Special thanks to Outsourced Pharma for the guest feature.
Guest Column Article by Tiffany Baker, Danica Brown, and Amanda McFarland of ValSource, Inc.
The topics covered in this article represent some of the common risk management pain points and mechanisms to overcome these challenges, focusing on the foundation of quality risk management (QRM). This includes using consistent terminology, determining risk strategy, implementing QRM, and the advantages of early implementation. In another article, we will focus on risk execution and how we can best get information from our subject matter experts in a virtual world.
The Foundation — Getting Started
One of the biggest challenges when developing a risk management program is identifying which risk assessments are needed in your risk management system. Identifying these risk assessments is commonly achieved through evaluating critical processes across the facility or critical equipment that is needed to enable organizational success. Once you have identified the risk assessments that need to be executed, the next hurdle is identifying which risk assessments require routine updates — this is where having a strong risk foundation is instrumental. A critical part of the risk foundation is how risk assessments are classified. Two elements are considered when you classify a risk assessment: the spectrum of formality and nature the risk assessment.
The spectrum of formality is commonly associated with the risk management tool or the structured approach taken to complete an assessment. As per ICH Q9 Quality Risk Management,1 “the level of effort, formality and documentation of the quality risk management process should be commensurate with the level of risk.” This principle allows each organization to select the risk tool that most appropriately meets the needs of the risk assessment objectives. In years past, organizations almost exclusively relied upon Failure Modes and Effects Analysis (FMEA) to execute all risk assessments across their organizations. This “FMEA for everything” approach has slowly taken a back seat as less formal risk assessments, such as Preliminary Risk Assessment (PRA) and Risk Estimation Model (REM), have become more widely used.2
The second part of classifying risk assessments is the nature of the risk assessment, which outlines the purpose of the risk management activity. There are two ways to categorize the nature of a risk assessment. The appropriate categorization can be determined by asking “am I performing this assessment to understand the system, the product, or the process, or am I evaluating a condition to make a decision?”. A life cycle assessment (LCA) is the best choice when you want to understand a process, product, or system. LCAs are dynamic/living risk assessments and cover a process from cradle to grave. LCAs give a big picture view of the system’s health and are subject to the risk review portion of the risk management life cycle. A gate-to-gate assessment can be used if you are interested in making a decision about a system, such as, for example, whether to implement a design change. Gate-to-gate assessments that support a decision are commonly called ad hoc or static risk assessments. These smaller assessments are inputs into the risk review portion of the QRM life cycle; however, they are not themselves periodically reviewed.
Life cycle assessments and gate-to-gate assessments are connected through the risk management life cycle. Consider Figure 1.0, which shows that the life cycle assessment from cradle to grave represents the full life cycle of a system. This assessment evaluates the process risks of a particular system, and through this formal assessment we would expect detailed analysis of the hazards and harms that impact the system or process. However, the inputs to the risk assessment may change over time — changes in facility conditions, deviation rates, reject rates, or regulatory conditions may impact the living risk assessment. To account for changes or improvements to the process, the LCA needs to be updated with the decision-focused risk assessments represented in the cloud in Figure 1. It is both the original life cycle assessment and all the events occurring to that process, product, or system that give us a full picture of system health.
When considering how these two types of assessments come together, think about the life cycle assessment as an establishment of your state of control. This is the baseline assessment and reflects how the system, product, or process is performing at its onset. The gate-to-gate assessments are the ways in which you demonstrate that you’re maintaining a state of control, such as, for example, maintaining a state with minimal numbers of deviations or minimal numbers of rejects. The connection between life cycle assessments and gate-to-gate assessments can also facilitate continual improvement. Once you have classified your risk assessments, it is time to consider the strategy you will take to make them most effective.
The Strategy – Creating Structure For Your QRM Portfolio
Regulations like EU GMP Annex 1: Manufacture of Sterile Products3 tell us what and where to use quality risk management principles. Firms are expected to use QRM in making decisions about processes, equipment, facilities, and manufacturing activities. In thinking about what is needed to develop a strategy for our QRM practice, you’ll see that you need to tackle when and how to use risk management.
Early implementation of a QRM strategy can reap substantial long-term benefits. By intentionally implementing a defined QRM approach at the beginning of a life cycle, you can avoid headaches and save costs associated with future corrections to patchwork inadequate risk management practices. This is aligned with quality by design principles, as from the outset we are contemplating how various decisions may impact quality. We can assemble the appropriate expertise to proactively identify and address potential issues, from decisions on project viability to what interventions should be included in process simulations and whether gaps exist in an external contamination control strategy. Assessments can also become supporting documents to articulate relevant deciding factors and drive consistency in decision-making. A risk assessment has a beginning, middle, and end. In the beginning, scope and methodology are determined in advance for the assessment at hand. In the middle, the work of performing the risk assessment is done, and risk levels are assigned based on the predefined methodology. At the end, the outcomes of the risk assessment are summarized, along with their implications or identified mitigations.
As you begin gathering inputs, you need to gain knowledge on current controls, pull relevant data, and identify intended controls in cases where a future state is under assessment. There are some common challenges to gathering QRM inputs early in a life cycle, such as lack of clarity, ongoing changes to the planned future state, limited physical access to a space or piece of equipment, and evolving deadlines for decision-making. How do you take the available information and develop a portfolio of risk documentation that meets the requirements of Annex 1?
Option 1: One by One
You could choose to create an individual, discrete assessment for each risk question that emerges: Using one by one, the best tool will be selected, the appropriate team assembled, and a scope set in order to answer the question at hand. This approach will yield a QRM portfolio that has a one-to-one relationship between risk questions or topics and assessments, giving you the ability to check off the list of needed assessments. Some difficulties may be encountered with this strategy. You will be creating scattered sources of knowledge, potentially assessing the same thing multiple times, and creating a cumbersome QRM portfolio to maintain through its life cycle. A summary of these strengths and difficulties is shown in Table 1.
Option 2: Master Assessment
Conversely, you could choose to answer all risk questions within a single master risk assessment. This will provide a centralized source of organizational knowledge and avoid potential discrepancies in how assessments are performed. It will also streamline the risk review process considerably, as it will be the only assessment to review. Lastly, there will be just one methodology on which to train participants and facilitators.
However, crafting criteria that incorporate all QRM needs is a challenge to be considered carefully. To be meaningful, criteria should be more detailed than their functional descriptions. For instance, the interpretation of “unlikely” will differ between users or across risk topics. In drafting likelihood criteria, for example, criteria can specify what each level would mean across different topics that will be assessed. It may also be difficult to identify a single tool that meets all input needs. And even with this master risk assessment, you will have life cycle challenges. Documenting one-off risk-based decision-making in the same document as “health-of-system” risks creating challenges in how to appropriately scope the risk review without rehashing past decisions that were made to support one-time events. See Table 2 for a summary of this approach.
Option 3: Strategic Grouping
The final strategic choice we will explore is to combine risk questions and topics wherever possible, generating as few documents as is practical and keeping similar risk topics together (for example, for a manufacturing process used across multiple products). This approach provides flexibility in the tool selected to examine a risk topic, and you are not creating as dispersed a knowledge base as in the scenario with separate assessments for every topic. Management of the QRM life cycle is also easier. Based on the risk topic and type of decision or strategy it supports, risk review can be planned and executed accordingly. To achieve this strategy, knowledge and understanding are still required. Furthermore, you must decide how to divide up assessments: Should this be done by inputs needed to complete an assessment? By outputs of an assessment or what kinds of decisions will be made based on it? By when information is available to inform it? Thought should be given to find the right size and appropriate scope for these assessments. Table 3 summarizes the strengths and difficulties of this approach.
Carefully considering the ways in which your organization defines the nature of risk assessments will enable tracking of risk assessments, robust risk review processes, and will provide a direct view of the state of control of the processes under assessment. Equally critical is the strategy that an organization takes in developing and maintaining a portfolio of risk assessments. The strategy selected (i.e., one-by one, master assessment, or strategic grouping) will be dependent upon the needs of the organization.
ICH Harmonized Tripartite Guideline, Quality Risk Management Q9, 09November 2005
Understanding the Concept of Formality In Quality Risk Management, Institute of Validation Technology, Kevin O’Donnell, Deidre Tobin, Stephanie Butler, Ghada Haddad, and Donal Kelleher, 20Jul2020
Volume 4, EU Guidelines to Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use. Annex 1, Manufacture of Sterile Medicinal Products, 25Nov2008