Quality Risk Management SOP

SOP on Pharmaceutical quality risk management | Quality risk management in pharmaceutical industry |

  • SOP covers below points:
    • Quality Risk Management Process:
    • Quality Risk Management Principles
    • Initiation of Quality Risk Management Process
      • Process Mapping
      • Risk Assessment
      • Risk Identification
      • Risk Analysis
      • Risk Analysis Tools
      • Risk Evaluation
      • Risk Control
    • Risk communication
    • Risk Documentation
    • Risk Review
    • Potential Application
    • Quality Risk Management Team
    • Quality Risk Management formats
  • To describe the procedure for management of risk, arising from different operations, activities and discrepancies.
2.0 SCOPE :
  • This procedure is covering overall management of risks in facility and equipment, production, testing and analysis , warehousing, engineering that arise from different operations.
  • All functional / Departmental Heads
  • Risk Management Team
  • (At least one responsible member from Technical function including Quality Assurance, Quality Control, Formulation and Development, Engineering and Production)

5.1 Quality Risk Management Process:

  • Principles: Primary principle of quality risk management are:
    • The evaluation of the risk to quality is based on scientific knowledge and ultimately link to the protection of the patient; and
    • The level of effort, formality and documentation of the quality risk management process is commensurate with level of risk.
  • Quality risk management is a systematic process for the assessment, control, communication and review of risks to the quality of the product across the product lifecycle.
  • An overview of typical quality risk management process as per Annexure No. 1 in flowchart form attached.
  • Note: “unacceptable” in the flowchart does not only refer to statutory, legislative or regulatory requirement, but also to the need to revisit the risk assessment process.
  • The emphasis on each component of the framework might differ from case to case but a robust process shall incorporate consideration of all the elements at a level of detail that commensurate with the specific risk.
  • Quality risk management include systematic processes designed to coordinate, facilities and improve science based decision making with respect to risk.

5.2 Initiation of (QRM) Quality Risk Management Process Approach

  • The QRM process consists of following steps;
    • Process mapping (identifying all inputs, outputs and existing control measures),
    • Risk assessment (risk-identification, risk-analysis and risk- evaluation),
    • Risk control (risk reduction and risk acceptance),
    • Risk communication (communication of residual risks to regulators/customers),
    • Periodic Risk review.
  • Process Mapping:
    • Clearly identify the process inputs/ outputs being assessed and what it is attempting to achieve, i.e ,what is the harm/risk and what the impact could be on the patients?
    • Assemble background information and/ or data on the potential hazard or harm relevant to the risk assessment.
    • Take full account of current scientific knowledge and subject matter expertise who are experienced in the risk assessment process being risk assessed.
    • Use factual evidence supported by expert assessment to reach conclusions and include any unjustified assumptions.
    • Process mapping information/ gathering data include historical data, theoretical analysis, informed opinions and the concerns of stakeholders (brain storming).
    • Existing control measures like procedural control, engineering control, administrative control or any detection control shall be identified during the process mapping.
  • Risk Assessment
    • Risk assessment consists of the identification of hazards, analysis and evaluation of risks associated with exposure to those hazards.
    • Quality risk assessments begin with a well-defined problem description or risk question like;
      • What might go wrong?
      • What is the likelihood (probability) it will go wrong?
      • What are the consequence (severity)?
  • Risk assessment :
    • Proactive: is one that is conducted in advance of conducting an activity either before any activity is conducted in advance of conducting an activity. This would often allow quality to be built in to activities and risk reduced (quality by design). (Example: Design of facilities for MLT room from Microbiology Section.)
    • Reactive; is one that is conducted to assess the impact of a situation that has already occurred. (Example: Impact of deviation from established standard and regulatory filed information.)
  • Risk Identification:
    • All risks (reasonable/ expected) shall be identified by anyone working in his/her respective workplace with the systematic use of information collected during process mapping.
  • Risk Analysis:
    • The estimation of the risk associated with the identified hazards shall be done qualitatively or quantitatively.
    • Risk shall be analyzed by setting occurrence level based on actual occurrence history of particular problem/ failure by referring Quality events like deviations, Change  control, Complaint, OOS previous audit finding, risk register and interventions that could potentially impact batch quality.
    • Team shall analyze the risk linking the likelihood of occurrence, detection and severity of harm using qualitative and quantitative descriptors respectively as:

  • Risk Analysis Tools:
    • Different risk analysis tools shall be employed to categorize and prioritize the risks. Wherever possible, quantitative data shall be obtained and used to justify risk statements. However; qualitative analysis can be utilized when no data exists.
    • The different kinds of tools that are used for risk analysis. One of the tools is failure mode effect critically analysis (FMECA) where the output of FMECA is a risk ranking based on risk priority numbers that are then used to determine if the risk is acceptable or needs further action.
      • FMECA provides for an evaluation of potential failure modes for processes and their likely effect on outcomes and or product performance. FMECA can be applied to equipment and facilities and might be used to analyze a manufacturing operation and its effect on product or process.
      • FMECA relies on product and process understanding and breaks down the analysis of complex processes into manageable steps.
      • FMECA is powerful tool for summarizing the important modes of failure, factors causing these failures and the likely effects of these failures.
      • FMECA can be used to prioritize risks and monitor the effectiveness of risk control activities.
      • Once failure modes are established, risk reduction can be used to eliminate, contain, reduce or control the potential failures.
      • The outputs / result of FMECA can be used as a basis for design or further analysis or guide resources deployment.
    • Following steps to be followed to carry out Risk assessment by using FMECA tool and document the same in Annexure No. 5 (for Qualitative/ Quantitative analysis.
      • List the elements of the  system/facility/process/equipment.
      • Identify the known and potential failure modes: develop list of known problems and brainstorm other potentials;
      • e.g. Product not meeting specification,
      • Process not meeting yield requirements,
      • Malfunctioning equipment, software problem’s 
      • Describe the effect of the failure on identified failures.
      • Determine failure Severity (S), Probability (P) and Detection (D).
      • a) Severity: Based on numeric values of 1,3,5,7 & 10 or qualitative ranking, the severity of risk shall be assessed.
      • b) Probability: Value or qualitative based on actual or assessed rate of occurrence.
      • c) Detection: Using the Risk factors tables, ability to detect failure shall be recorded.
      • Determine risk level on the basis of qualitative or quantitative (S x P x D) ranking.
    • Quantitative Risk ranking shall be done on the basis of below mentioned Charts (Severity, Probability and Detection) Risk priority number (RPN) shall be calculated for cross contamination risk application.

  • RPN shall be calculated as per below mentioned formula
  • RPN= Severity (S) x Probability (P) x Detection (D)
  • Risk Evaluation:
    • After analyzing, the risk shall be compared and evaluated against given risk criteria by considering the strength of statistical evidence as the quality of output is dependent on robustness of data analyzed.
    • Risk shall be evaluated by considering the probability of occurrence, detectability and severity of the harm as per Annexure – No. 5 covered under risk management tools.
    • Conclusion of risk evaluation shall reflect the level of risk to patient and outlines the following actions:
RPN NumberRankingProductionInvestigationRemedial ActionReview
250-342High RiskContinueYesYesMonthly
175-249SignificantContinueYesYesSix monthly
Less than 175AcceptableContinueNoNoAnnually

5.3 Risk Control:

Risk control process shall ensure to reduce the risk to an acceptable level or accept the risk and the amount of efforts for risk control shall be proportional to the level of risk. The following question shall be focused while decision making process;

  • Risk control process shall ensure to reduce the risk to an acceptable level or accept the risk and the amount of efforts for risk control shall be proportional to the level of risk. The following questions shall be focused while decision making process;
    • Is the risk above an acceptable level?
    • What can be done to reduce or eliminate the risk?
    • What is the appropriate balance among benefits, risk and resources?
    • Are new risks introduced as a result of identified risks being controlled?
  • Risk Reduction: is a process to either mitigate the severity/ probability of harm or avoidance of risk when exceeding acceptable level.
    • Effort shall be done to mitigate or avoid the risk by Quality risk management team keeping in mind that the steps taken should not introduce a new risk.
    • Following risk control strategies shall be considered during Risk reduction.
      • Mitigate the severity
      • Reduce probability of harm
      • Increase detectability of hazards
    • All identified risks that require remediation shall be accompanied by corrective and preventive actions shall be capable of quantifiable demonstrating a sustained reduction in original risk level/RPN value.
    • Corrective and preventive actions shall be capable of quantifiable demonstrating a sustained reduction in original risk level/ RPN value.
    • Quality Assurance Head shall ensure that all risks reduction controls have been implemented in a manner they appear in the risk assessment and shall be effectiveness verified on periodic basis to identity any possible change in risk past risk reduction process.
    • The results of verification shall be incorporated back in to risk analysis to determine if the risk is adequately reduced. If the risk is still not reduced to an acceptable level, additional measures to be implemented and verified till the risks are deemed acceptable in a cyclic manner.
  • Risk acceptance: is a formal decision to accept the residual risk. If it is not possible to entirely eliminate the risk, decision shall be taken to accept the risk assuring to reduce it to (specified) acceptable level. This acceptable level shall depend on many parameters and should be decided on a case to case basis.

5.4 Risk communication: is a sharing about risk and risk management outcome between decision makers and others (regulatory agencies, within the company and customers).

  • Risks can be communicated to the relevant stakeholder at any stage in the entire process of Quality risk management.
  • Once accepted, risk assessment reports/risks shall be forwarded to Quality Assurance Head or his/her designee for review and approval.
  • Once approved, risks shall be communicated to all relevant departments/stakeholders to implement the suggested actions to mitigate/avoid risks.

5.5 Risk Documentation:

  • All risk assessment reports shall be maintained by QA.
  • Annual risk assessment plan shall be prepared by designated QA person as per Annexure No. 6 for proactive risk assessment and shall be approved by Quality Assurance Head or his/her designee.
  • QRM team shall assess the risks per Annual risk assessment plan.
  • All identified risks shall be logged in “Quality Risks Register” Annexure No. 7 and same shall be tracked/ monitored by QA for completion of mitigation action if any.
  • Risk assessment shall be numbered as mentioned below :
    • RA/XXX/YY
    • Where, RA : Risk Assessment
    • XXX : Document no. starting from 001
    • YY : Last two digit of current calendar year

5.6 Risk Review

  • As an ongoing part of quality management process, individual risk assessment and their outcomes shall be reviewed, controlled and re- assessments periodically.
  • Review of Risk Assessment:
    • Quality Assurance  head  shall ensure the performing, communicating and documenting periodic reviews of risk assessments and outcomes of its risk management plans.
    • The QRM process shall be utilized continuously by QRM team, for events that might impact the original quality risk management decisions.
    • Risks shall be reviewed annually by QA as per the annual risk assessment plan for proactive risks and reactive risks. Risk review shall be done as per Annexure No. 8 “Periodic Risk Review Form”.
    • Quantification of number of risk reduced to an acceptable level shall be done during review.
    • The formality of the documentation shall be appropriate to the level of review.
  • Review of Effectiveness of QRM System:
    • Quality Assurance head – Quality shall monitor, evaluate and review the effectiveness of the QRM activities conducted for particular site.
    • The effectiveness verification of QRM system shall be done yearly by Quality Assurance head as per Annexure No. 9 “Effectiveness Verification of QRM process”.
    • The verification process is to determine the QRM process is working effectively.
    • The process of verification activities is as follows:
      • Review of the QRM system and its records/ Registers.
      • Review of deviations and product dispositions based on risk assessment.
      • Verifications may be conducted when there is unexplained system failure, a significant change in product, process or packaging occurs or further new hazards are identified and recognized.
      • If the results of comprehensive verification identify deficiencies, the QRM team should modify the QRM plan through CAPA.
    • Effectiveness verification of QRM system shall be forwarded to senior management for their approval.

5.7  Potential Application:

  • Quality Risk Assessment shall be carried out for the following system. Example of these potential applications are explained in Annexure No. 4.
    • Quality System (Training, Change management, Deviation, CAPA,OOS- results, Investigation, Auditing/ Inspection, complaints, recalls etc.
    • Inspection and assessment activities
    • Development
    • Facilities, Equipment and Utilities
    • Cross contamination
    • Material Management
    • Production System
    • Laboratory controls and stability testing
    • Packaging and labeling

5.8 Quality Risk Management Team

  • Quality Assurance Head shall decide and coordinate on Quality Risk Management activities. These  activities are usually undertaken by interdisciplinary teams and teams shall be organized by Quality Assurance head.
  • Quality risk management team shall be cross functional team comprising of experts from different area such as Quality Assurance, Quality Control, Production, Warehouse and Engineering departments, Business development, Marketing, F & D, HR or any other consultant who is subject matter expert.
AbbreviationExpanded form
SOPStandard Operating Procedure
QRMQuality Risk Management
CAPACorrective and Preventive action
GMPGood Manufacturing Practices
ICHInternational Conference On Harmonization
QAQuality Assurance
FMECAFailure Mode Effect Criticality Analysis
TCDTarget completion date
F & DFormulation and Development
MLTMicrobial Limit Test

Annexure No.Title
01Flow chart for Quality Risk Management process
02Flow chart for Quality Risk Management
03Quality Risk Management tools
04Potential Applications for Quality Risk Management
05Format for “Risk Assessment by FMECA”
06Format for “Annual Risk Assessment Plan”
07Format for “Quality Risk Register”
08Format for “Periodic Risk Review Form”
09Format for “Effectiveness Verification of QRM Process”

  • WHO TRS 937
  • ICH Q9 Guidelines
  • PIC/S



Annex. No. 01 Flow chart for Quality Risk Management process

Annex. No. 02 Flow chart for Quality Risk Management

Annex. No. 03 Quality Risk Management tools

Annex. No. 04 Potential Applications for Quality Risk Management

Annex. No. 05 Format for “Risk Assessment by FMECA”

Annex. No. 06 Format for “Annual Risk Assessment Plan”

Annex. No. 07 Format for “Quality Risk Register”

Annex. No. 08 Format for “Periodic Risk Review Form”

Annex. No. 09 Format for “Effectiveness Verification of QRM Process”

2 thoughts on “Quality Risk Management SOP”

  1. Pingback: Flowchart for Quality Risk Management and Quality Risk Management Process - PharmaBlog

  2. Pingback: Stability Studies SOP - PharmaBlog

Comments are closed.