When I sat down to write this two-part article series on quality risk management (QRM), I was debating whether to write an article on best practices or a cautionary tale on things I have seen during my 15 years of consulting on its implementation. I decided on both.
The International Conference for Harmonisation guidance on this topic (ICH Q9 – Quality Risk Management) entered stage 4 of its life cycle in 2005,1,2 two years before I branched out into the consulting world. So, I had experience as the head of quality when I rolled it out into my company. Of course, I had used the techniques for several decades before, although it was not a requirement, at least in the U.S. in the drug development and manufacturing world. But in the consulting world, I did see a lot more instances of its rollout than if I had simply worked for a single company. As a consultant, I have taught courses on QRM and its implementation as well as seen it in action in many companies. These are some of my observations and lessons learned.
Applying QRM Techniques
ICH Q9 has a very good addendum that illustrates the various areas in which QRM can be used. They can be split up into two categories: reactive and proactive. Many of the techniques in QRM, which are described in another appendix, are very well known and used extensively in the reactive mode to investigate deviations, discrepancies, and complaints, as well as out-of-specifications. Basically, you analyze the situation, asking the questions, “What could have gone wrong?” and “What is the probability that it happened this way?” Many of these techniques are well engrained in our thinking. However, we can use the same techniques in a more proactive manner. That same addendum illustrates these as well. The techniques can be used in designing a process or product or in the device world to develop and document a product (process and product development). But it does not stop there. You can use these techniques to design other processes, including operational processes such as environmental monitoring and stability programs, to name just two. We can use the techniques to streamline and optimize our quality management system (QMS). I have used it to determine the frequency, duration, and manpower used for our auditing programs. Change control has embedded it in its process elements of risk management. Our calibration, maintenance, and validation programs utilize these techniques well. Annual product review can take advantage of the techniques, too. The scope is limited just by your own imagination.
In the reactive mode, we can use the techniques to get to the root cause of a problem, but the techniques can give us more. We can use the techniques to evaluate the potential solutions, asking which of the two solutions we might uncover can give us a “better” result, that is, to remove risk. While an engineering or hard fix can eliminate more risk than a softer procedural solution, the techniques allow us to weigh the advantage of one over the other and ask whether it is really worth the extra effort in one case.
We can take it one step further by introducing an analysis of the costing of two potential solutions. That is the dollar cost, the time cost, and perhaps even the regulatory cost. From the analysis, you might conclude that the softer fix may be better in the short run, with the hard fix coming along later. So, risk can be used in many different manners.
Avoid Adding Complexity And Rigidity To Your Operations
QRM, when introduced properly, should be a value-added activity. Sometimes, I have seen it not adding the value it should. Two examples jump to mind.
I have seen, at least once in my consulting time, a company that developed a separate risk management function that literally came around after each decision was made and performed a risk assessment. Thus, they added a separate process step in all major decisions. It was akin to the situation that companies get into when operating under a consent decree, where they have to hire a consulting company to QA the QA decisions. That is not very efficient. The writers of the guidance expected the techniques to be embedded in existing processes to improve decision-making, not as an added bolt-on to existing processes.
The second example is when the tools are embedded in existing processes (good so far), but the tools used become too rigid. This means that the SOP calls for a defined process to be used for risk analysis and does not allow any user choice. It becomes “one size fits all.” This is particularly true when used with investigations. And we know that some investigations are more critical than others. Sometimes, no QRM is needed or a very simple preliminary hazard analysis (PHA) using the high, medium, low (H,M,L) scale suffices. Other situations will need a full FMEA (failure mode and effects analysis) to be performed. Procedures must give the operator some choice, so that the appropriate level of analysis is used. Unfortunately, I have seen too many situations where a full court press FMEA is prescribed for a single missing signature. Do not box yourself into a corner.
Setting Up A Foundation Before Implementing Your QRM Program
We are all guilty of getting into the weeds too quickly and too deeply. You know the situation: something in an investigation stands out and we all jump to the same conclusion. We dash in that direction, ignoring other factors. It is the 6-year-old playing football (soccer) syndrome. As an ex-coach to young kids, I know that teaching them to play positions is important. Otherwise, you see 22 kids all chasing the same ball and getting nowhere.
In the QRM world, it is important to get a good foundation before you implement. A good training session with a coach who knows the techniques helps everybody. Similarly, before you begin, choose the team well. You must have different skillsets, including a good mixture of disciplines, because different people will see the problem or challenge differently. Choose good analytical thinkers for team members. Choose your best performers, not the person put on “special projects” because you do not know what to do with them.
At the beginning, define the scope of the challenge that needs to be solved. That is, what is in scope and what is out of scope? Otherwise, I guarantee scope creep gets into the project and escalates it out of control. That does not mean there might need to be realignment or change of scope. But as a sponsor of the program, you should take an active role in reviewing any scope change, and some may be appropriate.
Courtesy- https://www.meddeviceonline.com/doc/how-to-set-up-an-effective-quality-risk-management-program-0001