an introduction to risk management professional societies
DESCRIPTION
FDA recently endorsed the Risk Management approach described in ICH Q9. I presented this a year ago to ASQ Philadelphia. Still relevant today!TRANSCRIPT
1
An Introduction to Risk Management
Michael D. Kaufer, MBA, MSCGMP Solutions, Inc.
2
Learning Objectives
ICH Q9 What are the basics of Risk? Risk Tools Principles of Risk Management
3
Learning Objective #1
ICH Q9
4
What is ICH Q9?
Developed by the Expert Working Group of ICH for Technical Requirements for Registration of Pharmaceuticals for Human Use
Endorsed by the ICH Steering Committee, Nov. 2005.
Issued as a Guidance document June 2006. Also represents the FDA's current thinking on a topic. Doesn’t create or confer any rights for or on any
company and does not bind FDA or a company. Alternative approaches are acceptable, if the approach
satisfies the requirements of the applicable statutes and regulations.
5
Why Q9?
Risk management practices are inadequate. Effective quality risk management can:
Control potential quality issues Improve decision making Facilitate better and more informed decisions Provide regulators with greater assurance of a
company’s ability to deal with potential risks
6
Risk & the perception of Risk
Risk Management is the systematic use of available information to identify hazards and to estimate the risk.
Different stakeholders perceive risk differently Company Medical Community Individual physicians Who else?
Risk = Probability of harm * Severity of harm * Exposure
7
Figure 1.1: Stakeholders
ThePatient
The FirmThe MedicalCommunity
FDA
HealthcareIndustry
The Firm’s Partners& Investors
PatientAdvocacy Grps.
Society
Patient’s Family
8
Why Q9, continued
Q9 uses a life-cycle approach What is a product life cycle?
Administration of a drug product always entails some risk
Manufacturing a drug product always entails some risk FDA expects firms to manage the risks associated
with manufacturing Product quality should be maintained throughout
the product life cycle
9
Figure 1.2: Drug Product Lifecycle
Phase of FDASubmissions
Phase ofDevelopment
Time Required(Years)
Early research& preclinical
ChemicalSynthesis
PreclinicalTesting &
Pharmacology
Toxicology
5.8 7.4
Phase IClinical
Phase IIClinical
Phase IIIClinical
Supplementaryreporting &
review
1.5
Approval
Supplementalreporting
Phase III(continued)
Phase IVPost-
marketing
NDASubmission
IND Filing30-day wait
10
ICH Q9, continued
Q9 proposes that firms use a “Systematic Approach” consisting of: Formalized policies, procedures, tools & models Support from senior management
What does this entail? CPGM 7356.002 Compliance Program – Drug
Manufacturing Inspections http://www.fda.gov/cder/dmpq/compliance_guide.htm
RMP should be used daily for decision-making!
11
Figure 1.3: Typical Risk Management Process
Initiate Quality RMP
Risk ID
RiskAnalysis
RiskEvaluation
RiskReduction
RiskAcceptance
Result of Quality RMP
ReviewEvents
Acceptable orUnacceptable
RiskAssessment
Risk Control
Risk Review
Risk CommunicationRisk Management Tools
Unacceptable
12
Figure 1.4: FDA’s Approach
Sept. ’04 - Risk-based Method for Prioritizing CGMP Inspections
FDA convened a panel of experts
Brainstorming sessions identified 70 potential risk factors!
Site Risk Potential
Product Process Facility
IntrinsicFactors
1997-2003
RecallHistory
ProcessRisk
Factors
ProcessControls
History ofViolations
InspectionHistory
Est.Production
Output
Type ofEstablish-
ment
13
Learning Objective #2
What are the basics of Risk?
14
What is Risk?
Potential loss Outcomes that make us worse-off Outcomes that are not as good as some other outcome
Chance Likelihood, potential, etc. Probabilistic or Qualitative
Exposure How much of the risk am I exposed to? There’s no exposure, if you don’t take the product! FDA is
concerned about patients’ exposure! Severity
What’s going to happen, if the risk materializes?
15
Risk & Perceptionof Risk
Risk = Probability of harm * Severity of harm This is the definition given in many standards Ignores the exposure factor
Different stakeholders perceive risk differently, i.e., view exposure differently Legal Department Finance Purchasing Manufacturing Packaging QA/QC Project Management
16
Risk Determinants
Control Information Time
Lack of control
Lack of timeLack of information
Figure 1.5: Basic Risk Determinants
17
Risk Determinants, cont.
Lack of control Natural environment Socio-cultural environment Political environment Competitive environment Internal environment Actions of individuals
18
Risk Determinants, cont.
Lack of information In a business environment, what do we need
information about?
Lack of time to: Identify sources of information Gather information Analyze information Evaluate
Current operations Planned operations
Formulate information into meaningful controls
Can we “create” time?
19
Classifying Risk, cont.
Further classification: Pure (insurable) risk Business risk Project risk Operational risk Technical risk Political risk
Life Sciences industry is concerned with these!
20
Adjusting Risk, continued
Adjusting risks: (1) actions that modify the chances of the undesired event
occurring or the overall loss if the event does occur Stolen car Burglary Life sciences?
(2) actions that modify the distribution of consequences Carpooling or using public transit Keeping valuables in a safe deposit box Life sciences?
(3) actions that neither reduce the chance of an event or the associated loss
Buying insurance
21
Learning Objective #3
Risk Tools
22
Risk Models
“Academic” models and studies: MacCrimmon & Wehrung, 1986 Finkel & Golding, 1994 Davies, 1996 Haimes, 1998 Konisky, 1999 Morgan, 2002 Ayub, 2003
Industry standards ISO 14971:2007(E) Medical Devices – Application of risk
management GAMP 4/5 ICH Q9
23
Tools for Risk Management
Cause-&-Effect Analysis
Brainstorming Decision Trees Process Mapping /
Flowcharts
QFD FTA FMEA
FMECA
HACCP
Matrices?
24
Figure 1.6: Cause-and-Effect Diagram for the elements of process validation
Vessel #1
Approved APIs
Approved Excipients
Approved PKG & LBLQC
Pharm Eningeering
Operations
Validation Policies
Validation SOPs
Validation Approach
Manufacturing
Packaging
Surfaces
Air
Controlled Access In Process
Release
Stability
Water
Vessel #2
25
Figure 1.7: Brainstorming how do we clean equipment & facilities?
AutomatedSystem
(Not in-place)
SIP System
Manually
CIP System
Combinationof methods
How do weclean it?
No productresidue
No detergentresidue
No micro-organisms
No dye orflavor
residues
What are the criteriafor clean?
RISK:CLEANING
VALIDATION
Equipment
Facilities
Handtools
IMTE
What needs tobe cleaned? Supppliers
QA
QC Labs
Operations
Who is involved?(Functionally)
26
Figure 1.8: Decision Tree - do I look for another job or start-up my own firm?
YEAR 1 YEAR 2 YEAR 3
$150K/year
$135K/year
Sign with theStart-up?
Look foranother job?
?
Stay with Start-up or leave?
$138K/year
$150K/year
$150K/year+110K cash
?
Partners agreeto buy-back?
?
$142K/year
$150K/year
$150K/year+220K cash
?
27
S tart/E n d P roces s
P roces s S u b rou tin es
D ecis ion P oin t
P roces s A ltern ate P roces s
M an u al O p eration
P roces s
D elay
D ecis ionP oin t
O ff-p ag e P roces s
S tart/E n d P roces s
Buy SmartDraw!- purchased copies print this document without a watermark .
Visit www.smartdraw.com or call 1-800-768-3729.
Figure 1.9Basic Flowchart Shapes
28
Table 1.1 Example of a Matrix(using risk rankings or weightings)
Criteria Factors-to-be-considered Points No. of APIs Score
I. Type of product being developed or transferred
A. Non-sterile solutions 1 1 2 ≥3
B. Non-sterile suspensions 2 1 2 ≥3
C. Semi-solids 3 1 2 ≥3
D. Solid dosage (tablets) 4 1 2 ≥3
E. Solid dosage (capsules) 5 1 2 ≥3
F. Solid dosage (lozenges) 6 1 2 ≥3
G. Drug coated patches 7 1 2 ≥3
H. Terminally sterilized products 8 1 2 ≥3
I. Injectable drug (aseptically produced) 9 1 2 ≥3
J. Injectable drug (aseptically produced and lyophilized) 10 1 2 ≥3
K. Implantable device with drug component(s) 11 1 2 ≥3
Criteria Factors-to-be-considered Points Weight Score
II. Non-API-related changes to components & composition
A. Changes are those that are unlikely to have any detectable impact on formulation quality and performance.
1Multiply by score from Section I
B. Changes are those that could have a significant impact on formulation quality and performance.
2
C. Changes are those that are likely to have a significant impact on formulation quality and performance.
3
29
The Problems with Tools
Relevant examples Medical Device Industry Healthcare Industry
Not everyone knows how to use them Facilitators? SOPs?
Must be adapted to the industry Some are too complex (now) Some have simplified nomenclature
30
Table No. 1.2: Failure Severity Rating
Effect Severity Rating
Criteria
No effect 1 Failure would have no effect on the customer
Slight effect 2 Customer is dissatisfied; still uses product
Moderate effect 4 Customer complains
Significant effect 6 Customer declines further use
Major effect 8 Adverse event
Extreme effect 10 Serious adverse event
31
Table No. 1.4: Failure Occurrence Rating
Occurrence Rating Failure Rate
Criteria
Remote 1 1 in 10,000 Process deviation very unlikely
Very slight 2 1 in 4,000 Very few process deviations
Slight 3 1 in 2,000 Few process deviations
Low 4 1 in 400 Occasional process deviation
Medium 5 1 in 80 Moderate number of process deviations
Moderately high 6 1 in 20 Frequent process deviations
High 7 1 in 10 High number of process deviations
Very high 8 1 in 5 Very high number of process deviations
32
Table No. 1.5: Detection Rating (for failure modes)
Detection Ability
Rating Criteria for Controls in Place
Almost certain 1 Detection is certain; validated on-line PAT controls
Very high 2 Detection is likely; heavy use of inspection between & during process steps (with some automation)
High 3 Detection is very likely; validated lab methods
Moderately high 4 Moderate likelihood of detection; heavy use of inspection during process steps
Medium 5 Medium likelihood of detection; heavy use of inspection between process steps
Low 6 Low likelihood of detection; low usage of inspection and testing; inspections & tests are not optimal
Slight 7 Controls being concurrently validated
Very slight 8 Controls are experimental
Remote 9 Controls not aligned to critical quality attributes
Impossible 10 No controls in place
33
Learning Objective #4
Principles of Risk Management
34
Principles of Risk Management
1. Risk management is a process that occurs throughout a product’s lifecycle Risks change as the product moves through the
life cycle Our level of understanding progresses along a
learning curve The level of control we can achieve varies with
technology Who is privy to risk communication changes
35
Principles of RiskManagement, cont.
2. Safety-by-design is the preferred option for managing risks Is the design inherently safe?
Preclinical studies Clinical studies
Protective measures built into the manufacturing process Manufacturing Packaging
Protective measures built-into the product Can this be done with drug products? Is labeling information all we can do?
36
Principles of RiskManagement, cont.
3. Risk management models & tools must be modified to account for: The patients’ conditions The dosage form Maturity of the firm’s RMS
Can I use RM tools without a RM model?
Maturity of the firm’s QMS Can I use a RMS without a QMS?
The firm’s culture
37
Principles of RiskManagement, cont.
4. Risk management is an iterative process. How often does it need to be done?
Annual Product Review? Change? Deviation Investigations? Project basis? sNDA?
How often it is done dictates what part of the organization does it, and the resources available.
Knowledge is transferable from one product to another
38
Principles of RiskManagement, cont.
5. Top management commitment is critical for effective risk management Without adequate resources, RM is ineffective
RM requires the involvement of trained individuals Each company’s top management must also
establish a policy on how “acceptable” risks will be determined
Can this be done “universally”? RM is a new and evolving process requiring
periodic review & improvement
39
Principles of RiskManagement, cont.
Policies and procedures document the 5 essential questions: Who What When Where How
Training records
What about the output from risk management activities? Where does that get documented? Annual Product Reports? Deviation Investigations? IQ//OQ/PQ? Other?
6. Risk management activities must be documented.
40
Thank you!Thank you!Questions?Questions?
41
Bibliography Akao, Yoji, ed. Quality Function Deployment Integrating Customer Requirements into Product Design ,
Cambridge: Productivity Press, 1990, p. 27. Berry, Ira R. and Nash, Robert A., eds., Pharmaceutical Process Validation, 2nd ed., Marcel Dekker:
New York, 1993. Butler, Shawn A., Fischbeck, Paul, “Multi-Attribute Risk Assessment” Carnegie Mellon University. FDA, Guidance for Industry Q9 Quality Risk Management, GPO, June 2006. FDA, Guidance for Industry Quality Systems Approach to Pharmaceutical CGMP Regulations , GPO,
September 2006. FDA, Risk-Based Method for Prioritizing CGMP Inspections of Pharmaceutical Manufacturing Sites –
A Risk Ranking Model, GPO, September 2004. Frame, J. Davidson, Managing Risk in Organizations A Guide for Managers, Josey-Bass: San
Francisco, 2003. Franceschini, Fiorenzo, Advanced Quality Function Deployment, New York: St. Lucie Press, 2002. Gitlow, Oppenheim & Oppenheim, Quality Management: Tools and Methods for Improvement, 2nd
ed., Irwin: Boston, 1995. Ishikawa, Kaoru, Guide to Quality Control, Quality Resources: White Plains, New York, 1982. ISPE, GAMP 4 Guide Validation of Automated Systems, ISPE: Orlando, Florida, 2001, Appendix M3,
p. 2. MacCrimmon, Kenneth R. and Wehrung, Donald A., Taking Risks the Management of Uncertainty,
The Free Press: New York, 1986. Project Management Institute, A Guide to the Project Management Body of Knowledge, 3rd edition,
Project Management Institute: Newtown Square, Pennsylvania, 2004. Russell, J.P., The Process Auditing Techniques Guide, Quality Press: Milwaukee, Wisconsin, 2003.