Risk assessment consists of the identification of hazards and the analysis and evaluation of risks associated with exposure to those hazards, as defined below. Quality risk assessments begin with a well-defined problem description or risk question. When the risk in question is well defined, an appropriate risk management tool and the types of information needed to address the risk question will be more readily identifiable. As an aid to clearly defining the risk for risk assessment purposes, three fundamental questions are often helpful:
1. What might go wrong?
2. What is the likelihood (probability) it will go wrong?
3. What are the consequences (severity)?
RISK IDENTIFICATION:
A systematic use of information to identify hazards referring to the risk question or problem description. Information can include historical data, theoretical analysis, informed opinions, and the concerns of stakeholders. Risk Identification addresses the “What might go wrong?” question, including identifying the possible consequences. This provides the basis for further steps in the quality risk management process.
RISK ANALYSIS:
The estimation of the risk associated with the identified hazards. It is the qualitative or quantitative process of linking the likelihood of occurrence and severity of harms. In some risk management tools, the ability to detect the harm (detectability) also factors in the estimation of risk.
RISK EVALUATION:
Risk evaluation compares the identified and analyzed risk against given risk criteria. Risk evaluations consider the strength of evidence for all three of the fundamental questions. In doing an effective risk assessment, the robustness of the data set is important because it determines the quality of the output. Revealing assumptions and reasonable sources of uncertainty will enhance confidence in this output and/or help identify its limitations. Uncertainty is due to a combination of incomplete knowledge about a process and its expected or unexpected variability. Typical sources of uncertainty include gaps in knowledge, gaps in pharmaceutical science and process understanding, sources of harm (e.g., failure modes of a process, sources of variability), and probability of detection of problems.
The output of a risk assessment is either a quantitative estimate of risk or a qualitative description of a range of risk. When risk is expressed quantitatively, a numerical probability is used. Alternatively, risk can be expressed using qualitative descriptors, such as “high”, “medium”, or “low”, which should be defined in as much detail as possible. Sometimes a “risk score” is used to further define descriptors in risk ranking. In quantitative risk assessments, a risk estimate provides the likelihood of a specific consequence, given a set of risk-generating circumstances. Thus, quantitative risk estimation is useful for one particular consequence at a time. Alternatively, some risk management tools use a relative risk measure to combine multiple levels of severity and probability into an overall estimate of relative risk. The intermediate steps within a scoring process can sometimes employ quantitative risk estimation.

Quality risk management supports a scientific and practical approach to decision-making. It provides documented, transparent and reproducible methods to accomplish steps of the quality risk management process based on current knowledge about assessing the probability, severity and sometimes detectability of the risk.
Traditionally, risks to quality have been assessed and managed in a variety of informal ways (empirical and/or internal procedures) based on, for example, compilation of observations, trends and other information. Such approaches continue to provide useful information that might support topics such as handling of complaints, quality defects, deviations and allocation of resources.
Additionally, the pharmaceutical industry and regulators can assess and manage risk using recognized risk management tools and/or internal procedures (e.g., standard operating procedures). Below is a non-exhaustive list of some of these tools:
- Basic risk management facilitation methods (flowcharts, check sheets etc.);
- Failure Mode Effects Analysis (FMEA);
- Failure Mode, Effects and Criticality Analysis (FMECA);
- Fault Tree Analysis (FTA);
- Hazard Analysis and Critical Control Points (HACCP);
- Hazard Operability Analysis (HAZOP);
- Preliminary Hazard Analysis (PHA);
- Risk ranking and filtering;
- Supporting statistical tools.
It might be appropriate to adapt these tools for use in specific areas pertaining to drug substance and drug (medicinal) product quality. Quality risk management methods and the supporting statistical tools can be used in combination (e.g., Probabilistic Risk Assessment). Combined use provides flexibility that can facilitate the application of quality risk management principles.
The degree of rigor and formality of quality risk management should reflect available knowledge and be commensurate with the complexity and/or criticality of the issue to be addressed.