Exam 2 Content - Quality Risk Management, Deviations, Root Cause Analysis, and Auditing

quality risk management

systematic process for assessing, controlling, communicating, and reviewing risks to product quality

what is the importance of quality risk management?

to ensure patient safety, compliance with regulatory standards, and continuous improvement

key components of the QRM process

risk assessment, risk control, risk reviewed, and risk communication

the purpose of risk assessment

to identify and evaluate risks associated with pharmaceutical processes

risk identification objective

determine what could go wrong 

risk identification methods

brainstorm, process mapping and failure mode and effects analysis

risk analysis objective

to understand the nature of identified risks

factors of risk analysis

likelihood of occurrence, severity of impact, and detectability

risk evaluation objective

to determine the significance of risks

risk evaluation criteria

acceptability thresholds and comparison against predefined risk acceptance criteria

risk evaluation outcome

prioritization of risks for control

QRM problems

manufacturing issues, adverse trends, process validation and post marketing issues

improving QRM issues

proposed changes, regulatory actions, new operations, and tool for continuous improvement

risk control purpose

to implement measures to mitigate identified risks

strategies for risk control

risk reduction, risk acceptance and risk avoidance

risk reduction objective

to lower the likelihood or severity of risks

risk reduction approaches

process optimization to minimize risk, enhanced training programs, and implementation of quality control measures

risk acceptance objective

to acknowledge and monitor risks that are within acceptable limits

risk acceptance criteria

cost-benefit analysis, regulatory compliance, and impact on product quality

risk avoidance objective

to eliminate risks by changing processes or materials

control implementation steps

develop control strategies, assign responsibilities, and monitor effectiveness

control implementation documentation

control plans and SOPs

communication of controls objective

to ensure all stakeholders are informed of control measures

risk review purpose

to evaluate the effectiveness of risk controls and identify new risks

monitoring and auditing methods

regular audits, continuous monitoring systems, feedback systems, and review meetings that address of current risk, evaluation of control effectiveness, and identification of new risks

risk review tools

fault tree analysis, FMEA, HACCP, and HAZOP

failure mode and effect analysis (FMEA)

prompts teams to review, evaluate, and record all the steps in the process, the failures modes (what), the failure causes (why), and the failure effects (consequences)

Hazard analysis critical control point (HACCP)

Principle 1: conduct a hazard analysis

Principle 2: Determine the critical control points (CCPs)

Principle 3: Establish critical limits

Principle 4: Establish monitoring procedures

Principle 5: Establish corrective actions

Principle 6: Establish verification procedures

Principle 7: Establish record-keeping and documentation procedures

hazard operability analysis

examines deviations from the intended design; breakdown process into nodes, analyze nodes for potential error and explore potential causes, consequences, and existing controls

preliminary hazard analysis (PHS)

use prior knowledge to predict future hazards and estimate probability of occurrence 

ICH Q10 regulatory guideline

CAPA subsystem at the core of the PQS; “a structured approach to the investigation process should be used with the objective of determining the root cause”

USP

trainings on “deviations, root cause analysis, and CAPA resolution” with an emphasis on regulatory expectations

ICH Q9 regulatory guideline

quality risk management

deviation

event or occurrence that deviates from specified procedures, standards, or acceptable limits

non-conformance

product or process not meting specification or requirement

incident/quality event

a broader term that may cover a complaint, audit finding, or malfunction

typical deviation categories

manufacturing process upset, equipment failure, material discrepancy, out of spec result, labeling error, packaging error, and environmental excursion

steps from occurrence to closure include

detection/identification of deviation; logging and initial classification; containment (immediate actions); investigation & RCA; CAPA; verification of effectiveness; closure & trending/feedback into PQS 

detection and logging deviations

usually detected via process monitoring, QC tests, audits, complaints or trend data; must be logged in a deviation register or quality system with a unique ID, date, description, category and immediate status

initial classification & risk assessment

the deviation is assessed by severity, probability of occurrence and detectability; classification of deviation can be critical, major, or minor (based on impact to product quality & patient safety)

containment (immediate actions)

includes stopping production, quarantining product/materials, initiating corrective actions such as rework, recall or customer notification; limited by impact and prevents further deviation

investigation planning

start by defining the investigation team, typically cross-functional: QA, production, engineering, etc.; develop an investigation plan that includes the scope, timeline, data collection method, witnesses and analysis tools; ensure the right resources and data are available

data gathering

collect relevant data - batch records, equipment logs, maintenance/cleaning records, training logs, environmental monitoring, calibration records and audit findings

timeline reconstruction

reconstruct the timeline of what happened, when and by who; data gathering must be accurate to isolate the cause and prevent ‘quick fixes’

root cause analysis (RCA)

systematic process to determine the underlying cause(s) of a deviation; effective RCA supports meaningful CAPA and continuous improvement

common RCA tools and techniques

5 Whys, Ishikawa diagrams, fault tree analysis, failure modes & effects analysis (FMEA); tool is chosen depending on complexity and risk

identifying root cause vs casual factor

a causal factor is not the core reason for a deviation and the root cause is the fundamental reason (if eliminated the issue would not occur)

casual factor

an event or condition that contributed to the deviation and is not the core reason for a deviation

corrective action

eliminates the cause of a detected non-conformity or undesirable situation and prevents recurrence

preventive action

eliminates the cause of a potential non-conformity and prevents occurrence

CAPA must be:

commensurate with risk, implemented, documented, and verified for effectiveness

CAPA planning and implementation

prioritize CAPA by risk, develop CAPA plan through tasks, responsible persons, deadlines, resources, and success criteria, and implementation may involve SOP changes, training, equipment upgrade, process redesign, and monitoring additions

verification of CAPA effectiveness

verify that CAPA worked by metrics/trends, audits, monitoring, and root cause not recurring

if CAPA is not effective:

revisit RCA, adjust actions or escalate

documentation of effectiveness

check is essential for audits and inspections

documentation must include:

deviation report, investigation summary, RCA, CAPA plan, implementation evidence, effectiveness verification, and closure approval

closure

lessons learned are fed back into QS for continuous improvement

best practices and effective implementation

-use cross-functional teams data-driven investigation, documented RCA tools, risk-based prioritization, timely CAPA, measurable indicators and management review

-adopt a culture of continuous improvement deviations are learning opportunities, not blame events

-ensure CAPA feeds back into training, SOP updates, change control, and system improvement

validation definition

establishing documented evidence that a process, system or method consistently produces results meeting predetermined acceptance criteria

purpose of validation

to ensure consistently safe, effective, high-quality product manufacture

what is the purpose of a validation master plan?

to prevent duplication & gaps in validation activities, to provide a risk-based, organized approach to validation, to serve as a reference for audits & inspections, and to help coordinate cross-functional teams & resource allocation

scope

which systems, process, and equipment are included

validation policy

overall approach and philosophy

roles & responsibilities

QA, QC, engineering, operations

lifecycle apporach

DQ, IQ, OQ, PQ for equipment and processe

validation strategy

risk-based approach to prioritize critical systems

documentation & protocol requirements

protocols, reports, change control

schedule or timeline

planned validation activities & maintenance intervals

references

applicable regulations, guidance, and standards (FDA, ICH, USP, and GMP)

facility, utilities, and clean utilities qualification

clean utilities such as WFI, clean steam, compressed gases; HVAC which considers airflow/pressure differentials, and environmental monitoring; qualification of facility design features like cleanrooms, barriers and airlocks

supplies & materials qualification

qualification of critical supplies - raw materials, components, consumables; vendor qualification - certifications of analysis, change control and compatibility testing

process qualification definition

combination of qualified equipment, facility, utilities, and trained personnel; important to run validation batches under defined conditions & PPQ

key metrics of process qualification

critical quality attributes (CQAs); critical process parameters (CPPs); statistical evaluation & acceptance criteria

cross-contamination prevention

risk mitigation via validation of cleaning procedures with written sampling plan

cleaning validation

requirements for cleaning validation documented with details such as frequency, acceptance criteria, and worse-case residues

risk management in validation

use of quality risk management with ICH Q9 standards to drive scope, severity, and extent of validation activities by using risk assessment tools for justification of challenge limits or acceptance criteria

documentation and protocols

the following documents should be accounted for: validation protocols, test scripts, acceptance criteria, deviations / CAPA, test reports and summary reports

continued process verification (CPV)

continued monitoring to ensure the system remains in a validated state after qualification and validation; statistical trending includes control charts, key performance indicators, and alert & action levels

requalification & maintenance

when to requalify - after maintenance, modification, periodic intervals, deviations; preventative maintenance program - calibration schedule, verification of repairs/updates

supplies & consumables change control

changes in suppliers/materials/packaging requires impact assessment and potentially re-qualification; regulatory expectations for change control are listed under ICH 10/GMP

technology/software & computer system validation (CSV)

validation of software / automated systems controlled equipment & integration of CSV with equipment qualification and process validation strategy

roles, responsibilities, and organization

who owns validation; usage of RACI matrix; for design, protocol development, execution, review and approval; training and competencies involved in the validation

purpose of GMP auditing

to verify compliance with written procedures and regulations, to detect weaknesses before inspections occur, to promote continuous improvement and data integrity and to build organizational accountability

types of audits

internal, external, regulatory, for-cause audits

the audit lifecycle

planning → preparation → execution → reporting → follow-up

audit planning

define scope, objectives and criteria; identify audit team & schedule; review previous audit history and CAPAs

pre-audit preparation

review SOPs, batch records and deviations; notify auditees and prepare audit checklist

process of conducting the audit

opening meeting, audit execution, gathering evidence, classification & documentation, and closing meeting

purpose of opening meeting when conducting an audit

audit scope, objectives, schedule, and confidentiality; introduce audit team & key site contacts; the goal is fact-based compliance verification

purpose of audit execution when conducting an audit

follow plan and observe processes in real time; review records such as batch records, deviations, EM data, training and equipment logs; interview staff to assess process knowledge and adherence to SOPs

purpose of gathering evidence when conducting an audit

focus on objective evidence like documents, records, and direct observations; record what you see/hear; corroborate evidence using ‘triangulation’

purpose of classification & documentation when conducting an audit

note issues factually and link to specific regulatory or SOP cause

purpose of closing meeting when conducting an audit

to summarize key findings and positive practices; to provide initial classification of observations and to clarify CAPA expectations and reporting timelines

purpose of follow-up and closure

to verify CAPA implementation and closure, to document verification outcome, and feed into next audit cycle for trend analysis

purpose of supplier and contractor audits

to assess GMP compliance and technical capability and to evaluate data integrity, material traceability, and training

special challenges for auditing in biotech manufacturing

aseptic operations, single-use systems and cell banks; documentation of validation and process control; environmental monitoring data review

audit readiness culture

embed compliance in daily operations to equip quality mindset, train employees to expect and welcome audits, routine internal self-checks, and foster transparency and continuous learning