QA003: SOP FOR QUALITY RISK MANAGEMENT

OBJECTIVE:

  • To prepare a procedure for a formal risk management process comprising the identification, analysis, evaluation, control and review of risk factors associated with business and product quality across the life cycle.

SCOPE:

  • This document provides the procedure for Quality Risk Management (QRM) that can be applied to different aspects at the Company.
  • This procedure covers identification, assessment, mitigation, monitoring, escalation, communication and documentation of risks related to product identity, quality and safety and business risk.

RESPONSIBILITIES:

  • Designee / Department Head:
    • Identification of risks.
    • Initiation of assessment.
    • Fill draft risk forms.
    • Propose mitigation actions.
  • Quality Assurance (QA):
    • Issue & control Risk Assessment Record numbers.
    • Maintain & archive all master and completed risk assessment documents.
    • Review consistency, completeness, and data integrity.
    • Ensure linkage of QRM outcomes with Deviations, CAPA, Change Control, Validation, and other QMS components.
  • Risk Assessment Team:
    • Provide inputs, analysis, and support documentation under QA supervision.
  • Quality Head:
    • Approve closure of major/critical deviations.
    • Ensure effectiveness checks are performed.
  • Senior Management:
    • Provide resources and oversight for critical deviation investigations.

DEFINITIONS:

  • Change Control (CC): A documented and traceable process to manage proposed or realized changes that may impact GMP.
  • Risk Assessment (RA): A systematic process to identify hazards, analyze and evaluate risks using defined criteria and tools (e.g., FMEA, impact/risk matrix), and to define risk controls and residual risks.
  • Corrective and Preventive Action (CAPA): Action taken to eliminate the cause of an identified nonconformity or deviation to prevent its recurrence, and action taken to eliminate the cause of a potential nonconformity or other undesirable situation to prevent its occurrence.
  • Deviation: Any departure from an approved instruction, standard procedure, established process, or expected result in manufacturing, testing, packaging, storage, or distribution, which may have an actual or potential impact on product quality, patient safety, or regulatory compliance.
  • Quality Risk Management (QRM): A systematic process for assessment, control, communication, and review of risks to product quality throughout its life cycle.

PROCEDURE:

Initiation:

  • Risks may be identified during routine operations, change control, deviation, validation, audits, or regulatory inspections.
  • The user department initiates the Risk Assessment Request Form.
  • QA assigns a unique Risk Assessment Number in the format XX/RAR/YY/ZZZ, where:
    • XX = Identifies the department that initiated the risk assessment. Examples:
      • QA (Quality Assurance)
      • QC (Quality Control)
      • PD (Production/Manufacturing)
      • EG (Engineering)
      • WH (Warehouse)
      • PT (Procurement)
      • IT (Information Technology)
      • RA (Regulatory Affairs)
      • EH (Health, Environment and Safety)
      • PV (Pharmacovigilance)
    • RAR = Risk Assessment Record. A fixed code showing that the document belongs to the Risk Assessment Register.
    • YY = Last two digits of the calendar year in which the risk assessment was initiated.
    • ZZZ = Sequential number starting from 001 each year, for each department.
    • Example: QA/RAR/25/001 identifies the first risk assessment of 2025, initiated by QA.

Formation of Risk Assessment Team:

  • QA nominates cross-functional members such as Production, Quality Control (QC), QA, Engineering, Warehouse, Regulatory Affairs (RA), Information Technology (IT), Pharmacovigilance (PV) etc.
  • Team members must be trained in QRM tools.
  • The selection of risk assessment team members shall be based on the nature of the risk. For example, if the risk relates to the functioning of Granulation equipment, the team shall include representatives from Granulation, Engineering, and Quality Assurance. Additional members from other relevant departments (e.g., Production, Validation, or Safety) may be included as required.

Risk Assessment:

Risk Identification:

  • The department head/designee shall identify the risks during unit operations that are likely to have the greatest impact on product quality/business.
  • Risks identified during routine work shall be logged, recording the risk identification date, a short description, and the source department/area in which the risk was identified.
  • The Risk Assessment then starts with identifying potential hazards associated with man, material, process, environment and equipment. Risk identification shall consider the following points, but is not limited to them: potential product quality problems, cross-contamination issues, potential hazards, safety problems, product recall potential, GMP failure, microbial limits (where applicable), premises, equipment, packaging, personnel (human error), utilities and supply chain.

Risk Analysis:

  • Risk analysis is the investigation of the risk associated with the identified hazards.
  • After identifying the risk, the department head/designee shall communicate it to the risk assessment team to investigate the cause, source of risk, severity, occurrence and detection of risk.
  • When risk analysis is conducted, safety and efficacy need to be considered in addition to the quality concerns.
  • In the risk analysis the following basic questions should be addressed:
    • What might go wrong?
    • What is the nature of possible risks?
    • What is the probability of their Occurrence?
    • What are the consequences (Severity)?
    • How easy is it to detect them? (Detectability)
  • We shall assess severity (S), occurrence (O), and detectability (D) using predefined rating scales.

Risk evaluation:

  • Risk evaluation shall be done by multiplying the occurrence, severity and detectability of the associated risk, which gives the risk priority number (RPN). It shall be presented as RPN = S × O × D.
  • The risk priority number is important for categorizing the risk as major, moderate or minor.
  • Risk shall be expressed quantitatively: a numerical probability in the range 1–125 is used, which is expressed using qualitative descriptors such as “Low”, “Moderate” and “Major”.
  • The risk score shall be used to define the type of risk as below:
    • 1-16 (Low)
    • 17-63 (Moderate)
    • 64-125 (Major)

Risk Control:

  • Risk control shall include decision making to reduce and/or accept risks.
  • The risk assessment team shall use different processes, including benefit-cost analysis, for understanding the optimal level of risk control.
  • Risk control shall focus on the following questions:
    • Is the risk above an acceptable level?
    • What can be done to reduce or eliminate risks?
    • What is the appropriate balance among benefits, risks and resources?
    • Are new risks introduced as a result of the identified risks being controlled?
  • Risk control and risk mitigation plan with target date shall be updated by respective departments.

Risk acceptance:

  • Risk acceptance shall be a formal decision to accept the residual risk or it can be a passive decision in which residual risks are not specified.
  • For some types of harm, even the best quality risk management practices might not entirely eliminate risk. In these circumstances, it might be agreed that an appropriate quality risk management strategy has been applied to reduce the risk to an acceptable level.
  • This acceptable level shall depend on many parameters and should be decided on a case-by-case basis as below:
    • Low Risk (RPN 1–16): May be accepted at the department level with QA review and justification. No further escalation required.
    • Moderate Risk (RPN 17–63): Acceptance shall require approval from the Risk Assessment Team and QA Head, with implementation of appropriate CAPA or monitoring measures.
    • High Risk (RPN 64–125): Not acceptable without formal mitigation. Escalation to the Quality Head and Senior Management is mandatory before acceptance. Documented justification and risk reduction measures shall be required.

Risk Acceptance Criteria:

| RPN Range | Risk Category | Action Requirement | Color Code |
|---|---|---|---|
| 1 – 16 | Low | Acceptable at department level with QA review. Monitor and document. | 🟩 Green |
| 17 – 63 | Moderate | Requires QA Head approval. CAPA or monitoring plan must be implemented. | 🟨 Yellow |
| 64 – 125 | High | Not acceptable without mitigation. Mandatory escalation to Quality Head, and Senior Management. | 🟥 Red |

Risk Review:

  • Risk management shall be an ongoing part of the quality management process.
  • The output/results of the risk management process shall be reviewed to take into account new knowledge and experience.
  • The risk register shall be reviewed by Designee QA on a monthly basis to update developments in the mitigation plan.
  • All risks, including those arising from minor deviations managed without formal risk assessment, shall be documented and trended to identify recurring issues and early warning signals.
  • Risk assessment outcomes shall be incorporated into the Product Quality Review (PQR) annually to support ongoing product quality evaluation.
  • Open and closed risk trends shall be presented in the management review.

Risk Communication:

  • Risk communication shall be the sharing of information about risk and risk management.
  • Risk communication shall be done by Designee QA to risk assessment team and related department at each stage of risk management process.
  • The output/result of the quality risk management process shall be appropriately communicated and documented.
  • Critical risks shall be immediately escalated by QA to Quality Head, and Senior Management for decision-making.
  • A Risk Register shall be maintained for all the risk assessments performed.

Risk management tools:

  • Risk assessment shall be done by using risk management tools. Below is a list of some of these tools:
    • Failure Mode Effects Analysis (FMEA).
    • Failure Mode, Effects and Criticality Analysis (FMECA).
    • Fault Tree Analysis (FTA).
    • Hazard Analysis and Critical Control Points (HACCP).
    • Hazard Operability Analysis (HAZOP).
    • Preliminary Hazard Analysis (PHA).
    • Supporting statistical tools.

Calculation of RPN (Risk Priority Number):

  • Risk Management Team members shall map and evaluate the process using appropriate Quality Risk Management tools and shall record the details in the Risk Assessment Record.
  • Quality Risk Management shall be performed through scientific evaluation of Severity (S), Occurrence (O), and Detection (D) ratings, as described below.
  • Severity rating: This rating explains the extent and impact of a defect or failure. The severity rating criteria used for the exercise, with examples, are provided in the table below:

| Severity (S) | Severity Level | Impact Criteria (Impact only) | Typical Examples |
|---|---|---|---|
| S=1 | Very Low | No impact on product quality/patient; correction possible without batch loss or delay | Minor documentation error, reversible minor process drift before use |
| S=2 | Low | Minor quality impact; may cause delay or rejection of intermediate/buffer material; no finished batch rejection | IPC out of trend corrected, minor equipment stoppage without quality impact |
| S=3 | Moderate | Finished product batch rejection and/or reprocessing required | Blend uniformity failure requiring rework; coating defect requiring reprocessing |
| S=4 | High | Market/customer complaint potential and/or reportable regulatory concern | Mislabeling risk, repeated defects reaching market |
| S=5 | Very High | Patient safety risk and major regulatory non-compliance; recall potential | Wrong API/strength, critical cross-contamination |

  • Occurrence rating: This rating explains the frequency of occurrence of a defect or failure. The occurrence rating criteria used for the exercise are provided in the table below:

| Rating | Description |
|---|---|
| O=1 (Very Low) | Remote possibility of occurrence; failure rate of 0-1 in 100 |
| O=2 (Low) | Low probability of occurrence; failure rate of 2-3 in 100 |
| O=3 (Moderate) | Moderate probability of occurrence; failure rate of 4-6 in 100 |
| O=4 (High) | High probability of occurrence; failure rate of 7-9 in 100 |
| O=5 (Very High) | Very High probability of occurrence; failure rate of ≥10 in 100 |

  • Detection rating: This refers to the detection of the root cause of a defect or the actual failure. The detection rating criteria used for the exercise are provided in the following table, with examples:

| Rating | Description | Example |
|---|---|---|
| D=1 (Very High) | Controls almost certainly will detect the existence of a failure | Real time monitoring such as temperature, pH, conductivity |
| D=2 (High) | Controls have a good chance of detecting the existence of failure | Final D.M. water conductivity |
| D=3 (Moderate) | Controls may detect the existence of failure | Visual detection of rejection during product inspection |
| D=4 (Low) | Controls more likely will not detect the existence of failure | Carryover of active ingredient due to inadequate cleaning between tablet batches |
| D=5 (Very Low) | Controls very likely will not detect the existence of a failure | Cross-contamination leading to presence of wrong API in tablets |

Requirement of Risk Assessment:

  • Risk Assessment is embedded across the QMS, but the key mandatory areas auditors always check are: Change Control, Deviations, CAPA, Supplier Qualification, Validation, Audit and Self Inspection.
  • Auditors expect decisions to be based on structured risk evaluation, not just experience or opinion.
  • Risk Assessment shall be performed for all major and critical deviations/issues to evaluate their potential impact on product quality, patient safety, and regulatory compliance. Minor deviations may be managed without a formal risk assessment, provided they are well-documented and justified.

REFERENCES:

  • EudraLex Volume 4, Chapter 1 (Pharmaceutical Quality System)
  • EudraLex Volume 4, Chapter 4 (Documentation)
  • ICH Q10 Pharmaceutical Quality System
  • ICH Q9 Quality Risk Management

RECORDS:

| Sr No. | Title | Document No. |
|---|---|---|
| 1 | Risk Assessment Request Form | F/QA003/001- 00 |
| 2 | Risk Register | F/QA003/002- 00 |

REVISION HISTORY:

| Amendment Date | Update Summary | Version No. |
|---|---|---|
| NA | New SOP | 01 |

 
