Quality Risk Management Demystified at CMC Strategy Forum

ICH Q9 encourages companies to apply the concept of quality risk management. Easier said than done.
Sep 01, 2009



The prospect of conducting risk assessments, as part of the quality risk management (QRM) strategy promoted by the International Conference on Harmonization (ICH) Q9 guideline, tends to evoke blank stares and confusion. It also prompts many questions: Which of the many tools—PHA, HACCP, FMEA, etc.—should we use? How could we possibly conduct a line-by-line analysis of every risk known to bioprocessing? Is this really useful?


Laura Bush
The CMC Strategy Forum on Practical Applications of Quality Risk Management, held in Bethesda, MD, on July 27 and 28, tackled these challenges and questions through a hands-on workshop and plenty of lively discussion.


Table 1. A partial risk assessment worksheet created during a fictitious exercise for the operation of a production bioreactor, using the preliminary hazard analysis (PHA) method. Each potential harm was assigned a severity score (on a scale of 1–9), and each potential hazardous situation was given an occurrence score, based on the likelihood that it would occur, taking into account the controls used to prevent or mitigate the event. The two scores were multiplied to reach an overall risk index.
In the workshop, small groups used the preliminary hazard analysis (PHA) method to assess the risks involved in operating a large-scale production bioreactor for a monoclonal antibody. As the groups considered inputs such as duration, media, and temperature, they identified the possible hazards involved and the harms those hazards could cause, and then assigned a severity score to each harm. They also assigned a separate risk score to each potential harm, based on the likelihood that it would occur. Then they multiplied those numbers to reach an overall risk score, addressed the controls used to prevent or mitigate the event, and decided whether or not the risk would be acceptable (Table 1).

After the breakout sessions, everyone understood the concepts, terminology, and process much better, and had a good appreciation for the challenges involved in conducting risk assessments. They also had a lot of questions, which were discussed with the overall group.

HOW TO ACCOUNT FOR CONTROLS

One common question raised during the risk assessment exercise was how to account for the controls that mitigate risks.

Several speakers stressed that the effectiveness of controls should never affect how one ranks the severity of a potential harm. "Severity rankings are dependent on harm only," said Joe Siemiatkoski of Biogen Idec. "You should never lower a severity score by taking credit for controls."

For example, if a given harm, such as bioreactor contamination, is considered high, say 9 on a scale of 1 to 10, that severity ranking should not be lowered just because numerous measures are in place to prevent contamination. Instead, those controls would lower the ranking number assigned to the likelihood that such a harm would occur. Then, when the total risk is assessed by multiplying the severity and likelihood scores, its overall risk ranking would not be high, and thus additional controls may not be warranted.

Dan Weese of Amgen explained that this approach is important for documenting the potential risks to any given unit operation. "You may have a risk where you are confident that a later step will take care of it, but what if a later step is removed?" he said. "You need the risk to be flagged as severe in the earlier unit operation, so you don't lose your record of it."