By Peter H. Calcott, Ph.D., president and CEO, Calcott Consulting LLC
In Part 1 of this two-part article series, I explained how to effectively set up your quality risk management (QRM) program for pharmaceuticals and medical devices. In this article, I explain how to implement that program. For such a numbers-based topic, there is still an important role for using your intuition to make QRM decisions.
What Scale Should I Use?
Quality risk management (QRM) [1,2] is all about converting opinions into data or numbers. But dealing with those numbers can be daunting. What scale should we use? The three-, four-, five-, or 10-point scale? I tend to favor the three or five, depending on the situation.
For a preliminary hazard analysis (PHA), I tend to favor a three-point scale. Basically, it is high, medium, or low. It is simple and makes decisions easy. You actually try not to differentiate the severity and the probability from each other. You simply score risk. This is useful for an initial or minor analysis.
For more detailed analysis using FMEA, I favor a five-point scale. It gives enough granularity without being overly complex. Often, with a 10-point scale, you get members arguing between a 7 and an 8. That is just not important. Even on the 1-5 scale, define what each represents for severity and probability. It need not be overly elaborate, just a clear verbal description. In most FMEA analyses, we examine severity (what is the worst thing that could happen?) and probability (how likely is it to happen?).
These are my preferences because they are simple. You might use a different scale, and that is fine, too.
The ICH Q9 guidance also calls for examining detectability and incorporating it into the calculations. I prefer to keep it separate. I do make an assessment, but I do the analysis without it. I do my remediation based on severity and probability. If I cannot reduce the hazard enough, that is when detectability comes in. Then, I work on getting the issue detectable. If I cannot solve it, at least I know when it is there.
Remember, Your Numbers Are Subjective
As you go through the calculations and assignment of risk, just remember that the numbers you assign are subjective. They are your interpretation of your opinions, often with little hard data and sometimes with only soft data. Treat them as such and do not get wound up with the actual numbers. These numbers should not be treated like specifications, with fail and pass assigned. The purpose of the numbers is really to group the elements into three buckets. The first holds those that must be remedied. The second holds those that can be left alone. That is, nothing is done. The third bucket is for the items that fall in between. Then, you have to ask: Do I fix it? Do I leave it? Or do I observe it?
Many people ask me, “How do you set the bar to decide which you will work on and which you won’t?” My answer is to look at the analysis, and you will get a feeling for where the bar belongs, based on some of the items that you already know intuitively need fixing or not. Most fall into the two buckets above and the decision is clear. It is the third bucket that is more difficult to deal with. After you do the analysis, look over the results. Ask the question, does it feel right? It is perfectly fine to decide to remedy something that scores low on risk or to dismiss something that scores high. The key is to document your decisions, together with the assumptions and the data you used. This report will be reviewed later, and you may decide to change your mind. The key is to document the rationale for the future.
At the end of the day, look at the result and ask whether it looks right and makes sense. If the answer is yes, you are done. If not, take it through another cycle.
Important Elements To Keep In Mind
So, you have completed the analysis. That means you have the tools to help you prioritize the work and allocate the right resources for the problems and the fixes. After the remediation, it is wise to go through the exercise again to assure yourself the fixes have reduced the hazard to an acceptable level of risk. Even then, it is not over.
There are two further things some people have problems with. The first is to accept that risk will always be there. You will never get to zero risk. You will either go crazy to get there or bankrupt yourself. You have to accept that there will always be some residual risk. We accept it in real life. Why not here?
The second is the belief that regulators will not accept your decision to do nothing. In fact, this fear was quantified in a survey a colleague and I performed several years ago across the industry. A sizeable percentage of respondents were not convinced that agency representatives would accept their decisions [3,4]. But the agencies have said they will use the techniques. I have developed devices, which included a lot of risk analysis in the development, and I have seen the regulators accept my risk analyses during inspections.
One other element, not connected to the above items, was related to an observation that was made at a company that will remain anonymous, for obvious reasons. That company presented a colleague of mine with a risk analysis that was done very well and well documented. It detailed an analysis of whether they would release a lot based on a risk analysis. So far, so good! But the risk analysis was not related to compliance, patient safety, or product quality. Rather, it was related to whether they would get caught during an inspection or other regulatory interaction and the consequences. My colleague quickly nipped that one in the bud, as they say. The take-home message here is that risk analysis should never be used to justify something you know intrinsically is not right.
1. ICH Q9 Quality Risk Management (November 2005).
2. Quality Implementation Working Group on Q8, Q9, and Q10 Questions & Answers (R4) (November 2010).
3. P. Calcott & P. Ko, “Measuring the Impact of Recent Regulatory Guidances on Pharma Quality Systems,” Pharmaceutical Online (April 3, 2017).
4. P. Calcott & P. Ko, “Survey Says: Pharma Perspectives on Implementation and Impact of Recent Regulatory Guidances,” Pharmaceutical Online (Feb. 15, 2017).
About The Author:
Peter H. Calcott, D.Phil., is president and CEO of Calcott Consulting LLC, which delivers solutions to pharmaceutical and biotechnology companies in the areas of corporate strategy, supply chain, quality, clinical development, regulatory affairs, corporate compliance, and enterprise e-solutions. He has also served as an expert witness. He also teaches at the University of California, Berkeley in the biotechnology and pharmaceutics postgraduate programs. Previously, he was executive VP at PDL BioPharma, chief quality officer at Chiron and Immunex Corporations, and director of quality assurance for SmithKline Beecham and for Bayer. He has also held positions in R&D, regulatory affairs, process development, and manufacturing at other major pharmaceutical companies. He has successfully licensed products in the biologics, drugs, and device sectors on all six continents. Calcott holds a doctorate in microbial physiology and biochemistry from the University of Sussex in England. He has been a consultant for more than 20 years to government, industry, and academia.