Guia QRM Cadena de Suministro (Proveedores)

Foreword
Structure & Acknowledgements
Contents
General Introduction
Supply Chain Considerations
Risk Management Process
Risk Management Toolbox
Supply Chain Examples
Glossary
A Guide to
Bibliography
Supply Chain Risk Management

for the Pharmaceutical and Medical Device Industries and their Suppliers
V.1.0 2010
2010 The Chartered Quality Institute

A Guide to Supply Chain Risk Management for the Pharmaceutical and Medical Device Industries and their Suppliers
Foreword
Contents
Glossary
Bibliography

All rights reserved. This document may be freely downloaded from the Pharmaceutical Quality Group website at www.pqg.org. The contents of this
document should not be sold in whole or in part in any form or by any means. Extracts from this document may be quoted for the purpose of reference
or criticism provided full acknowledgement of its source is given. Any other usage of the content of this document requires written permission from The
Chartered Quality Institute.
The Chartered Quality Institute, 12 Grosvenor Crescent, London SW1X 7EE, UK.

Foreword
Contents

Foreword
Glossary
Bibliography
A Guide to Supply Chain Risk Management for the Pharmaceutical and Medical Device
3
Industries and their Suppliers
The provision of medicines and medical devices to the UK is now a Management should play a key role in the supplier selection, approval
global business. Active pharmaceutical ingredients, components and and management process if the quality and continuity of supply of
even finished products are sourced from many different countries. The medicines and medical devices is to be assured.
increasingly complex supply chain for these items exposes the limitations
of regulatory oversight by any individual country. This serves to reinforce This PQG Guide provides an important reference text to assist medicinal
the need for all in the supply chain to understand their role and work to product and medical device manufacturers and their suppliers understand
implement and maintain a robust and comprehensive quality system. their respective responsibilities. The examples, in particular, should
help each party to understand the expectations of the other. Company
The MHRA has implemented a risk based approach to the inspection assessments will form a key element of the MHRAs assessment of risk
of pharmaceutical operations as a key element of its Better Regulation and thereby enable regulations to target our resources in co-operation
initiative. This approach recognises to a greater degree the ownership with Industry to further enhance consumer safety.
of pharmaceutical companies of the quality assurance of their total
manufacturing and supply processes. The industry, therefore, is being Risks are part of life, but it is imperative that processes are in place to
expected to take overall responsibility for the quality of its output. identify and manage them in such a way that patients and healthcare
professionals can continue to enjoy a reliable supply of safe and effective
The pressure on the industry to fund research into new products and medicines and medical devices.
embrace technological advances while containing costs and maintaining
material and component availability is challenging and these days Gerald W Heddell, Director
inevitably involves outsourcing to a greater or lesser extent. Risk Inspection, Enforcement & Standards Division, MHRA

Foreword
Contents

Structure
Glossary
& Acknowledgements
Bibliography
Basic structure of this Risk Management guide

This interactive guide comprises a general introduction followed by 4 Part 3 gives an overview of a number of readily available Risk
4
parts, a glossary and bibliography. It is easy to navigate around the guide Management tools and techniques that have been used in many
using the recurring index which is hyperlinked to the respective topics. industries, with guidance on their use and some worked examples and
In addition there are links within the contents that allow the user to look / or templates. The format for each tool provides an overview, some
at related information. There are both internal and external hyperlinks. advantages and disadvantages, and advisory notes on its use.
Internal links allow navigation of information within the guide and external
links permit access to external websites and information. Part 4 provides 19 real-life examples relating to supply chain events.
It gives an overview of the scenario and some learning points. The
Part 1 considers specifically the challenges with supply chains and reader may well identify more learning points, and these should serve
provides an overview of some of the types of controls that can be applied as a useful tool in order to consider how such events could have been
to increase assurance of quality, safety and security of supply. prevented.
Part 2 provides an overview of the Risk Management process and Please Note
emphasises that this is a living and reiterative process. The stages follow The authors would like to remind the reader that the guidance given here
a consistent format: is advisory. It is recommended that users supplement their understanding
of Risk Management from some of the publications listed in the
Bibliography.
Purpose Inputs Process Outputs

Foreword
Note about definitions Specific acknowledgements are given for the contributions of the
Structure & Acknowledgements following people:
Although the glossary defines certain terms used throughout this guide,
Contents it is important to make a special point here about possible confusion
over the terms risk, harm and hazard. The definitions of these are taken Authors
from International Conference on Harmonisation (ICH) Q9 as follows: Jill Jenkins, Justin Ahern, David Cock, Sharon Shutler, Richard Smalley,
Sharon Hooper
Risk is defined as:
Supply Chain Considerations QA reviewers
The combination of the probability of occurrence of harm and
severity of that harm. [ICH Q9] Phil Butson, Tony Harper, Rowland Lewis, Linda Nield, Kevin
Risk Management Process MacKenzie, James Pink
Risk Management Toolbox Harm is defined as:
PQG Steering Group
Damage to health, including the damage that can occur from loss
Supply Chain Examples Steve Moss, Ashley McCraight, Norman Randall, Ian Richardson
of product quality or availability. [ICH Q9]
Glossary
Hazard is defined as: Contributors
Bibliography Nina Abbassi, Dr Tim Bateman, Ian Birch, Richard Bream,
The potential source of harm. [ICH Q9]
John Cooper, Annie Dallison, John Evans, Adolfo Ferreira,
Mark Francom, Roland Gassmann, Esme Gibb, Peter Gough,
The first step in the Risk Management process is known widely as
Michael Grunow, Gerard McAteer, Stephen Mitchell, David Mogg,
Risk Identification. This should actually be Hazard Identification, but
Jeff Monk, Iain Moore, Dr Ray Noy, Caroline OBrien, Kevin ODonnell,
for consistency with the ICH Q9 and other international standards the
Richard OKeeffe, Bronwyn Phillips, Patricia Rafidison, 5
authors have kept it as Risk Identification.
Stephan Roenninger, Sandra Routledge, Sandra Skarratt, Neil Smith,
Tony Storey, Lorna Third, Tony Trill, Neil Wayman

Foreword
Contents

Contents
Glossary
Bibliography
0 General Introduction p7 Part 3 Risk Management Toolbox p42 Part 4 Supply Chain Examples p78
3.1 Introduction to the Toolbox p42 4.1 Product Contamination p78
Part 1 Supply Chain Considerations p12 3.2 Approach to Implementation p44 4.2 Management of Second Tier Suppliers p80
Appendix 1 - Examples of Different Supply p19 3.3 Risk Assessment p46 4.3 Verification of Artwork p81
Categories and Key Controls 3.3.1 Risk Identification Tools p46 4.4 Warehouse Operations & Pest Control p82
6
3.3.2 Risk Analysis Tools p53 4.5 Temperature Controlled Transportation p83
Part 2 Risk Management Process p23 3.3.3 Risk Evaluation Tools p62 4.6 Change Control - Process p84
2.1 Risk Management Team and p23 3.4 Risk Control p64 4.7 Fraudulent Activities in the Supply p85
Responsibilities 3.4.1 Risk Reduction Tools p64 Chain
2.2 Risk Assessment p25 3.4.2 Risk Acceptance Tools p66 4.8 Errors in Proof Reading p86
2.2.1 Risk Identification p25 3.5 Risk Communication Tools p67 4.9 Change Control Source of Material p87
2.2.2 Risk Analysis p27 3.6 Risk Review Tools p69 4.10 Implementation of a New Process p88
2.2.3 Risk Evaluation p29 Appendix 1 - Worked example: Ranking p70 4.11 Multiple uses of a Material p90
2.3 Risk Control p31 and Filtering for Contractor 4.12 High Bioburden p91
2.3.1 Risk Reduction p31 Management 4.13 Inconsistent Analytical Results p92
2.3.2 Risk Acceptance p33 Appendix 2 -Worked example: Medical p72 4.14 Continuity of Supply p93
2.4 Risk Communication p35 Device Risk Assessment using a 4.15 Lack of Formal Contracts p94
2.5 Risk Review p39 Simplified FMEA 4.16 Effect of Global Supply Chains p95
Appendix 3 - Worked example: Supplier p76 4.17 Effect of not knowing all the links in a p96
Audit Priority using Risk Assessment Transport Chain
4.18 Raw Material Source of Origin p97
4.19 Reuse and Potential Infection p98
Glossary p99
Bibliography p103

Foreword
Contents

General
Glossary
Introduction
Bibliography
Threats to the supply chain feature in the top ten risks of most companies. 7
Globalisation and the quest for ever more cost effective means of supply 2. Emphasise to the pharmaceutical and medical device industries and
have greatly increased the complexity of the supply chain which can their suppliers the need to
often reduce both the knowledge and understanding of the exposure to a. apply Risk Management when making sourcing decisions (from
risk. The 2009 credit crunch and financial crisis significantly raised the development through to commercial manufacture and distribution)
level of risk of failure of key suppliers. Within the context of globalisation, b. involve the relevant people (procurement, technical, quality,
outsourcing and complex supply chains, there is an increasing emphasis environment, health and safety, etc.) when making sure that
on controls around product quality assurance and security of supply. It adequate and appropriate controls are in place
is the responsibility of each organisation to ensure that their suppliers
3. Encourage suppliers to:
provide products that are fit for purpose throughout the product lifecycle,
from design and development through to supply to the end-user. a. understand the regulatory requirements and expectations of the
pharmaceutical and medical device industries
The objective of this document is to provide guidance on Supply Chain b. use Risk Management as a tool to understand their customer needs
Risk Management and therefore: better
c. identify potential hazards and the risks arising from those hazards
1. Support organisations with varying levels of experience in Risk
that may exist during the manufacture and supply of product (from
Management to apply the principles, by minimising supply chain risk
raw materials to finished goods)
and securing both quality and continuity of supply

Foreword
Risk Management can help organisations safeguard the quality and Figure 1 (following page) shows the ISO 9004:2009 process-based
Structure & Acknowledgements supply of product to customers and ultimately the end user. It is about model, incorporating continual improvement throughout a lifecycle
anticipating hazards and controlling risk through an ongoing process of approach. It shows the importance of information flow between the
Contents
risk awareness, reduction and / or acceptance, and review. This approach organisation and its customers and the value in activities that meet
can help justify improvement and investment where it is needed, and customers needs and expectations.
prevent both potential problems for customers (e.g. product recalls, or
General Introduction even patient harm) and loss of business. The International Conference on Harmonisation (ICH) describes a
pharmaceutical quality system (ICH Q10), which importantly extends
Applying the principles of Risk Management can provide many of the to the control and review of any outsourced activities and quality of
Risk Management Process following benefits: purchased materials. It defines the accountable organisation as being
improve and develop business relationships between customers and ultimately responsible for ensuring that processes are in place to assure
Risk Management Toolbox the control of outsourced activities and quality of purchased materials. It
their suppliers, thereby supporting business continuity and security of
product supply requires that these processes incorporate Quality Risk Management as
defined in ICH Q9 and includes:
reduce costs
Glossary Assessing (prior to outsourcing operations or selecting material
minimise cost of non-conformance suppliers) the suitability and competence of the other party to carry out
Bibliography
improve business efficiency the activity or provide the material using a defined supply chain by use
of, for example, audits, material evaluations and qualification
increase confidence of customers and regulators
Defining the responsibilities and communication processes for quality-
reduce liability
related activities of the involved parties. For outsourced activities, this
increase security of supply should be included in a written agreement between the contract giver 8
avoid waste and scrap and contract acceptor
Monitoring and review of the performance of the contract acceptor or
With respect to outsourcing, ISO 9001:2008 states that: the quality of the material from the provider, and the identification and
where an organisation chooses to outsource any process that implementation of any needed improvements
affects product conformity to requirements, the organisation shall Monitoring incoming ingredients and materials to ensure they are from
ensure control over such processes; and that the type and extent of approved sources using the agreed supply chain
control to be applied shall be defined.
This guide to Supply Chain Risk Management does not introduce new
It further states that outsourced processes do not absolve the concepts; rather it provides guidance on the practical application of
organisation of the: existing risk management models to the supply chain. It is consistent with
responsibility of conformity to all customer, statutory and currently developing industry standards and expectations. Supply Chain
regulatory requirements. Risk Management should be an integrated part of the organisations
business and quality management system.
The Medical Device Directive (Directive 93/42/EEC) has been revised
(Directive 2007/47/EC) and compliance effective from 21st March 2010.
One of the requirements is for organisations to have control over sub-
contractors and third parties. It also requires post market surveillance for
products already in the market.

Foreword
Structure & Acknowledgements Continual improvement of the quality management system

Organizations Organizations
leading to sustained success
Contents Environment Environment
ISO 9004
General Introduction Clause 4
Managing for
Interested Interested
Supply Chain Considerations Parties
the sustained
Parties
success
ISO 9004
Risk Management Process ISO 9004
Clause 9
Needs & Clause 5
Improvement,
Risk Management Toolbox expectations Strategy and ISO 9001
innovation and
policy Clause 5
learning
Supply Chain Examples Management
Facility
Glossary
Bibliography ISO 9004 ISO 9004 Cl.

ISO 9001 ISO 9001 Cl. 8
Clause 6 8 Monitoring,
Clause 6
Resource ISO 9001 Measurement, measuring Satisfaction
Resource analysis and
management analysis and
management improvement
(extended) review
9
ISO 9001
Customers Clause 7 Customers
Product Product
realization
Needs & ISO 9004

expectations
ISO 9004
Clause 7
Process
management
Information flow
Foundation: Quality management principles (ISO 9000)
Value-adding
activities
Figure 1 An extended model of a process-based quality management system[1]
1 - Figure 1 is taken from BS EN ISO 9004:2009 and reproduced here with permission from BSI. No other use of this material is permitted. The complete British Standard can be purchased from
the BSI online shop - BS EN ISO 9004:2009

Foreword
This document is based on the pharmaceutical Quality Risk Management The level of effort invested will vary from case to case and should
Structure & Acknowledgements model detailed in ICH Q9 in Figure 2 (below), where Risk Management is be commensurate with the level of risk. Internationally, regulators
defined as: are incorporating official guidance on Risk Management into their
Contents
The systematic application of quality management policies, requirements, and have identified the supply chain as an area of criticality.
procedures and practices to the tasks of assessing, controlling,
communicating and reviewing risk.
General Introduction Implementing Risk Management
Risk Management should be an integrated part of any business and for
successful implementation the following are key foundations:
Risk Management Process Initiate there should be top level management support and commitment
Quality Risk Management Process
Risk Management Toolbox start simply and avoid complexity
look at internal and external risks
Risk Assessment follow the cycle several times, learn, evolve and embed in the
Glossary organisation culture
Risk Identification
Bibliography
Senior management are responsible for ensuring that the key risks to
Risk Analysis the organisation are properly identified, assessed and managed. Their
commitment is required to ensure the risk management framework is
viable and maintained, and that valuable resource is invested correctly
unacceptable
Risk Evaluation and not subsequently wasted. Risk Management should not be
considered as a one off project or event, but as the implementation of a 10
Risk Management tools

mutually beneficial culture within and between organisations.
Risk Communication
Risk Control
The risk management development activities should provide a
Risk Reduction systematic, effective and efficient way by which risk management can be
embedded and maintained throughout the organisation. These activities
should, as a minimum, comprise the following steps:
Risk Acceptance
planning
implementation and maintenance
Output / Result of the monitoring, reviewing and continual improvement

Quality Risk Management Process reporting
The level of Risk Management awareness will develop with practice

Risk Review
and experience. Table 1 (following page) illustrates the progression
Review Events organisations will make as they gain experience in the use and
application of Risk Management.
Figure 2 Quality Risk Management Overview (ICH Q9)

Foreword
Structure & Acknowledgements Risk Maturity Level Risk Processes Attitude Behaviour Skills & Knowledge
Scepticism No Formal Processes Accidents will happen Fear of Blame Culture Unconscious
Contents
Incompetence
Awareness Ad hoc use of Stand Alone Suspended Belief Reactive, Fire fighting Conscious Incompetence
Processes
Understanding & Tick Box Approach Passive Acceptance Compliance, reliance on Conscious Competence
Application registers
Risk Management Process Embedding & Integration Risk Management Active Engagement Risk-based decision Unconscious Competence
embedded in Business making
Robust Risk Management Regular review & Champion Innovation, Confident Expert
Improvement & appropriate Risk
Glossary Management
Bibliography Table 1 Risk Management Maturity
The above table is a simple representation of Risk Management maturity.

It does not take into account the different functions and their individual
involvement with Risk Management. In terms of the level of skills and
knowledge in the right hand column, consider the analogy of learning to 11
drive a car:
unconscious incompetence: person who has not yet got into the
driving seat and therefore is not competent to drive nor do they know
what is needed.
conscious Incompetence: person has started to learn to drive, is not
competent but has some awareness of what they need to do to learn.
conscious competence: person has learned to drive and passed their
test and should be competent and confident to drive.
unconscious competence: person has been driving for some time and
can drive to their destination without having to think about compliance
with the road regulations or the mechanics of driving the car, such as
changing gear, indicating and choosing the correct lane at junctions.

Foreword
Contents

Appendix 1 - Examples of Different Supply
Categories and Key Controls
Supply Chain
Considerations

Part 1
Glossary
Bibliography
A general understanding of how supply chains work and how suppliers are managed is 12
required to provide organisations with a basis from which to implement a structured Risk
Management process. An effective Risk Management process will protect the continuity of
product supply and ensure that end-users receive products that are fit for purpose.
Media focus on contaminated products, for example heparin supplied the health and wellbeing of patients and maintain business continuity. This
from China in 2007, and other supply-related incidents, such as is especially important during times of economic downturn, since cost-
counterfeiting, have emphasised the challenge of managing supply saving measures can increase risk.
chains that extend around the world, where there is great variation in
the standards and controls used. With respect to the heparin issue, the Within each supply chain, there is an organisation that is legally
Food and Drug Administration (FDA) in the US investigated reports of accountable. Each competent and regulatory authority ultimately holds
serious and some fatal adverse events following the use in products of one manufacturer primarily responsible for meeting regulatory quality
heparin supplied from China. Distribution was halted and product recalled requirements. This accountable organisation (pharmaceutical or medical
from the market. The investigation identified that a contaminant molecule device) has ultimate responsibility and cannot relinquish or delegate
similar to heparin was found using a non-routine test. This contaminant (contractually or otherwise) its obligation and responsibility over any or all
was not previously detectable using conventional routine standard functions to their suppliers of products. The accountable organisation is
test methods, and levels between 5% and 20% were found in the final responsible for sourcing suitable suppliers who will support the supply of
product. See page 78 for more detail. its product(s) to the market. It is essential that the relevant functions within
an organisation such as procurement, technical, development, quality,
Sourcing new materials and outsourcing manufacturing or other activities manufacturing and Environment Health and Safety (EHS) work together to
for the supply of product to the end-user requires careful evaluation. All source materials based on agreed and appropriate criteria.
parties in the supply chain need to ensure that their activities both support

Foreword
Competent and regulatory authorities and third parties will assess the The rigour with which a supplier is managed does not exempt
Structure & Acknowledgements accountable organisation to confirm that they have objective evidence responsibility of the supplier for the provision of adequate controls and
of adequate control of their suppliers. The regulators expect that the quality of products, wherever they fit in the supply chain hierarchy.
Contents
organisation complies with requirements, which include evaluating
and approving their suppliers. There is an expectation to see effective All suppliers should recognise their role in assuring mutual business
interfaces between the accountable organisation and each of its suppliers. continuity and take an ethically responsible approach to the potential
General Introduction This holds true regardless of the regulatory standard of the industry sector impact of their actions or inaction. Feedback and communication is
required for the product. Failure to have or to provide access to any essential between the procuring organisation and its suppliers in terms
objective evidence of the controls associated with products from suppliers, of requirements, expectations, product end-use, performance measures,
Appendix 1 - Examples of Different Supply could result in the accountable organisations quality system being non- health and safety etc.
compliant. Depending on the nature of the deficiencies identified, this can
Risk Management Process have significant and serious consequences for the organisation and their Supply chains themselves can be short and simple, or long and
business continuity. convoluted. However, as a result of increasing globalisation and the
Risk Management Toolbox risks inherent in long and complex supply chains, the regulators are
Some suppliers may also undergo some form of oversight by a regulatory encouraging organisations to keep their supply chains short, simple and
authority, or a third party acting on behalf of a regulatory authority. under good control. A survey published in 2009 by Carla Reed has shown
Glossary This oversight does not absolve an accountable organisation of the that increased outsourcing is challenging product safety and security,
responsibility to establish controls and provide evidence for compliance of largely due to the complexity of outsourcing models, and in particular
Bibliography products obtained from such suppliers. inconsistency in controls at the outsourced facilities.
See Reference No.41
Sourcing decisions should be based on agreed, specified requirements
appropriate to the following stages of product lifecycle: Figure 3 (below) shows the various functional activities and the 13
experimental design supporting services that may be involved in product development
and supply. An organisation may choose to outsource part or all of
investigational or clinical trial material their activities. It is essential that organisations understand how their
commercialised product supply chains and interfaces work. This should apply throughout all
phases of the product lifecycle from design and development to routine
manufacture, supply and discontinuation.
Internal Support Services (examples): Quality, EHS, Engineering, Facilities, IT
Product / Service
Supplied materials Manufacturing Warehouse End user
Design & Packaging
/ products & Testing & Distribution / customer
Development
External Contracted Services

E.g. manufacturing, testing, artwork & origination, packaging, warehousing & distribution, calibration, etc
Figure 3 Example of Functional Activities and Support Services within an Organisation

Foreword
Figure 4 (left) illustrates a typical supply chain based upon hierarchical
Structure & Acknowledgements End customer tiers, where suppliers can be far removed from the ultimate end-user
/ patient and can still potentially have a significant impact. The more complex the
Contents
supply chain, the more difficult it is to control, and the greater the risk of a
Transport / Distribution supply chain impact on the quality of the end product.
General Introduction Wholesale / retailer Hazards and their associated risks can be present anywhere throughout
/ pharmacy the supply chain. Risks may be compounded or increased by further
processing, thus creating a hazard at a later stage. In the worst case,
Appendix 1 - Examples of Different Supply Transport / Distribution those hazards may not become apparent until too late, after finished
product has been released to the market. For example, there may be an
Pharmaceutical and adverse effect on long-term stability. Therefore, it is in the interests of all
Risk Management Process Medical Device
Industry stakeholders, including regulatory authorities, that hazards are identified
Risk Management Toolbox and the resultant risks are managed throughout every tier of the supply
chain. Good communication between all parties is required to do this
effectively.
Brokers / Distributors /
Glossary Transport companies
Tier 1 suppliers
Various problems can manifest themselves at any part of the product
Bibliography lifecycle, from the source of raw materials used to manufacture the
product through to the compliance of the end-user using the product
correctly. Problems in the supply chain can have an impact on products
Supplier A Tier 2 suppliers Supplier B as well as business continuity, product performance and security of 14
supply. In order to protect both the end user and the accountable
organisation, it is necessary to identify the potential hazards and assess
their resultant risks, before implementing ways to control or mitigate them.
Brokers /
Tier 3 suppliers Distributors / For the accountable organisation and its suppliers to manage risk
Transport companies effectively, it is worth reflecting that the sources of risk throughout the
tiers of supply can be both external and internal to the organisation
and its suppliers. Some examples are shown in Table 2 (following
page) where the column on the left lists some external risks that can
Supplier C Tier 4 suppliers Supplier D be mitigated through planning and action, leaving only a few that are
unknown or outside of the organisations control. The column on the right
identifies some internal risks which can be managed and mitigated.
Figure 4 - Typical supply chain hierarchy

Foreword
The objectives of a global supply chain are to deliver products to the
Structure & Acknowledgements External Internal
market whilst saving cost, time and resources. This has increased the
Increase / decrease in demand Non-conformity level of risk and the likelihood of impact from supply chain disruption.
Contents
Capacity / resources changes Rejection of a batch The contamination of heparin will have far reaching ramifications for
accountable organisations and the regulators. At the very least it serves
Fluctuating exchange rates Product recall
as a warning to the industry that nothing can be taken for granted when
General Introduction Political climate / instability Capacity / resource issues sourcing materials and outsourcing manufacture or other critical activities.
Greater exposure to global Reduced inventory Related examples on page 78 and page 85
social, political and financial Cost reduction programmes
Appendix 1 - Examples of Different Supply Medicines and medical device counterfeiting is a growing threat
environments
Single sourcing versus dual worldwide. It was estimated by the World Health Organisation (WHO)
Takeovers / mergers sourcing
Risk Management Process in 2006 to be 30% of total supply in South America, sub-Saharan Africa
Legal status (regulatory Inadequate supplier selection / and India. Regulators have been investigating incidents where batches of
Risk Management Toolbox restrictions in individual qualification process counterfeit medicines have reached pharmacies and patients. A number
markets and of supplier) of these have been found at wholesale dealer level. Supply chains can be
Supply Chain Examples Longer / more complex supply
Environmental responsibilities chains long and convoluted, involving a number of storage or transit locations and
Glossary Counterfeiting / fraud a variety of transport systems. In the UK, MHRA has developed proposals
Complex processes
in response to the need to raise standards of practice in some sectors of
Bibliography Facility disaster disaster Inadequate monitoring process the supply chain in order to bring all operators up to the required standard.
planning or oversight controls / interface See Reference No. 30
Materials, product, service Non-conformance with
supply interruption contracts / agreements The European Medicines Agencys (EMEA) GMP / GDP Inspectors 15
Termination of materials or Working Group are working on a revision to Chapter 7 of the EU GMP
Staying with poorly performing
services Guide, contract manufacture and analysis. This is in response to a lack
supplier & not progressing
of clarity, both within industry and inspectorates, regarding the scope
Uncontrolled variation in improvement or exit strategy
of activities that should fall under this chapter, and what constitutes
materials Inadequate communication satisfactory documented arrangements for contracted activities. In
Unexpected contaminants in Facility disaster addition to manufacturing, packing and analytical activities, this chapter
supplied product will be relevant to the following:
Transportation / storage
Deliberate or accidental events artwork generation and print ready material
adulteration
Lack of technical knowledge assessment and sourcing of starting and packaging materials
Unknown or poorly controlled
Personnel / organisational washing and depyrogenation and / or sterilisation of packaging
use of brokers / agents
changes materials used in manufacture
Distribution / transportation /
Lack of adequate storage and distribution
storage events
documentation control
Inadequate communication maintenance and calibration of equipment and premises
Increasing process variability
Lack of adequate qualification and validation work for new premises
documentation control professional services for GMP audits of suppliers
Complex processes hosting of IT functions
Table 2 - Examples of hazards / events creating risks that are either external or document archiving and storage
internal to an organisation

Foreword
High potential risk in complex processes and systems Consideration of hazards and their associated risks in
Structure & Acknowledgements the supply chain
National Aeronautics and Space Administration (NASA) defined systems
or processes that are time dependent, rigidly ordered, requiring precision, As part of planning activities, the organisation should identify any hazards
Contents
and with only one path to a successful outcome, as being tightly coupled associated with the products to be procured. Some examples of key
(closely linked). They identified that where such systems or processes questions are as follows:
are complex and activities closely linked, failures can arise due to many is the product off-the-shelf or custom made?
seemingly unconnected events and may go undetected.
how complex is the product to manufacture?
A good example is the control of changes relating to the packaging and is the process adequately defined and understood?
Categories and Key Controls artwork of medical products. Such changes can sometimes be highly what is the criticality of the product to the compliance of the end-
complex, because inputs can be required from a number of internal product?
Risk Management Process and external stakeholder groups prior to implementation. Stakeholders
would any product specification failure be detectable by the
can include manufacturing, marketing, regulatory affairs and printing
Risk Management Toolbox organisation prior to use?
contractors. Interactions are necessary in order to communicate and
Supply Chain Examples schedule product manufacturing activities with the changed packaging or what is the detectability of non-conformity in the product supplied and
labelling component. how it can be corrected?
Glossary is packaging, storage and distribution fit for the product characteristics?
Complex systems and processes often present high risk for organisations.
Bibliography is the supplier currently approved to supply products to the
Many regulatory non-conformities have been identified over recent years
organisation or are they a new supplier?
in the areas of product packaging and labelling. These were frequently
attributed to the poor management of changes in packaging and artwork what is the percentage of supply to the organisations business sector?
components, resulting in the cessation of batch release activities in some 16
organisations, and subsequent market shortages of medical products. Information about potential suppliers should be used to determine
Investigations revealed that procedures and systems in place for additional potential supply and business risks and include the following:
packaging and artwork change control were usually: financial viability of supplier
highly convoluted continuity of supply
had many interdependencies liability
subject to tight timelines amount of work awarded to supplier in view of the suppliers overall
described as being complex and tightly coupled capacity
technical capability
Within a single organisation there can be a lack of clarity or understanding
of how the whole process works and how different groups are involved distribution and transportation considerations
or interact in that process. When more organisations are involved this agents and brokers (potential for agents and brokers to change source
becomes increasingly difficult. of supply)
capital investment needed
Decoupling and reducing system complexity can be a useful risk mitigation
strategy particularly in critical manufacturing environments and supply single source suppliers i.e. vulnerability
chains. Process mapping or flowcharting is a useful tool to use here, and supplier company legal status (licensing)
by involving the relevant key stakeholders, a shared understanding of the
ethical / political acceptability
overall process can help to identify potential hazards particularly across
functional interfaces. See Example Flowchart does the supplier have a disaster / contingency plan for supply?

Foreword
does the supplier manage their suppliers adequately? The following lists some items that should be considered during sourcing
Structure & Acknowledgements and supply chain review:
does the supplier have a culture of continuous improvement?
Contents knowledge of the complete supply chain and all organisations within it
The procuring organisation is responsible for communicating and change control and notification from suppliers
agreeing the product requirements with the supplier. It may request
data and / or sample product in order that the potential supplier can supplier audits or technical visits (note that this requirement should be
General Introduction included in any agreement for a critical supplier)
demonstrate their ability to meet the specified requirements. When
Supply Chain Considerations defining initial supplier arrangements, the relevant information should be control of second or further tier suppliers via specifications or
communicated for consideration. The organisation should ensure that Agreements
Categories and Key Controls the relevant people are involved in specifying, reviewing and evaluating
sampling / testing / verification
information and should include as a minimum, technical and quality
Risk Management Process representatives. Certificates of Analysis / Conformity
formal requirements (e.g. specific certificates, accreditation, contracts /
Technical Agreements etc)
Supply Chain Examples Consideration of controls for managing the supply chain
methods for measuring performance e.g. process capability indices
Risk Management is an effective means of identifying the necessary
Glossary controls required. To do this requires knowledge of the complete supply correction, reworking, investigations
chain and all the organisations involved within it. Then the activities of the batch / lot sizes
Bibliography
organisations in the supply chain should be reviewed to identify what is
inventory control; (First-In-First-Out (FIFO), time limit / target)
critical to the product and what could go wrong.
traceability (process, product, equipment, operators)
In some instances it may be necessary for the organisation to ensure 17
Radio Frequency Identification (RFID) or other security tag system
control beyond the first tier supplier due to potentially serious effects
document / sample retention periods
of changes made by a second, third or fourth tier supplier see Figure 4
(page 14). The organisation should ensure when developing controls, protection of intellectual property
that they comply with relevant regulatory requirements such as Good
Manufacturing Practices (GMPs); occupational health and safety Different categories of supplier and examples of some of the key controls
legislation, environmental protection legislation etc. are shown in Appendix 1 of this Part.
Examples of controls are included in Figure 5 (following page) which is The organisation should seek to continually improve the quality and
adapted from the Global Harmonisation Task Forces guidance on the delivery of products based on periodic supplier performance evaluation,
control of products and services obtained from suppliers. On the right feedback and consideration of cost. It is important to continually review
hand side under objective evidence some of the controls are listed. and strengthen relationships with suppliers, while balancing the short
Reference GHTF Guidance and long term objectives. Risk Management activities provide a basis for
sharing identified hazards and mitigating the risks resulting from those
hazards throughout the product and supplier lifecycle. It demonstrates
that all parties are taking a responsible approach in ensuring product
quality and safety and security of supply. Auditors or assessors expect
organisations to be able to demonstrate that they manage their supply
chains effectively and risk management provides the means to do this.

Foreword
Objective evidence
Product specifications / part
requirements, instructions
Contents
Planning
Identify potential Potential supplier contact details
Identify technical & Product / Process
Describe requirements supplier(s) (existing Identify controls Risk Assessment
process information Risk Assessment
approved / new) Product / process controls
Supply Chain Considerations Selection criteria for suppliers /

Appendix 1 - Examples of Different Supply rationale
selection
Supplier
Categories and Key Controls Review existing suppliers
Plan for evaluation Select potential Investigate operational Identify business
Due diligence / audit report
& selection criteria supplier(s) capability of supplier(s) capability of supplier(s)
Risk Management Process Supplier capability detail
Purchasing information
Supply Chain Examples NO Evaluation & selection

evaluation &
finalisation
Glossary Establish:
Supplier
Evaluate supplier(s) Acceptance & verification activities

Review audit Communication with Supplier Purchasing information
ability to fulfil specified YES Questionnaire / Audit report
requirements potential supplier(s) acceptable? Controls (acceptance
Bibliography requirements
activities, verification etc) Contact / Supply / Technical Quality /
Technical Agreement
Decision & rationale
Records of monitoring: supply, receipt, 18

measurement
inspection, acceptance
Performance
Performance measurement
Corrective Receive product Data analysis
Problems Periodic re-evaluation
action YES Acceptance criteria Records of corrections / investigations
identified? of supplier
required? Measurement & monitoring
Analyse data
YES
NO
NO
YES Manufacturer &/or supplier
communication
correspondence
Feedback &
Corrective Action / Records of corrective & preventive

Satisfactory Feedback and action(s)
Preventive Action performance? YES
communication
by supplier Change control notification / approval
NO
Review impact on other products
supplied
Supplier exit
strategy
Archive data & documents

Termination YES NO Termination of Product left in marked support
Exit strategy?
strategy for Supplier Product market
Continuity arrangements and
reiteration of cycle if replacement
supplier
Figure 5 Guidance on Control of Products during Supplier Lifecycle Management (adapted from GHTF/SG3/N17:2008)

Foreword
Contents
General Introduction Appendix 1 Examples of Supply

Supply Chain Considerations Categories & Key Controls
All suppliers should have an effective quality management system in place that is, where appropriate, certified to ISO 9001:2008, ISO 13485, or
relevant industry standards e.g. ICH Q10.
Suppliers should have their own appropriate assessments in place to manage their supply chains.
The level of requirement depends on the level of potential risk to the product (criticality).
Glossary
Bibliography Supply Category Additional examples of key requirements for Suppliers

Manufacturers of Active Controls in place to meet requirements of EU GMP Guide part 2 or ICH Q7A, and Active Pharmaceutical
Pharmaceutical Ingredients Ingredient Council (APIC) recommendations.
19
(API) Quality / Technical Agreement to define roles & responsibilities of each party (contract giver / contract acceptor).
Adequate product testing performed to confirm compliance with customer and where appropriate pharmacopoeial
specifications.
Cross-contamination control precautions in place e.g. use of dedicated manufacturing equipment or effective
cleaning verification of non-dedicated equipment.
Full traceability of Raw Materials to the site of origin, including processing aids used in manufacturing
processes with respect to animal / non-animal derivation and safeguards against Transmissible Spongiform
Encephalopathies (TSE).
Excipients Refer to International Pharmaceutical Excipients Council/Pharmaceutical Quality Group, Pharmaceutical
Excipients GMPs, 2006.
Appropriate Quality / Technical Agreement to define roles & responsibilities of each party (Contract Giver /
Contract Acceptor).
Full traceability of Raw Materials to the site of origin, including processing aids used in manufacturing
Encephalopathies (TSE).
Adequate product testing performed to confirm compliance with customer and pharmacopoeial specifications.
Cross-contamination control precautions in place e.g. use of dedicated manufacturing equipment or effective
cleaning verification of non-dedicated equipment.

Foreword
Structure & Acknowledgements Supply Category Additional examples of key requirements for Suppliers
Raw Materials Industry standards where relevant.
Contents
Adequate product testing performed to confirm compliance with customer specifications .
Appropriate Quality / Technical Agreement to define roles & responsibilities of each party (contract giver / contract
General Introduction acceptor).
Full traceability of raw materials to the site of origin, including processing aids used in manufacturing
Appendix 1 - Examples of Different Supply Encephalopathies (TSE), and phthalates.
Cross-contamination control precautions in place e.g. cleaning, line-clearance, appropriate segregation of activities
Risk Management Process and good housekeeping.
Risk Management Toolbox Manufacturing / Packaging Effective quality documentation system compliant with required regulatory standard e.g. EU Guide to GMP part 1
contractors or 2, 21-CFR -210 / 211, 600, 820 as appropriate.
Quality / Technical Agreement to define roles & responsibilities of each party (contract giver / contract acceptor).
Glossary
Supply agreement or commercial contract to define business requirements.
Bibliography Appropriate licensing and regulatory history.
Clear lines of communication.
Control of outsourced activities (Quality / Technical Agreements, specifications etc.). 20
Effective control measures, staffing and facility appropriate to the product being manufactured.
Laboratory / Analytical Operate to appropriate industry standard e.g. ISO 17025, Good Control Laboratory Practice (GCLP), Good
Testing contractors Laboratory Practice (GLP), Good Clinical Practice (GCP).
Appropriate licensing and regulatory history.
Full traceability of customer samples.
Testing performed to customer and pharmacopoeial specifications.
Effective out-of-specification result management procedure.
Packaging component Reference, ISO 15378, PS 9000, PS 9004, also country specific legislation relevant to the product e.g. GMP
manufacturers (primary, differences.
secondary, tertiary) Certification scheme.
Effective mechanisms in place for customer approval of labels and prevention of mix-ups.
Planned preventative maintenance and calibration of automated packaging lines.

Foreword
Printed Packaging suppliers Effective quality documentation system compliant with required regulatory standard e.g. EU Guide to GMP, PS
Contents
(artwork, origination) 9000.
Certification scheme.
General Introduction Quality / Technical Agreement to define roles & responsibilities of each party (contract giver / contract acceptor).
Participants in approved Certification scheme.
Manufacturers of product Appropriate materials of construction for product contact component (e.g. pharmacopoeial recognised plastic or
Categories and Key Controls contact consumables food grade).
Risk Management Process Full traceability of raw materials to the site of origin, including processing aids used in manufacturing
Risk Management Toolbox Encephalopathies (TSE).
Supply Chain Examples Adequate product testing performed to confirm compliance with customer specifications and industry standards
where relevant.
Glossary
Free from chemical and microbial / particulate contamination and easy to clean / sterilise.
Bibliography Manufacturers of product Legible & fully completed documentation covering factory acceptance testing, calibration certificates and material
contact equipment conformity certificates.
Agreed customer requirements.
21
Appropriate materials of construction used for product contact surfaces (e.g. 316L stainless steel, pharmacopoeial
recognised plastic) that are easy to clean and sterilise.
Instruments used for calibration are traceable to international standards e.g. United Kingdom Accreditation
Services (UKAS) / National Association of Measurement and Sampling (NAMAS).
Minimal particle generation produced by moving parts (e.g. pumps).
Wholesalers, Warehouse & Reference Good Distribution Practice (GDP) and appropriate country legal requirements for the product e.g. MLX
Distributors 357, FDA Globalisation Act.
Approved, contractual agreement with customer.
Designated Responsible Person where appropriate.
Effective stocktaking, security, pest and segregation controls at storage facility with good housekeeping.
Temperature control and monitoring of storage area and distribution.
Full traceability of chain of custody for the customers product; effective recall procedures.
Service providers (e.g. Approved contractual agreement with customer.
calibration, utility, pest Specification of work and controls.
control, cleaning etc)
Defined service level with traceability appropriate to reference standards for materials and instruments used.
Appropriate training for service provided.

Foreword
Software, automated systems EU GMP part 1 annexes 11 and 15; Code of Federal Regulations (CFR) Part 11.
Contents
and IT Knowledge of a risk-based approach to compliant GxP systems (Good Automated Manufacturing Practice
Guidelines) (ISPE GAMP-5).
General Introduction Complete and legible documentation with traceability of software changes from initial development to master copy.
Availability of master copy of software for back up purposes and disaster planning.
Agreement on ownership of source code.
Categories and Key Controls Provision of technical support.
Risk Management Process Consultants Full curriculum vitae available for review.
Risk Management Toolbox Approved contract to define scope of work.

Evidence of experience and expertise required for customers project.
Professional indemnity insurance.
Glossary
Third party liability and Non-Disclosure Agreement (NDA) or confidentiality agreement.
Bibliography
22

Foreword
Contents

2.1 Risk Management Team and
Risk Management
Process
Responsibilities
2.2 Risk Assessment
2.2.1 Risk Identification
2.2.2 Risk Analysis
2.2.3 Risk Evaluation
2.3 Risk Control Part 2
2.3.1 Risk Reduction
2.3.2 Risk Acceptance
2.4 Risk Communication
2.5 Risk Review
Risk Management Toolbox 2.1 Risk Management Team and Responsibilities 23

Glossary For the product / process being assessed it is fundamental that the relevant process
Bibliography
experts are consulted to ensure accurate and complete data / information. It is
recommended that the risk management process is undertaken by interdisciplinary teams
(people with the necessary expertise representing relevant operational functions within the
organisation or supply chain).
Involvement of individuals may vary from stage to stage. Note that in Stakeholders are commonly divided into four categories: Responsible,
smaller organisations / supply chains this may be limited to just a couple Accountable, Consulted and Informed (RACI). This division can aid
of people. appropriate communication (see Table 3 following page). It is beneficial
to develop a matrix to identify the roles of different individuals associated
Consider the example which illustrates the importance of having the right with the risk management process at the beginning so that responsibilities
team. See Example throughout the process are clear.

Foreword
Structure & Acknowledgements Role Responsibility
Contents Responsible Those who do the work to achieve the task. There is typically one role with a participation type of Responsible,
although others can be delegated to assist in the work required.
Accountable There should be only one Accountable person specified for each task or deliverable. An Accountable signs off
General Introduction (also Approver / Final Approver) (approves) the work provided by Responsible person(s).
Supply Chain Considerations Consulted Those whose opinions are sought; and with whom there is two-way communication.
Informed Those who are kept up-to-date on progress, often only on completion of the task or deliverable, or at key
milestones; communication is typically just one-way.
Responsibilities
2.2 Risk Assessment Table 3 RACI roles and responsibilities
2.2.2 Risk Analysis
2.3 Risk Control
2.5 Risk Review

24
Glossary
Bibliography

Foreword
Contents

2.2 Risk Assessment QRM Overview

Responsibilities Risk Assessment is defined as: Take water and the hazard of drowning as a simple example. The
2.2 Risk Assessment
A systematic process of organizing information to support a risk probability of drowning whilst drinking a cup of water is very low, though
decision to be made within a risk management process. It consists not zero; the probability of drowning whilst rowing a boat across the
2.2.2 Risk Analysis
2.2.3 Risk Evaluation of the identification of hazards and the analysis and evaluation of Atlantic Ocean is much higher as there is a far greater quantity of
2.3 Risk Control risks associated with exposure to those hazards. [ICH Q9] water and other adverse elements, such as wind and waves, make a
2.3.1 Risk Reduction contribution. The material is the same, the hazard of drowning is the
Quality risk assessments begin with a well-defined problem description same, but the probabilities, and thus the risks, are different.
2.5 Risk Review or risk question. When the risk in question is well defined, the appropriate
risk management tools and the types of information needed to address Risk = Hazard x Probability of Occurrence
Risk Management Toolbox the risk question will be easier to identify. Open Toolbox
The purpose of the Risk Identification stage in the overall Risk 25
Supply Chain Examples Management process is to determine what might go wrong?
As an aid to clearly defining the risk(s) for risk assessment purposes, four
Glossary fundamental questions are often helpful:
Initiation and planning of the Risk Identification stage represents an
1. What might go wrong? important starting point in the overall Risk Management process and
Bibliography
2. What is the likelihood (probability) it will go wrong? forms the foundation for the remaining stages. Potential hazards
identified as outputs from the Risk Identification stage are subject to
3. What are the consequences (severity)?
detailed examination during the Risk Analysis and Evaluation stages.
4. What is the detectability?
Input
2.2.1 - Risk Identification QRM Overview Risk Identification requires information about the process to be assessed.
The scope should be defined to ensure focus and appropriate use of
Purpose resource. This will also help to define what data / information may be
Risk identification is defined as: relevant and / or should be examined to identify potential hazards.
The systematic use of information to identify potential sources

of harm (hazards) referring to the risk question or problem
description. [ICH Q9]

Foreword
In terms of the supply chain the following should be considered: Process
each supplier within the whole supply chain Risk Identification is the process of identifying hazards and their related
Contents what is supplied (material / product / service) risks. Brainstorming is a useful tool to use to generate information
and ask what can go wrong? for each step in the process. Whatever
the structure of the supply chain and interfaces between / within the activity being assessed, it is recommended to map the process
organisations, their suppliers and suppliers to the suppliers concerned. This enables potential risk areas to be easily identified,
security of the supply chain (potential for contamination or tampering) agreed and visualised by the appointed interdisciplinary team. It is
Supply Chain Considerations important for completeness to ensure that interfaces between processes
internal processes used to manage the organisations suppliers
are also identified as this is where problems may easily go undetected.
Risk Management Process internal production processes Information to support Risk Identification can come from various sources,
2.1 Risk Management Team and such as for example:
Responsibilities Data / information can take many forms, for example:
2.2 Risk Assessment
internal and external factors throughout the supply chain Open Table
quantitative data / information - numbers, figures, measurements and
2.2.1 Risk Identification known deviations / non-conformities
2.2.2 Risk Analysis variables
2.2.3 Risk Evaluation near miss events (valuable source of potential risk areas)
qualitative data / information attributes (yes / no, go / no go)
2.3 Risk Control
complaints
2.3.1 Risk Reduction soft data / information subjective opinions / historical / experience /
2.3.2 Risk Acceptance process complexity and interactions between processes internal / external audits
2.5 Risk Review components of the process under assessment, such as:
Many professionals and organisations often assume that all relevant
- people, premises, equipment, materials
Risk Management Toolbox information takes the form of formalised (hard) quantitative and qualitative
- QA / QC 26
data / information. This information is valuable and easily evaluated,
Supply Chain Examples however, soft data / information should also be included otherwise it is - services
likely to leave many gaps. See Figure 6 for sources of information. - utilities
Glossary - transportation, logistics
Bibliography Data / Information - agents and brokers in supply chain
- environmental factors
Hard Data / Information Soft Data / Information
business stability / continuity:
Facts Observation - capacity increase / decrease versus capability
- rate at which the company has expanded / contracted
Measurements Experience - staff turnover etc
quality system and technical capabilities
Assumptions
Analysis results management review
(based on experience)
opportunities for cross-contamination
Trends Key
inherent process risks
= Qualitative
Variables knowledge in the public domain (e.g. news, regulatory actions,
= Quantitative legislation, etc)
Attributes = Both supplier performance e.g. Key Performance Indicators (KPI) / Critical
Process Parameters (CPP)
Figure 6 - Sources of Information that can be used in Risk Identification

Foreword
Output 2.2.2 - Risk Analysis QRM Overview
The output of the Risk Identification stage is a list of known and potential
Contents sources of harm (hazards), referring to the risk question, and their Purpose
associated risks, based on the information available at that time. There Risk Analysis is defined as:
is no guarantee that all hazards and associated risks can be identified at
any given time as processes may change. It is important to understand The estimation of the risk associated with the identified hazards.
General Introduction [ICH Q9]
that these changes and other events may influence the outcome and
Supply Chain Considerations will require further review and reassessment, to determine the level of
risk based on the combination of the probability of occurrence and the This step of the Risk Management process attempts to estimate the level
Risk Management Process severity of that harm. Depending on the Risk Identification tool used and of risk in terms of severity of harm, likelihood of occurrence and detection.
2.1 Risk Management Team and the scope of the assessment, potential risks may be categorised prior to It provides a quantitative or qualitative estimate of each risk.
Responsibilities analysis. For example:
2.2 Risk Assessment
2.2.1 Risk Identification product quality risks
2.2.2 Risk Analysis
Input
business risks
2.2.3 Risk Evaluation Prerequisites
2.3 Risk Control risks associated with raw materials Following the completion of the Risk Identification stage there should
risks associated with machinery be sufficient confidence that at least the significant hazards have been
2.4 Risk Communication captured.
risks associated with people etc
2.5 Risk Review
Corporate Social Responsibility - environmental / social risk e.g. The most appropriate Risk Analysis tool or combination of tools should be
Risk Management Toolbox dealing with low price suppliers who pollute the environment or exploit chosen. As there may be only limited data during the early stages of Risk
27
their workforce. Management, the choice of tool may be restricted. As experience grows,
there may be a transition to the use of various and more complex tools.
Glossary At completion of this step there should be confidence in answering
the question What might go wrong? for the product / process under Part 3, the Toolbox gives examples of a range of available tools and
Bibliography techniques from simple to complex. Open Toolbox
assessment. At this stage risks will not be evaluated as critical or non-
critical as this level of risk understanding will be achieved through the
Risk Analysis and Risk Evaluation stages. However, it is important to note Considerations
that different mitigation approaches may be used depending on the nature Both qualitative and quantitative input data can be processed using the
of the risks identified. Be aware that there will be unidentified and / or chosen tools. Some risk tools require hard data rather than soft data
unidentifiable risks to the organisation. (subjective opinion) therefore it may be necessary to have a mechanism
to convert soft data into hard data where possible. This can be achieved
The output from Risk Identification should be agreed, documented and by generating comparative scoring to produce semi-quantitative data.
communicated to relevant stakeholders.
The relevant operational experts should provide detailed and up-to-
date knowledge of current and historical process performance. Where
knowledge does not exist or data is unavailable, then methods to source
this information should be initiated in the long term. In the short term, best
estimates can be made on the basis of assumptions, provided these are
clearly identified, explained and considered at the review stage. Significant
decisions based on subsequent recommendations should always reference
the original assumptions and further reviews should be scheduled.

Foreword
Structure & Acknowledgements Tool Type of information Advantages Disadvantages

Qualitative May be subjective Quick Output may not be precise
Contents
opinion based on Can use soft data / opinion Does not differentiate well between levels of risk or types of risk
experience. Limited training needed Opinion may be biased on previous or historical experience not
Appears easy to verify considering current capability
Semi Mixture of data / opinion. Differentiates better between risks Output may not be precise enough for a mature Risk
Supply Chain Considerations quantitative Use comparison than the Qualitative approach Management process
techniques to get Good balance of advantages and
Risk Management Process estimations. disadvantages of the other tools
Responsibilities Quantitative Significant data and Output is precise Relies upon hard data
2.2 Risk Assessment figures Good differentiation between risks Training and experience are needed
2.2.1 Risk Identification Provides clear prioritisation of all Confusion can occur because the differences between failure
2.2.2 Risk Analysis risks mode and effect are not well understood
Includes detectability assessment Takes time to perform, especially the first time
2.3 Risk Control
2.3.1 Risk Reduction Reliant upon experts to agree scores and calibrate accurately
2.4 Risk Communication Table 4 Types of information advantages and disadvantages
2.5 Risk Review
Table 4 (above) illustrates the advantages and disadvantages of different It is recommended that where an organisation has little or no experience
types of Risk Analysis tools. It also demonstrates that limited data may of any particular tools, or are not required by customers to use a certain 28
Supply Chain Examples exist in early stages of implementing Risk Management. With experience, tool, then they initially use a qualitative tool. Once expertise in the
there may be a transition from the use of Qualitative to Quantitative tool has been gained and supporting systems established, then the
Glossary tools. Both techniques are equally valid and fit for purpose. However organisation can progress with the use of increasingly more quantitative
Quantitative tools are often perceived to be beneficial after several full tools. This approach means, that for the same investment of time, at each
Bibliography
cycles of the Risk Management process as more information is obtained repetition of Risk Analysis, an increasing percentage of time is dedicated
and accuracy is demanded. to improving the confidence of the risk estimation, and therefore adding
more value and confidence in the output each and every time.
Ultimately the decision of which Risk Analysis tool to use depends upon:
the risks identified Example of subjective assessment: Company A does not have a supplier
complaints system. The logistics manager knows that Supplier X is the
the precision of the data or opinions that define the risks worst offender for late deliveries because the logistics team are always
what tools customers / suppliers use complaining about them. However, the logistics manager does not know
how they compare with Supplier Y as there is no data to show how each
how accurate the output needs to be
is performing. This demonstrates a gap in the organisations systems and
how quickly the output is required supplier performance metrics / data related to risk management.
It is common for accurate or precise data to be missing in one or more

areas, allowing the expert in that area to have some understanding of
the level of risk, but not be able to support opinion with factual evidence
or data.

Foreword

Process 2.2.3 - Risk Evaluation QRM Overview
Having identified the hazards and associated risks and decided on the
Contents Risk Analysis tool to be used, the next step is to assign a rank or score Purpose
to each of the identified risks. The interdisciplinary team, with knowledge Risk evaluation is defined as:
of the identified risk areas, should agree ranking or scores for each one,
following the rules and guidance for the tool being used. If necessary, The comparison of the estimated risk to given risk criteria using a
General Introduction quantitative or qualitative scale to determine the significance of the
input can be provided remotely, but this is only effective where hard data
Supply Chain Considerations is available and is being entered or converted into a risk level. Where risk. [ICH Q9]
opinion / soft data is being used, agreement through discussion and
Risk Management Process compromise is necessary. Risk Evaluation is the process that organises the information from Risk
2.1 Risk Management Team and Analysis to allow the decision making step of Risk Reduction or Risk
Responsibilities Identified risks are normally assessed using the same tool. It is Acceptance to be made. To achieve this, a level of tolerable risk should be
2.2 Risk Assessment
advantageous to assess all risks at the same time / same stage of the defined against which the Risk Analysis output can be compared.
2.2.2 Risk Analysis process.
2.3 Risk Control Risk Assessment can sometimes be initiated and performed on an ad Input
2.3.1 Risk Reduction hoc basis in addition to the routine periodic cycle of Risk Management,
2.3.2 Risk Acceptance The prerequisites for this step are that:
when external or internal events occur. At such times, the generation of a
2.4 Risk Communication Risk Analysis has been completed
2.5 Risk Review Risk Assessment level or score will enable the correct evaluation and risk
acceptance / mitigation decision to be made. data is organised in the most appropriate way according to the Risk
Risk Management Toolbox Analysis tool used
29
Supply Chain Examples a tolerance level has been set so that the Risk Analysis output can be
Output / deliverable compared against
Glossary The output should include information on missing data and any
assumptions made. A level or a score for each identified risk should The level of tolerable risk depends on the product and the criticality of its
Bibliography be generated and documented. It is essential that this output is application. A simple way of setting the level of tolerable risk is to identify
communicated to those responsible for the Risk Evaluation step in a the highest risk groups or most frequent type, or create a Pareto chart,
timely manner. Rapid escalation and communication of the Risk Analysis and select the top 20% (and hopefully cover 80% of issues). The method
output should occur for any confirmed high risks. for setting the level should be explained and documented so that it can be
reviewed over time. Be aware however that if analysis shows that 25% of
Note that where ad hoc assessments are made, immediate the identified risks have a high probability of causing patient harm, there
communication should be performed for any confirmed high risk events. is a need to act on all of these. Conversely, if none of the risks have more
than a low probability of causing a minor non-compliance that would not
impact the patient, no further action may be decided.
Open Toolbox - Risk Analysis

Foreword
Process Output
In order to compare the Risk Analyses against an agreed level of tolerable No final decision is made in this step. The output consists of two data sets
Contents risk, it is easier to rank or sort these in order of descending risk. (above and below the level of tolerable risk) that can be checked further or
The Risk Evaluation process is summarised as follows: be used as the basis for either Risk Reduction or Risk Acceptance.
1. Rank or sort risks from the Risk Analysis step
The output should be communicated to all relevant stakeholders especially
General Introduction 2. Check that the data is complete and valid the Risk Control owner. Formal records should be retained for a suitably
Supply Chain Considerations 3. Determine if the level of tolerable risk is appropriate defined period to provide evidence of the basis for any decisions made and
enable ongoing reiteration / review.
4. Review the Risk Analysis output against the level of tolerable risk
5. Compare the output to see if it is acceptable or higher than the level
Responsibilities of tolerable risk
2.2 Risk Assessment
6. Document the evaluation
2.2.2 Risk Analysis 7. Communicate the findings to the necessary people
2.2.3 Risk Evaluation Open Risk Communication
2.3 Risk Control
2.3.2 Risk Acceptance The Risk Analysis output should be organised (filtered, ranked etc) to
2.4 Risk Communication ensure that those of most significance (i.e. above the level of agreed
2.5 Risk Review tolerable risk) are identified for Risk Reduction. Those below the level of
tolerable risk can go forward as residual risk for the Risk Acceptance stage.
In some tools using a simple two-dimensional arithmetic scale, risk can be 30
Supply Chain Examples ranked as high / medium / low risks and the combination of probability and
severity can be evaluated, by simply multiplying the factors. Those risks
Glossary which have a higher score can be highlighted for immediate mitigation.
There are more sophisticated models for setting a more precise level of
Bibliography
tolerable risk. Setting a level of tolerable risk is probably the step where
both experience and evolution of the risk management process can provide
most value.
Although a sense check of the information / data may have been

performed already in the Risk Analysis stage, anomalous results can often
be detected more easily during this stage. For example, outputs that look
too high or too low can be checked for calculation errors, missing data,
incorrect data, and then either corrected or verified as being accurate.
Finally, this step categorises the risks into those that are above or below
the level of tolerable risk. Failure to perform this step correctly can lead to
poor decision making at the Risk Reduction and Acceptance steps.

Foreword
Contents

2.3 Risk Control QRM Overview

Responsibilities Risk Control is defined as: 2.3.1 - Risk Reduction QRM Overview
2.2 Risk Assessment
Actions implementing risk management decisions [ISO Guide 73;
2.2.2 Risk Analysis ICH Q9] Purpose
Risk Reduction is defined as:
2.3 Risk Control Risk Control encompasses the decision-making activities that result in
action (Risk Reduction) or justified inaction (Risk Acceptance). Actions taken to lessen the probability of occurrence of harm and
2.3.2 Risk Acceptance the severity of that harm. [ICH Q9]
2.5 Risk Review The purpose of risk control is to reduce the risk to an acceptable level.
The amount of effort used for risk control should be proportional to the The Risk Reduction step focuses on processes for control or avoidance
Risk Management Toolbox significance of the risk i.e. serious high risks require decisive, timely and of risks where it exceeds a specified or tolerable level. Having evaluated
the risks as part of the Risk Assessment step (Risk Identification, 31
effective action. Decision makers might use different processes, including
Supply Chain Examples Analysis and Evaluation) and decided what the most significant risks are,
benefit-cost analysis, for understanding the optimal level of risk control.
appropriate decisions should be taken.
Glossary
Risk control might focus on the following questions:
Bibliography Where the Risk Management cycle has been completed previously,
is the risk above an acceptable level? risk tolerance levels should be reviewed taking into account the current
what can be done to reduce or eliminate risks? situation, new information and available resource.
what is the appropriate balance among benefits, risks and resources?
are new risks introduced as a result of the identified risks being Input
controlled?
Ensure that the Risk Assessment phase is completed before proceeding.
Generating two data sets (above and below the level of tolerable risk)
These can be summarised as Treat, Transfer, Tolerate or Terminate
is the output from the Risk Evaluation step. The inputs for the Risk
Reduction and Risk Acceptance processes are as follows:
output of Risk Evaluation
additional or new information identified
availability of key decision makers

Foreword
Process Output
Where risks have been evaluated as requiring action, a decision has to Decisions and actions relating to Risk Reduction should be documented
Contents be made as to whether or not: and approved. Approval should endorse resource allocation, timelines
the organisation (or its stakeholders) require each risk to be controlled and implementation strategy, and be communicated to all relevant
stakeholders including any residual risk.
the feasibility to technically, safely or economically reduce each of the
General Introduction risks Examples of reducing risk in the supply chain include the following:
Supply Chain Considerations define / map the supply chain to provide visibility of controls including
It is important to note that at this stage several theoretically possible
solutions to reduce or eliminate risks may be identified. However not all security and authenticity of materials and services
actions will be practical to implement in either a reasonable timeframe, implement a robust supplier qualification process
Responsibilities at a reasonable cost, or even be technically possible. At this point, the implement a supply contract to ensure consistent supply and
2.2 Risk Assessment principles of As Low As Reasonably Practical (ALARP) may be applied. controlled costs
2.2.1 Risk Identification Some actions may be possible or preferable to others, and these may
2.2.2 Risk Analysis
reduce the risk to an acceptable level (see Risk Acceptance section). implement a Quality Agreement or Technical Agreement to ensure
2.2.3 Risk Evaluation responsibilities are clearly defined and understood by all parties with
2.3 Risk Control
When determining actions it is important to consider the following with clear specifications
2.3.2 Risk Acceptance input from the relevant experts: ensure that the supplier understands what the products / services they
2.4 Risk Communication supply are used for
2.5 Risk Review
available resources
capability (organisation, suppliers and suppliers to suppliers) have regular meetings between both parties to ensure effective
Risk Management Toolbox communication, better understanding and co-operation in making
policy (EHS, quality, finance and ethics) 32
improvements to control risks
There may also be both primary and secondary risks, where for example influence the supplier to ensure that they develop a proactive risk
Glossary the supplier may be the primary risk and their supplier may be a management process
Bibliography secondary risk; both may need to be reduced. implement metrics / key performance indicators that are tracked by
both parties
Risk Reduction actions that are identified for implementation should
identify and implement a second source of supply that is not subject
be examined in terms of their impact on the overall Risk Management
to the same risks as the original source of supply e.g. does not
process. Consider the following questions:
manufacture in the same region, does not have the same suppliers or
are any new risks introduced as a result of the identified risks being is not subject to the same energy or transport limitations
controlled?
identify and qualify a new supplier where the existing supplier is
is one significant risk being replaced by another? currently not capable and / or cannot be improved in an acceptable
should a reiteration or part of the Risk Assessment process be timeframe
performed?

Foreword
Different strategies can be applied to manage and control risk. For Reduction in risk is beneficial and to be encouraged, however there
Structure & Acknowledgements example, the supply from one company to another can be disrupted may be circumstances where there is no reasonably practicable way
or cease in the event that the original site of manufacture closes. The of reducing it or no added value at this time based on prioritisation. The
Contents
transfer of production to another site where the material / product has risk still exists therefore senior management need to formally accept this
not been made before presents a potentially high risk to the business. decision and its implications.
Technically it is possible (unless the skills and knowledge have been
General Introduction lost). The decisions of one organisation on both economic and technical Being aware of risks at least enables an organisation to monitor the
grounds, can present a significant and direct impact on the organisations situation and be more able to respond in an appropriate way should the
customers and / or suppliers and their ability to function. In any case, situation change. Once known some risks can be mitigated further along
Risk Management Process another way will need to be found to ensure product continuity. in the supply chain as a holding situation, whilst longer term improvements
are implemented. For example, to reduce the risk of receiving material that
Responsibilities Where the impacted customer is a pharmaceutical or device does not meet specification, the organisation may increase testing and
2.2 Risk Assessment manufacturer, the risk is not only one that could prevent manufacture, but inspection in order to mitigate the risk until there is assurance of supplier
2.2.1 Risk Identification could require lengthy and costly changes to the product licence or device capability.
2.2.2 Risk Analysis registration. Delays in supply to the market could result in the inability to
meet a patients medical needs and / or severe criticism or fines from the
2.3 Risk Control
2.3.1 Risk Reduction regulatory authorities where this could seriously impact the end-user, the Input
2.3.2 Risk Acceptance patient. Risk Evaluation should have been completed and the list of risks above
the agreed tolerable level should have undergone Risk Reduction, unless
2.5 Risk Review In many cases, the ways of reducing risk are simple and do not have this has been decided not to be appropriate. Before taking the decision to
significant costs, if these are identified and planned for in sufficient time. accept or reject, the following questions should be considered:
Costly risk reductions are usually the result of insufficient planning or 33
have the right people been involved?
Supply Chain Examples insufficient co-operation between customers and suppliers. For example,
calling an equipment supplier in response to the breakdown of critical have the right tools and techniques been used?
Glossary equipment can be costly and cause delays in manufacture compared with has anything been missed?
having a Planned Preventive Maintenance (PPM) programme in place.
Bibliography is all the information available?
are the assumptions valid?
2.3.2 - Risk Acceptance QRM Overview
Purpose Process
Risk Acceptance is defined as: Once the risks are understood and appropriate actions proposed, a
formal review should be performed. Risk Acceptance is a decision by an
The decision to accept risk [ISO Guide 73]
organisation to continue to operate without any action to reduce a given
risk on the grounds of either:
Whereas Risk Reduction is a decision step to agree to take action, Risk
Acceptance is a decision step to accept the level of risk or residual risk the risk was below the tolerable level (either before or after risk
or to take no further action. A key part of Risk Acceptance is to formally mitigation)
record the decision by management and communicate this to the business the risk cannot be reduced at this time
and relevant stakeholders. Open RACI

Foreword
Output
Once the consequences and costs of any action or inaction have been
Contents explored and accepted as being appropriate, then these need to be
formally communicated within and between the respective organisations.
Records should be maintained.
An example of a risk that may be accepted is where a product is to be
Supply Chain Considerations discontinued. If the risk mitigation decision involved making a change
of supplier or investment, this may not be feasible for this product and
Risk Management Process therefore the risk may be accepted with no action.
Responsibilities The continued acceptability of risks from this stage should be part of
2.2 Risk Assessment Risk Review.
2.2.2 Risk Analysis
2.3 Risk Control
2.5 Risk Review

34
Glossary
Bibliography

Foreword
Contents

2.4 Risk Communication QRM Overview

Responsibilities Purpose
2.2 Risk Assessment Business Benefits Quality Benefits
Risk Communication is defined as:
2.2.2 Risk Analysis The sharing of information about risk and risk management Ensures interests of Implementation of risk-focused
between the decision maker and other stakeholders [ICH Q9] stakeholders are understood & quality management
2.3 Risk Control considered
Timely / effective end-user
2.3.2 Risk Acceptance Effective internal and external communication is critical to the success Timely delivery of business protection
2.4 Risk Communication of any Risk Management process. A plan to communicate and consult impacting information Consistent conformance of
2.5 Risk Review with internal and external stakeholders should be developed at an early Increased awareness & products to specification
stage to manage any issues that arise in relation to the Risk Management understanding
Risk Management Toolbox Empowered continuous
process. Where appropriate, communication and consultation with 35
internal and external stakeholders should take place at each stage of the Improved planning through improvement
Risk Management process. knowledge Timely and effective change
Glossary Improved resource allocation management
Effective communication ensures that those accountable for implementing
Bibliography Improved effectiveness & Promotes proactive approach
Risk Management understand the basis for decisions and outcomes of
efficiency Promotes good understanding
each stage in the process. Applying good communication practices with
all stakeholders will increase the efficiency and effectiveness of the Risk Enhanced mutually beneficial and knowledge of product
Management process. business relationships source and authenticity
Efficient and effective change Brings functional experts
Examples of potential benefits of good communication practices within management together to identify and
and between organisations are listed in Table 5 (right). analyse risks as part of QRM
Brings functional experts
together to identify and
The most appropriate methods of communication to use should be
analyse risks
determined by the organisation in terms of Who, What, When and How.
Table 5 Potential Business and Quality Benefits of Good Communication Practices

Foreword
Who? What?
The first step in any successful communication process is to identify the The information that requires communicating may change over time as
Contents relevant stakeholders, for example those in Table 6 (below). These will inputs and outputs to the Risk Management process develop. The who,
be the individuals, parties, groups and / or functions who; when and how may also change over time.
have an impact (direct or indirect) on the product / service
Communication can be formal or informal. This will depend on the
General Introduction have an interest in the activities or project following:
Supply Chain Considerations have to act on the outputs of the Risk Management process the needs of the parties involved
Risk Management Process the stage / step of the Risk Management process
These stakeholders need to be identified and included where and when
2.1 Risk Management Team and necessary at each Risk Management stage. It is useful to document such the nature of the inputs / outputs (e.g. data, information)
Responsibilities
2.2 Risk Assessment
stakeholders as part of the overall process. This is common practice in the timelines & urgencies
2.2.1 Risk Identification project management activities.
2.2.2 Risk Analysis Important points can be captured in meeting minutes, but key decisions
2.2.3 Risk Evaluation from Risk Control should be formally documented to permit traceability
2.3 Risk Control Internal External
and review. The type of information to communicate may be determined
Contract Management / Customers using a variety of basic tools including brainstorming and gap analysis
2.4 Risk Communication Procurement Suppliers / Contractors techniques.
2.5 Risk Review
Manufacturing / production Regulatory Authorities Table 7 (following page) illustrates what may be communicated in terms
Risk Management Toolbox Testing / QC Notified Bodies of inputs and outputs at the various stages of the Risk Management 36
Supply Chain Examples Quality Assurance Certification Bodies Process. The level of detail communicated should be commensurate with
Warehouse & Distribution the intended stakeholders needs and expectations. Enough information
Glossary Consultants should be provided to allow for informed decision or assessment but too
Sales & Marketing much or too little information can be counter-productive.
Bibliography
Finance
For example:
Table 6 Examples of some stakeholders / key parties senior management usually do not require a detailed history, rather
a concise summary of the situation with outputs of analysis and any
decisions required
Not all information needs to be communicated; it should be appropriate
those preparing the summary will need detailed information / technical
and relevant to the recipient. It is useful to appoint someone responsible
detail to base the analysis and recommendations on
for communication who understands that confidentiality, contractual and
regulatory obligations should be respected at all stages. recipients of the decision may just require a brief / letter outlining the
decision and guidance for future action
A RACI is a useful tool to define responsibilities within the Risk the provider of the original information may require communication by
Management process. Open RACI way of feedback that appropriate action has been taken
there should be appropriate acknowledgement of actions and
responsibility taken through communication and feedback

Foreword
Contents
Inputs Outputs Inputs Outputs

Risk Identification Risk Identification Risk Reduction / Risk Acceptance Risk Reduction / Risk Acceptance
Supply Chain Considerations Scope Hazards Output from Risk Evaluation Resources
Risk Management Process Process steps Risks Resources Processes for control
2.1 Risk Management Team and Information - Hard / Soft Data Process Maps Processes for control Assumptions [1] / rationale
Responsibilities
2.2 Risk Assessment Assumptions [1] Assumptions [1] Capability Capability
Risk Analysis Risk Analysis Practicality Practicality
2.2.2 Risk Analysis
2.2.3 Risk Evaluation Output from Risk Identification Risk Analysis Scores Decisions Decisions [2]
2.3 Risk Control
2.3.1 Risk Reduction Scope High Risks requiring Actions Defined actions [2]
Hard / Soft Data immediate action / escalation Risk Review Risk Review
2.5 Risk Review Assumptions [1] Defined actions Output from previous Risk New hazards or risks [2]
Choice of Analysis Tool Management process New action [2]
New hazards or risks 37
Rationale Changes [2]
New data / information
Risk Evaluation Risk Evaluation [2]
Glossary Changes
Output from Risk Analysis Ranked / filtered risks
Bibliography Assumptions [1]
Tolerable Risk Level Decisions / assumptions made
Rationale in ranking / evaluation
Assumptions [1] High Risks requiring

immediate action / escalation
Table 7 Examples of items to be communicated during Risk Management process
Note:
1 - Assumptions are made when little or no data is available at that time. This should be used with extreme caution as it could impact on the Risk Management process if they are found to be
incorrect. It is important to document assumptions so that the inherent risk in their usage can be considered by recipients of the communication. Always aim to replace any assumptions at the
next iteration of Risk Management or when information becomes available.
2 - Formal risk information should be communicated in writing to a defined circulation list and kept on record.

Foreword
When? In summary it is important to ensure that:
Structure & Acknowledgements Communication should take place throughout the Risk Management the correct audience and stakeholders are identified
Contents process whenever appropriate to do so. Fundamentally these activities the communication is suitable for the recipients concise, clear and
will occur at the beginning and end of each stage. Communication is traceable to all parties
required when the following situations arise:
communication is timely for the intended recipients or stakeholders
General Introduction unexpected developments where urgent issues, events or new
information comes to light, which may change previous information feedback is requested that communication has been received,
Supply Chain Considerations / assumptions and require the initiation of a review of previously understood and acknowledged
completed Risk Management stages ensure records are maintained
routine developments as per a defined plan or in accordance with appropriate documentary evidence is available for stakeholder scrutiny
Responsibilities the process in the scope of the Risk Management process
2.2 Risk Assessment
as per the needs of the stakeholders
2.2.2 Risk Analysis at set milestones such as the point of Risk Evaluation, Risk Control,
2.2.3 Risk Evaluation Risk Review and so on
2.3 Risk Control
2.3.1 Risk Reduction as part of periodic risk management review
2.5 Risk Review
How?
Risk Management Toolbox The method of Risk Communication should be clearly established at
each stage in the Risk Management process. Key decisions should be 38
Supply Chain Examples communicated formally. Elsewhere less formal methods will be sufficient.
When there is an increased risk or event, it is important to have a process
Glossary
that enables an appropriate response to be made, so that the relevant
Bibliography stakeholders receive accurate and timely information to make decisions
and / or take action.
Always agree on the means of communication up front. The method of

communication should be based on capabilities between parties. There
is no point in expecting to communicate solely via e-mail if one of the
parties doesnt have a reliable electronic mail system or is unable to
access one.

Foreword
Contents

2.5 Risk Review QRM Overview

Responsibilities Purpose any events or changes that have taken place since the previous
2.2 Risk Assessment
Risk Review is defined as: assessment
2.2.2 Risk Analysis Review or monitoring of output / results of the risk management inspections or audits
process considering (if appropriate) new knowledge and experience management review
2.3 Risk Control
about the risk [ICH Q9] case studies
2.4 Risk Communication Risk Review is required to ensure that the outputs / results of the Risk near miss events
2.5 Risk Review Management process are revisited at defined intervals and actively an appropriate interdisciplinary team
evaluated in response to events / new information. Changes regularly
occur within supply chains and risk models therefore need to be dynamic. 39
Supply Chain Examples Risk Review is about being able to demonstrate and verify the status and Process
effectiveness in managing the hazards and associated risks that changes A review should enable the targeting of resource to areas based on
Glossary present. assumptions, or new information that has become available. It is not
Bibliography necessary to repeat the whole process with already identified and
Without a planned review, the risk process may gradually become more unchanged risks. The review requires that accurate information be
out of date, and may cease to be valid or useful. As a result, new risks reviewed and presented to the decision-makers.
and variables will not be identified and assumptions will not be validated
or moderated. This is wasteful of resources that have been invested in A well executed Risk Review establishes that:
the original assessment.
the unknowns are minimised
new variables are identified and assessed
Input the supply chain is controlled effectively
Risk Review can only begin once Risk Assessment and Risk Control
have been completed. It requires the following information as a minimum: Risk Management has a dynamic lifecycle. Review criteria are required
the results of the original / previous assessment (and actions arising at the outset of the process to ensure that they are updated and kept up-
from them), should be repeated and updated with current information to-date. Appropriate measurement tools should be established to monitor
performance and feedback on any given process. Such information
any assumptions taken
should be communicated to provide feedback to users and decision-
monitoring information (planned feedback) makers to enable effective Risk Review.

Foreword
An effective Risk Review process should accommodate the ability to regulatory actions or incidents, such as Warning Letters, Consent
Structure & Acknowledgements respond to both Proactive and Reactive events. Decrees or other unexpected events
Contents changes in legislation (may be unforeseen)

Proactive it is recommended that reviews initially be performed at least
annually. Further reviews are dependant on the nature of the business failure of supplier processes impacting quality and supply (e.g.
(supplier history, known risks, assumptions and criticality of the product deviations, complaints etc)
General Introduction and processes). results of audits or other visits
Supply Chain Considerations resource changes (financial, personnel or equipment)

Some examples of measurements:
new or modifications to monitoring systems
Risk Management Process performance of a new supplier against expectations
other significant issues impacting information used as a basis for
2.1 Risk Management Team and Key Performance Indicators / Critical Control Parameters (e.g. data
Responsibilities assessment
2.2 Risk Assessment
that shows quality, satisfaction and delivery)
application of issues learnt to other materials, areas and activities
2.2.1 Risk Identification outcome of a corrective / preventive action plan (CAPA)
2.2.2 Risk Analysis
2.2.3 Risk Evaluation trend analysis (e.g. product performance review) Some brief and illustrative examples of reactive events:
2.3 Risk Control
industry trends A distribution service supplier originally rated as very low risk reports
2.3.2 Risk Acceptance benchmarking that their main warehouse in France has been partially destroyed by
2.4 Risk Communication fire destroying 500,000 Euros of finished product and affecting the
2.5 Risk Review expected or anticipated changes in legalisation, standards or status of 5 million Euros of stock on the site.
guidelines
- was this a one-off low probability event previously identified and
other measures to control the process accepted, or an unforeseen event? 40
Supply Chain Examples - were there failures in systems mitigating this risk, or had the need
Reactive significant new information or events can change the for such systems been overlooked or not identified?
Glossary results of a Risk Assessment or at least indicate that a review should be - are other warehouses / markets at risk?
performed (this is not an exhaustive list):
Bibliography A number of complaints are reported for an eye-drop finished product.
new site for an established supplier (changes in operations, culture, Upon investigation, a broker is identified in the supply chain, and it
capabilities and setup issues) is found that there has been a change in the crystalline structure of
new product or service at an established supplier the herbal extract ingredient, causing an adverse reaction. Events
technical changes in the product supplied e.g. specification or a high have since demonstrated that the original assessment was based on
rate of change inaccurate information and false assumptions.
changes in markets supplied and in volumes produced A key member of staff at a contract manufacturer leaves and the
communication lines, flow of information and ability to interact between
ramp up / down in production organisations breaks down.
serious complaint / adverse event and / or recall A Product Review highlights an unexpected series of deviations, or a
trend relating to a service or material supplied.

Foreword
The level of significance of an event or new information should determine In summary
Structure & Acknowledgements if a review is required. Risks and risk indicators can change with time Risk Management is an ongoing cyclical process, and not a one-off
and, with the change some risks require re-evaluation. activity. It should enable control or elimination of significant risks as well
Contents
as the identification of any new risks and processes. The process should
Some key questions to ask are as follows: continue to be used for events that might impact on the original Risk
has the probability of occurrence changed? Assessment decisions, whether planned or unplanned. As experience
has the impact or significance of known risks changed? with the Risk Management process in use grows, more advanced tools
Supply Chain Considerations and methods may be used.
are there any new areas to include in the Risk Assessment that have
Risk Management Process not been captured before?
2.1 Risk Management Team and are there any risk indicators that are no longer applicable due to
Responsibilities changes in processes, equipment, suppliers, services, materials,
2.2 Risk Assessment
circumstances etc.?
2.2.2 Risk Analysis are there any new risk indicators or risk tools that should be used (Risk
2.2.3 Risk Evaluation Management process improvement)?
2.3 Risk Control
2.3.1 Risk Reduction as well as having good communication and regular feedback relating
2.3.2 Risk Acceptance to Risk Review, a process should be defined for the escalation of
2.4 Risk Communication urgent matters to key stakeholders and decision makers including both
2.5 Risk Review
criteria and timescale.
41
Supply Chain Examples Output
Glossary The output / results of the Risk Review is not the end of the process. It is
an iterative process that has a number of different outcomes:
Bibliography no action is required at present as all risks are known and under
control, next review should be determined based on risk (about one
year) or where new information / changes are made
new risks are identified or assumptions are shown to be invalid or
requiring reassessment
a significant event, improvements or major gaps are identified that
invalidate the original assessment resulting in a new Risk Assessment
for that supplier or product
Risk Review should be formally documented, approved and appropriately

communicated.

Foreword
Contents

Risk Management
3.1 Introduction to the Toolbox
3.2 Approach to Implementation
3.3 Risk Assessment
3.3.1 Risk Identification Tools
Toolbox
3.3.2 Risk Analysis Tools Part 3
3.3.3 Risk Evaluation Tools
3.4 Risk Control
3.4.1 Risk Reduction Tools
3.4.2 Risk Acceptance Tools
3.5 Risk Communication Tools
3.6 Risk Review Tools 3.1 Introduction to the Toolbox 42
Appendix 1 - Worked example: Ranking and
Filtering for Contractor management
Appendix 2 -Worked example: Medical Device
Risk Assessment using a Simplified FMEA This toolbox is to provide the user with basic information on some Complex tools
Appendix 3 - Worked example: Supplier Audit relevant, commonly available tools and techniques and demonstrate Commonly used to:
Priority using Risk Assessment how they are applicable to Risk Management. The tools and techniques gather / organise data
discussed in this section are proven, effective methods that are
Supply Chain Examples analyse data into meaningful information with increasing levels of
commonly used in a variety of industries. Thus, if anyone is trained or
experienced in any of the tools, it is advisable to use such resource for sensitivity
Glossary
coaching. manipulate complex data to simplify and aid informed decision making
Bibliography
The drivers for which tool to use and where are:
Simple tools
scope
Commonly used to:
experience of the user
gather / organise data
the process under examination
structure data / information
type of Risk or Hazard identified
project manage
availability of appropriate information
process and facilitate decision making
amount of time available, which is a balance of the extremes of quick
and approximate or slow with precision

Foreword
Some tools are very effective in all areas of Risk Management while
Structure & Acknowledgements others are better employed for specific areas of the process. Some tools
utilised in Lean, 6-Sigma and Right First Time may be the same or similar
Contents
to Risk Management tools. This toolbox provides guidance on their use
with examples, where appropriate.
General Introduction Some characteristics of good Risk Management tools:
Supply Chain Considerations provide structure in reaching conclusions or making decisions

encourage multiple functional team input
value the differences of expertise, knowledge and viewpoint
deployable at various stages
function well with relevant resources and trained facilitators
3.3 Risk Assessment are proactive
3.3.2 Risk Analysis Tools
3.3.3 Risk Evaluation Tools There will be tools and techniques not mentioned in this guide which may
3.4 Risk Control be appropriate to use and new techniques are always being developed.
3.4.1 Risk Reduction Tools Care should be exercised as some tools may appear suitable but are
3.4.2 Risk Acceptance Tools designed for retrospective analysis (for example Root Cause Analysis),
whilst Risk Management tools and techniques are intended to be
3.6 Risk Review Tools
Appendix 1 - Worked example: Ranking and prospective in order to determine the potential future consequences. The 43
Filtering for Contractor management tools and techniques explained in this section are provided as overviews
Appendix 2 -Worked example: Medical Device to illustrate their applicability to Risk Management with their respective
Risk Assessment using a Simplified FMEA
Appendix 3 - Worked example: Supplier Audit advantages and disadvantages. Some are explored in more detail with
Priority using Risk Assessment a specific example to demonstrate how they have been successfully
applied in some organisations.
Glossary This toolbox guide is not intended to be definitive. To gain a full

understanding of some of the tools and techniques mentioned, individuals
Bibliography may need to supplement the guidance given here with knowledge or
training from elsewhere.
The ICH Q9 Briefing Pack contains a set of pharmaceutical industry

oriented tools which may supplement information on those given in
this guide. A cautionary note is that the ICH Q9 Briefing pack tools are
generic to all areas of Risk Management and not all are considered ideal
for assessment in a supply chain environment.
ICH Q9 briefing pack

Foreword
Contents

Risk Management Toolbox Tools and techniques used in project management work well in initiating a Risk Management process. Some of the tools and techniques, given in
3.1 Introduction to the Toolbox subsequent sections, are processes in their own right. They may be used to implement Risk Management as well as perform specific risk identification
3.2 Approach to Implementation or analysis tasks, e.g. HAZOP or HACCP.
3.3 Risk Assessment
3.3.2 Risk Analysis Tools A project management approach to Risk Management provides structure, There are some disadvantages in using a strict project management
3.3.3 Risk Evaluation Tools control and assignment of resource, and is successfully used by many approach:
3.4 Risk Control
organisations. This approach includes the following: managed projects generally have a finite life with an end-point
3.4.2 Risk Acceptance Tools a scope or charter is defined Risk Management is a reiterative process and will require refinement
3.6 Risk Review Tools key roles are defined (sponsor, project lead, team members) and change as products and organisations evolve
44
sponsor accountable and approves goals and objectives project management teams are often disbanded at the end of the
Appendix 2 -Worked example: Medical Device a team is appointed of appropriate stakeholders (subject matter project and therefore the review phase might not be complete
Appendix 3 - Worked example: Supplier Audit
experts and / or involved parties)
Priority using Risk Assessment
The best organisational aspects of project management can be selected
budgetary requirements are identified and agreed for use as appropriate, e.g. the charter.
Supply Chain Examples milestones and timelines are defined in a plan
Whatever approach is used the following should be included:
Glossary progress measured against the plan
1. Establish an effective cross functional team
Bibliography 2. Establish scope, responsibilities, accountability and budget
3. Define timelines for decisions
4. Establish controls, feedback mechanisms and formal reporting
5. Review at defined intervals

Foreword
A sub-tool within project management is the charter or objective
Structure & Acknowledgements statement which should include the following:
Contents scope for the Risk Management team (what is and what is not in
scope) - in the supply chain this would identify the limits of the supply
chain or the section of the supply chain to focus on
General Introduction objectives and performance criteria - these will detail any special
performance targets and what is expected as the steady state
Supply Chain Considerations any known management or operational obstacles
Risk Management Process budget requirements
Risk Management Toolbox decision-makers and levels of authority

departments that need to be represented
3.2 Approach to Implementation identification of the facilitator or leader, and roles and expectations for
3.3 Risk Assessment
team members Open RACI
3.3.3 Risk Evaluation Tools The charter / objective statement should be a formal document
3.4 Risk Control approved by the individual(s) accountable for budget. When approved
3.4.1 Risk Reduction Tools by senior management this document becomes the baseline for the
3.4.2 Risk Acceptance Tools Risk Management process. As work progresses the charter / objective
statement should be revisited to ensure the objectives remain valid and
that there is continued support and ownership. 45
Implementation review
Priority using Risk Assessment For effective implementation, the original objectives and any changes
should be reviewed. This should focus on the effectiveness of the
implementation within the organisation and not be concerned with the
Glossary review of the data and levels of risk accepted.
Bibliography Key areas to review include:

were the objectives correct?
have the objectives been met?
was the team assembled effective?
is the process in use in the right areas?
what should be considered for future improvement?
The implementation review should be documented and be reported at

management review; it should also be considered in the next cycle of the
Risk Management process.

Foreword
Contents

3.3 Risk Assessment
Risk Management Toolbox This section describes some of the tools that are useful for the 3 phases involved in Risk Assessment prior to the Risk Control phase:
3.2 Approach to Implementation Risk Identification, Risk Analysis and Risk Evaluation
3.3 Risk Assessment
3.4 Risk Control
3.3.1 Risk Identification Tools Brainstorming
This section describes some of the tools that are useful for identifying Overview
3.4.2 Risk Acceptance Tools hazards and their associated risks at the Risk Identification stage of the Brainstorming is a technique usually utilised where you have a group of
3.5 Risk Communication Tools Risk Management process. Tools included are as follows: people trying to find a solution to a problem. It aims to achieve quality
3.6 Risk Review Tools through quantity by capturing a wide spectrum of ideas from various
Appendix 1 - Worked example: Ranking and Brainstorming Cause and Effect / Fishbone 46
Filtering for Contractor management Diagrams disciplines in an open and encouraging atmosphere.
What If?
Risk Assessment using a Simplified FMEA Mind Mapping Hazard Operability Analysis Some advantages are:
Appendix 3 - Worked example: Supplier Audit (HAZOP)
Priority using Risk Assessment Check-sheets simple method
Hazard Analysis and Critical
Supply Chain Examples Flowcharting Control Point (HACCP) requires few resources
Process Mapping apart from the facilitator, participants require little training
Glossary
generates quantities of data fast
Bibliography HAZOP is described here as it focuses on identification of hazards and can identify areas not considered before
their associated risks, however it does cover several phases of a Risk
generates new ideas from non subject matter experts not explored
Management process from implementation to Risk Analysis. It illustrates
before
a combination approach using several of the Risk Identification tools.
Some disadvantages are:

HACCP is a similar tool to HAZOP and is described in the Risk Analysis
section within this toolbox. requires an impartial facilitator
requires active participation of all members to be really successful
can generate large quantities of data of which some is eliminated later
can lose focus and drift off scope if not managed well

Foreword
Using Brainstorming: interrogated by asking what if there is a failure in the sub-process?
Structure & Acknowledgements or what if there is a failure in the operation of the sub-process? The
appoint a facilitator it is beneficial to assign one individual as a
facilitator to ensure that all participants voices are heard and the answers to the questions will identify if potential hazards exist. The
Contents
process is managed effectively technique is more structured than a brainstorming session.
ensure the appropriate people from the relevant functions are present Some advantages are:
General Introduction (interdisciplinary team)
simple method
provide an environment and atmosphere removed from external
Supply Chain Considerations requires few resources
distractions
Risk Management Process the facilitator should open the session with a clear description of the participants require minimal training
subject to be brainstormed e.g. this session is focused on identifying very effective for defined processes
risks with repacking sodium chloride before distribution to our may identify areas where knowledge gaps need to be filled
3.1 Introduction to the Toolbox customers
3.3 Risk Assessment utilise a means of capturing ideas e.g. using a whiteboard or flipcharts Some disadvantages are:
3.3.1 Risk Identification Tools or other means and share with everyone involved requires active participation to be successful
3.3.3 Risk Evaluation Tools encourage a focus on quantity aim to ensure that a large number of can generate large quantities of data where processes are long or
3.4 Risk Control ideas are generated complex
keep each idea succinct and separate is of limited use where processes are undefined or unknown (however
3.5 Risk Communication Tools there should be no discouragement or criticism all ideas no matter this may lead to identifying a list of what is required)
3.6 Risk Review Tools how unusual should be heard - this encourages input from all
Appendix 1 - Worked example: Ranking and requires effective brainstorming to generate relevant and effective 47
Filtering for Contractor management participants, and prevents areas or ideas for solving the risk problem What if? questions about sub-processes
Appendix 2 -Worked example: Medical Device from being overlooked
Risk Assessment using a Simplified FMEA requires substantial knowledge of the process under scrutiny in the
Appendix 3 - Worked example: Supplier Audit the more hazards and associated risks that are identified, the more first place
Priority using Risk Assessment comprehensive the subsequent analysis and evaluation will be,
however be careful to stay in scope and remain focused Using What If
as the list of ideas increases, review the ideas put forward and group What if is easily adopted in supply chain scenarios, for example an
Glossary those that are identical or similar under a single heading - make use asthma inhaler (pressurised Metered Dose Inhalator - pMDI) has many
of colour or symbols or other distinguishing means to collate ideas complex parts in addition to the medicine it dispenses. What If questions
Bibliography
into subgroups e.g. all risks identified with machinery in black, all risks can be formulated for every part of the operation:
associated with raw materials in red etc. what if the temperature in the distribution warehouse rises above 35C?
The final output should be a list of ideas which can be developed what if the No actuation detector on the packaging line develops an
further and subjected to risk assessment intermittent fault?
what if the moulded plastic actuator supplier has used a different
plastic mould release agent after an unusual breakdown than the one
What If? approved for the product?
Overview
What if? is a technique commonly used in engineering to determine what if the master-batch supplier of the plastic granules for the
hazards associated with a facility, equipment or a process. The process device has used a different supplier of raw materials to reduce costs or
under review is broken down into sub-processes and each step ensure delivery on time?

Foreword
Mind Mapping Some advantages are:
Overview promotes the brainstorming / idea generation sub-processes by way of
Contents Mind maps are diagrammatic representations of ideas arranged radially its structure
around a central idea or theme. They have been used as study aids, for allows the capture of information in a concise visual representation
problem solving and as decision making tools.
fast process for recording data / information
Supply Chain Considerations Ba

View la n
ce
d
ca l
Risk Management Toolbox Resu cti
a
1 lt
tional
Pr
3.1 Introduction to the Toolbox o
3.2 Approach to Implementation 2 Follow
-u
Persona
l Em s
Action p ue
Iss
3.3 Risk Assessment
3.3.1 Risk Identification Tools 3
Def
4
Plan
in
plore
e
3.4 Risk Control Ex Fe
eli Other
s
3.4.1 Risk Reduction Tools ng s
Time
irements SO MS
3.4.2 Risk Acceptance Tools Requ LU B
LE Own
3.5 Risk Communication Tools TI
Money ath
O
ON
G
3.6 Risk Review Tools er
PR
48
Appendix 1 - Worked example: Ranking and s
Filtering for Contractor management rce
Resou hs Fa c
t
s
gt Creative
Risk Assessment using a Simplified FMEA Stren Solutions
ple

Priority using Risk Assessment Peo
Opinions
Supply Chain Examples Idea
TE
3
s A ID
se A LU EA
Glossary Weaknes EV S Change
Bibliography Strengths
itu
S
Id
2 knesses ation
Wea
ea
Idea 1
s
en 1
G
St
se
ren erate 2
es
Weakn gths
3
8
4
7
6 5
Figure 7 Example of a mind map

Foreword
Some disadvantages are: data generated lends itself well as an input mechanism to other tools
may require training of personnel to become effective users of the provides objective evidence to counteract opinion and assumptions
Contents technique
not all people find this technique useful Some disadvantages are:
use of colour / symbols / diagrams can make the resultant mind map relies heavily on people recording data accurately
General Introduction prone to misinterpretation by persons not involved with its construction can become cumbersome and lengthy for complex processes
Supply Chain Considerations limited scope in terms of volumes of data with large quantities of relies upon good check-sheet design
data a single diagram may become too complex and cumbersome to may become limited by design if there is insufficient scope to record
Risk Management Process work with data some items of data may get missed out
Use of mind maps Use of Check-sheets
3.2 Approach to Implementation Mind maps can be constructed manually by hand-drawing or There are four main types of check-sheets commonly used:
3.3 Risk Assessment electronically using software packages. 1. Item check-sheets used to capture identified hazards in the process
e.g. the check-sheet will have a list of potential problems and provision
3.3.3 Risk Evaluation Tools The key topic is placed in the centre. Branches are drawn from the key to count occurrences or frequency
3.4 Risk Control topic radially. Each branch represents a single sub-idea of the main idea 2. Location check-sheets used to identify potential areas or locations
3.4.1 Risk Reduction Tools relating to the key topic. On each of these branches are drawn sub- in the process where a hazard and its associated risks occur, e.g.
3.4.2 Risk Acceptance Tools branches, each one drilling down further into the idea represented by the
3.5 Risk Communication Tools the check-sheet may be a diagrammatic flowchart of the sale and
main branch. Experts promote the use of colour for different branch trees distribution of a product that illustrates the main processing steps
as well as graphics to aid the conceptualisation process in the brain. 49
Appendix 1 - Worked example: Ranking and involved - a mark is placed on the location where the problem occurs
most often giving data on counts and / or frequency
Appendix 2 -Worked example: Medical Device It is also recommended that the least number of words is used to
Risk Assessment using a Simplified FMEA 3. Defect check-sheets used to try and identify causes of risk e.g. may
Appendix 3 - Worked example: Supplier Audit describe each idea or branch in the diagram. Related ideas or issues can
Priority using Risk Assessment also be linked from one branch to another, illustrating interactions or inter- be used to identify the potential causes associated with mislabelling of
relations. An example of a mind map is given in Figure 7 (previous page). products and provides a means of recording data about the operators,
Supply Chain Examples labelling machines, batch code printers etc.
Glossary 4. Checklist check-sheets used to identify risks by checking if

Check-sheets procedures are followed e.g. a check-sheet will have a list of tasks that
Bibliography Overview need to be performed or risks to be mitigated
Check-sheets are commonly used tools that allow collection of
information from a process in a systematic, organised way in real time Information on designing and using check sheets is widely available
at the location where data is being generated. Data collected on check- outside of this guide. It is important to ensure a check sheet is suitably
sheets is easily used as an input to other tools. Data can be collected designed to allow capture of all relevant data and that it does not bias
quantitatively e.g. counts, or qualitatively e.g. attributes like yes/no or go/ data collection and lead to mis-informed data analysis or evaluation.
no go type data.
Checksheets are widely used in other applications, for example an audit
Some advantages are: checklist for an auditor as an aide memoir.
simple
fast process for recording data / information

Foreword
Flowcharting
Overview
Contents Flowcharting is the process of charting a process or information by representing the individual steps as boxes and displaying the order of occurrence
by connecting each box with an arrow showing the direction of process / information flow. It is through process understanding that flowcharts can be
used to aid Risk Identification in identifying potential issues, hazards, defects, bottlenecks and restrictions.
Medical Device Organisation Outsourced Conversion Outsourced Sterilisation
Supplier 1 Stage A Supplier 9
Risk Management Process Raw Materials Bulk Chemical Conversion Raw Materials
Risk Management Toolbox Stage B Mechanical Conversion

3.1 Introduction to the Toolbox Bulk Chemical Conversion
3.3 Risk Assessment
Supplier 2 Supplier 3
Raw Materials Raw Materials
3.4 Risk Control Stage 1 Stage 1
3.4.1 Risk Reduction Tools Sub-Assembly B Sub-Assembly A
3.6 Risk Review Tools Stage 2 Sub-Assembly C
Appendix 1 - Worked example: Ranking and Sub-Assembly B 50
Risk Assessment using a Simplified FMEA Supplier 4 Final Device Assembly
Appendix 3 - Worked example: Supplier Audit Raw Materials
Supply Chain Examples Supplier 5 Primary Packing

Raw Materials
Glossary
Bibliography Supplier 6 Secondary Packing

Raw Materials
Supplier 7 Tertiary Packing Terminal Sterilisation

Raw Materials
Product Testing & Release
Supplier 8 Warehouse
Distribution
Figure 8 Flowchart of a Medical Device Manufacture showing Suppliers & Contractors

Foreword
Flowcharting is a simple tool to map out the supply chain. Figure 8 How to Process Map:
Structure & Acknowledgements (previous page) illustrates a simple integrated flowchart used to show Most process maps begin with a start point and end with a termination
the flow of materials in the manufacture of a Medical Device with links point for the process or sub-process. A decision needs to be made on the
Contents
between organisations performing key outsourced manufacturing steps in level of detail required. An example of a process map is shown in Part 1,
the process. Figure 5. Open Process Map
General Introduction Each of the 9 different suppliers and the outsourced organisations in the The final output of the exercise should be full diagrammatic
flowchart in Figure 8 (previous page) can also be individually flowcharted representation of the process that provides process understanding and
to provide an accurate picture of the process and related risks. a means to identify where risks can occur in that mechanism. The risks
Risk Management Process identified can then be subjected to the subsequent steps of the risk
Flowcharting of processes in more detail is more commonly known as management process.
Risk Management Toolbox process mapping.
3.2 Approach to Implementation Cause and Effect / Fishbone Diagrams
3.3 Risk Assessment Process Mapping Overview
Overview Fishbone Diagrams (also known as cause and effect diagrams or
3.3.3 Risk Evaluation Tools A process map is a diagrammatic representation of a process that Ishikawa diagrams) are primarily used to identify causes associated with
3.4 Risk Control utilises geometric shapes representing actions or stages interconnected an event, but are easily adopted to identify hazards / risks associated
3.4.1 Risk Reduction Tools by flow-lines. Over the years various conventions have been adopted with an event.
on the shapes and symbols to be used for representing steps such as
start and end points of the process, individual actions, decision steps Some advantages are:
Appendix 1 - Worked example: Ranking and and documentation steps. It is not necessary to adopt any of these 51
simple method
Filtering for Contractor management conventions; however it may assist in understanding when sharing
process maps with customers or suppliers. requires few resources
Appendix 3 - Worked example: Supplier Audit participants require little training
Priority using Risk Assessment Some advantages are:
organises related ideas into groups
Supply Chain Examples useful tool to define the supply chains
can identify knowledge gaps
prevents oversights and omissions in considering potential sources of
Glossary very effective for defined processes
risk within and associated with a process
Bibliography enable interactions, flow of materials, people and services to be Some disadvantages are:
characterised and visualised
requires active participation to be successful
Some disadvantages / constraints are: can generate large quantities of data where processes are long or
complex
takes time to accurately map the process
limited use where processes are undefined or unknown (however can
need to have the process experts available to capture the process
identify the knowledge gaps)
correctly
requires substantial knowledge of the process under scrutiny in the
first place

Foreword
Use of Fishbone Diagrams: Hazard Operability Analysis (HAZOP)
Structure & Acknowledgements The diagram is constructed with a box on the right hand side (the head Overview
of the fish) see Figure 9 (below). This box contains the subject under HAZOP was developed in the chemical industry in the 1960s for health
Contents
examination, for example the Risk Question. and safety Risk Analysis and the control of chemical processes. It is one
of the most commonly known risk tools used to evaluate safety hazards
The spine of the fish has a number of main bones coming off it. Each one in Environmental Health and Safety. It is considered a simple but highly
General Introduction represents a subject category. These can be tailored to specific needs but structured hazard identification tool. Therefore organisations may already
some commonly used categories are the 6Ms, 8Ps or 4Ss: have personnel skilled in the use of this tool.
6Ms = Materials, Men (People), Machinery (Equipment), Methods
Risk Management Process (Procedures), Maintenance (Management), Mother Nature Using the HAZOP approach assumes that events and hazards that
(Environment) generate risks are caused by deviations from the established mapped
8Ps = Price, Promotion, People, Processes, Place / Plant, Policies, design and operating intentions, and uses a systematic technique to help
Procedures, Product identify potential deviations from normal use or design intentions in use.
3.2 Approach to Implementation It can be considered as an example of a possible combination package
3.3 Risk Assessment 4Ss = Surroundings, Suppliers, Systems and Skills covering several Risk Management stages and incorporates some of the
3.3.2 Risk Analysis Tools previous identification tools and techniques.
3.3.3 Risk Evaluation Tools Finer bones come off each category bone to list potential hazards and
3.4 Risk Control risks associated with for example materials. Often the more populated the Some advantages are:
bone is the more influential that category is to overall risk. This technique may be used as a overall Risk Management tool for initial
is very powerful when used in conjunction with other tools such as implementation
3.6 Risk Review Tools Brainstorming and Pareto analysis.
captures and retains product and process knowledge for an 52
Filtering for Contractor management organisation
Risk Assessment using a Simplified FMEA safeguards against repeat error (reactive analysis) and facilitates rapid
Appendix 3 - Worked example: Supplier Audit detection and correction as a quick reference for problem solving
Priority using Risk Assessment Identify Risks GMP Regulatory Medical
and verify that
may be used to test a suppliers manufacturing processes or facilities
Supply Chain Examples each potential for robustness
risk is related
Glossary to the Risk can handle significant amounts of data
Question. uses brainstorming, process mapping etc. in a structured manner
Bibliography Risk
Question can be used for situations when the hazards and associated risks and
Assess the underlying consequences are diverse and difficult to compare using a
frequency of single tool
occurrence
and potential widely used
severity of
each risk. Legal Environment People
Figure 9 Example of Ishikawa / Fish-bone Diagram

Foreword
Some of the disadvantages are: Complex Tools:
it is a tool originally designed for evaluating engineering or chemical Fault Tree Analysis (FTA)
Contents processes and equipment and therefore has to be significantly Preliminary Hazard Analysis (PHA)
modified for alternative uses
Hazard Analysis and Critical Control Points (HACCP)
it requires combination with a hazard analysis tool and has some
limitations in its scope Failure Modes Effect Analysis (FMEA)
it doesnt generate quantitative data but relies on key words Failure Modes Effect and Criticality Analysis (FMECA)
it lacks a technique to sort and categorise the risk level All these tools require data input. This may be hard data, such as that
within computerised systems or generated by statistical analysis, or soft
Use of HAZOP data from more subjective analysis or semi-quantitative data analysis.
An outline of the basic steps in HAZOP are: Data analysis can be a complex area of the Risk Management process.
1. Collect applicable documents and drawings Therefore the tools employed in Risk Analysis range from simple to
3.3 Risk Assessment 2. Break the process into manageable sections complex. Selection of which tool to use is a decision based on the
3.3.1 Risk Identification Tools suitability of the tool for the task and competency of the user in its use.
3.3.2 Risk Analysis Tools 3. Prepare a list of parameters and operations to be examined
4. For each section create deviations There are three elements to Risk Analysis:
3.4 Risk Control
3.4.1 Risk Reduction Tools 5. List and record causes for each deviation severity of event
3.5 Risk Communication Tools 6. List and record consequences for each cause frequency of occurrence
3.6 Risk Review Tools detectability of risk
7. List and record safeguards or controls that may prevent either the 53
Filtering for Contractor management cause or the consequence
Appendix 2 -Worked example: Medical Device Not all tools account for the detectability of the risk. The use of any
8. List any future actions or recommendations that should be
Appendix 3 - Worked example: Supplier Audit implemented particular tool is dependent on the objectives of the Risk Management
Priority using Risk Assessment programme and doesnt detract from the power of some of the simple
tools applied correctly such as ranking and filtering. This is a very
3.3.2 - Risk Analysis Tools powerful, simple technique similar to Failure Mode and Effect Analysis
Glossary This section describes some of the tools that are useful for assessing the (FMEA) and can be very successful when used appropriately. Some of
identified risks for their level of impact at the Risk Analysis stage of the the tools given can be used in combination to produce a hybrid set of
Bibliography tools e.g. HACCP and FMEA.
Risk Management process.
Some tools included are: The more complex tools may be applied when more information is
Simple Tools: available and there is knowledge and confidence to use more advanced
and specific tools for Risk Management.
Control charts
Pareto charts
Risk ranking and filtering

Foreword
Simple Tools - Control Charts data falling outside these limits indicates the process is statistically out
Structure & Acknowledgements of control and that a special cause of variation exists
Overview:
Contents Control charts are simple charts used to determine if a process is in a
state of statistical control or not. Perhaps the best known control chart Often the lines depicted as Upper Warning and Lower Warning Limits
is the Shewhart Chart. This simple chart allows special cause variation (UWL and LWL) are set at the mean +/- 2 standard deviations. These
to be differentiated from common cause (natural) variation, and can aid lines are referred to as warning limits and data falling between these
General Introduction limits and the control limits can be indicative of a process approaching
prediction of the future state of the process. It is this characteristic of the
Shewhart Chart that makes it a useful tool in analysing risks associated a statistically uncontrolled state. Inclusion of these warning limits aids
with a process. detection of trends, variation, bias or change, e.g. a number of points
Risk Management Process above or below the mean or a set of consecutive points showing a
Some advantages are: decreasing or increasing trend.
reasonably simple method to master Over the years organisations have developed rules to aid detection of
3.2 Approach to Implementation requires few resources modern statistical software generates it in trends and special cause variation. In Risk Analysis, data that indicates
3.3 Risk Assessment seconds trends, special cause variation, a breach of warning or control limits, are
3.3.1 Risk Identification Tools data that may be pointing towards hazards and associated risks with /
3.3.2 Risk Analysis Tools high visual impact in determining trends, patterns or state of control
within a process. ICH Q9 briefing pack
personnel require little training
3.4 Risk Control
3.4.1 Risk Reduction Tools statistically based
3.4.2 Risk Acceptance Tools Pareto Charts
Some of the disadvantages are: Overview
The Pareto principle (also known as the 80-20 rule), states that for many 54
Appendix 1 - Worked example: Ranking and limited to processes that comply with the statistical model (normal
distribution) events, approximately 80% of the effects come from 20% of the causes.
A Pareto chart is the graphical representation of data, containing a bar
is only a statistical tool, requires the use of an additional tool for Risk
Appendix 3 - Worked example: Supplier Audit chart and a line chart in one diagram.
Priority using Risk Assessment Assessment to be completed
will highlight potential special cause variation being present but will not Some advantages are:
identify why it is present (root cause)
reasonably simple method to master
Glossary requires a statistically significant number of data points to provide
requires few resources modern statistical software generates
useful information
Bibliography charts in seconds
may be biased by error in the measurement method used for the data
high visual impact
being analysed
aids minimising effort for maximum benefit
there is no way of measuring risk as a detectable event
based on scientifically sound statistics
Use of Control Charts combined with ALARP (see page 62) or similar tool may be used for
A control chart has a number of common features: determining risk tolerance levels
the central line represents the mean for the data set
the Upper Control Limit (UCL) and Lower Control Limit (LCL) lines
represent limits of the mean +/- 3 standard deviations and are referred
to as the control limits

Foreword
Some disadvantages are: high visual impact allowing the easy ranking of risks against their
Structure & Acknowledgements outcomes, leading to a view of the risk as high, medium or low, which
the basic underlying mathematics may result in a low frequency
hazard with a high impact (therefore an unacceptable risk) being aids the targeting of resources to minimise high risks
Contents
ignored permits the setting of targets for Risk Reduction in specific areas
limited use where individual factors are evenly frequent or significant can handle significant amounts of data
General Introduction is only a statistical tool, requires the use of an additional tool for Risk can be used for situations when the risks and underlying
Assessment consequences are diverse and difficult to compare using a single tool
data may be easily biased by selection of incorrect weighting factors based on the principles of cause and effect
doesnt reflect consequence unless a factoring or a weighting applied allows quantification of soft data in a usable format
Risk Management Toolbox which has to be validated can be simple or more complex as the situation requires
3.1 Introduction to the Toolbox no way of measuring risk as a detectable event can be used to provide many levels of risks (e.g. very low, low,
medium, high, very high)
3.3 Risk Assessment Use of Pareto Charts
The left hand vertical access represents a parameter frequency for Some disadvantages are:
3.3.3 Risk Evaluation Tools the subject being analysed. The right hand vertical axis represents
the cumulative percentage of the occurrences of that parameter. The has limitations in discrimination where individual factors may be
3.4 Risk Control
3.4.1 Risk Reduction Tools horizontal axis represents the categories of parameter under analysis and evened out by frequency or significance
3.4.2 Risk Acceptance Tools represents each in the form of a bar chart in order of decreasing values. data may be easily biased by the level of filters selected
3.6 Risk Review Tools consequences should be fully recognised
Appendix 1 - Worked example: Ranking and This tool can be used in Risk Assessment to set an agreed tolerance 55
Filtering for Contractor management level. However the level set is not based on tolerable risk but focuses on detection of risk has to be built in as it assumes that all risks are
Appendix 2 -Worked example: Medical Device resource and effort where improvement and risk migration actions will detectable events
Appendix 3 - Worked example: Supplier Audit provide the greatest cost benefit. Such an approach is possible when
Priority using Risk Assessment combined with ALARP principles to identify and target exposure to risk. Use of Risk Ranking and Filtering
ICH Q9 briefing pack The technique works by assigning values to probability of occurrence
and the severity of the outcome to give a two-dimensional view. In its
Glossary simplest form, a risk that is present but highly unlikely to occur has a
Risk Ranking and Filtering low probability with a score of 1 assigned. Account should also be taken
Bibliography Overview of what the consequences would be if the risk did become reality i.e.
Risk Ranking is a method used to compare risks and typically involves severity. If the consequences were severe in effect then this would be
evaluation of multiple quantitative and qualitative factors for each assigned a severity of high with a score of 3. This translates as a risk
identified risk, e.g. weighting factors and risk scores. This in its simplest score 1 x 3 = 3 (medium).
form leads to a two-dimensional diagram of probability of occurrence
measured against the severity of the consequences if it did occur. This For each identified risk the probability and severity are multiplied to give a
technique is widely used in health and safety Risk Management. risk score, with 1 as the lowest and 9 as the highest score in the simplest
model illustrated on the next page. Once scored, the risks can be ranked
Some advantages are: and a risk score assigned for each identified undesirable event. The
weightings for severity and frequency can be modified to give a different
reasonably simple
spread of risk depending on the application and focus required.
requires few resources

Foreword
In Table 9 (below left), a score of 1 for Low, 2 for Medium and 3 for High
Structure & Acknowledgements High 3 6 9 is used for the Probability and Severity of an individual risk / hazardous
Increasing probability
of an error or failure
event occurring, with thresholds of 3 and 6 as risk boundaries. More
Contents
Medium 2 4 6 complex models with 5 or more levels can be used. This allows for
ranking for immediate action or finer discrimination. However within some
situations, even remote risks are unacceptable with outcomes such as
General Introduction Low 1 2 3 serious injury or patient death.

Low Medium High Examples of unacceptable consequences:
Risk Management Process 1. Purchasing adulterated Glycerine (contained propylene glycol) resulted
Increasing severity of consequences
in product being contaminated with unexpected material, with routine
Risk Management Toolbox as a result of an error or failure
tests not being sufficiently sensitive to easily detect the contaminant at
3.1 Introduction to the Toolbox low level. This has occurred several times in the 20th century including
3.2 Approach to Implementation Table 8: The basic risk versus consequence table an incident in the 1990s for a cough product sold in Haiti where
3.3 Risk Assessment
approximately 60 children died as a result.
3.3.2 Risk Analysis Tools 2. In 2009, baby milk powder was adulterated with Melamine in Asia.
3.3.3 Risk Evaluation Tools Table 8 (above) depicts a simple risk versus consequence matrix.
Melamine is used to increase the nitrogen content used as a generic
3.4 Risk Control This leads to the following ranking of a series of identified hazards or
indicator for the protein content. Several hundred babies suffered
3.4.1 Risk Reduction Tools undesirable events into a level of risk within a process. The score can
3.4.2 Risk Acceptance Tools kidney failure as a result and some died.
be ranked in a tabular form or a Pareto Chart for the next stage of risk
evaluation and decision making. It is important to note that regulators
3.6 Risk Review Tools An example where the technique of risk ranking has been developed 56
Appendix 1 - Worked example: Ranking and consider Severity as more important than Probability in terms of patient
further and applied in supply chain management of contract
Filtering for Contractor management harm, so it is important to think about the impact during assessment.
Appendix 2 -Worked example: Medical Device manufacturers is given in Appendix 1 of this Part.
In addition, a worked example is given as Appendix 3 of this Part,
Potential Risks / Risk Analysis Risk Evaluation illustrating where risk ranking may also be used as a tool in prioritising
Supply Chain Examples hazards (from Risk work. Risk Assessment is increasingly utilised in the selection of suppliers
Identification stage) Probability Severity Score and sites for re-audit / re-assessment based on a risk scorecard or for
Glossary comparing the same risks at various suppliers.
Event 1 Low (1) High (3) Med (3)
Bibliography
Event 2 Med (2) Low (1) Low (2)
Complex tools
Event 3 Med (2) Med (2) Med (4)
Preliminary Hazard Analysis (PHA)
Event 4 Med (2) High (3) High (6)
Event 5 Low (1) Low (1) Low (1) Overview
PHA applies prior experience and knowledge of a hazard or failure to
Event 6 High (3) High (3) High (9)
identify future hazards or failures. It can be performed in a manner very
Event 7 Low (1) Low (1) Low (1) similar to Risk Ranking and Filtering. In terms of complexity it is an
intermediate tool and may be harnessed to the more complex tools in
Table 9 Risk Ranking Score this section, e.g. as a precursor to the use of FMEA or HACCP tools, as it
determines the potential for harm.

Foreword
Some advantages are: The thresholds between frequencies or severity can be defined using a
Structure & Acknowledgements scaling system. For example in frequency of occurrence:
uses other risk tools such as ranking and filtering
Contents prioritises hazards Remote = 1 incidence every 20 years or in a very large number of
useful when analysing existing systems where there is little deliveries or batches.
information, knowledge, design details, or operating procedures Occasional = 1 incidence every 5 years.
General Introduction Probable = 1 incidence every 2 years.
can be used on product, process, or facility design
Frequent >/= 1 incidence every 6 months.
Supply Chain Considerations permits the setting of risk thresholds for risk reduction in specific areas
Risk Management Process visual impact These thresholds are set based on the process the technique is applied
to and as information increases, should be reviewed for effectiveness.
allows quantification of soft data in a usable format
3.1 Introduction to the Toolbox The following rules can then be applied from ALARP principles (See
3.2 Approach to Implementation ALARP Principles):
3.3 Risk Assessment provision of preliminary information only
High Risk should be reduced if possible or avoided
data may be easily biased by selection of filter levels
3.3.2 Risk Analysis Tools Intermediate Reduce risk to As Low As Reasonably Possible
3.3.3 Risk Evaluation Tools does not measure levels of detection of an event (ALARP) principles or otherwise termed As Low As Reasonably
3.4 Risk Control
3.4.1 Risk Reduction Tools requires additional follow up Achievable (ALARA)
3.4.2 Risk Acceptance Tools Low Reduce risk according to ALARP principles considering cost vs.
3.5 Risk Communication Tools Use of PHA benefit criteria or determine if it is an acceptable risk
As in Risk Ranking, the technique works by assigning values to 57
Appendix 1 - Worked example: Ranking and Very Low Generally acceptable level of risk with no further action
Filtering for Contractor management probability of occurrence and the severity of the outcome using key words
required
Appendix 2 -Worked example: Medical Device (see Table 10 (below)).
Appendix 3 - Worked example: Supplier Audit This can then be tabulated and hazards with their current or future risk
Priority using Risk Assessment A hazard that is present but which is highly unlikely to occur has a
controls identified (see Table 11 following page).
remote probability of occurrence when rated against its severity and if the
Supply Chain Examples consequences are negligible then the rating is that of a very low risk. It
leads to a simplified automatic Risk Evaluation.
Glossary
Bibliography
Frequency of Severity
Occurrence Negligible Minor Major Severe
Frequent Low Risk Intermediate Risk High Risk High Risk
Probable Low Risk Intermediate Risk High Risk High Risk
Occasional Very Low Risk Intermediate Risk Intermediate Risk High Risk
Remote Very Low Risk Low Risk Intermediate Risk Intermediate Risk
Table 10 - Example of a PHA matrix for assigning the Risk status for an identified hazard

Foreword
Structure & Acknowledgements Identified hazards for Supplier
Contents Investigational Frequency

Hazard Severity Risk and Hazard Rating
/ Control in place (previous history)
Identity test,
Wrong Material Severe Remote Intermediate
General Introduction Documentation & audit
Late delivery SOP Major Remote Low
Additional Hazards
Table 11 - Example of a partial PHA matrix for a materials supplier
3.3 Risk Assessment
Fault Tree Analysis (FTA) Some disadvantages are:
3.4 Risk Control Overview narrow focus only identifies causes associated with the
3.4.1 Risk Reduction Tools FTA was developed in the 1960s in Bell Laboratories as an analytical predetermined hazard or event being analysed
logic technique. It is a deductive method (top down) to identify all requires a significant amount of information to use effectively
3.6 Risk Review Tools root causes of an assumed failure or problem. The method evaluates
system / sub-system failures one at a time, but can combine multiple if the system is complex it can be very resource and time intensive 58
Filtering for Contractor management causes of failure by identifying causal chains. FTA relies upon process to quantify the information requires significant expertise and the results
understanding to identify causal factors. depend on the training, skill and experience of the analyst
Priority using Risk Assessment Some advantages are:
Use of Fault Tree Analysis
Supply Chain Examples strength is a measure of how controls fail
A fault tree analysis can be conducted by taking the following steps:
provides a visual map of paths to failure
Glossary 1. Define the undesired event to analyse
uses logic gates (and / or) to analyze root causes
Bibliography 2. Obtain an understanding of the system / process
identifies multiple events leading to an end result and identify common
3. Construct the fault tree
cause events with resulting safeguards against the same mistakes
4. Analyse the fault tree determine here what hazards have a direct
can handle complex processes
or indirect effect on the outcome of the system / process and which
captures and retains process knowledge for the organisation hazards / risks need most focus

Foreword
Hazard Analysis and Critical Control Points (HACCP) Use of HACCP
Structure & Acknowledgements In preparation for HACCP the following prerequisites are required:
Overview
Contents HACCP was developed in the early 1970s by NASA as part of a food 1. Assemble a team of relevant experts
safety initiative for astronauts using science-based controls to prevent 2. Describe product / processes in detail
hazards that could cause food-borne illnesses. It is well established as a
requirement within the food industry, whilst its application is increasing in 3. Identify intended use / objectives
other industries including pharmaceutical. Its objective is to reduce any 4. Construct detailed process flow diagram Open Process Map
Supply Chain Considerations emphasis on testing for failure at the end of a process when it is more
5. Confirm the flow diagram and level of detail
difficult to detect.
HACCP is a seven step process that provides for both Risk Assessment
Some advantages are:
Risk Management Toolbox and Risk Control. In essence it is a detailed process flowchart map for
it caters for both Risk Assessment and Risk Control in one tool, as manufacturing from raw materials to finished product and testing, with
it identifies the Critical Control Points (CCP) in a process. It is also each identified critical control point on the flowchart identified. It is often
3.3 Risk Assessment useful in the Risk Reduction phase extended into the supply chain and also projected to the end user. The
may be used as an overall Risk Management tool for the supplier seven steps are as follows:
management process 1. Conduct hazard analysis
3.4 Risk Control captures and retains product and process knowledge for an A hazard is defined as the potential to harm the consumer (safety
organisation and for pharmaceuticals also efficacy) or danger to the product
3.5 Risk Communication Tools safeguards against repeat error (reactive analysis) and facilitates rapid (contamination).
3.6 Risk Review Tools detection and correction as a quick reference for problem solving In considering hazard analysis, all hazards should be listed that
59
Filtering for Contractor management may be used to test a suppliers processes reasonably may occur from incoming materials, production, testing,
Appendix 2 -Worked example: Medical Device distribution up to point of use. Hazard analysis identifies which hazards
Risk Assessment using a Simplified FMEA proactive are such that elimination or reduction to acceptable levels is essential.
Priority using Risk Assessment can handle a large amount of data It is advisable to separately identify quality, safety and business risks.
can be used for situations when the hazards / risks and underlying Note: FMEA (see following page) may be used as an appropriate
Supply Chain Examples hazard analysis tool.
consequences are diverse and difficult to compare using a single tool
Glossary emphasises the detectability of a risk 2. Determine critical control points (CCP)
A critical control point is defined as a stage in the manufacturing
Bibliography
process (including all raw materials), which, if not controlled correctly,
Some disadvantages are: will cause a threat to safety or a contamination issue. Having identified
designed for evaluating manufacturing processes and often used for the hazards on the flowchart, determine if there are any stages which
contamination risks compensate for earlier hazards or for those that have no critical
controls (if there is a need to install controls at these points).
it has to be modified for other applications
3. Establish target levels and critical limits
requires combination with other tools to quantify and categorise level
of risks Specify critical limits for each CCP. Typical criteria for measurement
could be temperature, time, etc or subjective criteria. Data should be
requires resource and preparation to carry out
scientifically based and more than one limit may be necessary for a
may require external training CCP.

Foreword
4. Establish a system to monitor critical control points once performed it provides a quick reference for problem solving and
Structure & Acknowledgements is easily updated
Monitoring should detect loss of control at a CCP and should be
Contents recorded. Real time monitoring enables timely response to trends and minimises unforeseen failures
prevents deviation from the limit. allows for qualitative data to be converted to semi-quantitative
5. Establish corrective actions when critical limit deviation occurs information for input
General Introduction 6. Establish a record keeping system can be utilised for quantitative and semi-quantitative information to
7. Establish procedures to verify that the HACCP system is working produce a near-quantitative result
correctly
Risk Management Process Some disadvantages are:
Its common use is to identify and manage physical, chemical and requires significant information for input into the tool
biological (including possible sources of microbiological) contamination it is not quick to develop or perform
3.1 Introduction to the Toolbox related risks in a process, which may well be a mapped current supply
chain or a production process, and also assess the impact of any change. limitations in assessing where there are multiple risks involved
3.3 Risk Assessment
3.3.1 Risk Identification Tools it is a complex tool requiring significant user competency and training
3.3.2 Risk Analysis Tools From a supply chain perspective it can look from customer through tiers for effective and efficient use
3.3.3 Risk Evaluation Tools to the base supplier or as part of the whole process flow of components
the number scales are not obtained by direct measurement and the
3.4 Risk Control to final product.
3.4.1 Risk Reduction Tools output may be misinterpreted as purely quantitative when in reality is
3.4.2 Risk Acceptance Tools not fully quantitative
Failure Mode and Effects Analysis (FMEA) the three components of the RPN; likelihood, severity and detectability
Appendix 1 - Worked example: Ranking and are not all equally weighted, and likelihood and detectability are 60
Overview
Filtering for Contractor management inversely related
Appendix 2 -Worked example: Medical Device FMEA has its origins in the military in the 1940s and, with its later
Risk Assessment using a Simplified FMEA extension Failure Mode Effects and Criticality Analysis (FMECA), FMEA over analysis can lead to paralysis
Appendix 3 - Worked example: Supplier Audit is often used in the automotive industry with success as a suitable Risk
Analysis tool. Use of FMEA
Supply Chain Examples FMEA uses the evaluation of identified potential failure modes
Some advantages are: for processes, and the likely effect of outcomes and / or product
Glossary performance. Once these failure modes are identified, Risk Reduction
identifies the points of potential failure for a given process or product
can be used to eliminate, reduce, or control potential failures. It relies
Bibliography a formatted analysis tool suitable for use in other processes e.g. upon product and process understanding.
HACCP or as a stand alone tool
provides structured and sensitive scoring with a Risk Priority Number The output is a relative risk score for each failure mode as a structured
(RPN) with relativities between risks visible score with a RPN. The calculation of the RPN for a failure mode is
Severity x Likelihood of Occurrence x Detectability.
helps communication and builds trust across different functions and
interfaces
Severity (S) what is the consequence with a number assigned in the
can ignore failure interactions range 1 to 10 with 1 being of minimal impact and 10 being the most
has risk detection as an inherent part of the process disastrous impact.

Foreword
Structure & Acknowledgements Before Action After Action(s) taken
Contents
Occurrence
Occurrence
Risk Score
Risk score
Detection
Detection
Severity
Severity
General Introduction Failure Effect of Potential Current Recommended
Risk
Mode Failure causes controls action

3.3 Risk Assessment
3.3.2 Risk Analysis Tools Table 12 - A typical blank FMEA table
3.4 Risk Control
Likelihood (O) is the Probability of Occurrence with a number assigned This tool also accounts for detection of the risk event. Thus if an event
in the range 1 to 10 with 1 being a probability of near zero of occurrence is easily detectable, then the risk is lower than if it is not detectable at all 61
Filtering for Contractor management and 10 reflecting that it will routinely always occur. until after the full impact is realised. Thus Likelihood and Detectability are
Appendix 2 -Worked example: Medical Device considered inversely related.
Probability of Detection (D) of the occurrence of a risk event in the range
Priority using Risk Assessment of 10 to 1 with 10 as undetectable if it occurred to 1 as highly visible. This approach provides priorities for action with risks with large RPN
prioritised first and smaller RPNs later if there is determined a need for
Supply Chain Examples Some interpretations of FMEA require the 3 criteria to have a number action. Table 12 (above) is an example of a typical FMEA table layout.
Glossary assigned depending on the basis of high, medium or low (with sub- An example of the use of FMEA in the medical device industry is given in
sets within). Assignment of high, medium or low should be applied Part 3, appendix 2. Open Example
Bibliography consistently. When following these models care should be exercised, as
severity does not carry the same weighting as Likelihood and Detection.
It has been advised for a RPN to then use a 3, 2, 1 weighting scheme Failure Mode, Effects and Criticality Analysis (FMECA)
with Severity as 3 (highest) and Detectability as 1 (lowest). Overview
FMECA extends FMEA to incorporate the degree of criticality to the
Cautionary note: These scales are invented to assist prioritisation. severity of consequences and the respective probability / detectability
The numbers are not obtained by direct measurement and have led to of each consequence. Product and process specifications should be
some organisations inappropriately expecting fixed threshold limits for established to utilise FMECA.
acceptable / unacceptable RPNs. This has caused FMEA teams to adjust
the Severity, Likelihood or Detection values to achieve RPNs above or Typically used in failures, and risks associated with manufacturing
below the threshold. processes. It has the similar strengths and limitations as FMEA. There
are other variations for other tasks.

Foreword
3.3.3 - Risk Evaluation Tools Some disadvantages are:
This is part of Risk Assessment that enables data to provide for a yes or an organisation may use inappropriately low targets to set acceptance
Contents no decision. Some of the analysis tools will generate a level of risk which criteria on grounds of perceived investment required.
requires evaluation for the risk acceptance decision and establish the
criteria why a risk may or may not be acceptable. It may also establish The practice of ALARP
the residual risk level. Either risk is then deemed acceptable or Risk The ALARP principle is that the residual risk shall be as low as
Reduction has to be applied. reasonably practical. To apply the principle it should be possible to show
Supply Chain Considerations that the investment or practicality would be grossly disproportionate to the
Some tools included are: benefit gained. The principle arises from the fact that infinite resources
Risk Management Process (time, money, effort) could be used to try and reduce a risk that is not
ALARA / ALARP
achievable realistically. It is not a simple quantitative measure of benefit
Risk Management Toolbox Carrot Diagrams against detriment. It is interlinked to the assessment of whether a risk is
Brainstorming (page 46) tolerable and / or controllable. If so the resulting level of residual risk has
3.2 Approach to Implementation to be accepted.
3.3 Risk Assessment Pareto analysis (page 54)
3.3.2 Risk Analysis Tools In determining that a risk has been reduced to ALARP, an assessment
The tools used for Risk Evaluation are fewer and focus on justifying
3.3.3 Risk Evaluation Tools of the risk to be avoided should be carried out and compared with the
the level below where little or no actions are appropriate. However it is
3.4 Risk Control actions involved in taking measures to avoid that risk totally.
3.4.1 Risk Reduction Tools always advisable, if resources allow, to take simple, often low cost steps
3.4.2 Risk Acceptance Tools to reduce identified residual risks until they become negligible.
Risk Threshold examples:
3.6 Risk Review Tools High risk should be reduced if possible or avoided 62
Filtering for Contractor management ALARA & ALARP Intermediate reduce risk to ALARP
Appendix 2 -Worked example: Medical Device Overview
Risk Assessment using a Simplified FMEA Low reduce risk according to ALARP principles considering cost
Appendix 3 - Worked example: Supplier Audit Risk Management has been widely practised in the field of nuclear versus benefit criteria or determine if it is an acceptable risk
Priority using Risk Assessment medicine and the nuclear industry, from which the principles of ALARA
(As Low As Reasonably Achievable) were developed for safety of Trivial generally acceptable level of risk with no action required
Supply Chain Examples personnel from exposure to excessive levels of radiation. It is more
Glossary commonly referred to as ALARP (As Low As Reasonably Practical) in the
UK from UK Health and Safety legislation.
Bibliography
residual risk is known and the basis of the acceptance of the residual
risk is clearly defined
baseline established of what can be achieved versus effect, available
resources, and technical capability, investment requirements and level
of technology

Foreword
Carrot Diagram
Overview
Contents A carrot diagram is often used to visually display risks and place in
tolerable or intolerable regions (see Figure 10 below).
Advantages:
simple tool to use
visual presentation to enable clear decision making
Risk Management Process sets a zone of tolerable and residual risk
Disadvantages
3.2 Approach to Implementation Requires knowledge to set the tolerable regions and placement of risks
3.3 Risk Assessment
3.3.1 Risk Identification Tools Process in use
3.3.2 Risk Analysis Tools The high risks (to be reduced) are at the top and the low risks at the
bottom. The middle risks may be described as the tolerable region as the
3.4 Risk Control
risks are not insignificant but not practically reduced.
63
Increasing individual risks and societal concerns
Appendix 2 -Worked example: Medical Device Unacceptable

Risk Assessment using a Simplified FMEA region
Glossary
Bibliography Tolerable
region
Broadly acceptable
region
Figure 10 Carrot diagram

Foreword
Contents

3.4 Risk Control
Risk Management Toolbox Risk control encompasses the two phases of Risk Management
Risk Reduction and Risk Acceptance
3.3 Risk Assessment
3.3.1 Risk Identification Tools Risk acceptance may be accomplished without risk reduction however an organisation should always endeavour to maximise risk benefit by reducing
3.3.2 Risk Analysis Tools risk to a minimum.
3.4 Risk Control

3.4.1 Risk Reduction Tools Risk Management is a proactive process in addressing risk before
it occurs. However in terms of Risk Reduction, knowledge and
3.5 Risk Communication Tools This section describes some of the tools that are useful for assessing
understanding of the risk enables the appropriate action to be taken to
3.6 Risk Review Tools what controls or actions should be put in place to reduce the occurrence 64
Appendix 1 - Worked example: Ranking and mitigate the risk (see CAPA following page).
or severity of a risk. Now that a risk is identified some retrospective
Appendix 2 -Worked example: Medical Device investigational tools are useful. It may be appropriate to use two or more
Risk Assessment using a Simplified FMEA tools used in combination. Tools included are as follows:
Appendix 3 - Worked example: Supplier Audit prevents recurrence through Risk Reduction actions focused on root
Priority using Risk Assessment Root Cause Analysis (RCA)
cause and not symptom effects
Supply Chain Examples Corrective Action and Preventive Action (CAPA)
demonstrates full understanding of the root cause and related events
The 4Ts
Glossary structures interrelated events
Risk avoidance strategy
provides a record
Bibliography
Brainstorming (see page 46)
retrospective and reactive
Root Cause Analysis
Overview assumptions may be taken leading to incorrect identification of the
Many of the tools described in 3.3 were initially developed as methods to root cause
determine the root cause(s) for events that have already occurred such training and knowledge is required to apply RCA effectively
as Fishbone Diagrams, Brainstorming etc. Others such as 5 Whys may
be found when studying Root Cause Analysis.

Foreword
Use of RCA Use of CAPA
Structure & Acknowledgements Basic steps to application of root cause analysis irrespective of the tool Essentially there are three elements to CAPA as shown in Table 13.
used are as follows:
Contents
1. define the risk to be reduced = output of Risk Evaluation Correction Correction of the effect of an event so as to bring
2. define potential root causes for this risk to occur the process, product or service back into a state
of compliance with the specification (reactive)
General Introduction 3. define which root causes if removed will prevent or reduce the risk
Corrective Implementation of an action to address the root
Supply Chain Considerations 4. implement risk reduction measures = address the root causes
Action cause of an event to prevent recurrence of that
5. document & observe the effect of implementing the Risk Reduction event in the future (reactive)
measures
Preventive Preventive action - action to eliminate the cause
Risk Management Toolbox 6. review and repeat as required Action of a potential nonconformity or other undesirable
3.1 Introduction to the Toolbox potential situation.
3.2 Approach to Implementation NOTE 1 There can be more than one cause for a potential
3.3 Risk Assessment nonconformity.
3.3.1 Risk Identification Tools Corrective Action and Preventive Action (CAPA) NOTE 2 Preventive action is taken to prevent occurrence
3.3.2 Risk Analysis Tools whereas corrective action is taken to prevent recurrence.
Overview
CAPA is a term used in Quality Management Systems such as The
3.4 Risk Control
International Organization for Standardization (ISO) and whilst used in a Table 13 Elements of CAPA
3.4.2 Risk Acceptance Tools variety of industries, it is often poorly understood. To use effectively after
3.5 Risk Communication Tools an event has occurred, RCA should be used in combination with CAPA In terms of Risk Reduction CAPA is a process that compliments other
3.6 Risk Review Tools techniques such as Root Cause Analysis. In order to utilise CAPA for Risk
65
Some advantages are: Reduction these basic steps should be followed:
Appendix 2 -Worked example: Medical Device prevents recurrence if applied effectively 1. define the risk to be reduced = output of Risk Evaluation or the RCA
Appendix 3 - Worked example: Supplier Audit provides a structured plan to address identified issues 2. define the appropriate action i.e. correction, corrective action,
Priority using Risk Assessment preventative action
provides for continuous improvement and effective use may result in
Supply Chain Examples proactive actions being taken 3. document the CAPA to be taken including, the responsible person(s)
and the timeline for completion
Glossary provides a record
4. implement the CAPA
Bibliography Some disadvantages are: 5. document and observe the effect of the CAPA implemented
retrospective for correction and corrective actions 6. review and repeat as required
not a stand alone tool
Risk Management aims to be a proactive approach. It is likely then that
training and knowledge are required to apply effectively and
once embedded in an organisations culture the majority of CAPAs being
understand the differences between Correction and Corrective and
implemented as Risk Reduction measures will be preventive actions
Preventive action
rather than corrections or corrective actions.
requires established standards and controls for a baseline to be set

Foreword
Mitigation strategy and actions based on the 4 Ts: Brainstorming
Overview This is a key tool to identify possible control actions for risk reduction.
Contents The four Ts are a useful technique in Risk Control. More detail is given in section 3.3.1. See Brainstorming
TREAT a risk to prevent it occurring or reduce its potential impact.

have processes in place that improve the control effectiveness 3.4.2 - Risk Acceptance Tools
Risk Acceptance is a stage that incorporates information from the Risk
the amount of effort to control risk should be proportional to the Evaluation and Control steps. It is the decision that risk is at a tolerable
significance of the risk level and sufficient, adequate controls are in place. When deciding to
Risk Management Process accept a risk there is still always no as a possible answer, causing
TRANSFER the risk to someone else a return to perform or improve risk reduction, so risk evaluation is
risk financing, insurance, contracting out, etc. interlinked to acceptance. This represents the approval of the results of
3.1 Introduction to the Toolbox Risk Evaluation and Control.
3.2 Approach to Implementation some of the impact of the risk is transferred, not the responsibility that
3.3 Risk Assessment the business has for managing the risk
Risk acceptance decisions are performed by the responsible and
3.3.2 Risk Analysis Tools accountable persons that should be defined at the start of the Risk
TERMINATE the risk i.e. stop doing whatever it is that is exposing the
3.3.3 Risk Evaluation Tools Management process such as in a RACI matrix Part 2 section 2.4, Table
business to the risk.
3.4 Risk Control 3. Clear decision making and documenting of those decisions is key here.
3.4.1 Risk Reduction Tools See RACI.
3.4.2 Risk Acceptance Tools TOLERATE the risk after deciding that the risk has been reduced to an
3.5 Risk Communication Tools acceptable level. See Risk Acceptance
66
Appendix 2 -Worked example: Medical Device Risk Avoidance Strategy
Overview
Priority using Risk Assessment Risk avoidance strategy is a risk reduction technique commonly exploited
in financial and business arenas. It involves the elimination of risk by
Supply Chain Examples avoiding the process or activity that carries the risk e.g. not using a supplier
so as not to have a future incident but has limited use in the manufacturing
Glossary
arena. It could be argued that this strategy is the safest option to avoid
Bibliography risk completely. In reality however it is difficult to take this approach to
many activities as this strategy would simply mean no process or no
product. Every risk avoided in this way is a loss in potential gain in terms of
business, profit, end-user benefit and / or customer satisfaction.
Risk avoidance is a practical and sometimes only viable approach to risk

reduction. However it should be applied cautiously to ensure the benefit
outweighs any alternatives.

Foreword
Contents

Risk Management Toolbox The method of communication depends upon what is being exchanged, audience / recipients (external or internal) and the importance of the
3.1 Introduction to the Toolbox information regardless whether it is if related to risk or other management activities. Table 14 (below) provides examples of some of the common
3.2 Approach to Implementation methods of communication.
3.3 Risk Assessment
Contracts: The most formal method is a business contract however this is normally the method of communicating legal and
3.4 Risk Control basic business expectations. A supplementary technical agreement is a regulatory requirement for organisations
3.4.1 Risk Reduction Tools to agree, control and define such matters as: communications, information flow, capabilities, regulatory
3.4.2 Risk Acceptance Tools requirements and expectations, duties and responsibilities; however the main sections of these can be very
3.5 Risk Communication Tools difficult to amend quickly.
67
Appendix 1 - Worked example: Ranking and Letter / memo: A formal communication normally reserved for agreeing or approving actions and expectations. It may contain
formal certificates, specifications, processes and other technical information.
E-mail: These may contain electronic copies of draft documents and scanned agreements, technical information,
Priority using Risk Assessment certificates etc, that may be used for agreeing, requesting or discussing information. This now takes the place of
a letter in most matters as well as being a vehicle for less formal communications.
Telephone: Ideas, arrangements, informal agreement and discussion. These may be added to by use of teleconferences,
Glossary internet meetings and video conferencing if appropriate to the task. Teleconferences are frequently used by
global organisations or where there are multiple sites that need to communicate. Although cost effective (i.e. no
Bibliography travel involved), it is good wherever possible to at least have periodic face to face meetings.
Fax: Normally considered as formal as a letter but its use is being replaced by the use of e-mail.
Internet: This is a way of advertising and a source of information however care should taken to verify information freely
available in this way.
Face to face meeting To exchange ideas, presentations, carry out audits and come up with assignments, actions and agreements.
Agreements and actions should formally recorded in minutes or a letter.
Minutes Formal records of any type of meeting (or conference) that includes decisions, agreements and actions. These
should be retained as documents in a quality management system for audit of a decision or review. An example
of this practice is the retention of meeting minutes for development and design of medical devices as part of the
device master file.

Foreword
Structure & Acknowledgements Presentations Including graphs, mapping and plans that may be shared to show general proposals and action points but these
reflect the author(s) ideas and situation progress. This is a common and visually effective way of quickly getting
Contents essential points across to explain a situation or proposal for a wider, possibly less knowledgeable, audience or to
get outline management approval. These do not normally include detailed plans.
Reports Reports are formal records which have been authorised and can be circulated both internally and externally.
General Introduction These can summarise the Risk Management activities performed and highlight decisions taken (mitigation,
acceptance and actions to acknowledge or respond to risks can be included).
RACI Responsibility diagram.
Risk Management Toolbox Table 14 Common Methods of Communication

3.3 Risk Assessment
3.4 Risk Control
68
Glossary
Bibliography

Foreword
Contents

Risk Management Toolbox Risk Review utilises techniques and tools to measure the success or failure A KPI is a key part of a measurable objective, and may be used as a tool
of the Risk Management process. Risk review is a monitoring process and in a bench marking process.
can use information drawn from measurement tools. There should also
3.3 Risk Assessment be a simple set of guidelines in a procedure set out as to how and when a
3.3.1 Risk Identification Tools review should be carried out. Examples of measurement tools are: Benchmarking
Performance metrics / Key Performance Indicators (KPIs) Overview
Benchmarking is the process of comparing the performance of a specific
3.4 Risk Control Bench Marking
3.4.1 Risk Reduction Tools process or method to another that is widely considered to be an industry
3.4.2 Risk Acceptance Tools standard or best practice. Essentially, benchmarking provides help in
3.5 Risk Communication Tools understanding where you are in relation to a particular requirement or a
3.6 Risk Review Tools Key Performance Indicators, Performance metrics
definition of success. The result often leads to changes in order to make 69
Filtering for Contractor management Overview improvements. Bench marking has been described as learning, sharing
Appendix 2 -Worked example: Medical Device Key Performance Indicators (KPI) are measures or metrics used to help information and adopting best practices to bring about step changes in
an organization define and evaluate how successful it has been in meeting performance. It has a subset of tools which can be adapted depending on
Priority using Risk Assessment targets, typically in terms of maintaining key areas of performance and what is being benchmarked: Improving ourselves by learning from others.
making progress towards its long-term goals.
Supply Chain Examples Benchmarking is used to measure performance using a specific indicator
KPIs can be specified by answering the question, What is really resulting in a metric of performance that is then compared to others. This
Glossary
important to different stakeholders? KPIs may be used to assess the then allows organisations to develop plans on how to make improvements
Bibliography present state of the process or business and to assist in prescribing a or adopt best practice, usually with the aim of increasing some aspect of
course of action. The act of monitoring KPIs in real-time is known as performance
business activity monitoring (BAM). KPIs are frequently used to value
difficult to measure activities such as the benefits of engagement, service, Benchmarking usually involves:
and satisfaction. regular comparison of functions / processes with best practice examples
The type and number of KPIs used differ depending on the nature of the identification of gaps in performance
the organization, the processes being monitored, industry requirements, exploring new ways of improving how things are done
outputs of the organisation and future strategy. They assist in evaluating introducing and using the improved processes
progress towards objectives, especially toward difficult to quantify
knowledge-based goals. However care should be exercised in specifying monitoring and reviewing of processes, measuring progress and
the correct parameters and their criticality. Too many indicators may beneficial outcomes
swamp the critical indicator that something is awry with a supplier.

Foreword
Contents

Appendix 1
Worked Example: Ranking and Filtering example for Contractor Management
This is a practical example of the use of risk ranking in supply chain Some elements can be easy to set given criteria. Some are subjective
3.3 Risk Assessment
3.3.1 Risk Identification Tools management for contract manufacturing. scores converted into figures.
3.3.2 Risk Analysis Tools The score for the individual element is the identified risk level
3.3.3 Risk Evaluation Tools A set of key parameters was determined from quality focused elements, multiplied by its weighting factor.
3.4 Risk Control where the probability of an undesirable event based on historical data
or possible undesirable events could occur. The consequences are The total cumulative score for Probability of event and the total
3.4.2 Risk Acceptance Tools cumulative score for Consequences is plotted onto a Risk Evaluation
3.5 Risk Communication Tools dependent on the product characteristics, regulatory requirements and
customer impact from an event. score matrix of the X Y plot with Probability the Y axis and
Appendix 1 - Worked example: Ranking and Consequences the X axis. Note this also converts some subjective 70
A series of criteria for use is required as follows: qualitative data into quantitative data. Please note that the axiss are not
Appendix 2 -Worked example: Medical Device of the same scale so cannot be a simplified into a single column table.
Risk Assessment using a Simplified FMEA To give defined boundaries between the 3 levels of risk, only the High
and Low Risk criteria are required to be defined. If the risk level is The Y axis is a business axis for Consequences of failure so key
greater than the Low level but doesnt meet any of the High risk criteria or large volumes are easier to highlight and therefore there is
Supply Chain Examples then the level of risk will be Medium Risk (defined as between High discrimination of low volumes or activities from activities with higher
and Low Risk). inherent risk. If a single axis is used then Consequences are not easy
Glossary to see and key risks factors are hidden.
A lack of adequate measurement or lack of data means that the
Bibliography risk defaults to High Risk until evidence of performance over time To maintain the Rank Ranking as being accurate and current this
(approximately one year in operation) can be collected. Thus any new should be regularly reviewed and have any new event factored in, in
supplier or gap in data defaults to High Risk in a given risk element. addition to a routine recheck frequency to monitor performance. The
assumption is that all risks are detectable.
The risk score for that risk element is the identified risk level multiplied
by a weighting factor. Not all the risk elements have the same degree
of risk or have the same level of consequences in the event of an
issue occurring. For example technical capabilities are weighted 1
against communications weighted 3.
Some elements are separated due to their importance.
Some areas are interrelated e.g. complaints, investigations and recalls.

Foreword
Risk*
Risk Element High = 5 Medium = 2 Low = 0.5 Weight Score
Contents cGMP Significant quantity and / or severity of regulatory observations Few or no regulatory observations
Compliance Adverse Regulatory Status (e.g., FDA Consent Decree, Severe or 3
History multiple Warning Letters, Official Action Indicated)
Quality System An Area of Special Concern Few Findings
Processes Several Major Findings CAPA on target per schedule
General Introduction Past Due CAPA items Audit closed on time
High number of deviations per batch Few to no deviations / significant deviations
Significant deviations No market related events 2
Supply Chain Considerations Multiple events requiring a major quality review Few to no reworks or reprocessing
Product recall and / or market actions
Significant reprocessing of manufacturing step indicating a
Risk Management Process requirement to change process step
Complaints Customer complaints as a result of significant failure of manufacturing Few or no complaints justifiable based on failure of manufacturing
Risk Management Toolbox controls and associated quality systems controls and associated quality system
2
Investigations Not thorough or poorly written, High quality investigations that are RFT,
3.1 Introduction to the Toolbox No or greatly inadequate Root Cause analysis Root Cause Analysis clear and effective
3.2 Approach to Implementation Not completed in a timely manner Well documented and written
Scope is not adequately defined Prompt response and timely completion 2
3.3 Risk Assessment The number, type & frequency of deviations suggest systemic cGMP Appropriate number of investigations
3.3.1 Risk Identification Tools and / or quality issues CAPAs are identified, implemented in a timely manner and are
CAPAs are not identified, are not effective or are well overdue effective
Probability of event
Change Changes are not communicated Changes are communicated in a proactive manner with complete and
Management Change control documentation is routinely incomplete and / or accurate documentation
3.4 Risk Control inaccurate Changes are implemented in a timely manner after the appropriate
3
3.4.1 Risk Reduction Tools Changes implemented without Client approval regulatory approval
Significant gaps with regulatory file / license due to contractor No gaps with regulatory file / license
3.5 Risk Communication Tools Quality / Supplier is not willing to accept Client terms in the Quality Agreement Supplier is in compliance with all the significant requirements of the
3.6 Risk Review Tools Technical Significant deviation(s) from the quality agreement Quality Agreement 2
Agreement No Quality Agreement or Quality Agreement not effective 71
Filtering for Contractor management Technical Older facility with poorly operating equipment Newer facility with contemporary technology and automation
Capabilities None or significant non adherence to maintenance schedule Highly capable, well-trained personnel
Appendix 2 -Worked example: Medical Device Lack capable personnel and high staff turnover Low staff turnover
Risk Assessment using a Simplified FMEA 1
Significant events due to technical & supply issues High volume (non necessarily Client company brand)
Appendix 3 - Worked example: Supplier Audit Infrequent volume - 3 or less batches per year Long-term experience with product
Priority using Risk Assessment Newer product - Less experience with product
Quality and Risk Lack of RFT throughout facility operations RFT environment
Culture Poor Risk Assessment (i.e., Quality Management is ineffective in Risk assessment is accurate (e.g., Science-based compliance
Supply Chain Examples assuring appropriate decisions) decisions)
Lack of continuous improvement (e.g., trending, CAPA) Quality Management applies appropriate control at the facility 3
Lack of internal audit and external supplier audit program Continuous improvement (e.g., trending, CAPA)
Glossary Financially unstable, low investment willingness Strong internal audit and external supplier audit program
Financially stable, demonstrated willingness to invest
Bibliography Supply Chain Broker in supply chain (Complex) material origin from area of high Supply of API from area of high quality regulatory control
Security concern Supply of excipients from area of high quality regulatory control
1
Supply of API from area of high concern Non complex supply chain
Supply of excipients from area of high concern
Communications Supplier deficient in reacting to and notifying X of deviations / changes All issues requiring notification to X are communicated in a timely
with X affecting X products manner per the appropriate agreement. 3
Difficult to visit, contact / liaise with. visits are readily accepted and communication lines smooth
Product Critical device or injectable / parenteral for X Non-registered products

Criticality or Highly potent narrow therapeutic range Tablets, capsules and topicals (Non sterile products and API)
Consequences
administration Controlled release pharmaceutical Not medically critical 4

of Risk
Life-saving product High Therapeutic Index

Sterile API for use in a non terminally sterilized Finished product
Supply Chain No or very limited product for supply No issues with supply of Product to markets
continuity Top value product (may have relative low volume) Non-critical product or market 5
Critical markets
Table 15: Risk elements and Risk Scorecard

Foreword
Structure & Acknowledgements Return to Page 61
Contents

Appendix 2 Example template
Worked Example: Medical Device Risk Product Description Wound management system
Assessment using a simplified FMEA Product / Process or Component(s) Complete assembly
3.2 Approach to Implementation analyzed
3.3 Risk Assessment
Intended Use(s) / Intended Purpose Treatment of chronic wounds
3.3.1 Risk Identification Tools This example defines the scope, the product, and the relevant
3.3.2 Risk Analysis Tools departments needed to provide input. It provides a way of recording the Participants: Quality management
assessment and allows traceability. See below the inclusion of questions (persons and organization) Regulatory affairs
3.4 Risk Control
3.4.1 Risk Reduction Tools for Hazard Identification, Clinical affairs
3.4.2 Risk Acceptance Tools Marketing
are there any similar products where lessons may be used or output
3.5 Risk Communication Tools Manufacturing
referenced?
External independent 72
Appendix 1 - Worked example: Ranking and how could it be misused? Research and Development
Appendix 2 -Worked example: Medical Device what can go wrong? Date:
Originator:
Signed & Date
Glossary Similar products / process used for None

identification of potential hazards
Bibliography
Potential misuses identified Use of secondary topical
treatments...
List of ALL hazards identified Does not function as intended...
(include a consideration of
hazards due to misuse and design
characteristics see table on the
following page for examples)
This list should be continually
reviewed and updated to include
new hazards identified during the
FMEA process.
Table 16 - Risk Management: Risk Estimation and Evaluation example header form

Foreword
Structure & Acknowledgements Evaluation

PART CHARACTERISTICS OF FAILURE / HAZARD Estimation
and Control
Contents
Effects of failure Risk Evaluation
Part Name Causes of
Function Failure Mode on Part / System Current Controls Po S Control (Accept
/# Failure
/ User / Reduce Risk)
Component X Device Active Does not Insufficient Delayed wound Process controls 1 3 Accept
Supply Chain Considerations Component function as component X healing Process validation
intended Maceration
Wrong device Single device size 1 3 Accept
version used for all applications
Wrong active Delayed wound Active component 1 4 ALARP
3.1 Introduction to the Toolbox component used healing characteristic
3.2 Approach to Implementation Infection controlled
3.3 Risk Assessment
in material
3.3.2 Risk Analysis Tools specification
Incorrect degree Delayed wound Processing 1 3 Accept
3.4 Risk Control
3.4.1 Risk Reduction Tools of mixing healing conditions
3.4.2 Risk Acceptance Tools controlled to give
3.5 Risk Communication Tools consistent mixing
Appendix 1 - Worked example: Ranking and Incorrect Delayed wound Instructions 2 3 ALARP 73
Filtering for Contractor management application healing For Use (IFU)
Risk Assessment using a Simplified FMEA included with
Appendix 3 - Worked example: Supplier Audit pack detailing the
Priority using Risk Assessment suitable types of
wound
Interference of Delayed wound IFU included 2 4 ALARP
Glossary
secondary topical healing with pack, use of
Bibliography treatment with Infection topical treatment
active component Misuse included in
warning section
Table 17 - Example Failure Mode And Effect Analysis (FMEA) / Design format
Po = Probability of Occurrence (Scale 1 to 5)

S = Severity (Scale 1 to 5)
Risk Assessment is a combination of the Severity and the Probability of Occurrence See Tables 18 and 19 on following page.
Detectability level in this example has not been assessed.

Foreword
Calculate / estimate the number of individual uses (or manufacturing operations) that would be required to cause one event of the hazard.
Contents OCCURRENCE RANKING PROBABILITY (Po) CRITERIA

REMOTE 1 LESS THAN 1 IN 500,000 (P<0.000002) FAILURE UNLIKELY
LOW 2 Up to 1 in 500,000 (P>0.000002) RELATIVELY FEW FAILURES
MODERATE 3 Up to 1 in 20,000 (P>0.00005) OCCASIONAL FAILURES
HIGH 4 Up to 1 in 2,000 (P>0.0005) FREQUENT FAILURES
VERY HIGH 5 Up to 1 in 20 (P>0.05) PERSISTENT FAILURES
3.1 Introduction to the Toolbox Table 18 - Example rankings for Risk Estimation
3.3 Risk Assessment
3.3.1 Risk Identification Tools Note: Probability is an estimate of the probability of the hazard reaching the user and causing harm. It should take into account Detectability.
3.4 Risk Control When possible it should be based on information from similar products, clinical results, scientific literature, etc.
EFFECT RANKING CRITERIA
MINIMAL 1 cosmetic or 74
Filtering for Contractor management no effect on product function
Risk Assessment using a Simplified FMEA SLIGHT 2 gross cosmetic defect or
Priority using Risk Assessment some effect on product function
Supply Chain Examples MODERATE 3 product performance compromised or

customer experiences temporary impairment of bodily function or body structure but does not
Glossary
require medical intervention additional to routine care
Bibliography MAJOR 4 potential compliance issue not resulting in field action or
the failure necessitates medical intervention by healthcare professional to preclude permanent
damage to body
SERIOUS 5 compliance issue resulting in field action or
the failure results in a complication that is life threatening
Table 19 - Severity Criteria for FMEA

Foreword
Structure & Acknowledgements RISK EVALUATION
Contents Severity
Occurrence Minimal Slight Moderate Major Serious
1 2 3 4 5
General Introduction Very high 5 ALARP ALARP Decision Decision Decision
Supply Chain Considerations High 4 ALARP ALARP ALARP Decision Decision
Risk Management Process Moderate 3 Accept ALARP ALARP Decision Decision
Risk Management Toolbox Low 2 Accept Accept ALARP ALARP Decision
3.1 Introduction to the Toolbox Remote 1 Accept Accept Accept ALARP Decision
3.3 Risk Assessment
Table 20 - Example of Two dimensional acceptance criteria chart for Risk Evaluation
If the ranking falls in the Accept region, there is no requirement to
3.4 Risk Control
3.4.1 Risk Reduction Tools conduct Risk Control activities.
3.4.2 Risk Acceptance Tools If the ranking falls in the As Low As Reasonably Practicable
(ALARP) region, risk control activities may not be required. However,
Appendix 1 - Worked example: Ranking and the rationale for concluding that no further mitigation is reasonably 75
Filtering for Contractor management practicable should be included.
Risk Assessment using a Simplified FMEA If the ranking falls in the Decision region, Risk Control activities
Appendix 3 - Worked example: Supplier Audit should be conducted.
In cases where the probability of occurrence is ranked 1 but it is
Supply Chain Examples considered to be extremely remote given the number of products
(i.e. an inconceivable event) and the severity is ranked 5, the residual
Glossary
risk remains in the decision region. Although a risk benefit analysis is
Bibliography required it does not need to be signed by the Heads of R&D, Global
Quality and Regulatory Affairs and Clinical Affairs.

Foreword
Contents

Appendix 3
Worked Example: Supplier Audit Priority Risk Assessment
3.3 Risk Assessment Company Name : Y
3.3.2 Risk Analysis Tools Location : Somewhere
3.4 Risk Control Material sourced : Bulk finished product for packaging
Low Medium High
3.5 Risk Communication Tools Route of Final product Topical Oral Parenteral
3.6 Risk Review Tools X
Administration 76
Critical Care No X Yes Yes
Previous supply history > 3 years < 3 years X None
Quality System Regulatory GMP X ISO 9001 or equivalent None
Supply Chain Examples Type of operation Service (no material) Repackager Manufacturer X
Glossary Country of operation EU / US Developed rest of World X Developing rest of the world
Bibliography Number of products on site Single Multiple Multiple with high potency or
X
sensitivity
Previous audit < 3 years >3 years X None or > 5 years
Supplier rating (A) (B) Unapproved or (C) major X
Approved no issues Approved some minor issues issues
API No X Not applicable Yes
Sole / strategic source Not applicable X No Yes
Weighting factor Total x 1 4 Total x 2 5 Total x 3 2
Table 21 - An Example of a Simplified Application to Set Audit Priority of Suppliers based on Perceived Risk (adapted from GMP Review Vol. 2, No. 4, Jan 2004)

Foreword
Total Score = a summation of all the scores in the individual columns
Structure & Acknowledgements multiplied by the weighting factor and then the 3 scores added together
(Low + Medium + High totals) to give a final risk score.
Contents
Total score = 4 + 10 + 6 = 20
General Introduction This example gives a score that can be used as a risk level for
comparison in a scoring system, to prioritise frequency of visits against
other suppliers, including maximum deadlines for the next visit. The full
Risk Management Process model should be more searching in requirements and incorporate a Risk
Evaluation of audit duration and minimum objectives for the audit. A more
Risk Management Toolbox detailed example may be found on the MHRA website as the basis for
3.1 Introduction to the Toolbox regulatory audits performed according to a Risk Assessment.
3.2 Approach to Implementation MHRA reference
3.3 Risk Assessment
3.4 Risk Control
77
Glossary
Bibliography

Foreword
Contents

Supply Chain
4.1 Product Contamination
4.2 Management of Second Tier Suppliers
Examples
4.3 Verification of Artwork Part 4
4.4 Warehouse Operations & Pest Control
4.5 Temperature Controlled Transportation
4.6 Change Control - Process
4.7 Fraudulent Activities in the Supply Chain
4.8 Errors in Proof Reading
4.9 Change Control Source of Material 4.1 Active Pharmaceutical Ingredient (API) Supplier 78
4.10 Implementation of a New Process
4.11 Multiple uses of a Material
Product Contamination
4.12 High Bioburden
4.13 Inconsistent Analytical Results
4.14 Continuity of Supply Scenario: 20%. The contaminant was not detectable using the standard testing
4.15 Lack of Formal Contracts procedures already in use.
4.16 Effect of Global Supply Chains Between November 2007 and February 2008 there was an increase in
4.17 Effect of not knowing all the links in a the number of recorded deaths following injection of heparin. The US The supply of heparin was severely interrupted throughout the world
Transport Chain
regulator Food and Drug Administration (FDA) focused on the supply and stock was in very short supply.
4.18 Raw Material Source of Origin
of multi-dose and single-dose vials of heparin sodium produced by a FDA found several breaches in compliance and contamination of
4.19 Reuse and Potential Infection
global pharmaceutical company. heparin relating to inadequate processing, testing and equipment.
Glossary As a result the organisation initiated a product recall of the heparin Further it was established that the heparin came from an undisclosed
products. manufacturer which had since closed down.
Bibliography
FDAs investigation led them to suppliers of the API which had been This heparin had been through several wholesalers and been
manufactured in China. Subsequently, several other companies were repackaged within the supply chain.
found to have made or handled products contaminated with a heparin- Other customers using this material had to initiate internal
like compound. At least ten Chinese Companies were involved in the investigations, introduce new test methods and further risk
supply chain for contaminated heparin. assessments of their existing heparin supply chain to determine the
Using a new and sophisticated test method, the contaminant was impact for them of this situation, including similar risks.
identified as a large molecule similar to heparin and was found in Reference to FDA investigation
samples tested, and levels found in the API were between 5% and

Foreword
Learning points:
This case demonstrates how important it is for the accountable
Contents organisation to understand in detail the sources and the supply chain
for raw materials and active ingredients. This includes knowledge of
proceedings at all wholesalers and re-packagers in the supply chain. It
General Introduction is especially important in less regulated countries.
The accountable organisation should be sure of the standards that
suppliers might claim to operate, and might be able to demonstrate
Risk Management Process from time to time, are actually being practised all of the time.
The supplier at the very start of the supply chain may be unaware of
the application to which their material may ultimately be used. For
Supply Chain Examples example, the company who extracts the heparin from pigs (source of
heparin) may not have any idea that the end point of their work is a
life-saving anticoagulant drug. They are unlikely to be aware of GMP
4.3 Verification of Artwork or be in a position to practice it.
The accountable organisation is responsible for the product and as
such has a duty to ensure that the quality of materials and supply
4.7 Fraudulent Activities in the Supply Chain chain security are maintained through a programme of supplier
4.8 Errors in Proof Reading assurance involving the necessary key stakeholders.
4.9 Change Control Source of Material
79
4.12 High Bioburden
4.14 Continuity of Supply
4.15 Lack of Formal Contracts
4.16 Effect of Global Supply Chains
4.17 Effect of not knowing all the links in a
Transport Chain
Glossary
Bibliography

Foreword
Contents

4.2 Plastics Supplier
Management of Second Tier Suppliers
Supply Chain Examples Scenario: Learning Points:

During finished product manufacture, a customer found black Most supply chains involve more than one tier of supply.
4.3 Verification of Artwork contamination moulded within red plastic components used in It is important for the accountable organisation to understand the
4.4 Warehouse Operations & Pest Control packaging. The issue was reported back to the 1st tier supplier and the entire supply chain for its products even to the lowest tier in order to
4.5 Temperature Controlled Transportation components quarantined, pending the outcome of the investigation by assess the potential hazards and determine the level of risk involved.
the supplier.
4.7 Fraudulent Activities in the Supply Chain Each supplier within the supply chain also has a responsibility to have
4.8 Errors in Proof Reading The source of the identified quality issue was traced back to the 2nd supplier assurance in place.
4.9 Change Control Source of Material tier supplier of the plastic colorant, where the material had separated
80
during storage. The black contamination was part of the colorant
4.12 High Bioburden
material and therefore presented no risk to this finished product or end
4.13 Inconsistent Analytical Results user. This was a considered a cosmetic defect.
This issue led to significant delays in manufacture as the plastic
components had to be returned to the supplier for sorting. The 2nd
4.17 Effect of not knowing all the links in a tier supplier was audited as a consequence of this event and other
Transport Chain non compliances identified. As a long term action the 2nd tier supplier
decided to transfer manufacture of the colorant to another site.
Due to significant audit findings by a number of different customers
Glossary resulting in capital investment needed to ensure to meet the required
standards, the original site was closed.
Bibliography

Foreword
Contents

4.3 Printed Artwork Supplier
Verification of Artwork

A pharmaceutical manufacturer had printed labels produced from All printing processes utilise digital files / images and there is much
4.3 Verification of Artwork artwork supplied by an external artwork house. reliance on the security and quality of the electronic transfer of such
During the production of some printed labels, the label manufacturer files.
performed a routine QC check and identified an error with some of This reiterates the importance of installing a robust data transfer
4.7 Fraudulent Activities in the Supply Chain the text on the labels. They contacted their client who verified that verification process.
4.8 Errors in Proof Reading the original approved artwork and the supporting documentation was With the increased reliance on electronic methods of data transfer, the
4.9 Change Control Source of Material correct.
integrity of such files is paramount. 81
4.11 Multiple uses of a Material Further investigation highlighted that the error occurred during the It was fortunate that the routine QC checks detected this error and
4.12 High Bioburden transfer of an electronic file from the artwork supplier to the label reinforces the criticality of such checks.
4.13 Inconsistent Analytical Results manufacturer. A check was performed by both the artwork supplier and
label manufacturer which independently confirmed that the contents of
the electronic file had been corrupted.
4.17 Effect of not knowing all the links in a This issue delayed the production of the labels and those already
Transport Chain
4.18 Raw Material Source of Origin printed had to be destroyed. Both the artwork supplier and label
4.19 Reuse and Potential Infection manufacturer reviewed their processes and initiated corrective actions.
Glossary
Bibliography

Foreword
Contents

4.4 Primary Packaging Supplier
Warehouse Operations & Pest Control

Two dead mice were found inside the pallet wrapping of a All suppliers will use warehouse facilities to store materials and they
4.3 Verification of Artwork consignment of plastic bottles to be used for a low margin antiseptic may not have the same standard of pest control processes as their
4.4 Warehouse Operations & Pest Control liquid product. customers.
This caused major disruption to the output of the pharmaceutical Warehouse facilities including those used remotely, should be
4.7 Fraudulent Activities in the Supply Chain filling plant. All the stock of bottles had to be manually inspected for maintained to the appropriate standards and checked on a regular
4.8 Errors in Proof Reading contamination. It was necessary to audit the supplier and its remote basis.
4.9 Change Control Source of Material warehouse. Immediate action involved the relocation of bottle storage
Regardless of the value of the product, the accountable organisation 82
back into the main factory. still needs to consider potential hazards within the supply chain and
4.12 High Bioburden The root cause was identified as inadequate warehouse pest control at apply Risk Management.
4.13 Inconsistent Analytical Results the suppliers remote warehouse. It prompted an extensive programme
of work to improve standards at the supplier.
Transport Chain
Glossary
Bibliography

Foreword
Contents

4.5 Distribution
Temperature Controlled Transportation

A contract manufacturer shipped product using its approved Many companies use contract manufacturers and distributors.
4.3 Verification of Artwork transportation service provider. The product required shipment at a Contracting out does not absolve an organisation of its responsibility to
4.4 Warehouse Operations & Pest Control temperature of 2C - 8C as specified by the customer. ensure the quality of products.
On receipt of the product, the customer found that it was frozen due to The risks that transportation can pose to the final stages of a product
4.7 Fraudulent Activities in the Supply Chain incorrect temperature setting. supply chain should not be underestimated.
The root cause was determined to be the lack of a check to verify the It is important to ensure that all the defined requirements of parties
temperature settings after loading of the vehicle. The product had to within the supply chain do not pose any risks to the finished product 83
4.11 Multiple uses of a Material be rejected and destroyed resulting in significant delay and failure to and should be regularly reviewed and audited.
4.12 High Bioburden meet market demand. Transportation requirements should be clearly defined and covered by
4.14 Continuity of Supply Additional costs included replacement of product and disruption to a formal agreement.
4.15 Lack of Formal Contracts production schedules. Temperature control is critical for many products in the pharmaceutical
and medical device industries. Consideration should be given to
Transport Chain transport conditions throughout the supply chain, in particular where a
4.18 Raw Material Source of Origin number of organisations are involved, such as distributors and brokers
4.19 Reuse and Potential Infection etc.
Glossary
Another example of unsatisfactory conditions during transport leading to
Bibliography a Class 2 drug alert and precautionary product recall can be found at the
following link.
http://www.mhra.gov.uk/Publications/Safetywarnings/DrugAlerts/CON054589

Foreword
Contents

4.6 Solvent Supplier
Change Control

A well established supplier delivers solvents to all customers in Never rely on one method of control which is subject to only periodic
4.3 Verification of Artwork drums which are returned to the supplier, when empty. The drums oversight by audit. Audit is an essential tool but is only part of the
4.4 Warehouse Operations & Pest Control are recycled by washing thoroughly to ensure no cross-contamination controls.
4.5 Temperature Controlled Transportation from either solvents or additional uses by clients. The drums are not Expectations on events, specifications and change management at
dedicated to a client or a solvent. suppliers should be controlled by a Quality / Technical Agreement
4.8 Errors in Proof Reading The supplier is regularly audited by clients and subjected to strict even if the material is processed out of the final product being
4.9 Change Control Source of Material Environmental Health and Safety regulations in the country of main manufactured.
84
operations. The importance of communication, especially with long standing
4.12 High Bioburden After an Environmental Health and Safety inspection the solvent suppliers, should not be underestimated.
4.13 Inconsistent Analytical Results supplier was ordered to discontinue the washing of drums on grounds
4.14 Continuity of Supply Regular communication should be maintained at an appropriate
of staff exposure to highly volatile solvents. The residual content was frequency to ensure that as the customer supplier relationship
instead allowed to dissipate on standing as the contents were highly develops, both parties still fully understand the sometimes changing
4.17 Effect of not knowing all the links in a volatile. requirements of each other.
Transport Chain
4.18 Raw Material Source of Origin The clients were given no notification of this change as a result of the
4.19 Reuse and Potential Infection audit because no formal agreements were in place.
A major client then noticed a cross-contamination issue in the
Glossary
manufacture of several batches of an Active Pharmaceutical
Bibliography Ingredient. Extensive investigation identified the contaminant to be
from residual solvent in the drums.
This contamination was difficult to process out and was present at
a regulated stage of the process adding complexity to the recovery
process as well as investigation costs.

Foreword
Contents

4.7 Active Pharmaceutical Ingredient (API) Supplier
Fraudulent Activities in Supply Chain

A pharmaceutical manufacturer, Company A, had outsourced the An increasing number of companies look for ways to minimise costs.
4.3 Verification of Artwork manufacture of an Active Pharmaceutical Ingredient to a supplier This often involves looking at Cost Competitive Countries as sources
4.4 Warehouse Operations & Pest Control (Company B) that was based in a part of the world with cultural and of supply where manufacturing standards vary significantly. Some
4.5 Temperature Controlled Transportation ethical differences. In recognition of the risks associated with this suppliers based in these countries may falsify documents for various
particular supplier, Company A set up a team to control and manage reasons.
Company B. In the regulated industry requiring a secure supply chain, such
4.9 Change Control Source of Material During one of Company As routine technical visits at Company Bs practices can lead to serious consequences including recall of product.
85
premises, it was discovered that a third party, Company C, who were It is important during the supplier selection and evaluation process to
4.12 High Bioburden
not approved by Company A, was actually manufacturing some of ensure that all aspects of the supply chain are as ethical, robust and
4.13 Inconsistent Analytical Results the product and that Company B had generated batch records as if as secure as possible.
4.14 Continuity of Supply Company B had made the product instead of Company C.
4.15 Lack of Formal Contracts Appreciation is required of potential ethical issues when a supplier
4.16 Effect of Global Supply Chains tenders for business and strict monitoring should be implemented prior
4.17 Effect of not knowing all the links in a to the suppliers approval.
Transport Chain
4.18 Raw Material Source of Origin The accountable organisation should be sure that the standards that
4.19 Reuse and Potential Infection suppliers might claim to operate, and might be able to demonstrate
from time to time, are actually being practised all of the time.
Glossary
Bibliography

Foreword
Contents

4.8 Packaging Supplier
Errors in Proof Reading
Supply Chain Examples Scenario: Learning Outcome:

A printers proof for artwork relating to a heart condition medicinal Reading proofs is still a key part of the printing process and anyone
4.3 Verification of Artwork product was incorrectly read by the supplier as Approved when it was can make a mistake.
4.4 Warehouse Operations & Pest Control actually Rejected. No process is infallible; therefore it is important to identify any potential
As a consequence, the wrong file was used to make replacement risks in a process and to implement corrective / preventive action to
4.7 Fraudulent Activities in the Supply Chain printing plates and cartons were printed which indicated on one mitigate those risks.
4.8 Errors in Proof Reading end flap 14 tablets instead of 28 and were used by an outsourced It is important that critical data is independently verified and that such
4.9 Change Control Source of Material packager.
check points are identified using a Risk Management approach. 86
4.11 Multiple uses of a Material The stock had to be recalled from the all distribution centres to enable
4.12 High Bioburden a full rework programme to be initiated.
4.14 Continuity of Supply This delayed the critical medicinal product reaching the market.
4.15 Lack of Formal Contracts Working together, the customer and supplier were able to reconstruct
the complete sequence of events. In addition to awareness training,
Transport Chain the rules regarding issuing artwork and file management between the
4.18 Raw Material Source of Origin supplier and the plate-maker were updated and the process improved.
Glossary
Bibliography

Foreword
Contents

4.9 Label Supplier
Change Control

At a pharmaceutical customers premises, self-adhesive labels were It is easy to make the assumption that an alternative material is the
4.3 Verification of Artwork failing to stick to glass vials. This had been caused by the supplier same as the original material without performing any verification
4.4 Warehouse Operations & Pest Control switching their source of unprinted label material. activities. A simple verification such as a line trial may have captured
The raw material was thought to be of equivalent quality and no extra this before introduction.
4.7 Fraudulent Activities in the Supply Chain quality checks were performed at Goods-Inwards. Many companies do not have formal agreements in place with their
This change was introduced without informing the customer therefore, suppliers and so there is no legal requirement for the supplier to notify
4.9 Change Control Source of Material their customers of changes. Even changes that a supplier considers as
no formal Change Control or Risk Assessment could be performed by 87
the customer. minor, could have a large impact on its customers.
4.12 High Bioburden
The problem caused chaos on the customers packing line and it It is important for both customers and suppliers to understand each
4.13 Inconsistent Analytical Results others processes and requirements.
4.14 Continuity of Supply was not certain how well the labels were affixed to apparently
4.15 Lack of Formal Contracts satisfactorily packed vials. To clearly define roles and responsibilities within some form of simple
The label printing company pursued the quality issue with its supplier agreement or contract, as a minimum, is a starting point for agreeing
4.17 Effect of not knowing all the links in a which changes require notification / approval.
Transport Chain and trials of alternatives were subsequently conducted with the
4.18 Raw Material Source of Origin pharmaceutical company. In addition, revisions were made to the
4.19 Reuse and Potential Infection Change Control system.
Glossary
Bibliography

Foreword
Contents

4.10 Active Pharmaceutical Ingredient (API) Supplier
Implementation of a New Process
Supply Chain Examples Scenario: - The process did not introduce any impurities by side reactions
4.1 Product Contamination or the natural chemistry of the process, provided the purification
Company A was planning the installation of a new process for the step was performed in virgin Solvent A. If any other solvents were
4.3 Verification of Artwork manufacture of Active Pharmaceutical Ingredients (APIs). The process present the batch would fail for impurities.
4.4 Warehouse Operations & Pest Control had a number of stages involving chemical reaction, crude isolation,
- No introduction of foreign solvent to the process could occur, as the
4.5 Temperature Controlled Transportation purification by re-crystallisation, isolation by filtration and drying of the
4.6 Change Control - Process automated system should only open the correct valve to charge the
final API bulk powder.
4.7 Fraudulent Activities in the Supply Chain solvent to the correct tank.
4.8 Errors in Proof Reading The process utilised a number of different solvents at different
As a result the most probable risk identified was the quality of the raw
4.9 Change Control Source of Material stages. Delivery of solvents to the purification vessel is automatically
4.10 Implementation of a New Process materials. 88
controlled by an operator using a computer terminal. The different
4.11 Multiple uses of a Material A few weeks after implementation, a number of batches began failing
4.12 High Bioburden
solvents are piped through a single manifold system before branching
out for delivery to the various vessels. for impurities, and residual solvent appeared that was foreign to the
4.14 Continuity of Supply process.
To implement the new process, an interdisciplinary team was
4.15 Lack of Formal Contracts An investigation could not determine the root cause of the batch failures.
assembled with the following experts:
4.17 Effect of not knowing all the links in a - R&D Chemist who was familiar with the chemistry of the process. A production operator was invited to the meeting where the team
Transport Chain
- Process Engineer who was familiar with the plant construction reviewed all the information previously reviewed in setting up the
4.19 Reuse and Potential Infection and especially the automated control system. process.
- Quality Assurance Specialist who was familiar with Quality The production operator quickly noted that the valve on the solvent
Glossary Management System and Quality Control testing. feed-line to the purification vessel was hand actuated and not controlled
Bibliography At the team meetings, discussions were held about potential issues by the automated system. It was discovered by further investigation
(identifying the risks). that the failed batches were all contaminated with Solvent B. This
was because the hand valve had been left in the open position when
Based on the knowledge of the experts it was concluded that:
Solvent B was being charged to adjacent processes and the foreign
- The raw materials did not introduce anything foreign to the process solvent was able to travel along the line into the purification vessel.
and once they were QC passed, would deliver product of the
correct quality.

Foreword
Learning Points:
The implementation of many new systems or processes fail due to the
Contents lack of involvement of the relevant people right at the beginning. It is
important to consider all stakeholders.
Even a large company with abundant resources, finances, large
General Introduction departments with well-defined and separated roles can overlook the
importance of key knowledge holders. The personnel involved should
have a suitable level of process knowledge in the operation of the
Risk Management Process process.
Sufficient unbiased scientific data or information about all potential
risks in implementing any new process should be gathered to define
Supply Chain Examples the limits of a Risk Assessment. It is not enough to rely on the gut
feel of a process expert.
4.2 Management of Second Tier Suppliers Appropriate resources should be allocated and a team leader
4.3 Verification of Artwork identified who has clear responsibility for the co-ordination of all
activities.
4.6 Change Control - Process Project deliverables and set timelines will give focus to the Risk
4.7 Fraudulent Activities in the Supply Chain Management process and allow the management of larger processes.
89
4.12 High Bioburden
Transport Chain
Glossary
Bibliography

Foreword
Contents

4.11 Raw Material Manufacturer
Multiple uses of a Material
Supply Chain Examples Scenario:

Company B supplied salt (Sodium Chloride) to various types of The owner of Company B now had a different perspective of the risks
4.3 Verification of Artwork industry. 60% of Company Bs business is supplying salt to local in the manufacturing process for the supply of pharmaceutical grade
4.4 Warehouse Operations & Pest Control County Councils for gritting roads. The remaining 40% of the business salt.
4.5 Temperature Controlled Transportation is supplying salt to the pharmaceutical industry for use in sterile
injection products.
4.8 Errors in Proof Reading The business owner purchases salt in bulk from a manufacturer and Learning Points:
4.9 Change Control Source of Material repacks it into 25 Kg bags for their customers. A process review was Many materials particularly excipients have multiple uses and are often 90
conducted of the supply chain and customers to maximise business used in both pharmaceutical and non-pharmaceutical manufacture.
4.12 High Bioburden
potential.
It is important to ensure that formal specifications and other
4.13 Inconsistent Analytical Results The owner in reviewing the process used brainstorming to decide expectations are agreed between both parties to ensure that the
what the problems / questions were. The first major fact was the 60:40 supplier fully understands the need for high quality materials.
split of the business. If considered alone it would appear that the 60%
A full Risk Management review of the complete supply chain should be
4.17 Effect of not knowing all the links in a was the more important client base. The 60:40 split was based on
Transport Chain conducted to identify potential hazards and associated risks, and the
quantities only and didnt reflect the income from the business.
4.18 Raw Material Source of Origin actions to be taken to eliminate or mitigate those risks.
4.19 Reuse and Potential Infection The County Council only needed salt for 3 months of the year,
A supplier should consider the end use of the material supplied to its
however, the pharmaceutical customers purchased all year round.
Glossary customers and the risks to the customers who use the final product.
Company B charged 25 per bag for the pharmaceutical customers
but could only charge 15 per bag to the councils. Thus if Company
Bibliography
B sold 100 bags this year the company will receive 2500 from the
pharmaceutical customers and 1500 from the council customers.
The owner talked to the buyers from both the council and
pharmaceutical customers to understand how important the supply
of salt was to them. The council had no real requirements and would
accept any grade of salt supplied. The pharmaceutical customers
however explained that they should receive salt of a pharmacopoeial
grade to reduce the risk of contamination to sterile products and the
consequences to the patient.

Foreword
Contents

4.12 Medical Device Supplier
High Bioburden

A medical device manufacturer Company Y had developed a new It is important to ensure that all risks relating to product are established
4.3 Verification of Artwork product (wound dressing) that used a material not commonly used in at the design stage. Control in design includes selection of material,
4.4 Warehouse Operations & Pest Control the medical device sector. manufacturing process and sterilisation validation (ISO 14971:2007
After a series of trials on the functionality of the material, the Table E). Harm should have been identified as potential bioburden in a
development team selected Company Z to supply. patient leading to infection or the wound not healing.
The manufacturing process was successfully initiated, however, during Specifications should define maximum allowable limits.
routine incoming analysis of the material, the bio-burden (i.e. microbial Risk Analysis of the supply chain here would have identified 91
4.11 Multiple uses of a Material contamination) of the material was found to exceed acceptable limits the need for the suppliers processing facility to be audited and
4.12 High Bioburden causing a delay to the product launch. the manufacturing process qualified with respect to GMP and
4.13 Inconsistent Analytical Results environmental control. Some industry sectors will be unfamiliar with
4.14 Continuity of Supply A facility inspection of Company Z identified that although the
company had a good Quality Management System (QMS) and GMP and / or medical device requirements even though they may
4.16 Effect of Global Supply Chains cross-contamination controls, it did not have adequate environmental have their own established quality standards.
4.17 Effect of not knowing all the links in a controls in place to minimise the potential bio-burden of the product in Controls in manufacture should then be included in Supplier Quality or
Transport Chain
4.18 Raw Material Source of Origin question. Technical Agreement.
4.19 Reuse and Potential Infection A follow up technical visit and discussion led to an agreed change In the development of new products, new materials / technologies are
in the temperature and storage parameters during the conditioning often required which may not have been used in a regulated industry
Glossary
process that significantly reduced the bioburden. previously even though these materials / technologies may have a
Bibliography As an additional and precautionary measure, a sterilisation process proven track record in other industries.
was introduced downstream. Early involvement of key stakeholders from other functions such as
Quality Assurance would help ensure that requirements such as GMP
or special requirements are specified and understood.
In selecting materials and suppliers with no medical device experience,
it is important that the process steps at the supplier are evaluated
carefully against specifications and final product requirements.

Foreword
Contents

4.13 Raw Material Supplier
Inconsistent Analytical Results

Company A has purchased a chemical excipient from Supplier C for It is so important to assess the potential analytical differences between
4.3 Verification of Artwork many years. The material is used in an oral dosage product and there testing laboratories and to perform trend analysis.
4.4 Warehouse Operations & Pest Control have been no reported quality issues. This material is not purchased The importance of regular communication, especially with historical
4.5 Temperature Controlled Transportation as a pharmaceutical grade and there is limited communication suppliers, should not be underestimated and assumptions should be
between the two companies. avoided.
4.8 Errors in Proof Reading Company A analysed a recent delivery and found an Out of Even if a material is considered low risk from historical data, it should
4.9 Change Control Source of Material Specification result for one of the test results. This was reported
always be re-evaluated at a defined timeline. 92
to Supplier C as a complaint, for investigation and root cause
4.11 Multiple uses of a Material Some form of supply contract or agreement should have been
4.12 High Bioburden
identification. During the investigation, it was identified that the
suppliers results for this particular test were consistently lower than generated and approved which clearly stated the roles and
4.14 Continuity of Supply those obtained by Company A. responsibilities between both parties, especially in the event of a
4.15 Lack of Formal Contracts dispute.
Further reviews of the analytical differences confirmed the trend and
that there was the potential for high results to be within the acceptable There should be agreement on the requirements (specifications) to
Transport Chain limits for Supplier C, but to be outside the acceptable limits for ensure that a supplier can meet customer requirements.
Company A Where appropriate a review of the analytical methods should be
This created a stalemate situation where both parties confirmed their conducted to identify any potential differences with equipment or
Glossary relevant results. It also meant a delay in the availability of material for methods.
use in production, whilst investigations were ongoing. Supplier C was As time progresses many Industry Standards and chemical tests
Bibliography
the only source of this material so it was important to Company A that evolve so the importance of periodic communication and review is vital
the situation was resolved. to ensure the continuity of a successful supply chain.
Discussions were held to assess the risks associated with the In this case, the material used was cosmetic grade which may have
manufacture and supply of this material. As part of the risk mitigation been the only one available at the time of product development;
strategy, it was agreed that Supplier C would provide a pre-shipment however more and more suppliers are now offering pharmaceutical
sample for any future deliveries that could be analysed and approved grade alternatives.
before final shipment was made. This would avoid any material
rejections and maintain the supply chain to Company A.

Foreword
Contents

4.14 Aluminium Tube Supplier
Continuity of Supply

Supplier A has manufactured aluminium tubes for the pharmaceutical The financial stability of suppliers and the potential affects on the
4.3 Verification of Artwork industry for many years. Company B purchases tubes from Supplier A supply chain should be assessed as part of regular Risk Management.
4.4 Warehouse Operations & Pest Control for use with a topical product and has never had issues with the supply In theory this should not have come as a surprise. However in practice
4.5 Temperature Controlled Transportation chain or quality. it is often difficult to predict the financial stability of a supplier. There
4.7 Fraudulent Activities in the Supply Chain The relationship between the two companies was managed from are various ways of verifying a companys financial status however
4.8 Errors in Proof Reading a distance with little or no contact. Suddenly, Company B received these may not always reveal the full picture. The key here is to always
4.9 Change Control Source of Material a phone call from Supplier A to say that they had gone into maintain open channels of communication and to conduct regular
93
administration and sold their tube business to another company with reviews of suppliers based on risk evaluation outcome. Just talking to
4.12 High Bioburden
immediate effect! Company B had no knowledge or experience of suppliers often yields interesting and open discussions that give each
4.13 Inconsistent Analytical Results this new Supplier C and had no choice in the transfer to Supplier C. party an insight into the way the other one works.
4.14 Continuity of Supply The tubes supplied were classed as primary packaging as the inner The importance of building a good relationship cannot be ignored
4.15 Lack of Formal Contracts surface of the tubes were in direct contact with the product. It was
and looking at the bigger picture for any signs that the supplier is
therefore important to establish that the specification for the tubes in trouble is paramount for example: were there any delivery issues?
Transport Chain remained unchanged and that they would be manufactured under Was it difficult to get hold of people to ask questions? Was there any
4.18 Raw Material Source of Origin cGMP conditions. information communicated by the supplier that was missed?
An audit of Supplier Cs facility had to be quickly organised, as this Where feasible and available, the identification of a second source
Glossary was required before the next delivery which would be manufactured by of supply to strengthen the supply chain would ultimately reduce the
Supplier C. In addition, confirmation was required that the specification risks to supply. The use of a sole source of supply will always present
Bibliography was exactly the same as before. To meet legislative requirements, a risk and should be avoided if possible. If there is no alternative, then
product manufactured using the new tubes were put on stability trials that makes the use of a Risk Management process even more vital
to verify that there was no effect on the product. to an organisation. At the very least, a risk mitigation plan should be
This change, without prior notification by Supplier A, forced Company formulated to consider the what if scenario? It is important to fully
B to initiate a number of priority activities and caused delays in the understand what activities would need to be completed and the impact
production of this topical product. Customer service was dramatically on an organisation if a particular supplier went out of business.
affected.

Foreword
Contents

4.15 Distribution Supplier
Lack of Formal Contracts

Company A does not have its own transportation so it relies on a local It is important to ensure that all suppliers fully understand and
4.3 Verification of Artwork haulage company to collect and deliver its products. document their customers requirements and what their roles /
A customer had recently complained to Company A about the receipt responsibilities are in the supply chain.
of a damaged pallet of goods. The customer provided photographic It is essential that the hauliers insurance cover is adequate to cover
4.7 Fraudulent Activities in the Supply Chain evidence of the issue which identified that the damage was not just costs should a claim be initiated.
4.8 Errors in Proof Reading superficial but severe. The pallet had apparently been re-wrapped by
4.9 Change Control Source of Material the haulier.
94
4.11 Multiple uses of a Material Company A contacted the haulage company to investigate the
4.12 High Bioburden complaint. The investigation identified the fact that there was no formal
4.13 Inconsistent Analytical Results contract between the two companies that clearly defined the roles and
responsibilities of each party, that the hauliers did not fully understand
the importance of their role in the supply chain and the impact /
4.17 Effect of not knowing all the links in a consequences of their actions. Therefore they had not reported the
Transport Chain issue where a forklift truck had damaged the pallet and thought they
were doing the right thing by re-wrapping the pallet.
There was no transport specification defined that included the details
Glossary of such areas as:
Bibliography - Transportation routes
- Storage conditions
- Handling methods
- Documentation
- Reporting process for issues
- Key contact information at both companies
The pallet was returned to Company A and the product had to be
rejected at a cost to Company A as the level of company insurance
was not adequate to cover the cost of this product.

Foreword
Contents

4.16 Chemical Supplier
Effect of Global Supply Chains

During the manufacture of plastic parts for cars, a by-product called Events in a seemingly unrelated industry sector can have an indirect
4.3 Verification of Artwork acetonitrile is produced which is used by many pharmaceutical and knock on effect in other industries
4.4 Warehouse Operations & Pest Control device companies during product manufacture and QC testing. The risks to a supply chain should be assessed throughout all tiers.
During an economic downturn, the volume of manufactured car parts Even if a material is used in laboratory analysis, it is still vital to
4.7 Fraudulent Activities in the Supply Chain reduced due to the drop in car sales. This led to a supply shortage for understand its importance to a manufacturing process and the ability
4.8 Errors in Proof Reading acetonitrile producers and ultimately a supply shortage for consumers. to meet customers requirements.
There was a global shortage of the material and customers were 95
4.11 Multiple uses of a Material unable to maintain their regular supply.
4.12 High Bioburden
Prices increased significantly and the effect led to severe delays in
4.14 Continuity of Supply manufacture and analysis. This in turn led to late or missed orders by
4.15 Lack of Formal Contracts manufacturers.
Transport Chain
Glossary
Bibliography

Foreword
Contents

4.17 Cold Chain Transport
Effect of not knowing all the links in a Transport Chain
Supply Chain Examples Scenario: There may be more than one supplier involved in an event or
4.1 Product Contamination transactional movement.
Pharmaceutical products were manufactured and shipped from UK to
Spain using cold chain transport. Even if transport of the finished product is considered as low risk, there
4.3 Verification of Artwork
is a need to understand its possible complexity and importance in the
The products were collected from the contract manufacturing site by a final supply links to market.
haulage company understood to be the designated haulage contractor
of the client. The lorry appeared to be a clean, controlled temperature For pharmaceutical products adherence to Good Distribution Practice
4.8 Errors in Proof Reading vehicle. applies in transit as well as in storage.
The products arrived after a few days at the Spanish warehouse of Assumptions should not be made that a transport company knows 96
the client pharmaceutical company. The products were stored in the how to protect their customers products appropriately. Standards
4.12 High Bioburden recesses of a refrigerated lorry containing sides of meat. The outer of care should be set and applied to transport companies, their sub
4.13 Inconsistent Analytical Results containers of the pallets were contaminated with particles of meat and contractors and transit locations. These should include clear definition
blood that were adhering to the boxes. of roles & responsibilities, expectations on protection from various
4.15 Lack of Formal Contracts contamination sources, specific storage conditions, handling or
4.16 Effect of Global Supply Chains After taking photographic evidence of event, the receiving warehouse documentation requirements and the regulatory standards under which
4.17 Effect of not knowing all the links in a quarantined the consignment which was eventually destroyed due
Transport Chain the operations occur.
4.18 Raw Material Source of Origin to contaminated packaging. The product had to be reordered from
the manufacturer and the market was out of stock of the needed Transit routes for products should be agreed, and if possible, where
pharmaceutical product. products may be stored / located with other goods to save on transit
Glossary costs.
From the investigation, it was not clear where or why the cross-
docking event had occurred onto the meat lorry or the transit route Activities should be monitored at the transport hubs / cross-dock
Bibliography
taken between manufacturing site and final destination warehouse. locations. One vehicle may not collect in one country and deliver direct
in another.
A process for reporting of issues should be agreed to ensure that the
Learning Points: communication channels are established.
It is important to ensure that all suppliers fully understand what the The hauliers insurance coverage should be checked that it is
requirements are and what their role / responsibility is in the supply adequate to cover costs should a claim be initiated.
chain. Investigation reports and events should be circulated for future
learning by different quality units in a complex chain.

Foreword
Contents

4.18 Brokers in Raw Material Supply Chains
Raw Material Source of Origin

A range of sterile eye drop products was expanded from one market to It is important to know the source of raw materials and the security of a
4.3 Verification of Artwork several new markets. reliable source especially with historical suppliers.
The product was registered as a medical device with a key complex Assumptions should not be made - just because there have been no
ingredient of natural origin obtained from a supplier that was listed detectable issues doesnt mean that everything is alright. A thorough
4.7 Fraudulent Activities in the Supply Chain as the processor of the plant extract. It was critical that during the evaluation of the risks involved should be conducted even if a material
4.8 Errors in Proof Reading manufacturing process, the ingredient forms a certain crystalline is considered low risk from a product perspective.
4.9 Change Control Source of Material structure. There were other crystalline structures formed by different
A supply contract or Technical Agreement should be in place which 97
processes but were not detectable in the specification. includes specifications and all quality requirements including key
4.12 High Bioburden The manufacturer ordered a 10-fold increase in raw material to build processing requirements and which clearly state the roles and
4.13 Inconsistent Analytical Results stock for launch into new markets, which was delivered on time. The responsibilities between client and supplier
supplied material passed all specification tests. Non-pharmaceuticals can be a source of adverse events.
4.16 Effect of Global Supply Chains During the pre-launch promotional trials, there were a large number of Supplier audits should be performed to ensure that a supplier has full
4.17 Effect of not knowing all the links in a adverse events from the test markets causing soreness and worsening
Transport Chain traceability of their supply chain.
4.18 Raw Material Source of Origin of the original condition.
Discussions should take place that clearly define what the
4.19 Reuse and Potential Infection Extensive laboratory tests of the product and materials failed to identify requirements (capacity, specifications and processing) are to ensure
any differences until specialist crystallography testing was performed.
Glossary that a supplier can meet customer requirements.
The key ingredient supplier was questioned and revealed that their
supplier was a broker purchasing from different sources. To meet the If possible and feasible, a review of the analytical methods should be
Bibliography
increased demand, the supplier had sourced additional material from a conducted to identify potential differences with equipment or methods.
different source which used an alternative crystallization process. Regular communication should be maintained, at an appropriate
Some batches were known as to which material source they came frequency to ensure that the customersupplier relationship develops
from, and others were not known, so as the materials were mixed it and that both parties fully understand the requirements of each other.
was not clear which batches were fit for purpose and which were not. The supply chain should be re-evaluated on a regular basis and,
The launch was severely delayed with large additional costs for the if feasible and cost effective, new or alternative methods of supply
investigation. should be investigated with an appreciation of the impact of making
such a change and the potential risks that it may cause.

Foreword
Contents

4.19 Medical Device Service Supplier
Reuse Potential Infection Problem
Supply Chain Examples Scenario Learning / Recommendations

The FDA in the USA has warned of a potential infection problem with If the health care facility is responsible for cleaning, disinfecting and /
4.3 Verification of Artwork medical devices that are rented or leased by health care facilities. or sterilising equipment for reuse, it should ensure that all appropriate
The FDA reported their concerns that reusable (non-disposable) personnel are aware of these hazards, are responsible and properly
medical devices rented or leased from third parties may not be properly trained and equipped to perform the required tasks appropriately.
4.7 Fraudulent Activities in the Supply Chain cleaned, disinfected and / or sterilised prior to delivery to the health If the Rental / leasing company or health care facility (Contract Giver)
4.8 Errors in Proof Reading care facility. Also, when health care facilities exchange equipment uses a third party as responsible for cleaning, disinfecting and / or
4.9 Change Control Source of Material with other institutions, the equipment may be improperly cleaned, sterilising equipment for reuse, they should periodically review the third
98
disinfected and / or sterilized either before or after patient use. partys operating procedures to determine that its facilities, equipment,
4.12 High Bioburden It is uncertain how often this occurs, or which devices are most likely processes and personnel are adequate to perform these operations.
4.13 Inconsistent Analytical Results to be involved, but the potential seriousness of the problem warrants The Contract Giver should be sure that the third party is familiar with
attention. Improper handling of devices between uses can contaminate the manufacturers instructions for cleaning, disinfecting and sterilising
4.15 Lack of Formal Contracts the device.
facilities and expose individuals, including health care providers
4.17 Effect of not knowing all the links in a and couriers who come into contact with this equipment, as well as Additionally, if a third party is responsible for cleaning, disinfecting and
Transport Chain patients, to infectious, biohazardous material. Also, the presence of / or sterilising equipment for reuse, the Contract Giver must ensure
residual organic material on such equipment may compromise the that its own personnel are properly trained and equipped to handle,
effectiveness of sterilisation procedures. package, and label contaminated equipment for shipment back to the
Glossary Rental / leasing contracts between health care facilities and third supplier.
parties may fail to clearly identify the party responsible for cleaning, In some cases, third-party suppliers may also reprocess or refurbish
Bibliography
disinfecting and / or sterilising used medical equipment. In some medical devices between uses. When the contract calls for these
cases, no contract or agreement may exist. services, the contract giver should ensure that the supplier is familiar
It may be unclear whether health care facility personnel who handle with the device manufacturers specifications for the product. Health
this equipment should clean, disinfect, and / or sterilize it after use, care facilities may wish to establish quality assurance procedures
before it is returned to the third party supplier. to be sure that reprocessed or refurbished devices fulfil these
specifications before use.
Reference to FDA report

Foreword
Contents
Glossary
Glossary
Bibliography
Term Definition
99
Accountable Within each supply chain, there is an organisation that is legally accountable. Each competent and regulatory
organisation authority ultimately holds one manufacturer primarily responsible for meeting regulatory and quality requirements for
the product(s) supplied. This accountable organisation (pharmaceutical or medical device) has ultimate responsibility
and cannot relinquish or delegate (contractually or otherwise) its obligation and responsibility over any or all functions
to its suppliers.
Active Pharmaceutical Any substance or mixture of substances intended to be used in the manufacture of a drug (medicinal) product and
Ingredient (API) (or Drug that, when used in the production of a drug, becomes an active ingredient of the drug product. Such substances
Substance) are intended to furnish pharmacological activity or other direct effect in the diagnosis, cure, mitigation, treatment, or
prevention of disease or to affect the structure and function of the body. [ICH Q7]
Batch (or lot) A defined quantity of the product, manufactured in one process or series of processes, so that the product qualities
and characteristics are expected to be uniform and consistent.
...Continued on following page

Foreword
Structure & Acknowledgements Term Definition

Corrective Action and Reference ISO 9000:2005
Contents
Preventive Action
(CAPA) Correction
action to eliminate a detected nonconformity.
General Introduction NOTE 1 A correction can be made in conjunction with a corrective action.
NOTE 2 A correction can be, for example, rework or regrade.
Corrective action
Risk Management Process action to eliminate the cause of a detected nonconformity or other undesirable situation.
NOTE 1 There can be more than one cause for a nonconformity.
NOTE 2 Corrective action is taken to prevent recurrence whereas preventive action is taken to prevent occurrence.
Supply Chain Examples NOTE 3 There is a distinction between correction and corrective action.
Glossary Preventive action

action to eliminate the cause of a potential nonconformity or other undesirable potential situation.
Bibliography NOTE 1 There can be more than one cause for a potential nonconformity.
NOTE 2 Preventive action is taken to prevent occurrence whereas corrective action is taken to prevent recurrence.
Contamination Contamination is any kind of unwanted materials that may be incorporated into the product. Contamination may be
physical (e.g. extraneous dirt or dust), chemical (e.g. processing aids, lubricants) or biological (e.g. mould, fungus,
bacterial). This may be introduced, for example, from equipment, air systems or personnel, during production,
100
sampling, packaging, storage and distribution.
Contract (or agreement) A legally binding document agreed between organisations on the provision of products or services. Specifications and
Technical Agreements may form part of a contract.
Contract Acceptor The party accepting the requirements of another party as defined in a written contract or agreement.
Contract Giver The party communicating its requirements to another party as defined in a written contract or agreement.
Counterfeit A copy produced without authority with the intention of deceiving a user as to its true origin.
Detectability The ability to discover or determine the existence, presence, or fact of a hazard.
Decision maker Person(s) with the competence and authority to make appropriate and timely Quality Risk Management decisions.
Excipient An inactive substance used as a carrier for the active ingredient(s) of a medicinal product.
FDA Food and Drug Administration USA Regulatory Body.
Good Manufacturing GMP is that part of quality assurance which ensures that products are consistently produced and controlled to the
Practice (GMP) quality standard appropriate to their intended use as required by the product specification.
GxP A collective term for good practices (including GMP) covered by the regulations or guidance that ensure and control
quality, safety and efficacy at different stages of the product lifecycle and supply chain
X = clinical (GCP); distribution (GDP); laboratory (GLP / GCLP); manufacturing (GMP).

Foreword

Harm Damage to health, including the damage that can occur from loss of product quality or availability.
Contents
Hazard The potential source of harm.
ICH International Conference on Harmonisation. An organisation comprising representatives from 3 major pharmaceutical
General Introduction regulatory bodies and 3 industry representative bodies.
Supply Chain Considerations Management System - The set of interrelated elements that establish policy, processes, procedures and objectives which direct and control
Business an organisation with regard to all management activities.
Management System - Quality Management System is a subset of interrelated elements that establish policy, processes, procedures and
Risk Management Toolbox Quality objectives which direct and control an organisation with regard to quality.
Supply Chain Examples Manufacture All operations including purchase and receipt of materials and products, production, quality control, release, storage,
distribution and related records.
Glossary
Origination Origination is all the preparative activities prior to print. These include concept, design, graphics, reprographics, film,
Bibliography plate making, silk screens and digital files and masters.
Outsource Outsourcing is the use of another supplier to conduct all or part of an activity and may also be referred to as
subcontracting.
Process Set of interrelated or interacting activities which transforms inputs into outputs.
Product The result of a process.
101
Product Lifecycle All phases in the life of the product from the initial development through marketing until the products discontinuation.
Quality The degree to which a set of inherent properties of a product, system or process fulfils requirements
See also ICH Q6A definition specifically for quality of drug substance and drug (medicinal) products.
Quality Risk A systematic process for the assessment, control, communication and review of risks to the quality of the product
Management across the product lifecycle.
Raw Material A general term used to denote starting materials, reagents and solvents intended for use in the production of
intermediates, sub-assembly or finished product.
Residual Risk Risk remaining after Risk Control measures have been taken. (ISO 14971: 2007)
Requirements The explicit or implicit needs or expectations of customers (e.g. patients, health care professionals, regulators and
legislators). In this guide, requirements refers not only to statutory, legislative, or regulatory requirements, but also to
such needs and expectations.
Risk The combination of the probability of occurrence of harm and the severity of that harm. (ICH Q9)
Risk Acceptance The decision to accept risk. (ICH Q9)
Risk Analysis The estimation of the risk associated with the identified hazards. (ICH Q9)

Foreword

Risk Assessment A systematic process of organizing information to support a risk decision to be made within a risk management
Contents
process. It consists of the identification of hazards and the analysis and evaluation of risks associated with exposure
to those hazards. (ICH Q9)
Risk Assessment Tool A recognised technique for the identification, prioritisation and management of key risks for example, Failure Mode
Effects Analysis (FMEA), Fault Tree Analysis (FTA) and Risk Ranking and Filtering.
Risk Communication The sharing of information about risk and risk management between the decision maker and other stakeholders
Risk Management Process (internal or external).
Risk Control Actions implementing Risk Management decisions. (ICH Q9)
Risk Evaluation The comparison of the estimated risk to given risk criteria using a quantitative or qualitative scale to determine the
significance of the risk. (ICH Q9)
Glossary Risk Identification The systematic use of information to identify potential sources of harm (hazards) referring to the risk question or
problem description. (ICH Q9)
Bibliography
Risk Management The systematic application of quality management policies, procedures, and practices to the tasks of assessing,
controlling, communicating and reviewing risk. (ICH Q9)
Risk Reduction Actions taken to lessen the probability of occurrence of harm and the severity of that harm. (ICH Q9)
Risk Review Review or monitoring of output / results of the Risk Management process considering (if appropriate) new knowledge 102
and experience about the risk. (ICH Q9)
Risk Score A number that indicates the likelihood of an event occurring and the severity of the events impact.
Severity A measure of the possible consequences of a hazard.
Specification A description of the material(s) using a designated name and unique code reference, stating the physical attributes and
performance and, in some instances, the chemical and biological attributes required of a material or product. It typically
lists attributes in terms of appearance and variable characteristics, stipulating values, ranges and limits. It should either
refer to or include test methods and, where appropriate, sampling plans, acceptance quality limits, associated defect
classifications, storage conditions and precautions and the maximum period of storage before re-examination.
Stakeholder Any individual, group or organization that can affect, be affected by, or perceive itself to be affected by a risk.
Decision makers might also be stakeholders. For the purposes of this guide, the primary stakeholders are the patient,
healthcare professional, regulatory authority, and industry.
Supplier Includes all providers of materials or services throughout the supply chain that are important to the users organisation
based on risk including:
Products (materials, components etc.);
Services (e.g. calibration, cleaning, pest control, freight);
Contractors (manufacturers, packing, warehouse, distributors, agents etc.).
Supply Chain A system of organisations, people, technology, activities, information and resources involved in moving a product from
supplier to a customer.

Foreword
Contents
Bibliography
Glossary
Bibliography
1. ASTM E2476 09 Standard Guide for Risk Assessment and Risk 9. Guidelines for Failure Modes and Effects Analysis (FMEA) for
Control as it Impacts the Design, Development, and Operation of Medical Devices, 2003 Dyadem Press, ISBN 0849319102 103
PAT Processes for Pharmaceutical Manufacture 10. International Conference on Harmonisation (ICH) Q8
2. BS 31100:2008 Risk Management. Code of Practice Pharmaceutical Development
3. BS IEC 61882:2001 - Hazard and operability studies (HAZOP 11. International Conference on Harmonisation (ICH) Q9 Quality Risk
studies) application guide Management
4. Code of Federal Regulations, 21 CFR 210 / 211, 600, 820 12. International Conference on Harmonisation (ICH) Q10
Part 820; 820.50: Purchasing Controls Pharmaceutical Quality System
Reference 13. IEC 61025 Fault Tree Analysis (FTA)
5. EU Guide to GMP 14. IEC 61882 Hazard Operability Analysis (HAZOP)
6. Failure Mode and Effect Analysis, FMEA from Theory to Execution, 15. International Commission on Radiological Protection (ICRP)
2nd Edition 2003, D. H. Stamatis, ISBN 0873895983 in Publication 26 (ICRP 1977) as quoted in Textbook of
7. Food and Drug Administration (FDA), FDAs Ongoing Heparin Radiopharmacy, Theory and Practice Ed. Charles B Sampson 3rd
Investigation 1999 relating to ALARP / ALARA
8. Global Harmonisation Task Force (GHTF) Quality Management 16. ISO/IEC Guide 73 Risk Management Vocabulary Guideline for
System Medical Devices - Guidance on the control of products Use in Standards
and services obtained from suppliers, GHTF/SG3/N17:2008. 17. ISO/IEC 17025:2005 General Requirements for the Competence
of Testing and Calibration Laboratories

Foreword
18. ISO 7870:1993 Control Charts. 36. Quality Risk Management, British Association of Research Quality
Structure & Acknowledgements Assurance (BARQA) 2008, ISBN: 978-1-904610-10-6
19. ISO 7871:1997 Cumulative Sum Charts
Contents 20. ISO 7966:1993 Acceptance Control Charts http://www.barqa.com
21. ISO 8258:1991 Shewhart Control Charts 37. Risk Assessment in Supply Chain Management, Ian Williams, GMP
Review Vol. 2 No. 4, January 2004
22. ISO 9000:2005 Fundamentals and Vocabulary
General Introduction 38. Rules and Guidance for Pharmaceutical Manfacturers and
23. ISO 9001:2008 Quality Management Systems - Requirements Distributors 2007 (Orange Guide)
24. ISO 9004:2009 Managing for Sustainability A Quality 39. The Basics of FMEA, Robin McDermott, Raymond J. Mikulak,
Risk Management Process Management Approach Michael R. Beauregard 1996, ISBN 0527763209
25. ISO 13485:2003 Medical Devices Quality Management 40. The Development of a Quality Risk Management Solution designed
Systems Requirements for Regulatory Purposes to Facilitate Compliance with the Risk-based Qualification,
Supply Chain Examples 26. ISO 14971:2007 Medical Devices Application of Risk Validation & Change Control GMP Requirements of the EU
Management to Medical Devices ODonnell, K, February 2008.
Glossary
27. ISO 15378:2006 Primary Packaging Materials for Medicinal 41. Weak Links 2009 - A Survey Suggests that Manufacturers dont
Bibliography Products Particular Requirements for the Application of ISO have as much Control over Supply Chain Security as they think
9001:2000 with reference to Good Manufacturing Practice (GMP) they do, Carla Reed.
28. ISPE GAMP-5 Good Automated Manufacturing Practice Reference
29. Medical Device Directive (EU Directive 93/42/EEC) 42. WHO Technical Report Series No 908, 2003, Annex 7 Application of
Hazard Analysis and Critical Control Point (HACCP) Methodology to 104
30. MLX 357 Public Consultation on Measures to Strengthen the
Pharmaceuticals
Medicines Supply Chain and Reduce the Risk from Counterfeit
Medicines 43. ICH Q9 Briefing Pack
www.mhra.gov.uk
31. Pharmaceutical Technology Europe Regulatory Report Is the
Pharmaceutical Supply Chain Safe? Philip Payne, July 2008
32. Process Mapping by the American Productivity & Quality Center,
2002, ISBN 1928593739.
33. PS 9000:2001: The application of ISO 9001 and ISO 9004 to
Pharmaceutical Packaging Materials. IQA ISBN 0 906810 73 6.
34. PS 9004: A Guide to the GMP Requirements of PS 9000:2001
Pharmaceutical Packaging Materials. 2004, IQA. ISBN 0 906810795
35. PS 9100:2002: Pharmaceutical excipients, The application of ISO
9001:2000 and GMP guide for pharmaceutical excipients.
IQA ISBN 0 906810 83 3
This electronic document was developed for publication

for PQG by Design Inc, 01784 410380

Return to General Introduction Page 9
Continual improvement of the quality management system

Organizations Organizations
leading to sustained success
Environment Environment
ISO 9004
Clause 4
Managing for
Interested Interested
the sustained
Parties Parties
success
ISO 9004
ISO 9004
Clause 9
Needs & Clause 5
Improvement,
expectations Strategy and ISO 9001
innovation and
policy Clause 5
learning
Management
Facility
ISO 9004 ISO 9004 Cl.

ISO 9001 ISO 9001 Cl. 8
Clause 6 8 Monitoring,
Clause 6
Resource ISO 9001 Measurement, measuring Satisfaction
Resource analysis and
management analysis and
management improvement
(extended) review
ISO 9001
Customers Clause 7 Customers
Product Product
realization
Needs & ISO 9004

expectations
ISO 9004
Clause 7
Process
management
Information flow
Foundation: Quality management principles (ISO 9000)
Value-adding
activities
Figure 1 An extended model of a process-based quality management system[1]

Return to General Introduction Page 10
Return to Risk Management Process 2.2 Page 25
Return to Risk Management Process 2.2.2 Page 27
Initiate Return to Risk Management Process 2.2.3 Page 29
Quality Risk Management Process Return to Risk Management Process 2.3 Page 31
Risk Assessment
Risk Identification
Risk Analysis
unacceptable
Risk Evaluation
Risk Management tools

Risk Communication
Risk Control
Risk Reduction
Risk Acceptance
Output / Result of the

Quality Risk Management Process
Risk Review
Review Events
Figure 2 Quality Risk Management Overview (ICH Q9)

Return to Supply Chain Considerations Page 13
Internal Support Services (examples): Quality, EHS, Engineering, Facilities, IT
Product / Service
Supplied materials Manufacturing Warehouse End user
Design & Packaging
/ products & Testing & Distribution / customer
Development
External Contracted Services

E.g. manufacturing, testing, artwork & origination, packaging, warehousing & distribution, calibration, etc
Figure 3 Example of Functional Activities and Support Services within an Organisation

End customer
/ patient
Transport / Distribution
Wholesale / retailer
/ pharmacy
Transport / Distribution
Pharmaceutical and
Medical Device
Industry
Brokers / Distributors /
Tier 1 suppliers
Transport companies
Supplier A Tier 2 suppliers Supplier B
Brokers /
Tier 3 suppliers Distributors /
Transport companies
Supplier C Tier 4 suppliers Supplier D
Figure 4 - Typical supply chain hierarchy

Return to Risk Management Toolbox 3.3.1 Page 51
Objective evidence
Product specifications / part
requirements, instructions
Planning
Identify potential Potential supplier contact details
Identify technical & Product / Process
Describe requirements supplier(s) (existing Identify controls Risk Assessment
process information Risk Assessment
approved / new) Product / process controls
Selection criteria for suppliers /

rationale
selection
Supplier
Review existing suppliers
Plan for evaluation Select potential Investigate operational Identify business
Due diligence / audit report
& selection criteria supplier(s) capability of supplier(s) capability of supplier(s)
Supplier capability detail
NO Evaluation & selection

evaluation &
finalisation
Establish:
Supplier
Evaluate supplier(s) Acceptance & verification activities

Review audit Communication with Supplier Purchasing information
ability to fulfil specified YES Questionnaire / Audit report
requirements potential supplier(s) acceptable? Controls (acceptance
requirements
activities, verification etc) Contact / Supply / Technical Quality /
Technical Agreement
Decision & rationale
Records of monitoring: supply, receipt,

measurement
inspection, acceptance
Performance
Performance measurement
Corrective Receive product Data analysis
Problems Periodic re-evaluation
action YES Acceptance criteria Records of corrections / investigations
identified? of supplier
required? Measurement & monitoring
Analyse data
YES
NO
NO
YES Manufacturer &/or supplier
communication
correspondence
Feedback &
Corrective Action / Records of corrective & preventive

Satisfactory Feedback and action(s)
Preventive Action performance? YES
communication
by supplier Change control notification / approval
NO
Review impact on other products
supplied
Supplier exit
strategy
Archive data & documents

Termination YES NO Termination of Product left in marked support
Exit strategy?
strategy for Supplier Product market
Continuity arrangements and
reiteration of cycle if replacement
supplier
Figure 5 Guidance on Control of Products during Supplier Lifecycle Management (adapted from GHTF/SG3/N17:2008)
Data / Information
Hard Data / Information Soft Data / Information
Facts Observation
Measurements Experience
Assumptions
Analysis results
(based on experience)
Trends Key
= Qualitative
Variables
= Quantitative
Attributes = Both
Figure 6 - Sources of Information that can be used in Risk Identification

Ba
View la n
ce
d
ca l
Resu cti
a
1 lt
tional
Pr
o
2 Follow Persona Em
Action -u
p
l ues
3 Iss
Def
4
Plan
in
plore
e
Ex Fe
eli Other
s
ng s
Time
Requ
irements SO
LU L EM S
B Own
TI
Money ath
O
ON
G
er
PR
s
o ur ce
Re s t
hs Fa c
s
gt Creative
Solutions
Stren
ple
Peo
Opinions
Idea
TE
3
s A ID
se A LU EA
Weaknes EV S Change
Strengths
itu
S
Id
2 knesses ation
Wea
ea
Idea 1
s
en 1
G
St
se
ren erate 2
es
Weakn gths
3
8
4
7
6 5
Figure 7 Example of a mind map

Medical Device Organisation Outsourced Conversion Outsourced Sterilisation
Supplier 1 Stage A Supplier 9

Raw Materials Bulk Chemical Conversion Raw Materials
Stage B Mechanical Conversion

Bulk Chemical Conversion
Supplier 2 Supplier 3
Raw Materials Raw Materials
Stage 1 Stage 1
Sub-Assembly B Sub-Assembly A
Stage 2 Sub-Assembly C
Sub-Assembly B
Supplier 4 Final Device Assembly

Raw Materials
Supplier 5 Primary Packing

Raw Materials
Supplier 6 Secondary Packing

Raw Materials
Supplier 7 Tertiary Packing Terminal Sterilisation

Raw Materials
Product Testing & Release
Supplier 8 Warehouse
Distribution
Figure 8 Flowchart of a Medical Device Manufacture showing Suppliers & Contractors

Identify Risks GMP Regulatory Medical

and verify that
each potential
risk is related
to the Risk
Question.
Risk
Question
Assess the
frequency of
occurrence
and potential
severity of
each risk. Legal Environment People
Figure 9 Example of Ishikawa / Fish-bone Diagram

Increasing individual risks and societal concerns

Unacceptable
region
Tolerable
region
Broadly acceptable
region
Figure 10 Carrot diagram

External Internal
Increase / decrease in demand Non-conformity
Capacity / resources changes Rejection of a batch
Fluctuating exchange rates Product recall
Political climate / instability Capacity / resource issues
Greater exposure to global Reduced inventory
social, political and financial Cost reduction programmes
environments
Single sourcing versus dual
Takeovers / mergers sourcing
Legal status (regulatory Inadequate supplier selection /
restrictions in individual qualification process
markets and of supplier)
Longer / more complex supply
Environmental responsibilities chains
Counterfeiting / fraud Complex processes
Facility disaster disaster Inadequate monitoring process
planning or oversight controls / interface
Materials, product, service Non-conformance with
supply interruption contracts / agreements
Termination of materials or Staying with poorly performing
services supplier & not progressing
Uncontrolled variation in improvement or exit strategy
materials Inadequate communication
Unexpected contaminants in Facility disaster
supplied product
Transportation / storage
Deliberate or accidental events
adulteration
Lack of technical knowledge
Unknown or poorly controlled
Personnel / organisational
use of brokers / agents
changes
Distribution / transportation /
Lack of adequate
storage events
Inadequate communication
Increasing process variability
Lack of adequate
Complex processes
Table 2 - Examples of hazards / events creating risks that are either external or internal to an organisation
Return to Risk Management Toolbox 3.2 Page 45
Role Responsibility
Responsible Those who do the work to achieve the task. There is typically one role with a participation type of Responsible,
although others can be delegated to assist in the work required.
Accountable There should be only one Accountable person specified for each task or deliverable. An Accountable signs off
(also Approver / Final Approver) (approves) the work provided by Responsible person(s).
Consulted Those whose opinions are sought; and with whom there is two-way communication
Informed Those who are kept up-to-date on progress, often only on completion of the task or deliverable, or at key
milestones; communication is typically just one-way.
Table 3 RACI roles and responsibilities

Guia QRM Cadena de Suministro (Proveedores)

Caricato da

Informazioni sul documento

Titolo originale

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

Guia QRM Cadena de Suministro (Proveedores)

Caricato da

Copyright:

Formati disponibili

Foreword

Structure & Acknowledgements

Supply Chain Considerations

Risk Management Process

Risk Management Toolbox

Supply Chain Examples

Supply Chain Risk Management

2010 The Chartered Quality Institute

Structure & Acknowledgements

Supply Chain Considerations

Risk Management Process

Risk Management Toolbox

Supply Chain Examples

2010 The Chartered Quality Institute

2010 The Chartered Quality Institute

Structure & Acknowledgements

Supply Chain Considerations

Risk Management Process

Risk Management Toolbox

2010 The Chartered Quality Institute

Structure & Acknowledgements

Supply Chain Considerations

Risk Management Process

Risk Management Toolbox

Basic structure of this Risk Management guide

2010 The Chartered Quality Institute

2010 The Chartered Quality Institute

Structure & Acknowledgements

Supply Chain Considerations

Risk Management Process

Risk Management Toolbox

2010 The Chartered Quality Institute

Structure & Acknowledgements

Supply Chain Considerations

Risk Management Process

Risk Management Toolbox

2010 The Chartered Quality Institute

2010 The Chartered Quality Institute

Structure & Acknowledgements Continual improvement of the quality management system

Bibliography ISO 9004 ISO 9004 Cl.

Needs & ISO 9004

Figure 1 An extended model of a process-based quality management system[1]

2010 The Chartered Quality Institute

Risk Management tools

Output / Result of the monitoring, reviewing and continual improvement

The level of Risk Management awareness will develop with practice

Figure 2 Quality Risk Management Overview (ICH Q9)

2010 The Chartered Quality Institute

Bibliography Table 1 Risk Management Maturity

The above table is a simple representation of Risk Management maturity.

2010 The Chartered Quality Institute

Structure & Acknowledgements

Supply Chain Considerations

Risk Management Toolbox

Supply Chain Examples

2010 The Chartered Quality Institute

Internal Support Services (examples): Quality, EHS, Engineering, Facilities, IT

External Contracted Services

Figure 3 Example of Functional Activities and Support Services within an Organisation

2010 The Chartered Quality Institute

Figure 4 - Typical supply chain hierarchy

2010 The Chartered Quality Institute

2010 The Chartered Quality Institute