

SOP for Quality Risk Management Plan

This Master Plan defines how the Quality Risk Management (QRM) program will be conducted through the integration of knowledge gained from formal risk assessments, operational alerts, change controls and inspections, as required by ICH Q9 Quality Risk Management. Information on higher risks will be communicated to management and the Quality Unit through a risk register intended to increase visibility and provide focus in discussions on risk control and mitigation.

This plan applies to all personnel involved in the delivery of results in the evaluation of quality attributes of starting materials, excipients, components, API, and drug products intended for investigative medicine testing. Risk management will also be applied to the systems used to enable testing, including instruments and equipment qualification, and to the design of analytical methods for use in support of commercial manufacturing. The following risk management programs are not in the scope of this plan and are addressed by other guidance:
  • Risk management for IT-supported applications
  • Risk management of spongiform encephalopathies to our API and products
  • Safety risk assessments
  • Testing activities conducted at contract facilities
  • Testing of research materials. 

Roles and Responsibilities




  • Provide the resources necessary to support the implementation of this Master Plan for Quality Risk Management.
  • Ensure that employees complete any required training regarding risk assessment.
  • Ensure that related Standard Operating Procedures and Work Instructions are aligned with this Master Plan.
  • Ensure periodic assessments are conducted to verify that related activities are in compliance.
  • Ensure risk assessments, when they are appropriate, are performed, and that they are properly documented and approved by the Quality Unit as needed.
  • Review risk assessments.
  • Perform periodic review of risk register.

Quality Unit

  • Assist in identifying and evaluating sources of risk and in establishing appropriate controls.
  • Review and approve risk assessments on activities governed by procedures.
  • Perform periodic review of risk register.


  • Utilize risk tools and perform risk assessments where appropriate.
  • If in the role of risk assessment facilitator:
      • Study the features of the tool to use.
      • Identify subject matter experts to participate in the assessment.
      • Document the assessment.
  • Submit formal risk assessments to Functional Area Management and Quality Unit for review and approval.
  • Comply with this management plan.

  • The principles of QRM in the preparation of medicinal products are described in ICH Guidance for Industry Q9 - Quality Risk Management. In alignment with ICH Q9 recommendations, this QRM plan is built around the following steps: Risk Assessment, Control, Communication and Review.
  • QRM is a critical component of quality systems; it draws on the investigations and inspections program and is leveraged to guide change management. Risk management is implemented with practices appropriate to the stage of project development.

Risk Assessment

Risk Identification
  • ICH Q9 defines risk as the combination of the probability of occurrence of harm and the severity of that harm for the intended patients. As an organization developing analytical knowledge and methods, another fitting definition for risk is that of the ISO 31000 Risk Management Standard, which defines risk as uncertainty in reaching objectives. This QRM plan intends to address both potential harm to patients and uncertainty in objectives. The primary focus of risk management is to control the risk to data on product attributes, as this data is used both to determine the suitability of products for clinical programs and to propose specifications utilized in the evaluation of manufacturing process control. Other objectives include accurate data for the proposal of labeling information; development and validation of robust methods; and testing in support of manufacturing activities (e.g., water testing).
  • Risks are proactively identified in deliverables by conducting risk assessments on the types of tests that evaluate product quality attributes used in the decision for batch release. Failure modes are identified by experts in the technique and ranked. Multiple sources are used for further identification of risks to be evaluated as well as to trigger a review of processes for risk assessment. These sources include Quality Unit and regulatory inspections, benchmarking, internal self-inspections, investigations on operational alerts, and trend evaluations. These risks are analyzed and evaluated for inclusion in the Risk Register.

Risk Analysis & Evaluation
  • Multiple tools will be used to estimate the risk posed by the hazards identified. Subject matter experts will consider the risk to be evaluated and select a tool appropriate to the complexity of the system or activity under evaluation. Informal risk management may be used, including empirical evaluations where appropriate, flow charts, checklists and procedures.
  • For the analysis and evaluation of data for batch release, Failure Mode and Effect Analysis (FMEA) was chosen, as it can guide the evaluation of numerous failure modes, summarizing the effect and providing a quantitative ranking for guiding control efforts. For the FMEA risk analysis of tests for the release testing activity, the table presented below outlines the starting point. A team using this tool can further refine this table to suit the risk question and should capture the analysis table in the documentation of the risk assessment.






Passing a failing product can result in the release of an adulterated product


Cannot be detected


Not used to ensure the assessment of severity is most conservative.*

Moderate, occasional

Very Low


The additional introduction of error expands the uncertainty of the method while still meeting specification

Infrequent or has occurred **



Data representative of product attribute

Remote or unlikely

Almost Certain

*  False OOS/OOA were not included in the judgment of severity, as these are investigated and resolved without impact to the product release timeline and consequently with no impact to product availability to patients.
**  In an effort to address the uncertainty on failure mode occurrence, any observation of a failure mode was given a raised occurrence value (3), recognizing limitations in detecting some failure modes.

  • Each failure mode is assigned a Risk Priority Number (RPN):
RPN = Severity × Occurrence × Detectability

For example, for Severity = 10, Occurrence = 3, and Detectability = 10, the calculated RPN is 300. These RPNs are then categorized as Low (1-100), Medium (101-500) and High (501-1000).

Risk Control
  • The purpose of a risk management program is to decide, for the hazards identified, what controls are possible and when they should be sought and implemented. Evaluation of risk controls will consider the following questions:
  1. Is the risk currently managed at an acceptable level?
  2. What can be done to reduce or eliminate the risk?
  3. Is there other data that helps manage the process and evaluation, and that can be used in place of a control?
  4. What is the appropriate balance among benefits, risks, and resources?
  5. Does implementation of the control introduce new risks?

Final Risk Level

Decision Guidance (10)


Risk is unacceptable and action to reduce risk is required.

Design New Controls:  Actively work to mitigate these through design, systems, procedures and other controls.


A decision is required on accepting risk or taking action to reduce risk.

Take action: If detectability of risk is poor (e.g., 7-10), consider whether action is required and seek to develop a clear understanding of how to recognize when this failure mode occurs. An action might include awareness/training or the development of new controls.

Observe/Accept:  If detectability of risk is good (e.g., 1-3) or severity is low (1-3), maintain vigilance (operational alerts program).


Residual risk is acceptable: the risk is detectable and of low severity, and no further action is required. The actual process is well understood.

Risk Communication
  • The goal of risk communication is to increase risk awareness and promote controls that support quality by sharing information on the risks identified and their controls. Personnel in different roles have different needs regarding the communication of risk.
  • Personnel conducting activities will need to be informed of risks so that they maintain behaviors that support best practices, sustain vigilance, and understand processes to help control risk. These communications are achieved through training, method details, formal procedures, and aids such as checklists to enhance their ability to control risk. Management is responsible for allocating resources for activities; therefore, they must support the identification of risks and stay informed of risks that require additional controls.
  • Management is also responsible for committing resources to the development of those controls or for accepting residual risk. This communication will be achieved and documented through their approval of plans, procedures, formal change controls, and the risk register.

Documentation of Risk Assessments
  • Formal documentation of risk assessments and other risk management activities will be at the discretion of management and the Quality Unit, observing the guiding principle that documentation effort be commensurate with the impact of the risk. Formal risk assessments will utilize a template that will include the following elements:
  1. Contain a unique number
  2. Define the risk assessment method/tool and rationale for selection
  3. Conducted by appropriately trained personnel
  4. Discuss controls and risk acceptance (if appropriate)
  5. Define periodic review cycle
  6. Include approval by the Quality Unit when analyzing a process for the purpose of building up the risk register or when used to justify changes to procedures.
  • Low-impact risk assessments for easily understood or specific situations/processes may be analyzed and documented by an SME. These will be managed informally, documented in the process tools (e.g., TrackWise record, instrument qualification document, notebook record), or incorporated into a procedure.

Establishment of a Risk Register
  • A risk register(s) will be maintained, comprising a ranking of risks identified through risk assessment of the major deliverables and processes. The Business Unit and the Quality Unit will review the risks identified and decide which risks should be managed through the risk register based on the potential impact on patients and the quality of deliverables.
  • Each risk listed in the register will:
a.  Have a number assigned as per the following scheme:
  2. SEQUENTIAL NUMBER = 1, 2, 3 etc (individual risk within the risk assessment)
b.  SITE
c.  Classify the risk listed qualitatively (e.g., Medium or High).
d.  Address how the risk is managed or controlled.
e.  Document the decision on whether the risk is acceptable under current controls or new controls should be developed.
f.  Contain a reference to an issued risk assessment or other references.
  • It is intended that the register will list high risks and can include medium risks agreed upon during the review as requiring remediation.
  • The risk register will be approved by Management and the Quality Unit.

Risk Review
  • To remain effective, the risk register review will consider the impact of trends in quality events, change controls, and lessons learned from audits/inspections, and the review will be documented at a minimum once every 3 years. This review will also document the removal of risks from the register due to risk reassessment.

Revision History
