
1. Do all inspections cover the quality risk management process?
2. How will deficiencies be categorised?
3. Should a company have a procedure to describe how they approach quality risk management related to manufacture and GMP?
4. Is it acceptable to link quality risk management with cost saving measures?
5. Should sites have a formal risk register and management process?
6. What tools are acceptable to use in quality risk management?
7. Do formal tools and a full report have to be issued for every risk assessment?
8. What are the key attributes of a good risk assessment?
9. What is the difference between a planned and unplanned risk assessment?
10. Should we expect there to be no risk to patient safety as a conclusion to a risk assessment?
11. Are any areas out of bounds for risk assessment?
12. How should risk assessments be controlled?
13. Do risk assessments have to be supported by factual evidence or can they just use professional judgment?
14. Scoring in risk assessments is subjective, is there danger that risk assessments may be manipulated to draw desired conclusions?
15. Is it acceptable to allow external consultants to participate in site risk assessments?
16. Is it acceptable to allow contract staff to participate in site risk assessments?
1. Do all inspections cover the quality risk management process?
Yes, quality risk management (QRM) is a requirement of Chapter 1 of the EU GMP Guide Part I and Annex 20. All manufacturing authorisation holders, third country manufacturing sites, blood establishments, blood banks and active pharmaceutical ingredient manufacturers must have a system for QRM. Inspectors will review the QRM system as part of the Quality Systems section of the inspection (along with complaints, recalls, deviations, and product quality reviews etc). Additionally, inspectors may review specific risk assessments when encountered during inspection. Inspectors will allocate time commensurate with their perceived significance of the risk and if necessary request the company to produce a formal summary of the risk assessment, key decisions and conclusions or take copies of risk assessments for further consideration outside the inspection.
2. How will deficiencies be categorised?
As with other areas of inspection, deficiencies will be categorised dependent on the significance of the findings. Typically complete lack of a system should be classed as a major deficiency, while lesser deviations within a system would be classed as other. Critical deficiencies may reference QRM where risk assessments have inappropriately supported release of products that pose a threat to patient safety. QRM deficiencies may be grouped with other quality systems deficiencies under a quality systems heading. As always factual statements of what are seen as deficiencies will be clearly recorded.
3. Should a company have a procedure to describe how it approaches QRM related to manufacture and GMP?
Yes, the procedure should be integrated with the quality system and apply to planned and unplanned risk assessments. It is an expectation of Chapter 1 that companies embody quality risk management. The standard operating procedure (SOP) should define how the management system operates and its general approach to both planned and unplanned risk management. It should include scope, responsibilities, controls, approvals, management systems, applicability, and exclusions.
4. Is it acceptable to link quality risk management with cost saving measures?
The expectation of QRM is to assess risks to the medicinal product and patient and manage these to an acceptable level. It is appropriate for companies to assess their control systems to implement the optimum controls to ensure product quality and patient safety. If this can be achieved in a more cost effective manner while maintaining or reducing risk to the product and patient then this is acceptable. However inappropriate risk assessment and mitigation in order to achieve cost savings is not appropriate.
5. Should sites have a formal risk register and management process?
Yes, a risk register (or equivalent title document) should list and track all key risks as perceived by the organisation and summarise how these have been mitigated. There should be clear reference to risk assessments and indeed a list of risk assessments conducted should be included or linked to the register. A management process should be in place to review risk management – this may be incorporated into the quality management review process.
6. What tools are acceptable to use in quality risk management?
There is no definitive list although a number of examples are given in Annex 20 (and ICH Q9). In some cases combinations of tools or other approaches may be seen. The important criterion is for the tool used to support the key attributes of a good risk assessment (see below).
7. Do formal tools and a full report have to be issued for every risk assessment?
As stated in Chapter 1 of the EU GMP guide ‘...the level of effort, formality and documentation of the quality risk management process is commensurate with the level of risk’. As such, expectations of inspectors will be pragmatic regarding the degree of formality that is required; however, appropriate evidence should be available of what has been done, and as such a written output must be retained. Inspectors’ pragmatism will be directly related to the nature of the risk, with increasingly more formality and detail required for more significant risk (risk being the probability of occurrence of harm and the severity of that harm, often supplemented by the ability to detect the potential harm occurring).
8. What are the key attributes of a good risk assessment?
The following key attributes should be observed (mindful of the risk significance addressed in the previous question):
- clearly identify the process being assessed and what it is attempting to achieve, ie what the harm/risk is and what the impact could be on the patient
- be based on systematic identification of possible risk factors
- take full account of current scientific knowledge
- be conducted by people with experience in the risk assessment process and the process being risk assessed
- use factual evidence supported by expert assessment to reach conclusions
- do not include any unjustified assumptions
- identify all reasonably expected risks – simply and clearly along with a factual assessment and mitigation where required
- be documented to an appropriate level and controlled/approved
- ultimately be linked to the protection of the patient
- should contain objective risk mitigation plans.
9. What is the difference between a planned and unplanned risk assessment?
A planned risk assessment is one that is conducted in advance of conducting an activity, either before any activity is conducted or before further activity is conducted. This would often allow quality to be built in to activities and risk reduced (quality by design) eg design of facilities for manufacture of cytotoxic products or organisation/design of a label printing room. An unplanned risk assessment is one that is conducted to assess the impact of a situation that has already occurred, eg impact of a deviation from normal ways of working.
10. Should we expect there to be no risk to patient safety as a conclusion to a risk assessment?
In reality there is always a degree of risk in all situations but mitigation controls should minimise the likelihood to an acceptable level of assurance. The degree of risk tolerated very much depends on the circumstances, the proximity to the patient and other controls that may follow the process being assessed before the product is used by the patient. It should be expected that risk mitigation plans are identified and implemented where any risk to patient safety is posed. Companies should take a holistic view and be mindful that critical issues often occur where multiple failures in systems occur together, so mitigation plans should be sufficiently robust to tackle such potential. Inspectors will be assessing if risk assessments underrate either the likelihood, consequences or detection of occurrences in order to make it appear that there is minimal risk to the patient. The factual evidence behind statements may be challenged.
The impact should not consider the financial impact on a site/company to the detriment of the patient.
11. Are any areas out of bounds for risk assessment?
It would be unacceptable for risk assessment to conclude that statutory, regulatory or GMP requirements should not be followed or are not appropriate eg risk assessment could not conclude that it was appropriate for licensed products to be released by someone who was not a qualified person (QP). Otherwise risk assessments can be used within GMP systems as a tool to identify, quantify and minimise risk to patient safety.
12. How should risk assessments be controlled?
Risk assessments should be controlled within a defined document management system. If risk assessments are conducted to justify controls for an ongoing process then the assessments should be subject to change control and periodic review, eg line clearance risk assessment. Frequency of review should be appropriate for the nature of the process. Such risk assessments should be seen as living documents that are visible and subject to change as required. Risk assessments that were conducted as one off activities to assess a situation that will not recur need not be controlled in a ‘live’ manner but must be documented, approved and retained eg assessment of a temperature excursion on storage of a batch of starting material. Such ‘one off’ activities should be controlled as live documents if any conclusions are to be used in any future excursions. Ultimately these may then need to be reviewed in light of experience or developments.
13. Do risk assessments have to be supported by factual evidence or can they just use professional judgment?
There should be factual evidence recorded to support any conclusions drawn, eg plant design details in controlling cross contamination - an unsupported assumption that the plant must be suitably designed as we have used it for 10 years or we’ve had a standard operating procedure (SOP) for five years so it must be suitable is a weak approach that may be unfounded and must be challenged by those conducting risk assessments. Professional judgment should be used in interpretation of factual evidence but must be subject to justification.
14. Scoring in risk assessments is subjective, is there danger that risk assessments may be manipulated to draw desired conclusions?
The scoring system and trigger points for mitigating action are subjective. However as important as the scores in risk assessments is the rationale for the score. If supported by factual evidence it should be more obvious what mitigating action is required – the mitigating action is as important as the score assigned. Companies should not score risks in a blinkered manner without considering the factual causes, likelihood of detection and consequences. Inspectors will be alert to improper use of risk assessments to condone poor practice or exclude patient risk.
15. Is it acceptable to allow external consultants to participate in site risk assessments?
It may be appropriate for consultants to provide support for risk assessments where they can provide specific expertise or knowledge. Their role in the risk assessment should be clear. The reason for delegation and resultant accountability must be understood. Inspectors will expect sites to demonstrate that delegation was effective and that appropriate skill, knowledge, local knowledge and local accountability was appropriate for the life cycle of the risk assessment. A technical agreement may be appropriate with the consultant where GMP responsibility is assumed.
16. Is it acceptable to allow contract staff to participate in site risk assessments?
It would be usual for contract staff, eg contract QPs to lead or participate in risk assessments. The extent of involvement as responsibility/accountability must be documented in the technical agreement between the individual and the organisation.

