SOP for Quality Risk Management (Guideline ICH Q9)

Quality Risk Management: An overall and continuing systematic process for the assessment, control, communication and review of risks to the quality of a pharmaceutical product or medical device across the product lifecycle in order to optimize its benefit-risk balance.


1.0       PURPOSE:

    • This Standard Operating Procedure (SOP) establishes uniform requirements for quality risk management (QRM) utilizing a risk-based systems approach for implementation into a quality system.
    • The Quality Risk Management process shall be based on scientific methodologies and practical decisions.
    • This approach shall be used on all phases of the product lifecycle from the initial development through marketing until the product’s discontinuation and final disposition.

2.0      SCOPE:

    • This SOP applies to Quality Risk Management records for biological products, drug substances, drug products, bulk products and intermediates manufactured by the pharmaceutical company.


    • This SOP is applicable to the management of all types of risk events that have a potential threat to product quality, facility, organization, etc.

3.0      REFERENCES:

    • In House
    • ICH Q9 – Quality Risk Management


4.0      RESPONSIBILITY:

    • Manufacturing head/designee shall be responsible to demonstrate a commitment to the risk management process by:

      • Providing leadership for the risk management process to ensure that ongoing Quality Risk Management processes operate effectively.
      • Ensuring adequate resources for execution.
      • Creating a cross-functional team across various functions and departments and appointing a Team Leader appropriate to the risk being considered.
    • Manufacturing head/designee shall be responsible to ensure the following principles of Quality Risk Management are applied:

      • The evaluation of the risk to quality is based on scientific knowledge and ultimately linked to the protection of the patient.
      • The level of effort, formality, and documentation of the quality risk management process should be aligned with the level of risk.
      • To assure coordination of quality risk management across the various functions and departments.
      • To facilitate continuous improvement in manufacturing resulting from knowledge gained through periodic Quality Risk Management system reviews.


    • Quality head/designee shall be responsible to:

      • Authorize and oversee the creation of Quality Risk Management procedures that include the requirements established in this SOP.
      • Ensure appropriate training of personnel involved in Quality Risk Management activities and provide for traceable record keeping of such training.
      • Maintain a GMP compliant document control system for the review, approval, issuance, maintenance and archiving of Quality Risk Management Records throughout the product or device lifecycle.
      • Ensure all paper-based or electronic Quality Risk Management documents are prepared, securely stored, executed, reviewed, approved, signed and dated by appropriately trained, responsible persons and distributed according to written procedures.
      • Serve as the gatekeeper for initiation of and as a final approver for Quality Risk Management activities and reports.
      • Ensure personnel alert the Quality Unit in accordance with the current version of the SOP for Deviations/Incidents if they observe a possible product quality risk so it can be evaluated to determine if initiation of a Quality Risk Management process is warranted.
    • Quality Risk Management cross-functional team (CFT) leader or relevant stakeholder/designee shall be responsible for:

      • Serve as the initiator of QRM change control activities and the preparer of the quality risk management control strategy and a risk assessment.
      • Prepare related reports and records or delegate these duties to qualified team members for specific aspects of the Quality Risk Management process.
      • Ensure assigned Quality Risk Management design and implementation teams are qualified to perform assigned tasks and include subject matter experts (SMEs) from the affected areas (e.g., quality unit, business development, engineering, regulatory affairs, production operations, sales and marketing, legal, statistics and clinical, as appropriate), as well as SMEs in the QRM process.
      • Oversee that all documentation related to specific product/process Quality Risk Management activities is:
        • Completed per established schedule.
        • Securely maintained in the quality risk management record.
        • Filed in accordance with site document control procedures.
        • Accessible to relevant staff, reviewers or inspectors.
        • Traceable at the time of inspection.
    • Assure Quality Risk Management documentation is satisfactory and approved by QA prior to the implementation of any new method/process or proposed change to an existing method or process in accordance with the current version of the SOP for Change Control Management.


5.0      ABBREVIATIONS:

    • A/E: Adverse Event
    • APR: Annual Product Review
    • CAPA: Corrective and Preventive Action
    • CQ: Corporate Quality
    • FMECA: Failure Mode Effects and Criticality Analysis
    • HACCP: Hazard Analysis and Critical Control Points
    • QRM: Quality Risk Management
    • SME: Subject Matter Expert

6.0      DEFINITION- Quality Risk Management:

    • A/E Adverse Event:

    • Any unfavorable or unintended sign, symptoms or disease, or laboratory or physiological observations associated with the use of a drug product, whether or not considered related to the drug product.
    • An A/E may occur in association with the use of drug product in professional practice, from a drug overdose (accidental or intentional), from drug abuse, from drug withdrawal, and from any failure of expected pharmacological action.
    • Annual Product Review (APR): The Annual Product Review is developed for products marketed in the U.S. and countries other than the EU. The report is an annual assessment of each product produced at a given site, compiling a broad range of Quality product/process indicators.
    • Corrective Action/Preventive Action:

    • A concept with current Good Manufacturing Practice (cGMP) that focuses on the systematic investigation of root causes of unexpected incidences to prevent their recurrence (corrective action) or to prevent their occurrence (preventive action).
    • Corrective Action:

    • Action is taken to eliminate the causes of an existing nonconformity, defect or other undesirable situation, in order to prevent a recurrence.
    • Preventative Action:

    • Action is taken to eliminate the cause of a potential nonconformity, defect or other undesirable situation, in order to prevent occurrence.
    • Cross-Functional Team:
    • A group of people with different functional expertise working toward a common goal.
    • The team may be responsible for the development, review, and implementation of the Risk Assessment.
    • Contract Manufacturing Organization (CMO)/In-License Third-Party Manufacturer:

    • An organization that supports any part of, or completes the process of manufacturing, labeling, packing, testing, and distribution of product on behalf of another organization.
    • Contract manufacturing involves the production of goods by an organization, under the label or brand of another organization.
    • Control Strategy:

    • A planned set of controls, derived from current product and process understanding that assures process performance and product quality.
    • The controls can include parameters and attributes related to drug substance and pharmaceutical product materials and components, facility and equipment operating conditions, in-process controls, finished product specifications, and the associated methods and frequency of monitoring and control.
    • Decision Maker(s):

    • Person(s) with the competence and authority to make appropriate and timely quality risk management decisions.
    • Failure: The condition or fact of not achieving an expected result; a cessation of proper functioning or performance.
    • FMEA Failure Mode and Effects Analysis: Bottom-up analysis of each potential failure mode in every subsystem to determine its effect on other subsystems and on the function of the system.
    • FMECA Failure Mode Effects and Criticality Analysis: Follow-up to FMEA which classifies each effect according to its severity and probability of occurrence.
    • Hazard Analysis and Critical Control Points: A structured seven-step process to analyze, evaluate, prevent and control risk and adverse events based on technical/scientific principles.
    • Harm: Physical injury or damage to the health of people including the damage that can occur from loss of product quality or availability, or to property or the environment.
    • Hazardous Situation: Circumstance where people, property, or the environment potentially are exposed to one or more hazards resulting in harm.
    • Lifecycle: All phases in the life of a product from the initial development through marketing until the product’s discontinuation.
    • Objective Evidence: Data supporting the existence of information based on facts that can be proven through analysis, observation, measurement, testing, and other such means.
    • Out-of-Specification (OOS) Results:

    • Test results that fall outside the specification or acceptance criteria established in drug application, drug master file, and official compendia or pre-determined by the manufacturer.
    • Out-of-Trend (OOT) Results: Test results that do not follow the expected trend in comparison with the previous test results.
    • Product Quality Review: An annual assessment, as required by the EU completed for each drug product and starting material produced at a given site compiling a broad range of Quality product/process indicators and distributed in the EU following requirements provided in this standard.
    • Prospective Analysis: Assesses the probable occurrence of future events.
    • Record: Document stating results achieved or providing evidence of activities performed.
    • Retrospective Analysis: Assesses the causes of past events.
    • Risk: The combination of the probability of the occurrence of harm and the severity of harm.
    • Risk Acceptance: The decision to accept the risk.
    • Risk Analysis: The estimation of the risk associated with the identified hazards.
    • Risk Assessment:
    • A systematic process of organizing information to support a risk decision to be made within a risk management process.
    • It consists of the identification of hazards and the analysis and evaluation of risks associated with exposure to those hazards.
    • Risk Communication:

    • The sharing of information about risk and risk management between the decision-maker and other stakeholders.
    • Risk Control: Actions of implementing risk management decisions.
    • Risk Estimation: Process used to assign values to the probability of incurring harm, the detectability of failures and the severity of harm.
    • Risk Evaluation: The comparison of the estimated risk to given risk criteria using a quantitative or qualitative scale to determine the significance of the risk.
    • Risk Identification:

    • The systematic use of information to identify potential sources of harm (hazards) referring to risk question or problem description. Information can use historical data, theoretical analysis, informed opinions and concerns of stakeholders.
    • Risk Management:

    • The systematic application of quality management policies, procedures, and practices to the tasks of assessing, controlling, communicating and reviewing risk.
    • Risk Reduction: Actions taken to lessen the probability of occurrence of harm and the severity of that harm.
    • Risk review: Review or monitoring of output/results of the risk management process considering (if appropriate) new knowledge and experience about the risk.
    • Subject Matter Expert: An individual, who is educated, trained, experienced and recognized in a particular field or subject matter.
    • Verification: Confirmation, through the provision of objective evidence, that specified requirements have been fulfilled.


7.0      PROCEDURE:

    • Perform Risk Management by using a systematic process, designed to coordinate, facilitate and improve science-based decision making with respect to risk.
    • Occurrence based events like OOS, market complaints, unplanned deviations, etc. as well as system-based events like change controls, planned deviations, etc. shall undergo risk management process.
    • Implementation of the quality risk management process includes the following major steps:
    • Risk assessment (identification / analysis /evaluation).
    • Risk control (reduction, acceptance) conducted commensurate with the level of risk.
    • Risk review (evaluating and communicating the results of the risk management efforts).

Note: Since risk management is an iterative process, it should be repeated if new information is developed that changes the need for, or nature of, risk management.

    • Initiating and planning the Quality Risk Management process:
    • Identify a qualified and quality risk management team leader and cross-functional team (CFT) with experience from the affected areas and trained in the Quality Risk Management process.
    • Define the question or problem statement (e.g. a problem and/or risk question).
    • Include pertinent assumptions identifying the potential for risk.
    • Assemble background information and/or data on the potential hazard, harm or impact relevant to the risk and gather appropriate information for consideration and inclusion in the Quality Risk Management Process including but not limited to:
      • Master formulae
      • GMP requirements
      • Regulatory commitments
      • Validation documents, as applicable
      • Technical information/reports
      • Pilot plant data
      • Development Protocols and Reports
      • Product specifications/packaging specifications
      • Bill of materials
      • Change control documents
      • Investigation report commitments
      • Audit commitments
      • Regulatory inspection findings / commitments
      • Related subject SOPs
      • Annual / Product Quality Reviews (APR/PQR)
      • Rework or reprocess documentation
      • Product-specific equipment or tools used in manufacturing
      • License documents, license applications or equivalent documents.
      • Formal, approved drawings showing the movement of materials, personnel, and equipment through all production areas.
    • Specify a timeline, deliverables and appropriate level of decision making for the Quality Risk Management process.
    • Complete the risk assessment (refer to the section below on process for completing a risk assessment to classify risk):

    • Risk identification: A systematic use of objective evidence to identify hazards through processes like collection and organizing information, reviewing appropriate references and identifying assumptions. The information required for risk identification shall be gathered from questions like:
      • What might go wrong?
      • What is the likelihood it will go wrong?
      • What are the consequences?
    • Risk analysis: Identify the likelihood (probability) that the risk will occur.
    • The estimation of the risk associated with the identified hazards. Include in the risk analysis process a link between the likelihood of occurrence and the severity of harm.
    • For each risk event (i.e. identified potential hazards), severity, probability of occurrence and detection shall be assessed separately.
    • Risk evaluation: Identify the consequences (severity) of the risk. Compare the identified and analyzed risk against given risk criteria considering the probability, detectability, and severity.
    • Risk Control (Quality Risk Management):

    • Risk reduction: The mitigation, avoidance or elimination of the quality risk with a focus on the severity and/or probability of the harm.
    • A decision-making activity to determine if the risk is above an acceptable level.
    • Identify corrective and preventative actions (CAPA) to reduce, manage or eliminate the risk considering the appropriate balance between benefits, risks, and resources.
    • Risk acceptance: The decision to accept the risk which may require support by the sponsoring leader and stakeholders being affected by the risk.
    • Risk Review:

    • Review events: Such as the Annual Product Review/Product Quality Review reports that serve as a mechanism to review the output and results of the Quality Risk Management process.
    • Risk Communication (Quality Risk Management):

    • Ensure bi-directional sharing of information between departments and within the organization about any identified risk and risk management strategies employed by the Quality Risk Management team leader / CFT members.
    • Escalation of significant quality concerns shall be initiated in accordance with the SOP of Management Notification.
    • The sharing of information can be formal and/or informal. The Quality Risk Management CFT leader will coordinate notifications to external stakeholders, Agency filings or submissions with an appropriate site or quality unit representative.
    • Communication can occur at any stage of the Quality Risk Management process.
    • Document and communicate the output/result of the Quality Risk Management process.
    • Process for completing a risk assessment to classify risk:
    • Refer to Annexure 1 – Determination of risk category (Risk Assessment Matrix) (Example Template).
    • Risk assessment of quality-related events shall be performed to classify the risk category.
    • The level of risk shall, in turn, help in prioritization of investigation, and finalization of strategy and CAPA used to resolve the incident/event.
    • The following three factors shall be considered when assessing the level of risk:
      • Severity/impact of risk
      • Probability of occurrence
      • Probability of detection (State of controls)
  • Assessment of Severity (S) / impact of event/incident on product quality and patient safety:

    • Having determined that the event/incident may have a risk(s) on the safety, identity, strength, purity, and quality of the product, the Quality Risk Management team leader / CFT shall assign a risk rating as per table A below:

Table A: Severity / Impact – Rating and Criteria

Risk Rating 1-2 (Low):
  • No impact on product identity, strength, purity, and quality
  • Minor GMP non-compliance
  • No impact on patient safety (defects which may not pose any significant hazard to health)

Risk Rating 3-4 (Medium):
  • Likely impact on product identity, strength, purity, and quality
  • Major GMP non-compliance
  • The potential impact on patient safety (defects which could cause illness or mistreatment but are not life-threatening or serious ones or are medically reversible)

Risk Rating 5-6 (High):
  • Direct impact on product identity, strength, purity, and quality
  • Critical GMP non-compliance
  • Critical impact on patient safety (defects which are potentially life-threatening or could cause serious risk to health)


    • Examples of ‘Low Severity’ defects include (but are not limited to):

    • Missing or wrong text/figures on the packaging which will, however, not affect the product/batch identity or usage instructions.
    • Faulty closure, which will not cause any medical consequences.
    • Insignificant
    • Faulty secondary or tertiary packaging, which will not, however, affect product quality.
    • Poor / improper presentation of product containers.
    • Quality defects which are likely to cause efficacy issues, but will not cause any significant hazard to health.
    • Examples of ‘Medium Severity’ defects include (but are not limited to):

    • Quality defects which are likely to cause AE/efficacy issues which are, however, not life-threatening or serious ones, or are medically reversible.
    • Failure to meet specifications (such as for Assay, Stability, Fill Weight, etc.)
    • Wrong/missing text or figures which may affect the product identity/usage instructions (e.g. missing or incorrect manufacturing/expiry date, missing patient information leaflets or leaflets with incorrect information), significant shortages
    • Extraneous matter in non-injectable / non-ophthalmic products that may not have life-threatening consequences.
    • Insecure closure with medical consequences (e.g. potent products such as cytotoxic, etc.)
    • Examples of ‘High Severity’ defects include (but are not limited to):

    • Quality defects which are likely to cause AE/ efficacy issues with life-threatening consequences.
    • Any extraneous matter in injectable and ophthalmic products.
    • Extraneous matter in non-injectable / non-ophthalmic product with life-threatening consequences (like metal, glass, etc.)
    • Wrong product (label and contents are different).
    • Correct product but wrong strength, with serious medical consequences.
    • Microbial contamination of sterile injectable or ophthalmic products.
    • Chemical contamination (abnormal impurities, cross-contamination, etc.) with serious medical consequences.
    • Mix-up of some products (rogues).
    • The wrong active ingredient in a multi-component product, with serious medical consequences.

Note: Categorization examples quoted in this section are provided for illustration only and are not meant to be exhaustive.

  • Assessment of Probability of Occurrence (O) of the Cause:

    • The review of the cause of the incident/event to determine the ‘probability of occurrence’ in the future.
    • The Quality Risk Management team leader / CFT shall assign a rating as per table B below:

Table B: Probability of Occurrence – Rating and Criteria

Risk Rating 1-2 (Low):
  • The quality-related event is unlikely to occur (i.e. it has not occurred in the past and is not expected to occur or recur)

Risk Rating 3-4 (Medium):
  • The quality-related event may occur (i.e. it has occurred infrequently in the past and is expected to recur)

Risk Rating 5-6 (High):
  • The quality-related event is likely to occur (i.e. it has occurred in the past on a frequent basis and is definitely expected to occur again).

Note: Definitions of ‘past’ and ‘frequent’ for calculation of the probability of occurrence of product quality complaints (PQCs) shall be customized by considering at a minimum, the actual frequency of occurrence of such events. These definitions shall be captured in specific site/regional procedures.

Example: If a site has an average of 5 recalls in a year, ‘past’ may be defined as: ‘2 years’ and ‘frequent’ may be defined as ‘more than 2’. However, if the same site receives an average of 30 recalls in a year, it is more logical to define ‘past’ as ‘6 months’ and ‘frequent’ as – ‘more than 5’.

(Please note: this example is only for the purpose of illustrating the logic to be used to frame the definition of ‘past’ and ‘frequent’; this should not be considered as a benchmark for the definitions).


  • Assigning Level of Risk Based on ‘Severity of Impact’ (S) and ‘Probability of Occurrence’ (O):

    • After assessing the ‘Severity of impact’ and ‘probability of occurrence’ the Quality Risk Management team leader / CFT shall assign a risk level as shown in table C.
    • It should be noted that severity (i.e. the impact on the patient) carries a heavier weighting than the probability of occurrence:

Table C: Risk Level based on Severity & Probability of Occurrence (Qualitative Analysis)


  • Assessment of the ‘Probability of Detection’ (D) (or ‘State of Control’):

    • The purpose of this stage in the risk assessment process is to determine if there are sufficient controls to ensure that the cause for the incident/event can be recognized or detected and prevented from recurrence.
    • The incident/event may have occurred due to a lapse in the application of existing controls or may be due to the absence of sufficient controls.
    • The Quality Risk Management team leader / CFT shall assess the state of controls surrounding the incident/event and assign a rating as per table D below:

Table D: Probability of Detection (State of Controls) – Rating and Criteria

Risk Rating 5-6 (Weak):
  • The Quality System has either ‘weak’ or ‘no’ controls to detect the quality-related event after its occurrence and prevent it from recurring, e.g. systems are nonvalidated or with perception-based evaluation techniques, process controls are dependent on human efficiency, etc.
  • There is a low chance the current controls will detect the quality event after its occurrence.
  • Explanation:
    • There is little to no chance that the patient will detect the quality issue after its occurrence.
    • Passes the faults (to the patient) undetected.
    • Quality System has weak controls to detect the quality-related event after its occurrence and prevent it from recurring (e.g., systems are not validated).

Risk Rating 3-4 (Medium):
  • The system has controls and will possibly detect the quality-related event after its occurrence.
  • Explanation:
    • Patient will possibly detect the quality issue after its occurrence.
    • Some faults may be detected; several coincident faults may go undetected.
    • The quality system has controls and will possibly detect the quality-related event after its occurrence and avoid it from recurring (e.g., Statistical Process Control is used in the process, but the product undergoes final inspection off-line).

Risk Rating 1-2 (Strong):
  • The system has multiple controls and is very likely to detect the quality-related event after its occurrence.
  • Explanation:
    • Patient is very likely to detect the quality issue after its occurrence.
    • The fault will be caught certainly or most certainly.
    • The quality system has multiple controls and is very likely to detect the event after its occurrence and prevent it from recurring (e.g., 100% automatic inspection with regular calibration and preventive maintenance of the inspection equipment, validated systems having multi-level checks, alarm systems/ direct measurement techniques to monitor faults).


    • Final Risk Classification:

    • Using the results of the risk assessment process as described in the earlier sections to identify the level of risk based on the ‘severity’ and ‘probability of occurrence’ of the quality issue and corresponding ‘probability of detection’ (state of controls), the team leader / CFT shall assess the risk and classify the same as ‘critical’ / ‘major’ / ‘minor’ as also defined in table E:

Table E: Final Risk Classification



  1. Upgrade the risk level determined through this matrix to a higher level, if needed, based on a case-by-case evaluation by QA.
  2. If severity, probability of occurrence, and the probability of detection are determined to be ‘not applicable’ (example: alleged lack of effect (LOE), PQC received for non-company products, etc.), the risk category shall be concluded as ‘unclassified.’
  3. In case of quantitative analysis, risk priority number (RPN) shall be calculated using the rating values of Severity (S), Probability of Occurrence (O) and Detection (D):

Risk priority number (RPN) = S x O x D

    • Risk Evaluation:
    • Determine the risk category / calculate the RPN values.
    • Annexure 1 (Risk Assessment Form – Qualitative Risk Assessment) and 3 (Risk Assessment Form – Quantitative Risk Assessment) may be used for evaluating the risks.

Risk Evaluation (Qualitative Analysis)

| Risk Category | Action item |
|---|---|
| Minor | Acceptable |
| Major | Acceptable with control/explanation of control |
| Critical | Requires control measure before acceptance |

    • For quantitative assessment, the risk evaluation is as given below:

Risk Evaluation (Quantitative Analysis): Risk Ratings and Classification

| Events | Minor | Major | Critical |
|---|---|---|---|
| Risk on product/patient | < 20 | < 60 | ≥ 60 |
| Risk on people/facility/organization | < 25 | < 75 | ≥ 75 |


    • Risk Control/Mitigation:

    • The output of the risk assessment exercise shall be considered by the CFT nominated to perform the Risk Control/Mitigation exercise to identify the action plans for control/mitigation of risk as immediate action based on risk evaluation.
    • This may lead to the correction of process, procedures, and practices to avoid the aggravation of the impact of the risk.
    • Risk control/mitigation shall focus on the following questions:
      • Is the risk above an acceptable level?
      • What can be done to reduce or eliminate risks?
      • What is the appropriate balance among benefits, risks, and resources?
      • Are new risks introduced as a result of the identified risks being controlled?
    • Control measures/CAPA shall be considered for risk control/mitigation and shall be implemented using applicable procedures for the same.
    • Such actions shall be prioritized to control/mitigate the risk or reduce it to an acceptable level.
    • Risk Reduction (Quality Risk Management):

    • Risk reduction shall focus on processes for control/mitigation or avoidance of quality risk when it exceeds an acceptable level. It might include actions taken to mitigate the probability of harm.
    • It may be achieved by (but is not limited to):
      • Improvement in the quality of the product by design – this may include improvement in the process, procedures, control measures, monitoring.
      • Change of process and/or procedures.
      • Revision of specification to stringent limits.
      • Improvement of the periodicity of the measurement of parameters.
      • Change in the frequency of calibration, qualification, validation, quality system internal audits in order to proactively identify the chances of the risk.
    • Risk Acceptance (Quality Risk Management) :

    • Risk acceptance is a decision to accept the identified & evaluated risk. It is a formal decision to accept the residual risk. For some types of harms, even the best quality risk management practices might not entirely eliminate risk.
    • In these circumstances, it might be agreed that the optimal quality risk management strategy has been applied and that quality risk is reduced to an acceptable level.
    • This acceptable level will depend on many parameters and shall be decided on a case-by-case basis as explained in Table F:

Table F: Action items based on Risk Classification

| Overall Risk Classification | Action item |
|---|---|
| Minor | Acceptable |
| Major | Acceptable as an isolated exception, if states of control can be improved. States of control have to be improved, where visible |
| Critical | Not Acceptable. Improve the States of control |


    • Risk Communication and Reporting:

    • Risks identified by the risk analysis/evaluation steps shall be communicated to relevant stakeholders.
    • The table given below shows risk categories and their level of communication and reporting in the organization.

Table G: Communication and Reporting

| Risk Type | Communication and Reporting |
|---|---|
| Minor | Functional Head / Quality-Head (Manufacturing Site/Location) |
| Major | Functional Head / Quality-Head (Manufacturing Site/Location), Head-Regional Quality |
| Critical | Functional Head / Quality-Head (Manufacturing Site/Location), Head-Regional Quality, Head-Global Quality and Compliance, Head-Global Manufacturing, Managing Director |


    • In any case, risk on patient safety and risk on quality which is classified as ‘major’ or ‘critical’ should be formally reported on a monthly basis.
    • Risk Review (Quality Risk Management):

    • Effectiveness of control measures / CAPA implemented to reduce the risk level shall be reviewed. The CFT shall decide the effectiveness review criteria with respect to:
      • What and Why to review?
      • How to review?
      • When to review?
      • Who will review?
    • Handle the risk review action plan through action item/actionable, tasks, or CAPA for effectiveness verification.
    • Review/close the risk assessment as per site-specific procedures.
    • Risk Management Tools:

    • Numerous risk management tools are available to support objective, science-based decisions, used either alone or in combination.
    • No one tool or set of tools is applicable to every situation in which a quality risk management procedure is used; the selection of a tool should be commensurate with the level of risk.
    • Listed below are examples of tools successfully used in Quality Risk Management by industry and regulators (also reference annexure IV – Examples of common risk management tools), but it is not an exhaustive list:
    • Flow Charting – well suited as a first step
    • Brainstorming – free form collaborative discussion among key stakeholders of possible solutions to an identified problem or question
    • Process mapping – the visual representation of workflow inputs and outputs
    • Statistical tools
    • Risk ranking & filtering
    • Preliminary hazard analysis (PHA) – focuses on hazardous situations
    • Root cause analysis – suited for retrospective analysis
    • Ishikawa or Fish Bone Diagrams (also called Cause and Effect Diagrams) – suited for defining process variables and process elements
    • FMEA (failure mode and effects analysis)/FMECA (failure mode effects and criticality analysis) – suited for prospective analysis to predict multiple effects
    • HACCP (hazard analysis and critical control points) – supports the identification of critical control points in a process
    • Variation risk management
    • Probabilistic risk analysis
    • Decision trees
    • Event tree analysis
    • FTA (Fault tree analysis) – suited for retrospective analysis
    • Numbering System:

    • Use the following procedure for FMEA document numbering:
    • Give the number to PDR based FMEA in the format of FMEA/XXXX/YY/ZZZ

                     Where XXXX: PDR no., YY: Year such as 12, 13, 14, ZZZ: Serial no. such as 001, 002…

    • Give the number to BMR based FMEA in the format of FMEA/XXXX/YY/ZZZ

                     Where XXXX: MBR no., YY: Year such as 12, 13, 14, ZZZ: Serial no. such as 001, 002…

    • Give the number to Department/Section based FMEA in the format of FMEA/XXX/YY/ZZZ

                     Where XXX: Department code, or equipment code in case of equipment/instrument/utility, YY: Year such as 12, 13, 14, ZZZ: Serial no. such as 001, 002… Department codes are the following:

| Sr. No. | Department Code | Department |
|---|---|---|
| 1 | QAD | Quality Assurance |
| 2 | QCD | Quality Control |
| 3 | COM | Compression |
| 4 | GRN | Granulation |
| 5 | WHD | Warehouse |
| 6 | MND | Engineering |
| 7 | ITD | Information Technology |
| 8 | PAD | Personnel and Administration |
| 9 | CAP | Capsule |
| 10 | PAC | Packing |
| 11 | COT | Coating |
| 12 | EHS | Environmental, Health and Safety |


    • Requirements (Quality Risk Management):

    • Occurrence based events including (but not limited to): OOS, product quality complaints, unplanned deviations, etc., as well as system-based events like change controls, planned deviations, etc., shall be submitted to the quality unit for Quality Risk Management process initiation.
    • Any deviation from the written procedures or processes shall be recorded, justified and, if warranted, identified as an event and investigated, then assessed or reexamined in accordance with the quality risk management process.
    • Processes using Quality Risk Management methodologies should be dynamic, iterative and responsive to change.
    • Enable the capability for continual improvement in the Quality Risk Management process.
    • Do not reduce an acceptable level of risk to a simple constant value:
    • This is due to the wide range of possible risk acceptance levels that a variety of real-world circumstances will present.
    • How the values were determined shall be documented since they will depend on parameters used by the Quality Risk Management team leader / CFT on a case-by-case basis.
    • Control measures/CAPA shall be considered for risk control/mitigation and shall be implemented in accordance with SOP corrective and preventive action. Such actions shall be prioritized to control/mitigate the risk or reduce it to an acceptable level.

8.0      ANNEXURES:

  • Schematic Representation of the Quality Risk Management Process (Annexure 1).

                  Annexure 1-Risk Management Process



  • Risk Assessment Form – Qualitative Risk Assessment “Example Template” (Annexure 3)


Annexure 3


  • Risk Assessment Form – Quantitative Risk Assessment “Example Template” (Annexure 4)


Annexure 4-Risk Management Process


  • Examples of Common Risk Management Tools (Annexure 5)

| Risk Management Tool | Description, Attributes | Potential Applications |
|---|---|---|
| Diagram Analysis, Flowcharts, Check sheets, Process mapping, Cause/effect diagrams | Simple techniques that are commonly used to gather and organize data, structure risk management processes and facilitate decision-making. | Compilation of observations, trends or other empirical information to support a variety of less complex deviations, complaints, defaults or other circumstances. |
| Risk Ranking and Filtering | Method to compare and rank risks. Typically involves evaluation of multiple diverse quantitative and qualitative factors for each risk, and weighting factors and risk score. | Prioritizing operating Areas. Useful for situations when the risks and underlying consequences are diverse and difficult to compare using a single tool. |
| Fault-Tree Analysis | The method used to identify all root causes of an assumed failure or problem. Used to evaluate system or subsystem failures one at a time, but can combine multiple causes of failure by identifying causal chains. Relies heavily on full process understanding to identify causal factors. | Investigate product complaints. Evaluate deviations. |
| Hazard Operability Analysis | The tool assumes that risk events are caused by deviations from the design and operating intentions. Uses a systematic technique to help identify potential deviations from normal use or design intentions. | Assess manufacturing processes, suppliers, facilities and equipment. Commonly used to evaluate process safety hazards. |
| Hazard Analysis and Critical Control Point | Identify and implement process controls that consistently and effectively prevent hazard conditions from occurring. The bottom-up approach that considers how to prevent hazards from occurring and/or propagating. Emphasizes the strength of preventive controls rather than the ability to detect. | Better for preventive applications than reactive. Valuable precursor or complement to the process validation. Assessment of the efficacy of critical control points and the ability to consistently execute them for any process. |
| Failure Modes Effects Analysis (FMEA) | Assumes comprehensive understanding of the process and that CPPs have been defined prior to initiating the assessment. The tool ensures that CPPs will be met. Assesses potential failure modes for processes, and the probable effect on outcomes and/or product performance. Once failure modes are known, risk reduction actions can be applied to eliminate, reduce or control potential failures. Highly dependent upon a strong understanding of the product, process and/or the facility under evaluation. Output is a relative “risk score” for each failure. | Evaluate equipment and facilities; analyze a manufacturing process to identify high-risk steps and/or critical parameters. |

Note: A quantitative version of FMEA is known as Failure Modes, Effects, and Criticality Analysis.



  • Risk Assessment Register (Annexure 6)



| Product | FMEA No. | Department | Done by | Reviewed by | Remarks |
|---|---|---|---|---|---|


Janki Singh is experienced in Pharmaceuticals, author and founder of Pharma Beginners, an ultimate pharmaceutical blogging platform.
