
A Guide to Supply Chain Risk Management for the Pharmaceutical and Medical Device Industries and their Suppliers

V.1.0 2010
© 2010 The Chartered Quality Institute


© 2010 The Chartered Quality Institute. All rights reserved. This document may be freely downloaded from the Pharmaceutical Quality Group website at www.pqg.org. The contents of this document should not be sold in whole or in part in any form or by any means. Extracts from this document may be quoted for the purpose of reference or criticism provided full acknowledgement of its source is given. Any other usage of the content of this document requires written permission from The Chartered Quality Institute. The Chartered Quality Institute, 12 Grosvenor Crescent, London SW1X 7EE, UK.

Foreword

The provision of medicines and medical devices to the UK is now a global business. Active pharmaceutical ingredients, components and even finished products are sourced from many different countries. The increasingly complex supply chain for these items exposes the limitations of regulatory oversight by any individual country. This serves to reinforce the need for all in the supply chain to understand their role and work to implement and maintain a robust and comprehensive quality system.

The MHRA has implemented a risk based approach to the inspection of pharmaceutical operations as a key element of its Better Regulation initiative. This approach recognises to a greater degree the ownership of pharmaceutical companies of the quality assurance of their total manufacturing and supply processes. The industry, therefore, is being expected to take overall responsibility for the quality of its output.

The pressure on the industry to fund research into new products and embrace technological advances while containing costs and maintaining material and component availability is challenging and these days inevitably involves outsourcing to a greater or lesser extent. Risk Management should play a key role in the supplier selection, approval and management process if the quality and continuity of supply of medicines and medical devices is to be assured.

This PQG Guide provides an important reference text to assist medicinal product and medical device manufacturers and their suppliers understand their respective responsibilities. The examples, in particular, should help each party to understand the expectations of the other. Company assessments will form a key element of the MHRA's assessment of risk and thereby enable regulations to target our resources in co-operation with Industry to further enhance consumer safety.

Risks are part of life, but it is imperative that processes are in place to identify and manage them in such a way that patients and healthcare professionals can continue to enjoy a reliable supply of safe and effective medicines and medical devices.

Gerald W Heddell, Director Inspection, Enforcement & Standards Division, MHRA


Structure & Acknowledgements


Basic structure of this Risk Management guide
This interactive guide comprises a general introduction followed by 4 parts, a glossary and bibliography. It is easy to navigate around the guide using the recurring index which is hyperlinked to the respective topics. In addition there are links within the contents that allow the user to look at related information. There are both internal and external hyperlinks. Internal links allow navigation of information within the guide and external links permit access to external websites and information.

Part 1 considers specifically the challenges with supply chains and provides an overview of some of the types of controls that can be applied to increase assurance of quality, safety and security of supply.

Part 2 provides an overview of the Risk Management process and emphasises that this is a living and reiterative process. The stages follow a consistent format: Purpose, Inputs, Process, Outputs.

Part 3 gives an overview of a number of readily available Risk Management tools and techniques that have been used in many industries, with guidance on their use and some worked examples and / or templates. The format for each tool provides an overview, some advantages and disadvantages, and advisory notes on its use.

Part 4 provides 19 real-life examples relating to supply chain events. It gives an overview of the scenario and some learning points. The reader may well identify more learning points, and these should serve as a useful tool in order to consider how such events could have been prevented.

Please Note

The authors would like to remind the reader that the guidance given here is advisory. It is recommended that users supplement their understanding of Risk Management from some of the publications listed in the Bibliography.


Note about definitions


Although the glossary defines certain terms used throughout this guide, it is important to make a special point here about possible confusion over the terms risk, harm and hazard. The definitions of these are taken from International Conference on Harmonisation (ICH) Q9 as follows:

- Risk is defined as: The combination of the probability of occurrence of harm and severity of that harm. [ICH Q9]
- Harm is defined as: Damage to health, including the damage that can occur from loss of product quality or availability. [ICH Q9]
- Hazard is defined as: The potential source of harm. [ICH Q9]

The first step in the Risk Management process is known widely as Risk Identification. This should actually be Hazard Identification, but for consistency with the ICH Q9 and other international standards the authors have kept it as Risk Identification.

Specific acknowledgements are given for the contributions of the following people:

Authors
Jill Jenkins, Justin Ahern, David Cock, Sharon Shutler, Richard Smalley, Sharon Hooper


QA reviewers
Phil Butson, Tony Harper, Rowland Lewis, Linda Nield, Kevin MacKenzie, James Pink

PQG Steering Group


Steve Moss, Ashley McCraight, Norman Randall, Ian Richardson

Contributors
Nina Abbassi, Dr Tim Bateman, Ian Birch, Richard Bream, John Cooper, Annie Dallison, John Evans, Adolfo Ferreira, Mark Francom, Roland Gassmann, Esme Gibb, Peter Gough, Michael Grunow, Gerard McAteer, Stephen Mitchell, David Mogg, Jeff Monk, Iain Moore, Dr Ray Noy, Caroline O'Brien, Kevin O'Donnell, Richard O'Keeffe, Bronwyn Phillips, Patricia Rafidison, Stephan Roenninger, Sandra Routledge, Sandra Skarratt, Neil Smith, Tony Storey, Lorna Third, Tony Trill, Neil Wayman

Contents

0 General Introduction

Part 1 Supply Chain Considerations
Appendix 1 - Examples of Different Supply Categories and Key Controls

Part 2 Risk Management Process
2.1 Risk Management Team and Responsibilities
2.2 Risk Assessment
2.2.1 Risk Identification
2.2.2 Risk Analysis
2.2.3 Risk Evaluation
2.3 Risk Control
2.3.1 Risk Reduction
2.3.2 Risk Acceptance
2.4 Risk Communication
2.5 Risk Review

Part 3 Risk Management Toolbox
3.1 Introduction to the Toolbox
3.2 Approach to Implementation
3.3 Risk Assessment
3.3.1 Risk Identification Tools
3.3.2 Risk Analysis Tools
3.3.3 Risk Evaluation Tools
3.4 Risk Control
3.4.1 Risk Reduction Tools
3.4.2 Risk Acceptance Tools
3.5 Risk Communication Tools
3.6 Risk Review Tools
Appendix 1 - Worked example: Ranking and Filtering for Contractor Management
Appendix 2 - Worked example: Medical Device Risk Assessment using a Simplified FMEA
Appendix 3 - Worked example: Supplier Audit Priority using Risk Assessment

Part 4 Supply Chain Examples
4.1 Product Contamination
4.2 Management of Second Tier Suppliers
4.3 Verification of Artwork
4.4 Warehouse Operations & Pest Control
4.5 Temperature Controlled Transportation
4.6 Change Control - Process
4.7 Fraudulent Activities in the Supply Chain
4.8 Errors in Proof Reading
4.9 Change Control - Source of Material
4.10 Implementation of a New Process
4.11 Multiple uses of a Material
4.12 High Bioburden
4.13 Inconsistent Analytical Results
4.14 Continuity of Supply
4.15 Lack of Formal Contracts
4.16 Effect of Global Supply Chains
4.17 Effect of not knowing all the links in a Transport Chain
4.18 Raw Material Source of Origin
4.19 Reuse and Potential Infection

Glossary
Bibliography


General Introduction
Threats to the supply chain feature in the top ten risks of most companies.
Globalisation and the quest for ever more cost effective means of supply have greatly increased the complexity of the supply chain which can often reduce both the knowledge and understanding of the exposure to risk. The 2009 credit crunch and financial crisis significantly raised the level of risk of failure of key suppliers.

Within the context of globalisation, outsourcing and complex supply chains, there is an increasing emphasis on controls around product quality assurance and security of supply. It is the responsibility of each organisation to ensure that their suppliers provide products that are fit for purpose throughout the product lifecycle, from design and development through to supply to the end-user.

The objective of this document is to provide guidance on Supply Chain Risk Management and therefore:

1. Support organisations with varying levels of experience in Risk Management to apply the principles, by minimising supply chain risk and securing both quality and continuity of supply
2. Emphasise to the pharmaceutical and medical device industries and their suppliers the need to
   a. apply Risk Management when making sourcing decisions (from development through to commercial manufacture and distribution)
   b. involve the relevant people (procurement, technical, quality, environment, health and safety, etc.) when making sure that adequate and appropriate controls are in place
3. Encourage suppliers to:
   a. understand the regulatory requirements and expectations of the pharmaceutical and medical device industries
   b. use Risk Management as a tool to understand their customer needs better
   c. identify potential hazards and the risks arising from those hazards that may exist during the manufacture and supply of product (from raw materials to finished goods)


Risk Management can help organisations safeguard the quality and supply of product to customers and ultimately the end user. It is about anticipating hazards and controlling risk through an ongoing process of risk awareness, reduction and / or acceptance, and review. This approach can help justify improvement and investment where it is needed, and prevent both potential problems for customers (e.g. product recalls, or even patient harm) and loss of business.

Applying the principles of Risk Management can provide many of the following benefits:

- improve and develop business relationships between customers and their suppliers, thereby supporting business continuity and security of product supply
- reduce costs
- minimise cost of non-conformance
- improve business efficiency
- increase confidence of customers and regulators
- reduce liability
- increase security of supply
- avoid waste and scrap

With respect to outsourcing, ISO 9001:2008 states that: where an organisation chooses to outsource any process that affects product conformity to requirements, the organisation shall ensure control over such processes; and that the type and extent of control to be applied shall be defined. It further states that outsourced processes do not absolve the organisation of the: responsibility of conformity to all customer, statutory and regulatory requirements.

The Medical Device Directive (Directive 93/42/EEC) has been revised (Directive 2007/47/EC), with compliance effective from 21st March 2010. One of the requirements is for organisations to have control over subcontractors and third parties. It also requires post market surveillance for products already in the market.

Figure 1 (following page) shows the ISO 9004:2009 process-based model, incorporating continual improvement throughout a lifecycle approach. It shows the importance of information flow between the organisation and its customers and the value in activities that meet customers' needs and expectations.

The International Conference on Harmonisation (ICH) describes a pharmaceutical quality system (ICH Q10), which importantly extends to the control and review of any outsourced activities and quality of purchased materials. It defines the accountable organisation as being ultimately responsible for ensuring that processes are in place to assure the control of outsourced activities and quality of purchased materials. It requires that these processes incorporate Quality Risk Management as defined in ICH Q9 and includes:

- Assessing (prior to outsourcing operations or selecting material suppliers) the suitability and competence of the other party to carry out the activity or provide the material using a defined supply chain by use of, for example, audits, material evaluations and qualification
- Defining the responsibilities and communication processes for quality-related activities of the involved parties. For outsourced activities, this should be included in a written agreement between the contract giver and contract acceptor
- Monitoring and review of the performance of the contract acceptor or the quality of the material from the provider, and the identification and implementation of any needed improvements
- Monitoring incoming ingredients and materials to ensure they are from approved sources using the agreed supply chain

This guide to Supply Chain Risk Management does not introduce new concepts; rather it provides guidance on the practical application of existing risk management models to the supply chain. It is consistent with currently developing industry standards and expectations.

Supply Chain Risk Management should be an integrated part of the organisation's business and quality management system.

Figure 1 An extended model of a process-based quality management system[1]

[Figure not reproduced. Diagram labels: Organization's Environment; Customers and Interested Parties (Needs & expectations, Satisfaction); ISO 9001 Clause 5 Management; ISO 9001 Clause 6 Resource management; ISO 9001 Clause 7 Product realization; ISO 9001 Clause 8 Measurement, analysis and improvement; ISO 9004 Clause 4 Managing for the sustained success; ISO 9004 Clause 5 Strategy and policy; ISO 9004 Clause 6 Resource management (extended); ISO 9004 Clause 7 Process management; ISO 9004 Clause 8 Monitoring, measuring analysis and review; ISO 9004 Clause 9 Improvement, innovation and learning; Continual improvement of the quality management system leading to sustained success; Product; Information flow; Value-adding activities; Foundation: Quality management principles (ISO 9000).]

1 - Figure 1 is taken from BS EN ISO 9004:2009 and reproduced here with permission from BSI. No other use of this material is permitted. The complete British Standard can be purchased from the BSI online shop - BS EN ISO 9004:2009


This document is based on the pharmaceutical Quality Risk Management model detailed in ICH Q9 in Figure 2 (below), where Risk Management is defined as: The systematic application of quality management policies, procedures and practices to the tasks of assessing, controlling, communicating and reviewing risk.

The level of effort invested will vary from case to case and should be commensurate with the level of risk. Internationally, regulators are incorporating official guidance on Risk Management into their requirements, and have identified the supply chain as an area of criticality.


Implementing Risk Management

Risk Management should be an integrated part of any business and for successful implementation the following are key foundations:

- there should be top level management support and commitment
- start simply and avoid complexity
- look at internal and external risks
- follow the cycle several times, learn, evolve and embed in the organisation culture

Senior management are responsible for ensuring that the key risks to the organisation are properly identified, assessed and managed. Their commitment is required to ensure the risk management framework is viable and maintained, and that valuable resource is invested correctly and not subsequently wasted.

Risk Management should not be considered as a one off project or event, but as the implementation of a mutually beneficial culture within and between organisations. The risk management development activities should provide a systematic, effective and efficient way by which risk management can be embedded and maintained throughout the organisation. These activities should, as a minimum, comprise the following steps:

- planning
- implementation and maintenance
- monitoring, reviewing and continual improvement
- reporting

The level of Risk Management awareness will develop with practice and experience. Table 1 (following page) illustrates the progression organisations will make as they gain experience in the use and application of Risk Management.

Figure 2 Quality Risk Management Overview (ICH Q9)

[Figure not reproduced. Diagram labels: Initiate Quality Risk Management Process; Risk Assessment (Risk Identification, Risk Analysis, Risk Evaluation); Risk Control (Risk Reduction, Risk Acceptance); Output / Result of the Quality Risk Management Process; Risk Review (Review Events); Risk Communication; Risk Management tools; unacceptable.]

| Risk Maturity Level | Risk Processes | Attitude | Behaviour | Skills & Knowledge |
|---|---|---|---|---|
| Scepticism | No Formal Processes | Accidents will happen | Fear of Blame Culture | Unconscious Incompetence |
| Awareness | Ad hoc use of Stand Alone Processes | Suspended Belief | Reactive, Fire fighting | Conscious Incompetence |
| Understanding & Application | Tick Box Approach | Passive Acceptance | Compliance, reliance on registers | Conscious Competence |
| Embedding & Integration | Risk Management embedded in Business | Active Engagement | Risk-based decision making | Unconscious Competence |
| Robust Risk Management | Regular review & Improvement | Champion | Innovation, Confident & appropriate Risk Management | Expert |

Table 1 Risk Management Maturity

The above table is a simple representation of Risk Management maturity. It does not take into account the different functions and their individual involvement with Risk Management.

In terms of the level of skills and knowledge in the right hand column, consider the analogy of learning to drive a car:

- unconscious incompetence: person who has not yet got into the driving seat and therefore is not competent to drive nor do they know what is needed.
- conscious incompetence: person has started to learn to drive, is not competent but has some awareness of what they need to do to learn.
- conscious competence: person has learned to drive and passed their test and should be competent and confident to drive.
- unconscious competence: person has been driving for some time and can drive to their destination without having to think about compliance with the road regulations or the mechanics of driving the car, such as changing gear, indicating and choosing the correct lane at junctions.


Supply Chain Considerations


Part 1

A general understanding of how supply chains work and how suppliers are managed is required to provide organisations with a basis from which to implement a structured Risk Management process. An effective Risk Management process will protect the continuity of product supply and ensure that end-users receive products that are fit for purpose.

Media focus on contaminated products, for example heparin supplied from China in 2007, and other supply-related incidents, such as counterfeiting, have emphasised the challenge of managing supply chains that extend around the world, where there is great variation in the standards and controls used. With respect to the heparin issue, the Food and Drug Administration (FDA) in the US investigated reports of serious and some fatal adverse events following the use in products of heparin supplied from China. Distribution was halted and product recalled from the market. The investigation identified that a contaminant molecule similar to heparin was found using a non-routine test. This contaminant was not previously detectable using conventional routine standard test methods, and levels between 5% and 20% were found in the final product. See page 78 for more detail.

Sourcing new materials and outsourcing manufacturing or other activities for the supply of product to the end-user requires careful evaluation. All parties in the supply chain need to ensure that their activities both support the health and wellbeing of patients and maintain business continuity. This is especially important during times of economic downturn, since cost-saving measures can increase risk.

Within each supply chain, there is an organisation that is legally accountable. Each competent and regulatory authority ultimately holds one manufacturer primarily responsible for meeting regulatory quality requirements. This accountable organisation (pharmaceutical or medical device) has ultimate responsibility and cannot relinquish or delegate (contractually or otherwise) its obligation and responsibility over any or all functions to their suppliers of products. The accountable organisation is responsible for sourcing suitable suppliers who will support the supply of its product(s) to the market.

It is essential that the relevant functions within an organisation such as procurement, technical, development, quality, manufacturing and Environment Health and Safety (EHS) work together to source materials based on agreed and appropriate criteria.


Competent and regulatory authorities and third parties will assess the accountable organisation to confirm that they have objective evidence of adequate control of their suppliers. The regulators expect that the organisation complies with requirements, which include evaluating and approving their suppliers. There is an expectation to see effective interfaces between the accountable organisation and each of its suppliers. This holds true regardless of the regulatory standard of the industry sector required for the product.

Failure to have or to provide access to any objective evidence of the controls associated with products from suppliers could result in the accountable organisation's quality system being non-compliant. Depending on the nature of the deficiencies identified, this can have significant and serious consequences for the organisation and their business continuity.

Some suppliers may also undergo some form of oversight by a regulatory authority, or a third party acting on behalf of a regulatory authority. This oversight does not absolve an accountable organisation of the responsibility to establish controls and provide evidence for compliance of products obtained from such suppliers.

Sourcing decisions should be based on agreed, specified requirements appropriate to the following stages of product lifecycle:

- experimental design
- investigational or clinical trial material
- commercialised product

The rigour with which a supplier is managed does not exempt responsibility of the supplier for the provision of adequate controls and quality of products, wherever they fit in the supply chain hierarchy. All suppliers should recognise their role in assuring mutual business continuity and take an ethically responsible approach to the potential impact of their actions or inaction. Feedback and communication is essential between the procuring organisation and its suppliers in terms of requirements, expectations, product end-use, performance measures, health and safety etc.

Supply chains themselves can be short and simple, or long and convoluted. However, as a result of increasing globalisation and the risks inherent in long and complex supply chains, the regulators are encouraging organisations to keep their supply chains short, simple and under good control. A survey published in 2009 by Carla Reed has shown that increased outsourcing is challenging product safety and security, largely due to the complexity of outsourcing models, and in particular inconsistency in controls at the outsourced facilities. See Reference No.41.

Figure 3 (below) shows the various functional activities and the supporting services that may be involved in product development and supply. An organisation may choose to outsource part or all of their activities. It is essential that organisations understand how their supply chains and interfaces work. This should apply throughout all phases of the product lifecycle from design and development to routine manufacture, supply and discontinuation.

Figure 3 Example of Functional Activities and Support Services within an Organisation

[Figure not reproduced. Diagram labels, in sequence: Supplied materials / products; Product / Service Design & Development; Manufacturing & Testing; Packaging; Warehouse & Distribution; End user / customer. Supporting these: Internal Support Services (examples: Quality, EHS, Engineering, Facilities, IT) and External Contracted Services (e.g. manufacturing, testing, artwork & origination, packaging, warehousing & distribution, calibration, etc).]


Figure 4 (left) illustrates a typical supply chain based upon hierarchical tiers, where suppliers can be far removed from the ultimate end-user and can still potentially have a significant impact. The more complex the supply chain, the more difficult it is to control, and the greater the risk of a supply chain impact on the quality of the end product.

Hazards and their associated risks can be present anywhere throughout the supply chain. Risks may be compounded or increased by further processing, thus creating a hazard at a later stage. In the worst case, those hazards may not become apparent until too late, after finished product has been released to the market. For example, there may be an adverse effect on long-term stability. Therefore, it is in the interests of all stakeholders, including regulatory authorities, that hazards are identified and the resultant risks are managed throughout every tier of the supply chain. Good communication between all parties is required to do this effectively.

Various problems can manifest themselves at any part of the product lifecycle, from the source of raw materials used to manufacture the product through to the compliance of the end-user using the product correctly. Problems in the supply chain can have an impact on products as well as business continuity, product performance and security of supply. In order to protect both the end user and the accountable organisation, it is necessary to identify the potential hazards and assess their resultant risks, before implementing ways to control or mitigate them.

For the accountable organisation and its suppliers to manage risk effectively, it is worth reflecting that the sources of risk throughout the tiers of supply can be both external and internal to the organisation and its suppliers. Some examples are shown in Table 2 (following page) where the column on the left lists some external risks that can be mitigated through planning and action, leaving only a few that are unknown or outside of the organisation's control. The column on the right identifies some internal risks which can be managed and mitigated.

[Figure 4 - Typical supply chain hierarchy. Labels: Pharmaceutical and Medical Device Industry; Wholesale / retailer / pharmacy; Transport / Distribution; Brokers / Distributors / Transport companies; Tier 1 to Tier 4 suppliers; Supplier A to Supplier D.]


Table 2 - Examples of hazards / events creating risks that are either external or internal to an organisation

External
- Increase / decrease in demand
- Capacity / resources changes
- Fluctuating exchange rates
- Political climate / instability
- Greater exposure to global social, political and financial environments
- Takeovers / mergers
- Legal status (regulatory restrictions in individual markets and of supplier)
- Environmental responsibilities
- Counterfeiting / fraud
- Facility disaster - disaster planning
- Materials, product, service supply interruption
- Termination of materials or services
- Uncontrolled variation in materials
- Unexpected contaminants in supplied product
- Deliberate or accidental adulteration
- Unknown or poorly controlled use of brokers / agents
- Distribution / transportation / storage events
- Inadequate communication
- Lack of adequate documentation control
- Complex processes

Internal
- Non-conformity
- Rejection of a batch
- Product recall
- Capacity / resource issues
- Reduced inventory
- Cost reduction programmes
- Single sourcing versus dual sourcing
- Inadequate supplier selection / qualification process
- Longer / more complex supply chains
- Complex processes
- Inadequate monitoring process or oversight controls / interface
- Non-conformance with contracts / agreements
- Staying with poorly performing supplier & not progressing improvement or exit strategy
- Inadequate communication
- Facility disaster
- Transportation / storage events
- Lack of technical knowledge
- Personnel / organisational changes
- Lack of adequate documentation control
- Increasing process variability


The objectives of a global supply chain are to deliver products to the market whilst saving cost, time and resources. This has increased the level of risk and the likelihood of impact from supply chain disruption. The contamination of heparin will have far-reaching ramifications for accountable organisations and the regulators. At the very least it serves as a warning to the industry that nothing can be taken for granted when sourcing materials and outsourcing manufacture or other critical activities. (Related examples on page 78 and page 85.)

Medicines and medical device counterfeiting is a growing threat worldwide. It was estimated by the World Health Organisation (WHO) in 2006 to be 30% of total supply in South America, sub-Saharan Africa and India. Regulators have been investigating incidents where batches of counterfeit medicines have reached pharmacies and patients. A number of these have been found at wholesale dealer level. Supply chains can be long and convoluted, involving a number of storage or transit locations and a variety of transport systems. In the UK, MHRA has developed proposals in response to the need to raise standards of practice in some sectors of the supply chain in order to bring all operators up to the required standard. (See Reference No. 30.)

The European Medicines Agency's (EMEA) GMP / GDP Inspectors Working Group are working on a revision to Chapter 7 of the EU GMP Guide, contract manufacture and analysis. This is in response to a lack of clarity, both within industry and inspectorates, regarding the scope of activities that should fall under this chapter, and what constitutes satisfactory documented arrangements for contracted activities.

In addition to manufacturing, packing and analytical activities, this chapter will be relevant to the following:
- artwork generation and print ready material
- assessment and sourcing of starting and packaging materials
- washing and depyrogenation and / or sterilisation of packaging materials used in manufacture
- storage and distribution
- maintenance and calibration of equipment and premises
- qualification and validation work for new premises
- professional services for GMP audits of suppliers
- hosting of IT functions
- document archiving and storage


High potential risk in complex processes and systems


The National Aeronautics and Space Administration (NASA) defined systems or processes that are time dependent, rigidly ordered, requiring precision, and with only one path to a successful outcome, as being "tightly coupled" (closely linked). They identified that where such systems or processes are complex and activities closely linked, failures can arise due to many seemingly unconnected events and may go undetected.

A good example is the control of changes relating to the packaging and artwork of medical products. Such changes can sometimes be highly complex, because inputs can be required from a number of internal and external stakeholder groups prior to implementation. Stakeholders can include manufacturing, marketing, regulatory affairs and printing contractors. Interactions are necessary in order to communicate and schedule product manufacturing activities with the changed packaging or labelling component.

Complex systems and processes often present high risk for organisations. Many regulatory non-conformities have been identified over recent years in the areas of product packaging and labelling. These were frequently attributed to the poor management of changes in packaging and artwork components, resulting in the cessation of batch release activities in some organisations, and subsequent market shortages of medical products. Investigations revealed that procedures and systems in place for packaging and artwork change control were usually:
- highly convoluted
- had many interdependencies
- subject to tight timelines
- described as being complex and tightly coupled

Within a single organisation there can be a lack of clarity or understanding of how the whole process works and how different groups are involved or interact in that process. When more organisations are involved this becomes increasingly difficult. Decoupling and reducing system complexity can be a useful risk mitigation strategy, particularly in critical manufacturing environments and supply chains.

Process mapping or flowcharting is a useful tool to use here, and by involving the relevant key stakeholders, a shared understanding of the overall process can help to identify potential hazards, particularly across functional interfaces. (See Example Flowchart.)

Consideration of hazards and their associated risks in the supply chain

As part of planning activities, the organisation should identify any hazards associated with the products to be procured. Some examples of key questions are as follows:
- is the product off-the-shelf or custom made?
- how complex is the product to manufacture?
- is the process adequately defined and understood?
- what is the criticality of the product to the compliance of the end-product?
- would any product specification failure be detectable by the organisation prior to use?
- what is the detectability of non-conformity in the product supplied and how can it be corrected?
- is packaging, storage and distribution fit for the product characteristics?
- is the supplier currently approved to supply products to the organisation or are they a new supplier?
- what is the percentage of supply to the organisation's business sector?

Information about potential suppliers should be used to determine additional potential supply and business risks and include the following:
- financial viability of supplier
- continuity of supply
- liability
- amount of work awarded to supplier in view of the supplier's overall capacity
- technical capability
- distribution and transportation considerations
- agents and brokers (potential for agents and brokers to change source of supply)
- capital investment needed
- single source suppliers i.e. vulnerability
- supplier company legal status (licensing)
- ethical / political acceptability
- does the supplier have a disaster / contingency plan for supply?
- does the supplier manage their suppliers adequately?
- does the supplier have a culture of continuous improvement?

The procuring organisation is responsible for communicating and agreeing the product requirements with the supplier. It may request data and / or sample product in order that the potential supplier can demonstrate their ability to meet the specified requirements. When defining initial supplier arrangements, the relevant information should be communicated for consideration. The organisation should ensure that the relevant people are involved in specifying, reviewing and evaluating information and should include, as a minimum, technical and quality representatives.

The following lists some items that should be considered during sourcing and supply chain review:
- knowledge of the complete supply chain and all organisations within it
- change control and notification from suppliers
- supplier audits or technical visits (note that this requirement should be included in any agreement for a critical supplier)
- control of second or further tier suppliers via specifications or Agreements
- sampling / testing / verification
- Certificates of Analysis / Conformity
- formal requirements (e.g. specific certificates, accreditation, contracts / Technical Agreements etc)
- methods for measuring performance e.g. process capability indices
- correction, reworking, investigations
- batch / lot sizes
- inventory control (First-In-First-Out (FIFO), time limit / target)
- traceability (process, product, equipment, operators)
- Radio Frequency Identification (RFID) or other security tag system
- document / sample retention periods
- protection of intellectual property

Different categories of supplier and examples of some of the key controls are shown in Appendix 1 of this Part.

The organisation should seek to continually improve the quality and delivery of products based on periodic supplier performance evaluation, feedback and consideration of cost. It is important to continually review and strengthen relationships with suppliers, while balancing the short and long term objectives.

Risk Management activities provide a basis for sharing identified hazards and mitigating the risks resulting from those hazards throughout the product and supplier lifecycle. They demonstrate that all parties are taking a responsible approach in ensuring product quality and safety and security of supply. Auditors or assessors expect organisations to be able to demonstrate that they manage their supply chains effectively, and risk management provides the means to do this.


Consideration of controls for managing the supply chain


Risk Management is an effective means of identifying the necessary controls required. To do this requires knowledge of the complete supply chain and all the organisations involved within it. Then the activities of the organisations in the supply chain should be reviewed to identify what is critical to the product and what could go wrong. In some instances it may be necessary for the organisation to ensure control beyond the first tier supplier due to potentially serious effects of changes made by a second, third or fourth tier supplier (see Figure 4, page 14).

The organisation should ensure, when developing controls, that they comply with relevant regulatory requirements such as Good Manufacturing Practices (GMPs), occupational health and safety legislation, environmental protection legislation etc. Examples of controls are included in Figure 5 (following page), which is adapted from the Global Harmonisation Task Force's guidance on the control of products and services obtained from suppliers. On the right hand side, under "objective evidence", some of the controls are listed. (Reference: GHTF Guidance.)



[Figure 5 - Guidance on Control of Products during Supplier Lifecycle Management (adapted from GHTF/SG3/N17:2008). Flowchart phases: Planning; Supplier selection; Supplier evaluation & finalisation; Performance measurement; Feedback & communication; Corrective Action / Preventive Action by supplier; Periodic re-evaluation of supplier; Supplier exit strategy. A right-hand column lists objective evidence for each phase, for example specifications, risk assessments, audit reports, Quality / Technical Agreements, monitoring records and records of corrective & preventive actions.]


Appendix 1 Examples of Supply Categories & Key Controls


All suppliers should have an effective quality management system in place that is, where appropriate, certified to ISO 9001:2008, ISO 13485, or relevant industry standards e.g. ICH Q10. Suppliers should have their own appropriate assessments in place to manage their supply chains. The level of requirement depends on the level of potential risk to the product (criticality).

Supply Category: additional examples of key requirements for Suppliers

Manufacturers of Active Pharmaceutical Ingredients (API)
- Controls in place to meet requirements of EU GMP Guide part 2 or ICH Q7A, and Active Pharmaceutical Ingredient Council (APIC) recommendations.
- Quality / Technical Agreement to define roles & responsibilities of each party (contract giver / contract acceptor).
- Adequate product testing performed to confirm compliance with customer and where appropriate pharmacopoeial specifications.
- Cross-contamination control precautions in place e.g. use of dedicated manufacturing equipment or effective cleaning verification of non-dedicated equipment.
- Full traceability of Raw Materials to the site of origin, including processing aids used in manufacturing processes with respect to animal / non-animal derivation and safeguards against Transmissible Spongiform Encephalopathies (TSE).


Excipients

- Refer to International Pharmaceutical Excipients Council / Pharmaceutical Quality Group, Pharmaceutical Excipients GMPs, 2006.
- Appropriate Quality / Technical Agreement to define roles & responsibilities of each party (Contract Giver / Contract Acceptor).
- Full traceability of Raw Materials to the site of origin, including processing aids used in manufacturing processes with respect to animal / non-animal derivation and safeguards against Transmissible Spongiform Encephalopathies (TSE).
- Adequate product testing performed to confirm compliance with customer and pharmacopoeial specifications.
- Cross-contamination control precautions in place e.g. use of dedicated manufacturing equipment or effective cleaning verification of non-dedicated equipment.


Raw Materials

- Industry standards where relevant.
- Adequate product testing performed to confirm compliance with customer specifications.
- Appropriate Quality / Technical Agreement to define roles & responsibilities of each party (contract giver / contract acceptor).
- Full traceability of raw materials to the site of origin, including processing aids used in manufacturing processes with respect to animal / non-animal derivation and safeguards against Transmissible Spongiform Encephalopathies (TSE), and phthalates.
- Cross-contamination control precautions in place e.g. cleaning, line-clearance, appropriate segregation of activities and good housekeeping.

Manufacturing / Packaging contractors

- Effective quality documentation system compliant with required regulatory standard e.g. EU Guide to GMP part 1 or 2, 21 CFR 210 / 211, 600, 820 as appropriate.
- Quality / Technical Agreement to define roles & responsibilities of each party (contract giver / contract acceptor).
- Supply agreement or commercial contract to define business requirements.
- Appropriate licensing and regulatory history.
- Clear lines of communication.
- Control of outsourced activities (Quality / Technical Agreements, specifications etc.).
- Effective control measures, staffing and facility appropriate to the product being manufactured.


Laboratory / Analytical Testing contractors

- Operate to appropriate industry standard e.g. ISO 17025, Good Control Laboratory Practice (GCLP), Good Laboratory Practice (GLP), Good Clinical Practice (GCP).
- Quality / Technical Agreement to define roles & responsibilities of each party (contract giver / contract acceptor).
- Appropriate licensing and regulatory history.
- Full traceability of customer samples.
- Testing performed to customer and pharmacopoeial specifications.
- Effective out-of-specification result management procedure.

Packaging component manufacturers (primary, secondary, tertiary)

- Reference ISO 15378, PS 9000, PS 9004, also country specific legislation relevant to the product e.g. GMP differences.
- Certification scheme.
- Quality / Technical Agreement to define roles & responsibilities of each party (contract giver / contract acceptor).
- Effective mechanisms in place for customer approval of labels and prevention of mix-ups.
- Planned preventative maintenance and calibration of automated packaging lines.



Printed Packaging suppliers (artwork, origination)

- Effective quality documentation system compliant with required regulatory standard e.g. EU Guide to GMP, PS 9000.
- Certification scheme.
- Quality / Technical Agreement to define roles & responsibilities of each party (contract giver / contract acceptor).
- Participants in approved Certification scheme.


Manufacturers of product contact consumables

- Appropriate materials of construction for product contact component (e.g. pharmacopoeial recognised plastic or food grade).
- Full traceability of raw materials to the site of origin, including processing aids used in manufacturing processes with respect to animal / non-animal derivation and safeguards against Transmissible Spongiform Encephalopathies (TSE).
- Adequate product testing performed to confirm compliance with customer specifications and industry standards where relevant.
- Free from chemical and microbial / particulate contamination and easy to clean / sterilise.

Manufacturers of product contact equipment

- Legible & fully completed documentation covering factory acceptance testing, calibration certificates and material conformity certificates.
- Agreed customer requirements.
- Appropriate materials of construction used for product contact surfaces (e.g. 316L stainless steel, pharmacopoeial recognised plastic) that are easy to clean and sterilise.
- Instruments used for calibration are traceable to international standards e.g. United Kingdom Accreditation Services (UKAS) / National Association of Measurement and Sampling (NAMAS).
- Minimal particle generation produced by moving parts (e.g. pumps).


Wholesalers, Warehouse & Distributors

- Reference Good Distribution Practice (GDP) and appropriate country legal requirements for the product e.g. MLX 357, FDA Globalisation Act.
- Approved, contractual agreement with customer.
- Designated Responsible Person where appropriate.
- Effective stocktaking, security, pest and segregation controls at storage facility with good housekeeping.
- Temperature control and monitoring of storage area and distribution.
- Full traceability of chain of custody for the customer's product; effective recall procedures.

Service providers (e.g. calibration, utility, pest control, cleaning etc)

- Approved contractual agreement with customer.
- Specification of work and controls.
- Defined service level with traceability appropriate to reference standards for materials and instruments used.
- Appropriate training for service provided.



Software, automated systems and IT

- EU GMP part 1 annexes 11 and 15; Code of Federal Regulations (CFR) Part 11.
- Knowledge of a risk-based approach to compliant GxP systems (Good Automated Manufacturing Practice Guidelines) (ISPE GAMP-5).
- Complete and legible documentation with traceability of software changes from initial development to master copy.
- Availability of master copy of software for back up purposes and disaster planning.
- Agreement on ownership of source code.
- Provision of technical support.


Consultants

- Full curriculum vitae available for review.
- Approved contract to define scope of work.
- Evidence of experience and expertise required for customer's project.
- Professional indemnity insurance.
- Third party liability and Non-Disclosure Agreement (NDA) or confidentiality agreement.


Part 2 - Risk Management Process

2.1 Risk Management Team and Responsibilities
2.2 Risk Assessment
2.2.1 Risk Identification
2.2.2 Risk Analysis
2.2.3 Risk Evaluation
2.3 Risk Control
2.3.1 Risk Reduction
2.3.2 Risk Acceptance
2.4 Risk Communication
2.5 Risk Review

2.1 Risk Management Team and Responsibilities

For the product / process being assessed it is fundamental that the relevant process experts are consulted to ensure accurate and complete data / information. It is recommended that the risk management process is undertaken by interdisciplinary teams (people with the necessary expertise representing relevant operational functions within the organisation or supply chain). Involvement of individuals may vary from stage to stage. Note that in smaller organisations / supply chains this may be limited to just a couple of people. Consider the example which illustrates the importance of having the right team. (See Example.)

Stakeholders are commonly divided into four categories: Responsible, Accountable, Consulted and Informed (RACI). This division can aid appropriate communication (see Table 3, following page). It is beneficial to develop a matrix to identify the roles of different individuals associated with the risk management process at the beginning so that responsibilities throughout the process are clear.



Table 3 - RACI roles and responsibilities

Role and Responsibility:
- Responsible: Those who do the work to achieve the task. There is typically one role with a participation type of Responsible, although others can be delegated to assist in the work required.
- Accountable (also Approver / Final Approver): There should be only one Accountable person specified for each task or deliverable. An Accountable signs off (approves) the work provided by Responsible person(s).
- Consulted: Those whose opinions are sought; and with whom there is two-way communication.
- Informed: Those who are kept up-to-date on progress, often only on completion of the task or deliverable, or at key milestones; communication is typically just one-way.


2.2 Risk Assessment


Risk Assessment is defined as:

A systematic process of organizing information to support a risk decision to be made within a risk management process. It consists of the identification of hazards and the analysis and evaluation of risks associated with exposure to those hazards. [ICH Q9]

Quality risk assessments begin with a well-defined problem description or risk question. When the risk in question is well defined, the appropriate risk management tools and the types of information needed to address the risk question will be easier to identify. As an aid to clearly defining the risk(s) for risk assessment purposes, four fundamental questions are often helpful:
1. What might go wrong?
2. What is the likelihood (probability) it will go wrong?
3. What are the consequences (severity)?
4. What is the detectability?

Take water and the hazard of drowning as a simple example. The probability of drowning whilst drinking a cup of water is very low, though not zero; the probability of drowning whilst rowing a boat across the Atlantic Ocean is much higher as there is a far greater quantity of water and other adverse elements, such as wind and waves, make a contribution. The material is the same, the hazard of drowning is the same, but the probabilities, and thus the risks, are different.

Risk = Hazard x Probability of Occurrence

2.2.1 - Risk Identification

Purpose
Risk identification is defined as:

The systematic use of information to identify potential sources of harm (hazards) referring to the risk question or problem description. [ICH Q9]

The purpose of the Risk Identification stage in the overall Risk Management process is to determine "what might go wrong?" Initiation and planning of the Risk Identification stage represents an important starting point in the overall Risk Management process and forms the foundation for the remaining stages. Potential hazards identified as outputs from the Risk Identification stage are subject to detailed examination during the Risk Analysis and Evaluation stages.

Input
Risk Identification requires information about the process to be assessed. The scope should be defined to ensure focus and appropriate use of resource. This will also help to define what data / information may be relevant and / or should be examined to identify potential hazards.


In terms of the supply chain the following should be considered:
- each supplier within the whole supply chain
- what is supplied (material / product / service)
- the structure of the supply chain and interfaces between / within organisations, their suppliers and suppliers to the suppliers
- security of the supply chain (potential for contamination or tampering)
- internal processes used to manage the organisation's suppliers
- internal production processes

Data / information can take many forms, for example:
- quantitative data / information - numbers, figures, measurements and variables
- qualitative data / information - attributes (yes / no, go / no go)
- soft data / information - subjective opinions / historical / experience / process complexity and interactions between processes

Many professionals and organisations often assume that all relevant information takes the form of formalised (hard) quantitative and qualitative data / information. This information is valuable and easily evaluated; however, soft data / information should also be included, otherwise it is likely to leave many gaps. See Figure 6 for sources of information.

[Figure 6 content: Data / Information divided into Hard Data / Information (facts, measurements, analysis results, trends, variables, attributes) and Soft Data / Information (observation, experience, assumptions based on experience), with a key marking each item as qualitative, quantitative or both.]

Process
Risk Identification is the process of identifying hazards and their related risks. Brainstorming is a useful tool to generate information and ask "What can go wrong?" for each step in the process. Whatever the activity being assessed, it is recommended to map the process concerned. This enables potential risk areas to be easily identified, agreed and visualised by the appointed interdisciplinary team. It is important for completeness to ensure that interfaces between processes are also identified, as this is where problems may easily go undetected.

Information to support Risk Identification can come from various sources, for example:
- internal and external factors throughout the supply chain
- known deviations / non-conformities
- near miss events (valuable source of potential risk areas)
- complaints
- internal / external audits
- components of the process under assessment, such as:
  - people, premises, equipment, materials
  - QA / QC
  - services
  - utilities
  - transportation, logistics
  - agents and brokers in supply chain
  - environmental factors
- business stability / continuity:
  - capacity increase / decrease versus capability
  - rate at which the company has expanded / contracted
  - staff turnover etc
- quality system and technical capabilities
- management review
- opportunities for cross-contamination
- inherent process risks
- knowledge in the public domain (e.g. news, regulatory actions, legislation, etc)
- supplier performance e.g. Key Performance Indicators (KPI) / Critical Process Parameters (CPP)


Figure 6 - Sources of Information that can be used in Risk Identification


Output
The output of the Risk Identification stage is a list of known and potential sources of harm (hazards), referring to the risk question, and their associated risks, based on the information available at that time. There is no guarantee that all hazards and associated risks can be identified at any given time as processes may change. It is important to understand that these changes and other events may influence the outcome and will require further review and reassessment, to determine the level of risk based on the combination of the probability of occurrence and the severity of that harm.

Depending on the Risk Identification tool used and the scope of the assessment, potential risks may be categorised prior to analysis. For example:
- product quality risks
- business risks
- risks associated with raw materials
- risks associated with machinery
- risks associated with people etc
- Corporate Social Responsibility - environmental / social risk e.g. dealing with low price suppliers who pollute the environment or exploit their workforce

At completion of this step there should be confidence in answering the question "What might go wrong?" for the product / process under assessment. At this stage risks will not be evaluated as critical or non-critical as this level of risk understanding will be achieved through the Risk Analysis and Risk Evaluation stages. However, it is important to note that different mitigation approaches may be used depending on the nature of the risks identified. Be aware that there will be unidentified and / or unidentifiable risks to the organisation.

The output from Risk Identification should be agreed, documented and communicated to relevant stakeholders.

2.2.2 - Risk Analysis


Purpose
Risk Analysis is defined as:

The estimation of the risk associated with the identified hazards. [ICH Q9]

This step of the Risk Management process attempts to estimate the level of risk in terms of severity of harm, likelihood of occurrence and detection. It provides a quantitative or qualitative estimate of each risk.

Input
Prerequisites
Following the completion of the Risk Identification stage there should be sufficient confidence that at least the significant hazards have been captured. The most appropriate Risk Analysis tool or combination of tools should be chosen. As there may be only limited data during the early stages of Risk Management, the choice of tool may be restricted. As experience grows, there may be a transition to the use of various and more complex tools. Part 3, the Toolbox, gives examples of a range of available tools and techniques from simple to complex.

Considerations
Both qualitative and quantitative input data can be processed using the chosen tools. Some risk tools require hard data rather than soft data (subjective opinion); therefore it may be necessary to have a mechanism to convert soft data into hard data where possible. This can be achieved by generating comparative scoring to produce semi-quantitative data.

The relevant operational experts should provide detailed and up-to-date knowledge of current and historical process performance. Where knowledge does not exist or data is unavailable, then methods to source this information should be initiated in the long term. In the short term, best estimates can be made on the basis of assumptions, provided these are clearly identified, explained and considered at the review stage. Significant decisions based on subsequent recommendations should always reference the original assumptions and further reviews should be scheduled.


Table 4 - Types of information - advantages and disadvantages

Tool: Qualitative
Type of information: May be subjective opinion based on experience.
Advantages:
- Quick
- Can use soft data / opinion
- Limited training needed
- Appears easy to verify
Disadvantages:
- Output may not be precise
- Does not differentiate well between levels of risk or types of risk
- Opinion may be biased on previous or historical experience not considering current capability

Tool: Semi quantitative
Type of information: Mixture of data / opinion. Use comparison techniques to get estimations.
Advantages:
- Differentiates better between risks than the Qualitative approach
- Good balance of advantages and disadvantages of the other tools
Disadvantages:
- Output may not be precise enough for a mature Risk Management process

Tool: Quantitative
Type of information: Significant data and figures
Advantages:
- Output is precise
- Good differentiation between risks
- Provides clear prioritisation of all risks
- Includes detectability assessment
Disadvantages:
- Relies upon hard data
- Training and experience are needed
- Confusion can occur because the differences between failure mode and effect are not well understood
- Takes time to perform, especially the first time
- Reliant upon experts to agree scores and calibrate accurately

Table 4 (above) illustrates the advantages and disadvantages of different types of Risk Analysis tools. It also demonstrates that limited data may exist in early stages of implementing Risk Management. With experience, there may be a transition from the use of Qualitative to Quantitative tools. Both techniques are equally valid and fit for purpose. However, Quantitative tools are often perceived to be beneficial after several full cycles of the Risk Management process as more information is obtained and accuracy is demanded.

Ultimately the decision of which Risk Analysis tool to use depends upon:
- the risks identified
- the precision of the data or opinions that define the risks
- what tools customers / suppliers use
- how accurate the output needs to be
- how quickly the output is required

It is common for accurate or precise data to be missing in one or more areas, allowing the expert in that area to have some understanding of the level of risk, but not be able to support opinion with factual evidence or data.

It is recommended that where an organisation has little or no experience of any particular tools, or is not required by customers to use a certain tool, it initially uses a qualitative tool. Once expertise in the tool has been gained and supporting systems established, the organisation can progress to increasingly quantitative tools. This approach means that, for the same investment of time, at each repetition of Risk Analysis an increasing percentage of time is dedicated to improving the confidence of the risk estimation, and therefore adding more value and confidence in the output each and every time.

Example of subjective assessment: Company A does not have a supplier complaints system. The logistics manager knows that Supplier X is the worst offender for late deliveries because the logistics team are always complaining about them. However, the logistics manager does not know how they compare with Supplier Y as there is no data to show how each is performing. This demonstrates a gap in the organisation's systems and supplier performance metrics / data related to risk management.


Process
Having identified the hazards and associated risks and decided on the Risk Analysis tool to be used, the next step is to assign a rank or score to each of the identified risks. The interdisciplinary team, with knowledge of the identified risk areas, should agree ranking or scores for each one, following the rules and guidance for the tool being used. If necessary, input can be provided remotely, but this is only effective where hard data is available and is being entered or converted into a risk level. Where opinion / soft data is being used, agreement through discussion and compromise is necessary. Identified risks are normally assessed using the same tool. It is advantageous to assess all risks at the same time / same stage of the process. Risk Assessment can sometimes be initiated and performed on an ad hoc basis in addition to the routine periodic cycle of Risk Management, when external or internal events occur. At such times, the generation of a Risk Assessment level or score will enable the correct evaluation and risk acceptance / mitigation decision to be made.

Output / deliverable
The output should include information on missing data and any assumptions made. A level or a score for each identified risk should be generated and documented. It is essential that this output is communicated to those responsible for the Risk Evaluation step in a timely manner. Rapid escalation and communication of the Risk Analysis output should occur for any confirmed high risks. Note that where ad hoc assessments are made, immediate communication should be performed for any confirmed high risk events.

2.2.3 - Risk Evaluation

Purpose
Risk evaluation is defined as:

The comparison of the estimated risk to given risk criteria using a quantitative or qualitative scale to determine the significance of the risk. [ICH Q9]

Risk Evaluation is the process that organises the information from Risk Analysis to allow the decision making step of Risk Reduction or Risk Acceptance to be made. To achieve this, a level of tolerable risk should be defined against which the Risk Analysis output can be compared.

Input
The prerequisites for this step are that:
- Risk Analysis has been completed
- data is organised in the most appropriate way according to the Risk Analysis tool used
- a tolerance level has been set so that the Risk Analysis output can be compared against it

The level of tolerable risk depends on the product and the criticality of its application. A simple way of setting the level of tolerable risk is to identify the highest risk groups or most frequent type, or create a Pareto chart, and select the top 20% (and hopefully cover 80% of issues). The method for setting the level should be explained and documented so that it can be reviewed over time. Be aware, however, that if analysis shows that 25% of the identified risks have a high probability of causing patient harm, there is a need to act on all of these. Conversely, if none of the risks have more than a low probability of causing a minor non-compliance that would not impact the patient, no further action may be decided.


Process
In order to compare the Risk Analyses against an agreed level of tolerable risk, it is easier to rank or sort these in order of descending risk. The Risk Evaluation process is summarised as follows:
1. Rank or sort risks from the Risk Analysis step
2. Check that the data is complete and valid
3. Determine if the level of tolerable risk is appropriate
4. Review the Risk Analysis output against the level of tolerable risk
5. Compare the output to see if it is acceptable or higher than the level of tolerable risk
6. Document the evaluation
7. Communicate the findings to the necessary people

The Risk Analysis output should be organised (filtered, ranked etc) to ensure that those of most significance (i.e. above the level of agreed tolerable risk) are identified for Risk Reduction. Those below the level of tolerable risk can go forward as residual risk for the Risk Acceptance stage.

In some tools using a simple two-dimensional arithmetic scale, risk can be ranked as high / medium / low risks and the combination of probability and severity can be evaluated by simply multiplying the factors. Those risks which have a higher score can be highlighted for immediate mitigation. There are more sophisticated models for setting a more precise level of tolerable risk. Setting a level of tolerable risk is probably the step where both experience and evolution of the risk management process can provide most value.

Although a sense check of the information / data may have been performed already in the Risk Analysis stage, anomalous results can often be detected more easily during this stage. For example, outputs that look too high or too low can be checked for calculation errors, missing data, incorrect data, and then either corrected or verified as being accurate.

Finally, this step categorises the risks into those that are above or below the level of tolerable risk. Failure to perform this step correctly can lead to poor decision making at the Risk Reduction and Acceptance steps.

Output
No final decision is made in this step. The output consists of two data sets (above and below the level of tolerable risk) that can be checked further or be used as the basis for either Risk Reduction or Risk Acceptance. The output should be communicated to all relevant stakeholders especially the Risk Control owner. Formal records should be retained for a suitably defined period to provide evidence of the basis for any decisions made and enable ongoing reiteration / review.
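The Risk Evaluation steps above (check the data, rank, set the level, split into two data sets) can be run over a small supplier risk register, as in the following added example, which is not part of the guide. The 1-5 scales, field names, sample register, the cut-off for "high probability" and the reading of "top 20%" as the top fifth of the ranked list are all assumptions made for illustration.

```python
"""Risk Evaluation sketch: rank scored risks and split them at a tolerable level.

Added illustration, not taken from the guide. Scales, field names, thresholds
and the sample register are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

SCALE = range(1, 6)       # assumed 1-5 scale for probability and severity
HIGH_PROBABILITY = 4      # assumed cut-off for "high probability"


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    probability: Optional[int]   # None means no data was available
    severity: Optional[int]
    patient_harm: bool = False   # could the harm reach the patient?

    @property
    def score(self) -> int:
        # Two-dimensional arithmetic scale: multiply the two factors.
        return self.probability * self.severity


def is_valid(risk: Risk) -> bool:
    """Step 2: a risk can only be scored if both factors are on the scale."""
    return risk.probability in SCALE and risk.severity in SCALE


def action_threshold(ranked, top_percent=20):
    """Lowest score inside the top `top_percent` of a descending ranked list."""
    if not ranked:
        raise ValueError("no valid risks to rank")
    k = max(1, (len(ranked) * top_percent + 99) // 100)  # integer ceiling
    return ranked[k - 1].score


def evaluate(register, threshold=None):
    """Return the two data sets plus the entries that need correcting."""
    invalid = [r for r in register if not is_valid(r)]
    valid = [r for r in register if is_valid(r)]
    # Step 1: descending score, risk_id as a stable tie-break.
    ranked = sorted(valid, key=lambda r: (-r.score, r.risk_id))
    # Step 3: use the agreed level, or derive one from the Pareto rule.
    if threshold is None and ranked:
        threshold = action_threshold(ranked)
    reduce_set, residual = [], []
    for r in ranked:
        # A high probability of patient harm is acted on whatever its rank.
        forced = r.patient_harm and r.probability >= HIGH_PROBABILITY
        # Steps 4-5: compare each score with the level of tolerable risk.
        (reduce_set if forced or r.score >= threshold else residual).append(r)
    return {"threshold": threshold, "reduce": reduce_set,
            "residual": residual, "invalid": invalid}


# Constructed sample register (illustrative values only).
REGISTER = [
    Risk("R01", "Single-source supplier in one region", 3, 5),
    Risk("R02", "Late deliveries from Supplier X", 4, 2),
    Risk("R03", "Tampering in transit via unaudited broker", 2, 5, True),
    Risk("R04", "Cross-contamination at contract packer", 4, 3, True),
    Risk("R05", "Label artwork version mismatch", 2, 3),
    Risk("R06", "Utility outage at warehouse", 1, 3),
    Risk("R07", "Out-of-specification excipient lots", 4, 5, True),
    Risk("R08", "Staff turnover in supplier QA", 3, 2),
    Risk("R09", "Pallet damage", 3, 1),
    Risk("R10", "Documentation delays", 2, 1),
    Risk("R11", "New broker, no audit data", None, 4),       # missing data
    Risk("R12", "Transport temperature excursion", 3, 7),    # off the scale
]

if __name__ == "__main__":
    result = evaluate(REGISTER)
    print("Level derived from top 20%:", result["threshold"])
    for name in ("reduce", "residual", "invalid"):
        print(name, [r.risk_id for r in result[name]])
```

Entries returned under `invalid` are the missing or incorrect data that the sense check is meant to catch; they are sent back for correction rather than scored.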


2.3 Risk Control


Risk Control is defined as:

Actions implementing risk management decisions [ISO Guide 73; ICH Q9]

Risk Control encompasses the decision-making activities that result in action (Risk Reduction) or justified inaction (Risk Acceptance). The purpose of risk control is to reduce the risk to an acceptable level. The amount of effort used for risk control should be proportional to the significance of the risk, i.e. serious high risks require decisive, timely and effective action. Decision makers might use different processes, including benefit-cost analysis, for understanding the optimal level of risk control.

Risk control might focus on the following questions:
- is the risk above an acceptable level?
- what can be done to reduce or eliminate risks?
- what is the appropriate balance among benefits, risks and resources?
- are new risks introduced as a result of the identified risks being controlled?

These can be summarised as Treat, Transfer, Tolerate or Terminate.

2.3.1 - Risk Reduction


Purpose
Risk Reduction is defined as:

Actions taken to lessen the probability of occurrence of harm and the severity of that harm. [ICH Q9]

The Risk Reduction step focuses on processes for control or avoidance of risks where they exceed a specified or tolerable level. Having evaluated the risks as part of the Risk Assessment step (Risk Identification, Analysis and Evaluation) and decided what the most significant risks are, appropriate decisions should be taken. Where the Risk Management cycle has been completed previously, risk tolerance levels should be reviewed taking into account the current situation, new information and available resource.


Input
Ensure that the Risk Assessment phase is completed before proceeding. Generating two data sets (above and below the level of tolerable risk) is the output from the Risk Evaluation step. The inputs for the Risk Reduction and Risk Acceptance processes are as follows:
- output of Risk Evaluation
- additional or new information identified
- availability of key decision makers


Process
Where risks have been evaluated as requiring action, a decision has to be made as to whether or not:
- the organisation (or its stakeholders) require each risk to be controlled
- it is feasible to technically, safely or economically reduce each of the risks

It is important to note that at this stage several theoretically possible solutions to reduce or eliminate risks may be identified. However, not all actions will be practical to implement in either a reasonable timeframe, at a reasonable cost, or even be technically possible. At this point, the principles of As Low As Reasonably Practical (ALARP) may be applied. Some actions may be possible or preferable to others, and these may reduce the risk to an acceptable level (see Risk Acceptance section).

When determining actions it is important to consider the following with input from the relevant experts:
- available resources
- capability (organisation, suppliers and suppliers to suppliers)
- policy (EHS, quality, finance and ethics)

There may also be both primary and secondary risks, where for example the supplier may be the primary risk and their supplier may be a secondary risk; both may need to be reduced.

Risk Reduction actions that are identified for implementation should be examined in terms of their impact on the overall Risk Management process. Consider the following questions:
- are any new risks introduced as a result of the identified risks being controlled?
- is one significant risk being replaced by another?
- should a reiteration or part of the Risk Assessment process be performed?

Output
Decisions and actions relating to Risk Reduction should be documented and approved. Approval should endorse resource allocation, timelines and implementation strategy, and be communicated to all relevant stakeholders including any residual risk.

Examples of reducing risk in the supply chain include the following:
- define / map the supply chain to provide visibility of controls including security and authenticity of materials and services
- implement a robust supplier qualification process
- implement a supply contract to ensure consistent supply and controlled costs
- implement a Quality Agreement or Technical Agreement to ensure responsibilities are clearly defined and understood by all parties with clear specifications
- ensure that the supplier understands what the products / services they supply are used for
- have regular meetings between both parties to ensure effective communication, better understanding and co-operation in making improvements to control risks
- influence the supplier to ensure that they develop a proactive risk management process
- implement metrics / key performance indicators that are tracked by both parties
- identify and implement a second source of supply that is not subject to the same risks as the original source of supply e.g. does not manufacture in the same region, does not have the same suppliers or is not subject to the same energy or transport limitations
- identify and qualify a new supplier where the existing supplier is currently not capable and / or cannot be improved in an acceptable timeframe


Different strategies can be applied to manage and control risk. For example, the supply from one company to another can be disrupted or cease in the event that the original site of manufacture closes. The transfer of production to another site where the material / product has not been made before presents a potentially high risk to the business. Technically it is possible (unless the skills and knowledge have been lost). The decisions of one organisation on both economic and technical grounds can present a significant and direct impact on the organisation's customers and / or suppliers and their ability to function. In any case, another way will need to be found to ensure product continuity.

Where the impacted customer is a pharmaceutical or device manufacturer, the risk is not only one that could prevent manufacture, but could require lengthy and costly changes to the product licence or device registration. Delays in supply to the market could result in the inability to meet a patient's medical needs and / or severe criticism or fines from the regulatory authorities where this could seriously impact the end-user, the patient.

In many cases, the ways of reducing risk are simple and do not have significant costs, if these are identified and planned for in sufficient time. Costly risk reductions are usually the result of insufficient planning or insufficient co-operation between customers and suppliers. For example, calling an equipment supplier in response to the breakdown of critical equipment can be costly and cause delays in manufacture compared with having a Planned Preventive Maintenance (PPM) programme in place.

2.3.2 - Risk Acceptance

Purpose
Risk Acceptance is defined as:

The decision to accept risk [ISO Guide 73]

Whereas Risk Reduction is a decision step to agree to take action, Risk Acceptance is a decision step to accept the level of risk or residual risk or to take no further action. A key part of Risk Acceptance is to formally record the decision by management and communicate this to the business and relevant stakeholders.

Input
Risk Evaluation should have been completed and the list of risks above the agreed tolerable level should have undergone Risk Reduction, unless this has been decided not to be appropriate. Before taking the decision to accept or reject, the following questions should be considered:
- have the right people been involved?
- have the right tools and techniques been used?
- has anything been missed?
- is all the information available?
- are the assumptions valid?

Process
Once the risks are understood and appropriate actions proposed, a formal review should be performed. Risk Acceptance is a decision by an organisation to continue to operate without any action to reduce a given risk on the grounds of either:
- the risk was below the tolerable level (either before or after risk mitigation)
- the risk cannot be reduced at this time

Reduction in risk is beneficial and to be encouraged; however, there may be circumstances where there is no reasonably practicable way of reducing it or no added value at this time based on prioritisation. The risk still exists, therefore senior management need to formally accept this decision and its implications. Being aware of risks at least enables an organisation to monitor the situation and be more able to respond in an appropriate way should the situation change. Once known, some risks can be mitigated further along in the supply chain as a holding situation, whilst longer term improvements are implemented. For example, to reduce the risk of receiving material that does not meet specification, the organisation may increase testing and inspection in order to mitigate the risk until there is assurance of supplier capability.


Output
Once the consequences and costs of any action or inaction have been explored and accepted as being appropriate, then these need to be formally communicated within and between the respective organisations. Records should be maintained. An example of a risk that may be accepted is where a product is to be discontinued. If the risk mitigation decision involved making a change of supplier or investment, this may not be feasible for this product and therefore the risk may be accepted with no action. The continued acceptability of risks from this stage should be part of Risk Review.


2.4 Risk Communication


Purpose
Risk Communication is defined as:

The sharing of information about risk and risk management between the decision maker and other stakeholders [ICH Q9]

Effective internal and external communication is critical to the success of any Risk Management process. A plan to communicate and consult with internal and external stakeholders should be developed at an early stage to manage any issues that arise in relation to the Risk Management process. Where appropriate, communication and consultation with internal and external stakeholders should take place at each stage of the Risk Management process.

Effective communication ensures that those accountable for implementing Risk Management understand the basis for decisions and outcomes of each stage in the process. Applying good communication practices with all stakeholders will increase the efficiency and effectiveness of the Risk Management process. Examples of potential benefits of good communication practices within and between organisations are listed in Table 5 (below). The most appropriate methods of communication to use should be determined by the organisation in terms of Who, What, When and How.

Table 5 - Potential Business and Quality Benefits of Good Communication Practices

Business Benefits
- Ensures interests of stakeholders are understood & considered
- Timely delivery of business impacting information
- Increased awareness & understanding
- Improved planning through knowledge
- Improved resource allocation
- Improved effectiveness & efficiency
- Enhanced mutually beneficial business relationships
- Efficient and effective change management
- Brings functional experts together to identify and analyse risks

Quality Benefits
- Implementation of risk-focused quality management
- Timely / effective end-user protection
- Consistent conformance of products to specification
- Empowered continuous improvement
- Timely and effective change management
- Promotes proactive approach
- Promotes good understanding and knowledge of product source and authenticity
- Brings functional experts together to identify and analyse risks as part of QRM


Who?
The first step in any successful communication process is to identify the relevant stakeholders, for example those in Table 6 (below). These will be the individuals, parties, groups and / or functions who:
- have an impact (direct or indirect) on the product / service
- have an interest in the activities or project
- have to act on the outputs of the Risk Management process

These stakeholders need to be identified and included where and when necessary at each Risk Management stage. It is useful to document such stakeholders as part of the overall process. This is common practice in project management activities.

What?
The information that requires communicating may change over time as inputs and outputs to the Risk Management process develop. The who, when and how may also change over time. Communication can be formal or informal. This will depend on the following:
- the needs of the parties involved
- the stage / step of the Risk Management process
- the nature of the inputs / outputs (e.g. data, information)
- the timelines & urgencies

Important points can be captured in meeting minutes, but key decisions from Risk Control should be formally documented to permit traceability and review. The type of information to communicate may be determined using a variety of basic tools including brainstorming and gap analysis techniques. Table 7 (following page) illustrates what may be communicated in terms of inputs and outputs at the various stages of the Risk Management Process.

The level of detail communicated should be commensurate with the intended stakeholders' needs and expectations. Enough information should be provided to allow for informed decision or assessment but too much or too little information can be counter-productive. For example:
- senior management usually do not require a detailed history, rather a concise summary of the situation with outputs of analysis and any decisions required
- those preparing the summary will need detailed information / technical detail to base the analysis and recommendations on
- recipients of the decision may just require a brief / letter outlining the decision and guidance for future action
- the provider of the original information may require communication by way of feedback that appropriate action has been taken
- there should be appropriate acknowledgement of actions and responsibility taken through communication and feedback


Internal:
- Contract Management / Procurement
- Manufacturing / production
- Testing / QC
- Quality Assurance
- Warehouse & Distribution
- Sales & Marketing
- Finance

External:
- Customers
- Suppliers / Contractors
- Regulatory Authorities
- Notified Bodies
- Certification Bodies
- Consultants


Table 6 Examples of some stakeholders / key parties

Not all information needs to be communicated; it should be appropriate and relevant to the recipient. It is useful to appoint someone responsible for communication who understands that confidentiality, contractual and regulatory obligations should be respected at all stages. A RACI is a useful tool to define responsibilities within the Risk Management process.


Table 7 Examples of items to be communicated during Risk Management process

Risk Identification
- Inputs: Scope; Process steps; Information - Hard / Soft Data; Assumptions [1]
- Outputs: Hazards; Risks; Process Maps; Assumptions [1]

Risk Analysis
- Inputs: Output from Risk Identification; Scope; Hard / Soft Data; Assumptions [1]; Choice of Analysis Tool; Rationale
- Outputs: Risk Analysis Scores; High Risks requiring immediate action / escalation; Defined actions

Risk Evaluation
- Inputs: Output from Risk Analysis; Tolerable Risk Level; Rationale; Assumptions [1]
- Outputs [2]: Ranked / filtered risks; Decisions / assumptions made in ranking / evaluation; High Risks requiring immediate action / escalation

Risk Reduction / Risk Acceptance
- Inputs: Output from Risk Evaluation; Resources; Processes for control; Capability; Practicality; Decisions; Actions
- Outputs: Resources; Processes for control; Assumptions [1] / rationale; Capability; Practicality; Decisions [2]; Defined actions [2]

Risk Review
- Inputs: Output from previous Risk Management process; New hazards or risks; New data / information; Changes; Assumptions [1]
- Outputs: New hazards or risks [2]; New action [2]; Changes [2]

Note:
1 - Assumptions are made when little or no data is available at that time. They should be used with extreme caution as they could impact on the Risk Management process if they are found to be incorrect. It is important to document assumptions so that the inherent risk in their usage can be considered by recipients of the communication. Always aim to replace any assumptions at the next iteration of Risk Management or when information becomes available.
2 - Formal risk information should be communicated in writing to a defined circulation list and kept on record.


When?
Communication should take place throughout the Risk Management process whenever appropriate to do so. Fundamentally these activities will occur at the beginning and end of each stage. Communication is required when the following situations arise:
- unexpected developments - where urgent issues, events or new information comes to light, which may change previous information / assumptions and require the initiation of a review of previously completed Risk Management stages
- routine developments:
  - as per a defined plan or in accordance with the process in the scope of the Risk Management process
  - as per the needs of the stakeholders
  - at set milestones such as the point of Risk Evaluation, Risk Control, Risk Review and so on
  - as part of periodic risk management review

In summary it is important to ensure that:
- the correct audience and stakeholders are identified
- the communication is suitable for the recipients - concise, clear and traceable to all parties
- communication is timely for the intended recipients or stakeholders
- feedback is requested that communication has been received, understood and acknowledged
- records are maintained
- appropriate documentary evidence is available for stakeholder scrutiny


How?
The method of Risk Communication should be clearly established at each stage in the Risk Management process. Key decisions should be communicated formally. Elsewhere less formal methods will be sufficient. When there is an increased risk or event, it is important to have a process that enables an appropriate response to be made, so that the relevant stakeholders receive accurate and timely information to make decisions and / or take action.

Always agree on the means of communication up front. The method of communication should be based on capabilities between parties. There is no point in expecting to communicate solely via e-mail if one of the parties doesn't have a reliable electronic mail system or is unable to access one.


2.5 Risk Review


Purpose
Risk Review is defined as:

Review or monitoring of output / results of the risk management process considering (if appropriate) new knowledge and experience about the risk [ICH Q9]

Risk Review is required to ensure that the outputs / results of the Risk Management process are revisited at defined intervals and actively evaluated in response to events / new information. Changes regularly occur within supply chains and risk models therefore need to be dynamic. Risk Review is about being able to demonstrate and verify the status and effectiveness in managing the hazards and associated risks that changes present.

Without a planned review, the risk process may gradually become more out of date, and may cease to be valid or useful. As a result, new risks and variables will not be identified and assumptions will not be validated or moderated. This is wasteful of resources that have been invested in the original assessment.

Process
A review should enable the targeting of resource to areas based on assumptions, or new information that has become available. It is not necessary to repeat the whole process with already identified and unchanged risks. The review requires that accurate information be reviewed and presented to the decision-makers. A well executed Risk Review establishes that:
- the unknowns are minimised
- new variables are identified and assessed
- the supply chain is controlled effectively

Risk Management has a dynamic lifecycle. Review criteria are required at the outset of the process to ensure that they are updated and kept up-to-date. Appropriate measurement tools should be established to monitor performance and feedback on any given process. Such information should be communicated to provide feedback to users and decision-makers to enable effective Risk Review.

Input
Risk Review can only begin once Risk Assessment and Risk Control have been completed. It requires the following information as a minimum:
- the results of the original / previous assessment (and actions arising from them), should be repeated and updated with current information
- any assumptions taken
- monitoring information (planned feedback)
- any events or changes that have taken place since the previous assessment
- inspections or audits
- management review
- case studies
- near miss events
- an appropriate interdisciplinary team


An effective Risk Review process should accommodate the ability to respond to both Proactive and Reactive events.

Proactive - it is recommended that reviews initially be performed at least annually. Further reviews are dependent on the nature of the business (supplier history, known risks, assumptions and criticality of the product and processes). Some examples of measurements:
- performance of a new supplier against expectations
- Key Performance Indicators / Critical Control Parameters (e.g. data that shows quality, satisfaction and delivery)
- outcome of a corrective / preventive action plan (CAPA)
- trend analysis (e.g. product performance review)
- industry trends benchmarking
- expected or anticipated changes in legislation, standards or guidelines
- other measures to control the process

Reactive - significant new information or events can change the results of a Risk Assessment or at least indicate that a review should be performed (this is not an exhaustive list):
- new site for an established supplier (changes in operations, culture, capabilities and setup issues)
- new product or service at an established supplier
- technical changes in the product supplied e.g. specification or a high rate of change
- changes in markets supplied and in volumes produced
- ramp up / down in production
- serious complaint / adverse event and / or recall
- regulatory actions or incidents, such as Warning Letters, Consent Decrees or other unexpected events
- changes in legislation (may be unforeseen)
- failure of supplier processes impacting quality and supply (e.g. deviations, complaints etc)
- results of audits or other visits
- resource changes (financial, personnel or equipment)
- new or modifications to monitoring systems
- other significant issues impacting information used as a basis for assessment
- application of issues learnt to other materials, areas and activities

Some brief and illustrative examples of reactive events:
- A distribution service supplier originally rated as very low risk reports that their main warehouse in France has been partially destroyed by fire, destroying 500,000 Euros of finished product and affecting the status of 5 million Euros of stock on the site.
  - was this a one-off low probability event previously identified and accepted, or an unforeseen event?
  - were there failures in systems mitigating this risk, or had the need for such systems been overlooked or not identified?
  - are other warehouses / markets at risk?
- A number of complaints are reported for an eye-drop finished product. Upon investigation, a broker is identified in the supply chain, and it is found that there has been a change in the crystalline structure of the herbal extract ingredient, causing an adverse reaction. Events have since demonstrated that the original assessment was based on inaccurate information and false assumptions.
- A key member of staff at a contract manufacturer leaves and the communication lines, flow of information and ability to interact between organisations breaks down.
- A Product Review highlights an unexpected series of deviations, or a trend relating to a service or material supplied.


The level of significance of an event or new information should determine if a review is required. Risks and risk indicators can change with time and, with the change, some risks require re-evaluation. Some key questions to ask are as follows:
- has the probability of occurrence changed?
- has the impact or significance of known risks changed?
- are there any new areas to include in the Risk Assessment that have not been captured before?
- are there any risk indicators that are no longer applicable due to changes in processes, equipment, suppliers, services, materials, circumstances etc.?
- are there any new risk indicators or risk tools that should be used (Risk Management process improvement)?

As well as having good communication and regular feedback relating to Risk Review, a process should be defined for the escalation of urgent matters to key stakeholders and decision makers including both criteria and timescale.

Output
The output / results of the Risk Review is not the end of the process. It is an iterative process that has a number of different outcomes:
- no action is required at present as all risks are known and under control, next review should be determined based on risk (about one year) or where new information / changes are made
- new risks are identified or assumptions are shown to be invalid or requiring reassessment
- a significant event, improvements or major gaps are identified that invalidate the original assessment resulting in a new Risk Assessment for that supplier or product

Risk Review should be formally documented, approved and appropriately communicated.

In summary
Risk Management is an ongoing cyclical process, and not a one-off activity. It should enable control or elimination of significant risks as well as the identification of any new risks and processes. The process should continue to be used for events that might impact on the original Risk Assessment decisions, whether planned or unplanned. As experience with the Risk Management process in use grows, more advanced tools and methods may be used.


Risk Management Toolbox


Part 3

3.1 Introduction to the Toolbox


This toolbox is to provide the user with basic information on some relevant, commonly available tools and techniques and demonstrate how they are applicable to Risk Management. The tools and techniques discussed in this section are proven, effective methods that are commonly used in a variety of industries. Thus, if anyone is trained or experienced in any of the tools, it is advisable to use such resource for coaching.

Simple tools
Commonly used to:
- gather / organise data
- structure data / information
- project manage process and facilitate decision making

Complex tools
Commonly used to:
- gather / organise data
- analyse data into meaningful information with increasing levels of sensitivity
- manipulate complex data to simplify and aid informed decision making

The drivers for which tool to use and where are:
- scope
- experience of the user
- the process under examination
- type of Risk or Hazard identified
- availability of appropriate information
- amount of time available, which is a balance of the extremes of quick and approximate or slow with precision


Some tools are very effective in all areas of Risk Management while others are better employed for specific areas of the process. Some tools utilised in Lean, 6-Sigma and Right First Time may be the same or similar to Risk Management tools. This toolbox provides guidance on their use with examples, where appropriate.

Some characteristics of good Risk Management tools:
- provide structure in reaching conclusions or making decisions
- encourage multiple functional team input
- value the differences of expertise, knowledge and viewpoint
- deployable at various stages
- function well with relevant resources and trained facilitators
- are proactive

There will be tools and techniques not mentioned in this guide which may be appropriate to use and new techniques are always being developed. Care should be exercised as some tools may appear suitable but are designed for retrospective analysis (for example Root Cause Analysis), whilst Risk Management tools and techniques are intended to be prospective in order to determine the potential future consequences.

The tools and techniques explained in this section are provided as overviews to illustrate their applicability to Risk Management with their respective advantages and disadvantages. Some are explored in more detail with a specific example to demonstrate how they have been successfully applied in some organisations. This toolbox guide is not intended to be definitive. To gain a full understanding of some of the tools and techniques mentioned, individuals may need to supplement the guidance given here with knowledge or training from elsewhere.

The ICH Q9 Briefing Pack contains a set of pharmaceutical industry oriented tools which may supplement information on those given in this guide. A cautionary note is that the ICH Q9 Briefing Pack tools are generic to all areas of Risk Management and not all are considered ideal for assessment in a supply chain environment.


3.2 Approach to Implementation


Tools and techniques used in project management work well in initiating a Risk Management process. Some of the tools and techniques, given in subsequent sections, are processes in their own right. They may be used to implement Risk Management as well as perform specific risk identification or analysis tasks, e.g. HAZOP or HACCP.

A project management approach to Risk Management provides structure, control and assignment of resource, and is successfully used by many organisations. This approach includes the following:
- a scope or charter is defined
- key roles are defined (sponsor, project lead, team members)
- the sponsor is accountable and approves goals and objectives
- a team is appointed of appropriate stakeholders (subject matter experts and / or involved parties)
- budgetary requirements are identified and agreed
- milestones and timelines are defined in a plan
- progress is measured against the plan

There are some disadvantages in using a strict project management approach:
- managed projects generally have a finite life with an end-point
- Risk Management is a reiterative process and will require refinement and change as products and organisations evolve
- project management teams are often disbanded at the end of the project and therefore the review phase might not be complete

The best organisational aspects of project management can be selected for use as appropriate, e.g. the charter. Whatever approach is used the following should be included:
1. Establish an effective cross functional team
2. Establish scope, responsibilities, accountability and budget
3. Define timelines for decisions
4. Establish controls, feedback mechanisms and formal reporting
5. Review at defined intervals


A sub-tool within project management is the charter or objective statement which should include the following:
- scope for the Risk Management team (what is and what is not in scope) - in the supply chain this would identify the limits of the supply chain or the section of the supply chain to focus on
- objectives and performance criteria - these will detail any special performance targets and what is expected as the steady state
- any known management or operational obstacles
- budget requirements
- decision-makers and levels of authority
- departments that need to be represented
- identification of the facilitator or leader, and roles and expectations for team members

The charter / objective statement should be a formal document approved by the individual(s) accountable for budget. When approved by senior management this document becomes the baseline for the Risk Management process. As work progresses the charter / objective statement should be revisited to ensure the objectives remain valid and that there is continued support and ownership.


Implementation review
For effective implementation, the original objectives and any changes should be reviewed. This should focus on the effectiveness of the implementation within the organisation and not be concerned with the review of the data and levels of risk accepted. Key areas to review include:
- were the objectives correct?
- have the objectives been met?
- was the team assembled effective?
- is the process in use in the right areas?
- what should be considered for future improvement?

The implementation review should be documented and be reported at management review; it should also be considered in the next cycle of the Risk Management process.


3.3 Risk Assessment


This section describes some of the tools that are useful for the 3 phases involved in Risk Assessment prior to the Risk Control phase: Risk Identification, Risk Analysis and Risk Evaluation.

3.3.1 Risk Identification Tools

This section describes some of the tools that are useful for identifying hazards and their associated risks at the Risk Identification stage of the Risk Management process. Tools included are as follows:
- Brainstorming
- What If?
- Mind Mapping
- Check-sheets
- Flowcharting
- Process Mapping
- Cause and Effect / Fishbone Diagrams
- Hazard Operability Analysis (HAZOP)
- Hazard Analysis and Critical Control Point (HACCP)

HAZOP is described here as it focuses on identification of hazards and their associated risks, however it does cover several phases of a Risk Management process from implementation to Risk Analysis. It illustrates a combination approach using several of the Risk Identification tools. HACCP is a similar tool to HAZOP and is described in the Risk Analysis section within this toolbox.

Brainstorming

Overview
Brainstorming is a technique usually utilised where you have a group of people trying to find a solution to a problem. It aims to achieve quality through quantity by capturing a wide spectrum of ideas from various disciplines in an open and encouraging atmosphere.

Some advantages are:
- simple method
- requires few resources
- apart from the facilitator, participants require little training
- generates quantities of data fast
- can identify areas not considered before
- generates new ideas from non subject matter experts not explored before

Some disadvantages are:
- requires an impartial facilitator
- requires active participation of all members to be really successful
- can generate large quantities of data of which some is eliminated later
- can lose focus and drift off scope if not managed well


Using Brainstorming:
- appoint a facilitator - it is beneficial to assign one individual as a facilitator to ensure that all participants' voices are heard and the process is managed effectively
- ensure the appropriate people from the relevant functions are present (interdisciplinary team)
- provide an environment and atmosphere removed from external distractions
- the facilitator should open the session with a clear description of the subject to be brainstormed e.g. "this session is focused on identifying risks with repacking sodium chloride before distribution to our customers"
- utilise a means of capturing ideas e.g. using a whiteboard or flipcharts or other means and share with everyone involved
- encourage a focus on quantity - aim to ensure that a large number of ideas are generated
- keep each idea succinct and separate
- there should be no discouragement or criticism - all ideas no matter how unusual should be heard - this encourages input from all participants, and prevents areas or ideas for solving the risk problem from being overlooked
- the more hazards and associated risks that are identified, the more comprehensive the subsequent analysis and evaluation will be, however be careful to stay in scope and remain focused
- as the list of ideas increases, review the ideas put forward and group those that are identical or similar under a single heading - make use of colour or symbols or other distinguishing means to collate ideas into subgroups e.g. all risks identified with machinery in black, all risks associated with raw materials in red etc.

The final output should be a list of ideas which can be developed further and subjected to risk assessment.

What If?

Overview
What if? is a technique commonly used in engineering to determine hazards associated with a facility, equipment or a process. The process under review is broken down into sub-processes and each step interrogated by asking "what if there is a failure in the sub-process?" or "what if there is a failure in the operation of the sub-process?" The answers to the questions will identify if potential hazards exist. The technique is more structured than a brainstorming session.

Some advantages are:
- simple method
- requires few resources
- participants require minimal training
- very effective for defined processes
- may identify areas where knowledge gaps need to be filled

Some disadvantages are:
- requires active participation to be successful
- can generate large quantities of data where processes are long or complex
- is of limited use where processes are undefined or unknown (however this may lead to identifying a list of what is required)
- requires effective brainstorming to generate relevant and effective What if? questions about sub-processes
- requires substantial knowledge of the process under scrutiny in the first place

Using What If
What if is easily adopted in supply chain scenarios, for example an asthma inhaler (pressurised Metered Dose Inhalator - pMDI) has many complex parts in addition to the medicine it dispenses. What If questions can be formulated for every part of the operation:
- what if the temperature in the distribution warehouse rises above 35°C?
- what if the "No actuation" detector on the packaging line develops an intermittent fault?
- what if the moulded plastic actuator supplier has used a different plastic mould release agent after an unusual breakdown than the one approved for the product?
- what if the master-batch supplier of the plastic granules for the device has used a different supplier of raw materials to reduce costs or ensure delivery on time?

2010 The Chartered Quality Institute

A Guide to Supply Chain Risk Management for the Pharmaceutical and Medical Device Industries and their Suppliers

Foreword Structure & Acknowledgements Contents

Mind Mapping
Overview
Mind maps are diagrammatic representations of ideas arranged radially around a central idea or theme. They have been used as study aids, for problem solving and as decision making tools.

Some advantages are:
- promotes the brainstorming / idea generation sub-processes by way of its structure
- allows the capture of information in a concise visual representation
- fast process for recording data / information

Figure 7: Example of a mind map

Some disadvantages are:
- may require training of personnel to become effective users of the technique
- not all people find this technique useful
- use of colour / symbols / diagrams can make the resultant mind map prone to misinterpretation by persons not involved with its construction
- limited scope in terms of volumes of data - with large quantities of data a single diagram may become too complex and cumbersome to work with

Use of mind maps
Mind maps can be constructed manually by hand-drawing or electronically using software packages. The key topic is placed in the centre. Branches are drawn from the key topic radially. Each branch represents a single sub-idea of the main idea relating to the key topic. On each of these branches are drawn sub-branches, each one drilling down further into the idea represented by the main branch. Experts promote the use of colour for different branch trees as well as graphics to aid the conceptualisation process in the brain. It is also recommended that the least number of words is used to describe each idea or branch in the diagram. Related ideas or issues can also be linked from one branch to another, illustrating interactions or interrelations. An example of a mind map is given in Figure 7 (above).

Check-sheets

Overview
Check-sheets are commonly used tools that allow collection of information from a process in a systematic, organised way in real time at the location where data is being generated. Data collected on check-sheets is easily used as an input to other tools. Data can be collected quantitatively e.g. counts, or qualitatively e.g. attributes like yes/no or go/no go type data.

Some advantages are:
- simple
- fast process for recording data / information
- data generated lends itself well as an input mechanism to other tools
- provides objective evidence to counteract opinion and assumptions

Some disadvantages are:
- relies heavily on people recording data accurately
- can become cumbersome and lengthy for complex processes
- relies upon good check-sheet design
- may become limited by design if there is insufficient scope to record data
- some items of data may get missed out

Use of Check-sheets
There are four main types of check-sheets commonly used:
1. Item check-sheets - used to capture identified hazards in the process e.g. the check-sheet will have a list of potential problems and provision to count occurrences or frequency
2. Location check-sheets - used to identify potential areas or locations in the process where a hazard and its associated risks occur, e.g. the check-sheet may be a diagrammatic flowchart of the sale and distribution of a product that illustrates the main processing steps involved - a mark is placed on the location where the problem occurs most often giving data on counts and / or frequency
3. Defect check-sheets - used to try and identify causes of risk e.g. may be used to identify the potential causes associated with mislabelling of products and provides a means of recording data about the operators, labelling machines, batch code printers etc.
4. Checklist check-sheets - used to identify risks by checking if procedures are followed e.g. a check-sheet will have a list of tasks that need to be performed or risks to be mitigated

Information on designing and using check-sheets is widely available outside of this guide. It is important to ensure a check-sheet is suitably designed to allow capture of all relevant data and that it does not bias data collection and lead to mis-informed data analysis or evaluation. Check-sheets are widely used in other applications, for example an audit checklist for an auditor as an aide-mémoire.

Flowcharting
Overview
Flowcharting is the process of charting a process or information by representing the individual steps as boxes and displaying the order of occurrence by connecting each box with an arrow showing the direction of process / information flow. It is through process understanding that flowcharts can be used to aid Risk Identification in identifying potential issues, hazards, defects, bottlenecks and restrictions.

Figure 8: Flowchart of a Medical Device Manufacture showing Suppliers & Contractors

Flowcharting is a simple tool to map out the supply chain. Figure 8 (above) illustrates a simple integrated flowchart used to show the flow of materials in the manufacture of a Medical Device with links between organisations performing key outsourced manufacturing steps in the process. Each of the 9 different suppliers and the outsourced organisations in the flowchart in Figure 8 can also be individually flowcharted to provide an accurate picture of the process and related risks. Flowcharting of processes in more detail is more commonly known as process mapping.

Process Mapping

Overview
A process map is a diagrammatic representation of a process that utilises geometric shapes representing actions or stages interconnected by flow-lines. Over the years various conventions have been adopted on the shapes and symbols to be used for representing steps such as start and end points of the process, individual actions, decision steps and documentation steps. It is not necessary to adopt any of these conventions; however it may assist in understanding when sharing process maps with customers or suppliers.

Some advantages are:
- useful tool to define the supply chains
- prevents oversights and omissions in considering potential sources of risk within and associated with a process
- enables interactions, flow of materials, people and services to be characterised and visualised

Some disadvantages / constraints are:
- takes time to accurately map the process
- need to have the process experts available to capture the process correctly

How to Process Map:
Most process maps begin with a start point and end with a termination point for the process or sub-process. A decision needs to be made on the level of detail required. An example of a process map is shown in Part 1, Figure 5. The final output of the exercise should be a full diagrammatic representation of the process that provides process understanding and a means to identify where risks can occur in that mechanism. The risks identified can then be subjected to the subsequent steps of the risk management process.

Cause and Effect / Fishbone Diagrams


Overview
Fishbone Diagrams (also known as cause and effect diagrams or Ishikawa diagrams) are primarily used to identify causes associated with an event, but are easily adopted to identify hazards / risks associated with an event.

Some advantages are:
- simple method
- requires few resources
- participants require little training
- organises related ideas into groups
- can identify knowledge gaps
- very effective for defined processes

Some disadvantages are:
- requires active participation to be successful
- can generate large quantities of data where processes are long or complex
- limited use where processes are undefined or unknown (however can identify the knowledge gaps)
- requires substantial knowledge of the process under scrutiny in the first place


Use of Fishbone Diagrams:
The diagram is constructed with a box on the right hand side (the head of the fish) - see Figure 9 (below). This box contains the subject under examination, for example the Risk Question. The spine of the fish has a number of main bones coming off it. Each one represents a subject category. These can be tailored to specific needs but some commonly used categories are the 6Ms, 8Ps or 4Ss:
- 6Ms = Materials, Men (People), Machinery (Equipment), Methods (Procedures), Maintenance (Management), Mother Nature (Environment)
- 8Ps = Price, Promotion, People, Processes, Place / Plant, Policies, Procedures, Product
- 4Ss = Surroundings, Suppliers, Systems and Skills

Finer bones come off each category bone to list potential hazards and risks associated with, for example, materials. Often the more populated the bone is, the more influential that category is to overall risk. This technique is very powerful when used in conjunction with other tools such as Brainstorming and Pareto analysis.

Hazard Operability Analysis (HAZOP)


Overview
HAZOP was developed in the chemical industry in the 1960s for health and safety Risk Analysis and the control of chemical processes. It is one of the most commonly known risk tools used to evaluate safety hazards in Environmental Health and Safety. It is considered a simple but highly structured hazard identification tool. Therefore organisations may already have personnel skilled in the use of this tool. Using the HAZOP approach assumes that events and hazards that generate risks are caused by deviations from the established mapped design and operating intentions, and uses a systematic technique to help identify potential deviations from normal use or design intentions in use. It can be considered as an example of a possible combination package covering several Risk Management stages and incorporates some of the previous identification tools and techniques.

Some advantages are:
- may be used as an overall Risk Management tool for initial implementation
- captures and retains product and process knowledge for an organisation
- safeguards against repeat error (reactive analysis) and facilitates rapid detection and correction as a quick reference for problem solving
- may be used to test a supplier's manufacturing processes or facilities for robustness
- can handle significant amounts of data
- uses brainstorming, process mapping etc. in a structured manner
- can be used for situations when the hazards and associated risks and underlying consequences are diverse and difficult to compare using a single tool
- widely used


Figure 9: Example of Ishikawa / Fish-bone Diagram (head of the fish: Risk Question; category bones: GMP, Regulatory, Medical, Legal, Environment, People; figure note: identify risks and verify that each potential risk is related to the Risk Question, then assess the frequency of occurrence and potential severity of each risk)

Some of the disadvantages are:
- it is a tool originally designed for evaluating engineering or chemical processes and equipment and therefore has to be significantly modified for alternative uses
- it requires combination with a hazard analysis tool and has some limitations in its scope
- it doesn't generate quantitative data but relies on key words
- it lacks a technique to sort and categorise the risk level

Use of HAZOP
An outline of the basic steps in HAZOP is:
1. Collect applicable documents and drawings
2. Break the process into manageable sections
3. Prepare a list of parameters and operations to be examined
4. For each section create deviations
5. List and record causes for each deviation
6. List and record consequences for each cause
7. List and record safeguards or controls that may prevent either the cause or the consequence
8. List any future actions or recommendations that should be implemented

3.3.2 - Risk Analysis Tools

This section describes some of the tools that are useful for assessing the identified risks for their level of impact at the Risk Analysis stage of the Risk Management process. Some tools included are:

Simple Tools:
- Control charts
- Pareto charts
- Risk ranking and filtering

Complex Tools:
- Fault Tree Analysis (FTA)
- Preliminary Hazard Analysis (PHA)
- Hazard Analysis and Critical Control Points (HACCP)
- Failure Modes Effect Analysis (FMEA)
- Failure Modes Effect and Criticality Analysis (FMECA)

All these tools require data input. This may be hard data, such as that within computerised systems or generated by statistical analysis, or soft data from more subjective analysis or semi-quantitative data analysis. Data analysis can be a complex area of the Risk Management process. Therefore the tools employed in Risk Analysis range from simple to complex. Selection of which tool to use is a decision based on the suitability of the tool for the task and competency of the user in its use.

There are three elements to Risk Analysis:
- severity of event
- frequency of occurrence
- detectability of risk

Not all tools account for the detectability of the risk. The use of any particular tool is dependent on the objectives of the Risk Management programme and doesn't detract from the power of some of the simple tools applied correctly such as ranking and filtering. This is a very powerful, simple technique similar to Failure Mode and Effect Analysis (FMEA) and can be very successful when used appropriately. Some of the tools given can be used in combination to produce a hybrid set of tools e.g. HACCP and FMEA. The more complex tools may be applied when more information is available and there is knowledge and confidence to use more advanced and specific tools for Risk Management.

Simple Tools - Control Charts


Overview:
Control charts are simple charts used to determine if a process is in a state of statistical control or not. Perhaps the best known control chart is the Shewhart Chart. This simple chart allows special cause variation to be differentiated from common cause (natural) variation, and can aid prediction of the future state of the process. It is this characteristic of the Shewhart Chart that makes it a useful tool in analysing risks associated with a process.

Some advantages are:
- reasonably simple method to master
- requires few resources
- modern statistical software generates it in seconds
- high visual impact in determining trends, patterns or state of control
- personnel require little training
- statistically based

Some of the disadvantages are:
- limited to processes that comply with the statistical model (normal distribution)
- is only a statistical tool, requires the use of an additional tool for Risk Assessment to be completed
- will highlight potential special cause variation being present but will not identify why it is present (root cause)
- requires a statistically significant number of data points to provide useful information
- may be biased by error in the measurement method used for the data being analysed
- there is no way of measuring risk as a detectable event

Use of Control Charts
A control chart has a number of common features:
- the central line represents the mean for the data set
- the Upper Control Limit (UCL) and Lower Control Limit (LCL) lines represent limits of the mean +/- 3 standard deviations and are referred to as the control limits
- data falling outside these limits indicates the process is statistically out of control and that a special cause of variation exists

Often the lines depicted as Upper Warning and Lower Warning Limits (UWL and LWL) are set at the mean +/- 2 standard deviations. These lines are referred to as warning limits and data falling between these limits and the control limits can be indicative of a process approaching a statistically uncontrolled state. Inclusion of these warning limits aids detection of trends, variation, bias or change, e.g. a number of points above or below the mean or a set of consecutive points showing a decreasing or increasing trend. Over the years organisations have developed rules to aid detection of trends and special cause variation. In Risk Analysis, data that indicates trends, special cause variation, or a breach of warning or control limits are data that may be pointing towards hazards and associated risks with / within a process.

ICH Q9 briefing pack
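The limits and trend checks described above can be worked through in a few lines. This is an added example, not part of the guide: the temperature readings are constructed, and the run length of 8 points and trend length of 6 points are assumed rule settings, since the guide leaves such rules to each organisation.

```python
from statistics import mean, stdev

# Constructed sample data: warehouse temperature readings in degrees C.
# BASELINE is assumed to come from a period when the process was in control.
BASELINE = [20.0, 21.0, 19.0, 20.0, 22.0, 18.0, 20.0, 21.0, 19.0, 20.0]
NEW_READINGS = [20.5, 19.5, 20.2, 22.8, 20.1, 20.3,
                20.6, 20.9, 21.2, 21.6, 21.9, 24.0]


def control_limits(baseline):
    """Centre line, warning limits (+/- 2 SD) and control limits (+/- 3 SD)."""
    centre = mean(baseline)
    sd = stdev(baseline)  # sample standard deviation
    return {
        "centre": centre,
        "sd": sd,
        "lwl": centre - 2 * sd,
        "uwl": centre + 2 * sd,
        "lcl": centre - 3 * sd,
        "ucl": centre + 3 * sd,
    }


def assess(readings, limits, run_length=8, trend_length=6):
    """Return (index, finding) pairs for readings that merit investigation.

    Findings:
      out_of_control - point outside the control limits (special cause)
      warning        - point between a warning limit and a control limit
      run            - run_length consecutive points on one side of the mean
      trend          - trend_length consecutive rising or falling points
    run_length and trend_length are assumed values, not taken from the guide.
    """
    findings = []
    side_run = 0      # consecutive points on the same side of the centre line
    last_side = 0
    up = down = 1     # points in the current rising / falling sequence
    for i, x in enumerate(readings):
        if x > limits["ucl"] or x < limits["lcl"]:
            findings.append((i, "out_of_control"))
        elif x > limits["uwl"] or x < limits["lwl"]:
            findings.append((i, "warning"))

        # +1 above the mean, -1 below, 0 exactly on it (which breaks a run)
        side = (x > limits["centre"]) - (x < limits["centre"])
        if side != 0 and side == last_side:
            side_run += 1
        else:
            side_run = 1 if side != 0 else 0
        last_side = side
        if side_run == run_length:
            findings.append((i, "run"))

        if i > 0:
            previous = readings[i - 1]
            up = up + 1 if x > previous else 1
            down = down + 1 if x < previous else 1
            if up == trend_length or down == trend_length:
                findings.append((i, "trend"))
    return findings


if __name__ == "__main__":
    limits = control_limits(BASELINE)
    print({name: round(value, 2) for name, value in limits.items()})
    for index, finding in assess(NEW_READINGS, limits):
        print(index, NEW_READINGS[index], finding)
```

In the constructed data the run and the trend are both reported at reading 9, two readings before the control limit is breached at reading 11, which is the early signal the warning limits and trend rules are meant to give.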


Pareto Charts
Overview
The Pareto principle (also known as the 80-20 rule) states that for many events, approximately 80% of the effects come from 20% of the causes. A Pareto chart is the graphical representation of data, containing a bar chart and a line chart in one diagram.

Some advantages are:
- reasonably simple method to master
- requires few resources
- modern statistical software generates charts in seconds
- high visual impact
- aids minimising effort for maximum benefit
- based on scientifically sound statistics
- combined with ALARP (see page 62) or similar tool may be used for determining risk tolerance levels


Some disadvantages are:
- the basic underlying mathematics may result in a low frequency hazard with a high impact (therefore an unacceptable risk) being ignored
- limited use where individual factors are evenly frequent or significant
- is only a statistical tool, requires the use of an additional tool for Risk Assessment
- data may be easily biased by selection of incorrect weighting factors
- doesn't reflect consequence unless a factoring or a weighting is applied, which has to be validated
- no way of measuring risk as a detectable event

Use of Pareto Charts
The left hand vertical axis represents a parameter frequency for the subject being analysed. The right hand vertical axis represents the cumulative percentage of the occurrences of that parameter. The horizontal axis represents the categories of parameter under analysis and represents each in the form of a bar chart in order of decreasing values. This tool can be used in Risk Assessment to set an agreed tolerance level. However the level set is not based on tolerable risk but focuses resource and effort where improvement and risk mitigation actions will provide the greatest cost benefit. Such an approach is possible when combined with ALARP principles to identify and target exposure to risk.

ICH Q9 briefing pack

Risk Ranking and Filtering

Overview
Risk Ranking is a method used to compare risks and typically involves evaluation of multiple quantitative and qualitative factors for each identified risk, e.g. weighting factors and risk scores. This in its simplest form leads to a two-dimensional diagram of probability of occurrence measured against the severity of the consequences if it did occur. This technique is widely used in health and safety Risk Management.

Some advantages are:
- reasonably simple
- requires few resources
- high visual impact allowing the easy ranking of risks against their outcomes, leading to a view of the risk as high, medium or low, which aids the targeting of resources to minimise high risks
- permits the setting of targets for Risk Reduction in specific areas
- can handle significant amounts of data
- can be used for situations when the risks and underlying consequences are diverse and difficult to compare using a single tool
- based on the principles of cause and effect
- allows quantification of soft data in a usable format
- can be simple or more complex as the situation requires
- can be used to provide many levels of risks (e.g. very low, low, medium, high, very high)

Some disadvantages are:
- has limitations in discrimination where individual factors may be evened out by frequency or significance
- data may be easily biased by the level of filters selected
- consequences should be fully recognised
- detection of risk has to be built in as it assumes that all risks are detectable events

Use of Risk Ranking and Filtering
The technique works by assigning values to probability of occurrence and the severity of the outcome to give a two-dimensional view. In its simplest form, a risk that is present but highly unlikely to occur has a low probability with a score of 1 assigned. Account should also be taken of what the consequences would be if the risk did become reality i.e. severity. If the consequences were severe in effect then this would be assigned a severity of high with a score of 3. This translates as a risk score 1 x 3 = 3 (medium). For each identified risk the probability and severity are multiplied to give a risk score, with 1 as the lowest and 9 as the highest score in the simplest model illustrated below. Once scored, the risks can be ranked and a risk score assigned for each identified undesirable event. The weightings for severity and frequency can be modified to give a different spread of risk depending on the application and focus required.

2010 The Chartered Quality Institute

A Guide to Supply Chain Risk Management for the Pharmaceutical and Medical Device Industries and their Suppliers

Foreword
Increasing probability of an error or failure

Structure & Acknowledgements Contents

High Medium Low

3 2 1 Low

6 4 2 Medium

9 6 3 High

General Introduction Supply Chain Considerations Risk Management Process Risk Management Toolbox
3.1 Introduction to the Toolbox 3.2 Approach to Implementation 3.3 Risk Assessment 3.3.1 Risk Identification Tools 3.3.2 Risk Analysis Tools 3.3.3 Risk Evaluation Tools 3.4 Risk Control 3.4.1 Risk Reduction Tools 3.4.2 Risk Acceptance Tools 3.5 Risk Communication Tools 3.6 Risk Review Tools Appendix 1 - Worked example: Ranking and Filtering for Contractor management Appendix 2 -Worked example: Medical Device Risk Assessment using a Simplified FMEA Appendix 3 - Worked example: Supplier Audit Priority using Risk Assessment

In Table 9 (below left), a score of 1 for Low, 2 for Medium and 3 for High is used for the Probability and Severity of an individual risk / hazardous event occurring, with thresholds of 3 and 6 as risk boundaries. More complex models with 5 or more levels can be used. This allows for ranking for immediate action or finer discrimination. However within some situations, even remote risks are unacceptable with outcomes such as serious injury or patient death. Examples of unacceptable consequences: 1. Purchasing adulterated Glycerine (contained propylene glycol) resulted in product being contaminated with unexpected material, with routine tests not being sufficiently sensitive to easily detect the contaminant at low level. This has occurred several times in the 20th century including an incident in the 1990s for a cough product sold in Haiti where approximately 60 children died as a result. 2. In 2009, baby milk powder was adulterated with Melamine in Asia. Melamine is used to increase the nitrogen content used as a generic indicator for the protein content. Several hundred babies suffered kidney failure as a result and some died. An example where the technique of risk ranking has been developed further and applied in supply chain management of contract manufacturers is given in Appendix 1 of this Part. In addition, a worked example is given as Appendix 3 of this Part, illustrating where risk ranking may also be used as a tool in prioritising work. Risk Assessment is increasingly utilised in the selection of suppliers and sites for re-audit / re-assessment based on a risk scorecard or for comparing the same risks at various suppliers.

Increasing severity of consequences as a result of an error or failure


Table 8: The basic risk versus consequence table

Table 8 (above) depicts a simple risk versus consequence matrix. This leads to the following ranking of a series of identified hazards or undesirable events into a level of risk within a process. The score can be ranked in a tabular form or a Pareto Chart for the next stage of risk evaluation and decision making. It is important to note that regulators consider Severity as more important than Probability in terms of patient harm, so it is important to think about the impact during assessment.


Potential Risks / hazards           Risk Analysis              Risk Evaluation
(from Risk Identification stage)    Severity     Probability   Score
Event 1                             Low (1)      High (3)      Med (3)
Event 2                             Med (2)      Low (1)       Low (2)
Event 3                             Med (2)      Med (2)       Med (4)
Event 4                             Med (2)      High (3)      High (6)
Event 5                             Low (1)      Low (1)       Low (1)
Event 6                             High (3)     High (3)      High (9)
Event 7                             Low (1)      Low (1)       Low (1)

Table 9 Risk Ranking Score

Complex tools

Preliminary Hazard Analysis (PHA)

Overview
PHA applies prior experience and knowledge of a hazard or failure to identify future hazards or failures. It can be performed in a manner very similar to Risk Ranking and Filtering. In terms of complexity it is an intermediate tool and may be harnessed to the more complex tools in this section, e.g. as a precursor to the use of FMEA or HACCP tools, as it determines the potential for harm.


Some advantages are:
- uses other risk tools such as ranking and filtering
- prioritises hazards
- useful when analysing existing systems where there is little information, knowledge, design details, or operating procedures
- can be used on product, process, or facility design
- permits the setting of risk thresholds for risk reduction in specific areas
- visual impact
- allows quantification of soft data in a usable format

Some disadvantages are:
- provision of preliminary information only
- data may be easily biased by selection of filter levels
- does not measure levels of detection of an event
- requires additional follow up

Use of PHA
As in Risk Ranking, the technique works by assigning values to probability of occurrence and the severity of the outcome using key words (see Table 10 (below)). A hazard that is present but which is highly unlikely to occur has a remote probability of occurrence when rated against its severity and if the consequences are negligible then the rating is that of a very low risk. It leads to a simplified automatic Risk Evaluation.

The thresholds between frequencies or severity can be defined using a scaling system. For example, in frequency of occurrence:
- Remote = 1 incidence every 20 years or in a very large number of deliveries or batches
- Occasional = 1 incidence every 5 years
- Probable = 1 incidence every 2 years
- Frequent >= 1 incidence every 6 months

These thresholds are set based on the process the technique is applied to and, as information increases, should be reviewed for effectiveness. The following rules can then be applied from ALARP principles (See ALARP Principles):
- High: Risk should be reduced if possible or avoided
- Intermediate: Reduce risk to As Low As Reasonably Possible (ALARP) principles or otherwise termed As Low As Reasonably Achievable (ALARA)
- Low: Reduce risk according to ALARP principles considering cost vs. benefit criteria or determine if it is an acceptable risk
- Very Low: Generally acceptable level of risk with no further action required

This can then be tabulated and hazards with their current or future risk controls identified (see Table 11).


                          Severity
Frequency of Occurrence   Negligible      Minor               Major               Severe
Frequent                  Low Risk        Intermediate Risk   High Risk           High Risk
Probable                  Low Risk        Intermediate Risk   High Risk           High Risk
Occasional                Very Low Risk   Intermediate Risk   Intermediate Risk   High Risk
Remote                    Very Low Risk   Low Risk            Intermediate Risk   Intermediate Risk

Table 10 - Example of a PHA matrix for assigning the Risk status for an identified hazard



Identified hazards for Supplier

Hazard               Investigational / Control in place     Severity   Frequency (previous history)   Risk and Hazard Rating
Wrong Material       Identity test, Documentation & audit   Severe     Remote                         Intermediate
Late delivery        SOP                                    Major      Remote                         Low
Additional Hazards

Table 11 - Example of a partial PHA matrix for a materials supplier


Fault Tree Analysis (FTA)


Overview
FTA was developed in the 1960s in Bell Laboratories as an analytical logic technique. It is a deductive method (top down) to identify all root causes of an assumed failure or problem. The method evaluates system / sub-system failures one at a time, but can combine multiple causes of failure by identifying causal chains. FTA relies upon process understanding to identify causal factors.

Some advantages are:
- strength is a measure of how controls fail
- provides a visual map of paths to failure
- uses logic gates (and / or) to analyze root causes
- identifies multiple events leading to an end result and identifies common cause events, with resulting safeguards against the same mistakes
- can handle complex processes
- captures and retains process knowledge for the organisation

Some disadvantages are:
- narrow focus: only identifies causes associated with the predetermined hazard or event being analysed
- requires a significant amount of information to use effectively
- if the system is complex it can be very resource and time intensive to quantify the information
- requires significant expertise and the results depend on the training, skill and experience of the analyst

Use of Fault Tree Analysis
A fault tree analysis can be conducted by taking the following steps:
1. Define the undesired event to analyse
2. Obtain an understanding of the system / process
3. Construct the fault tree
4. Analyse the fault tree: determine here what hazards have a direct or indirect effect on the outcome of the system / process and which hazards / risks need most focus
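The four steps above, worked through as an added Python example (not part of the guide): a constructed fault tree for the "Wrong Material" hazard of Table 11 is reduced to its minimal cut sets, and events feeding more than one gate are listed as common cause events. The gate layout and every basic-event name are assumptions made for illustration.

```python
from collections import Counter
from itertools import product

# A node is a basic-event name (str) or a gate: (kind, [children]).
def gate(kind, *children):
    return (kind, list(children))

# Constructed tree (assumption): the two controls of Table 11 as OR gates
# of the ways each control can fail. Untrained goods-in staff defeats both.
IDENTITY_TEST_FAILS = gate("OR", "goods_in_staff_untrained",
                           "test_method_insensitive")
DOCUMENTATION_CHECK_FAILS = gate("OR", "goods_in_staff_untrained",
                                 "coa_not_reviewed")

# Step 1: the undesired event. Step 3: the tree itself.
TOP_EVENT = gate(
    "OR",
    # Chain A: supplier error passes both incoming controls.
    gate("AND", "supplier_ships_wrong_material",
         IDENTITY_TEST_FAILS, DOCUMENTATION_CHECK_FAILS),
    # Chain B: mix-up inside the receiving site.
    gate("AND", "label_mixup_in_warehouse",
         gate("OR", "goods_in_staff_untrained", "line_clearance_skipped")),
)

def cut_sets(node):
    """All combinations of basic events that trigger this node."""
    if isinstance(node, str):
        return [frozenset([node])]
    kind, children = node
    child_sets = [cut_sets(child) for child in children]
    if kind == "OR":    # any one child is enough
        return [s for sets in child_sets for s in sets]
    if kind == "AND":   # one cut set from every child, merged
        return [frozenset().union(*combo) for combo in product(*child_sets)]
    raise ValueError(f"unknown gate type: {kind}")

def minimal_cut_sets(node):
    """Drop every cut set that strictly contains another one."""
    unique = set(cut_sets(node))
    minimal = [s for s in unique if not any(other < s for other in unique)]
    return sorted((tuple(sorted(s)) for s in minimal),
                  key=lambda t: (len(t), t))

def common_cause_events(node):
    """Basic events that appear under more than one gate of the tree."""
    counts = Counter()
    def walk(n):
        if isinstance(n, str):
            counts[n] += 1
        else:
            for child in n[1]:
                walk(child)
    walk(node)
    return sorted(event for event, seen in counts.items() if seen > 1)

def without_event(mcs, event):
    """Minimal cut sets that remain once a basic event is eliminated."""
    return [c for c in mcs if event not in c]

if __name__ == "__main__":
    # Step 4: the shortest cut sets and the common causes need most focus.
    mcs = minimal_cut_sets(TOP_EVENT)
    for c in mcs:
        print(len(c), " AND ".join(c))
    print("common cause:", common_cause_events(TOP_EVENT))
    print("after training fix:", without_event(mcs, "goods_in_staff_untrained"))
```

In this constructed tree the shared event turns a three-barrier chain into a two-event cut set, which is the kind of finding step 4 is meant to surface.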


Hazard Analysis and Critical Control Points (HACCP)


Overview
HACCP was developed in the early 1970s by NASA as part of a food safety initiative for astronauts, using science-based controls to prevent hazards that could cause food-borne illnesses. It is well established as a requirement within the food industry, whilst its application is increasing in other industries including pharmaceutical. Its objective is to reduce any emphasis on testing for failure at the end of a process when it is more difficult to detect.

Some advantages are:
- it caters for both Risk Assessment and Risk Control in one tool, as it identifies the Critical Control Points (CCP) in a process. It is also useful in the Risk Reduction phase
- may be used as an overall Risk Management tool for the supplier management process
- captures and retains product and process knowledge for an organisation
- safeguards against repeat error (reactive analysis) and facilitates rapid detection and correction as a quick reference for problem solving
- may be used to test a supplier's processes
- proactive
- can handle a large amount of data
- can be used for situations when the hazards / risks and underlying consequences are diverse and difficult to compare using a single tool
- emphasises the detectability of a risk

Some disadvantages are:
- designed for evaluating manufacturing processes and often used for contamination risks; it has to be modified for other applications
- requires combination with other tools to quantify and categorise level of risks
- requires resource and preparation to carry out
- may require external training

Use of HACCP
In preparation for HACCP the following prerequisites are required:
1. Assemble a team of relevant experts
2. Describe product / processes in detail
3. Identify intended use / objectives
4. Construct detailed process flow diagram
5. Confirm the flow diagram and level of detail

HACCP is a seven step process that provides for both Risk Assessment and Risk Control. In essence it is a detailed process flowchart map for manufacturing from raw materials to finished product and testing, with each identified critical control point on the flowchart identified. It is often extended into the supply chain and also projected to the end user. The seven steps are as follows:

1. Conduct hazard analysis
A hazard is defined as the potential to harm the consumer (safety and for pharmaceuticals also efficacy) or danger to the product (contamination). In considering hazard analysis, all hazards should be listed that reasonably may occur from incoming materials, production, testing, distribution up to point of use. Hazard analysis identifies which hazards are such that elimination or reduction to acceptable levels is essential. It is advisable to separately identify quality, safety and business risks. Note: FMEA (see following page) may be used as an appropriate hazard analysis tool.

2. Determine critical control points (CCP)
A critical control point is defined as a stage in the manufacturing process (including all raw materials), which, if not controlled correctly, will cause a threat to safety or a contamination issue. Having identified the hazards on the flowchart, determine if there are any stages which compensate for earlier hazards or for those that have no critical controls (if there is a need to install controls at these points).

3. Establish target levels and critical limits
Specify critical limits for each CCP. Typical criteria for measurement could be temperature, time, etc. or subjective criteria. Data should be scientifically based and more than one limit may be necessary for a CCP.


4. Establish a system to monitor critical control points
Monitoring should detect loss of control at a CCP and should be recorded. Real time monitoring enables timely response to trends and prevents deviation from the limit.

5. Establish corrective actions when critical limit deviation occurs

6. Establish a record keeping system

7. Establish procedures to verify that the HACCP system is working correctly

Its common use is to identify and manage physical, chemical and biological (including possible sources of microbiological) contamination related risks in a process, which may well be a mapped current supply chain or a production process, and also assess the impact of any change. From a supply chain perspective it can look from customer through tiers to the base supplier or as part of the whole process flow of components to final product.

Failure Mode and Effects Analysis (FMEA)

Overview
FMEA has its origins in the military in the 1940s and, with its later extension Failure Mode Effects and Criticality Analysis (FMECA), FMEA is often used in the automotive industry with success as a suitable Risk Analysis tool.

Some advantages are:
- identifies the points of potential failure for a given process or product
- a formatted analysis tool suitable for use in other processes e.g. HACCP or as a stand alone tool
- provides structured and sensitive scoring with a Risk Priority Number (RPN) with relativities between risks visible
- helps communication and builds trust across different functions and interfaces
- can ignore failure interactions
- has risk detection as an inherent part of the process
- once performed it provides a quick reference for problem solving and is easily updated
- minimises unforeseen failures
- allows for qualitative data to be converted to semi-quantitative information for input
- can be utilised for quantitative and semi-quantitative information to produce a near-quantitative result

Some disadvantages are:
- requires significant information for input into the tool
- it is not quick to develop or perform
- limitations in assessing where there are multiple risks involved
- it is a complex tool requiring significant user competency and training for effective and efficient use
- the number scales are not obtained by direct measurement and the output may be misinterpreted as purely quantitative when in reality it is not fully quantitative
- the three components of the RPN (likelihood, severity and detectability) are not all equally weighted, and likelihood and detectability are inversely related
- over analysis can lead to paralysis

Use of FMEA
FMEA uses the evaluation of identified potential failure modes for processes, and the likely effect of outcomes and / or product performance. Once these failure modes are identified, Risk Reduction can be used to eliminate, reduce, or control potential failures. It relies upon product and process understanding. The output is a relative risk score for each failure mode as a structured score with a RPN. The calculation of the RPN for a failure mode is Severity x Likelihood of Occurrence x Detectability.

Severity (S): what is the consequence, with a number assigned in the range 1 to 10, with 1 being of minimal impact and 10 being the most disastrous impact.


[Table 12 is a blank form. Column headings: Risk; Failure Mode; Effect of Failure; Potential causes; Current controls; Before Action (Severity, Occurrence, Detection, Risk Score); Recommended action; After Action(s) taken (Severity, Occurrence, Detection, Risk score)]

Table 12 - A typical blank FMEA table

Likelihood (O) is the Probability of Occurrence, with a number assigned in the range 1 to 10, with 1 being a probability of near zero of occurrence and 10 reflecting that it will routinely always occur.

Probability of Detection (D) of the occurrence of a risk event is in the range of 10 to 1, with 10 as undetectable if it occurred and 1 as highly visible.

Some interpretations of FMEA require the 3 criteria to have a number assigned depending on the basis of high, medium or low (with subsets within). Assignment of high, medium or low should be applied consistently. When following these models care should be exercised, as severity does not carry the same weighting as Likelihood and Detection. It has been advised to then use a 3, 2, 1 weighting scheme for a RPN, with Severity as 3 (highest) and Detectability as 1 (lowest).

Cautionary note: These scales are invented to assist prioritisation. The numbers are not obtained by direct measurement and have led to some organisations inappropriately expecting fixed threshold limits for acceptable / unacceptable RPNs. This has caused FMEA teams to adjust the Severity, Likelihood or Detection values to achieve RPNs above or below the threshold.

This tool also accounts for detection of the risk event. Thus if an event is easily detectable, then the risk is lower than if it is not detectable at all until after the full impact is realised. Thus Likelihood and Detectability are considered inversely related. This approach provides priorities for action, with risks with a large RPN prioritised first and smaller RPNs later if a need for action is determined. Table 12 (above) is an example of a typical FMEA table layout. An example of the use of FMEA in the medical device industry is given in Part 3, appendix 2.
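The RPN calculation and the before / after columns of Table 12, as an added Python example that is not part of the guide. The failure modes and their scores are constructed sample data, and the severity floor of 9 is an assumption chosen to show how a pure RPN ranking can place a severe failure mode below a less severe one.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Scores = Tuple[int, int, int]  # (Severity, Occurrence, Detection), each 1..10

def rpn(scores: Scores) -> int:
    """RPN = Severity x Likelihood of Occurrence x Detectability."""
    for value in scores:
        if not 1 <= value <= 10:
            raise ValueError(f"score {value} is outside the 1..10 scale")
    severity, occurrence, detection = scores
    return severity * occurrence * detection

@dataclass
class FailureMode:
    name: str
    before: Scores                   # "Before Action" columns
    after: Optional[Scores] = None   # "After Action(s) taken"; None = no action

    def scores(self, stage: str) -> Scores:
        if stage == "after" and self.after is not None:
            return self.after
        return self.before

# Constructed sample rows. Detection: 10 = undetectable, 1 = highly visible.
ROWS = [
    FailureMode("Adulterated glycerine accepted", (10, 2, 8), (10, 2, 3)),
    FailureMode("Temperature excursion in transit", (6, 5, 6), (6, 3, 4)),
    FailureMode("Wrong label on drum", (7, 3, 3)),
    FailureMode("Late delivery", (4, 6, 2)),
]

def rank_by_rpn(rows: List[FailureMode], stage: str = "before") -> List[str]:
    """Largest RPN first, as the text prescribes for prioritising action."""
    return [r.name for r in sorted(rows, key=lambda r: -rpn(r.scores(stage)))]

def rank_severity_first(rows: List[FailureMode], stage: str = "before") -> List[str]:
    """Severity decides the order; RPN only breaks ties (an assumption)."""
    key = lambda r: (-r.scores(stage)[0], -rpn(r.scores(stage)))
    return [r.name for r in sorted(rows, key=key)]

def masked_severe(rows: List[FailureMode], stage: str = "before",
                  severity_floor: int = 9) -> List[str]:
    """Severe failure modes outranked on RPN by a less severe one."""
    lesser = [rpn(r.scores(stage)) for r in rows
              if r.scores(stage)[0] < severity_floor]
    top_lesser = max(lesser, default=0)
    return [r.name for r in rows
            if r.scores(stage)[0] >= severity_floor
            and rpn(r.scores(stage)) < top_lesser]

if __name__ == "__main__":
    for stage in ("before", "after"):
        print(stage, "by RPN:", rank_by_rpn(ROWS, stage))
        print(stage, "severity first:", rank_severity_first(ROWS, stage))
        print(stage, "masked severe:", masked_severe(ROWS, stage))
```

Better detection lowers the RPN of the adulteration row from 160 to 60 while its Severity stays at 10, so the row drops to third place on RPN even though its consequence is unchanged.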


Failure Mode, Effects and Criticality Analysis (FMECA)


Overview
FMECA extends FMEA to incorporate the degree of criticality to the severity of consequences and the respective probability / detectability of each consequence. Product and process specifications should be established to utilise FMECA. It is typically used for failures and risks associated with manufacturing processes. It has similar strengths and limitations to FMEA. There are other variations for other tasks.


3.3.3 - Risk Evaluation Tools


This is the part of Risk Assessment that enables data to provide for a yes or no decision. Some of the analysis tools will generate a level of risk which requires evaluation for the risk acceptance decision and to establish the criteria for why a risk may or may not be acceptable. It may also establish the residual risk level. Either the risk is then deemed acceptable or Risk Reduction has to be applied.

Some tools included are:
- ALARA / ALARP
- Carrot Diagrams
- Brainstorming (page 46)
- Pareto analysis (page 54)

The tools used for Risk Evaluation are fewer and focus on justifying the level below where little or no actions are appropriate. However it is always advisable, if resources allow, to take simple, often low cost steps to reduce identified residual risks until they become negligible.

ALARA & ALARP

Overview
Risk Management has been widely practised in the field of nuclear medicine and the nuclear industry, from which the principles of ALARA (As Low As Reasonably Achievable) were developed for safety of personnel from exposure to excessive levels of radiation. It is more commonly referred to as ALARP (As Low As Reasonably Practical) in the UK from UK Health and Safety legislation.

Some advantages are:
- residual risk is known and the basis of the acceptance of the residual risk is clearly defined
- baseline established of what can be achieved versus effect, available resources, and technical capability, investment requirements and level of technology

Some disadvantages are:
- an organisation may use inappropriately low targets to set acceptance criteria on grounds of perceived investment required.

The practice of ALARP
The ALARP principle is that the residual risk shall be as low as reasonably practical. To apply the principle it should be possible to show that the investment or practicality would be grossly disproportionate to the benefit gained. The principle arises from the fact that infinite resources (time, money, effort) could be used to try and reduce a risk that is not achievable realistically. It is not a simple quantitative measure of benefit against detriment. It is interlinked to the assessment of whether a risk is tolerable and / or controllable. If so the resulting level of residual risk has to be accepted. In determining that a risk has been reduced to ALARP, an assessment of the risk to be avoided should be carried out and compared with the actions involved in taking measures to avoid that risk totally.

Risk Threshold examples:
- High: risk should be reduced if possible or avoided
- Intermediate: reduce risk to ALARP
- Low: reduce risk according to ALARP principles considering cost versus benefit criteria or determine if it is an acceptable risk
- Trivial: generally acceptable level of risk with no action required


Carrot Diagram
Overview
A carrot diagram is often used to visually display risks and place them in tolerable or intolerable regions (see Figure 10 below).

Advantages:
- simple tool to use
- visual presentation to enable clear decision making
- sets a zone of tolerable and residual risk

Disadvantages:
- requires knowledge to set the tolerable regions and placement of risks

Process in use
The high risks (to be reduced) are at the top and the low risks at the bottom. The middle risks may be described as the tolerable region as the risks are not insignificant but not practically reduced.


[Figure 10: carrot diagram. Regions from top to bottom: Unacceptable region, Tolerable region, Broadly acceptable region. Axis label: Increasing individual risks and societal concerns]

Figure 10 Carrot diagram


3.4 Risk Control


Risk control encompasses the two phases of Risk Management: Risk Reduction and Risk Acceptance. Risk acceptance may be accomplished without risk reduction; however, an organisation should always endeavour to maximise risk benefit by reducing risk to a minimum.

3.4.1 Risk Reduction Tools


This section describes some of the tools that are useful for assessing what controls or actions should be put in place to reduce the occurrence or severity of a risk. Now that a risk is identified some retrospective investigational tools are useful. It may be appropriate to use two or more tools in combination. Tools included are as follows:
- Root Cause Analysis (RCA)
- Corrective Action and Preventive Action (CAPA)
- The 4Ts
- Risk avoidance strategy
- Brainstorming (see page 46)

Root Cause Analysis

Overview
Many of the tools described in 3.3 were initially developed as methods to determine the root cause(s) for events that have already occurred, such as Fishbone Diagrams, Brainstorming etc. Others such as 5 Whys may be found when studying Root Cause Analysis.

Risk Management is a proactive process in addressing risk before it occurs. However in terms of Risk Reduction, knowledge and understanding of the risk enables the appropriate action to be taken to mitigate the risk (see CAPA).

Some advantages are:
- prevents recurrence through Risk Reduction actions focused on root cause and not symptom effects
- demonstrates full understanding of the root cause and related events
- structures interrelated events
- provides a record

Some disadvantages are:
- retrospective and reactive
- assumptions may be taken leading to incorrect identification of the root cause
- training and knowledge is required to apply RCA effectively


Use of RCA
Basic steps to application of root cause analysis irrespective of the tool used are as follows:
1. define the risk to be reduced = output of Risk Evaluation
2. define potential root causes for this risk to occur
3. define which root causes if removed will prevent or reduce the risk
4. implement risk reduction measures = address the root causes
5. document & observe the effect of implementing the Risk Reduction measures
6. review and repeat as required

Corrective Action and Preventive Action (CAPA)

Overview
CAPA is a term used in Quality Management Systems such as those of The International Organization for Standardization (ISO) and, whilst used in a variety of industries, it is often poorly understood. To use effectively after an event has occurred, RCA should be used in combination with CAPA.

Some advantages are:
- prevents recurrence if applied effectively
- provides a structured plan to address identified issues
- provides for continuous improvement and effective use may result in proactive actions being taken
- provides a record

Some disadvantages are:
- retrospective for correction and corrective actions
- not a stand alone tool
- training and knowledge are required to apply effectively and understand the differences between Correction and Corrective and Preventive action
- requires established standards and controls for a baseline to be set

Use of CAPA
Essentially there are three elements to CAPA as shown in Table 13.

Correction: Correction of the effect of an event so as to bring the process, product or service back into a state of compliance with the specification (reactive)
Corrective Action: Implementation of an action to address the root cause of an event to prevent recurrence of that event in the future (reactive)
Preventive Action: Preventive action - action to eliminate the cause of a potential nonconformity or other undesirable potential situation.
NOTE 1 There can be more than one cause for a potential nonconformity.
NOTE 2 Preventive action is taken to prevent occurrence whereas corrective action is taken to prevent recurrence.

Table 13 Elements of CAPA

In terms of Risk Reduction CAPA is a process that complements other techniques such as Root Cause Analysis. In order to utilise CAPA for Risk Reduction these basic steps should be followed:
1. define the risk to be reduced = output of Risk Evaluation or the RCA
2. define the appropriate action i.e. correction, corrective action, preventive action
3. document the CAPA to be taken, including the responsible person(s) and the timeline for completion
4. implement the CAPA
5. document and observe the effect of the CAPA implemented
6. review and repeat as required

Risk Management aims to be a proactive approach. It is likely then that once embedded in an organisation's culture the majority of CAPAs being implemented as Risk Reduction measures will be preventive actions rather than corrections or corrective actions.


Mitigation strategy and actions based on the 4 Ts:


Overview The four Ts are a useful technique in Risk Control. TREAT a risk to prevent it occurring or reduce its potential impact.

Brainstorming
This is a key tool to identify possible control actions for risk reduction. More detail is given in section 3.3.1. See Brainstorming

General Introduction Supply Chain Considerations Risk Management Process Risk Management Toolbox
3.1 Introduction to the Toolbox 3.2 Approach to Implementation 3.3 Risk Assessment 3.3.1 Risk Identification Tools 3.3.2 Risk Analysis Tools 3.3.3 Risk Evaluation Tools 3.4 Risk Control 3.4.1 Risk Reduction Tools 3.4.2 Risk Acceptance Tools 3.5 Risk Communication Tools 3.6 Risk Review Tools Appendix 1 - Worked example: Ranking and Filtering for Contractor management Appendix 2 -Worked example: Medical Device Risk Assessment using a Simplified FMEA Appendix 3 - Worked example: Supplier Audit Priority using Risk Assessment

have processes in place that improve the control effectiveness the amount of effort to control risk should be proportional to the significance of the risk TRANSFER the risk to someone else risk financing, insurance, contracting out, etc. some of the impact of the risk is transferred, not the responsibility that the business has for managing the risk TERMINATE the risk i.e. stop doing whatever it is that is exposing the business to the risk. TOLERATE the risk after deciding that the risk has been reduced to an acceptable level. See Risk Acceptance

3.4.2 - Risk Acceptance Tools

Risk Acceptance is a stage that incorporates information from the Risk Evaluation and Control steps. It is the decision that risk is at a tolerable level and that sufficient, adequate controls are in place. When deciding to accept a risk, "no" is always still a possible answer, causing a return to perform or improve risk reduction, so risk evaluation is interlinked with acceptance. This represents the approval of the results of Risk Evaluation and Control. Risk acceptance decisions are made by the responsible and accountable persons, who should be defined at the start of the Risk Management process, such as in a RACI matrix (Part 2, section 2.4, Table 3). Clear decision making and documenting of those decisions is key here. See RACI.


Risk Avoidance Strategy

Overview
Risk avoidance strategy is a risk reduction technique commonly exploited in financial and business arenas. It involves the elimination of risk by avoiding the process or activity that carries the risk (e.g. not using a supplier so as not to have a future incident), but it has limited use in the manufacturing arena. It could be argued that this strategy is the safest option to avoid risk completely. In reality, however, it is difficult to take this approach to many activities, as this strategy would simply mean no process or no product. Every risk avoided in this way is a loss in potential gain in terms of business, profit, end-user benefit and / or customer satisfaction. Risk avoidance is a practical and sometimes the only viable approach to risk reduction. However, it should be applied cautiously to ensure the benefit outweighs any alternatives.


3.5 Risk Communication Tools


The method of communication depends upon what is being exchanged, the audience / recipients (external or internal) and the importance of the information, regardless of whether it is related to risk or other management activities. Table 14 (below) provides examples of some of the common methods of communication.

Contracts: The most formal method is a business contract; however, this is normally the method of communicating legal and basic business expectations. A supplementary technical agreement is a regulatory requirement for organisations to agree, control and define such matters as: communications, information flow, capabilities, regulatory requirements and expectations, duties and responsibilities; however the main sections of these can be very difficult to amend quickly.

Letter / memo: A formal communication normally reserved for agreeing or approving actions and expectations. It may contain formal certificates, specifications, processes and other technical information.

E-mail: These may contain electronic copies of draft documents and scanned agreements, technical information, certificates etc., that may be used for agreeing, requesting or discussing information. This now takes the place of a letter in most matters as well as being a vehicle for less formal communications.

Telephone: Ideas, arrangements, informal agreement and discussion. These may be added to by use of teleconferences, internet meetings and video conferencing if appropriate to the task. Teleconferences are frequently used by global organisations or where there are multiple sites that need to communicate. Although cost effective (i.e. no travel involved), it is good wherever possible to at least have periodic face to face meetings.

Fax: Normally considered as formal as a letter but its use is being replaced by the use of e-mail.

Internet: This is a way of advertising and a source of information; however, care should be taken to verify information freely available in this way.

Face to face meeting: To exchange ideas, presentations, carry out audits and come up with assignments, actions and agreements. Agreements and actions should be formally recorded in minutes or a letter.

Minutes: Formal records of any type of meeting (or conference) that includes decisions, agreements and actions. These should be retained as documents in a quality management system for audit of a decision or review. An example of this practice is the retention of meeting minutes for development and design of medical devices as part of the device master file.

Presentations: Including graphs, mapping and plans that may be shared to show general proposals and action points, but these reflect the author(s) ideas and situation progress. This is a common and visually effective way of quickly getting essential points across to explain a situation or proposal for a wider, possibly less knowledgeable, audience or to get outline management approval. These do not normally include detailed plans.

Reports: Reports are formal records which have been authorised and can be circulated both internally and externally. These can summarise the Risk Management activities performed and highlight decisions taken (mitigation, acceptance and actions to acknowledge or respond to risks can be included).

RACI: Responsibility diagram.

Table 14 Common Methods of Communication


3.6 Risk Review Tools


Risk Review utilises techniques and tools to measure the success or failure of the Risk Management process. Risk review is a monitoring process and can use information drawn from measurement tools. There should also be a simple set of guidelines in a procedure set out as to how and when a review should be carried out. Examples of measurement tools are:
- Performance metrics / Key Performance Indicators (KPIs)
- Bench Marking
A KPI is a key part of a measurable objective, and may be used as a tool in a bench marking process.

Benchmarking

Overview
Benchmarking is the process of comparing the performance of a specific process or method to another that is widely considered to be an industry standard or best practice. Essentially, benchmarking provides help in understanding where you are in relation to a particular requirement or a definition of success. The result often leads to changes in order to make improvements. Bench marking has been described as learning, sharing information and adopting best practices to bring about step changes in performance. It has a subset of tools which can be adapted depending on what is being benchmarked: Improving ourselves by learning from others. Benchmarking is used to measure performance using a specific indicator resulting in a metric of performance that is then compared to others. This then allows organisations to develop plans on how to make improvements or adopt best practice, usually with the aim of increasing some aspect of performance.
Benchmarking usually involves:
- regular comparison of functions / processes with best practice examples
- the identification of gaps in performance
- exploring new ways of improving how things are done
- introducing and using the improved processes
- monitoring and reviewing of processes, measuring progress and beneficial outcomes

Key Performance Indicators, Performance metrics


Overview
Key Performance Indicators (KPI) are measures or metrics used to help an organization define and evaluate how successful it has been in meeting targets, typically in terms of maintaining key areas of performance and making progress towards its long-term goals. KPIs can be specified by answering the question, "What is really important to different stakeholders?" KPIs may be used to assess the present state of the process or business and to assist in prescribing a course of action. The act of monitoring KPIs in real-time is known as business activity monitoring (BAM). KPIs are frequently used to value difficult to measure activities such as the benefits of engagement, service, and satisfaction. The type and number of KPIs used differ depending on the nature of the organization, the processes being monitored, industry requirements, outputs of the organisation and future strategy. They assist in evaluating progress towards objectives, especially toward difficult to quantify knowledge-based goals. However, care should be exercised in specifying the correct parameters and their criticality. Too many indicators may swamp the critical indicator that something is awry with a supplier.


Appendix 1 Worked Example: Ranking and Filtering example for Contractor Management
This is a practical example of the use of risk ranking in supply chain management for contract manufacturing. A set of key parameters was determined from quality focused elements, where the probability of an undesirable event based on historical data or possible undesirable events could occur. The consequences are dependent on the product characteristics, regulatory requirements and customer impact from an event. A series of criteria for use is required as follows:
- To give defined boundaries between the 3 levels of risk, only the High and Low Risk criteria are required to be defined. If the risk level is greater than the Low level but doesn't meet any of the High risk criteria then the level of risk will be Medium Risk (defined as between High and Low Risk).
- A lack of adequate measurement or lack of data means that the risk defaults to High Risk until evidence of performance over time (approximately one year in operation) can be collected. Thus any new supplier or gap in data defaults to High Risk in a given risk element.
- The risk score for that risk element is the identified risk level multiplied by a weighting factor. Not all the risk elements have the same degree of risk or have the same level of consequences in the event of an issue occurring. For example technical capabilities are weighted 1 against communications weighted 3.
- Some elements are separated due to their importance. Some areas are interrelated, e.g. complaints, investigations and recalls.
- Some elements can be easy to set given criteria. Some are subjective scores converted into figures.
- The score for the individual element is the identified risk level multiplied by its weighting factor.
- The total cumulative score for Probability of event and the total cumulative score for Consequences are plotted onto a Risk Evaluation score matrix, an X-Y plot with Probability the Y axis and Consequences the X axis. Note this also converts some subjective qualitative data into quantitative data.
Please note that the axes are not of the same scale so cannot be simplified into a single column table. The Y axis is a business axis for Consequences of failure so key or large volumes are easier to highlight and therefore there is discrimination of low volumes or activities from activities with higher inherent risk. If a single axis is used then Consequences are not easy to see and key risk factors are hidden.
To maintain the Risk Ranking as being accurate and current this should be regularly reviewed and have any new event factored in, in addition to a routine recheck frequency to monitor performance.
The assumption is that all risks are detectable.


Columns: Risk Element | Risk* (High = 5, Medium = 2, Low = 0.5) | Weight | Score

Probability of event

cGMP Compliance History
High: Significant quantity and / or severity of regulatory observations; Adverse Regulatory Status (e.g., FDA Consent Decree, Severe or multiple Warning Letters, Official Action Indicated); An Area of Special Concern
Low: Few or no regulatory observations

Quality System Processes
High: Several Major Findings; Past Due CAPA items; High number of deviations per batch; Significant deviations; Multiple events requiring a major quality review; Product recall and / or market actions; Significant reprocessing of manufacturing step indicating a requirement to change process step
Low: Few Findings; CAPA on target per schedule; Audit closed on time; Few to no deviations / significant deviations; No market related events; Few to no reworks or reprocessing

Complaints
High: Customer complaints as a result of significant failure of manufacturing controls and associated quality systems
Low: Few or no complaints justifiable based on failure of manufacturing controls and associated quality system

Investigations
High: Not thorough or poorly written; No or greatly inadequate Root Cause analysis; Not completed in a timely manner; Scope is not adequately defined; The number, type & frequency of deviations suggest systemic cGMP and / or quality issues; CAPAs are not identified, are not effective or are well overdue
Low: High quality investigations that are RFT; Root Cause Analysis clear and effective; Well documented and written; Prompt response and timely completion; Appropriate number of investigations; CAPAs are identified, implemented in a timely manner and are effective

Change Management
High: Changes are not communicated; Change control documentation is routinely incomplete and / or inaccurate; Changes implemented without Client approval; Significant gaps with regulatory file / license due to contractor
Low: Changes are communicated in a proactive manner with complete and accurate documentation; Changes are implemented in a timely manner after the appropriate regulatory approval; No gaps with regulatory file / license

Quality / Technical Agreement
High: Supplier is not willing to accept Client terms in the Quality Agreement; Significant deviation(s) from the quality agreement; No Quality Agreement or Quality Agreement not effective
Low: Supplier is in compliance with all the significant requirements of the Quality Agreement

Technical Capabilities
High: Older facility with poorly operating equipment; None or significant non adherence to maintenance schedule; Lack capable personnel and high staff turnover; Significant events due to technical & supply issues; Infrequent volume - 3 or less batches per year; Newer product - Less experience with product
Low: Newer facility with contemporary technology and automation; Highly capable, well-trained personnel; Low staff turnover; High volume (not necessarily Client company brand); Long-term experience with product

Quality and Risk Culture
High: Lack of RFT throughout facility operations; Poor Risk Assessment (i.e., Quality Management is ineffective in assuring appropriate decisions); Lack of continuous improvement (e.g., trending, CAPA); Lack of internal audit and external supplier audit program; Financially unstable, low investment willingness
Low: RFT environment; Risk assessment is accurate (e.g., Science-based compliance decisions); Quality Management applies appropriate control at the facility; Continuous improvement (e.g., trending, CAPA); Strong internal audit and external supplier audit program; Financially stable, demonstrated willingness to invest

Supply Chain Security
High: Broker in supply chain; (Complex) material origin from area of high concern; Supply of API from area of high concern; Supply of excipients from area of high concern
Low: Supply of API from area of high quality regulatory control; Supply of excipients from area of high quality regulatory control; Non complex supply chain

Communications
High: Supplier deficient in reacting to and notifying X of deviations / changes with X affecting X products; Difficult to visit, contact / liaise with
Low: All issues requiring notification to X are communicated in a timely manner per the appropriate agreement; Visits are readily accepted and communication lines smooth

Consequences of Risk

Product Criticality or administration
High: Critical device or injectable / parenteral for X; Highly potent narrow therapeutic range; Controlled release pharmaceutical; Life-saving product; Sterile API for use in a non terminally sterilized Finished product
Low: Non-registered products; Tablets, capsules and topicals (Non sterile products and API); Not medically critical; High Therapeutic Index

Supply Chain continuity
High: No or very limited product for supply; Top value product (may have relative low volume); Critical markets
Low: No issues with supply of Product to markets; Non-critical product or market

Table 15: Risk elements and Risk Scorecard
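The scoring rules of Appendix 1, worked through as an added Python example that is not part of the guide: each element is ranked by the High / Low boundary rule, missing or short data defaults to High, and weighted scores are summed per axis. Only the weights 1 (Technical Capabilities) and 3 (Communications) come from the text; the other weights, the 12-month threshold, the axis grouping, the sample supplier and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LEVEL_VALUE = {"High": 5.0, "Medium": 2.0, "Low": 0.5}  # risk levels from Table 15
MIN_MONTHS_OF_DATA = 12  # assumption for "approximately one year in operation"

# (risk element, axis, weight). Only the weights for Technical Capabilities (1)
# and Communications (3) come from the text; all other weights are constructed.
# The probability / consequences grouping is an assumed reading of Table 15.
ELEMENTS: List[Tuple[str, str, float]] = [
    ("cGMP Compliance History", "probability", 3),
    ("Quality System Processes", "probability", 2),
    ("Complaints", "probability", 2),
    ("Investigations", "probability", 2),
    ("Change Management", "probability", 2),
    ("Quality / Technical Agreement", "probability", 1),
    ("Technical Capabilities", "probability", 1),
    ("Quality and Risk Culture", "probability", 2),
    ("Supply Chain Security", "probability", 3),
    ("Communications", "probability", 3),
    ("Product Criticality or administration", "consequences", 3),
    ("Supply Chain continuity", "consequences", 2),
]


@dataclass(frozen=True)
class Observation:
    """Assessor's finding for one risk element (hypothetical structure)."""
    meets_high: bool      # at least one High criterion applies
    meets_low: bool       # the Low criteria are satisfied
    months_of_data: int   # length of the performance record behind the finding


@dataclass
class Scorecard:
    rows: List[Tuple[str, str, float, float]]  # (element, level, weight, score)
    defaulted: List[str]                       # elements forced to High for lack of data
    probability_total: float                   # cumulative Probability of event score
    consequences_total: float                  # cumulative Consequences score


def rank(obs: Optional[Observation]) -> Tuple[str, bool]:
    """Return (risk level, defaulted?) for one element."""
    if obs is None or obs.months_of_data < MIN_MONTHS_OF_DATA:
        return "High", True       # new supplier or gap in data
    if obs.meets_high:
        return "High", False      # any High criterion wins, even if Low is also met
    if obs.meets_low:
        return "Low", False
    return "Medium", False        # above Low but no High criterion met


def score_supplier(observations: Dict[str, Optional[Observation]]) -> Scorecard:
    """Score every Table 15 element; elements without an observation default to High."""
    unknown = set(observations) - {name for name, _, _ in ELEMENTS}
    if unknown:
        raise KeyError(f"not a Table 15 risk element: {sorted(unknown)}")
    rows, defaulted = [], []
    totals = {"probability": 0.0, "consequences": 0.0}
    for name, axis, weight in ELEMENTS:
        level, was_defaulted = rank(observations.get(name))
        score = LEVEL_VALUE[level] * weight   # level multiplied by weighting factor
        rows.append((name, level, weight, score))
        totals[axis] += score
        if was_defaulted:
            defaulted.append(name)
    return Scorecard(rows, defaulted, totals["probability"], totals["consequences"])


# Constructed sample: an established contractor with one short record and one
# element ("Quality and Risk Culture") that was never assessed.
SAMPLE_SUPPLIER: Dict[str, Optional[Observation]] = {
    "cGMP Compliance History": Observation(False, True, 36),
    "Quality System Processes": Observation(False, False, 36),
    "Complaints": Observation(False, True, 36),
    "Investigations": Observation(True, False, 36),
    "Change Management": Observation(False, False, 36),
    "Quality / Technical Agreement": Observation(False, True, 36),
    "Technical Capabilities": Observation(False, True, 6),
    "Supply Chain Security": Observation(False, True, 36),
    "Communications": Observation(False, False, 36),
    "Product Criticality or administration": Observation(True, False, 36),
    "Supply Chain continuity": Observation(False, True, 36),
}

if __name__ == "__main__":
    card = score_supplier(SAMPLE_SUPPLIER)
    for name, level, weight, score in card.rows:
        print(f"{name:40s} {level:6s} x {weight} = {score}")
    print("Probability of event total:", card.probability_total)
    print("Consequences total:", card.consequences_total)
    print("Defaulted to High:", card.defaulted)
```

The `defaulted` list shows which scores reflect missing evidence rather than observed performance, so a reviewer can tell a data gap from a real finding before plotting the two totals.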


Appendix 2 Worked Example: Medical Device Risk Assessment using a simplified FMEA
This example defines the scope, the product, and the relevant departments needed to provide input. It provides a way of recording the assessment and allows traceability. See below the inclusion of questions for Hazard Identification:
- are there any similar products where lessons may be used or output referenced?
- how could it be misused?
- what can go wrong?

Example template
Product Description: Wound management system
Product / Process or Component(s) analyzed: Complete assembly
Intended Use(s) / Intended Purpose: Treatment of chronic wounds
Participants (persons and organization): Quality management; Regulatory affairs; Clinical affairs; Marketing; Manufacturing; External independent; Research and Development
Date:
Originator:
Signed & Date:
Similar products / process used for identification of potential hazards: None
Potential misuses identified: Use of secondary topical treatments...
List of ALL hazards identified (include a consideration of hazards due to misuse and design characteristics; see table on the following page for examples). This list should be continually reviewed and updated to include new hazards identified during the FMEA process: Does not function as intended...

Table 16 - Risk Management: Risk Estimation and Evaluation example header form


PART
Part Name /#: Component X
Function: Device Active Component

CHARACTERISTICS OF FAILURE / HAZARD
Failure Mode: Does not function as intended; Misuse
Causes of Failure:
- Insufficient component X
- Wrong device version used
- Wrong active component used
- Incorrect degree of mixing
- Incorrect application
- Interference of secondary topical treatment with active component
Effects of failure on Part / System / User:
- Delayed wound healing; Maceration
- Delayed wound healing; Infection
- Delayed wound healing
- Delayed wound healing
- Delayed wound healing; Infection
Current Controls:
- Process controls
- Process validation
- Single device size for all applications
- Active component characteristic controlled in material specification
- Processing conditions controlled to give consistent mixing
- Instructions For Use (IFU) included with pack detailing the suitable types of wound
- IFU included with pack, use of topical treatment included in warning section

Estimation
Po: 1, 1, 1
S: 3, 3, 4

Evaluation and Control
Risk Evaluation Control (Accept / Reduce Risk): Accept; Accept; ALARP; Accept; ALARP; ALARP

Table 17 - Example Failure Mode And Effect Analysis (FMEA) / Design format

Po = Probability of Occurrence (Scale 1 to 5)
S = Severity (Scale 1 to 5)
Risk Assessment is a combination of the Severity and the Probability of Occurrence. See Tables 18 and 19 on following page.
Detectability level in this example has not been assessed.


Calculate / estimate the number of individual uses (or manufacturing operations) that would be required to cause one event of the hazard.

| OCCURRENCE | RANKING | PROBABILITY (Po) | CRITERIA |
| --- | --- | --- | --- |
| REMOTE | 1 | LESS THAN 1 IN 500,000 (P<0.000002) | FAILURE UNLIKELY |
| LOW | 2 | Up to 1 in 500,000 (P>0.000002) | RELATIVELY FEW FAILURES |
| MODERATE | 3 | Up to 1 in 20,000 (P>0.00005) | OCCASIONAL FAILURES |
| HIGH | 4 | Up to 1 in 2,000 (P>0.0005) | FREQUENT FAILURES |
| VERY HIGH | 5 | Up to 1 in 20 (P>0.05) | PERSISTENT FAILURES |

Table 18 - Example rankings for Risk Estimation


Note: Probability is an estimate of the probability of the hazard reaching the user and causing harm. It should take into account Detectability. When possible it should be based on information from similar products, clinical results, scientific literature, etc.

| EFFECT | RANKING | CRITERIA |
| --- | --- | --- |
| MINIMAL | 1 | cosmetic or no effect on product function |
| SLIGHT | 2 | gross cosmetic defect or some effect on product function |
| MODERATE | 3 | product performance compromised or customer experiences temporary impairment of bodily function or body structure but does not require medical intervention additional to routine care |
| MAJOR | 4 | potential compliance issue not resulting in field action or the failure necessitates medical intervention by healthcare professional to preclude permanent damage to body |
| SERIOUS | 5 | compliance issue resulting in field action or the failure results in a complication that is life threatening |

Table 19 - Severity Criteria for FMEA



RISK EVALUATION

| Occurrence \ Severity | Minimal 1 | Slight 2 | Moderate 3 | Major 4 | Serious 5 |
| --- | --- | --- | --- | --- | --- |
| Very high 5 | ALARP | ALARP | Decision | Decision | Decision |
| High 4 | ALARP | ALARP | ALARP | Decision | Decision |
| Moderate 3 | Accept | ALARP | ALARP | Decision | Decision |
| Low 2 | Accept | Accept | ALARP | ALARP | Decision |
| Remote 1 | Accept | Accept | Accept | ALARP | Decision |

Table 20 - Example of Two dimensional acceptance criteria chart for Risk Evaluation

- If the ranking falls in the "Accept" region, there is no requirement to conduct Risk Control activities.
- If the ranking falls in the "As Low As Reasonably Practicable" (ALARP) region, risk control activities may not be required. However, the rationale for concluding that no further mitigation is reasonably practicable should be included.
- If the ranking falls in the "Decision" region, Risk Control activities should be conducted.
In cases where the probability of occurrence is ranked 1 but it is considered to be extremely remote given the number of products (i.e. an inconceivable event) and the severity is ranked 5, the residual risk remains in the decision region. Although a risk benefit analysis is required it does not need to be signed by the Heads of R&D, Global Quality and Regulatory Affairs and Clinical Affairs.


Appendix 3 Worked Example: Supplier Audit Priority Risk Assessment


Company Name: Y
Location: Somewhere
Material sourced: Bulk finished product for packaging

| Criterion | Low | Medium | High |
| --- | --- | --- | --- |
| Route of Final product Administration | Topical | Oral | Parenteral |
| Critical Care | No | Yes | Yes |
| Previous supply history | > 3 years | < 3 years | None |
| Quality System | Regulatory GMP | ISO 9001 or equivalent | None |
| Type of operation | Service (no material) | Repackager | Manufacturer |
| Country of operation | EU / US | Developed rest of World | Developing rest of the world |
| Number of products on site | Single | Multiple | Multiple with high potency or sensitivity |
| Previous audit | < 3 years | > 3 years | None or > 5 years |
| Supplier rating | (A) Approved no issues | (B) Approved some minor issues | Unapproved or (C) major issues |
| API | No | Not applicable | Yes |
| Sole / strategic source | Not applicable | No | Yes |
| Total (number of X marks) | 4 | 5 | 2 |
| Weighting factor | x 1 | x 2 | x 3 |

Table 21 - An Example of a Simplified Application to Set Audit Priority of Suppliers based on Perceived Risk (adapted from GMP Review Vol. 2, No. 4, Jan 2004)


Total Score = the sum of the scores in each individual column multiplied by that column's weighting factor, with the 3 resulting scores then added together (Low + Medium + High totals) to give a final risk score.
Total score = 4 + 10 + 6 = 20


This example gives a score that can be used as a risk level for comparison in a scoring system, to prioritise frequency of visits against other suppliers, including maximum deadlines for the next visit. The full model should be more searching in requirements and incorporate a Risk Evaluation of audit duration and minimum objectives for the audit. A more detailed example may be found on the MHRA website as the basis for regulatory audits performed according to a Risk Assessment. MHRA reference

Part 4 - Supply Chain Examples

4.1 Product Contamination
4.2 Management of Second Tier Suppliers
4.3 Verification of Artwork
4.4 Warehouse Operations & Pest Control
4.5 Temperature Controlled Transportation
4.6 Change Control - Process
4.7 Fraudulent Activities in the Supply Chain
4.8 Errors in Proof Reading
4.9 Change Control - Source of Material
4.10 Implementation of a New Process
4.11 Multiple uses of a Material
4.12 High Bioburden
4.13 Inconsistent Analytical Results
4.14 Continuity of Supply
4.15 Lack of Formal Contracts
4.16 Effect of Global Supply Chains
4.17 Effect of not knowing all the links in a Transport Chain
4.18 Raw Material Source of Origin
4.19 Reuse and Potential Infection

4.1 Active Pharmaceutical Ingredient (API) Supplier - Product Contamination

Scenario:
Between November 2007 and February 2008 there was an increase in the number of recorded deaths following injection of heparin. The US regulator, the Food and Drug Administration (FDA), focused on the supply of multi-dose and single-dose vials of heparin sodium produced by a global pharmaceutical company. As a result the organisation initiated a product recall of the heparin products. FDA's investigation led them to suppliers of the API, which had been manufactured in China. Subsequently, several other companies were found to have made or handled products contaminated with a heparin-like compound. At least ten Chinese companies were involved in the supply chain for contaminated heparin.

Using a new and sophisticated test method, the contaminant was identified as a large molecule similar to heparin. It was found in the samples tested, and levels found in the API were between 5% and 20%. The contaminant was not detectable using the standard testing procedures already in use. The supply of heparin was severely interrupted throughout the world and stock was in very short supply.

FDA found several breaches in compliance and contamination of heparin relating to inadequate processing, testing and equipment. Further, it was established that the heparin came from an undisclosed manufacturer which had since closed down. This heparin had been through several wholesalers and been repackaged within the supply chain. Other customers using this material had to initiate internal investigations, introduce new test methods and carry out further risk assessments of their existing heparin supply chain to determine the impact of this situation on them, including similar risks. Reference to FDA investigation

Learning points:
This case demonstrates how important it is for the accountable organisation to understand in detail the sources and the supply chain for raw materials and active ingredients. This includes knowledge of proceedings at all wholesalers and re-packagers in the supply chain. It is especially important in less regulated countries.

The accountable organisation should be sure that the standards that suppliers might claim to operate, and might be able to demonstrate from time to time, are actually being practised all of the time.

The supplier at the very start of the supply chain may be unaware of the application for which their material may ultimately be used. For example, the company who extracts the heparin from pigs (source of heparin) may not have any idea that the end point of their work is a life-saving anticoagulant drug. They are unlikely to be aware of GMP or be in a position to practise it.

The accountable organisation is responsible for the product and as such has a duty to ensure that the quality of materials and supply chain security are maintained through a programme of supplier assurance involving the necessary key stakeholders.


4.2 Plastics Supplier - Management of Second Tier Suppliers

Scenario:
During finished product manufacture, a customer found black contamination moulded within red plastic components used in packaging. The issue was reported back to the 1st tier supplier and the components quarantined, pending the outcome of the investigation by the supplier. The source of the identified quality issue was traced back to the 2nd tier supplier of the plastic colorant, where the material had separated during storage. The black contamination was part of the colorant material and therefore presented no risk to this finished product or end user. This was considered a cosmetic defect. This issue led to significant delays in manufacture as the plastic components had to be returned to the supplier for sorting. The 2nd tier supplier was audited as a consequence of this event and other non-compliances were identified. As a long term action the 2nd tier supplier decided to transfer manufacture of the colorant to another site. Because significant audit findings by a number of different customers meant that capital investment was needed to meet the required standards, the original site was closed.

Learning Points:
Most supply chains involve more than one tier of supply. It is important for the accountable organisation to understand the entire supply chain for its products, even to the lowest tier, in order to assess the potential hazards and determine the level of risk involved. Each supplier within the supply chain also has a responsibility to have supplier assurance in place.


4.3 Printed Artwork Supplier - Verification of Artwork

Scenario:
A pharmaceutical manufacturer had printed labels produced from artwork supplied by an external artwork house. During the production of some printed labels, the label manufacturer performed a routine QC check and identified an error with some of the text on the labels. They contacted their client, who verified that the original approved artwork and the supporting documentation were correct. Further investigation highlighted that the error occurred during the transfer of an electronic file from the artwork supplier to the label manufacturer. A check was performed by both the artwork supplier and label manufacturer which independently confirmed that the contents of the electronic file had been corrupted. This issue delayed the production of the labels and those already printed had to be destroyed. Both the artwork supplier and label manufacturer reviewed their processes and initiated corrective actions.

Learning Points:
All printing processes utilise digital files / images and there is much reliance on the security and quality of the electronic transfer of such files. This reiterates the importance of installing a robust data transfer verification process. With the increased reliance on electronic methods of data transfer, the integrity of such files is paramount. It was fortunate that the routine QC checks detected this error, which reinforces the criticality of such checks.
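The data transfer verification process called for in 4.3 can be built on a keyed hash manifest that travels with the files. The following is an added example, not part of the original guide; the function names, file names and shared key are assumptions, and the sample files are constructed.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

CHUNK = 64 * 1024


def sha256_file(path: Path) -> str:
    """Stream the file so large print-ready artwork need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for block in iter(lambda: handle.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def manifest_mac(entries: dict, key: bytes) -> str:
    """HMAC over a canonical encoding of the file list, so the list itself is protected."""
    canonical = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_manifest(folder: Path, key: bytes) -> dict:
    """Sender (artwork house): record size and SHA-256 of each approved file."""
    entries = {
        p.name: {"size": p.stat().st_size, "sha256": sha256_file(p)}
        for p in sorted(folder.iterdir())
        if p.is_file()
    }
    return {"files": entries, "mac": manifest_mac(entries, key)}


def verify_transfer(folder: Path, manifest: dict, key: bytes) -> dict:
    """Receiver (label manufacturer): return {file name: status}.

    Any status other than "ok" means the file must not go to print.
    """
    entries = manifest.get("files", {})
    if not hmac.compare_digest(manifest_mac(entries, key), str(manifest.get("mac", ""))):
        return {"<manifest>": "manifest altered or wrong key"}
    results = {}
    for name, entry in entries.items():
        path = folder / name
        if not path.is_file():
            results[name] = "missing"
        elif path.stat().st_size != entry["size"]:
            results[name] = "size mismatch"
        elif not hmac.compare_digest(sha256_file(path), entry["sha256"]):
            results[name] = "content mismatch"
        else:
            results[name] = "ok"
    # Files that arrived but were never listed by the sender are flagged too.
    for p in sorted(folder.iterdir()):
        if p.is_file():
            results.setdefault(p.name, "not in manifest")
    return results


def run_demo() -> dict:
    """Constructed sample: three files sent, two damaged on the way."""
    key = b"constructed-demo-key"  # assumption: a key agreed out of band
    with tempfile.TemporaryDirectory() as tmp:
        sent, received = Path(tmp, "sent"), Path(tmp, "received")
        sent.mkdir()
        received.mkdir()
        for name in ("label_front.pdf", "label_back.pdf", "leaflet.pdf"):
            body = f"%PDF-1.4 constructed sample artwork for {name}\n".encode() * 40
            (sent / name).write_bytes(body)
        manifest = build_manifest(sent, key)

        # Simulated transfer: intact copy, one flipped bit, one truncated file.
        (received / "label_front.pdf").write_bytes((sent / "label_front.pdf").read_bytes())
        flipped = bytearray((sent / "label_back.pdf").read_bytes())
        flipped[100] ^= 0x01
        (received / "label_back.pdf").write_bytes(bytes(flipped))
        (received / "leaflet.pdf").write_bytes((sent / "leaflet.pdf").read_bytes()[:-10])
        transfer = verify_transfer(received, manifest, key)

        # A manifest edited in transit to match a damaged file is rejected outright.
        forged = json.loads(json.dumps(manifest))
        forged["files"]["label_back.pdf"]["sha256"] = sha256_file(received / "label_back.pdf")
        forged_result = verify_transfer(received, forged, key)
    return {"transfer": transfer, "forged_manifest": forged_result}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

A single changed bit leaves the file size unchanged and is caught only by the digest comparison, which is why the size check alone is not sufficient.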


4.4 Primary Packaging Supplier - Warehouse Operations & Pest Control

Scenario:
Two dead mice were found inside the pallet wrapping of a consignment of plastic bottles to be used for a low margin antiseptic liquid product. This caused major disruption to the output of the pharmaceutical filling plant. All the stock of bottles had to be manually inspected for contamination. It was necessary to audit the supplier and its remote warehouse. Immediate action involved the relocation of bottle storage back into the main factory. The root cause was identified as inadequate warehouse pest control at the supplier's remote warehouse. It prompted an extensive programme of work to improve standards at the supplier.

Learning Points:
All suppliers will use warehouse facilities to store materials and they may not have the same standard of pest control processes as their customers. Warehouse facilities, including those used remotely, should be maintained to the appropriate standards and checked on a regular basis. Regardless of the value of the product, the accountable organisation still needs to consider potential hazards within the supply chain and apply Risk Management.


4.5 Distribution - Temperature Controlled Transportation

Scenario:
A contract manufacturer shipped product using its approved transportation service provider. The product required shipment at a temperature of 2°C - 8°C as specified by the customer. On receipt of the product, the customer found that it was frozen due to an incorrect temperature setting. The root cause was determined to be the lack of a check to verify the temperature settings after loading of the vehicle. The product had to be rejected and destroyed, resulting in significant delay and failure to meet market demand. Additional costs included replacement of product and disruption to production schedules.

Learning Points:
Many companies use contract manufacturers and distributors. Contracting out does not absolve an organisation of its responsibility to ensure the quality of products. The risks that transportation can pose to the final stages of a product supply chain should not be underestimated. It is important to ensure that all the defined requirements of parties within the supply chain do not pose any risks to the finished product; these requirements should be regularly reviewed and audited. Transportation requirements should be clearly defined and covered by a formal agreement.

Temperature control is critical for many products in the pharmaceutical and medical device industries. Consideration should be given to transport conditions throughout the supply chain, in particular where a number of organisations are involved, such as distributors and brokers etc.

Another example of unsatisfactory conditions during transport leading to a Class 2 drug alert and precautionary product recall can be found at the following link. http://www.mhra.gov.uk/Publications/Safetywarnings/DrugAlerts/CON054589


4.6 Solvent Supplier - Change Control

Scenario:
A well-established supplier delivers solvents to all customers in drums which are returned to the supplier when empty. The drums are recycled by washing thoroughly to ensure no cross-contamination from either solvents or additional uses by clients. The drums are not dedicated to a client or a solvent. The supplier is regularly audited by clients and subjected to strict Environmental Health and Safety regulations in the country of main operations.

After an Environmental Health and Safety inspection the solvent supplier was ordered to discontinue the washing of drums on grounds of staff exposure to highly volatile solvents. The residual content was instead allowed to dissipate on standing as the contents were highly volatile. The clients were given no notification of this change as a result of the audit because no formal agreements were in place.

A major client then noticed a cross-contamination issue in the manufacture of several batches of an Active Pharmaceutical Ingredient. Extensive investigation identified the contaminant to be from residual solvent in the drums. This contamination was difficult to process out and was present at a regulated stage of the process, adding complexity to the recovery process as well as investigation costs.

Learning Points:
Never rely on one method of control which is subject to only periodic oversight by audit. Audit is an essential tool but is only part of the controls. Expectations on events, specifications and change management at suppliers should be controlled by a Quality / Technical Agreement even if the material is processed out of the final product being manufactured. The importance of communication, especially with long-standing suppliers, should not be underestimated. Regular communication should be maintained at an appropriate frequency to ensure that as the customer-supplier relationship develops, both parties still fully understand the sometimes changing requirements of each other.


4.7 Active Pharmaceutical Ingredient (API) Supplier - Fraudulent Activities in Supply Chain

Scenario:
A pharmaceutical manufacturer, Company A, had outsourced the manufacture of an Active Pharmaceutical Ingredient to a supplier (Company B) that was based in a part of the world with cultural and ethical differences. In recognition of the risks associated with this particular supplier, Company A set up a team to control and manage Company B. During one of Company A's routine technical visits at Company B's premises, it was discovered that a third party, Company C, who were not approved by Company A, was actually manufacturing some of the product and that Company B had generated batch records as if Company B had made the product instead of Company C.

Learning Points:
An increasing number of companies look for ways to minimise costs. This often involves looking at Cost Competitive Countries as sources of supply where manufacturing standards vary significantly. Some suppliers based in these countries may falsify documents for various reasons. In the regulated industry requiring a secure supply chain, such practices can lead to serious consequences including recall of product.

It is important during the supplier selection and evaluation process to ensure that all aspects of the supply chain are as ethical, robust and secure as possible. Appreciation is required of potential ethical issues when a supplier tenders for business, and strict monitoring should be implemented prior to the supplier's approval. The accountable organisation should be sure that the standards that suppliers might claim to operate, and might be able to demonstrate from time to time, are actually being practised all of the time.


4.8 Packaging Supplier - Errors in Proof Reading

Scenario:
A printer's proof for artwork relating to a heart condition medicinal product was incorrectly read by the supplier as "Approved" when it was actually "Rejected". As a consequence, the wrong file was used to make replacement printing plates, and cartons were printed which indicated on one end flap "14 tablets" instead of "28" and were used by an outsourced packager. The stock had to be recalled from all the distribution centres to enable a full rework programme to be initiated. This delayed the critical medicinal product reaching the market. Working together, the customer and supplier were able to reconstruct the complete sequence of events. In addition to awareness training, the rules regarding issuing artwork and file management between the supplier and the plate-maker were updated and the process improved.

Learning Outcome:
Reading proofs is still a key part of the printing process and anyone can make a mistake. No process is infallible; therefore it is important to identify any potential risks in a process and to implement corrective / preventive action to mitigate those risks. It is important that critical data is independently verified and that such check points are identified using a Risk Management approach.


4.9 Label Supplier - Change Control

Scenario:
At a pharmaceutical customer's premises, self-adhesive labels were failing to stick to glass vials. This had been caused by the supplier switching their source of unprinted label material. The raw material was thought to be of equivalent quality and no extra quality checks were performed at Goods-Inwards. This change was introduced without informing the customer; therefore no formal Change Control or Risk Assessment could be performed by the customer. The problem caused chaos on the customer's packing line and it was not certain how well the labels were affixed to apparently satisfactorily packed vials. The label printing company pursued the quality issue with its supplier and trials of alternatives were subsequently conducted with the pharmaceutical company. In addition, revisions were made to the Change Control system.

Learning Points:
It is easy to make the assumption that an alternative material is the same as the original material without performing any verification activities. A simple verification such as a line trial may have captured this before introduction. Many companies do not have formal agreements in place with their suppliers and so there is no legal requirement for the supplier to notify their customers of changes. Even changes that a supplier considers minor could have a large impact on its customers. It is important for both customers and suppliers to understand each other's processes and requirements. Clearly defining roles and responsibilities within some form of simple agreement or contract is, as a minimum, a starting point for agreeing which changes require notification / approval.


4.10 Active Pharmaceutical Ingredient (API) Supplier - Implementation of a New Process

Scenario:
Company A was planning the installation of a new process for the manufacture of Active Pharmaceutical Ingredients (APIs). The process had a number of stages involving chemical reaction, crude isolation, purification by re-crystallisation, isolation by filtration and drying of the final API bulk powder. The process utilised a number of different solvents at different stages. Delivery of solvents to the purification vessel is automatically controlled by an operator using a computer terminal. The different solvents are piped through a single manifold system before branching out for delivery to the various vessels.

To implement the new process, an interdisciplinary team was assembled with the following experts:
- R&D Chemist who was familiar with the chemistry of the process.
- Process Engineer who was familiar with the plant construction and especially the automated control system.
- Quality Assurance Specialist who was familiar with Quality Management System and Quality Control testing.

At the team meetings, discussions were held about potential issues (identifying the risks). Based on the knowledge of the experts it was concluded that:
- The raw materials did not introduce anything foreign to the process and, once they were QC passed, would deliver product of the correct quality.
- The process did not introduce any impurities by side reactions or the natural chemistry of the process, provided the purification step was performed in virgin Solvent A. If any other solvents were present the batch would fail for impurities.
- No introduction of foreign solvent to the process could occur, as the automated system should only open the correct valve to charge the solvent to the correct tank.

As a result the most probable risk identified was the quality of the raw materials.

A few weeks after implementation, a number of batches began failing for impurities, and residual solvent appeared that was foreign to the process. An investigation could not determine the root cause of the batch failures. A production operator was invited to the meeting where the team reviewed all the information previously reviewed in setting up the process. The production operator quickly noted that the valve on the solvent feed-line to the purification vessel was hand actuated and not controlled by the automated system. It was discovered by further investigation that the failed batches were all contaminated with Solvent B. This was because the hand valve had been left in the open position when Solvent B was being charged to adjacent processes and the foreign solvent was able to travel along the line into the purification vessel.


Learning Points:
The implementation of many new systems or processes fails due to the lack of involvement of the relevant people right at the beginning. It is important to consider all stakeholders. Even a large company with abundant resources, finances and large departments with well-defined and separated roles can overlook the importance of key knowledge holders. The personnel involved should have a suitable level of process knowledge in the operation of the process.

Sufficient unbiased scientific data or information about all potential risks in implementing any new process should be gathered to define the limits of a Risk Assessment. It is not enough to rely on the "gut feel" of a process expert.

Appropriate resources should be allocated and a team leader identified who has clear responsibility for the co-ordination of all activities. Project deliverables and set timelines will give focus to the Risk Management process and allow the management of larger processes.


4.11 Raw Material Manufacturer - Multiple uses of a Material


Scenario:
Company B supplied salt (Sodium Chloride) to various types of industry. 60% of Company B's business is supplying salt to local County Councils for gritting roads. The remaining 40% of the business is supplying salt to the pharmaceutical industry for use in sterile injection products. The business owner purchases salt in bulk from a manufacturer and repacks it into 25 Kg bags for their customers. A process review was conducted of the supply chain and customers to maximise business potential. The owner, in reviewing the process, used brainstorming to decide what the problems / questions were. The first major fact was the 60:40 split of the business. If considered alone, it would appear that the 60% was the more important client base. The 60:40 split was based on quantities only and didn't reflect the income from the business. The County Council only needed salt for 3 months of the year; however, the pharmaceutical customers purchased all year round. Company B charged 25 per bag for the pharmaceutical customers but could only charge 15 per bag to the councils. Thus if Company B sold 100 bags this year the company will receive 2500 from the pharmaceutical customers and 1500 from the council customers. The owner talked to the buyers from both the council and pharmaceutical customers to understand how important the supply of salt was to them. The council had no real requirements and would accept any grade of salt supplied. The pharmaceutical customers, however, explained that they should receive salt of a pharmacopoeial grade to reduce the risk of contamination to sterile products and the consequences to the patient.

The owner of Company B now had a different perspective of the risks in the manufacturing process for the supply of pharmaceutical grade salt.

Learning Points:
Many materials, particularly excipients, have multiple uses and are often used in both pharmaceutical and non-pharmaceutical manufacture. It is important to ensure that formal specifications and other expectations are agreed between both parties to ensure that the supplier fully understands the need for high quality materials. A full Risk Management review of the complete supply chain should be conducted to identify potential hazards and associated risks, and the actions to be taken to eliminate or mitigate those risks. A supplier should consider the end use of the material supplied to its customers and the risks to the customers who use the final product.


4.12 Medical Device Supplier - High Bioburden


Scenario:
A medical device manufacturer, Company Y, had developed a new product (wound dressing) that used a material not commonly used in the medical device sector. After a series of trials on the functionality of the material, the development team selected Company Z to supply. The manufacturing process was successfully initiated; however, during routine incoming analysis of the material, the bioburden (i.e. microbial contamination) of the material was found to exceed acceptable limits, causing a delay to the product launch. A facility inspection of Company Z identified that although the company had a good Quality Management System (QMS) and cross-contamination controls, it did not have adequate environmental controls in place to minimise the potential bioburden of the product in question. A follow-up technical visit and discussion led to an agreed change in the temperature and storage parameters during the conditioning process that significantly reduced the bioburden. As an additional and precautionary measure, a sterilisation process was introduced downstream.

Learning Points:
It is important to ensure that all risks relating to product are established at the design stage. Control in design includes selection of material, manufacturing process and sterilisation validation (ISO 14971:2007 Table E). Harm should have been identified as potential bioburden in a patient leading to infection or the wound not healing. Specifications should define maximum allowable limits. Risk Analysis of the supply chain here would have identified the need for the supplier's processing facility to be audited and the manufacturing process qualified with respect to GMP and environmental control. Some industry sectors will be unfamiliar with GMP and / or medical device requirements even though they may have their own established quality standards. Controls in manufacture should then be included in a Supplier Quality or Technical Agreement. In the development of new products, new materials / technologies are often required which may not have been used in a regulated industry previously even though these materials / technologies may have a proven track record in other industries. Early involvement of key stakeholders from other functions such as Quality Assurance would help ensure that requirements such as GMP or special requirements are specified and understood. In selecting materials and suppliers with no medical device experience, it is important that the process steps at the supplier are evaluated carefully against specifications and final product requirements.


4.13 Raw Material Supplier - Inconsistent Analytical Results


Scenario:
Company A has purchased a chemical excipient from Supplier C for many years. The material is used in an oral dosage product and there have been no reported quality issues. This material is not purchased as a pharmaceutical grade and there is limited communication between the two companies. Company A analysed a recent delivery and found an Out of Specification result for one of the test results. This was reported to Supplier C as a complaint, for investigation and root cause identification. During the investigation, it was identified that the supplier's results for this particular test were consistently lower than those obtained by Company A. Further reviews of the analytical differences confirmed the trend and that there was the potential for high results to be within the acceptable limits for Supplier C, but to be outside the acceptable limits for Company A. This created a stalemate situation where both parties confirmed their relevant results. It also meant a delay in the availability of material for use in production, whilst investigations were ongoing. Supplier C was the only source of this material so it was important to Company A that the situation was resolved. Discussions were held to assess the risks associated with the manufacture and supply of this material. As part of the risk mitigation strategy, it was agreed that Supplier C would provide a pre-shipment sample for any future deliveries that could be analysed and approved before final shipment was made. This would avoid any material rejections and maintain the supply chain to Company A.

Learning Points:
It is important to assess the potential analytical differences between testing laboratories and to perform trend analysis. The importance of regular communication, especially with historical suppliers, should not be underestimated and assumptions should be avoided. Even if a material is considered low risk from historical data, it should always be re-evaluated at a defined timeline. Some form of supply contract or agreement should have been generated and approved which clearly stated the roles and responsibilities between both parties, especially in the event of a dispute. There should be agreement on the requirements (specifications) to ensure that a supplier can meet customer requirements. Where appropriate, a review of the analytical methods should be conducted to identify any potential differences with equipment or methods. As time progresses, many Industry Standards and chemical tests evolve, so periodic communication and review is vital to ensure the continuity of a successful supply chain. In this case, the material used was cosmetic grade, which may have been the only one available at the time of product development; however, more and more suppliers are now offering pharmaceutical grade alternatives.


4.14 Aluminium Tube Supplier - Continuity of Supply


Scenario:
Supplier A has manufactured aluminium tubes for the pharmaceutical industry for many years. Company B purchases tubes from Supplier A for use with a topical product and has never had issues with the supply chain or quality. The relationship between the two companies was managed from a distance with little or no contact. Suddenly, Company B received a phone call from Supplier A to say that they had gone into administration and sold their tube business to another company with immediate effect! Company B had no knowledge or experience of this new Supplier C and had no choice in the transfer to Supplier C. The tubes supplied were classed as primary packaging as the inner surface of the tubes was in direct contact with the product. It was therefore important to establish that the specification for the tubes remained unchanged and that they would be manufactured under cGMP conditions. An audit of Supplier C's facility had to be quickly organised, as this was required before the next delivery which would be manufactured by Supplier C. In addition, confirmation was required that the specification was exactly the same as before. To meet legislative requirements, product manufactured using the new tubes was put on stability trials to verify that there was no effect on the product. This change, without prior notification by Supplier A, forced Company B to initiate a number of priority activities and caused delays in the production of this topical product. Customer service was dramatically affected.

Learning Points:
The financial stability of suppliers and the potential effects on the supply chain should be assessed as part of regular Risk Management. In theory this should not have come as a surprise. However, in practice it is often difficult to predict the financial stability of a supplier. There are various ways of verifying a company's financial status; however, these may not always reveal the full picture. The key here is to always maintain open channels of communication and to conduct regular reviews of suppliers based on risk evaluation outcome. Just talking to suppliers often yields interesting and open discussions that give each party an insight into the way the other one works. The importance of building a good relationship cannot be ignored, and looking at the bigger picture for any signs that the supplier is in trouble is paramount, for example: were there any delivery issues? Was it difficult to get hold of people to ask questions? Was there any information communicated by the supplier that was missed? Where feasible and available, the identification of a second source of supply to strengthen the supply chain would ultimately reduce the risks to supply. The use of a sole source of supply will always present a risk and should be avoided if possible. If there is no alternative, then that makes the use of a Risk Management process even more vital to an organisation. At the very least, a risk mitigation plan should be formulated to consider the "what if" scenario. It is important to fully understand what activities would need to be completed and the impact on an organisation if a particular supplier went out of business.


4.15 Distribution Supplier - Lack of Formal Contracts


Scenario:
Company A does not have its own transportation so it relies on a local haulage company to collect and deliver its products. A customer had recently complained to Company A about the receipt of a damaged pallet of goods. The customer provided photographic evidence of the issue which identified that the damage was not just superficial but severe. The pallet had apparently been re-wrapped by the haulier. Company A contacted the haulage company to investigate the complaint. The investigation identified the fact that there was no formal contract between the two companies that clearly defined the roles and responsibilities of each party, and that the hauliers did not fully understand the importance of their role in the supply chain and the impact / consequences of their actions. Therefore they had not reported the issue where a forklift truck had damaged the pallet and thought they were doing the right thing by re-wrapping the pallet. There was no transport specification defined that included the details of such areas as:
- Transportation routes
- Storage conditions
- Handling methods
- Documentation
- Reporting process for issues
- Key contact information at both companies
The pallet was returned to Company A and the product had to be rejected at a cost to Company A as the level of company insurance was not adequate to cover the cost of this product.

Learning Points:
It is important to ensure that all suppliers fully understand and document their customers' requirements and what their roles / responsibilities are in the supply chain. It is essential that the haulier's insurance cover is adequate to cover costs should a claim be initiated.


4.16 Chemical Supplier - Effect of Global Supply Chains


Scenario:
During the manufacture of plastic parts for cars, a by-product called acetonitrile is produced which is used by many pharmaceutical and device companies during product manufacture and QC testing. During an economic downturn, the volume of manufactured car parts reduced due to the drop in car sales. This led to a supply shortage for acetonitrile producers and ultimately a supply shortage for consumers. There was a global shortage of the material and customers were unable to maintain their regular supply. Prices increased significantly and the effect led to severe delays in manufacture and analysis. This in turn led to late or missed orders by manufacturers.

Learning Points:
Events in a seemingly unrelated industry sector can have an indirect knock-on effect in other industries. The risks to a supply chain should be assessed throughout all tiers. Even if a material is used in laboratory analysis, it is still vital to understand its importance to a manufacturing process and the ability to meet customers' requirements.


4.17 Cold Chain Transport - Effect of not knowing all the links in a Transport Chain
Scenario:
Pharmaceutical products were manufactured and shipped from UK to Spain using cold chain transport. The products were collected from the contract manufacturing site by a haulage company understood to be the designated haulage contractor of the client. The lorry appeared to be a clean, controlled temperature vehicle. The products arrived after a few days at the Spanish warehouse of the client pharmaceutical company. The products were stored in the recesses of a refrigerated lorry containing sides of meat. The outer containers of the pallets were contaminated with particles of meat and blood that were adhering to the boxes. After taking photographic evidence of the event, the receiving warehouse quarantined the consignment, which was eventually destroyed due to contaminated packaging. The product had to be reordered from the manufacturer and the market was out of stock of the needed pharmaceutical product. From the investigation, it was not clear where or why the cross-docking event had occurred onto the meat lorry or the transit route taken between manufacturing site and final destination warehouse.

Learning Points:
It is important to ensure that all suppliers fully understand what the requirements are and what their role / responsibility is in the supply chain. There may be more than one supplier involved in an event or transactional movement. Even if transport of the finished product is considered as low risk, there is a need to understand its possible complexity and importance in the final supply links to market. For pharmaceutical products, adherence to Good Distribution Practice applies in transit as well as in storage. Assumptions should not be made that a transport company knows how to protect their customers' products appropriately. Standards of care should be set and applied to transport companies, their subcontractors and transit locations. These should include clear definition of roles & responsibilities, expectations on protection from various contamination sources, specific storage conditions, handling or documentation requirements and the regulatory standards under which the operations occur.
Transit routes for products should be agreed, and if possible, where products may be stored / located with other goods to save on transit costs. Activities should be monitored at the transport hubs / cross-dock locations. One vehicle may not collect in one country and deliver direct in another. A process for reporting of issues should be agreed to ensure that the communication channels are established. The haulier's insurance coverage should be checked to ensure that it is adequate to cover costs should a claim be initiated. Investigation reports and events should be circulated for future learning by different quality units in a complex chain.


4.18 Brokers in Raw Material Supply Chains - Raw Material Source of Origin
Scenario:
A range of sterile eye drop products was expanded from one market to several new markets. The product was registered as a medical device with a key complex ingredient of natural origin obtained from a supplier that was listed as the processor of the plant extract. It was critical that during the manufacturing process, the ingredient forms a certain crystalline structure. There were other crystalline structures formed by different processes but these were not detectable in the specification. The manufacturer ordered a 10-fold increase in raw material to build stock for launch into new markets, which was delivered on time. The supplied material passed all specification tests. During the pre-launch promotional trials, there were a large number of adverse events from the test markets causing soreness and worsening of the original condition. Extensive laboratory tests of the product and materials failed to identify any differences until specialist crystallography testing was performed. The key ingredient supplier was questioned and revealed that their supplier was a broker purchasing from different sources. To meet the increased demand, the supplier had sourced additional material from a different source which used an alternative crystallization process. For some batches the material source was known and for others it was not, so, as the materials were mixed, it was not clear which batches were fit for purpose and which were not. The launch was severely delayed with large additional costs for the investigation.

Learning Points:
It is important to know the source of raw materials and the security of a reliable source especially with historical suppliers. Assumptions should not be made - just because there have been no detectable issues doesn't mean that everything is alright. A thorough evaluation of the risks involved should be conducted even if a material is considered low risk from a product perspective. A supply contract or Technical Agreement should be in place which includes specifications and all quality requirements including key processing requirements and which clearly states the roles and responsibilities between client and supplier. Non-pharmaceuticals can be a source of adverse events. Supplier audits should be performed to ensure that a supplier has full traceability of their supply chain. Discussions should take place that clearly define what the requirements (capacity, specifications and processing) are to ensure that a supplier can meet customer requirements. If possible and feasible, a review of the analytical methods should be conducted to identify potential differences with equipment or methods. Regular communication should be maintained, at an appropriate frequency, to ensure that the customer-supplier relationship develops and that both parties fully understand the requirements of each other. The supply chain should be re-evaluated on a regular basis and, if feasible and cost effective, new or alternative methods of supply should be investigated with an appreciation of the impact of making such a change and the potential risks that it may cause.


4.19 Medical Device Service Supplier - Reuse Potential Infection Problem


Scenario
The FDA in the USA has warned of a potential infection problem with medical devices that are rented or leased by health care facilities. The FDA reported their concerns that reusable (non-disposable) medical devices rented or leased from third parties may not be properly cleaned, disinfected and / or sterilised prior to delivery to the health care facility. Also, when health care facilities exchange equipment with other institutions, the equipment may be improperly cleaned, disinfected and / or sterilized either before or after patient use. It is uncertain how often this occurs, or which devices are most likely to be involved, but the potential seriousness of the problem warrants attention. Improper handling of devices between uses can contaminate facilities and expose individuals, including health care providers and couriers who come into contact with this equipment, as well as patients, to infectious, biohazardous material. Also, the presence of residual organic material on such equipment may compromise the effectiveness of sterilisation procedures. Rental / leasing contracts between health care facilities and third parties may fail to clearly identify the party responsible for cleaning, disinfecting and / or sterilising used medical equipment. In some cases, no contract or agreement may exist. It may be unclear whether health care facility personnel who handle this equipment should clean, disinfect, and / or sterilize it after use, before it is returned to the third party supplier.

Learning / Recommendations
If the health care facility is responsible for cleaning, disinfecting and / or sterilising equipment for reuse, it should ensure that all appropriate personnel are aware of these hazards, are responsible and properly trained and equipped to perform the required tasks appropriately. If the Rental / leasing company or health care facility (Contract Giver) uses a third party as responsible for cleaning, disinfecting and / or sterilising equipment for reuse, they should periodically review the third party's operating procedures to determine that its facilities, equipment, processes and personnel are adequate to perform these operations. The Contract Giver should be sure that the third party is familiar with the manufacturer's instructions for cleaning, disinfecting and sterilising the device. Additionally, if a third party is responsible for cleaning, disinfecting and / or sterilising equipment for reuse, the Contract Giver must ensure that its own personnel are properly trained and equipped to handle, package, and label contaminated equipment for shipment back to the supplier. In some cases, third-party suppliers may also reprocess or refurbish medical devices between uses. When the contract calls for these services, the Contract Giver should ensure that the supplier is familiar with the device manufacturer's specifications for the product. Health care facilities may wish to establish quality assurance procedures to be sure that reprocessed or refurbished devices fulfil these specifications before use. Reference to FDA report


Glossary
Term: Definition

Accountable organisation: Within each supply chain, there is an organisation that is legally accountable. Each competent and regulatory authority ultimately holds one manufacturer primarily responsible for meeting regulatory and quality requirements for the product(s) supplied. This accountable organisation (pharmaceutical or medical device) has ultimate responsibility and cannot relinquish or delegate (contractually or otherwise) its obligation and responsibility over any or all functions to its suppliers.

Active Pharmaceutical Ingredient (API) (or Drug Substance): Any substance or mixture of substances intended to be used in the manufacture of a drug (medicinal) product and that, when used in the production of a drug, becomes an active ingredient of the drug product. Such substances are intended to furnish pharmacological activity or other direct effect in the diagnosis, cure, mitigation, treatment, or prevention of disease or to affect the structure and function of the body. [ICH Q7]

Batch (or lot): A defined quantity of the product, manufactured in one process or series of processes, so that the product qualities and characteristics are expected to be uniform and consistent.


Corrective Action and Preventive Action (CAPA): Reference ISO 9000:2005.
Correction: action to eliminate a detected nonconformity. NOTE 1 A correction can be made in conjunction with a corrective action. NOTE 2 A correction can be, for example, rework or regrade.
Corrective action: action to eliminate the cause of a detected nonconformity or other undesirable situation. NOTE 1 There can be more than one cause for a nonconformity. NOTE 2 Corrective action is taken to prevent recurrence whereas preventive action is taken to prevent occurrence. NOTE 3 There is a distinction between correction and corrective action.
Preventive action: action to eliminate the cause of a potential nonconformity or other undesirable potential situation. NOTE 1 There can be more than one cause for a potential nonconformity. NOTE 2 Preventive action is taken to prevent occurrence whereas corrective action is taken to prevent recurrence.

Contamination: Contamination is any kind of unwanted materials that may be incorporated into the product. Contamination may be physical (e.g. extraneous dirt or dust), chemical (e.g. processing aids, lubricants) or biological (e.g. mould, fungus, bacterial). This may be introduced, for example, from equipment, air systems or personnel, during production, sampling, packaging, storage and distribution.

Contract (or agreement): A legally binding document agreed between organisations on the provision of products or services. Specifications and Technical Agreements may form part of a contract.

Contract Acceptor: The party accepting the requirements of another party as defined in a written contract or agreement.

Contract Giver: The party communicating its requirements to another party as defined in a written contract or agreement.

Counterfeit: A copy produced without authority with the intention of deceiving a user as to its true origin.

Detectability: The ability to discover or determine the existence, presence, or fact of a hazard.

Decision maker: Person(s) with the competence and authority to make appropriate and timely Quality Risk Management decisions.

Excipient: An inactive substance used as a carrier for the active ingredient(s) of a medicinal product.

FDA: Food and Drug Administration, USA Regulatory Body.

Good Manufacturing Practice (GMP): GMP is that part of quality assurance which ensures that products are consistently produced and controlled to the quality standard appropriate to their intended use as required by the product specification.

GxP: A collective term for good practices (including GMP) covered by the regulations or guidance that ensure and control quality, safety and efficacy at different stages of the product lifecycle and supply chain. X = clinical (GCP); distribution (GDP); laboratory (GLP / GCLP); manufacturing (GMP).

Harm: Damage to health, including the damage that can occur from loss of product quality or availability.

Hazard: The potential source of harm.

ICH: International Conference on Harmonisation. An organisation comprising representatives from 3 major pharmaceutical regulatory bodies and 3 industry representative bodies.

Management System - Business: The set of interrelated elements that establish policy, processes, procedures and objectives which direct and control an organisation with regard to all management activities.

Management System - Quality: Quality Management System is a subset of interrelated elements that establish policy, processes, procedures and objectives which direct and control an organisation with regard to quality.

Manufacture: All operations including purchase and receipt of materials and products, production, quality control, release, storage, distribution and related records.

Origination: Origination is all the preparative activities prior to print. These include concept, design, graphics, reprographics, film, plate making, silk screens and digital files and masters.

Outsource: Outsourcing is the use of another supplier to conduct all or part of an activity and may also be referred to as subcontracting.

Process: Set of interrelated or interacting activities which transforms inputs into outputs.

Product: The result of a process.

Product Lifecycle: All phases in the life of the product from the initial development through marketing until the product's discontinuation.

Quality: The degree to which a set of inherent properties of a product, system or process fulfils requirements. See also ICH Q6A definition specifically for quality of drug substance and drug (medicinal) products.

Quality Risk Management: A systematic process for the assessment, control, communication and review of risks to the quality of the product across the product lifecycle.

Raw Material: A general term used to denote starting materials, reagents and solvents intended for use in the production of intermediates, sub-assembly or finished product.

Residual Risk: Risk remaining after Risk Control measures have been taken. (ISO 14971:2007)

Requirements: The explicit or implicit needs or expectations of customers (e.g. patients, health care professionals, regulators and legislators). In this guide, "requirements" refers not only to statutory, legislative, or regulatory requirements, but also to such needs and expectations.

Risk: The combination of the probability of occurrence of harm and the severity of that harm. (ICH Q9)

Risk Acceptance: The decision to accept risk. (ICH Q9)

Risk Analysis: The estimation of the risk associated with the identified hazards. (ICH Q9)

Risk Assessment: A systematic process of organizing information to support a risk decision to be made within a risk management process. It consists of the identification of hazards and the analysis and evaluation of risks associated with exposure to those hazards. (ICH Q9)

Risk Assessment Tool: A recognised technique for the identification, prioritisation and management of key risks, for example, Failure Mode Effects Analysis (FMEA), Fault Tree Analysis (FTA) and Risk Ranking and Filtering.

Risk Communication: The sharing of information about risk and risk management between the decision maker and other stakeholders (internal or external).

Risk Control: Actions implementing Risk Management decisions. (ICH Q9)

Risk Evaluation: The comparison of the estimated risk to given risk criteria using a quantitative or qualitative scale to determine the significance of the risk. (ICH Q9)

Risk Identification: The systematic use of information to identify potential sources of harm (hazards) referring to the risk question or problem description. (ICH Q9)

Risk Management: The systematic application of quality management policies, procedures, and practices to the tasks of assessing, controlling, communicating and reviewing risk. (ICH Q9)

Risk Reduction: Actions taken to lessen the probability of occurrence of harm and the severity of that harm. (ICH Q9)

Risk Review: Review or monitoring of output / results of the Risk Management process considering (if appropriate) new knowledge and experience about the risk. (ICH Q9)

Risk Score: A number that indicates the likelihood of an event occurring and the severity of the event's impact.

Severity: A measure of the possible consequences of a hazard.

Specification: A description of the material(s) using a designated name and unique code reference, stating the physical attributes and performance and, in some instances, the chemical and biological attributes required of a material or product. It typically lists attributes in terms of appearance and variable characteristics, stipulating values, ranges and limits. It should either refer to or include test methods and, where appropriate, sampling plans, acceptance quality limits, associated defect classifications, storage conditions and precautions and the maximum period of storage before re-examination.

Stakeholder: Any individual, group or organization that can affect, be affected by, or perceive itself to be affected by a risk. Decision makers might also be stakeholders. For the purposes of this guide, the primary stakeholders are the patient, healthcare professional, regulatory authority, and industry.

Supplier: Includes all providers of materials or services throughout the supply chain that are important to the user's organisation based on risk including: Products (materials, components etc.); Services (e.g. calibration, cleaning, pest control, freight); Contractors (manufacturers, packing, warehouse, distributors, agents etc.).

Supply Chain: A system of organisations, people, technology, activities, information and resources involved in moving a product from supplier to a customer.


Bibliography
1. ASTM E2476-09 Standard Guide for Risk Assessment and Risk Control as it Impacts the Design, Development, and Operation of PAT Processes for Pharmaceutical Manufacture
2. BS 31100:2008 Risk Management. Code of Practice
3. BS IEC 61882:2001 - Hazard and operability studies (HAZOP studies) application guide
4. Code of Federal Regulations, 21 CFR 210 / 211, 600, 820 Part 820; 820.50: Purchasing Controls
5. EU Guide to GMP
6. Failure Mode and Effect Analysis, FMEA from Theory to Execution, 2nd Edition 2003, D. H. Stamatis, ISBN 0873895983
7. Food and Drug Administration (FDA), FDA's Ongoing Heparin Investigation
8. Global Harmonisation Task Force (GHTF) Quality Management System Medical Devices - Guidance on the control of products and services obtained from suppliers, GHTF/SG3/N17:2008
9. Guidelines for Failure Modes and Effects Analysis (FMEA) for Medical Devices, 2003 Dyadem Press, ISBN 0849319102
10. International Conference on Harmonisation (ICH) Q8 Pharmaceutical Development
11. International Conference on Harmonisation (ICH) Q9 Quality Risk Management
12. International Conference on Harmonisation (ICH) Q10 Pharmaceutical Quality System
13. IEC 61025 Fault Tree Analysis (FTA)
14. IEC 61882 Hazard Operability Analysis (HAZOP)
15. International Commission on Radiological Protection (ICRP) in Publication 26 (ICRP 1977) as quoted in Textbook of Radiopharmacy, Theory and Practice, Ed. Charles B Sampson, 3rd 1999, relating to ALARP / ALARA
16. ISO/IEC Guide 73 Risk Management Vocabulary Guideline for Use in Standards
17. ISO/IEC 17025:2005 General Requirements for the Competence of Testing and Calibration Laboratories
18. ISO 7870:1993 Control Charts
19. ISO 7871:1997 Cumulative Sum Charts
20. ISO 7966:1993 Acceptance Control Charts
21. ISO 8258:1991 Shewhart Control Charts
22. ISO 9000:2005 Fundamentals and Vocabulary
23. ISO 9001:2008 Quality Management Systems - Requirements
24. ISO 9004:2009 Managing for Sustainability - A Quality Management Approach
25. ISO 13485:2003 Medical Devices - Quality Management Systems - Requirements for Regulatory Purposes
26. ISO 14971:2007 Medical Devices - Application of Risk Management to Medical Devices
27. ISO 15378:2006 Primary Packaging Materials for Medicinal Products - Particular Requirements for the Application of ISO 9001:2000 with reference to Good Manufacturing Practice (GMP)
28. ISPE GAMP-5 Good Automated Manufacturing Practice
29. Medical Device Directive (EU Directive 93/42/EEC)
30. MLX 357 Public Consultation on Measures to Strengthen the Medicines Supply Chain and Reduce the Risk from Counterfeit Medicines, www.mhra.gov.uk
31. Pharmaceutical Technology Europe Regulatory Report: Is the Pharmaceutical Supply Chain Safe? Philip Payne, July 2008
32. Process Mapping by the American Productivity & Quality Center, 2002, ISBN 1928593739
33. PS 9000:2001: The application of ISO 9001 and ISO 9004 to Pharmaceutical Packaging Materials. IQA, ISBN 0 906810 73 6
34. PS 9004: A Guide to the GMP Requirements of PS 9000:2001 Pharmaceutical Packaging Materials. 2004, IQA, ISBN 0 906810795
35. PS 9100:2002: Pharmaceutical excipients, The application of ISO 9001:2000 and GMP guide for pharmaceutical excipients. IQA, ISBN 0 906810 83 3
36. Quality Risk Management, British Association of Research Quality Assurance (BARQA) 2008, ISBN: 978-1-904610-10-6, http://www.barqa.com
37. Risk Assessment in Supply Chain Management, Ian Williams, GMP Review Vol. 2 No. 4, January 2004
38. Rules and Guidance for Pharmaceutical Manufacturers and Distributors 2007 (Orange Guide)
39. The Basics of FMEA, Robin McDermott, Raymond J. Mikulak, Michael R. Beauregard, 1996, ISBN 0527763209
40. The Development of a Quality Risk Management Solution designed to Facilitate Compliance with the Risk-based Qualification, Validation & Change Control GMP Requirements of the EU, O'Donnell, K, February 2008
41. Weak Links 2009 - A Survey Suggests that Manufacturers don't have as much Control over Supply Chain Security as they think they do, Carla Reed
42. WHO Technical Report Series No 908, 2003, Annex 7 Application of Hazard Analysis and Critical Control Point (HACCP) Methodology to Pharmaceuticals
43. ICH Q9 Briefing Pack

This electronic document was developed for publication for PQG by Design Inc, 01784 410380

Figure 1 An extended model of a process-based quality management system[1]
[Diagram labels: Organization's Environment; Interested Parties and Customers (needs & expectations in, satisfaction out); ISO 9004 Clause 4 Managing for the sustained success; ISO 9004 Clause 5 Strategy and policy; ISO 9004 Clause 6 Resource management (extended); ISO 9004 Clause 7 Process management; ISO 9004 Clause 8 Monitoring, measuring analysis and review; ISO 9004 Clause 9 Improvement, innovation and learning; ISO 9001 Clause 5 Management Facility; ISO 9001 Clause 6 Resource management; ISO 9001 Clause 7 Product realization; ISO 9001 Clause 8 Measurement, analysis and improvement; Product; Continual improvement of the quality management system leading to sustained success; Foundation: Quality management principles (ISO 9000). Key: Information flow; Value-adding activities.]

Figure 2 Quality Risk Management Overview (ICH Q9)
[Diagram labels: Initiate Quality Risk Management Process; Risk Assessment (Risk Identification, Risk Analysis, Risk Evaluation); Risk Control (Risk Reduction, Risk Acceptance); Output / Result of the Quality Risk Management Process; Risk Review (Review Events); Risk Communication and Risk Management tools alongside all stages; an "unacceptable" return path.]

Figure 3 Example of Functional Activities and Support Services within an Organisation
[Diagram labels: Supplied materials / products; Product / Service Design & Development; Manufacturing & Testing; Packaging; Warehouse & Distribution; End user / customer. Internal Support Services (examples): Quality, EHS, Engineering, Facilities, IT. External Contracted Services, e.g. manufacturing, testing, artwork & origination, packaging, warehousing & distribution, calibration, etc.]

Figure 4 - Typical supply chain hierarchy
[Diagram labels: End customer / patient; Transport / Distribution; Wholesale / retailer / pharmacy; Transport / Distribution; Pharmaceutical and Medical Device Industry; Brokers / Distributors / Transport companies; Tier 1 suppliers (Supplier A); Tier 2 suppliers (Supplier B); Tier 3 suppliers (Supplier C); Tier 4 suppliers (Supplier D).]

Figure 5 Guidance on Control of Products during Supplier Lifecycle Management (adapted from GHTF/SG3/N17:2008)
[Flowchart phases: Planning; Supplier selection; Supplier evaluation & finalisation; Performance measurement; Feedback & communication; Supplier exit strategy. Each phase is shown against its objective evidence, including product specifications, product / process risk assessment, selection criteria and rationale, due diligence / audit reports, purchasing information, Quality / Technical Agreement, records of monitoring and data analysis, records of corrective & preventive actions, and change control notification / approval.]

Figure 6 - Sources of Information that can be used in Risk Identification
[Diagram labels: Data / Information. Hard Data / Information: Facts, Measurements, Analysis results, Trends, Variables, Attributes. Soft Data / Information: Observation, Experience, Assumptions (based on experience). Key: Qualitative, Quantitative, Both.]

Figure 7 Example of a mind map

Figure 8 Flowchart of a Medical Device Manufacture showing Suppliers & Contractors
[Flowchart labels: Medical Device Organisation; Suppliers 1 to 7 and 9 (Raw Materials); Bulk Chemical Conversion (Stage A, Stage B); Sub-Assembly A (Stage 1); Sub-Assembly B (Stage 1, Stage 2); Sub-Assembly C; Mechanical Conversion; Outsourced Conversion; Outsourced Sterilisation; Final Device Assembly; Primary Packing; Secondary Packing; Tertiary Packing; Terminal Sterilisation; Product Testing & Release; Warehouse; Supplier 8 (Distribution).]

Identify Risks and verify that each potential risk is related to the Risk Question. Assess the frequency of occurrence and potential severity of each risk.

Figure 9 Example of Ishikawa / Fish-bone Diagram
[Diagram labels: branches GMP, Regulatory, Medical, Legal, Environment, People; head: Risk Question.]

Figure 10 Carrot diagram
[Diagram labels: Increasing individual risks and societal concerns; Unacceptable region; Tolerable region; Broadly acceptable region.]

Table 2 - Examples of hazards / events creating risks that are either external or internal to an organisation

External: Increase / decrease in demand; Capacity / resources changes; Fluctuating exchange rates; Political climate / instability; Greater exposure to global social, political and financial environments; Takeovers / mergers; Legal status (regulatory restrictions in individual markets and of supplier); Environmental responsibilities; Counterfeiting / fraud; Facility disaster - disaster planning; Materials, product, service supply interruption; Termination of materials or services; Uncontrolled variation in materials; Unexpected contaminants in supplied product; Deliberate or accidental adulteration; Unknown or poorly controlled use of brokers / agents; Distribution / transportation / storage events; Inadequate communication; Lack of adequate documentation control; Complex processes.

Internal: Non-conformity; Rejection of a batch; Product recall; Capacity / resource issues; Reduced inventory; Cost reduction programmes; Single sourcing versus dual sourcing; Inadequate supplier selection / qualification process; Longer / more complex supply chains; Complex processes; Inadequate monitoring process or oversight controls / interface; Non-conformance with contracts / agreements; Staying with poorly performing supplier & not progressing improvement or exit strategy; Inadequate communication; Facility disaster; Transportation / storage events; Lack of technical knowledge; Personnel / organisational changes; Lack of adequate documentation control; Increasing process variability.

Table 3 RACI roles and responsibilities

Role: Responsibility

Responsible: Those who do the work to achieve the task. There is typically one role with a participation type of Responsible, although others can be delegated to assist in the work required.

Accountable (also Approver / Final Approver): There should be only one Accountable person specified for each task or deliverable. An Accountable signs off (approves) the work provided by Responsible person(s).

Consulted: Those whose opinions are sought, and with whom there is two-way communication.

Informed: Those who are kept up-to-date on progress, often only on completion of the task or deliverable, or at key milestones; communication is typically just one-way.
