SOP for Quality Risk Assessment and Quality Risk Management (QRM)

To describe the procedure for the management of risks, arising from different operations, activities and discrepancies. 

This SOP shall cover overall management of risks that arise from different operations, activities, discrepancies, deviations and failures in the manufacturing operations at Pharmasky Ltd. 

  • Each Operating Manager and Department Head shall be responsible for identification of operations and activities that pose potential risk, reporting and investigation of discrepancies, deviations and failures within the department and carrying out Risk assessment, control and review. 
  • QA Head shall be responsible for facilitating and evaluating the adequacy of Risk assessment. 
  • Risk Management Team shall be responsible for the overall Risk Management Program, its review and closure. 

Risk Management Team (RMT) shall be accountable for the overall Risk Management Program.

  • RMT shall be formed comprising of at least one responsible member from each function (Quality Assurance, Production, Engineering, Quality Control, Warehouse, and Personnel & Administration).
  • The “Responsibilities of the Risk Management Team” shall be as follows:
  1. Assuring the Risk Management Program continuity,
  2. Providing directions to the user departments,
  3. Verifying the identified cause(s) of risks,
  4. Risk analysis (using various tools),
  5. Endorsing the identified control measures,
  6. Training and reporting to the senior management.
  7. Assuring Risk Management Program related communication and Providing guidance on implementation of control measures and time frame.
  • A Quality Risk Manager shall be assigned the responsibility of coordinating the entire Risk Management Program with all technical functions.
  • The “Responsibilities of the Quality Risk Manager” shall be as follows: 
  1. Coordinating the Risk Management Program between the user departments.
  2. Organizing monthly meetings of the Risk Management Team.
  3. Releasing minutes of meetings.
  4. Risk communication.
  5. Facilitating the identification and categorization of risks.
  6. Facilitating implementation of control measures.
  7. Organizing follow-up and closure of risk implementation.
  8. Organizing training related to Risk Management Program.
  9. Preparing a annual report for the senior management and Archival of related records and documentation.
  • RMT shall conduct regular monthly meeting coordinated by Quality Risk Manager. The meeting can be conducted with a minimum quorum of 3 members and the Quality Risk Manager. However, the presence of the QA member is essential in all such meetings. 
  • The Risk Management Program shall cover the following areas:
  1. Facilities and Equipment.
  2. Production, processing and packing.
  3. Quality Control Laboratories, Testing and Analysis.
  4. Materials and warehousing.
  5. Engineering, Maintenance and Utilities.
  6. Quality Assurance and Quality Management System.
  7. HR related GMPs.
  8. Environment, Health and Safety
  9. Any other area, considered significant for the risk for running the business.

  • Each member of RMT shall ensure that any operation and activity that poses potential risk, or any discrepancy, deviation or failure discovered in the department or its processes/systems shall be reported by the operating personnel to the Senior Officer / Manager.
  • Each member of RMT shall initiate a “Risk Assessment Log”. 
  • The department subject expert shall analyze the operation and activity, discrepancies, deviations or failures and categorize the potential risk and its impact on the process or system or operation and/or product quality, yield, purity, potency, identity, stability, safety or efficacy within 7 days, depending on the seriousness of the risk and the area or process affected. 
  • The “Risk Assessment Report” shall be prepared and compiled. 
  • All identified risks shall bear a unique Risk Reference number and shall be numbered as an alphanumerical number consisting of 14 characters. For example, R/DC/MM/YY/NNN.


          ‘R’ represent the Risk.

          ‘DC’ denotes ‘Department Code’.

          ‘MM’ denote the month in which the review is conducted.

          ‘YY’ denote the year say ‘20’ for 2020.

          ‘NNN’ denote serial number of the risk in that particular area, starting with ‘001’

          The “Risk Assessment Report” shall be prepared and compiled.

          Risk Evaluation:

          Risk Priority Number (RPN) is calculated by using the formula:
          RPN = Occurrence (O) × Severity (S) × Detectability (D)

          The risk shall be rated according to the table below:

          As depicted above, the higher the risk priority number, higher is the risk and vice versa.

          Occurrence (O):

          Occurrence (O) refers to an assessment of the probability of the incident of a risk effect or discrepancy or deviation or failure. A higher probability of occurrence may be possible if the equipment or system or process is poorly designed or the operation is in manual mode instead of automation. The lower the probability of occurrence, the lower is the risk involved. The rating scale for determining the probability of occurrence is given in the following Table.

          Severity (S):
          Severity (S) refers to an assessment of the seriousness of the risk effect or the discrepancy or deviation or failure as it affects the end-user. A higher severity rating may be assigned to process steps that involved manual operations or interventions as compared to done by automation. The higher rating is necessary because of quality failure or introduction of contamination during these steps will result in a higher risk to the product safety and end-user. The lower the severity the lower the risk involved. The rating for determining severity is given in the following Table.

          Detection (D):
          Detection is the ability to detect a risk or an incident of defect, discrepancy, deviation or a failure as it affects the end-user. The ability of detection depends on the system, equipment or operation – which, with advanced technology or automated inspection will have a higher ability to detect the defects, discrepancies or failures. In a manual mode of inspection, the ability of detection will be poor. 
          Lower the ability to detect the defect, higher is the risk.

          • The risks shall be categorized as Low, Moderate or High, depending on the product of the probability of occurrence, degree of severity and ability of detection as the Risk Priority Number (RPN). 
          1. Low Risk: This risk has low potential and is less likely to impact directly or indirectly the process, system, operation, product quality, yield, purity, potency, identity, stability, safety or efficacy.
          2. Moderate Risk: This risk has moderate potential and is likely to moderately impact directly or indirectly the process, system, operation, product quality, yield, purity, potency, identity, stability, safety or efficacy.
          3. High Risk: This risk has high potential and is likely to highly impact directly or indirectly the process, system, operation, product quality, yield, purity, potency, identity, stability, safety or efficacy.
          • If the risk and impact is considered to be moderate or high, the discrepancies, deviations or failures shall be immediately reported to the QA and the Quality Risk Manager. After initial review and assessment, it must be reported to RMT members within 5 days. 
          • If the risk and impact is Low, then it shall be only reported to the Quality Risk Manager within 10 working days. 
          • For any such identified risk (Low, Moderate, High), necessary Risk Control Measures shall be identified and evaluated to mitigate / reduce the risk to an acceptance level. 
          • RMT shall evaluate the risk of Moderate and High categories and examine the existing control measures and other immediate possible control measures. 
          • RMT shall finalize the control measures and communicate to the department representative and the Quality Risk Manager to effect implementation within a pre-determined planned time-frame. 
          • The determination and finalization of “Risk Control Measures, Implementation and Deviation Closure” shall be defined. 
          • RMT shall also determine deployment of resources (personnel and funds) and time-frame for implementation of control measures. 
          • The concerned department’s RMT member shall discuss with the department group the Risk Control Measures and the mechanism of implementation. 
          • The Control Measures shall be implemented within the allowed time frame to complete satisfaction. In case, the controls are not completed within the time frame allowed, an extension can be sought in advance from RMT by the department concerned, after providing a valid reason for the extension. 
          • The department RMT member along with the Quality Risk Manager shall examine the effectiveness of the implementation of control measures. 
          • The implementation activity shall be reported to RMT. 
          • RMT in the next meeting shall do final evaluation of the implementation and order for Deviation Closure. 

          Risk Communication and Report:
          RMT shall identify what communication shall be released to the employees from time to time on matters related to Risk Management and the actions undertaken. It will also initiate the points to be included in the Risk related ‘Annual Report’ for the senior management review.         
          Management Review:
          The senior management representative(s) shall review the activities related to Risk Management Program and the actions and follow-up being done by the Risk Management Team, periodically. The Annual Report shall also be reviewed by the senior management representative(s) and a feedback will be sent to the Risk Management Team by the Quality Risk manager for providing necessary directions and facilitation in deploying resources and funds where necessary. 

          Flow Scheme: 
          The Flow scheme for the “Quality Risk Management” is depicted as per Annexure No. for reference and training purpose.

          Attachments I: Risk Assessment Log 
          Attachments II: Risk Assessment Report 
          Attachments III: Risk Control Measures, Implementation, and Deviation Closure. 
          Attachments IV: Flow Scheme for Quality Risk Assessment.

          GMP – Good Manufacturing Practices 
          OOS – Out of Specification 
          QA – Quality Assurance 
          RMT – Risk Management Team 

          Post a Comment