Antonio B. Regadio Jr., BSIP R.Ph.

Regulatory Assistance Manager,

Regworks

Outline Regulatory basis for the risk management plan

Risk Management

Risk Management Plan

What is a Risk Management Plan? "Risk Management Plan" means a set of health product

vigilance activities and interventions designed to identify, characterize, prevent or minimize risks relating to health products, and the assessment of effectiveness of those interventions.

The risk management plan is a requirement for the issuance of the appropriate authorization.

- IRR of RA 9711 Article 1, Book 1 Section 5. Definition of Terms, ll

Why does FDA require your establishment to make RMP? Answer 1 # It is required by law

(l). To require all concerned to implement the risk management plan which is a requirement for the issuance of the appropriate authorization;

Section 2. General Powers and Functions. Article II. A. Food and Drug Administration of IRR of RA 9711

Licensing and Registration Division’s function To mandate, order, review, and implement a Risk Management Plan

on any health product for conformance with the FDA standards;

Article VII, Section 4 (h) of IRR of RA 9711 )

Why does FDA require your establishment to make RMP? Answer 1 # It is required by law all marketing authorization

holders (MAHs) (or CPR Holders) and other concerned stakeholders (DD/DI/DE/DS?) are required to implement an RMP for the issuance of the appropriate authorization

Republic Act No. 9711 Section 5, (k)

“All establishments are required to implement a risk management plan which is a requirement for the issuance of an LTO or other authorization”

- Administrative Order 2014-0034. General Guidelines(D)

all MAH shall establish a PMS system for every product in the market, which shall be translated into a RMP

FDA Circular No. 2013-004

Section V, (2)

Why does FDA require your establishment to make RMP?

Why does FDA require your establishment to make RMP? Answer 1 # It is required by law

Licensing, Inspection and Compliance Division

Sec. 7. Powers and Functions of the Licensing, Inspection" and Compliance Division.

c. To review, evaluate and monitor implementation of Risk Management Plans for conformance with the FDA standards;

IRR of RA 9711

Risk Management Plan

Requirement for the licensing of drug establishments

During initial for new establishments

During renewal for existing establishments

Must always be available for inspection

Administrative Order 2014-0034

Drug

meeting

requirements

Equipment Personnel

Methods Premises

Definition of conditions under which

drugs are manufactured, packed,

tested, held

State of Control: a drug firm is considered

to be operating in a state of

control when it can guarantee

a finished drug product

for which quality, strength

and purity has been

assured throughout production and

that the product is compliant

with its registration

Why does FDA require your establishment to make RMP?

Risk Management

Risk Management is not a New Concept

Risk Management Framework Risk management --

Principles and guidelines ICH Q9 – Quality Risk

Management

Risk Review

R i s

k C

o m

m u n i c

a t i o n

Risk Assessment

Risk Evaluation unacceptable

Risk Control

Risk Analysis

Risk Reduction

Risk Identification

Review Events

Risk

Acceptance

Initiate Quality Risk Management Process

Output / Result of the Quality Risk Management Process

R i s

k M a n

a g e

m e n t t o

o l s

Regulatory Requirement ISO 14971:2007 Medical Devices –

“Application of Risk Management to

Medical Devices”

Note 1: ISO 14971:2007 = EN ISO 14971:2009

Note 2: Conformity to EN ISO 14971:2007 expired on March 21, 2010

ISO 13485:2003 - Medical Devices Quality

Management Systems Requirements for Regulatory Purposes

•Clause 7.1 requires, “…risk management throughout product realization.” –In addition, “Records arising from risk management shall be maintained”.

–The standard cross references ISO 14971 for guidance related to risk management.

•Clause 7.3.2 states that design and development inputs

include risk management outputs

FDA’s Quality System Regulation Requirements for Risk Analysis

Risk Assessment is required as part of design validation

(820.30 (g))

Note : Design Validation is defined as “establishing by objective evidence that device specifications conform with user needs and intended use(s).

Risk Analysis -Intended use and

Id of Char related to safety

of the device

-Id hazards

-Est risk for each

hazardous situation

Risk evaluation

Risk Control -Option analysis

-Implement controls

-Residual risk evaluation

-Risk/benefit analysis

-Risks arising from control

measures

-Completeness of risk control

Ris

k A

sses

smen

t

Evaluation of overall

residual risk

acceptability

Risk Management

Report

Production and

post-production

information

Risk

Man

agem

ent

Adapted from ISO

14971:2007 Figure 1

What Could Go Wrong? What is the Consequence if it Goes Wrong?

What Situation It Could Go Wrong?

Philippines

22

Philippines

PRINCIPLES OF QUALITY RISK MANAGEMENT

The evaluation of the risk to quality should be based on scientific knowledge and ultimately link to the protection of the patient

The level of effort, formality and documentation of the quality risk management process should be commensurate with the level of risk

Philippines

24

Philippines

25

Risks

Product

Process

Establishment

Performing Risk Management Some Tips…

1. Set the Purpose of QRM exercise

2. Assemble the QRM Team

3. Set P, S, & D Criteria

4. Determine Potential

Negative Event

5. Determine the Causes and

Evaluate the Risk

6. Evaluate Detection

7. Risk Control

8. Qualification & Validation

9. Action Items

10. Periodic Risk Review

10 Step Quality Risk

Management Process for

DM

Preparation for RM

State the purpose of risk management exercise

Set the limits of the item under study

Step 1 to Step 2

State any assumptions for RM exercise

e.g. All personnel are trained in SOP.

Reveal documents involved in the item under study

Risk Identification Brainstorming

What could fail in the system/ equipment/process?

What is the consequence/effect of the risks?

What is/are the likely cause of the risks ?

Do simulations

Near miss incidents

Deviation reports

Ask the subject matter experts (operators, WHmen, etc…)

Risk Identification

Determine the cause of the risks

Brainstorming

5 Whys

Fishbone Diagram

Pareto Analysis

Risk Identification

Hazard Assessment

Device Misuse Assessment

Dose response Assessment

Exposure Assessment

What could go wrong?

Risk Identification Tip Beware of “human error” causes for risk?

• Human error tends to be over-used when performing Risk

Management exercises. It offers quick answer, but it can be problematic!

• It usually only addresses the symptoms not the root cause • It blames someone, and this may or may not be the right

person. • TIP: Dig deeper. Ask why did the person conducted an

error which lead to the risk? (Perform 5 Whys?)

What Could Go Wrong? What is the Consequence if it Goes Wrong?

What Situation It Could Go Wrong?

Risk Identification Tip Separate the risk from cause and effect e.g.#1 Priority Risk - Incomplete/poorly managed records will hamper the process of recall Risk Cause Effect Delayed recall Incomplete/poorly Harm to managed records patient e.g.#2 power outage risk? Risk Cause Effect Product degradation Power outage ineffective or toxic product

Risk Analysis Tip Document the Sources of Uncertainty, Assumptions, or Gaps in the Risk Scoring Process may include: • unknown root causes • lack of clarity regarding the effectiveness of an individual

preventive or detection control • pending scientific inquiries (e.g. experiments or studies) • sources of variability within a process that have not been

fully characterized

Risk Evaluation

Probability : 1 (improbable) to 5 (highly probable) Severity : 1 (not severe) to 5 (very severe) Detectability: 1 (very detectable) to 5 (zero detection controls)

Which should be the first one to be controlled? RPN: A=B=C=D=E=F=G=H

Tips for Risk Evaluation

Do not rely only on RPN for Risk Evaluation Go back to Risk = P x S Challenge detectability The team has to formally decide (with justification) if the risk is

adequately controlled, by considering whether the detection controls give assurance that the risk is adequately controlled and that no further controls are required This is in line with the GMP QA principles of building in quality by

design rather than relying on QC test at the final product.

This is why the QRM tool that I’am using is different from GAMP 4, FMEA and FMECA

Risk Evaluation

Probability : 1 (improbable) to 5 (highly probable) Severity : 1 (not severe) to 5 (very severe) Detectability: 1 (very detectable) to 5 (zero detection controls)

RPN: A=B=C=D=E=F=G=H RP: A,C*,E* >B*>G*>D,H,F *challenge detectability

I use qualitative scales to remove the bias from multiplying ordinal numbers

RISK=PxS

Severity Minor Moderate Critical

Pro

bab

ilit

y

High Unacceptable Intolerable Intolerable

Medium Acceptable Unacceptable Intolerable

Low Acceptable Acceptable Unacceptable

Remote Acceptable

Acceptable

Acceptable*

* Acceptable only with Justification

Control the risk to an acceptable level

Risk Control

Risk Control

43

Risk Control Options re-design the process or replace a component

(Remove and Replace Control)

e.g. manual filing CD drive USB E-application

Risk Control Options isolate that part of the process/system so the impact of the

effects of the hazard may be reduced and contained

(Isolation Control)

e.g. isolate Liberia peacekeepers in Caballo island

Put effective procedures and checking activities in place to ensure that unwanted steps and actions are avoided

(Detection Control)

e.g. highlight changes during label re-design

Risk Control Options improve training for operator or staff to ensure compliance

with procedures and policies

(Compliance Control)

e.g. training of operators on the risks to quality of blistering

process

reduce or counteract the effects of the potential negative event

(Redundancy/ Contingency controls)

e.g. schedule of breaks of tableting machine to prevent

melting of tablets due to machine friction

Risk Control Options any fool-proof controls which cannot be by-passed via

human error or the by accidental or deliberate non-compliance with procedures (Poka Yoke controls)

e.g. unique pin index valves for different medical gas

Risk Control Options Controls outside the GMP or GDP environment.

E.g. nurses checks the solutions before injecting to patient

New and Improved Controls Any risk presented by the new component (or changes)

will be assessed and managed.

Check residual risks

New risks can be generated out of the new or

improved controls.

e.g. manual filing vs CD drive / USB / E-application

Risk of lost data, brown-out, computer virus…

Risk and Change Control

Old Status Quo New Status Quo

Regulatory QA

Production Warehouse

Engineering

Quality Control

Clients

…

Say, what you do

Do, what you say

Gain experience

Improve it

Approval

Manufacture

for market

Analyse root cause:

Continuous

improvement

Update

documentation

Risk

Management

Risk of Failure ?

Risk Management is a continuous improvement system

Risk Management Plan

MDM MDT MDD MDI MDS

Product Risks M M C M/C C

Establishment Risks

M M M M M

M - Make C - Compile

Just to Simplify…

Approaches to Risk Management

Proactive Reactive

includes measures employed before occurrence of risks (accidents, failures and incidents)

Examples: HAZOP HACCP FMEA Brainstorming Risk Ranking and Filtering

Examples: Recalls Complaints PV Reports/ ADR Reports Whistle blowing

includes measures employed after occurrence of risks (accidents, failures and incidents)

Proactive Risk Assessment Multidisciplinary team (3-6 members)

1 Risk Management Facilitator (Team Leader)

1 QA and/or Quality Control

1 Subject matter expert (operators, engineers, warehouseman)

Establishment Suggested Frequency Composition

Device Manufacturer Quarterly Inter-/Intra-department Independent research

Device Distributor/Importer

Quarterly Inter-/Intra-department Independent research

Risk Identification;

Risk Control;

Risk Communication;

Risk Monitoring and Management

Evaluation

Medical Device Vigilance System

Risk Management

System

Product Complaints

System

Recall System

Establishment of RMP

Risk Identification

1. Sources of Risks

Internal FDA

deficiencies

Product Compliant

Recall

order

Deviations

Counterfeit Experience Whistle

blowing

Near -miss incidents

Incident reports

Brainstorming

Contributors: Pharmacovigilance, Customer Relations, Regulatory, QA, QC, Risk Management Team, Customers, Patients, FDA…

II. Risk Assessment

1. Sources of Risks

External Product Recall

FDA Advisories

Adverse Event Report

Counterfeit Report

Journals, News,etc…

Contributors: FDA, Media, Other Pharmacovigilance Teams,

Medical Device Vigilance System RM Approach Reactive

Risk Identification ADE/ADR report from patient, Journals, News, Device vigilance Database, Datamining

Risk Control Preventive recall of suspected batch Label Change Warning Letter/Advisories Dispense to Specialists Training of health professionals

Medical Device Vigilance System

Risk Communication Communicate the PV issue to the Manufacturer/Importer Get detailed information and contact details from the complainant (patient, physician, healthcare provider, pharmacist)

Risk Review Review PV issues for the year Review recurring PV issues Check effectivity of CAPA arising from PV

Complaint and Returns System Expectations:

Manufacturers/Traders Distributors/Importers

Receive returns/ complaints Receive returns/complaints

Investigate returns/complaints

Refer complaints/returns to the manufacturer

Issue preventive recall to distributors

Proactively hold the batch under complaint (depending on risk)

Report drug quality defect, possible recall to FDA

Complaint and Returns System RM Approach Reactive

Risk Identification Quality and Safety complaint, returns from patient/physician/customer

Risk Control Preventive recall of complaint batch Provide record of traceability of the complaint batch

Risk Communication Contact Details of Device Distributor/Importer Device Trader Device Manufacturer Patient/Customer/Physician

Preventive recall letter

Risk Review Review of recurring complaints/returns Check effectivity of CAPA arising from complaints/returns

Recall System Expectations:

Manufacturers/Traders Distributors/Importers

Remove the product for sale upon receipt of recall notice

Fast decision and execution of recall of products based on risk

Submit status report to FDA Status report to source

Report companies not complying with recall notice

Store in recalled product in appropriate storage (return or reject area)

Dispose recalled products Dispose recalled products ( for importers)

Consolidate the recalled products

Recall System RM Approach Reactive

Risk Identification Recall notice from Drug establishment or FDA

Risk Control Preventive recall of recalled batch Provide record of traceability of the complaint batch Mock recalls

Risk Communication 24/7 Contact Details of Medical Device Distributor/Importer Medical Device Trader Medical Device Manufacturer Patient/Customer/Physician

Risk Review Review of recurring recalls

Risk Management Plan

Outline I. Introduction

II. Risk Assessment

III. Risk Control

IV. Risk Communication

V. Risk Review, Monitoring and Management Evaluation

VI. References

VII. Appendices

Common Mistakes in QRM Poor understanding of Risk Management Concepts

Conducting risk assessment without consulting the subject matter experts

Unqualified, untrained personnel conducting risk assessments

Not considering all the hazards (unusual events, that will never happen)

Hiding risks

Business priorities over quality and due diligence

Poor risk communication

Quality management as function of time

Consequences

What if

disaster happens?

Nowadays

QR

M

Based on Prof. M. Haller, University St. Gallen, Switzerland

Using QRM

Prior use of QRM may

lower the consequences

What happens to regulatory expectations when things go wrong?

Collaboration is the key to a successful Risk Management Plan

Reference ICH Q9

ISO 14971

ISO 13485

AO 2013-0034

FDA Drug Circular 2014-004

RA 9711

IRR of RA 9711