ra guide 2010

A Guide to Supply Chain Risk Management for the Pharmaceutical and Medical Device Industries and their Suppliers V.1.0 2010 Foreword Structure & Acknowledgements Contents General Introduction Supply Chain Considerations Risk Management Process Risk Management Toolbox Supply Chain Examples Glossary Bibliography © 2010 The Chartered Quality Institute


Post on 09-Nov-2015


    A Guide to Supply Chain Risk Management for the Pharmaceutical and Medical Device Industries and their Suppliers

    V.1.0 2010



    © 2010 The Chartered Quality Institute. All rights reserved. This document may be freely downloaded from the Pharmaceutical Quality Group website at www.pqg.org. The contents of this document should not be sold in whole or in part in any form or by any means. Extracts from this document may be quoted for the purpose of reference or criticism provided full acknowledgement of its source is given. Any other usage of the content of this document requires written permission from The Chartered Quality Institute. The Chartered Quality Institute, 12 Grosvenor Crescent, London SW1X 7EE, UK.


    Foreword

    The provision of medicines and medical devices to the UK is now a global business. Active pharmaceutical ingredients, components and even finished products are sourced from many different countries. The increasingly complex supply chain for these items exposes the limitations of regulatory oversight by any individual country. This serves to reinforce the need for all in the supply chain to understand their role and work to implement and maintain a robust and comprehensive quality system.

    The MHRA has implemented a risk based approach to the inspection of pharmaceutical operations as a key element of its Better Regulation initiative. This approach recognises to a greater degree the ownership of pharmaceutical companies of the quality assurance of their total manufacturing and supply processes. The industry, therefore, is being expected to take overall responsibility for the quality of its output.

    The pressure on the industry to fund research into new products and embrace technological advances while containing costs and maintaining material and component availability is challenging and these days inevitably involves outsourcing to a greater or lesser extent. Risk Management should play a key role in the supplier selection, approval and management process if the quality and continuity of supply of medicines and medical devices is to be assured.

    This PQG Guide provides an important reference text to assist medicinal product and medical device manufacturers and their suppliers understand their respective responsibilities. The examples, in particular, should help each party to understand the expectations of the other. Company assessments will form a key element of the MHRA's assessment of risk and thereby enable regulations to target our resources in co-operation with Industry to further enhance consumer safety.

    Risks are part of life, but it is imperative that processes are in place to identify and manage them in such a way that patients and healthcare professionals can continue to enjoy a reliable supply of safe and effective medicines and medical devices.

    Gerald W Heddell, Director, Inspection, Enforcement & Standards Division, MHRA


    Structure & Acknowledgements

    Basic structure of this Risk Management guide

    This interactive guide comprises a general introduction followed by 4 parts, a glossary and bibliography. It is easy to navigate around the guide using the recurring index which is hyperlinked to the respective topics. In addition there are links within the contents that allow the user to look at related information. There are both internal and external hyperlinks. Internal links allow navigation of information within the guide and external links permit access to external websites and information.

    Part 1 considers specifically the challenges with supply chains and provides an overview of some of the types of controls that can be applied to increase assurance of quality, safety and security of supply.

    Part 2 provides an overview of the Risk Management process and emphasises that this is a living and reiterative process. The stages follow a consistent format: Purpose, Inputs, Process, Outputs.

    Part 3 gives an overview of a number of readily available Risk Management tools and techniques that have been used in many industries, with guidance on their use and some worked examples and / or templates. The format for each tool provides an overview, some advantages and disadvantages, and advisory notes on its use.

    Part 4 provides 19 real-life examples relating to supply chain events. It gives an overview of the scenario and some learning points. The reader may well identify more learning points, and these should serve as a useful tool in order to consider how such events could have been prevented.

    Please Note

    The authors would like to remind the reader that the guidance given here is advisory. It is recommended that users supplement their understanding of Risk Management from some of the publications listed in the Bibliography.


    Note about definitions

    Although the glossary defines certain terms used throughout this guide, it is important to make a special point here about possible confusion over the terms risk, harm and hazard. The definitions of these are taken from International Conference on Harmonisation (ICH) Q9 as follows:

    Risk is defined as:

    The combination of the probability of occurrence of harm and severity of that harm. [ICH Q9]

    Harm is defined as:

    Damage to health, including the damage that can occur from loss of product quality or availability. [ICH Q9]

    Hazard is defined as:

    The potential source of harm. [ICH Q9]

    The first step in the Risk Management process is known widely as Risk Identification. This should actually be Hazard Identification, but for consistency with the ICH Q9 and other international standards the authors have kept it as Risk Identification.

    Specific acknowledgements are given for the contributions of the following people:

    Authors: Jill Jenkins, Justin Ahern, David Cock, Sharon Shutler, Richard Smalley, Sharon Hooper

    QA reviewers: Phil Butson, Tony Harper, Rowland Lewis, Linda Nield, Kevin MacKenzie, James Pink

    PQG Steering Group: Steve Moss, Ashley McCraight, Norman Randall, Ian Richardson

    Contributors: Nina Abbassi, Dr Tim Bateman, Ian Birch, Richard Bream, John Cooper, Annie Dallison, John Evans, Adolfo Ferreira, Mark Francom, Roland Gassmann, Esme Gibb, Peter Gough, Michael Grunow, Gerard McAteer, Stephen Mitchell, David Mogg, Jeff Monk, Iain Moore, Dr Ray Noy, Caroline O'Brien, Kevin O'Donnell, Richard O'Keeffe, Bronwyn Phillips, Patricia Rafidison, Stephan Roenninger, Sandra Routledge, Sandra Skarratt, Neil Smith, Tony Storey, Lorna Third, Tony Trill, Neil Wayman


    Contents

    0 General Introduction

    Part 1 Supply Chain Considerations
    Appendix 1 - Examples of Different Supply Categories and Key Controls

    Part 2 Risk Management Process
    2.1 Risk Management Team and Responsibilities
    2.2 Risk Assessment
    2.2.1 Risk Identification
    2.2.2 Risk Analysis
    2.2.3 Risk Evaluation
    2.3 Risk Control
    2.3.1 Risk Reduction
    2.3.2 Risk Acceptance
    2.4 Risk Communication
    2.5 Risk Review

    Part 3 Risk Management Toolbox
    3.1 Introduction to the Toolbox
    3.2 Approach to Implementation
    3.3 Risk Assessment
    3.3.1 Risk Identification Tools
    3.3.2 Risk Analysis Tools
    3.3.3 Risk Evaluation Tools
    3.4 Risk Control
    3.4.1 Risk Reduction Tools
    3.4.2 Risk Acceptance Tools
    3.5 Risk Communication Tools
    3.6 Risk Review Tools
    Appendix 1 - Worked example: Ranking and Filtering for Contractor Management
    Appendix 2 - Worked example: Medical Device Risk Assessment using a Simplified FMEA
    Appendix 3 - Worked example: Supplier Audit Priority using Risk Assessment

    Part 4 Supply Chain Examples
    4.1 Product Contamination
    4.2 Management of Second Tier Suppliers
    4.3 Verification of Artwork
    4.4 Warehouse Operations & Pest Control
    4.5 Temperature Controlled Transportation
    4.6 Change Control - Process
    4.7 Fraudulent Activities in the Supply Chain
    4.8 Errors in Proof Reading
    4.9 Change Control - Source of Material
    4.10 Implementation of a New Process
    4.11 Multiple uses of a Material
    4.12 High Bioburden
    4.13 Inconsistent Analytical Results
    4.14 Continuity of Supply
    4.15 Lack of Formal Contracts
    4.16 Effect of Global Supply Chains
    4.17 Effect of not knowing all the links in a Transport Chain
    4.18 Raw Material Source of Origin
    4.19 Reuse and Potential Infection

    Glossary

    Bibliography


    General Introduction

    Threats to the supply chain feature in the top ten risks of most companies. Globalisation and the quest for ever more cost effective means of supply have greatly increased the complexity of the supply chain which can often reduce both the knowledge and understanding of the exposure to risk. The 2009 credit crunch and financial crisis significantly raised the level of risk of failure of key suppliers. Within the context of globalisation, outsourcing and complex supply chains, there is an increasing emphasis on controls around product quality assurance and security of supply. It is the responsibility of each organisation to ensure that their suppliers provide products that are fit for purpose throughout the product lifecycle, from design and development through to supply to the end-user.

    The objective of this document is to provide guidance on Supply Chain Risk Management and therefore:

    1. Support organisations with varying levels of experience in Risk Management to apply the principles, by minimising supply chain risk and securing both quality and continuity of supply

    2. Emphasise to the pharmaceutical and medical device industries and their suppliers the need to:
       a. apply Risk Management when making sourcing decisions (from development through to commercial manufacture and distribution)
       b. involve the relevant people (procurement, technical, quality, environment, health and safety, etc.) when making sure that adequate and appropriate controls are in place

    3. Encourage suppliers to:
       a. understand the regulatory requirements and expectations of the pharmaceutical and medical device industries
       b. use Risk Management as a tool to understand their customer needs better
       c. identify potential hazards and the risks arising from those hazards that may exist during the manufacture and supply of product (from raw materials to finished goods)


    Risk Management can help organisations safeguard the quality and supply of product to customers and ultimately the end user. It is about anticipating hazards and controlling risk through an ongoing process of risk awareness, reduction and / or acceptance, and review. This approach can help justify improvement and investment where it is needed, and prevent both potential problems for customers (e.g. product recalls, or even patient harm) and loss of business.

    Applying the principles of Risk Management can provide many of the following benefits:

    improve and develop business relationships between customers and their suppliers, thereby supporting business continuity and security of product supply

    reduce costs

    minimise cost of non-conformance

    improve business efficiency

    increase confidence of customers and regulators

    reduce liability

    increase security of supply

    avoid waste and scrap

    With respect to outsourcing, ISO 9001:2008 states that:

    where an organisation chooses to outsource any process that affects product conformity to requirements, the organisation shall ensure control over such processes; and that the type and extent of control to be applied shall be defined.

    It further states that outsourced processes do not absolve the organisation of the:

    responsibility of conformity to all customer, statutory and regulatory requirements.

    The Medical Device Directive (Directive 93/42/EEC) has been revised (Directive 2007/47/EC), with compliance effective from 21st March 2010. One of the requirements is for organisations to have control over sub-contractors and third parties. It also requires post market surveillance for products already in the market.

    Figure 1 (following page) shows the ISO 9004:2009 process-based model, incorporating continual improvement throughout a lifecycle approach. It shows the importance of information flow between the organisation and its customers and the value in activities that meet customers' needs and expectations.

    The International Conference on Harmonisation (ICH) describes a pharmaceutical quality system (ICH Q10), which importantly extends to the control and review of any outsourced activities and quality of purchased materials. It defines the accountable organisation as being ultimately responsible for ensuring that processes are in place to assure the control of outsourced activities and quality of purchased materials. It requires that these processes incorporate Quality Risk Management as defined in ICH Q9 and includes:

    Assessing (prior to outsourcing operations or selecting material suppliers) the suitability and competence of the other party to carry out the activity or provide the material using a defined supply chain by use of, for example, audits, material evaluations and qualification

    Defining the responsibilities and communication processes for quality-related activities of the involved parties. For outsourced activities, this should be included in a written agreement between the contract giver and contract acceptor

    Monitoring and review of the performance of the contract acceptor or the quality of the material from the provider, and the identification and implementation of any needed improvements

    Monitoring incoming ingredients and materials to ensure they are from approved sources using the agreed supply chain

    This guide to Supply Chain Risk Management does not introduce new concepts; rather it provides guidance on the practical application of existing risk management models to the supply chain. It is consistent with currently developing industry standards and expectations. Supply Chain Risk Management should be an integrated part of the organisation's business and quality management system.


    [Figure 1 image not reproduced. Labels in the figure: Organization's Environment; Interested Parties; Customers; Needs & expectations; Satisfaction; Information flow; Value-adding activities; Product; ISO 9001 and ISO 9004 clause boxes; Continual improvement of the quality management system leading to sustained success; Foundation: Quality management principles (ISO 9000).]

    1 - Figure 1 is taken from BS EN ISO 9004:2009 and reproduced here with permission from BSI. No other use of this material is permitted. The complete British Standard can be purchased from the BSI online shop - BS EN ISO 9004:2009

    Figure 1 An extended model of a process-based quality management system[1]


    This document is based on the pharmaceutical Quality Risk Management model detailed in ICH Q9 in Figure 2 (below), where Risk Management is defined as:

    The systematic application of quality management policies, procedures and practices to the tasks of assessing, controlling, communicating and reviewing risk.

    The level of effort invested will vary from case to case and should be commensurate with the level of risk. Internationally, regulators are incorporating official guidance on Risk Management into their requirements, and have identified the supply chain as an area of criticality.

    Implementing Risk Management

    Risk Management should be an integrated part of any business and for successful implementation the following are key foundations:

    there should be top level management support and commitment

    start simply and avoid complexity

    look at internal and external risks

    follow the cycle several times, learn, evolve and embed in the organisation culture

    Senior management are responsible for ensuring that the key risks to the organisation are properly identified, assessed and managed. Their commitment is required to ensure the risk management framework is viable and maintained, and that valuable resource is invested correctly and not subsequently wasted. Risk Management should not be considered as a one off project or event, but as the implementation of a mutually beneficial culture within and between organisations.

    The risk management development activities should provide a systematic, effective and efficient way by which risk management can be embedded and maintained throughout the organisation. These activities should, as a minimum, comprise the following steps:

    planning

    implementation and maintenance

    monitoring, reviewing and continual improvement

    reporting

    The level of Risk Management awareness will develop with practice and experience. Table 1 (following page) illustrates the progression organisations will make as they gain experience in the use and application of Risk Management.

    [Figure 2 image not reproduced. Labels in the figure: Initiate Quality Risk Management Process; Risk Assessment (Risk Identification, Risk Analysis, Risk Evaluation); Risk Control (Risk Reduction, Risk Acceptance); Output / Result of the Quality Risk Management Process; Risk Review (Review Events); Risk Communication; Risk Management tools; unacceptable.]

    Figure 2 Quality Risk Management Overview (ICH Q9)


    | Risk Maturity Level | Risk Processes | Attitude | Behaviour | Skills & Knowledge |
    |---|---|---|---|---|
    | Scepticism | No Formal Processes | Accidents will happen | Fear of Blame Culture | Unconscious Incompetence |
    | Awareness | Ad hoc use of Stand Alone Processes | Suspended Belief | Reactive, Fire fighting | Conscious Incompetence |
    | Understanding & Application | Tick Box Approach | Passive Acceptance | Compliance, reliance on registers | Conscious Competence |
    | Embedding & Integration | Risk Management embedded in Business | Active Engagement | Risk-based decision making | Unconscious Competence |
    | Robust Risk Management | Regular review & Improvement | Champion | Innovation, Confident & appropriate Risk Management | Expert |

    Table 1 Risk Management Maturity

    The above table is a simple representation of Risk Management maturity. It does not take into account the different functions and their individual involvement with Risk Management. In terms of the level of skills and knowledge in the right hand column, consider the analogy of learning to drive a car:

    unconscious incompetence: person who has not yet got into the driving seat and therefore is not competent to drive nor do they know what is needed.

    conscious incompetence: person has started to learn to drive, is not competent but has some awareness of what they need to do to learn.

    conscious competence: person has learned to drive and passed their test and should be competent and confident to drive.

    unconscious competence: person has been driving for some time and can drive to their destination without having to think about compliance with the road regulations or the mechanics of driving the car, such as changing gear, indicating and choosing the correct lane at junctions.


    Part 1 Supply Chain Considerations

    A general understanding of how supply chains work and how suppliers are managed is required to provide organisations with a basis from which to implement a structured Risk Management process. An effective Risk Management process will protect the continuity of product supply and ensure that end-users receive products that are fit for purpose.

    Media focus on contaminated products, for example heparin supplied from China in 2007, and other supply-related incidents, such as counterfeiting, have emphasised the challenge of managing supply chains that extend around the world, where there is great variation in the standards and controls used. With respect to the heparin issue, the Food and Drug Administration (FDA) in the US investigated reports of serious and some fatal adverse events following the use in products of heparin supplied from China. Distribution was halted and product recalled from the market. The investigation identified that a contaminant molecule similar to heparin was found using a non-routine test. This contaminant was not previously detectable using conventional routine standard test methods, and levels between 5% and 20% were found in the final product. See page 78 for more detail.

    Sourcing new materials and outsourcing manufacturing or other activities for the supply of product to the end-user requires careful evaluation. All parties in the supply chain need to ensure that their activities both support the health and wellbeing of patients and maintain business continuity. This is especially important during times of economic downturn, since cost-saving measures can increase risk.

    Within each supply chain, there is an organisation that is legally accountable. Each competent and regulatory authority ultimately holds one manufacturer primarily responsible for meeting regulatory quality requirements. This accountable organisation (pharmaceutical or medical device) has ultimate responsibility and cannot relinquish or delegate (contractually or otherwise) its obligation and responsibility over any or all functions to their suppliers of products. The accountable organisation is responsible for sourcing suitable suppliers who will support the supply of its product(s) to the market. It is essential that the relevant functions within an organisation such as procurement, technical, development, quality, manufacturing and Environment Health and Safety (EHS) work together to source materials based on agreed and appropriate criteria.


    Competent and regulatory authorities and third parties will assess the accountable organisation to confirm that they have objective evidence of adequate control of their suppliers. The regulators expect that the organisation complies with requirements, which include evaluating and approving their suppliers. There is an expectation to see effective interfaces between the accountable organisation and each of its suppliers. This holds true regardless of the regulatory standard of the industry sector required for the product. Failure to have or to provide access to any objective evidence of the controls associated with products from suppliers could result in the accountable organisation's quality system being non-compliant. Depending on the nature of the deficiencies identified, this can have significant and serious consequences for the organisation and their business continuity.

    Some suppliers may also undergo some form of oversight by a regulatory authority, or a third party acting on behalf of a regulatory authority. This oversight does not absolve an accountable organisation of the responsibility to establish controls and provide evidence for compliance of products obtained from such suppliers.

    Sourcing decisions should be based on agreed, specified requirements appropriate to the following stages of product lifecycle:

    experimental design

    investigational or clinical trial material

    commercialised product

    The rigour with which a supplier is managed does not exempt responsibility of the supplier for the provision of adequate controls and quality of products, wherever they fit in the supply chain hierarchy.

    All suppliers should recognise their role in assuring mutual business continuity and take an ethically responsible approach to the potential impact of their actions or inaction. Feedback and communication is essential between the procuring organisation and its suppliers in terms of requirements, expectations, product end-use, performance measures, health and safety etc.

    Supply chains themselves can be short and simple, or long and convoluted. However, as a result of increasing globalisation and the risks inherent in long and complex supply chains, the regulators are encouraging organisations to keep their supply chains short, simple and under good control. A survey published in 2009 by Carla Reed has shown that increased outsourcing is challenging product safety and security, largely due to the complexity of outsourcing models, and in particular inconsistency in controls at the outsourced facilities. See Reference No. 41

    Figure 3 (below) shows the various functional activities and the supporting services that may be involved in product development and supply. An organisation may choose to outsource part or all of their activities. It is essential that organisations understand how their supply chains and interfaces work. This should apply throughout all phases of the product lifecycle from design and development to routine manufacture, supply and discontinuation.

    [Figure 3 image not reproduced. Labels in the figure: Internal Support Services (examples): Quality, EHS, Engineering, Facilities, IT; Supplied materials / products; Product / Service Design & Development; Manufacturing & Testing; Packaging; Warehouse & Distribution; End user / customer; External Contracted Services, e.g. manufacturing, testing, artwork & origination, packaging, warehousing & distribution, calibration, etc.]

    Figure 3 Example of Functional Activities and Support Services within an Organisation


    Figure 4 (left) illustrates a typical supply chain based upon hierarchical tiers, where suppliers can be far removed from the ultimate end-user and can still potentially have a significant impact. The more complex the supply chain, the more difficult it is to control, and the greater the risk of a supply chain impact on the quality of the end product. Hazards and their associated risks can be present anywhere throughout the supply chain. Risks may be compounded or increased by further processing, thus creating a hazard at a later stage. In the worst case, those hazards may not become apparent until too late, after finished product has been released to the market. For example, there may be an adverse effect on long-term stability. Therefore, it is in the interests of all stakeholders, including regulatory authorities, that hazards are identified and the resultant risks are managed throughout every tier of the supply chain. Good communication between all parties is required to do this effectively.

    Various problems can manifest themselves at any part of the product lifecycle, from the source of raw materials used to manufacture the product through to the compliance of the end-user using the product correctly. Problems in the supply chain can have an impact on products as well as business continuity, product performance and security of supply. In order to protect both the end user and the accountable organisation, it is necessary to identify the potential hazards and assess their resultant risks, before implementing ways to control or mitigate them.

    For the accountable organisation and its suppliers to manage risk effectively, it is worth reflecting that the sources of risk throughout the tiers of supply can be both external and internal to the organisation and its suppliers. Some examples are shown in Table 2 (following page) where the column on the left lists some external risks that can be mitigated through planning and action, leaving only a few that are unknown or outside of the organisation's control. The column on the right identifies some internal risks which can be managed and mitigated.

    Figure 4 - Typical supply chain hierarchy. Diagram labels: Tier 4 suppliers; Tier 3 suppliers; Tier 2 suppliers; Tier 1 suppliers; Supplier A; Supplier B; Supplier C; Supplier D; Brokers / Distributors / Transport companies; Transport / Distribution; Pharmaceutical and Medical Device Industry; Wholesale / retailer / pharmacy; End customer / patient.

  • 15

    The objectives of a global supply chain are to deliver products to the market whilst saving cost, time and resources. This has increased the level of risk and the likelihood of impact from supply chain disruption. The contamination of heparin will have far-reaching ramifications for accountable organisations and the regulators. At the very least it serves as a warning to the industry that nothing can be taken for granted when sourcing materials and outsourcing manufacture or other critical activities. Related examples on page 78 and page 85.

    Medicines and medical device counterfeiting is a growing threat worldwide. It was estimated by the World Health Organisation (WHO) in 2006 to be 30% of total supply in South America, sub-Saharan Africa and India. Regulators have been investigating incidents where batches of counterfeit medicines have reached pharmacies and patients. A number of these have been found at wholesale dealer level. Supply chains can be long and convoluted, involving a number of storage or transit locations and a variety of transport systems. In the UK, MHRA has developed proposals in response to the need to raise standards of practice in some sectors of the supply chain in order to bring all operators up to the required standard. See Reference No. 30

    The European Medicines Agency's (EMEA) GMP / GDP Inspectors Working Group are working on a revision to Chapter 7 of the EU GMP Guide, contract manufacture and analysis. This is in response to a lack of clarity, both within industry and inspectorates, regarding the scope of activities that should fall under this chapter, and what constitutes satisfactory documented arrangements for contracted activities. In addition to manufacturing, packing and analytical activities, this chapter will be relevant to the following:

    artwork generation and print ready material

    assessment and sourcing of starting and packaging materials

    washing and depyrogenation and / or sterilisation of packaging materials used in manufacture

    storage and distribution

    maintenance and calibration of equipment and premises

    qualification and validation work for new premises

    professional services for GMP audits of suppliers

    hosting of IT functions

    document archiving and storage

    External Internal

    Increase / decrease in demand

    Capacity / resources changes

    Fluctuating exchange rates

    Political climate / instability

    Greater exposure to global social, political and financial environments

    Takeovers / mergers

    Legal status (regulatory restrictions in individual markets and of supplier)

    Environmental responsibilities

    Counterfeiting / fraud

    Facility disaster - disaster planning

    Materials, product, service supply interruption

    Termination of materials or services

    Uncontrolled variation in materials

    Unexpected contaminants in supplied product

    Deliberate or accidental adulteration

    Unknown or poorly controlled use of brokers / agents

    Non-conformity

    Rejection of a batch

    Product recall

    Capacity / resource issues

    Reduced inventory

    Cost reduction programmes

    Single sourcing versus dual sourcing

    Inadequate supplier selection / qualification process

    Longer / more complex supply chains

    Complex processes

    Inadequate monitoring process or oversight controls / interface

    Non-conformance with contracts / agreements

    Staying with poorly performing supplier & not progressing improvement or exit strategy

    Inadequate communication

    Facility disaster

    Transportation / storage events

    Lack of technical knowledge

    Personnel / organisational changes

    Lack of adequate documentation control

    Increasing process variability

    Distribution / transportation / storage events

    Inadequate communication

    Lack of adequate documentation control

    Complex processes

    Table 2 - Examples of hazards / events creating risks that are either external or internal to an organisation

  • 16

    High potential risk in complex processes and systems

    National Aeronautics and Space Administration (NASA) defined systems or processes that are time dependent, rigidly ordered, requiring precision, and with only one path to a successful outcome, as being tightly coupled (closely linked). They identified that where such systems or processes are complex and activities closely linked, failures can arise due to many seemingly unconnected events and may go undetected.

    A good example is the control of changes relating to the packaging and artwork of medical products. Such changes can sometimes be highly complex, because inputs can be required from a number of internal and external stakeholder groups prior to implementation. Stakeholders can include manufacturing, marketing, regulatory affairs and printing contractors. Interactions are necessary in order to communicate and schedule product manufacturing activities with the changed packaging or labelling component.

    Complex systems and processes often present high risk for organisations. Many regulatory non-conformities have been identified over recent years in the areas of product packaging and labelling. These were frequently attributed to the poor management of changes in packaging and artwork components, resulting in the cessation of batch release activities in some organisations, and subsequent market shortages of medical products. Investigations revealed that procedures and systems in place for packaging and artwork change control were usually:

    highly convoluted

    had many interdependencies

    subject to tight timelines

    described as being complex and tightly coupled

    Within a single organisation there can be a lack of clarity or understanding of how the whole process works and how different groups are involved or interact in that process. When more organisations are involved this becomes increasingly difficult.

    Decoupling and reducing system complexity can be a useful risk mitigation strategy particularly in critical manufacturing environments and supply chains. Process mapping or flowcharting is a useful tool to use here, and by involving the relevant key stakeholders, a shared understanding of the overall process can help to identify potential hazards particularly across functional interfaces. See Example Flowchart

    Consideration of hazards and their associated risks in the supply chain

    As part of planning activities, the organisation should identify any hazards associated with the products to be procured. Some examples of key questions are as follows:

    is the product off-the-shelf or custom made?

    how complex is the product to manufacture?

    is the process adequately defined and understood?

    what is the criticality of the product to the compliance of the end-product?

    would any product specification failure be detectable by the organisation prior to use?

    what is the detectability of non-conformity in the product supplied and how can it be corrected?

    is packaging, storage and distribution fit for the product characteristics?

    is the supplier currently approved to supply products to the organisation or are they a new supplier?

    what is the percentage of supply to the organisation's business sector?

    Information about potential suppliers should be used to determine additional potential supply and business risks and include the following:

    financial viability of supplier

    continuity of supply

    liability

    amount of work awarded to supplier in view of the supplier's overall capacity

    technical capability

    distribution and transportation considerations

    agents and brokers (potential for agents and brokers to change source of supply)

    capital investment needed

    single source suppliers i.e. vulnerability

    supplier company legal status (licensing)

    ethical / political acceptability

    does the supplier have a disaster / contingency plan for supply?

  • 17

    does the supplier manage their suppliers adequately?

    does the supplier have a culture of continuous improvement?

    The procuring organisation is responsible for communicating and agreeing the product requirements with the supplier. It may request data and / or sample product in order that the potential supplier can demonstrate their ability to meet the specified requirements. When defining initial supplier arrangements, the relevant information should be communicated for consideration. The organisation should ensure that the relevant people are involved in specifying, reviewing and evaluating information and should include as a minimum, technical and quality representatives.

    Consideration of controls for managing the supply chain

    Risk Management is an effective means of identifying the necessary controls required. To do this requires knowledge of the complete supply chain and all the organisations involved within it. Then the activities of the organisations in the supply chain should be reviewed to identify what is critical to the product and what could go wrong.

    In some instances it may be necessary for the organisation to ensure control beyond the first tier supplier due to potentially serious effects of changes made by a second, third or fourth tier supplier; see Figure 4 (page 14). When developing controls, the organisation should ensure that they comply with relevant regulatory requirements such as Good Manufacturing Practices (GMPs), occupational health and safety legislation, environmental protection legislation etc.

    Examples of controls are included in Figure 5 (following page) which is adapted from the Global Harmonisation Task Force's guidance on the control of products and services obtained from suppliers. On the right hand side, under "objective evidence", some of the controls are listed. Reference GHTF Guidance

    The following lists some items that should be considered during sourcing and supply chain review:

    knowledge of the complete supply chain and all organisations within it

    change control and notification from suppliers

    supplier audits or technical visits (note that this requirement should be included in any agreement for a critical supplier)

    control of second or further tier suppliers via specifications or Agreements

    sampling / testing / verification

    Certificates of Analysis / Conformity

    formal requirements (e.g. specific certificates, accreditation, contracts / Technical Agreements etc)

    methods for measuring performance e.g. process capability indices

    correction, reworking, investigations

    batch / lot sizes

    inventory control (First-In-First-Out (FIFO), time limit / target)

    traceability (process, product, equipment, operators)

    Radio Frequency Identification (RFID) or other security tag system

    document / sample retention periods

    protection of intellectual property

    Different categories of supplier and examples of some of the key controls are shown in Appendix 1 of this Part.

    The organisation should seek to continually improve the quality and delivery of products based on periodic supplier performance evaluation, feedback and consideration of cost. It is important to continually review and strengthen relationships with suppliers, while balancing the short and long term objectives. Risk Management activities provide a basis for sharing identified hazards and mitigating the risks resulting from those hazards throughout the product and supplier lifecycle. It demonstrates that all parties are taking a responsible approach in ensuring product quality and safety and security of supply. Auditors or assessors expect organisations to be able to demonstrate that they manage their supply chains effectively and risk management provides the means to do this.

  • 18

    Figure 5 - Guidance on Control of Products during Supplier Lifecycle Management (adapted from GHTF/SG3/N17:2008). The flowchart's text labels are:

    Lifecycle phases: Planning; Supplier selection; Supplier evaluation & finalisation; Performance measurement; Feedback & communication; Supplier exit strategy.

    Process boxes: Describe requirements; Identify technical & process information; Identify potential supplier(s) (existing approved / new); Product / Process Risk Assessment; Identify controls; Corrective Action / Preventive Action by supplier; Feedback and communication; Termination strategy for Supplier; Termination of Product market; Periodic re-evaluation of supplier; Performance measurement; Receive product; Acceptance criteria; Measurement & monitoring; Analyse data; Review audit requirements; Communication with potential supplier(s); Evaluate supplier(s) ability to fulfil specified requirements; Establish: Purchasing information, Controls (acceptance activities, verification etc); Plan for evaluation & selection criteria; Select potential supplier(s); Investigate operational capability of supplier(s); Identify business capability of supplier(s).

    Decision points (YES / NO): Supplier acceptable? Problems identified? Satisfactory performance? Exit strategy? Corrective action required?

    Objective evidence: Product specifications / part requirements, instructions; Potential supplier contact details; Risk Assessment; Product / process controls; Selection criteria for suppliers / rationale; Review existing suppliers; Due diligence / audit report; Supplier capability detail; Purchasing information; Evaluation & selection; Purchasing information; Acceptance & verification activities; Questionnaire / Audit report; Contact / Supply / Technical Quality / Technical Agreement; Decision & rationale; Records of monitoring: supply, receipt, inspection, acceptance; Data analysis; Records of corrections / investigations; Manufacturer &/or supplier correspondence; Records of corrective & preventive action(s); Change control notification / approval; Review impact on other products supplied; Archive data & documents; Product left in marked support; Continuity arrangements and reiteration of cycle if replacement supplier.

  • 19

    Appendix 1 - Examples of Supply Categories & Key Controls

    All suppliers should have an effective quality management system in place that is, where appropriate, certified to ISO 9001:2008, ISO 13485, or relevant industry standards e.g. ICH Q10.

    Suppliers should have their own appropriate assessments in place to manage their supply chains.

    The level of requirement depends on the level of potential risk to the product (criticality).

    Supply Category | Additional examples of key requirements for Suppliers

    Manufacturers of Active Pharmaceutical Ingredients (API)

    Controls in place to meet requirements of EU GMP Guide part 2 or ICH Q7A, and Active Pharmaceutical Ingredient Council (APIC) recommendations.

    Quality / Technical Agreement to define roles & responsibilities of each party (contract giver / contract acceptor).

    Adequate product testing performed to confirm compliance with customer and where appropriate pharmacopoeial specifications.

    Cross-contamination control precautions in place e.g. use of dedicated manufacturing equipment or effective cleaning verification of non-dedicated equipment.

    Full traceability of Raw Materials to the site of origin, including processing aids used in manufacturing processes with respect to animal / non-animal derivation and safeguards against Transmissible Spongiform Encephalopathies (TSE).

    Excipients

    Refer to International Pharmaceutical Excipients Council/Pharmaceutical Quality Group, Pharmaceutical Excipients GMPs, 2006.

    Appropriate Quality / Technical Agreement to define roles & responsibilities of each party (Contract Giver / Contract Acceptor).

    Full traceability of Raw Materials to the site of origin, including processing aids used in manufacturing processes with respect to animal / non-animal derivation and safeguards against Transmissible Spongiform Encephalopathies (TSE).

    Adequate product testing performed to confirm compliance with customer and pharmacopoeial specifications.

    Cross-contamination control precautions in place e.g. use of dedicated manufacturing equipment or effective cleaning verification of non-dedicated equipment.

  • 20

    Raw Materials

    Industry standards where relevant.

    Adequate product testing performed to confirm compliance with customer specifications.

    Appropriate Quality / Technical Agreement to define roles & responsibilities of each party (contract giver / contract acceptor).

    Full traceability of raw materials to the site of origin, including processing aids used in manufacturing processes with respect to animal / non-animal derivation and safeguards against Transmissible Spongiform Encephalopathies (TSE), and phthalates.

    Cross-contamination control precautions in place e.g. cleaning, line-clearance, appropriate segregation of activities and good housekeeping.

    Manufacturing / Packaging contractors

    Effective quality documentation system compliant with required regulatory standard e.g. EU Guide to GMP part 1 or 2, 21 CFR 210 / 211, 600, 820 as appropriate.

    Quality / Technical Agreement to define roles & responsibilities of each party (contract giver / contract acceptor).

    Supply agreement or commercial contract to define business requirements.

    Appropriate licensing and regulatory history.

    Clear lines of communication.

    Control of outsourced activities (Quality / Technical Agreements, specifications etc.).

    Effective control measures, staffing and facility appropriate to the product being manufactured.

    Laboratory / Analytical Testing contractors

    Operate to appropriate industry standard e.g. ISO 17025, Good Control Laboratory Practice (GCLP), Good Laboratory Practice (GLP), Good Clinical Practice (GCP).

    Quality / Technical Agreement to define roles & responsibilities of each party (contract giver / contract acceptor).

    Appropriate licensing and regulatory history.

    Full traceability of customer samples.

    Testing performed to customer and pharmacopoeial specifications.

    Effective out-of-specification result management procedure.

    Packaging component manufacturers (primary, secondary, tertiary)

    Reference, ISO 15378, PS 9000, PS 9004, also country specific legislation relevant to the product e.g. GMP differences.

    Certification scheme.

    Quality / Technical Agreement to define roles & responsibilities of each party (contract giver / contract acceptor).

    Effective mechanisms in place for customer approval of labels and prevention of mix-ups.

    Planned preventative maintenance and calibration of automated packaging lines.

  • 21

    Printed Packaging suppliers (artwork, origination)

    Effective quality documentation system compliant with required regulatory standard e.g. EU Guide to GMP, PS 9000.

    Certification scheme.

    Quality / Technical Agreement to define roles & responsibilities of each party (contract giver / contract acceptor).

    Participants in approved Certification scheme.

    Manufacturers of product contact consumables

    Appropriate materials of construction for product contact component (e.g. pharmacopoeial recognised plastic or food grade).

    Full traceability of raw materials to the site of origin, including processing aids used in manufacturing processes with respect to animal / non-animal derivation and safeguards against Transmissible Spongiform Encephalopathies (TSE).

    Adequate product testing performed to confirm compliance with customer specifications and industry standards where relevant.

    Free from chemical and microbial / particulate contamination and easy to clean / sterilise.

    Manufacturers of product contact equipment

    Legible & fully completed documentation covering factory acceptance testing, calibration certificates and material conformity certificates.

    Agreed customer requirements.

    Appropriate materials of construction used for product contact surfaces (e.g. 316L stainless steel, pharmacopoeial recognised plastic) that are easy to clean and sterilise.

    Instruments used for calibration are traceable to international standards e.g. United Kingdom Accreditation Services (UKAS) / National Association of Measurement and Sampling (NAMAS).

    Minimal particle generation produced by moving parts (e.g. pumps).

    Wholesalers, Warehouse & Distributors

    Reference Good Distribution Practice (GDP) and appropriate country legal requirements for the product e.g. MLX 357, FDA Globalisation Act.

    Approved, contractual agreement with customer.

    Designated Responsible Person where appropriate.

    Effective stocktaking, security, pest and segregation controls at storage facility with good housekeeping.

    Temperature control and monitoring of storage area and distribution.

    Full traceability of chain of custody for the customer's product; effective recall procedures.

    Service providers (e.g. calibration, utility, pest control, cleaning etc)

    Approved contractual agreement with customer.

    Specification of work and controls.

    Defined service level with traceability appropriate to reference standards for materials and instruments used.

    Appropriate training for service provided.

  • 22

    Software, automated systems and IT

    EU GMP part 1 annexes 11 and 15; Code of Federal Regulations (CFR) Part 11.

    Knowledge of a risk-based approach to compliant GxP systems (Good Automated Manufacturing Practice Guidelines) (ISPE GAMP-5).

    Complete and legible documentation with traceability of software changes from initial development to master copy.

    Availability of master copy of software for back up purposes and disaster planning.

    Agreement on ownership of source code.

    Provision of technical support.

    Consultants

    Full curriculum vitae available for review.

    Approved contract to define scope of work.

    Evidence of experience and expertise required for customer's project.

    Professional indemnity insurance.

    Third party liability and Non-Disclosure Agreement (NDA) or confidentiality agreement.

  • 23

    Part 2 - Risk Management Process

    2.1 Risk Management Team and Responsibilities

    For the product / process being assessed it is fundamental that the relevant process experts are consulted to ensure accurate and complete data / information. It is recommended that the risk management process is undertaken by interdisciplinary teams (people with the necessary expertise representing relevant operational functions within the organisation or supply chain).

    Involvement of individuals may vary from stage to stage. Note that in smaller organisations / supply chains this may be limited to just a couple of people.

    Consider the example which illustrates the importance of having the right team. See Example

    Stakeholders are commonly divided into four categories: Responsible, Accountable, Consulted and Informed (RACI). This division can aid appropriate communication (see Table 3 following page). It is beneficial to develop a matrix to identify the roles of different individuals associated with the risk management process at the beginning so that responsibilities throughout the process are clear.

  • 24

    Role | Responsibility

    Responsible | Those who do the work to achieve the task. There is typically one role with a participation type of Responsible, although others can be delegated to assist in the work required.

    Accountable (also Approver / Final Approver) | There should be only one Accountable person specified for each task or deliverable. An Accountable signs off (approves) the work provided by Responsible person(s).

    Consulted | Those whose opinions are sought; and with whom there is two-way communication.

    Informed | Those who are kept up-to-date on progress, often only on completion of the task or deliverable, or at key milestones; communication is typically just one-way.

    Table 3 - RACI roles and responsibilities


    2.2 Risk Assessment

    Risk Assessment is defined as:

    A systematic process of organizing information to support a risk decision to be made within a risk management process. It consists of the identification of hazards and the analysis and evaluation of risks associated with exposure to those hazards. [ICH Q9]

    Quality risk assessments begin with a well-defined problem description or risk question. When the risk in question is well defined, the appropriate risk management tools and the types of information needed to address the risk question will be easier to identify.

    As an aid to clearly defining the risk(s) for risk assessment purposes, four fundamental questions are often helpful:

    1. What might go wrong?

    2. What is the likelihood (probability) it will go wrong?

    3. What are the consequences (severity)?

    4. What is the detectability?

    2.2.1 - Risk Identification

    Purpose

    Risk identification is defined as:

    The systematic use of information to identify potential sources of harm (hazards) referring to the risk question or problem description. [ICH Q9]

    Take water and the hazard of drowning as a simple example. The probability of drowning whilst drinking a cup of water is very low, though not zero; the probability of drowning whilst rowing a boat across the Atlantic Ocean is much higher as there is a far greater quantity of water and other adverse elements, such as wind and waves, make a contribution. The material is the same, the hazard of drowning is the same, but the probabilities, and thus the risks, are different.

    Risk = Hazard x Probability of Occurrence

    The purpose of the Risk Identification stage in the overall Risk Management process is to determine "what might go wrong?"

    Initiation and planning of the Risk Identification stage represents an important starting point in the overall Risk Management process and forms the foundation for the remaining stages. Potential hazards identified as outputs from the Risk Identification stage are subject to detailed examination during the Risk Analysis and Evaluation stages.

    Input

    Risk Identification requires information about the process to be assessed. The scope should be defined to ensure focus and appropriate use of resource. This will also help to define what data / information may be relevant and / or should be examined to identify potential hazards.


    In terms of the supply chain the following should be considered:

    each supplier within the whole supply chain

    what is supplied (material / product / service)

    the structure of the supply chain and interfaces between / within organisations, their suppliers and suppliers to the suppliers

    security of the supply chain (potential for contamination or tampering)

    internal processes used to manage the organisation's suppliers

    internal production processes

    Data / information can take many forms, for example:

    quantitative data / information - numbers, figures, measurements and variables

    qualitative data / information - attributes (yes / no, go / no go)

    soft data / information - subjective opinions / historical / experience / process complexity and interactions between processes

    Many professionals and organisations assume that all relevant information takes the form of formalised (hard) quantitative and qualitative data / information. This information is valuable and easily evaluated; however, soft data / information should also be included, otherwise many gaps are likely to be left. See Figure 6 for sources of information.

    Process

    Risk Identification is the process of identifying hazards and their related risks. Brainstorming is a useful tool to generate information and ask "what can go wrong?" for each step in the process. Whatever the activity being assessed, it is recommended to map the process concerned. This enables potential risk areas to be easily identified, agreed and visualised by the appointed interdisciplinary team. It is important for completeness to ensure that interfaces between processes are also identified, as this is where problems may easily go undetected.

    Information to support Risk Identification can come from various sources, for example:

    internal and external factors throughout the supply chain

    known deviations / non-conformities

    near miss events (valuable source of potential risk areas)

    complaints

    internal / external audits

    components of the process under assessment, such as:
      - people, premises, equipment, materials
      - QA / QC
      - services
      - utilities
      - transportation, logistics
      - agents and brokers in supply chain
      - environmental factors

    business stability / continuity:
      - capacity increase / decrease versus capability
      - rate at which the company has expanded / contracted
      - staff turnover etc

    quality system and technical capabilities

    management review

    opportunities for cross-contamination

    inherent process risks

    knowledge in the public domain (e.g. news, regulatory actions, legislation, etc)

    supplier performance e.g. Key Performance Indicators (KPI) / Critical Process Parameters (CPP)

    [Figure: Data / Information divides into Hard Data / Information (facts, measurements, analysis results, trends, variables, attributes) and Soft Data / Information (observation, experience, assumptions based on experience). The figure's key marks each item as qualitative, quantitative or both.]

    Figure 6 - Sources of Information that can be used in Risk Identification


    Output

    The output of the Risk Identification stage is a list of known and potential sources of harm (hazards), referring to the risk question, and their associated risks, based on the information available at that time. There is no guarantee that all hazards and associated risks can be identified at any given time as processes may change. It is important to understand that these changes and other events may influence the outcome and will require further review and reassessment, to determine the level of risk based on the combination of the probability of occurrence and the severity of that harm. Depending on the Risk Identification tool used and the scope of the assessment, potential risks may be categorised prior to analysis. For example:

    product quality risks

    business risks

    risks associated with raw materials

    risks associated with machinery

    risks associated with people etc

    Corporate Social Responsibility - environmental / social risk e.g. dealing with low price suppliers who pollute the environment or exploit their workforce.

    At completion of this step there should be confidence in answering the question "What might go wrong?" for the product / process under assessment. At this stage risks will not be evaluated as critical or non-critical as this level of risk understanding will be achieved through the Risk Analysis and Risk Evaluation stages. However, it is important to note that different mitigation approaches may be used depending on the nature of the risks identified. Be aware that there will be unidentified and / or unidentifiable risks to the organisation.

    The output from Risk Identification should be agreed, documented and communicated to relevant stakeholders.

    2.2.2 - Risk Analysis

    Purpose

    Risk Analysis is defined as:

    The estimation of the risk associated with the identified hazards. [ICH Q9]

    This step of the Risk Management process attempts to estimate the level of risk in terms of severity of harm, likelihood of occurrence and detection. It provides a quantitative or qualitative estimate of each risk.

    Input

    Prerequisites

    Following the completion of the Risk Identification stage there should be sufficient confidence that at least the significant hazards have been captured. The most appropriate Risk Analysis tool or combination of tools should be chosen. As there may be only limited data during the early stages of Risk Management, the choice of tool may be restricted. As experience grows, there may be a transition to the use of various and more complex tools.

    Part 3, the Toolbox, gives examples of a range of available tools and techniques from simple to complex.

    Considerations

    Both qualitative and quantitative input data can be processed using the chosen tools. Some risk tools require hard data rather than soft data (subjective opinion); it may therefore be necessary to have a mechanism to convert soft data into hard data where possible. This can be achieved by generating comparative scoring to produce semi-quantitative data.

    The relevant operational experts should provide detailed and up-to-date knowledge of current and historical process performance. Where knowledge does not exist or data is unavailable, then methods to source this information should be initiated in the long term. In the short term, best estimates can be made on the basis of assumptions, provided these are clearly identified, explained and considered at the review stage. Significant decisions based on subsequent recommendations should always reference the original assumptions and further reviews should be scheduled.


    Table 4 illustrates the advantages and disadvantages of different types of Risk Analysis tools. It also demonstrates that limited data may exist in early stages of implementing Risk Management. With experience, there may be a transition from the use of Qualitative to Quantitative tools. Both techniques are equally valid and fit for purpose. However, Quantitative tools are often perceived to be beneficial after several full cycles of the Risk Management process as more information is obtained and accuracy is demanded.

    Ultimately the decision of which Risk Analysis tool to use depends upon:

    the risks identified

    the precision of the data or opinions that define the risks

    what tools customers / suppliers use

    how accurate the output needs to be

    how quickly the output is required

    It is common for accurate or precise data to be missing in one or more areas, allowing the expert in that area to have some understanding of the level of risk, but not be able to support opinion with factual evidence or data.

    It is recommended that where an organisation has little or no experience of any particular tools, or is not required by customers to use a certain tool, it initially uses a qualitative tool. Once expertise in the tool has been gained and supporting systems established, the organisation can progress to the use of increasingly quantitative tools. This approach means that, for the same investment of time, at each repetition of Risk Analysis an increasing percentage of time is dedicated to improving the confidence of the risk estimation, and therefore adding more value and confidence in the output each and every time.

    Example of subjective assessment: Company A does not have a supplier complaints system. The logistics manager knows that Supplier X is the worst offender for late deliveries because the logistics team are always complaining about them. However, the logistics manager does not know how they compare with Supplier Y as there is no data to show how each is performing. This demonstrates a gap in the organisation's systems and supplier performance metrics / data related to risk management.

    | Tool | Type of information | Advantages | Disadvantages |
    |---|---|---|---|
    | Qualitative | May be subjective opinion based on experience. | Quick; can use soft data / opinion; limited training needed; appears easy to verify | Output may not be precise; does not differentiate well between levels of risk or types of risk; opinion may be biased by previous or historical experience, not considering current capability |
    | Semi quantitative | Mixture of data / opinion. Use comparison techniques to get estimations. | Differentiates better between risks than the Qualitative approach; good balance of advantages and disadvantages of the other tools | Output may not be precise enough for a mature Risk Management process |
    | Quantitative | Significant data and figures | Output is precise; good differentiation between risks; provides clear prioritisation of all risks; includes detectability assessment | Relies upon hard data; training and experience are needed; confusion can occur because the differences between failure mode and effect are not well understood; takes time to perform, especially the first time; reliant upon experts to agree scores and calibrate accurately |

    Table 4 - Types of information - advantages and disadvantages


    Process

    Having identified the hazards and associated risks and decided on the Risk Analysis tool to be used, the next step is to assign a rank or score to each of the identified risks. The interdisciplinary team, with knowledge of the identified risk areas, should agree ranking or scores for each one, following the rules and guidance for the tool being used. If necessary, input can be provided remotely, but this is only effective where hard data is available and is being entered or converted into a risk level. Where opinion / soft data is being used, agreement through discussion and compromise is necessary.

    Identified risks are normally assessed using the same tool. It is advantageous to assess all risks at the same time / same stage of the process.

    Risk Assessment can sometimes be initiated and performed on an ad hoc basis in addition to the routine periodic cycle of Risk Management, when external or internal events occur. At such times, the generation of a Risk Assessment level or score will enable the correct evaluation and risk acceptance / mitigation decision to be made.

    Output / deliverable

    The output should include information on missing data and any assumptions made. A level or a score for each identified risk should be generated and documented. It is essential that this output is communicated to those responsible for the Risk Evaluation step in a timely manner. Rapid escalation and communication of the Risk Analysis output should occur for any confirmed high risks.

    Note that where ad hoc assessments are made, immediate communication should be performed for any confirmed high risk events.

    2.2.3 - Risk Evaluation

    Purpose

    Risk evaluation is defined as:

    The comparison of the estimated risk to given risk criteria using a quantitative or qualitative scale to determine the significance of the risk. [ICH Q9]

    Risk Evaluation is the process that organises the information from Risk Analysis to allow the decision making step of Risk Reduction or Risk Acceptance to be made. To achieve this, a level of tolerable risk should be defined against which the Risk Analysis output can be compared.

    Input

    The prerequisites for this step are that:

    Risk Analysis has been completed

    data is organised in the most appropriate way according to the Risk Analysis tool used

    a tolerance level has been set against which the Risk Analysis output can be compared

    The level of tolerable risk depends on the product and the criticality of its application. A simple way of setting the level of tolerable risk is to identify the highest risk groups or most frequent type, or create a Pareto chart, and select the top 20% (and hopefully cover 80% of issues). The method for setting the level should be explained and documented so that it can be reviewed over time. Be aware, however, that if analysis shows that 25% of the identified risks have a high probability of causing patient harm, there is a need to act on all of these. Conversely, if none of the risks have more than a low probability of causing a minor non-compliance that would not impact the patient, no further action may be decided.


    Process

    In order to compare the Risk Analyses against an agreed level of tolerable risk, it is easier to rank or sort these in order of descending risk. The Risk Evaluation process is summarised as follows:

    1. Rank or sort risks from the Risk Analysis step

    2. Check that the data is complete and valid

    3. Determine if the level of tolerable risk is appropriate

    4. Review the Risk Analysis output against the level of tolerable risk

    5. Compare the output to see if it is acceptable or higher than the level of tolerable risk

    6. Document the evaluation

    7. Communicate the findings to the necessary people

    The Risk Analysis output should be organised (filtered, ranked etc) to ensure that those of most significance (i.e. above the level of agreed tolerable risk) are identified for Risk Reduction. Those below the level of tolerable risk can go forward as residual risk for the Risk Acceptance stage. In some tools using a simple two-dimensional arithmetic scale, risk can be ranked as high / medium / low risks and the combination of probability and severity can be evaluated by simply multiplying the factors. Those risks which have a higher score can be highlighted for immediate mitigation.

    There are more sophisticated models for setting a more precise level of tolerable risk. Setting a level of tolerable risk is probably the step where both experience and evolution of the risk management process can provide most value. Although a sense check of the information / data may have been performed already in the Risk Analysis stage, anomalous results can often be detected more easily during this stage. For example, outputs that look too high or too low can be checked for calculation errors, missing data, incorrect data, and then either corrected or verified as being accurate.

    Finally, this step categorises the risks into those that are above or below the level of tolerable risk. Failure to perform this step correctly can lead to poor decision making at the Risk Reduction and Acceptance steps.

    Output

    No final decision is made in this step. The output consists of two data sets (above and below the level of tolerable risk) that can be checked further or be used as the basis for either Risk Reduction or Risk Acceptance.

    The output should be communicated to all relevant stakeholders especially the Risk Control owner. Formal records should be retained for a suitably defined period to provide evidence of the basis for any decisions made and enable ongoing reiteration / review.
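
    The Risk Evaluation steps above, carried through on a small supplier risk register, as an added example that is not part of the guide: it multiplies probability by severity, sets the tolerable level with the top-20% Pareto rule, and still routes any high-probability patient-harm risk to Risk Reduction. The 1-5 scale, the high_probability cut-off of 4, the field names and the sample risks are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from math import ceil
from typing import Optional

SCALE = range(1, 6)  # assumption: both factors scored on a 1-5 ordinal scale


@dataclass
class Risk:
    name: str
    probability: Optional[int]  # None means Risk Analysis left the score blank
    severity: Optional[int]
    patient_harm: bool = False  # the hazard could reach the patient

    @property
    def score(self) -> int:
        return self.probability * self.severity  # simple two-factor product


def validate(risks):
    """Step 2: separate usable records from those with missing or invalid scores."""
    valid, needs_data = [], []
    for r in risks:
        complete = r.probability in SCALE and r.severity in SCALE
        (valid if complete else needs_data).append(r)
    return valid, needs_data


def pareto_tolerable(ranked, fraction=0.2):
    """Highest score still tolerated when the top `fraction` of risks is selected."""
    if not ranked:
        return 0
    n_top = max(1, ceil(len(ranked) * fraction))
    return ranked[n_top - 1].score - 1


def evaluate(risks, tolerable=None, high_probability=4):
    """Steps 1-5: rank, check, set the level, compare, and split into two sets."""
    valid, needs_data = validate(risks)
    ranked = sorted(valid, key=lambda r: r.score, reverse=True)
    if tolerable is None:
        tolerable = pareto_tolerable(ranked)
    above, below = [], []
    for r in ranked:
        # A likely patient-harm risk is acted on even if it misses the Pareto cut.
        forced = r.patient_harm and r.probability >= high_probability
        (above if r.score > tolerable or forced else below).append(r)
    return {"tolerable": tolerable, "above": above, "below": below,
            "needs_data": needs_data}


# Constructed sample register; names and scores are illustrative only.
SAMPLE = [
    Risk("Late deliveries from Supplier X", 5, 3),
    Risk("Tampering in transit via broker", 2, 5, patient_harm=True),
    Risk("Sub-supplier change not notified", 4, 5, patient_harm=True),
    Risk("Cross-contamination at shared facility", 4, 2, patient_harm=True),
    Risk("Supplier staff turnover", 3, 2),
    Risk("Label misprint on secondary packaging", 2, 2),
    Risk("Utility failure at warehouse", None, 3),  # probability never scored
]

if __name__ == "__main__":
    result = evaluate(SAMPLE)
    print("Tolerable level:", result["tolerable"])
    for group in ("above", "below", "needs_data"):
        print(group, [r.name for r in result[group]])
```

    Records returned under needs_data are held back for correction rather than ranked with a guessed score, which matches the check for missing or incorrect data described above.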


    2.3 Risk Control

    Risk Control is defined as:

    Actions implementing risk management decisions [ISO Guide 73; ICH Q9]

    Risk Control encompasses the decision-making activities that result in action (Risk Reduction) or justified inaction (Risk Acceptance).

    The purpose of risk control is to reduce the risk to an acceptable level. The amount of effort used for risk control should be proportional to the significance of the risk i.e. serious high risks require decisive, timely and effective action. Decision makers might use different processes, including benefit-cost analysis, for understanding the optimal level of risk control.

    Risk control might focus on the following questions:

    is the risk above an acceptable level?

    what