Quality Risk Management in Pharmaceutical Plant

The Standard Operating Procedure for Quality Risk Management in a pharmaceutical plant is described in this post.



To establish the quality risk management process according to ICH Q9 guidelines & FMEA approach.


Applicable to any process at pharmaceuticals which requires a Risk Management evaluation.


3.1 Interdisciplinary teams are formed for risk assessment activities, which include quality unit, engineering, sales, regulatory, business development, and production.

3.2 Team members take responsibility for coordinating quality risk management across all functions and departments.

3.3 All technical team members ensure that the quality risk management process is defined, deployed and reviewed, and that adequate resources are available.




5.1 Definitions 

5.1.1 Quality Risk Management (QRM): Quality risk management is a systematic process for the identification, assessment and control of risks to the quality of pharmaceutical products across the product lifecycle.

Risk = Probability X Severity X Detectability

5.1.2 Risk: Combination of the probability of occurrence of harm and the severity of that harm.

5.1.3 Harm: Physical injury or damage to the health of people, or any damage that can occur from loss of product quality or availability. 

5.1.4 Hazard: Potential source of harm. 

5.1.5 Occurrence or Probability: Frequency is the number of occurrences of a repeating event per unit time. It is also referred to as temporal frequency.

5.1.6 Detectability: The ability to discover or determine the existence, presence or fact of a hazard.

5.1.7 Severity: A measure of the possible consequences of a hazard. 

5.1.8 Quality: The degree to which a set of inherent properties of a product, system, or process fulfills requirements. 

5.1.9 Quality Risk Management: A systematic process for the assessment, control, communication and review of risks to the quality of the drug (medicinal) product across the product lifecycle. 

5.1.10 Requirements: the explicit or implicit needs and expectations of the patients or their surrogates (e.g. health care professionals, regulators, and legislators.).

5.1.11 Risk Assessment: A systematic process of organizing information to support a risk decision to be made within a risk management process.

5.1.12 Risk identification: A systematic use of information to identify hazards referring to the risk question or problem description. Information can include historical data, theoretical analysis, informed opinions, and the concerns of stakeholders.

5.1.13 Risk analysis: Estimation of the risk associated with the identified hazards. It is the qualitative or quantitative process of linking the likelihood of occurrence and severity of harms. In some risk management tools, the ability to detect the harm (detectability) also factors in the estimation of risk.

5.1.14 Risk evaluation: the comparison of the estimated risk to given risk criteria using a qualitative or quantitative scale to determine the significance of the risk. 

5.1.15 Risk control: A process through which decisions are reached and protective measures are implemented for reducing risks.

5.1.16 Risk acceptance: The decisions to accept the residual risk after risk control actions are taken and that the quality risk is reduced to a specified (acceptable) level. 

5.1.17 Risk Reduction: Actions taken to lessen the probability of occurrence of harm and the severity of that harm. 

5.1.18 Risk Communication:  The sharing of information about risk and risk management between the decision makers and other stakeholders. 

5.1.19 Risk Review: Monitoring of output/results of the risk management process considering (if appropriate) new knowledge and experience about the risk.

5.1.20 Deviation / Nonconformity: Any non-compliance of an established GMP standard or of approved requirements, specifications and standard operating procedures. Deviations need to be documented, evaluated and when appropriate, investigated in order to determine the originating causes to prevent recurrence. 

5.1.21 Correction: Corrections are immediate actions taken to correct, contain or eliminate a nonconformity or other undesirable event. Note: A correction can be made in conjunction with a corrective action.

5.1.22 Corrective Action: Action taken to eliminate the cause of the deviation, based on an investigation. Corrective actions should prevent recurrence of the deviation. 

5.1.23 Preventive action: Action to eliminate the cause of a potential nonconformity. “Preventive action is taken to prevent occurrence whereas corrective action is taken to prevent recurrence”. 

5.1.24 Production process parameters: Parameters that have to be followed during a manufacturing process to obtain a product that meets the expected quality attributes and is produced in a consistent manner.

5.1.25 Stakeholders: any individual, group or organization that can affect, be affected by, or perceive itself to be affected by a risk. Decision makers might also be stakeholders. 

5.1.26 Trend: a statistical term referring to the direction or rate of change of variables.

5.1.27 Product life cycle: All phases in the life of the product from the initial development through marketing until the products’ discontinuation. 

5.2 Principles of Quality Risk Management:

Two primary principles of quality risk management are:

5.2.1 The evaluation of the risk to quality should be based on scientific knowledge, and ultimately link to the protection of the patient.

5.2.2 The level of effort, formality and documentation of the quality risk management process should be commensurate with the level of risk. 

5.3 Quality Risk Management Process:

Quality risk management is a systematic process for the assessment, control, communication and review of risks to the quality. It consists of the identification of hazards and the analysis and evaluation of risks associated with exposure to those hazards through a multidisciplinary approach. 

ICH Q9 gives a model for quality risk management as outlined in Figure below.

5.3.1 Initiating a Quality Risk Management Process: 

It should include a systematic process designed to coordinate, facilitate, and improve science based decision making with respect to risk. The process includes following steps:

a. Define the problem and/ or risk question, including pertinent assumptions identifying the potential for risk.

b. Assemble background information and / or data on the potential hazard, harm or human health impact relevant to the risk assessment.

c. Identify a leader and necessary resources.

d. Specify a timeline, deliverables and appropriate level of decision making for the risk management process.

5.3.2 Risk assessment 

Three fundamental questions are often helpful as an aid to clearly defining the risk for risk assessment purposes. These are as follows:

1) What might go wrong?

2) What is the likelihood (probability) it will go wrong?

3) What are the consequences (severity)? 

Risk assessment includes the following sequential activities: 

a. Identification of Hazards: It is based on well-defined process description, and adequate sources of information (e.g. historical data; description of the possible consequences). It addresses the question “What might go wrong?”.

b. Risk Analysis: Estimates the risk associated with the identified hazard/s. “It is the qualitative or quantitative process of linking the likelihood (probability) of occurrence and severity of harms; in some risk management tools, the ability to detect the harm (i.e. Detectability) also factors in the estimation of risk”. 

c. Risk Evaluation: “Compares the identified and analyzed risk against given risk criteria and the strength of evidence for all three of the fundamental questions”. 

The output of a risk assessment is either a qualitative description of a range of risk or a quantitative estimate of risk. When risk is expressed quantitatively, a numerical probability is used. Alternatively, risk can be expressed using qualitative descriptions, such as high, medium, or low. A risk score is used to further define the descriptors in risk ranking.

5.3.3 Risk Control:

Risk Control is a decision making process to reduce and/ or accept the risks. Its purpose is to reduce the risk to an acceptable level. Different processes can be used including benefit-cost analysis for understanding the optimal level of risk control. It includes: 

a. Risk Reduction: 

It focuses on mitigation or elimination of the quality risk when it exceeds a specified (acceptable) level. 

It might include the actions taken to mitigate the severity, and probability of harm. 

b. Risk Acceptance: It is a formal decision to accept the residual risk or it can be a passive decision in which residual risks are not specified. For some types of harm, even the best quality risk management practices might not entirely eliminate risk. In these circumstances, it might be agreed that the quality risk is reduced to a specified (acceptable) level which depends on different parameters case by case.

5.3.4 Risk Review: 

A mechanism to review or monitor events is implemented, and the effectiveness of the risk management process is reviewed periodically based on meaningful information “(e.g., results of product review, inspections, audits, change control) or unplanned changes (e.g., root cause from failure investigations, recalls). Risk review could include reconsideration of risk acceptance decisions”. Risk Review is an essential Quality Management System activity which is incorporated in the overall lifecycle and continuous improvement approach.

5.3.5 Risk Communication:

Sharing of information about risk and risk management between the decision makers and others. Communications might include those among interested industry or regulatory authority, etc. The included information might relate to the existence, nature, form, probability, severity, acceptability or other aspects of risks to quality.

Note: QRM associated to regulatory non-compliances should never be used to justify violation of clearly established regulatory requirements (e.g. air grade class A not used for aseptic fill). “Appropriate use of quality risk management can facilitate but does not obviate the industry’s obligation to comply with regulatory requirements”.

5.4 Risk Management Methodology 

5.4.1 Quality risk management supports a scientific and practical approach to decision making. It provides documented, transparent and reproducible methods to accomplish steps of the quality risk management process based on current knowledge about assessing the probability, severity, and sometimes detectability of the risk.

5.4.2 Tools for Quality Risk Management:

i. Basic methods include flowcharts, check sheets, cause & effect diagram, etc.

ii. Failure Modes Effects Analysis (FMEA)

iii. Failure Modes Effects & Criticality Analysis (FMECA)

iv. Fault tree analysis (FTA)

v. Hazard analysis, and critical control points (HACCP)

vi. Hazard operability Analysis (HAZOP)

vii. Preliminary hazard analysis (PHA)

viii. Risk Ranking & Filtering 

ix. Supporting Statistical Tools (control charts, histograms, Pareto charts, process capability analysis, etc.)

Quality risk management methods and the supporting statistical tools can be used in combination. Combined use provides flexibility that can facilitate the application of quality risk management principles.

The degree of rigor and formality of quality risk management should reflect available knowledge and be commensurate with the complexity and/ or criticality of the issue to be addressed.

5.4.3 Failure Modes Effects Analysis (FMEA) is commonly applied due to its versatility. This tool is used for identifying potential failure modes, potential effects of failures and potential causes of the risks to propose more adequate corrective and preventive actions. FMEA relies on product and process understanding. FMEA can be applied to equipment and facilities and might be used to analyze a manufacturing operation and its effect on product or process.

5.4.4 FMEA includes the following aspects: 

a. Probability or frequency of occurrence, 

b. Severity, or how significant the problem/deviation/change is in terms of impact on product quality and patient's safety.

c. Detectability, the extent to which detection of occurrence of any hazard is possible.

5.5 A “Risk Prioritization Number” or “RPN” may be assigned to the stage of the process that is affected; this helps to categorize the problem or risk. RPN is calculated by multiplying Probability (P), Severity (S) and Detectability (D), which are individually categorized and scored as described in the related tables provided for each category. Accepted level of risk is <50 rating after careful evaluation.

Table - 1 SEVERITY (Consequences of failure)

- Predicted to cause severe impact to quality (Product out of specification. No expert statement possible)

- Predicted to cause significant impact on quality (Failure to meet specifications, No stability data, Expert statement possible)

- Predicted to cause minor impact on quality (Failure to meet specifications, Stability data available.)

- Predicted to cause No/Minor impact on quality of the product (Quality within specification)


Table - 2 PROBABILITY (Likelihood of Failure will happen)

- Regular failures: Expected to happen regularly

- Repeated failures: Expected to happen in a low frequency

- Occasional failures: Expected to happen infrequently

- Unlikely failures: Unlikely to happen


Table - 3 DETECTION (Ability to find the failure)

- Normally not Detected: Failure very likely to be overlooked, hence not detected.

- Likely not Detected: Failure may be overlooked (manual control, spot check)

- Regularly Detected: Failure will normally be detected (manual control, routine work with statistical control)

- Always Detected: Failure can and will be detected in all cases.


Table - 4 Failure Mode Effects Analysis - Risk Evaluation

Risk = Probability X Severity X Detectability

Probability categories: Unlikely failures, Occasional failures, Repeated failures, Regular failures

Detection categories: Always Detected, Regularly Detected, Likely not Detected, Normally not Detected




