QRM is a process with a series of operations, inputs, and outputs (see Figure 3). All unit operations, formulations, analytical methods, excipients, cell banks, working cell banks, equipment, reagents, chemistry, facilities, and materials are evaluated for the potential influence they may have on drug CQAs and product requirements. Any time a change event is being recommended, a risk assessment should be initiated. Any time an analytical method is being developed and/or a process is being characterized, a risk assessment should be generated prior to study design.
Risk assessment
The QRM process is linked to product and process CQAs because they are the quality attributes of the drug to be assessed. Risk assessment includes risk identification, risk analysis, and evaluation. This process is generally a team effort to work through the product/process step-by-step to identify and evaluate each potential risk. Outcome from the assessment should be a set of identified and prioritized risks that either require action or are considered acceptable with an associated rationale. Risk assessments should generally be done in advance of development or change control rather than as a justification of changes after the fact.
All risk assessments begin with a clear risk question. The risk question focuses the risk assessment team on to the risk area to be assessed. It is recommended that a list of CQAs be identified until there is line of sight determined from CQAs to unit operation and/or other drug attributes. Two types of risk assessment templates are commonly used: QRM high-level risk assessment (e.g., failure mode and effects analysis [FMEA]) and a low-level detailed design of experiment (DOE) factor response matrix (see Figures 4 and 5).
Risk control
Risk control has two potential outcomes: either action is taken to minimize and control risks, and/or the risks are considered acceptable and there is a scientific rationale as to why the risks are acceptable. There are many potential activities that can control risk. In general, the severity is reduced, the probability is lowered, and/or detectability to lower risk is improved. Adding redundancy and/or increasing robustness are also key considerations to design out and control risk. Process analyical technology (PAT), statistical process control (SPC), and the associated control logic design are also important concepts in designing out risk and designing in input and output control loops. Figure 6 is associated with risk control and is used to either accept risk or to reduce the risk.
Risk communication and review
Once the risk assessment and the control actions have been determined, it is crucial in the QRM process to communicate the actions to process owners and key stakeholders (see Figure 7). CMC team leaders, key managers, and development teams, who will need to know the actions required to minimize the identified risks. Clear action owners, implementation timelines, and an effective documentation and review process are needed to make the needed and identified changes happen.