The 3 Phases of QRM – An Inspector's View
By Petra Rempe, Ph.D.

For the pharmaceutical world, quality risk management (QRM) is demanded as an obligatory tool in more and more GxP-regulated areas. The areas of application for QRM in a company are complex and cover the entire life cycle of a medicinal product. The implementation of such a system is closely linked to the quality management system.
The QRM process starts with the assessment of risks, as shown in Figure 1 (risk assessment). This step includes identification, analysis, and evaluation.
The results of this first phase serve as a basis for determining the measures to be taken to manage the risks (risk control). In this phase, minimization is the first step, followed by acceptance of the residual risk.
Implementing measures to minimize risks and communicating the overall result within the company initially conclude the QRM process.
The regular review of previous results and assessments completes the life cycle of the QRM process (risk review).
Figure 1: The QRM process according to ICH Q9(R1)
Risk Assessment
Figure 2: The three elements of risk assessment according to ICH Q9(R1)
What is risk assessment? |
---|
Risk assessment consists of the identification of hazards and the analysis and evaluation of risks associated with exposure to those hazards. It consists of the following sub-steps: |
• Hazard identification is the systematic use of information to identify potential sources of harm (hazards) referring to the risk question or problem description. |
• Risk analysis is the estimation of the risk associated with the identified hazards. It is the qualitative or quantitative process of linking the likelihood of occurrence and severity of harms. |
• Risk evaluation is a comparison of the estimated risk to given risk criteria using a quantitative or qualitative scale to determine the significance of the risk. |
It’s all about the right team
If the subject of the risk assessment is clearly and unambiguously formulated (risk question or subject), the team responsible for the risk analysis is then put together. Having an individual carry out a comprehensive risk analysis and assessment – possibly justified by a shortage of resources – is neither appropriate nor expedient. The goal of identifying hazards as comprehensively as possible and analyzing and assessing the resulting risks can only be achieved with an interdisciplinary team. Professional competence of the team members and experience in the analysis and assessment of risks, combined with the ability of the individual members to work in a team, are just as necessary for efficient and effective risk management as the individual characteristics of willingness and ability to communicate.
For team composition, different approaches are possible, e.g.:
- All risk assessments are carried out by a team with permanent members.
- Individual teams are formed for questions from the individual areas.
- A fixed core team is supplemented by the necessary experts depending on the issue at hand.
The procedure is at the discretion of the company. It is important to clearly describe the team-building.
Step 1: Hazard identification
Starting from the defined object of the risk assessment, the identification of potential hazards forms the basis for the evaluation of associated risks. For this purpose, it is essential to work through the object of consideration in theory, using, e.g., detailed descriptions of a process, device, or plant, usually by dividing it into individual steps. With this fragmentation, the microcosm of each step or area is analyzed, and the parameters and attributes that actually determine quality can be identified better than with a general, less detailed view of the overall process. Possible risks can thus be worked out more comprehensively and precisely.
Step 2: Risk analysis and evaluation
While the purpose of hazard identification is to identify hazards, whether theoretical or real, risk assessment is designed to distinguish the actually relevant risks that need to be minimized from the more theoretical, speculative ones. GMP regulations do not specify methods that are mandatory for this purpose. Here, too, companies have the choice of how they want to proceed:
- using empirical or internal tools and methods, based, for example, on observations and trends,
- formally with recognized tools and methods, or
- a combination of "formal" and "empirical" (multi-level approach).
It is important that the choice of a suitable instrument is made according to the specifications of the company's QMS and that the choice is justified in a comprehensible manner.
Objectivity has priority
Risk management means a systematic approach to risk. Thus, in addition to the choice of methods and procedures, the character and scope of the available data on which the risk assessment is based are also decisive for the result. A scientifically based approach is appropriate to the requirements. It is expected that such an assessment will be based on existing data, trends, etc., i.e., justifiable, and not detached from them. One shortcoming that is particularly observed in the context of risk assessment is that similar risks in different issues are classified differently without justification.
Unsubstantiated decisions made "on a gut feeling" do not meet the requirements of systematic procedure and scientific rigor.
Chapter 5.3, which deals with the influence of subjectivity on the QRM process, is new in the revised ICH Q9(R1) document. Individual risk assessments, which are characterized by subjective assessments or even prejudices, can lead to assessments that differ from an objective view.
Subjectivity cannot be completely ruled out in QRM. It should therefore be the declared aim of all those involved in the QRM process to recognize/anticipate potentially interest-driven actions and address them in order to minimize the influence of subjectivity in QRM.
Risk Control
Figure 3: Definition of risk control according to ICH Q9(R1)
What is risk control? |
---|
Risk control is the actions taken to implement risk management decisions. It encompasses the following phases: |
Risk reduction: actions taken to lessen the probability of occurrence of harm and the severity of that harm. |
Risk acceptance: an informed decision to take a particular risk. (ISO Guide 73:2009) |
In this step, a pharmaceutical company must decide how to deal with the risk in an appropriate manner. The basis for this is the identification of hazards and the assessment, and if necessary, quantification, of the related risks.
The aim of risk control is to reduce the existing risks for the object under consideration (process, device, facility, drug supply) without creating new risks.
Risks that still exist and cannot be influenced further are also referred to as “residual risks” (see Figure 4).
Figure 4: What is a residual risk?
What is residual risk? |
---|
Residual risk
|
Risk is a combination of probability of occurrence of harm and the severity of that harm. Although an influence on the severity of harm would be theoretically conceivable, in practice it is regarded as rather unlikely.
In addition to these two factors, the detectability of a hazard also has a decisive influence on the extent of a risk.
Step 1: Risk reduction
In risk reduction, appropriate measures are defined in order to:
- exclude,
- avoid,
- minimize, and
- control
the risks classified as relevant. This can be achieved either by reducing the probability of occurrence or by increasing the possibilities of detection.
Processes that improve the detectability of hazards and quality risks can also be incorporated into the risk control strategy.
When defining the measures, it is of great importance to check whether they are suitable for the purpose and whether the critical control points/causes are really influenced in the desired way.
The defined measures are to be planned according to the specifications in the QMS and, if necessary, prioritized. Their timely implementation must be monitored.
Risk-reducing measures are usually aimed at reducing the probability of occurrence and/or increasing the probability of detection. Based on the planned or implemented risk-reducing measures, the remaining risk is reassessed and compared with the criteria for risk acceptance. However, risk reduction does not mean "measures at any price." Rather, the effort required for risk control should be proportionate to the significance of the risk (see chapter 1.1.4.2 of GMP Compliance Adviser).
In the course of the implementation of what has been determined, it must be checked whether the desired result has been achieved and whether the measure has generated new risks and introduced them into the process. It goes without saying that the procedure and the results, as well as possible follow-up measures, must be documented.
A complete exclusion of all risks is a goal that is unrealistic to achieve. On the contrary, a certain level of imponderables cannot be further reduced. A residual risk remains.
Step 2: Risk acceptance
The risk reduction phase is followed by the risk acceptance phase. For this purpose, decision parameters must be defined, analogous to all other phases of a risk management process.
- What is an acceptable level for the residual risk?
- Under what conditions can risks be accepted?
These parameters should be defined in advance and also justified.
The risk acceptance step concludes the risk assessment process and the regulated handling of the results. However, this does not mean that this is a one-off procedure. New findings may emerge in the life cycle of QRM. A change in the state of knowledge/understanding means, first of all, reviewing the previous assessment of risks. In the event that new risks or changes in their characteristics are identified, the risk control procedure must be adapted to the new circumstances.
Risk Review
Figure 5: Definition of risk review according to ICH Q9(R1)
What is risk review? |
---|
Risk review involves reviewing and monitoring the conclusions and results of the risk management process and, if necessary, taking into account new findings about or experience with the risk. |
Quality risk management serves to minimize errors and harmful events to ensure the quality of the medicinal product and to avoid possible supply shortages. This makes QRM a fundamental element of the policy of every pharmaceutical company. It is of crucial importance that QRM is not seen as a one-off action, but that it takes into account the passage of time and the associated changes in knowledge and experience.
Against this background, companies should have a vested interest in regularly reviewing the results of all risk assessments to ensure that they are up-to-date and appropriate. Whether this is done using evaluation tools (e.g., self-inspection, management review, PQR) or following an individually defined procedure is up to the individual.
The aim of risk monitoring is to check and assess the effectiveness of the risk management systems and to confirm the performance of the QRM system. If shortcomings are identified, appropriate measures are required to restore this performance to its full extent.
This article is an excerpt from GMP knowledge contained in the online portal GMP Compliance Adviser, which provides in-depth information about GMP best practices and regulations with a focus on Europe, but also referring to the U.S., Japan, and many more (PIC/S, ICH, WHO, etc.).
About The Author:
Petra Rempe works in the GMP/GDP inspectorate of the district government in Münster, Germany. After initially being responsible for the GMP supervision of manufacturing sites, her area of responsibility expanded with the increasing legal requirements and now also includes plants that have to work according to GDP or the principles of good practice according to the EU Tissue Directive. She is a founding member of the inspectors’ expert group EFG 10 (qualification/validation), which she also headed for many years.