have begun to implement more standardized, formal processes in light of the new requirements and challenges around drug safety. Risk management has been successfully employed in various industrial sectors like US Space industry (NASA), nuclear power industry and automobile industry which benefited these industries in several areas. But in application, the pharmaceutical sector is still in its infancy and the utilization of risk assessment techniques to pharmaceutical production is just beginning and the potential gains are yet to be realised2. At present, the pharmaceutical industry is juggling with needing to comply with the increasing global regulatory requirements and legal enforcements, and yet upholding the quality with the limited resources and cost pressure. So the limited resources must be streamlined and utilised, where the risks are highest, thus minimising risk to patients while maximising resource utilisation and efficiencies. In this quandary, risk management can provide support. It should be made clear that this concept of risk management in principle does not represent any new development. The new concept is towards more systematic and formal implementation of quality risk management by driving the existing systems towards the critical quality attributes which ensures patient safety rather than wasting the resources and time towards less critical activities. The purpose of risk management is to focus resources on those areas which are the most important. It ensures a more science-based decision making process and full utilisation of the resulting advantages. The use of risk assessment in the pharma industry is both an increasingly used tool and an expectation of regulatory authorities. Risk assessment forms a key component of any risk management programme. Risk analysis and risk evaluation together represent the two fundamental parts of the risk assessment phase of a risk management process cycle. The assessment of risk involves either the quantitative or qualitative determination of one or more risks. Risks are generally recognised as being related to a situation, event or scenario in which a recognised hazard may result in harm. Quantitative risk assessment requires a type of calculation. This is often based upon the magnitude or severity of the risk and the probability that the risk will occur.
Madhu Raju Saghee, Corporate Quality Assurance, Gland Pharma. He can be reached at madhu@

Risk assessment involves identifying risk scenarios either prospectively or retrospectively. With the former, this involves determining what can go wrong in the system and all the associated consequences and likelihoods; with the latter this looks at what has gone wrong and using risk assessment to assess the process, product or environmental risk and to aid in formulating the appropriate actions to prevent the incident from re-occurring. Risk analysis is also highly beneficial in that it can also be used to identify and justify process improvements. Furthermore, the use of risk assessments can allow manufacturers to explore weaknesses and to construct scientific and data based rationales. This drive towards risk based approach has been spurred by three main events 1. The 'Pharmaceutical cGMPS for the 21st century: A Risk Based Approach' initiative by FDA in 2002 2. Annex 15 to the EU GMP Guide3 3. The ICH Guideline titled Quality Risk management., (ICH Q9)4 (The ICH-Q9 guideline concerning Quality Risk Management in the pharmaceutical field (active substances and medicinal products) was adopted by the European Union and PIC/S in Annex 20 of the EU and PIC/S GMP Guides.)

Figure 2: The quality risk management process according to ICH Q9

Figure 1: The Linkage of various processes where QRM can be deployed for evaluating patient risk (Adopted from Presentation by H. Gregg Claycamp, 2006)

The 'Pharmaceutical cGMPS for the 21st century: A Risk Based Approach' initiative by FDA:

On Aug. 21, 2002, FDA announced a significant new initiative: "Pharmaceutical Current Good Manufacturing Practices (CGMPs) for the 21st Century: A Risk-Based Approach." The objective was to enhance and modernise the regulation of pharmaceutical manufacturing and quality. The methodology was to use risk-based and science-based approaches for regulatory decision-making throughout the entire life-cycle of a product. To create a framework that will streamline the quality review of many products, allowing pharmaceutical organizations to use their valuable resources in a more efficient manner. This initiative set forth a plan to enhance and modernize FDA's regulations governing pharmaceutical manufacturing and product quality for human and veterinary drugs and human biological products. The objectives were to: Encourage the early adoption of new technological advances by the pharmaceutical Industry Facilitate industry application of modern quality management techniques, including implementation of quality systems approaches, to all aspects of pharmaceutical production and quality assurance Encourage implementation of risk-based approaches that focus both industry and FDA attention on critical areas Ensure that regulatory review, compliance, and inspection policies are based on state-of the-art pharmaceutical science Enhance the consistency and coordination of FDA's drug quality regulatory programs, in part, by further integrating enhanced quality systems approaches into the Agency's business processes and regulatory policies concerning review and inspection activities

In September 2004, FDA released its final report on achievements and future plans of the initiative known as the "Pharmaceutical cGMPs for the 21st Century--A Risk-Based Approach5."

Figure 3: Sub processes in risk management, (Adopted from Presentation by H. Gregg Claycamp, 2006)

Figure 4: Continuous improvement strategy facilitated by ICH Q9

Few Key accomplishments of the council were announced in the 2004 final report, including: Adoption of a quality systems model for agency operation, developed under FDA's Management Council and published in the FDA Staff Manual Guide. The guide defines the essential quality elements to consider as part of any system that controls an internal FDA regulatory activity. Development of a quality systems guidance for cGMP regulation, by which the final guidance for industry, Quality Systems Approach to Pharmaceutical Current Good Manufacturing Practice Regulations was released by FDA in September 2006, which is intended to encourage industry to implement the use of qualitymanagement systems and risk-management principles. Science based regulation of product quality, As pharmaceutical manufacturing evolves from an art to a science and engineering based activity, application of this enhanced science and engineering knowledge in regulatory decision-making, establishment of specifications, and evaluation of manufacturing processes will improve the efficiency and effectiveness of both manufacturing and regulatory decision-making. Adoption of risk-management principles to enhance the agency's inspection and enforcement program, which is focused on protecting the public health. For example, FDA began using a risk-based approach for prioritising inspections. This approach will help the agency predict where its inspections are likely to achieve the greatest public health impact etc. A number of guiding principles were adopted by the FDA as a part of this restructuring program

Annex 15 to the EU GMP Guide General risk based consideration have been a feature of the European GMP framework since the inception of the first version of the EU GMP guide in 1989. Annex 15 mandates the manufacturers to formally evaluate the risk during manufacturing related activities of validation and change control. Annex 15 is specifically concerned with qualification and validation activities, and it states that a "risk assessment approach should be used to determine the scope and extent of validation", and that the likely impact of changes "should be evaluated, including risk analysis". A lot of work was done in developing a Quality Risk Management solution designed to facilitate compliance with the risk-based qualification, validation and change control GMP requirement of the EU by Dr. Kevin O'Donnell (Market Compliance Manager at the Irish Medicines Board (IMB), Dublin, Ireland). Readers are advised to refer to the below listed references6.

The ICH guideline titled Quality Risk Management, (ICH Q9): In November, 2005 the ICH published a guideline Quality Risk Management (numbered as ICH Q9) which was a significant milestone in the development of quality risk management activities within pharmaceutical industrial and regulatory activities. ICH Q9 together with ICH Q8 and Q10 is one of the ICH Q-topics that encourage further development science based and risk based approaches to quality. The ICH Q8, Q9 and Q10 guidelines have been discussed as a tripartite approach to total quality management system for the pharmaceutical industry. The inimitability of this guideline meant that it is applicable to both the industry and to regulators. As per ICH Q9, risk is defined as "Combination of the probability of occurrence of harm and the severity of that harm". Two primary principles of quality risk management as per ICH Q9 are: The evaluation of the risk to quality should be based on scientific knowledge and ultimately link to the protection of the patient; and The level of effort, formality and documentation of the quality risk management process should be commensurate with the level of risk.

Anatomy of ICH Q9: ICH Q9 is the most comprehensive document which provides principle and framework for effective implementation of risk management to support science based decision making which facilitates communication and transparency. The main body of this document explains the "What?" and its supplemented Annex I gives ideas on the "How?"and Annex II gives ideas on the "Where?" as shown in Figure 1. In brief this document highlights: A common language and process, Potential methodologies for Quality Risk Management, and Where Quality Risk Management can add value. The model for quality risk management according to ICH Q9 is outlined in the Figure 2. This document provides the structure for various risk analysis approaches which is centered on the fundamental three questions: 1. What might go wrong? 2. What is the likelihood (probability) it will go wrong? 3. What are the consequences (severity)? There are different levels of processes where risk management be implemented. This insight sometimes provides difficulties between the involved people discussing different levels of detail compared to different processes as in Figure 3. Within ICH Q9, the major risk analysis tools described include FMEA (Failure Mode and Effects Analysis); FTA (Fault Tree Analysis) and HACCP (Hazard Analysis Critical Control Points), although there are other approaches (Other approaches include FMECA (Failure Mode Effect and Criticality Analysis). In addition to the basic FMEA, FMECA includes a criticality analysis, which is used to chart the probability of failure modes against the severity of their consequences; HAZOP (Hazard and Operational Studies or Hazard Operability Analysis) which originated in the Chemistry Industry, this approach considers that all risks originate from deviations from the agreed process; QMRA (Quantitative Microbiological Risk Assessment); MPRM (Modular Process Risk Model); SRA (System Risk Analysis); Method for Limitation of Risks and Risk Profiling.), these tools are

particularly useful in helping to deconstruct the complexity of pharmaceutical operations. At present, no definitive method exists (and probably, given the variety of pharmaceutical operations, never will); and the various approaches differ in their processes as well as the degree of complexity involved. ICH Q9 facilitates continuous improvement along the entire life cycle as shown in Figure 4. Other approaches should not be ignored and the reader is encouraged to examine other risk assessment tools. Computer modeling, for instance, has tremendous potential power (Tidswell and McGarvey 2, for instance, covers this very well). Outside of FMEA and HACCP, Fault Tree Analysis (FTA) is used for many equipment operational issues. However, with FTA (a form of probabilistic risk assessment), is one of the more sophisticated tools used for risk analysis. It is a 'top-down' approach which looks at any possible faults that could occur at each stage of the process. The fault is then reviewed to see how it might occur and the possible root causes determined to prevent the fault from ever occurring. This is achieved by breaking the process down into different steps. Regulatory concerns are not only about when quality risk management is performed but also whether it is integrated into the Quality Systems of an organization. A regulator is unlikely to be satisfied with an organization that has a totally dedicated risk management department, which fails to implement risk management practices within the whole organization. Moreover each department within any organisation should be using fundamentally identical risk management tools and techniques. When a risk assessment is presented to an inspector or an auditor, it is likely that the reviewer will be concerned with whether the risk assessment is traceable to a risk methodology and that the process is clear, understandable, and that it has been performed consistently. In this sense, the reviewer will want to understand how the decisions were made and that the risk (or problem) was defined upfront. With the question established, the reviewer will also wish to see if the process performed actually answered the question in a meaningful way using scientific principles. With the process itself, the reviewer may well want to note if an appropriate multifunctional team was involved and if appropriate documentation was used. For complex process investigations, evidence that the team followed the process step-by-step will be required. With the final conclusion the reviewer will expect to see that the risk has been assessed and action taken, as well as some action being in place to either prevent future occurrence or to mitigate the risk7. The Basics of Risk Assessment Risk assessment tools and techniques can be applied to every aspect of pharmaceutical processing. An important part of this application involves an understanding of the process. Formal risk approaches normally share four basic concepts, which are listed below: 1) Risk assessment 2) Risk control 3) Risk review 4) Risk communication With different approaches to risk management there are differences in terminology. These four steps are interpreted as:

Risk assessment Risk assessment is the assessment of effects of the incident or scenario (such as a microbiological contamination event). It involves the use of risk analysis tools and the evaluation of risk. The object of using these tools is to identify the root cause. Risk control Risk control is centered on risk reduction or risk mitigation. This process consists of corrective actions taken to resolve the incident and preventative actions proposed to avoid a recurrence of the incident in the future. At some point, risk control will also involve a consideration of risk acceptance for the measures put in place will ultimately need to be accepted or rejected. Risk review The risk review is the follow up of action items and the final summary and evaluation of the incident. This should be approved by senior management. Risk communication Risk communication discusses the important steps involved in reporting and discussing the incident. It should also ensure that the appropriate parties are included in resolving the incident. Before commencing a risk assessment it is important to define the magnitude and the scope of the assessment (remaining focused on what is to be achieved); to select the appropriate team (often an interdisciplinary team is best); selecting and reviewing the appropriate risk management tool; deciding upon any numerical scale to be used (if any is applicable) and prioritising the different problems to be addressed. Most approaches begin by constructing a process map. The various analytical tools used for conducting risk assessments are similar, in that they involve: Constructing diagrams of work flows (these are pictorial representations of a process designed to break the process down into its constituent steps, this allows complex processes to be simplified); Identify hazards (which can be intrinsic, that is specific or inherent to the process or equipment, or extrinsic, that is factors which are external to the process or equipment but which might impact upon it). In doing so, this helps to: Pin-point the areas of greatest risk; Allow an examination of the potential sources of contamination; Decide on the most appropriate sample methods; Help to establish alert and action levels for on-going monitoring and to detect future risks; They should be flexible enough to take into account changes to the work process and any seasonal activities.

In doing so a standard series questions should be asked. For example, when considering equipment breakdown: What is the function of the equipment? What are its performance requirements? How can it fail to fulfill these functions? What can cause each failure?

What happens when each failure occurs? How much does each failure matter? What are its consequences? What can be done to predict or prevent each failure? What should be done if a suitable proactive task cannot be found? If a risk cannot be eliminated then how can it be reduced? If the risk cannot be reduced then how can it be monitored?

Thus the general approach is to recognise a risk, rate the level of the risk and then set out a plan to minimise, control and monitor the risk. Subsequent monitoring of the risk will help to determine, any follow up action. Advantages and disadvantages of Risk Assessment There are many advantages of risk assessment equally here are also some 'disadvantages' (or at least pitfalls to be aware of). The advantages of using risk management methodologies include: 1. The fact that decision making is improved and streamlined. 2. Activities can be prioritised; organizations can concentrate efforts on what will be of greatest importance to the final product and therefore yield the greatest benefit to the patient population. This also helps with effective resource allocation. 3. The scientific and data driven nature of risk assessment methodologies significantly reduces subjectivity. 4. Risk assessment allows the organisation to enhance its credibility with regulatory agencies. 5. Risk assessment provides one of the means of building quality into an organisation. As already mentioned there are, however, some disadvantages with risk management approaches. Although they can be rationalised to a degree and scientific principles are applied, many of the tools are subjective and rely, to an extent, upon supposition. Often with a contamination event there can be multiple risks and some of the approaches are weaker when dealing with multiple risk situations. Additionally some techniques are especially weak when they are directed to filtering out multiple risk factors, such as HACCP which works in a relatively linear way. The inclusion of substantiated facts, data and established scientific principles within risk assessment is paramount. Theoretical concepts and scientific principles which cannot be substantiated or validated must not be tolerated within any assessment of risk. With some quantitative risk assessments there is a danger that qualitative differences between different risks are ignored. To compound this some assessment tools may drop out important non-quantifiable or inaccessible information7. A further weaknesses arises with risk assessment tools still being relatively new within the pharmaceutical industry, which means there is only a small number of published case studies on which to draw upon, primarily focusing on HACCP and FMEA. Conclusion Nevertheless, with these weaknesses understood the advantages of risk assessment outweigh the disadvantages. Risk assessment allows processes and equipment to be designed in ways which are more efficient and safe for users and patients, and risk assessment allows problems which occur during processing to be addressed so that the

patient can be safeguard and preventative actions formulated to prevent a reoccurrence. Thus understanding and applying risk assessment is an essential requirement for 21st Century Pharma. This article presented the underlying principles of quality risk management. To implement an expedient risk management exercise, knowledge of these fundamental concepts must be thoroughly understood. The risk analysis tools for assessment of risk and a framework for implementing quality risk management and its integration into the existing quality system will be discussed further in the future issues. To support the implementation of Quality Risk Management into daily operations for Regulators and Industry some members of the ICH Q9 Expert Working Group have prepared a set of slides, ICH Q9 briefing pack available at References: 1. Risk: An Introduction by Jakob Arnoldi, Polity Press, U.K, 2009. 2. Tidswell, E. C.; McGarvey, B. Quantitative risk modelling in aseptic manufacture. PDA J. Pharm. Sci. Technol. 2006, 60 (5), 267-283. 3. The Rules Governing Medicinal Products in the European Community, Volume IV, published by the European Commission. 4. Quality Risk Management (ICH Q9), International Conference of Harmonisation of Technical requirements for Registration of Pharmaceuticals for Human Use, November 9th , 2005, available at 5. Pharmaceutical cGMPS for 21st Century - A Risk Based Approach, Final ReportSeptember 2004, U.S. Food and Drug Applications 6. O'Donnell, K., Greene, A., A risk management solution designed to facilitate riskbased qualification, validation & change control activities within GMP and Pharmaceutical regulatory compliance environments in the EU, Parts I & II, Journal of GXP Compliance, Vol 10, No.4, July 2006 7. T. Sandle 'Risk Management in Microbiology' in 'Microbiology and Sterility Assurance in Pharmaceuticals and Medical Devices' edited by Madhu Raju Saghee, Tim Sandle and Edward Tidswell, 2010, Business Horizons, India
About the Authors: Madhu Raju Saghee Madhu Raju Saghee is currently working in Corporate Quality Assurance department of Gland Pharma Limited, a producer of SVPs. He can be reached at Tim Sandle Tim Sandle is currently working at the Bio Products Laboratory; U.K. Tim is an honorary consultant with the School of Pharmacy and Pharmaceutical Sciences, University of Manchester. Tim serves on several national and international committees relating to pharmaceutical microbiology and cleanroom contamination control (including the ISO cleanroom standards). Tim has written over eighty book chapters, peer reviewed papers and technical articles relating to microbiology. He is currently the editor of the Pharmaceutical Microbiology Interest Group Journal ( He can be reached at