Risk Assessment , Purpose :
Risk Assessment , The objective of carrying out the Risk Assessment is to ensure the potential threats to the product quality/ supply are properly assessed and appropriate control measures are in place.
Risk Assessment , Scope :
This procedure applies for the risk assessment of facilities, utility services, equipment & machinery, warehousing, manufacturing, packaging, testing and transfer of quality products from at XX Pharmaceuticals Limited (Both General and Sterile Block).
Definitions / Abbreviation:
[][]Risk assessment: Risk assessment consists of the identification of product quality risk and evaluation of risks. Quality risk assessments begin with a well-defined problem description or risk question. When the risk in question is well defined, an appropriate risk management tool and the types of information needed to address the risk question will be more readily identifiable.
Responsibilities:
[][]The roles and responsibility is as follows
All concerned department heads
[][]To perform the risk assessment associated in his area in a cross-functional team, including one QA personnel as a mandatory member.
Manager, Quality Assurance
[][]To ensure that proper risk assessment is done if there any potential risk(s) involved in the product quality/ supply.
Head of Quality Assurance
[][]Approval of the SOP.
[][]Implementation of risk assessment procedure
Procedure:
=>Risk assessment: Risk assessment consists of the identification of product quality risk and evaluation of risks. Quality risk assessments begin with a well-defined problem description or risk question. When the risk in question is well defined, an appropriate risk management tool and the types of information needed to address the risk question will be more readily identifiable. As an aid to clearly defining the risk(s) for risk assessment purposes, three fundamental questions are often helpful:
[][]What might go wrong?
=>Output for Question 1: Problem/ Failure descriptions- Cause – Failure mode – Effects
[][]What is the likelihood (probability) it will go wrong?
[][]What are the consequences (severity)?
=>Output for Question 2 & 3: Risk Class, Job/Action Priority, Failure rates, Risk priority number (RPN).
[][]Risk identification: Risk identification is a systematic use of information to identify product quality risk or problem description. Information can include historical data, theoretical analysis, informed opinions, and the concerns of stakeholders.
[][]Risk analysis: Risk analysis is the estimation of the risk associated with the product quality. It is the qualitative or quantitative process of linking the likelihood of occurrence and severity of harms. In some risk management tools, the ability to detect the harm (detectability) also factors in the estimation of risk.
[][]Risk evaluation: Risk evaluation compares the identified and analyzed risk against given risk criteria. Risk evaluations consider the strength of evidence for all three of the fundamental questions.
[][]The output of a risk assessment is either a quantitative estimate of risk or a qualitative description of a range of risk. When risk is expressed quantitatively, a numerical probability is used.
[][]Alternatively, risk can be expressed using qualitative descriptors, such as “high”, “medium”, or “low” (Risk class one, Risk class two or Risk class three) , which should be defined in as much detail as possible.
[][]Sometimes a “risk score” is used to further define descriptors in risk ranking. In quantitative risk assessments, a risk estimate provides the likelihood of a specific consequence, given a set of risk-generating circumstances.
[][]Thus, quantitative risk estimation is useful for one particular consequence at a time.
[][]To access and manage risk the following recognized tools will be applied:
=>Risk ranking and filtering will be applied for qualitative (High, Medium or low) risk analysis.
=>Failure Mode Effect Analysis (FMEA) will be used for quantitative estimate of risk. (Score of RPN).
=>Fish Bone Diagram/ Cause & Effect Diagram Analysis
Procedure for Risk ranking and filtering:
[][]Identify the key stages for the part of the supply chain for which the company has responsibility from material supply through to use of product by patients & customers.
[][]Identify potential threats that could impact the product quality or security at each key stage.
[][]Estimate the consequences both in terms of threats and opportunities may be high, medium or low.
[][]Evaluate the exiting control measures for their effectiveness at controlling the threats.
[][]Determine the risk to product quality associated with each threat.
[][]Establish a plan for the introduction of improved controls (additional control measures) where existing threats are not adequately addressed.
[][]Implement the additional control measures and monitor their effectiveness.
[][]To identify the threats the following points should be considered:
=>Patient : Hazard/ risk to the patient safety, patient compliance.
=>Personnel : Attributes, training, education, competence, communication
=>Equipment : Type, design, condition, capacity, location, installation, operation, maintenance & calibration.
=>Facility : Layout, utilities, maintenance, dedication & hygiene.
=>Methods & Procedures : Checking, content, alterations, distribution, utilization, condition, change control, storage, trends, handling planned & abnormal events.
=>Materials : Identity, status, control, quantity, handling, specification, security arrangements, counterfeiting controls & material condition.
=>Environment : Physical effects of climatic & storage conditions (temperature, time, humidity, rain, air pressure, light, vibration etc.), pest infestation, contamination, and damage due to fire or natural disaster like flood, tornado, earthquake etc.
[][]When threats have been identified and commented upon, the table in Annexure – I should be completed.
[][]A judgment should be made on the severity of the consequences & the probability/ likelihood of the adverse events occurring taking into consideration any current control measures that are in place. Each of this can be “low”, “medium”, or “high”.
[][]Considering the severity and probability/likelihood of the events risk will be expressed Risk class one, Risk class two or Risk class three (or, High risk”, “medium risk”, or “low risk).
[][]Risk filtering will be done considering the Risk class (i.e. Risk class one, Risk class two or Risk class three) and detection of the events. Jobs/ actions will be prioritized as High priority, Medium priority or Low priority.
[][]All the jobs/actions for the changed situation shall be identified with in-depth analysis making sure all the impacted areas and the actions with the documentation requirements are assessed and completion date against all the identified actions are set.
[][]Below are two matrixes for clear understanding.
Procedure for Failure Mode Effect Analysis (FMEA):
[][]Risk in an FMEA evaluation has three components: Severity, Probability and detection/ detectability. The first step in any risk assessment is to define the component of FMEA
[][]Definition of the components of the FMEA are:
[][]Severity: if a failure were to occur, what effect would that failure have on the product quality and on the patient (if any)?
[][]Probability of occurrence: how likely is it for a particular failure to occur?
[][]Detectability (ability to detect): what mechanisms are in place (if any) to detect a failure if it were occur?
[][]Each of the above components requires clear descriptions and a corresponding scale to rank or score the projected impact (i.e. a scale for Severity; a scale for Probability; and a scale for ability to Detect). In addition, a composite score would then need to be calculated (e.g. severity multiplied by Probability multiplied by ability to detect)
[][]Non sequential number (e.g. 1,3,5,7, 9) will be used for probability and detection as the use of non-consecutive numbers allow more distinction between rating (table 2 & table 3) and to put more emphasis on the severity criteria a non-linear scoring scale will be utilized (e.g. 1, 4, 9,16, 25) . Please see table 1 for details.
[][]Table 1: Severity criteria for FMEA
Severity
| Value | Description | Criteria |
|---|---|---|
| 1 | Irrelevant | No impact to product quality and process robustness |
| 4 | Slight | No impact to product quality |
| 9 | Important | Noticeable impact to product quality, but can be recovered by reprocessing |
| 16 | Critical | Definite impact to product quality that may require rework |
| 25 | Disastrous | Batch failure, not recoverable by rework |
Note: Criteria in the above table will be changed based on the subject under assessment
[][]Table 2: Probability criteria for FMEA
Probability
| Value | Description | Criteria |
|---|---|---|
| 1 | An unlikely probability of occurrence | Failure has never been seen in any relevant lab experiments, or scale-up batches yet but it is theoretically possible. |
| 3 | A remote probability of occurrence | Failure only seen once or twice in relevant lab experiments, never in scale-up batches. |
| 5 | An occasional probability of occurrence | Failure potential has been noted in several relevant lab experiments, or at scale-up. If procedures are followed the failure potential is minimal. |
| 7 | A moderate probability of occurrence | Failure potential has been noted in several relevant lab experiments, or at scale-up, in-process control maybe required to avoid failure. |
| 9 | A high probability of occurrence | Failure potential has been noted in several relevant lab experiment, or at scale-up, an active non-standard feedback control loop may be required. |
Note: Criteria in the above table will be changed based on the subject under assessment
[][]Table 3: Detectability criteria for FMEA
Detection
| Value | Description | Criteria |
|---|---|---|
| 1 | High degree of detectability | A: Validated automatic detection system that is a direct measure of failure. B: Two or more manual operated validated detection systems, direct or indirect. (e.g. Control range and IPC) |
| 3 | Good detectability | A: Single manually operated validated detection system that is a direct measure of failure. (e.g. IPC of failure, validated PAT) |
| 5 | Likely to detect | A: Single manually operated validated detection system that is not a direct measure of failure. (e.g. PAT measurements or IPC's not directly linked to failure) |
| 7 | Fair detectability | A: Non validated (manual or automated) detection. (e.g. visual level check, visual inspection of vessels). |
| 9 | Low or no detectability | No ability to detect the failure |
Note: Criteria in the above table will be changed based on the subject under assessment
Risk Scoring Matrix
[][]The composite risk score for each unit operation step is the product of its three individual component ratings: severity, probability, and detection. This composite risk is called a risk priority number (RPN).
RPN = S x P x D (S= Severity; P= Probability & D= Detection)
[][]The RPN number is not absolute and should be considered in context with other factors that influence the product risk outside the scope of this evaluation. The RPN provides a relative priority for taking action – the bigger the RPN, the more important to address the corresponding failure being assessed.
[][]The table in Annexure – III will be used for FMEA. For each formulation component or manufacturing processing step under evaluation, the function of the component or processing step, potential failure mode and effect of the failure mode should be recorded.
[][]A severity score is then assigned. The root cause of the failure is described and a score is assigned to the probability of occurrence of the failure. Controls that are currently in place to detect the failure are listed and a detection score is then assigned.
[][]The RPN number is calculated. The action(s) that need to be taken to reduce or mitigate the risk are listed and individuals or departments responsible for implementing the actions are identified with target dates for completion.
[][]All the actions for the changed situation shall be identified with in-depth analysis making sure all the impacted areas and the actions with the documentation requirements are assessed and completion date against all the identified actions are set.
Fish Bone Diagram/ Cause & Effect Diagram Analysis
[][]The root cause analysis tool used for major or critical deviation, OOS, market complaint to identify quality defect prevention and potential factors causing an overall effect. Each cause or reason for imperfection is a source of variation. Causes are usually grouped into major categories to identify these sources of variation.
Defining “Effect”
[][]The first step in using the fishbone diagram as a problem solving tool is to clearly define your effect, or outcome that you don’t like. This could be a quality issues, not meeting metrics or troubleshooting the introduction of a new process or product line. This becomes the “head” of the diagram. Use butchers paper or a whiteboard to sketch out the fishbones template.
[][]Defining an effect takes a little practice. Make sure it is brief and succinct. Use facts and numbers where possible. Spend a few minutes reflecting on your effect with the team; does everyone agree that the statement defines the problem as fully as possible?
Brainstorming the “Causes”
[][]With your team, we want to add the bones to this diagram, brainstorming all of the possible influencing factors. Each idea needs to be put into a category or branch.
[][]The following probable categories to be assessed the probable causes through brainstorming is also known as 6M as per annexure-IV
=>Man
=>Machine
=>Method
=>Measurement
=>Material
=>Mother Nature
[][]Man/People/Personnel: Everyone involved with the process across the value stream, including support functions Processes / Methods: This defines how the process is performed and the all requirements needed for doing it, including quality procedures, work orders / travelers / work instructions, drawings.
[][]Machines / Equipment: All machines and equipment, needed to accomplish the job, including tools.
[][]Materials: Raw & Packaging materials, purchased parts and sub-assemblies that feed into the end product.
[][]Measurements: defines how have we determined that the outcome is wrong.
[][]Mother Nature: The standard one which turns to wrong or deviation of the standard outcome
[][]As the team suggests possible causes, determine which heading that idea belongs under, jotting it down clearly. Also add another branch, covering “why” that cause would influence the effect we are investigating. Continue until the team runs out of ideas.
[][]If is there any branches of the diagram that are missing, develop into that area further, asking questions; “Is it possible that the environment has affected our problem” too hot, too cold, too wet?
Document Numbering
[][]The unique document numbering for Risk Assessment shall consist of 9 (nine) alpha-neumerical characters, broken down as follows –
=>e.g. RA/XXX/YY
Where,
=>RA is the Risk Assessment
=>/ is separator
[][]XXX is the sequential number starting from 001, 002 & so on for a calendar year which will be further start from 001 for the next year.
=>YY is the last two digits of the year
=>For example; RA/001/YY
=>Here RA means Risk Assessment
=>001 is the sequential number
=>YY represents for the year 20YY
[][]QA shall issue the Risk Assessment document number and maintain the log register (Annexure – II).
Annexure:
Annexure-I: Risk Assessment Table and Action Plan
Annexure-II: Log Register for Risk Assessment
Annexure-III: Risk Assessment Table and Action Plan
Annexure-IV: Fish Bone Diagram Chart