Embracing quality risk management: The new paradigm by Tim

Sandle and Madhu Raju Saghee

Originally published by Express Pharma in 2010:

http://www.expresspharmaonline.com/20100930/pharmatechnologyreview02.shtml

Introduction

A current popular aphorism in all regulated pharmaceutical and

biotechnology arenas is the phrase, 'Risk Management.' In general, risks

describe any potential dangers. We are all confronted with risks in our day

to day life, and we all have well-developed skills, known as heuristics,

with which we incessantly assess the various risks and find ways to avoid

them or reduce them the best we can. No matter how we try, the fact is

'risks cannot be avoided' and there is no such thing as 'zero risk'. We

constantly accept and or take risks because accomplishing anything

necessarily entails risks of all sorts; using any mode of transportation

means the risk of accident, falling in love means the risk of heartbreak1.

Risk management has always been an intrinsic part of the world of

pharma - with the decisive calculation of benefit-risk for each medicine serving as the

ultimate determinant for drug and patient safety. While the rigorous adherence to drug

safety hasn't changed over the years, there has been a noticeable shift in the approach

to risk management as companies have begun to implement more standardized, formal

processes in light of the new requirements and challenges around drug safety.

Risk management has been successfully employed in various industrial sectors like US

Space industry (NASA), nuclear power industry and automobile industry which benefited

these industries in several areas. But in application, the pharmaceutical sector is still in

its infancy and the utilization of risk assessment techniques to pharmaceutical production

is just beginning and the potential gains are yet to be realised2. At present, the

pharmaceutical industry is juggling with needing to comply with the increasing global

regulatory requirements and legal enforcements, and yet upholding the quality with the

limited resources and cost pressure. So the limited resources must be streamlined and

utilised, where the risks are highest, thus minimising risk to patients while maximising

resource utilisation and efficiencies. In this quandary, risk management can provide

support. It should be made clear that this concept of risk management in principle does

not represent any new development. The new concept is towards more systematic and

formal implementation of quality risk management by driving the existing systems

towards the critical quality attributes which ensures patient safety rather than wasting

the resources and time towards less critical activities. The purpose of risk management

is to focus resources on those areas which are the most important. It ensures a more science-based decision making process and full utilisation of the resulting advantages.

The use of risk assessment in the pharma industry is both

an increasingly used tool and an expectation of regulatory

authorities. Risk assessment forms a key component of any

risk management programme. Risk analysis and risk

evaluation together represent the two fundamental parts of

the risk assessment phase of a risk management process

cycle. The assessment of risk involves either the

quantitative or qualitative determination of one or more risks. Risks are generally

recognised as being related to a situation, event or scenario in which a recognised

hazard may result in harm. Quantitative risk assessment requires a type of calculation.

This is often based upon the magnitude or severity of the risk and the probability that the risk will occur.

Tim Sandle,

Head of Microbiology, Bio Products

Laboratory, UK

Madhu Raju Saghee, Corporate Quality Assurance, Gland Pharma. He can be reached at madhu@ glandpharma.com.

Risk assessment involves identifying risk scenarios either prospectively or

retrospectively. With the former, this involves determining what can go wrong in the

system and all the associated consequences and likelihoods; with the latter this looks at

what has gone wrong and using risk assessment to assess the process, product or

environmental risk and to aid in formulating the appropriate actions to prevent the

incident from re-occurring. Risk analysis is also highly beneficial in that it can also be

used to identify and justify process improvements. Furthermore, the use of risk

assessments can allow manufacturers to explore weaknesses and to construct scientific and data based rationales.

This drive towards risk based approach has been spurred by three main events

1. The 'Pharmaceutical cGMPS for the 21st century: A Risk Based Approach' initiative by FDA in 2002

2. Annex 15 to the EU GMP Guide3

3. The ICH Guideline titled Quality Risk management., (ICH Q9)4

(The ICH-Q9 guideline concerning Quality Risk Management in the pharmaceutical field

(active substances and medicinal products) was adopted by the European Union and

PIC/S in Annex 20 of the EU and PIC/S GMP Guides.)

Figure 2: The quality risk management process according

to ICH Q9

Figure 1: The Linkage of various processes where QRM can

be deployed for evaluating patient risk (Adopted from Presentation by H. Gregg Claycamp, 2006)

The 'Pharmaceutical cGMPS for the 21st century: A Risk Based Approach'

initiative by FDA:

On Aug. 21, 2002, FDA announced a significant new initiative: "Pharmaceutical Current

Good Manufacturing Practices (CGMPs) for the 21st Century: A Risk-Based Approach."

The objective was to enhance and modernise the regulation of pharmaceutical

manufacturing and quality. The methodology was to use risk-based and science-based

approaches for regulatory decision-making throughout the entire life-cycle of a product.

To create a framework that will streamline the quality review of many products, allowing

pharmaceutical organizations to use their valuable resources in a more efficient manner.

This initiative set forth a plan to enhance and modernize FDA's regulations governing

pharmaceutical manufacturing and product quality for human and veterinary drugs and human biological products.

The objectives were to:

Encourage the early adoption of new technological advances by the

pharmaceutical Industry Facilitate industry application of modern quality management techniques,

including implementation of quality systems approaches, to all aspects of

pharmaceutical production and quality assurance Encourage implementation of risk-based approaches that focus both industry and

FDA attention on critical areas Ensure that regulatory review, compliance, and inspection policies are based on

state-of the-art pharmaceutical science Enhance the consistency and coordination of FDA's drug quality regulatory

programs, in part, by further integrating enhanced quality systems approaches

into the Agency's business processes and regulatory policies concerning review

and inspection activities

In September 2004, FDA released its final report on achievements and future plans of

the initiative known as the "Pharmaceutical cGMPs for the 21st Century--A Risk-Based Approach5."

Figure 3: Sub processes in risk management, (Adopted

from Presentation by H. Gregg Claycamp, 2006)

Figure 4: Continuous improvement strategy facilitated by

ICH Q9

Few Key accomplishments of the council were announced in the 2004 final

report, including:

Adoption of a quality systems model for agency operation, developed under FDA's

Management Council and published in the FDA Staff Manual Guide. The guide

defines the essential quality elements to consider as part of any system that

controls an internal FDA regulatory activity. Development of a quality systems guidance for cGMP regulation, by which the

final guidance for industry, Quality Systems Approach to Pharmaceutical Current

Good Manufacturing Practice Regulations was released by FDA in September

2006, which is intended to encourage industry to implement the use of quality-

management systems and risk-management principles. Science based regulation of product quality, As pharmaceutical manufacturing

evolves from an art to a science and engineering based activity, application of

this enhanced science and engineering knowledge in regulatory decision-making,

establishment of specifications, and evaluation of manufacturing processes will

improve the efficiency and effectiveness of both manufacturing and regulatory

decision-making. Adoption of risk-management principles to enhance the agency's inspection and

enforcement program, which is focused on protecting the public health. For

example, FDA began using a risk-based approach for prioritising inspections. This

approach will help the agency predict where its inspections are likely to achieve

the greatest public health impact etc. A number of guiding principles were adopted by the FDA as a part of this restructuring program

Annex 15 to the EU GMP Guide

General risk based consideration have been a feature of the European GMP framework

since the inception of the first version of the EU GMP guide in 1989. Annex 15 mandates

the manufacturers to formally evaluate the risk during manufacturing related activities of

validation and change control. Annex 15 is specifically concerned with qualification and

validation activities, and it states that a "risk assessment approach should be used to

determine the scope and extent of validation", and that the likely impact of changes

"should be evaluated, including risk analysis". A lot of work was done in developing a

Quality Risk Management solution designed to facilitate compliance with the risk-based

qualification, validation and change control GMP requirement of the EU by Dr. Kevin

O'Donnell (Market Compliance Manager at the Irish Medicines Board (IMB), Dublin, Ireland). Readers are advised to refer to the below listed references6.

The ICH guideline titled Quality Risk Management, (ICH Q9):

In November, 2005 the ICH published a guideline Quality Risk Management (numbered

as ICH Q9) which was a significant milestone in the development of quality risk

management activities within pharmaceutical industrial and regulatory activities. ICH Q9

together with ICH Q8 and Q10 is one of the ICH Q-topics that encourage further

development science based and risk based approaches to quality. The ICH Q8, Q9 and

Q10 guidelines have been discussed as a tripartite approach to total quality management

system for the pharmaceutical industry. The inimitability of this guideline meant that it is

applicable to both the industry and to regulators. As per ICH Q9, risk is defined as "Combination of the probability of occurrence of harm and the severity of that harm".

Two primary principles of quality risk management as per ICH Q9 are:

The evaluation of the risk to quality should be based on scientific knowledge and

ultimately link to the protection of the patient; and The level of effort, formality and documentation of the quality risk management

process should be commensurate with the level of risk.

Anatomy of ICH Q9:

ICH Q9 is the most comprehensive document which provides principle and framework for

effective implementation of risk management to support science based decision making

which facilitates communication and transparency. The main body of this document

explains the "What?" and its supplemented Annex I gives ideas on the "How?"and Annex II gives ideas on the "Where?" as shown in Figure 1.

In brief this document highlights: A common language and process, Potential

methodologies for Quality Risk Management, and Where Quality Risk Management can

add value. The model for quality risk management according to ICH Q9 is outlined in the

Figure 2.

This document provides the structure for various risk analysis approaches which is centered on the fundamental three questions:

1. What might go wrong?

2. What is the likelihood (probability) it will go wrong?

3. What are the consequences (severity)?

There are different levels of processes where risk management be implemented. This

insight sometimes provides difficulties between the involved people discussing different levels of detail compared to different processes as in Figure 3.

Within ICH Q9, the major risk analysis tools described include FMEA (Failure Mode and

Effects Analysis); FTA (Fault Tree Analysis) and HACCP (Hazard Analysis Critical Control

Points), although there are other approaches (Other approaches include FMECA (Failure

Mode Effect and Criticality Analysis). In addition to the basic FMEA, FMECA includes a

criticality analysis, which is used to chart the probability of failure modes against the

severity of their consequences; HAZOP (Hazard and Operational Studies or Hazard

Operability Analysis) which originated in the Chemistry Industry, this approach considers

that all risks originate from deviations from the agreed process; QMRA (Quantitative

Microbiological Risk Assessment); MPRM (Modular Process Risk Model); SRA (System

Risk Analysis); Method for Limitation of Risks and Risk Profiling.), these tools are

particularly useful in helping to deconstruct the complexity of pharmaceutical operations.

At present, no definitive method exists (and probably, given the variety of

pharmaceutical operations, never will); and the various approaches differ in their

processes as well as the degree of complexity involved. ICH Q9 facilitates continuous improvement along the entire life cycle as shown in Figure 4.

Other approaches should not be ignored and the reader is encouraged to examine other

risk assessment tools. Computer modeling, for instance, has tremendous potential power

(Tidswell and McGarvey 2, for instance, covers this very well). Outside of FMEA and

HACCP, Fault Tree Analysis (FTA) is used for many equipment operational issues.

However, with FTA (a form of probabilistic risk assessment), is one of the more

sophisticated tools used for risk analysis. It is a 'top-down' approach which looks at any

possible faults that could occur at each stage of the process. The fault is then reviewed

to see how it might occur and the possible root causes determined to prevent the fault from ever occurring. This is achieved by breaking the process down into different steps.

Regulatory concerns are not only about when quality risk management is performed but

also whether it is integrated into the Quality Systems of an organization. A regulator is

unlikely to be satisfied with an organization that has a totally dedicated risk

management department, which fails to implement risk management practices within

the whole organization. Moreover each department within any organisation should be

using fundamentally identical risk management tools and techniques.

When a risk assessment is presented to an inspector or an auditor, it is likely that the

reviewer will be concerned with whether the risk assessment is traceable to a risk

methodology and that the process is clear, understandable, and that it has been

performed consistently. In this sense, the reviewer will want to understand how the

decisions were made and that the risk (or problem) was defined upfront. With the

question established, the reviewer will also wish to see if the process performed actually

answered the question in a meaningful way using scientific principles. With the process

itself, the reviewer may well want to note if an appropriate multifunctional team was

involved and if appropriate documentation was used. For complex process investigations,

evidence that the team followed the process step-by-step will be required. With the final

conclusion the reviewer will expect to see that the risk has been assessed and action

taken, as well as some action being in place to either prevent future occurrence or to mitigate the risk7.

The Basics of Risk Assessment

Risk assessment tools and techniques can be applied to every aspect of pharmaceutical

processing. An important part of this application involves an understanding of the process.

Formal risk approaches normally share four basic concepts, which are listed below:

1) Risk assessment

2) Risk control

3) Risk review

4) Risk communication

With different approaches to risk management there are differences in terminology. These four steps are interpreted as:

Risk assessment

Risk assessment is the assessment of effects of the incident or scenario (such as a

microbiological contamination event). It involves the use of risk analysis tools and the evaluation of risk. The object of using these tools is to identify the root cause.

Risk control

Risk control is centered on risk reduction or risk mitigation. This process consists of

corrective actions taken to resolve the incident and preventative actions proposed to

avoid a recurrence of the incident in the future. At some point, risk control will also

involve a consideration of risk acceptance for the measures put in place will ultimately need to be accepted or rejected.

Risk review

The risk review is the follow up of action items and the final summary and evaluation of

the incident. This should be approved by senior management.

Risk communication

Risk communication discusses the important steps involved in reporting and discussing

the incident. It should also ensure that the appropriate parties are included in resolving the incident.

Before commencing a risk assessment it is important to define the magnitude and the

scope of the assessment (remaining focused on what is to be achieved); to select the

appropriate team (often an interdisciplinary team is best); selecting and reviewing the

appropriate risk management tool; deciding upon any numerical scale to be used (if any

is applicable) and prioritising the different problems to be addressed. Most approaches begin by constructing a process map.

The various analytical tools used for conducting risk assessments are similar, in that

they involve:

Constructing diagrams of work flows (these are pictorial representations of a

process designed to break the process down into its constituent steps, this allows

complex processes to be simplified); Identify hazards (which can be intrinsic, that is specific or inherent to the process

or equipment, or extrinsic, that is factors which are external to the process or

equipment but which might impact upon it). In doing so, this helps to: Pin-point the areas of greatest risk; Allow an examination of the potential sources of contamination; Decide on the most appropriate sample methods; Help to establish alert and action levels for on-going monitoring and to detect

future risks; They should be flexible enough to take into account changes to the work process

and any seasonal activities.

In doing so a standard series questions should be asked. For example, when considering equipment breakdown:

What is the function of the equipment? What are its performance requirements? How can it fail to fulfill these functions? What can cause each failure?

What happens when each failure occurs? How much does each failure matter? What are its consequences? What can be done to predict or prevent each failure? What should be done if a suitable proactive task cannot be found? If a risk cannot be eliminated then how can it be reduced? If the risk cannot be reduced then how can it be monitored?

Thus the general approach is to recognise a risk, rate the level of the risk and then set

out a plan to minimise, control and monitor the risk. Subsequent monitoring of the risk will help to determine, any follow up action.

Advantages and disadvantages of Risk Assessment

There are many advantages of risk assessment equally here are also some

'disadvantages' (or at least pitfalls to be aware of). The advantages of using risk management methodologies include:

1. The fact that decision making is improved and streamlined.

2. Activities can be prioritised; organizations can concentrate efforts on what will be of

greatest importance to the final product and therefore yield the greatest benefit to the

patient population. This also helps with effective resource allocation.

3. The scientific and data driven nature of risk assessment methodologies significantly reduces subjectivity.

4. Risk assessment allows the organisation to enhance its credibility with regulatory agencies.

5. Risk assessment provides one of the means of building quality into an organisation.

As already mentioned there are, however, some disadvantages with risk management

approaches. Although they can be rationalised to a degree and scientific principles are

applied, many of the tools are subjective and rely, to an extent, upon supposition. Often

with a contamination event there can be multiple risks and some of the approaches are

weaker when dealing with multiple risk situations. Additionally some techniques are

especially weak when they are directed to filtering out multiple risk factors, such as

HACCP which works in a relatively linear way. The inclusion of substantiated facts, data

and established scientific principles within risk assessment is paramount. Theoretical

concepts and scientific principles which cannot be substantiated or validated must not be

tolerated within any assessment of risk. With some quantitative risk assessments there

is a danger that qualitative differences between different risks are ignored. To compound

this some assessment tools may drop out important non-quantifiable or inaccessible information7.

A further weaknesses arises with risk assessment tools still being relatively new within

the pharmaceutical industry, which means there is only a small number of published case studies on which to draw upon, primarily focusing on HACCP and FMEA.

Conclusion

Nevertheless, with these weaknesses understood the advantages of risk assessment

outweigh the disadvantages. Risk assessment allows processes and equipment to be

designed in ways which are more efficient and safe for users and patients, and risk

assessment allows problems which occur during processing to be addressed so that the

patient can be safeguard and preventative actions formulated to prevent a re-

occurrence. Thus understanding and applying risk assessment is an essential

requirement for 21st Century Pharma. This article presented the underlying principles of

quality risk management. To implement an expedient risk management exercise,

knowledge of these fundamental concepts must be thoroughly understood. The risk

analysis tools for assessment of risk and a framework for implementing quality risk

management and its integration into the existing quality system will be discussed further in the future issues.

To support the implementation of Quality Risk Management into daily operations for

Regulators and Industry some members of the ICH Q9 Expert Working Group have

prepared a set of slides, ICH Q9 briefing pack available at

http://www.ich.org/cache/html/3158-272-1.html

References:

1. Risk: An Introduction by Jakob Arnoldi, Polity Press, U.K, 2009.

2. Tidswell, E. C.; McGarvey, B. Quantitative risk modelling in aseptic manufacture. PDA J. Pharm. Sci. Technol. 2006, 60 (5), 267-283.

3. The Rules Governing Medicinal Products in the European Community, Volume IV, published by the European Commission.

4. Quality Risk Management (ICH Q9), International Conference of Harmonisation of

Technical requirements for Registration of Pharmaceuticals for Human Use, November

9th , 2005, available at www.ich.org

5. Pharmaceutical cGMPS for 21st Century - A Risk Based Approach, Final Report-

September 2004, U.S. Food and Drug Applications

6. O'Donnell, K., Greene, A., A risk management solution designed to facilitate risk-

based qualification, validation & change control activities within GMP and Pharmaceutical

regulatory compliance environments in the EU, Parts I & II, Journal of GXP Compliance,

Vol 10, No.4, July 2006

7. T. Sandle 'Risk Management in Microbiology' in 'Microbiology and Sterility Assurance

in Pharmaceuticals and Medical Devices' edited by Madhu Raju Saghee, Tim Sandle and Edward Tidswell, 2010, Business Horizons, India

About the Authors: Madhu Raju Saghee Madhu Raju Saghee is currently working in Corporate Quality Assurance department of Gland Pharma Limited, a producer of SVPs. He can be reached at madhu@glandpharma.com

Tim Sandle Tim Sandle is currently working at the Bio Products Laboratory; U.K. Tim is an honorary consultant with the School of Pharmacy and Pharmaceutical Sciences, University of Manchester. Tim serves on several national and international committees relating to pharmaceutical microbiology and cleanroom contamination control (including the ISO cleanroom standards). Tim has written over eighty book chapters, peer reviewed papers and technical articles relating to microbiology. He is currently the editor of the Pharmaceutical Microbiology Interest Group Journal (www.pharmig.blogspot.com). He can be reached at Tim.Sandle@bpl.co.uk