Quality Management Systems (QMS) and Risk Management

This chapter will cover Quality Management Systems (QMS) and the use of Risk Management methodologies in pharmaceutical manufacturing, and is based upon guidance described in two Food and Drug Administration (FDA) Guidance Documents on Quality Systems Approaches: Quality Systems Approach to Pharmaceutical Current Good Manufacturing Practice Regulations, September 2006, and Compliance Program Guidance Manual for FDA Staff: Drug Manufacturing Inspections Program 7356.002. These documents provide insight into the FDA’s current thinking and change in approach since the introduction of their Pharmaceutical Current Good Manufacturing Practices (CGMPs) for the 21st Century Initiative.

The introduction to FDA’s Quality Systems Approach to Pharmaceutical Current Good Manufacturing Practice Regulations reads:


This guidance is intended to help manufacturers that are implementing modern quality systems and risk management approaches to meet the requirements of the current good manufacturing practice (CGMP) regulations (21 CFR parts 210 and 211). The guidance describes a comprehensive quality systems (QS) model, highlighting the model’s consistency with the CGMP regulatory requirements for manufacturing human and veterinary drugs, including biological drug products. The guidance also explains how manufacturers implementing such quality systems can be in full compliance with parts 210 and 211. This guidance is not intended to place new expectations on manufacturers or to replace the CGMP requirements. Readers are advised to always refer to parts 210 and 211 to ensure full compliance with the regulations.


The last two sentences are very important. The FDA is clearly saying that quality systems are not additional expectations or requirements and do not establish legally enforceable responsibilities. The quality system approach/model does not replace the GMP regulations. However, the document does allow for more operational flexibility and use of modern quality concepts and business practices to meet GMP requirements. In FDA’s Pharmaceutical CGMPs for the 21st Century Initiative, the Agency expressed its intent to integrate quality systems and risk management approaches into existing programs with the goal of encouraging the adoption of modern and innovative manufacturing technologies. An important linkage between CGMP and robust, modern quality systems is the Quality by Design (QBD) principle and the fact that testing alone cannot be relied upon to ensure product quality.


The Agency also recognized the need to harmonize the CGMPs and other non-US pharmaceutical and regulatory systems (ISO 9000, Device Quality Systems Regulations, Drug Manufacturing Inspections Program, etc.) as well as FDA’s own medical device quality system regulations 21 CFR 820. This harmonization brings into practice the science of process, systems, and quality management principles and allows for needed flexibility in applied GMP practices.


…a comprehensive quality systems model, which, if implemented, will allow manufacturers to operate robust, modern quality systems that are fully compliant with CGMP regulations. The guidance demonstrates how and where the requirements of the CGMP regulations fit within this comprehensive model. The inherent flexibility of the CGMP regulations should enable manufacturers to implement a quality system in a form that is appropriate for their specific operations.

The FDA is quite clear that this guidance is primarily based on sustainable GMP compliance and how that fits into modern quality systems approaches of running a business.

As with all guidance documents, there are fundamental concepts and principles. There are seven in this document.

  1. Quality
  2. Quality by Design (QBD) and Product Development
  3. Risk Assessment and Management
  4. Corrective and Preventive Action (CAPA)
  5. Change Control
  6. The Quality Unit
  7. Six Quality System Inspection Approach (Figure 2.1)


The six quality systems are organized into four sections:


Management Responsibilities
  • Structure and organization
  • Build/design quality systems to meet requirements
  • Establish policies, objectives, and plans
  • Review the system

Resources
  • General arrangements (adequate resources)
  • Develop personnel
  • Facilities and equipment
  • Control outsourcing operations

Manufacturing Operations
  • Design and develop product and processes
  • Monitor packaging and labeling processes
  • Examine inputs
  • Perform and monitor operations
  • Address nonconformities

Evaluation Activities
  • Analyze data for trends
  • Conduct internal audits
  • Risk assessment
  • Corrective action
  • Promote improvement

While still focused on product quality, the guidance brings in additional elements found in ISO and other quality standards. In addition, the model and the section requirements go beyond the basic GMP/CFR requirements in some areas:

  • General arrangements or providing adequate resources
  • Internal audits (other than data)
  • Preventive action
  • Promote improvement

Failures in these specific areas will not show up in FDA inspection observations, but they are necessary parts of quality management and continuous improvement.




A system is defined as a collection of components organized to accomplish a specific function or set of functions. A single process or collection of processes can make up a system.

A QMS is typically defined as a structured and documented management system describing the policies, objectives, principles, organizational authority, responsibilities, accountability, and implementation plan of an organization for ensuring quality in its work processes, products (items), and services. The quality system provides the framework for planning, implementing, and assessing the work performed by an organization and for carrying out required Quality Assurance (QA) and Quality Control (QC) activities (1). Elements of a QMS typically include:


  1. Quality policy
  2. Quality objectives
  3. Quality manual
  4. Organizational structures and responsibilities
  5. Data management
  6. Processes
  7. Product quality
  8. Continuous improvement


The following table lists the six FDA quality systems and the typical GMP quality systems in a pharmaceutical manufacturing business. (Table 2.1)


FDA Quality Systems and the Typical GMP Quality Systems

FDA Quality System: Facilities/Equipment
Typical GMP Quality Systems:
  • Facilities and equipment management
  • Master planning
  • Commissioning, qualification, and validation
  • Drawings and document control
  • Facilities cleaning
  • Equipment maintenance
  • Corrective and preventive maintenance systems for utilities and production equipment
  • Equipment calibration—programs/systems for GMP and other equipment
  • Facility environmental monitoring

FDA Quality System: Production
Typical GMP Quality Systems:
  • Manufacturing operations
  • Batch record execution and review
  • Document control
  • Product sampling
  • Equipment operation and clearance
  • Equipment cleaning
  • Process validation
  • Contract manufacturing (management)
  • Technology transfer
  • Reprocessing and rework

FDA Quality System: Packaging/Labeling
Typical GMP Quality Systems:
  • Packaging operations
  • Batch record execution and review
  • Document control
  • Product sampling
  • Equipment operation and clearance
  • Labeling control systems
  • Receipt, inspection, release, issuance, control reconciliation, and storage

FDA Quality System: Materials
Typical GMP Quality Systems:
  • Raw material and components
  • Receipt, sampling, test, release, and storage
  • Warehousing and distribution
  • Returns and salvage

FDA Quality System: Laboratory Controls
Typical GMP Quality Systems:
  • Laboratory control systems
  • Sample management
  • Test methods and specifications
  • Method validation
  • Instrument qualification, calibration, and maintenance
  • Reference standards
  • Reagents, solutions
  • Data analysis and reporting
  • Failure investigations
  • Glassware control
  • Contract laboratories management

FDA Quality System: Quality
Typical GMP Quality Systems:
  • Policies and standards: creation and issuance
  • Documentation control: Standard Operating Procedures (SOPs), protocols, records and reports, forms, and log books
  • Regulatory reporting: new drug application (NDA), abbreviated new drug application (ANDA)
  • Training: GMP and job
  • Change control: document, equipment, labeling, process, and computer systems
  • Annual product review
  • Audit program: internal, contractors, regulatory
  • Complaint handling
  • Failure investigations (other than laboratory)
  • Batch record review and product release
  • Management notification
  • Product stability program management and reporting
  • Computer system validation


There are a number of subsystems possible in any of the GMP Quality Systems identified above. For example, computer system validation has a number of subsystems that manage and control the computer system life cycle: validation master planning; Design/Installation/Operation/Process Qualification (DQ/IQ/OQ/PQ) protocols, execution; reporting; periodic revalidation; change control; data center management and control; disaster recovery; and so on.

It is worthwhile to note that the vast majority of operational and quality systems are multi- or cross-functional and involve more than one department for input, execution, and output. This is a reason why having standard operating procedures (SOPs) only defined by department usually results in disconnects and incomplete system design and deviations/observations in performance. Policies, “umbrella” (overarching) SOPs, multifunctional SOPs, or mapped and connected individual SOPs are needed to bridge those gaps and provide the communication links for a robust and sustainable system.

There are also system interdependencies that must be recognized. For example, the QA batch record reviews and product release process depends not only on a completed batch record but also on batch-related information from other control systems: laboratory out-of-specification investigations, process deviation or failure investigations, pending batch-related change controls, regulatory commitments, environmental monitoring and water testing results, product testing results, and so on.

To have effective, robust, and sustainable systems requires that the fundamental process elements are in place, are linked where needed, and sound process management and control is consistently being practiced.

The typical elements of a QMS and the GMP quality systems listed above are also in broad alignment with the essential elements that a quality system shall embody for medical device design, production, and distribution as promulgated in 21 CFR 820 (see below):


  1. Personnel training and qualification
  2. Product design control
  3. Documentation control
  4. Purchasing control
  5. Product identification and traceability (at all stages of production)
  6. Production and process definition and control
  7. Process validation
  8. Product acceptance
  9. Controlling nonconforming product
  10. Corrective and preventive actions
  11. Labeling and packaging controls
  12. Handling, storage, and distribution
  13. Records
  14. Servicing
  15. Statistical techniques



The following elements are key to a robust, effective, and efficient QMS:


  • Process/system inputs are well defined, controlled, and monitored. In most pharmaceutical systems, the input is documented information; for example, a change control system input is a detailed change request. Information must be complete, accurate, and timely. The input quality can and should be measured where needed. In the change control example, a change request can be right the first time or sent back for more information. That success rate can be measured and fed back to the suppliers.

  • Process/system ownership, responsibility, and accountability are defined and accepted. This involves job role and responsibility definition in procedures, job descriptions, and role profiles. It also involves management leadership, planning, resource allocation levels, support organization levels, and process oversight and follow-up. The ownership, responsibility, and accountability must be consistently practiced.

  • Process/system design is adequate for use. Simple designs by work processes are best but need to include/identify input information, activities, decision criteria, decision outputs, timeliness requirements, document requirements, and how to handle exceptions or deviations and fail-safe or stop criteria where needed.

  • Level of process/system definition is adequate for use. Having the proper balance of enough information in SOPs, instructions, documents, and forms to achieve consistent execution by different people on different days is the goal. Refer to Chapter 6, Production and Process Controls, for details on SOP content. SOPs should be concise, to the point, user friendly, and written for a trained operator. However, there must be enough “how to” detail to assure consistent execution. Operational SOPs are often good on what is supposed to be done but short on details of how it is done, which leads to varying approaches and unacceptable variation. Quality and consistency of systems rely on minimizing variation and ambiguity and on providing clarity.

  • Consistency in execution. If the previous elements are in place, consistent execution should follow. Audits and process metrics can be the measurement tools.

  • Process performance and output should be monitored, measured, controlled, and reported where needed. Process performance and output can be measured by metrics. Metrics can be diagnostic or performance-related. In the change control system, for example, the performance metrics could be on-time and right-first-time completion/approval of change control requests, change authorizations, and change close out. The ultimate performance metric is no adverse impact in product quality or compliance as a result of the change. Diagnostic measures of change control process performance may be types of changes submitted, departmental breakdowns, overall cycle times, and so on.


FDA’s Compliance Program Guidance Manual for FDA Staff: Drug Manufacturing Inspections Program 7356.002 closely follows the approaches of risk management and quality systems laid out in FDA’s Quality Systems Approach to Pharmaceutical CGMP Regulations Guide and FDA’s 21st Century Initiative.

The background section states that the guidance is structured to provide for efficient use of resources devoted to routine surveillance coverage, recognizing that in-depth coverage is not feasible for all firms on a biennial basis. Inspections are defined as audit coverage of two or more systems, with mandatory coverage of the quality system, and coverage of a system should be sufficiently detailed so that the system inspection outcome reflects the state of control. The guidance further lists subsystems and compliance requirements/expectations in each of the six quality systems.

Inspectional observations support the new approach. They are listed in quality systems buckets but are written up in traditional GMP context.

To evaluate conditions and level of risk and, most importantly, to gain prompt corrective action, an internal audit program needs to be designed to address the system deficiencies, root causes, or lasting improvement, and not just to fix the observation or symptom. Warning letters available on FDA’s website show a pattern of comments from the FDA continually citing firms for inadequate response to inspectional observations because they are applying patches to procedures to fix observations and not addressing the root cause. Additionally, FDA will verify if the same or similar observations are made at multiple site inspections of the same company. Identification of quality system failures across sites indicates inadequate corporate quality oversight, lack of executive management visibility to quality issues, and/or lack of any or some corrective actions in a timely manner. Forward-thinking executive management, not just quality, will analyze site observations and determine if they could be the same on other company sites, and if so they will promptly respond as needed. They may not have completed all the actions unless there is a significant compliance or product quality issue, but a plan with justifiable timelines to be shared with FDA investigators will be expected.

Performing process audits can provide for better identification of system deficiencies, root causes, and a more effective level of corrective actions (1). However, this approach requires a different knowledge/skills base for a typical compliance auditor.

The following example is presented to illustrate the difference in approach. An analytical laboratory was audited, and after the first day, there was an observation that the secondary reference standard storage unit had expired reference standard vials co-mingled with in-date vials. The auditor was ready to write the observation as is. The likely action taken in response to that observation would have been to go through the incubator and remove the expired standards. This would have done little to keep the problem from recurring. By comparison, a system review of the total reference standard program might include a challenge of the following system elements:


  • Quality of reference standard system inputs (compendial and other standards)
  • Primary and secondary reference standard program ownership, responsibility, and accountability
  • Overall system design
  • Level of definition and detail in the SOPs
  • Consistency in practice
  • Management oversight of the process


This approach might find that the system failure was not an isolated incident, but that it has been happening for some time. The failure may be due primarily to the fact that an SOP requires one person to be in charge of primary standards and another person to be in charge of secondary standards, and in practice no backups were designated or assigned. In this situation, staff on leave would result in a significant gap in coverage. The overall cause would include a questionable system design and poor system oversight and resource allocation.

The resulting observation would cite the deficiencies in design, oversight, and resource allocation. A CAPA to this type of observation would need to address those system deficiencies instead of fixing only the symptom (outdated standards).

A systems audit approach is designed to challenge high-risk or value-adding systems with the fundamental system elements that should be in place rather than just looking for nonconformances (see Key Process/Systems Elements). However, this approach will require a different skill set level for the auditor, different sets of questions being asked, and, most importantly, management support of the concept.



Risks are commonly defined as uncertain future events, both positive (opportunity) and negative (risks), that have the potential to affect the achievement of a company’s goals and objectives. One of the elements that can help a company achieve its goals and objectives is an effectively functioning risk management and internal control framework. Risk management can be implemented at several different levels within an organization, including setting an organization’s strategy, a unit’s objectives, or running daily operations. Risks can also be categorized or classified in several different risk frameworks including Strategic Risks, Operational Risks, Financial Risks, and Hazard Risks (e.g., natural disasters). The following discussion of risk management methodologies will focus primarily on their application to pharmaceutical manufacturing operations.

Risk management methodologies have been used for a number of years and applied in many different areas including investment, finance, safety, and medicine. Quality risk management in the pharmaceutical industry is a relatively new concept but was utilized within the FDA in August 2002, when they announced their new major initiative for drug quality regulations on Pharmaceutical CGMPs for the 21st Century: A Risk Based Approach.

The FDA uses a risk management approach and methodology in the prioritization of CGMP inspections of pharmaceutical manufacturing sites. In the initial concept paper issued on the initiative, the FDA identified “a risk-based orientation” as one of the guiding principles that would drive the initiative. The concept paper stated that “resource limitations prevent uniformly intensive coverage of all pharmaceutical products and production” and that “to provide the most effective public health protection, the FDA must match its level of effort against the magnitude of the risk.” From the basis of this analysis, the FDA determined the top three priorities for their inspection program:

  • Firms that produce sterile products
  • Firms that produce prescription drugs
  • Firms that have not been inspected previously


Applying risk management approaches to pharmaceutical manufacturing operations and decisions makes good business sense and benefits the company and the patient. The importance of quality systems has now been recognized in the pharmaceutical industry and quality risk management is a valuable component of an effective quality system. Risk management can be used in a number of different aspects of pharmaceutical manufacturing including: vendor assessments/audits; process and equipment risk assessments; and sampling/testing criteria.

The ICH Q9 Consensus Guideline on Quality Risk Management describes the general quality risk management process, tools, and application in pharmaceutical operations. Two additional sources of guidance on the elements of a risk management and internal control framework are the Australia/New Zealand Standard on Risk Management (AS/NZS 4360) and the Enterprise Risk Management Conceptual Framework, published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The COSO Framework identifies eight interrelated components:


  1. Internal Environment
  2. Objective Setting
  3. Event Identification
  4. Risk Assessment
  5. Risk Response
  6. Control Activities
  7. Information and Communication
  8. Monitoring


The COSO Framework and ICH Q9 are very similar in overall structure; however, for the purposes of this discussion, the ICH Q9 framework will be used. There are two very important cautions to consider before embarking on a quality risk management program:


  1. The time, effort, formality, and documentation of the quality risk management process should be commensurate with the level of risk. One can spend more time on the process than mitigating the risk. Although a systematic approach and use of tools are preferred, informal processes can be acceptable, especially for more obvious risks.

  2. The quality risk management process should not be used as an excuse to delay or avoid compliance gaps/issues.


Figure 2.2 is an overview of the risk management process described in ICH Q9.

The primary principle of risk management is that the evaluation of risk to quality is based on the risk to the patient. From a manufacturing perspective, anything that has a high impact or is very close to the product will be high risk. For example, weighing of active ingredients in pharmaceutical production operations is a high-risk process worthy of compliance monitoring.

In the world of GMP compliance, there are at least three types of risks to consider:


  1. Patient and Product-related: These are obviously the highest risk and must always be considered.

  2. Collective Risk: One can have a series of risks or failures identified that individually may not appear serious or have direct product impact but collectively could have direct product impact. An example would be a weak or incomplete change evaluation process, coupled with an inconsistent periodic revalidation process and incomplete historical product records and data. In combination, these deficiencies could lead to product failure. During the risk assessment phase, in addition to ranking individual risks, it is sometimes important to look at the collective risk, especially when systems and interdependencies are involved.

  3. Compliance Failures: Patterns of failure in GMP compliance, regardless of individual severity, may have an adverse impact on the business if a regulatory agency perceives that the systems are still not in control.


Initiating a quality risk management process usually involves establishing a multidisciplinary team dedicated to the task. Key leaders and decision-makers need to assure risk management has cross-functional participation.

The process described below is based on the eight elements of the COSO Framework; however, it more closely follows the ICH Q9 risk management process in order to focus on aspects most relevant to pharmaceutical manufacturing at an operational level.

The process begins by identifying a team leader, establishing project timelines and deliverables, and agreeing on the process to be followed.

The first phase of the process is Risk Assessment, which includes risk identification, analysis, and evaluation. It is very important that the process starts with a well-defined problem description or risk question. This will help facilitate the gathering of information and data and the choice of the correct tools for analysis.


Risk Identification typically involves asking three questions:


  1. What might or could go wrong?
  2. What is the probability or likelihood it will go wrong?
  3. What is the severity or consequence if the event happens?


There are a number of tools that can be used to identify risks, including (1) internal interviews, discussions; (2) brainstorming sessions; (3) external sources (e.g., benchmarking, discussion with peers, comparison to other organizations); and (4) tools, diagnostics, and processes (e.g., checklists, scenario analysis, process mapping).

Risk Analysis involves focusing on the last two questions above and estimating the associated risk and ability to detect.

Risk Evaluation can involve a qualitative (high to low) or quantitative (numerical probability) approach evaluating the impact (significance) and likelihood (chance or probability of risk occurring) for each risk. The identified and analyzed risk is evaluated against the defined criteria. At this stage of the process, it’s critical that the criteria are documented and well understood by individuals performing the evaluation. Criteria commonly used in the pharmaceutical industry are a five-by-five model:

Probability of Occurrence (Ratings): Improbable, Remote, Occasional, Probable, Frequent

Severity Levels (Ratings): Negligible, Insignificant, Serious, Critical, Catastrophic

The output of the risk assessment phase is an estimate of risk for a quantitative approach or a range of risk for a qualitative approach. At this stage, you may produce what is commonly referred to as a Risk Map. Two different styles of Risk Maps are shown in Figure 2.3a and b. A Risk Map is a good tool to visualize the relative likelihood and impact of different risks and provide guidance in prioritizing risks for various mitigation activities.

FIGURE 2.3 (a) Impact vs Likelihood and (b) Impact vs Likelihood.

The second phase is Risk Control where the goal is to eliminate or reduce the risk to an acceptable level. Risk control focuses on four questions:

  1. Is the risk above an acceptable level?
  2. What can be done to reduce, control, or eliminate the risk?
  3. What is the correct balance between risk, benefits, and resources?
  4. Are new risks introduced as a result of these efforts?

Risk control involves risk reduction (actions taken to mitigate or avoid the risk) and the risk acceptance decision. In some cases, it may not be possible to eliminate the risk altogether, but short-term remedial actions may reduce it to an acceptable level or make sure it is detected.

Risk Communication is the third phase. If a team has been working together on the problem, there should have already been communication between the decision-makers and stakeholders. However, there may be a need for a more formal process of notification for other parties involved in or impacted by the decisions and changes.

Risk Review is the final phase. The output of the risk management process should be documented, especially when a formal process is used. The output and results should be reviewed for new knowledge and lessons learned. The changes and results should be monitored, and if needed, the risk management process can be re-engaged to handle planned or unplanned events. Risk management should be an ongoing quality management process.

Similar to failure investigations (Chapter 7) and process improvement projects, a number of useful tools and techniques can be used including:


  • Flowcharts, process mapping, check sheets, and cause-and-effect diagrams can help organize information and facilitate decision-making.

  • Failure mode effects (and criticality) analyses (FMEA and FMECA) evaluate potential failures and their likely effect. Can be used for equipment, facilities, manufacturing, and system analysis.

  • Fault tree analysis identifies root causes of an assumed failure. Can be used in failure and complaint investigations or deviations.

  • Hazard analysis and critical control points (HACCP) was developed in the food industry and is a seven-step systematic and preventive methodology that is used primarily for chemical, biological, and physical hazards.

  • Hazard operability analysis (HAZOP) is used in cases of suspected deviation from design or operating intentions. It has been used for safety concerns regarding facilities, equipment, and manufacturing processes.

  • Preliminary hazard analysis (PHA) uses past knowledge to help identify future failures. Can be used for product, process, or facility design, especially when information is scarce.

  • Risk ranking and filtering breaks down the basic risk question into its components.


Throughout the process, statistical tools can be used to gather and analyze data; for example, control charts and process capability (Cp, Cpk) analysis.

Quality Risk Management is being increasingly adopted by the FDA and the pharmaceutical industry. The FDA has actively used it in prioritizing CGMP inspections as a result of the increasing demand for inspections and the finite level of staff to cover them, and pharmaceutical companies recognize this as a powerful management tool, and as good business practice.



1.   Nally J, Kieffer R, Stoker J. From audits to process assessment—The more effective approach. Pharm Technol 1995, 19 (9): 128.

2.   Dills DR. Risk-based method for prioritizing CGMP inspections of pharmaceutical manufacturing sites—A pilot risk ranking model. J GXP Compliance 2006, 10 (2): 75.



      Quality Systems Approach to Pharmaceutical Current Good Manufacturing Practice Regulations, September 2006.

      Compliance Program Guidance Manual for FDA Staff: Drug Manufacturing Inspections Program, 7356.002.

      Pharmaceutical Current Good Manufacturing Practices (CGMPs) for the 21st Century Initiative, 2004.

      FDA Guidance for Industry: Q9 Quality Risk Management, June 2006.

      Bhatt V. GMP Compliance, Productivity and Quality. Interpharm, 1998.

      Field P. Modern Risk Management A History. Risk Books, 2003.

      Vesper JL. Risk Assessment and Risk Management in the Pharmaceutical Industry: Clear and Simple. Bethesda, MD, Parenteral Drug Association. July 2006.

      Bhote KR. The Power of Ultimate Six Sigma. New York, Amacom, 2003.

      Russell JP. The Process Auditing Techniques Guide. Milwaukee, WI, ASQ, 2006.

      Kausek J. The Management System Auditor’s Handbook. Milwaukee, WI, ASQ, 2006.

      Cobb CG. Enterprise Process Mapping, Milwaukee, WI, ASQ, 2005.

      Imler K. Get It Right. Milwaukee, WI, ASQ, 2006.

      PIC/S Guide to Good Distribution Practices for Medicinal Products, 2014.

      Kolisnyk YPORT. A new method for risk assessment of pharmaceutical excipients. Pharmaceutical Technology 2018, 42 (3): 38–44.

      Nally J, Kieffer R, Stoker J. From audits to process assessment—The more effective approach. Pharmaceutical Technology 1995, 19 (9): 128.

      Australia/New Zealand Standard on Risk Management (AS/NZS 4360)

      Enterprise Risk Management Conceptual Framework, published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

Reference: Good Manufacturing Practices for Pharmaceuticals (2020) book