Embracing quality risk management: The new paradigm by Tim

Sandle and Madhu Raju Saghee

Originally published by Express Pharma in 2010:

http://www.expresspharmaonline.com/20100930/pharmatechnologyreview02.shtml

Introduction

A current popular aphorism in all regulated pharmaceutical and

biotechnology arenas is the phrase, 'Risk Management.' In general, risks
describe any potential dangers. We are all confronted with risks in our day
to day life, and we all have well-developed skills, known as heuristics,
with which we incessantly assess the various risks and find ways to avoid
them or reduce them the best we can. No matter how we try, the fact is
'risks cannot be avoided' and there is no such thing as 'zero risk'. We Tim Sandle,
Head of
constantly accept and or take risks because accomplishing anything
Microbiology,
necessarily entails risks of all sorts; using any mode of transportation Bio Products
means the risk of accident, falling in love means the risk of heartbreak1. Laboratory, UK
Risk management has always been an intrinsic part of the world of
pharma - with the decisive calculation of benefit-risk for each medicine serving as the
ultimate determinant for drug and patient safety. While the rigorous adherence to drug
safety hasn't changed over the years, there has been a noticeable shift in the approach
to risk management as companies have begun to implement more standardized, formal
processes in light of the new requirements and challenges around drug safety.

Risk management has been successfully employed in various industrial sectors like US
Space industry (NASA), nuclear power industry and automobile industry which benefited
these industries in several areas. But in application, the pharmaceutical sector is still in
its infancy and the utilization of risk assessment techniques to pharmaceutical production
is just beginning and the potential gains are yet to be realised2. At present, the
pharmaceutical industry is juggling with needing to comply with the increasing global
regulatory requirements and legal enforcements, and yet upholding the quality with the
limited resources and cost pressure. So the limited resources must be streamlined and
utilised, where the risks are highest, thus minimising risk to patients while maximising
resource utilisation and efficiencies. In this quandary, risk management can provide
support. It should be made clear that this concept of risk management in principle does
not represent any new development. The new concept is towards more systematic and
formal implementation of quality risk management by driving the existing systems
towards the critical quality attributes which ensures patient safety rather than wasting
the resources and time towards less critical activities. The purpose of risk management
is to focus resources on those areas which are the most important. It ensures a more
science-based decision making process and full utilisation of the resulting advantages.

Madhu Raju Saghee, The use of risk assessment in the pharma industry is both
Corporate Quality an increasingly used tool and an expectation of regulatory
Assurance, Gland
Pharma. He can be
authorities. Risk assessment forms a key component of any
reached at madhu@ risk management programme. Risk analysis and risk
glandpharma.com. evaluation together represent the two fundamental parts of
the risk assessment phase of a risk management process
cycle. The assessment of risk involves either the
quantitative or qualitative determination of one or more risks. Risks are generally
recognised as being related to a situation, event or scenario in which a recognised
hazard may result in harm. Quantitative risk assessment requires a type of calculation.
This is often based upon the magnitude or severity of the risk and the probability that
the risk will occur.
Risk assessment involves identifying risk scenarios either prospectively or
retrospectively. With the former, this involves determining what can go wrong in the
system and all the associated consequences and likelihoods; with the latter this looks at
what has gone wrong and using risk assessment to assess the process, product or
environmental risk and to aid in formulating the appropriate actions to prevent the
incident from re-occurring. Risk analysis is also highly beneficial in that it can also be
used to identify and justify process improvements. Furthermore, the use of risk
assessments can allow manufacturers to explore weaknesses and to construct scientific
and data based rationales.

This drive towards risk based approach has been spurred by three main events

1. The 'Pharmaceutical cGMPS for the 21st century: A Risk Based Approach' initiative by
FDA in 2002

2. Annex 15 to the EU GMP Guide3

3. The ICH Guideline titled Quality Risk management., (ICH Q9)4

(The ICH-Q9 guideline concerning Quality Risk Management in the pharmaceutical field
(active substances and medicinal products) was adopted by the European Union and
PIC/S in Annex 20 of the EU and PIC/S GMP Guides.)

Figure 2: The quality risk management process according

to ICH Q9

Figure 1: The Linkage of various processes where QRM can

be deployed for evaluating patient risk
(Adopted from Presentation by H. Gregg Claycamp, 2006)

The 'Pharmaceutical cGMPS for the 21st century: A Risk Based Approach'
initiative by FDA:
On Aug. 21, 2002, FDA announced a significant new initiative: "Pharmaceutical Current
Good Manufacturing Practices (CGMPs) for the 21st Century: A Risk-Based Approach."
The objective was to enhance and modernise the regulation of pharmaceutical
manufacturing and quality. The methodology was to use risk-based and science-based
approaches for regulatory decision-making throughout the entire life-cycle of a product.
To create a framework that will streamline the quality review of many products, allowing
pharmaceutical organizations to use their valuable resources in a more efficient manner.
This initiative set forth a plan to enhance and modernize FDA's regulations governing
pharmaceutical manufacturing and product quality for human and veterinary drugs and
human biological products.

The objectives were to:

Encourage the early adoption of new technological advances by the

pharmaceutical Industry
Facilitate industry application of modern quality management techniques,
including implementation of quality systems approaches, to all aspects of
pharmaceutical production and quality assurance
Encourage implementation of risk-based approaches that focus both industry and
FDA attention on critical areas
Ensure that regulatory review, compliance, and inspection policies are based on
state-of the-art pharmaceutical science
Enhance the consistency and coordination of FDA's drug quality regulatory
programs, in part, by further integrating enhanced quality systems approaches
into the Agency's business processes and regulatory policies concerning review
and inspection activities

In September 2004, FDA released its final report on achievements and future plans of
the initiative known as the "Pharmaceutical cGMPs for the 21st Century--A Risk-Based
Approach5."

Figure 3: Sub processes in risk management, (Adopted

from Presentation by H. Gregg Claycamp, 2006)
 Figure 4: Continuous improvement strategy facilitated by
ICH Q9

Few Key accomplishments of the council were announced in the 2004 final
report, including:

Adoption of a quality systems model for agency operation, developed under FDA's
Management Council and published in the FDA Staff Manual Guide. The guide
defines the essential quality elements to consider as part of any system that
controls an internal FDA regulatory activity.
Development of a quality systems guidance for cGMP regulation, by which the
final guidance for industry, Quality Systems Approach to Pharmaceutical Current
Good Manufacturing Practice Regulations was released by FDA in September
2006, which is intended to encourage industry to implement the use of quality-
management systems and risk-management principles.
Science based regulation of product quality, As pharmaceutical manufacturing
evolves from an art to a science and engineering based activity, application of
this enhanced science and engineering knowledge in regulatory decision-making,
establishment of specifications, and evaluation of manufacturing processes will
improve the efficiency and effectiveness of both manufacturing and regulatory
decision-making.
Adoption of risk-management principles to enhance the agency's inspection and
enforcement program, which is focused on protecting the public health. For
example, FDA began using a risk-based approach for prioritising inspections. This
approach will help the agency predict where its inspections are likely to achieve
the greatest public health impact etc. A number of guiding principles were
adopted by the FDA as a part of this restructuring program

Annex 15 to the EU GMP Guide

General risk based consideration have been a feature of the European GMP framework
since the inception of the first version of the EU GMP guide in 1989. Annex 15 mandates
the manufacturers to formally evaluate the risk during manufacturing related activities of
validation and change control. Annex 15 is specifically concerned with qualification and
validation activities, and it states that a "risk assessment approach should be used to
determine the scope and extent of validation", and that the likely impact of changes
"should be evaluated, including risk analysis". A lot of work was done in developing a
Quality Risk Management solution designed to facilitate compliance with the risk-based
qualification, validation and change control GMP requirement of the EU by Dr. Kevin
O'Donnell (Market Compliance Manager at the Irish Medicines Board (IMB), Dublin,
Ireland). Readers are advised to refer to the below listed references6.
The ICH guideline titled Quality Risk Management, (ICH Q9):

In November, 2005 the ICH published a guideline Quality Risk Management (numbered
as ICH Q9) which was a significant milestone in the development of quality risk
management activities within pharmaceutical industrial and regulatory activities. ICH Q9
together with ICH Q8 and Q10 is one of the ICH Q-topics that encourage further
development science based and risk based approaches to quality. The ICH Q8, Q9 and
Q10 guidelines have been discussed as a tripartite approach to total quality management
system for the pharmaceutical industry. The inimitability of this guideline meant that it is
applicable to both the industry and to regulators. As per ICH Q9, risk is defined as
"Combination of the probability of occurrence of harm and the severity of that harm".

Two primary principles of quality risk management as per ICH Q9 are:

The evaluation of the risk to quality should be based on scientific knowledge and
ultimately link to the protection of the patient; and
The level of effort, formality and documentation of the quality risk management
process should be commensurate with the level of risk.

Anatomy of ICH Q9:

ICH Q9 is the most comprehensive document which provides principle and framework for
effective implementation of risk management to support science based decision making
which facilitates communication and transparency. The main body of this document
explains the "What?" and its supplemented Annex I gives ideas on the "How?"and Annex
II gives ideas on the "Where?" as shown in Figure 1.

In brief this document highlights: A common language and process, Potential

methodologies for Quality Risk Management, and Where Quality Risk Management can
add value. The model for quality risk management according to ICH Q9 is outlined in the
Figure 2.

This document provides the structure for various risk analysis approaches which is
centered on the fundamental three questions:

1. What might go wrong?

2. What is the likelihood (probability) it will go wrong?

3. What are the consequences (severity)?

There are different levels of processes where risk management be implemented. This
insight sometimes provides difficulties between the involved people discussing different
levels of detail compared to different processes as in Figure 3.

Within ICH Q9, the major risk analysis tools described include FMEA (Failure Mode and
Effects Analysis); FTA (Fault Tree Analysis) and HACCP (Hazard Analysis Critical Control
Points), although there are other approaches (Other approaches include FMECA (Failure
Mode Effect and Criticality Analysis). In addition to the basic FMEA, FMECA includes a
criticality analysis, which is used to chart the probability of failure modes against the
severity of their consequences; HAZOP (Hazard and Operational Studies or Hazard
Operability Analysis) which originated in the Chemistry Industry, this approach considers
that all risks originate from deviations from the agreed process; QMRA (Quantitative
Microbiological Risk Assessment); MPRM (Modular Process Risk Model); SRA (System
Risk Analysis); Method for Limitation of Risks and Risk Profiling.), these tools are
particularly useful in helping to deconstruct the complexity of pharmaceutical operations.
At present, no definitive method exists (and probably, given the variety of
pharmaceutical operations, never will); and the various approaches differ in their
processes as well as the degree of complexity involved. ICH Q9 facilitates continuous
improvement along the entire life cycle as shown in Figure 4.

Other approaches should not be ignored and the reader is encouraged to examine other
risk assessment tools. Computer modeling, for instance, has tremendous potential power
(Tidswell and McGarvey 2, for instance, covers this very well). Outside of FMEA and
HACCP, Fault Tree Analysis (FTA) is used for many equipment operational issues.
However, with FTA (a form of probabilistic risk assessment), is one of the more
sophisticated tools used for risk analysis. It is a 'top-down' approach which looks at any
possible faults that could occur at each stage of the process. The fault is then reviewed
to see how it might occur and the possible root causes determined to prevent the fault
from ever occurring. This is achieved by breaking the process down into different steps.

Regulatory concerns are not only about when quality risk management is performed but
also whether it is integrated into the Quality Systems of an organization. A regulator is
unlikely to be satisfied with an organization that has a totally dedicated risk
management department, which fails to implement risk management practices within
the whole organization. Moreover each department within any organisation should be
using fundamentally identical risk management tools and techniques.

When a risk assessment is presented to an inspector or an auditor, it is likely that the

reviewer will be concerned with whether the risk assessment is traceable to a risk
methodology and that the process is clear, understandable, and that it has been
performed consistently. In this sense, the reviewer will want to understand how the
decisions were made and that the risk (or problem) was defined upfront. With the
question established, the reviewer will also wish to see if the process performed actually
answered the question in a meaningful way using scientific principles. With the process
itself, the reviewer may well want to note if an appropriate multifunctional team was
involved and if appropriate documentation was used. For complex process investigations,
evidence that the team followed the process step-by-step will be required. With the final
conclusion the reviewer will expect to see that the risk has been assessed and action
taken, as well as some action being in place to either prevent future occurrence or to
mitigate the risk7.

The Basics of Risk Assessment

Risk assessment tools and techniques can be applied to every aspect of pharmaceutical
processing. An important part of this application involves an understanding of the
process.

Formal risk approaches normally share four basic concepts, which are listed below:

1) Risk assessment

2) Risk control

3) Risk review

4) Risk communication

With different approaches to risk management there are differences in terminology.

These four steps are interpreted as:
Risk assessment

Risk assessment is the assessment of effects of the incident or scenario (such as a

microbiological contamination event). It involves the use of risk analysis tools and the
evaluation of risk. The object of using these tools is to identify the root cause.

Risk control

Risk control is centered on risk reduction or risk mitigation. This process consists of
corrective actions taken to resolve the incident and preventative actions proposed to
avoid a recurrence of the incident in the future. At some point, risk control will also
involve a consideration of risk acceptance for the measures put in place will ultimately
need to be accepted or rejected.

Risk review

The risk review is the follow up of action items and the final summary and evaluation of
the incident. This should be approved by senior management.

Risk communication

Risk communication discusses the important steps involved in reporting and discussing
the incident. It should also ensure that the appropriate parties are included in resolving
the incident.

Before commencing a risk assessment it is important to define the magnitude and the
scope of the assessment (remaining focused on what is to be achieved); to select the
appropriate team (often an interdisciplinary team is best); selecting and reviewing the
appropriate risk management tool; deciding upon any numerical scale to be used (if any
is applicable) and prioritising the different problems to be addressed. Most approaches
begin by constructing a process map.

The various analytical tools used for conducting risk assessments are similar, in that
they involve:

Constructing diagrams of work flows (these are pictorial representations of a

process designed to break the process down into its constituent steps, this allows
complex processes to be simplified);
Identify hazards (which can be intrinsic, that is specific or inherent to the process
or equipment, or extrinsic, that is factors which are external to the process or
equipment but which might impact upon it). In doing so, this helps to:
Pin-point the areas of greatest risk;
Allow an examination of the potential sources of contamination;
Decide on the most appropriate sample methods;
Help to establish alert and action levels for on-going monitoring and to detect
future risks;
They should be flexible enough to take into account changes to the work process
and any seasonal activities.

In doing so a standard series questions should be asked. For example, when considering
equipment breakdown:

What is the function of the equipment? What are its performance requirements?
How can it fail to fulfill these functions?
What can cause each failure?
 What happens when each failure occurs?
How much does each failure matter? What are its consequences?
What can be done to predict or prevent each failure?
What should be done if a suitable proactive task cannot be found?
If a risk cannot be eliminated then how can it be reduced?
If the risk cannot be reduced then how can it be monitored?

Thus the general approach is to recognise a risk, rate the level of the risk and then set
out a plan to minimise, control and monitor the risk. Subsequent monitoring of the risk
will help to determine, any follow up action.

Advantages and disadvantages of Risk Assessment

There are many advantages of risk assessment equally here are also some
'disadvantages' (or at least pitfalls to be aware of). The advantages of using risk
management methodologies include:

1. The fact that decision making is improved and streamlined.

2. Activities can be prioritised; organizations can concentrate efforts on what will be of

greatest importance to the final product and therefore yield the greatest benefit to the
patient population. This also helps with effective resource allocation.

3. The scientific and data driven nature of risk assessment methodologies significantly
reduces subjectivity.

4. Risk assessment allows the organisation to enhance its credibility with regulatory
agencies.

5. Risk assessment provides one of the means of building quality into an organisation.

As already mentioned there are, however, some disadvantages with risk management
approaches. Although they can be rationalised to a degree and scientific principles are
applied, many of the tools are subjective and rely, to an extent, upon supposition. Often
with a contamination event there can be multiple risks and some of the approaches are
weaker when dealing with multiple risk situations. Additionally some techniques are
especially weak when they are directed to filtering out multiple risk factors, such as
HACCP which works in a relatively linear way. The inclusion of substantiated facts, data
and established scientific principles within risk assessment is paramount. Theoretical
concepts and scientific principles which cannot be substantiated or validated must not be
tolerated within any assessment of risk. With some quantitative risk assessments there
is a danger that qualitative differences between different risks are ignored. To compound
this some assessment tools may drop out important non-quantifiable or inaccessible
information7.

A further weaknesses arises with risk assessment tools still being relatively new within
the pharmaceutical industry, which means there is only a small number of published
case studies on which to draw upon, primarily focusing on HACCP and FMEA.

Conclusion

Nevertheless, with these weaknesses understood the advantages of risk assessment

outweigh the disadvantages. Risk assessment allows processes and equipment to be
designed in ways which are more efficient and safe for users and patients, and risk
assessment allows problems which occur during processing to be addressed so that the
patient can be safeguard and preventative actions formulated to prevent a re-
occurrence. Thus understanding and applying risk assessment is an essential
requirement for 21st Century Pharma. This article presented the underlying principles of
quality risk management. To implement an expedient risk management exercise,
knowledge of these fundamental concepts must be thoroughly understood. The risk
analysis tools for assessment of risk and a framework for implementing quality risk
management and its integration into the existing quality system will be discussed further
in the future issues.

To support the implementation of Quality Risk Management into daily operations for
Regulators and Industry some members of the ICH Q9 Expert Working Group have
prepared a set of slides, ICH Q9 briefing pack available at
http://www.ich.org/cache/html/3158-272-1.html

References:

1. Risk: An Introduction by Jakob Arnoldi, Polity Press, U.K, 2009.

2. Tidswell, E. C.; McGarvey, B. Quantitative risk modelling in aseptic manufacture. PDA

J. Pharm. Sci. Technol. 2006, 60 (5), 267-283.

3. The Rules Governing Medicinal Products in the European Community, Volume IV,
published by the European Commission.

4. Quality Risk Management (ICH Q9), International Conference of Harmonisation of

Technical requirements for Registration of Pharmaceuticals for Human Use, November
9th , 2005, available at www.ich.org

5. Pharmaceutical cGMPS for 21st Century - A Risk Based Approach, Final Report-
September 2004, U.S. Food and Drug Applications

6. O'Donnell, K., Greene, A., A risk management solution designed to facilitate risk-
based qualification, validation & change control activities within GMP and Pharmaceutical
regulatory compliance environments in the EU, Parts I & II, Journal of GXP Compliance,
Vol 10, No.4, July 2006

7. T. Sandle 'Risk Management in Microbiology' in 'Microbiology and Sterility Assurance

in Pharmaceuticals and Medical Devices' edited by Madhu Raju Saghee, Tim Sandle and
Edward Tidswell, 2010, Business Horizons, India

About the Authors:

Madhu Raju Saghee
Madhu Raju Saghee is currently working in Corporate Quality Assurance department of Gland Pharma Limited,
a producer of SVPs. He can be reached at madhu@glandpharma.com

Tim Sandle
Tim Sandle is currently working at the Bio Products Laboratory; U.K. Tim is an honorary consultant with the
School of Pharmacy and Pharmaceutical Sciences, University of Manchester. Tim serves on several national and
international committees relating to pharmaceutical microbiology and cleanroom contamination control
(including the ISO cleanroom standards). Tim has written over eighty book chapters, peer reviewed papers and
technical articles relating to microbiology. He is currently the editor of the Pharmaceutical Microbiology Interest
Group Journal (www.pharmig.blogspot.com). He can be reached at Tim.Sandle@bpl.co.uk