REVIEW ARTICLE Am. J. PharmTech Res.

2018; 8(2) ISSN: 2249-3387

Journal home page: http://www.ajptr.com/

Quality Risk Management: A Review

T. A. Mandhare*, P.R. Khuspe, P. S. Nangare, R. D. Vyavhare
Navsahyadri Institute of Pharmacy, Nasrapur, Pune, Maharashtra-415 213, India

ABSTRACT
In the pharmaceutical industry today, there are some examples of the use of quality risk
management but, they do not represent the full contributions that risk management has to offer.
Quality risk assessment is a process of identification of hazards, analysis and evaluation of the
risks associated with exposure to those hazards. Risk assessment is a main part of quality risk
management process. The evaluation of the risk to quality is based on scientific knowledge,
experience with the process and ultimately links to the safety of the patient. For any
pharmaceutical organization, quality risk management should aim at raising the level of protection
for the patient, by reduction of the risk to which that patient is exposed at the time he/she receives
a drug product. In the present seminar report all the aspects regarding quality, quality risk
assessment and risk management are covered in great detail.
Keywords: quality, risk management, risk assessment, hazards, analysis, evaluation of risks

*Corresponding Author Email: [email protected]

Received 01 March 2018, Accepted 13 March 2018

Please cite this article as: Mandhare TA et al., Quality Risk Management: A Review. American Journal
of PharmTech Research 2018.
Mandhare et. al., Am. J. PharmTech Res. 2018; 8(2) ISSN: 2249-3387

INTRODUCTION
According to ISO8402-1986 standards quality is “the totality of features and characteristics of
product or service that bears its ability to satisfy stated or implied needs”. In manufacturing, a
measure of excellence or state of being free defects, deficiencies and significant variations [1].
According to ISO 31000, risk is the “effect of uncertainty on objectives” and an effect is a positive
or negative deviation from what is expected [2].
A risk is ANYTHING that may affect the achievement of an organization’s objectives. It is the
UNCERTAINTY that surrounds future events and outcomes.
Risk management principles are effectively utilized in many areas of business and government
including finance, insurance, occupational safety, public health, pharmacovigilance, and by
agencies regulating these industries. Although there are some examples of the use of quality risk
management in the pharmaceutical industry today, they are limited and do not represent the full
contributions that risk management has to offer. In addition, the importance of quality systems has
been recognized in the pharmaceutical industry, and it is becoming evident that quality risk
management is a valuable component of an effective quality system.
It is commonly understood that risk is defined as the combination of the probability of occurrence
of harm and the severity of that harm. However, achieving a shared understanding of the
application of risk management among diverse stakeholders is difficult because each stakeholder
might perceive different potential harms, place a different probability on each harm occurring and
attribute different severities to each harm. In relation to pharmaceuticals, although there are a
variety of stakeholders, including patients and medical practitioners as well as government and
industry, the protection of the patient by managing the risk to quality should be considered of
prime importance.
The manufacturing and use of a drug product, including its components, necessarily entail some
degree of risk. The risk to its quality is just one component of the overall risk. It is important to
understand that product quality should be maintained throughout the product lifecycle such that the
attributes that are important to the quality of the drug product remain consistent with those used in
the clinical studies. An effective quality risk management approach can further ensure the high
quality of the drug product to the patient by providing a proactive means to identify and control
potential quality issues during development and manufacturing. In addition, use of quality risk
management can improve the decision making if a quality problem arises. Effective quality risk
management can facilitate better and more informed decisions, can provide regulators with greater

57 www.ajptr.com
Mandhare et. al., Am. J. PharmTech Res. 2018;8(2) ISSN: 2249-3387

assurance of a company’s ability to deal with potential risks, and can beneficially affect the extent
and level of direct regulatory oversight.
The purpose of this document is to offer a systematic approach to quality risk management. It
serves as a foundation or resource document that is independent of, yet supports other ICH Quality
documents and complements existing quality practices, requirements, standards, and guidelines
within the pharmaceutical industry and regulatory environment. It specifically provides guidance
on the principles and some of the tools of quality risk management that can enable more effective
and consistent risk-based decisions, by both regulators and industry, regarding the quality of drug
substances and drug products across the product lifecycle. It is not intended to create any new
expectations beyond the current regulatory requirements.
It is neither always appropriate nor always necessary to use a formal risk management process
(using recognized tools and/or internal procedures, e.g., standard operating procedures). The use of
informal risk management processes (using empirical tools and/or internal procedures) can also be
considered acceptable. Appropriate use of quality risk management can facilitate but does not
obviate industry’s obligation to comply with regulatory requirements and does not replace
[3]
appropriate communications between industry and regulators . Quality and risk management are
complementary and, together, are key components of healthcare governance. Effective risk
management underpins healthcare quality management activity and can result in:
• Better patient care
• Improved public perception and confidence
• Reduction in errors
• Reduction in staff turnover
• Systematic identification of organizational weaknesses
• Improved communication with stakeholders
• Improved performance and effectiveness [9].
SCOPE
a) Quality risk management (QRM) principles can be applied to both MRAs and pharmaceutical
manufacturers and MRAs
• MRAs: systematic and structured planning of reviews and inspections. The submission review
and inspection programmes can also operate in a coordinated and synergistic manner.
• Manufacturers: development, manufacture, distribution of medicines. RM can be an integral
element of organizational culture.
b) Science-based decision-making can be embedded into practice
www.ajptr.com 58
Mandhare et. al., Am. J. PharmTech Res. 2018; 8(2) ISSN: 2249-3387

• MRAs: company decisions easier to scrutinize. Acceptance of residual risks through

understanding the RM decisions involved.
• Manufacturers: quality decisions and filing commitments can be based on science based process
understanding and RM (quality by design). Process control focused on critical attributes.
Uncertainty can be addressed explicitly.
c) Resources can be focused on risks to patients
• MRAs: RM can be used to determine best allocation of inspection resource, both in terms of
product types and for specific areas of focus for a given inspection. This enables the most efficient
and effective scrutiny of the most significant health risks.
Those manufacturers with poor histories of GMP compliance can also be more closely and
frequently evaluated by on-site inspection than those manufacturers with better records.
• Manufacturers: evaluation of quality risk through science-based decisions can be linked
ultimately to protection of the patient. Supports a corporate culture to focus on the patient as a
primary stakeholder in all activities.
d) Restrictive and unnecessary practices can be avoided
• MRAs: regulatory scrutiny adjusted to level of process understanding. Improvement and
innovation by manufacturers is encouraged.
• Manufacturers: instead of having systems designed to inhibit change and minimize business risk,
changes can be managed within a company’s quality management system. Real-time batch release
is feasible. Innovation and the adoption of latest scientific advances in manufacturing and
technology are supported.
e) Communication and transparency are facilitated
• MRAs: facilitated dialogue with pharmaceutical manufacturers and tailoring of the inspection
programme. Improved clarity of a company’s decision-making process and judgement on critical
issues.
• Manufacturers: matrix team approach, stakeholders kept informed via science-based decisions.
Culture of trust and “one-team” mindset with focus on product and patient.
QRM is the overall and continuing process of minimizing risks to product quality throughout its
life-cycle in order to optimize its benefit/risk balance. It is a systematic process for the assessment,
control, communication and review of risks to the quality of the medicinal product.
It can be applied both proactively and retrospectively. QRM should ensure the evaluation of risk to
quality based on scientific knowledge and experience that ultimately links to the protection of the
patient.
59 www.ajptr.com
Mandhare et. al., Am. J. PharmTech Res. 2018;8(2) ISSN: 2249-3387

This guideline will align with the general framework described within other current international
papers on this subject [4].
PRINCIPLES OF QUALITY RISK MANAGEMENT
Four primary principles of QRM are:
• •The evaluation of the risk to quality should be based on scientific knowledge and 3
ultimately link to the protection of the patient;
• QRM should be dynamic, iterative and responsive to change;
• The level of effort, formality and documentation of the QRM process should be
commensurate with the level of risk;
• The capability for continual improvement and enhancement should be embedded in the
QRM process [3].
GENERAL QUALITY RISK MANAGEMENT PROCESS
Quality risk management is a systematic process for the assessment, control, communication and
review of risks to the quality of the drug product across the product lifecycle. A model for quality
risk management is outlined in the diagram (Figure 1). The emphasis on each component of the
framework might differ from case to case but a robust process will incorporate consideration of all
the elements at a level of detail that is commensurate with the specific risk.

www.ajptr.com 60
Mandhare et. al., Am. J. PharmTech Res. 2018; 8(2) ISSN: 2249-3387

Figure 1: Overview of a typical quality risk management process

Decision points are not shown in the diagram above because decisions can occur at any point in the
process. These decisions might be to return to the previous step and seek further information, to
adjust the risk models or even to terminate the risk management process based upon information
that supports such a decision. Note: “unacceptable” in the flowchart does not only refer to
statutory, legislative, or regulatory requirements, but also to indicate that the risk assessment
process should be revisited [4, 5, 6].
RESPONSIBILITIES
Quality risk management activities are usually, but not always, undertaken by interdisciplinary
teams (Assemble a QRM team). When teams are formed, they should include experts from the
appropriate areas (e.g., quality unit, business development, engineering, regulatory affairs,
production operations, sales and marketing, legal, statistics, and clinical) in addition to individuals
who are knowledgeable about the quality risk management process.
Decision makers should

61 www.ajptr.com
Mandhare et. al., Am. J. PharmTech Res. 2018;8(2) ISSN: 2249-3387

• Take responsibility for coordinating quality risk management across various functions and
departments of their organization and
•
Ensure that a quality risk management process is defined, deployed, and reviewed and that
adequate resources are available [4]
INITIATING A QUALITY RISK MANAGEMENT
Quality risk management should include systematic processes designed to coordinate, facilitate
and improve science-based decision making with respect to risk. Possible steps used to initiate and
plan a quality risk management process might include the following:
• Define the problem and/or risk question, including pertinent assumptions identifying the
potential for risk
• Assemble background information and/or data on the potential hazard, harm or human
health impact relevant to the risk assessment
• Identify a leader and critical resources
• Specify a timeline, deliverables, and appropriate level of decision making for the risk
management process [4].
RISK ASSESSMENT
Risk assessment consists of the identification of hazards and the analysis and evaluation of risks
associated with exposure to those hazards (as defined below). Quality risk assessments begin with
a well-defined problem description or risk question. When the risk in question is well defined, an
appropriate risk management tool and the types of information that will address the risk question
will be more readily identifiable. As an aid to clearly defining the risk(s) for risk assessment
purposes, three fundamental questions are often helpful:
1. What might go wrong?
2. What is the likelihood (probability) it will go wrong?
3. What are the consequences (severity)? [5].
Risk Control
Risk control includes decision making to reduce and/or accept risks. The purpose of risk control is
to reduce the risk to an acceptable level. The amount of effort used for risk control should be
proportional to the significance of the risk. Decision makers might use different processes,
including benefit-cost analysis, for understanding the optimal level of risk control.
Risk control might focus on the following questions:
1. Is the risk above an acceptable level?
2. What can be done to reduce or eliminate risks?
www.ajptr.com 62
Mandhare et. al., Am. J. PharmTech Res. 2018; 8(2) ISSN: 2249-3387

3. What is the appropriate balance among benefits, risks and resources?

4. Are new risks introduced as a result of the identified risks being controlled?
Risk reduction focuses on processes for mitigation or avoidance of quality risk when it exceeds a
specified (acceptable) level (see Fig. 1). Risk reduction might include actions taken to mitigate the
severity and probability of harm. Processes that improve the detectability of hazards and quality
risks might also be used as part of a risk control strategy. The implementation of risk reduction
measures can introduce new risks into the system or increase the significance of other existing
risks. Hence, it might be appropriate to revisit the risk assessment to identify and evaluate any
possible change in risk after implementing a risk reduction process.
Risk acceptance is a decision to accept risk. Risk acceptance can be a formal decision to accept
the residual risk or it can be a passive decision in which residual risks are not specified. For some
types of harms, even the best quality risk management practices might not entirely eliminate risk.
In these circumstances, it might be agreed that an appropriate quality risk management strategy has
been applied and that quality risk is reduced to a specified (acceptable) level. This (specified)
acceptable level will depend on many parameters and should be decided on a case-by-case basis [3,
4]
.
Risk Communication
Risk communication is the sharing of information about risk and risk management between the
decision makers and others. Parties can communicate at any stage of the risk management process
(see Fig. 1: dashed arrows). The output/result of the quality risk management process should be
appropriately communicated and documented (see Fig. 1: solid arrows). Communications might
include those among interested parties (e.g., regulators and industry; industry and the patient;
within a company, industry, or regulatory authority). The included information might relate to the
existence, nature, form, probability, severity, acceptability, control, treatment, detectability, or
other aspects of risks to quality. Communication need not be carried out for each and every risk
acceptance. Between the industry and regulatory authorities, communication concerning quality
risk management decisions might be effected through existing channels as specified in regulations
and guidances [3].
Risk Review
Risk management should be an ongoing part of the quality management process. A mechanism to
review or monitor events should be implemented. The output/results of the risk management
process should be reviewed to take into account new knowledge and experience. Once a quality
risk management process has been initiated, that process should continue to be utilized for events
63 www.ajptr.com
Mandhare et. al., Am. J. PharmTech Res. 2018;8(2) ISSN: 2249-3387

that might impact the original quality risk management decision, whether these events are planned
(e.g., results of product review, inspections, audits, change control) or unplanned (e.g., root cause
from failure investigations, recall). The frequency of any review should be based upon the level of
risk. Risk review might include reconsideration of risk acceptance decisions [2, 3].
QUALITY RISK ASSESSMENT
Risk assessment consists of the identification of hazards and the analysis and evaluation of risks
associated with exposure to those hazards (as defined below).
When hazard identification and risk analysis is conducted safety concerns must be distinguished
from quality concerns. An initial assessment should be performed based on an understanding of the
business processes. Understanding can be derived from user requirements, design specifications,
operating procedures, regulatory requirements and known functional areas [7].
The QRM team should list all the hazards that may be reasonably expected to occur at each step
from production, testing and distribution up to the point of use. It should then conduct a hazard
analysis to identify for the QRM plan which hazards are of such a nature that their elimination or
reduction to acceptable levels is essential.
A thorough risk analysis is required to ensure an effective control point. A two-stage risk analysis
is recommended. During the first stage, the team should review the materials, activities,
equipment, storage, distribution and intended use of the product. A list of the hazards (biological,
chemical and physical) which may be introduced, increased or controlled in each step should be
drawn up.
The QRM team should then decide which potential hazards should be addressed in the QRM plan
and what control measures, if any, exist that can be applied for each hazard. If a hazard has been
identified at a step where control is necessary for safety, and no control measure exists at that step
or any other, the product or process should be modified at that step, or at an earlier or later stage, to
include such a control measure. More than one control measure may be required to control a
specific hazard and more than one hazard may be controlled by a specified control measure.
This activity can be facilitated by the use of a decision-tree, which facilitates a logical approach.
The way that a decision-tree is used will depend on the operation concerned, e.g. production,
packing, reprocessing, storage or distribution. Potential hazards in relation to at least the following
should be considered:
• Materials and ingredients;
• Physical characteristics and composition of the product;
• Processing procedures;
www.ajptr.com 64
Mandhare et. al., Am. J. PharmTech Res. 2018; 8(2) ISSN: 2249-3387

• Microbial limits, where applicable;

• Premises;
• Equipment;
• Packaging;
• Sanitation and hygiene;
• Personnel – human error; and
• Risk of explosions.
The output of a risk assessment is either a quantitative estimate of risk (numeric probability) or a
qualitative description of a range of risk (e.g. high/medium/low) and may be related to a risk
matrix .The scoring system and trigger points for mitigating action are subjective so the rationale
for score categorization should be defined in as much detail as possible. If supported by factual
evidence it should be more obvious what mitigating action is required – the mitigating action is as
important as the score assigned. Professional judgment should be used in interpretation of factual
evidence but must be subject to justification.
The expectation of QRM is to assess risks to the medicinal product and patient and then manage
both to an acceptable level. It is appropriate for companies to assess their control systems to
implement the optimum controls to ensure product quality and patient safety. If this can be
achieved in a more cost-effective manner whilst maintaining or reducing risk to the product and
patient then this is acceptable. Inappropriate risk assessment and mitigation in order to achieve cost
savings but which could be to the detriment of the patient must be avoided [4].
Risk identification is a systematic use of information to identify hazards referring to the risk
question or problem description. Information can include historical data, theoretical analysis,
informed opinions, and the concerns of stakeholders. Risk identification addresses the “What
might go wrong?” question, including identifying the possible consequences. This provides the
basis for further steps in the quality risk management process .You will also need to consult a
range of documentation held by your organization. For example:
• Risk registers
• Strategy and policy documents
• Previous assessment reports
• Internal audits, National Audit Office reports or other assurance reporting
• An Information Asset Register (IAR), or similar database, which your organization has
used to map the relationships between its information assets, business use and
technological environment [4, 14].
65 www.ajptr.com
Mandhare et. al., Am. J. PharmTech Res. 2018;8(2) ISSN: 2249-3387

Risk analysis is the estimation of the risk associated with the identified hazards. It is the
qualitative or quantitative process of linking the likelihood of occurrence and severity of harms.
In some risk management tools, the ability to detect the harm (detectability) also factors in the
estimation of risk.
Risk evaluation compares the identified and analyzed risk against given risk criteria. Risk
evaluations consider the strength of evidence for all three of the fundamental questions. In doing
an effective risk assessment, the robustness of the data set is important because it determines the
quality of the output. Revealing assumptions and reasonable sources of uncertainty will enhance
confidence in this output and/or help identify its limitations.
Uncertainty is due to combination of incomplete knowledge about a process and its expected or
unexpected variability. Typical sources of uncertainty include gaps in knowledge, gaps in
pharmaceutical science and process understanding, sources of harm (e.g., failure modes of a
process, sources of variability), and probability of detection of problems. The output of a risk
assessment is either a quantitative estimate of risk or a qualitative description of a range of risk.
When risk is expressed quantitatively, a numerical probability is used. Alternatively, risk can be
expressed using qualitative descriptors, such as “high,” “medium,” or “low,” which should be
defined in as much detail as possible. Sometimes a risk score is used to further define descriptors
in risk ranking. In quantitative risk assessments, a risk estimate provides the likelihood of a
specific consequence, given a set of risk-generating circumstances. Thus, quantitative risk
estimation is useful for one particular consequence at a time. Alternatively, some risk management
tools use a relative risk measure to combine multiple levels of severity and probability into an
overall estimate of relative risk. The intermediate steps within a scoring process can sometimes
employ quantitative risk estimation [5].
How often should the assessment be reviewed?
Risk assessments must be reviewed regularly:
• Every two years as a minimum
• Immediately following a serious incident or where there is reason to suspect it is no longer
valid.
What should be recorded in the written risk assessment?
All risk assessments should consider and record the following:
• Identification of the hazards
• Determination of who might be harmed and how
• Description of existing controls, and whether these adequately control the risk
www.ajptr.com 66
Mandhare et. al., Am. J. PharmTech Res. 2018; 8(2) ISSN: 2249-3387

• Description of additional steps to take (if necessary), in the form of an action plan
• Measures to be taken if things go wrong – an emergency action plan
• Date of the assessment
• Signatures of assessor(s) and workers involved [8, 13].
RISK MANAGEMENT METHODOLOGY
Quality risk management supports a scientific and practical approach to decision making. It
provides documented, transparent, and reproducible methods to accomplish steps of the quality
risk management process based on current knowledge about assessing the probability, severity,
and, sometimes, detectability of the risk. Traditionally, risks to quality have been assessed and
managed in a variety of informal ways (empirical and/or internal procedures) based on, for
example, compilation of observations, trends, and other information. Such approaches continue to
provide useful information that might support topics such as handling of complaints, quality
defects, deviations, and allocation of resources.
In addition, the pharmaceutical industry and regulators can assess and manage risk using
recognized risk management tools and/or internal procedures (e.g., standard operating procedures).
Below is a no exhaustive list of some of these tools:
1. Basic risk management facilitation methods
2. (Flowcharts check sheets, etc.)
3. Failure Mode Effects Analysis (FMEA)
4. Failure Mode, Effects, and Criticality Analysis (FMECA)
5. Fault Tree Analysis (FTA)
6. Hazard Analysis and Critical Control Points (HACCP)
7. Hazard Operability Analysis (HAZOP)
8. Preliminary Hazard Analysis (PHA)
9. Risk ranking and filtering
10. Supporting statistical tools
It might be appropriate to adapt these tools for use in specific areas pertaining to drug substance
and drug product quality. Quality risk management methods and the supporting statistical tools can
be used in combination (e.g., Probabilistic Risk Assessment). Combined use provides flexibility
that can facilitate the application of quality risk management principles. The degree of rigor and
formality of quality risk management should reflect available knowledge and be commensurate
with the complexity and/or criticality of the issue to be addressed. It is important to note that no

67 www.ajptr.com
Mandhare et. al., Am. J. PharmTech Res. 2018;8(2) ISSN: 2249-3387

one tool or set of tools is applicable to every situation in which a quality risk management
procedure is used.
1. Basic Risk Management Facilitation Methods
Some of the simple techniques that are commonly used to structure risk management by
organizing data and facilitating decision making are:
• Flowcharts
• Check Sheets
• Process Mapping
• Cause and Effect Diagrams (also called an Ishikawa diagram or fish bone diagram)
2. Failure Mode Effects Analysis (FMEA)
FMEA provides for an evaluation of potential failure modes for processes and their likely effect on
outcomes and/or product performance. Once failure modes are established, risk reduction can be
used to eliminate, contain, reduce, or control the potential failures. FMEA relies on product and
process understanding. FMEA methodically breaks down the analysis of complex processes into
manageable steps. It is a powerful tool for summarizing the important modes of failure, factors
causing these failures, and the likely effects of these failures.
Potential Areas of Use(s)
FMEA can be used to prioritize risks and monitor the effectiveness of risk control activities.
FMEA can be applied to equipment and facilities and might be used to analyze a manufacturing
operation and its effect on product or process. It identifies elements/operations within the system
that render it vulnerable. The output/results of FMEA can be used as a basis for design or further
analysis or to guide resource deployment.
3. Failure Mode, Effects, and Criticality Analysis (FMECA)
FMEA might be extended to incorporate an investigation of the degree of severity of the
consequences, their respective probabilities of occurrence, and their detectability, thereby
becoming a Failure Mode, Effects, and Criticality Analysis. In order for such an analysis to be
performed, the product or process specifications should be established. FMECA can 2identify
places where additional preventive actions might be appropriate to minimize risks.
Potential Areas of Use(s)
FMECA application in the pharmaceutical industry should mostly be utilized for failures and risks
associated with manufacturing processes; however, it is not limited to this application. The output
of an FMECA is a relative risk “score” for each failure mode, which is used to rank the modes on a
relative risk basis.
www.ajptr.com 68
Mandhare et. al., Am. J. PharmTech Res. 2018; 8(2) ISSN: 2249-3387

4. Fault Tree Analysis (FTA)

The FTA tool is an approach that assumes failure of the functionality of a product or process. This
tool evaluates system (or subsystem) failures one at a time but can combine multiple causes of
failure by identifying causal chains. The results are represented pictorially in the form of a tree of
fault modes. At each level in the tree, combinations of fault modes are described with logical
operators (AND, OR, etc.). FTA relies on the experts’ process understanding to identify causal
factors.
Potential Areas of Use(s)
FTA can be used to establish the pathway to the root cause of the failure. FTA can be used to
investigate complaints or deviations in order to fully understand their root cause and to ensure that
intended improvements will fully resolve the issue and not lead to other issues (i.e. solve one
problem yet cause a different problem). Fault Tree Analysis is an effective tool for evaluating how
multiple factors affect a given issue. The output of an FTA includes a visual representation of
failure modes. It is useful both for risk assessment and in developing monitoring programs.
5. Hazard Analysis and Critical Control Points (HACCP)
HACCP is a systematic, proactive, and preventive tool for assuring product quality, reliability, and
safety .It is a structured approach that applies technical and scientific principles to analyze,
evaluate, prevent, and control the risk or adverse consequence(s) of hazard(s) due to the design,
development, production, and use of products. HACCP consists of the following seven steps:
1. Conduct a hazard analysis and identify preventive measures for each step of the process
2. Determine the critical control points
3. Establish critical limits
4. Establish a system to monitor the critical control points
5. Establish the corrective action to be taken when monitoring indicates that the critical
control points are not in a state of control
6. Establish system to verify that the HACCP system is working effectively
7. Establish a record-keeping system
Potential Areas of Use(s)
HACCP might be used to identify and manage risks associated with physical, chemical, and
biological hazards (including microbiological contamination). HACCP is most useful when
product and process understanding is sufficiently comprehensive to support identification of
critical control points. The output of a HACCP analysis is risk management information that

69 www.ajptr.com
Mandhare et. al., Am. J. PharmTech Res. 2018;8(2) ISSN: 2249-3387

facilitates monitoring of critical points not only in the manufacturing process but also in other
lifecycle phases.
6. Hazard Operability Analysis (HAZOP)
HAZOP is based on a theory that assumes that risk events are caused by deviations from the design
or operating intentions. It is a systematic brainstorming technique for identifying hazards using so-
called guide words. Guide words (e.g., No, More, Other Than, Part of) are applied to relevant
parameters (e.g., contamination, temperature) to help identify potential deviations from normal use
or design intentions. HAZOP often uses a team of people with expertise covering the design of the
process or product and its application.
Potential Areas of Use(s)
HAZOP can be applied to manufacturing processes, including outsourced production and
formulation as well as the upstream suppliers, equipment and facilities for drug substances and
drug products. It has also been used primarily in the pharmaceutical industry for evaluating process
safety hazards. As is the case with HACCP, the output of a HAZOP analysis is a list of critical
operations for risk management. This facilitates regular monitoring of critical points in the
manufacturing process.
7. Preliminary Hazard Analysis (PHA)
PHA is a tool of analysis based on applying prior experience or knowledge of a hazard or failure to
identify future hazards, hazardous situations and events that might cause harm, as well as to
estimate their probability of occurrence for a given activity, facility, product, or system. The tool
consists of:
• The identification of the possibilities that the risk event happens,
• The qualitative evaluation of the extent of possible injury or damage to health that could
result,
• A relative ranking of the hazard using a combination of severity and likelihood of
occurrence, and
• The identification of possible remedial measures
Potential Areas of Use(s)
PHA might be useful when analyzing existing systems or prioritizing hazards where circumstances
prevent a more extensive technique from being used. It can be used for product, process and
facility design as well as to evaluate the types of hazards for the general product type, then the
product class, and finally the specific product. PHA is most commonly used early in the
development of a project when there is little information on design details or operating procedures;
www.ajptr.com 70
Mandhare et. al., Am. J. PharmTech Res. 2018; 8(2) ISSN: 2249-3387

thus, it will often be a precursor to further studies. Typically, hazards identified in the PHA are
further assessed with other risk management tools such as those in this section.
8. Risk Ranking and Filtering
Risk ranking and filtering is a tool for comparing and ranking risks. Risk ranking of complex
systems typically involves evaluation of multiple diverse quantitative and qualitative factors for
each risk. The tool involves breaking down a basic risk question into as many components as
needed to capture factors involved in the risk. These factors are combined into a single relative risk
score that can then be used for ranking risks. “Filters,” in the form of weighting factors or cut-offs
for risk scores, can be used to scale or fit the risk ranking to management or policy objectives.
Potential Areas of Use(s)
Risk ranking and filtering can be used to prioritize manufacturing sites for inspection/audit by
regulators or industry. Risk ranking methods are particularly helpful in situations in which the
portfolio of risks and the underlying consequences to be managed are diverse and difficult to
compare using a single tool. Risk ranking is useful for management to evaluate both quantitatively-
assessed and qualitatively-assessed risks within the same organizational framework.
9. Supporting Statistical Tools
Statistical tools can support and facilitate quality risk management. They can enable effective data
assessment, aid in determining the significance of the data set(s), and facilitate more reliable
decision making. A listing of some of the principal statistical tools commonly used in the
pharmaceutical industry is provided:
 Control charts, for example:
 Acceptance control charts (see ISO 7966)
 Control charts with arithmetic average and warning limits (see ISO 7873)
 Cumulative sum charts (see ISO 7871)
 Shewhart control charts (see ISO 8258)
 Weighted moving average [9, 11, 12].
 Design of experiments (DOE)
 Histograms
 Pareto charts
 Process capability analysis [2, 3, 10].

71 www.ajptr.com
Mandhare et. al., Am. J. PharmTech Res. 2018;8(2) ISSN: 2249-3387

Dissociating approach towards QRM

The implementation of Risk Management will be effective only if this requires a volume of
resources compatible with the possibilities of the organization. Therefore, the approach developed
consists in dissociating the constants from the variables in the policy of Quality Risk Management.
Constants encompass all areas, except products, which are implemented by the organization
including processes, facilities, equipment, personnel; they are indicated in a generic way under
name of “System”;
Variables are given by the specific characteristics of the products manufactured, handled or even
simply harvested by the System; these variables are indicated by “Product”. According to the
approach, Global Risk determination (Rg), as required by the regulatory framework, corresponds
to the risk of manufacturing the considered product in the existing system. The Global Risk (Rg) is
then obtained as a result of the multiplication of the System Risk (Rs) by a modulating factor
called “Product factor” (P) ,then: Rg = Rs x P
This dissociating approach thus proposes to the organization to initially evaluate its systemic risk
(Rs) independently of the products, which are manufactured. The introduction of the product as a
factor (P) avoids reworking all elementary steps for each different product. Moreover, the
dissociating approach makes it possible to define the limits of acceptability of the system and
authorizes the prospective and retrospective analyzes. These limits will be given in specific
documents, called “rational techniques” which will support the decisions of acceptance of the risk
by the Organization. It is interesting to stress that technical rationales could advantageously be
established on recurring questions (such as the prevention of the airborne contaminations, the
performances of cleanings, etc.) to avoid the repetition of specific studies. The integration of the
diagram given with the principle of the dissociating approach led to the establishment of the
complete diagram given below:

www.ajptr.com 72
Mandhare et. al., Am. J. PharmTech Res. 2018; 8(2) ISSN: 2249-3387

Figure 2: Global Risk Management Diagram [6]

Implementation of methodology
Quantification
For its implementation, the example of methodology requires to define the rules of quantification
for the different parameters Severity (S), Frequency (F) and Detectability (D) entering calculation
of the systemic risk (Rs):
 Severity (S):
1. 0; Not addressed explicitly or implicitly by the applicable GMP
2. 1; Addressed by applicable GMP, but without possible impact on the manufactured product
3. 2; Possible impact on the manufactured product but without risk for the patient (end user)
4. 3; Possible impact on the manufactured product and with possible hazard for the patient
(end user)

73 www.ajptr.com
Mandhare et. al., Am. J. PharmTech Res. 2018;8(2) ISSN: 2249-3387

 Frequency (F):
 0; Event intervening with a frequency lower than 10e-6
 1; Accidental event, occurrence exceptional
 2; Frequent but non-systematic event
 3; Event noted each time or almost
 Detectability (D):
 a; Undetectable
 b; Absence of system of detection but detection is still possible by chance
 c; Presence of a single system of detection which is not 100% reliable
 d; System of multiple and independent detection tools or a single system of detection
which is 100% reliable [5,6].
Determination of the systemic risk
Each elementary step for each stage included in these processes is submitted to the system risk
assessment according to a standardized mode as represented in the following form:

www.ajptr.com 74
Mandhare et. al., Am. J. PharmTech Res. 2018; 8(2) ISSN: 2249-3387

Figure 3: Standardized form for an elementary step

The document developed as a database where the selection of a single step loads all data (such as
compiled primary risks) related to that step will facilitate the systematic review and risk
assessment for every activities and every process of the Organization.
Basically, a working group will select the step and recorded data will be loaded.
75 www.ajptr.com
Mandhare et. al., Am. J. PharmTech Res. 2018;8(2) ISSN: 2249-3387

Select Process

Figure 4: Process is selected

Select Sub-Process

Figure 5: Sub-process is selected

www.ajptr.com 76
Mandhare et. al., Am. J. PharmTech Res. 2018; 8(2) ISSN: 2249-3387

Selection of the elementary stage:

The selection of an elementary step will cause the automatic loading of the harmonized primary
risks to which the Organization will add, if necessary, risks specific to its environment:

Figure 6: Elementary step is selected

The blue square is automatically filled out from the database with the harmonized risks; the red
square is dedicated to the specific risks.

77 www.ajptr.com
Mandhare et. al., Am. J. PharmTech Res. 2018;8(2) ISSN: 2249-3387

Figure 7: Primary risks are filled out

Each primary risk is referenced and can be evaluated in an independent way, by definition, it is
agreed that a level of risk R is:
• Low if: 0 =< R < 3
• Moderate if: 3 =< R < 5
• High if: R >= 5
It is also agreed that:
A risk is acceptable if it is low
A risk is also acceptable if it is moderate and detection is certain (D = d)
A risk which is not acceptable is unacceptable.
For a given elementary step, the value of risk associated with this step is the highest S x F value of
the identified/indexed primary risks combined with the value of the factor of experience (N)
according to the definition:
Rs = S x F x N
The values of the risk are discrete values belonging to the explicit series:
[0.0; 1.0; 1.1; 1.2; 2.0; 2.2; 2.4; 3.0; 3.3; 3.6; 4.0; 4.4; 4.8; 6.0; 6.6; 7.2; 9.0; 9.9;10.8].
These values define the zones of acceptance according to the rules given above with:
www.ajptr.com 78
Mandhare et. al., Am. J. PharmTech Res. 2018; 8(2) ISSN: 2249-3387

• In green; the zone of direct acceptance

• In red; the non acceptable zone
• In yellow; the zone subject to condition of detection
Table 1: Acceptance diagram

The highest calculated value of the primary risk for an elementary step is indicated in the upper
part of the form:

Figure 8: Primary Risk [6, 13].

79 www.ajptr.com
Mandhare et. al., Am. J. PharmTech Res. 2018;8(2) ISSN: 2249-3387

N Description
1.0 Existence of documented evidence, established by an independent
entity, proving the ongoing compliance to regulatory requirements
during more than 36 months.
1.1 Existence of documented evidence, established by an independent
entity, proving the ongoing compliance to regulatory requirements
since less than 36 months.
1.2 Absence of documented evidence, established by an independent entity,
proving the compliance to regulatory requirements or existence of a no
addressed non-conformity.

As soon as the section of the primary risks is completed in the form, methodology invites the users
to introduce the implemented measures of risk reduction.

Figure 9: Risk Reduction

www.ajptr.com 80
Mandhare et. al., Am. J. PharmTech Res. 2018; 8(2) ISSN: 2249-3387

Implemented measures of risk reduction are brought for each primary risk. These measures of risk
reduction make it possible to calculate a new value for the parameters S, F, D associated with this
risk and thus establish the value of the residual risk. Ideally, it is expected that measures of risk
reduction is supported by documented evidence quoted within the section “Related references”.

Figure 10: Residual Risk and Final statement

The residual risk consists of e.g.
• Hazards that have been assessed and risks that have been accepted
• Hazards which have been identified but the risks have not been correctly assessed
• Hazards that have not yet been identified
• Hazards which are not yet linked to the patient risk
The global value of the residual risk is calculated according to a principle identical to that used for
the globalized value of the primary risk. It should be noted that the value of the factor of
experience (N) remains the same one for the calculation of the primary and residual risks. The
results obtained for the whole of the elementary steps are then compiled in a synoptic table
according to the model given below:

81 www.ajptr.com
Mandhare et. al., Am. J. PharmTech Res. 2018;8(2) ISSN: 2249-3387

Figure 11: Compilation of elementary step with values of systemic residual risks
This table gives synoptic systemic risk (Rs) [6].
Product factor
Product factor is then assessed for the considered product. Results are presented in a standardized
table as shown below:

www.ajptr.com 82
Mandhare et. al., Am. J. PharmTech Res. 2018; 8(2) ISSN: 2249-3387

Figure 12: Determination of Product factor

The fact of ticking off the boxes corresponding to specificities of the product generates in a
transparent way for the operator a value of Product factor (P).As for the evaluation of the systemic
risk, the computation charts of the factor (P) are organized in databases from which the parameters
of calculation are accessible to the database administrators [6].
Determination of the total risk
The determination of the total risk is obtained by the multiplication of the systemic risk (Rs) by
weighting produced (P).

83 www.ajptr.com
Mandhare et. al., Am. J. PharmTech Res. 2018;8(2) ISSN: 2249-3387

A synoptic table of the risk total for a particular product is then produced with the following
format:

Figure 13: Compilation of elementary steps with values of systemic residual risks and global
risks
This table gives the decisional tool for the acceptability of the global risk [6].
CONCLUSION
Risk management principles are effectively utilized in many areas of business and government
including finance, insurance, occupational safety, public health, pharmacovigilance and by
agencies regulating these industries. Although there are some examples of the use of quality risk
management (QRM) in the pharmaceutical industry today, they are limited and do not represent

www.ajptr.com 84
Mandhare et. al., Am. J. PharmTech Res. 2018; 8(2) ISSN: 2249-3387

the full contributions that risk management has to offer. In addition, the importance of quality
systems has been recognized in the pharmaceutical industry and it is becoming evident that quality
risk management is a valuable component of an effective quality system. In relation to
pharmaceuticals, although there are a variety of stakeholders, including patients and medical
practitioners as well as government and industry, the protection of the patient by managing the risk
to quality should be considered of prime importance. The manufacturing and use of a drug product,
including its components, necessarily entail some degree of risk. The risk to its quality is just one
component of the overall risk. It is important to understand that product quality should be
maintained throughout the product lifecycle such that the attributes that are important to the quality
of the drug product remain consistent with those used in the clinical studies. An effective quality
risk management approach can further ensure the high quality of the drug product to the patient by
providing a proactive means to identify and control potential quality issues during development
and manufacturing. In addition, use of quality risk management can improve the decision making
if a quality problem arises.
The purpose of this document is to offer a systematic approach to QRM. It serves as a foundation
or resource document that is independent of, yet supports other ICH quality documents and
complements existing quality practices, requirements, standards and guidelines within the
pharmaceutical industry and regulatory environment. It specifically provides guidance on the
principles and some of the tools of QRM that can enable more effective and consistent risk-based
decisions, by both regulators and industry, regarding the quality of drug substances and drug
products across the product lifecycle.
Lastly it is concluded that an effective QRM can facilitate better and more informed decisions, can
provide regulators with greater assurance of a company’s ability to deal with potential risks, and
can beneficially affect the extent and level of direct regulatory oversight.
REFERENCES:
1. http//www.businessdictionary.com
2. Praxiom Research Group Limited.ISO31000 Risk Management Audit Tool. 2013.
3. Guidance for Industry.Q9 Quality Risk Management. June 2006; ICH: 1-25.
4. World Health Organisation. WHO Guidelines on Quality Risk Management. Working
document QAS/10.376; August 2010:1-24.
5. M. S .Sodhi, C. S. Tang. International Series in Operations Research & Management
Science 172. © Springer Science + Business Media, LLC 2012:1-21.

85 www.ajptr.com
Mandhare et. al., Am. J. PharmTech Res. 2018;8(2) ISSN: 2249-3387

6. L.Viornery. Quality Risk Management. Implementation of Q9 in Pharmaceutical field an

example of methodology from PIC/S. Pharmaceutical Inspection Cooperation Scheme;
2010:1-30.
7. Kelvin C Martin and Authur (Randy) Perez. The Official Magazine of ISPE.GAMP 5
Quality Risk Management Approach. (Vol.28 No.3); 2008:1-7.
8. Risk Assessment Guidance. Health and safety services. University of Leeds:1-37.
9. Quality and Risk Management Standard. Feidhmeannacht na seirbhi Slainte. Health
Service Executive.2007:1-23.
10. T.Frank, S. Brooks, R. Creekmore, B. Hasselbalch, K. Murray, K. Obeng, et.al…Quality
Risk Management Principles and Industry Case Studies; 2008:1-9.
11. Information and resources. The HSE has a useful guide to risk Assessment; 2008:1-16.
12. Maria POPESCU, Adina DASCALU. Considerations on Integrating Risk and Quality
Management. (Vol.1);2011:1-6.
13. Robin Burgess-Limerick. “Further risk assessment methods” for Hazardous Manual tasks.
Minerals Industry Safety and Health Centre, The University of Queensland, 4072.2011:1-
11.
14. Risk Assessment Handbook. The National Archives (Version 1.2); 2011:1-35.
15. Risk Assessment Program. Quality Assurance Plan. ES/ER/TM-117/R1; 1997:1-49.
16. Process in Risk Assessment. Using the Data Quality Objectives. Office of Environmental
Guidance; 1994:1-2.

AJPTR is
 Peer-reviewed
 bimonthly
 Rapid publication
Submit your manuscript at: [email protected]

www.ajptr.com 86