QUALITY RISK MANAGEMENT PROCESS
QRM is a process with a series of operations, inputs, and outputs (see Figure 3). All unit operations, formulations, analytical methods, excipients, cell banks, working cell banks, equipment, reagents,
chemistry, facilities, and materials are evaluated for the potential influence they may have on drug CQAs and product requirements.
Any time a change event is being recommended, a risk assessment should be initiated. Any time an analytical method is being
developed and/or a process is being characterized, a risk assessment should be generated prior to study design.
Figure 3: Quality risk management (QRM) process (Q9).
The QRM process is linked to product and process CQAs because they are the quality attributes of the drug to be assessed.
Risk assessment includes risk identification, risk analysis, and evaluation. This process is generally a team effort to work
through the product/process step-by-step to identify and evaluate each potential risk. Outcome from the assessment should
be a set of identified and prioritized risks that either require action or are considered acceptable with an associated rationale.
Risk assessments should generally be done in advance of development or change control rather than as a justification of changes
after the fact.
Figure 4: QRM template, high-level risk assessment.
All risk assessments begin with a clear risk question. The risk question focuses the risk assessment team on to the risk area
to be assessed. It is recommended that a list of CQAs be identified until there is line of sight determined from CQAs to unit
operation and/or other drug attributes. Two types of risk assessment templates are commonly used: QRM high-level risk assessment
(e.g., failure mode and effects analysis [FMEA]) and a low-level detailed design of experiment (DOE) factor response matrix
(see Figures 4 and 5).
Figure 5: Design of experiment (DOE) factor response matrix, low-level risk assessment.
Risk control has two potential outcomes: either action is taken to minimize and control risks, and/or the risks are considered
acceptable and there is a scientific rationale as to why the risks are acceptable. There are many potential activities that
can control risk. In general, the severity is reduced, the probability is lowered, and/or detectability to lower risk is improved.
Adding redundancy and/or increasing robustness are also key considerations to design out and control risk. Process analyical
technology (PAT), statistical process control (SPC), and the associated control logic design are also important concepts
in designing out risk and designing in input and output control loops. Figure 6 is associated with risk control and is used to either accept risk or to reduce the risk.
Figure 6: Risk control.
Risk communication and review
Once the risk assessment and the control actions have been determined, it is crucial in the QRM process to communicate the
actions to process owners and key stakeholders (see Figure 7). CMC team leaders, key managers, and development teams, who will need to know the actions required to minimize the identified
risks. Clear action owners, implementation timelines, and an effective documentation and review process are needed to make
the needed and identified changes happen.
Figure 7: Risk communication.