Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Contents
General Introduction
Glossary
A Guide to
Bibliography
V.1.0 2010
Foreword
Contents
General Introduction
Glossary
Bibliography
The Chartered Quality Institute, 12 Grosvenor Crescent, London SW1X 7EE, UK.
Foreword
Contents
General Introduction
Glossary
Bibliography
A Guide to Supply Chain Risk Management for the Pharmaceutical and Medical Device
3
Industries and their Suppliers
The provision of medicines and medical devices to the UK is now a Management should play a key role in the supplier selection, approval
global business. Active pharmaceutical ingredients, components and and management process if the quality and continuity of supply of
even finished products are sourced from many different countries. The medicines and medical devices is to be assured.
increasingly complex supply chain for these items exposes the limitations
of regulatory oversight by any individual country. This serves to reinforce This PQG Guide provides an important reference text to assist medicinal
the need for all in the supply chain to understand their role and work to product and medical device manufacturers and their suppliers understand
implement and maintain a robust and comprehensive quality system. their respective responsibilities. The examples, in particular, should
help each party to understand the expectations of the other. Company
The MHRA has implemented a risk based approach to the inspection assessments will form a key element of the MHRAs assessment of risk
of pharmaceutical operations as a key element of its Better Regulation and thereby enable regulations to target our resources in co-operation
initiative. This approach recognises to a greater degree the ownership with Industry to further enhance consumer safety.
of pharmaceutical companies of the quality assurance of their total
manufacturing and supply processes. The industry, therefore, is being Risks are part of life, but it is imperative that processes are in place to
expected to take overall responsibility for the quality of its output. identify and manage them in such a way that patients and healthcare
professionals can continue to enjoy a reliable supply of safe and effective
The pressure on the industry to fund research into new products and medicines and medical devices.
embrace technological advances while containing costs and maintaining
material and component availability is challenging and these days Gerald W Heddell, Director
inevitably involves outsourcing to a greater or lesser extent. Risk Inspection, Enforcement & Standards Division, MHRA
Foreword
Contents
General Introduction
Glossary
& Acknowledgements
Bibliography
Part 2 provides an overview of the Risk Management process and Please Note
emphasises that this is a living and reiterative process. The stages follow The authors would like to remind the reader that the guidance given here
a consistent format: is advisory. It is recommended that users supplement their understanding
of Risk Management from some of the publications listed in the
Bibliography.
Purpose Inputs Process Outputs
Foreword
Note about definitions Specific acknowledgements are given for the contributions of the
Structure & Acknowledgements following people:
Although the glossary defines certain terms used throughout this guide,
Contents it is important to make a special point here about possible confusion
over the terms risk, harm and hazard. The definitions of these are taken Authors
from International Conference on Harmonisation (ICH) Q9 as follows: Jill Jenkins, Justin Ahern, David Cock, Sharon Shutler, Richard Smalley,
Sharon Hooper
General Introduction
Risk is defined as:
Supply Chain Considerations QA reviewers
The combination of the probability of occurrence of harm and
severity of that harm. [ICH Q9] Phil Butson, Tony Harper, Rowland Lewis, Linda Nield, Kevin
Risk Management Process MacKenzie, James Pink
Risk Management Toolbox Harm is defined as:
PQG Steering Group
Damage to health, including the damage that can occur from loss
Supply Chain Examples Steve Moss, Ashley McCraight, Norman Randall, Ian Richardson
of product quality or availability. [ICH Q9]
Glossary
Hazard is defined as: Contributors
Bibliography Nina Abbassi, Dr Tim Bateman, Ian Birch, Richard Bream,
The potential source of harm. [ICH Q9]
John Cooper, Annie Dallison, John Evans, Adolfo Ferreira,
Mark Francom, Roland Gassmann, Esme Gibb, Peter Gough,
The first step in the Risk Management process is known widely as
Michael Grunow, Gerard McAteer, Stephen Mitchell, David Mogg,
Risk Identification. This should actually be Hazard Identification, but
Jeff Monk, Iain Moore, Dr Ray Noy, Caroline OBrien, Kevin ODonnell,
for consistency with the ICH Q9 and other international standards the
Richard OKeeffe, Bronwyn Phillips, Patricia Rafidison, 5
authors have kept it as Risk Identification.
Stephan Roenninger, Sandra Routledge, Sandra Skarratt, Neil Smith,
Tony Storey, Lorna Third, Tony Trill, Neil Wayman
Foreword
Contents
General Introduction
Glossary
Bibliography
0 General Introduction p7 Part 3 Risk Management Toolbox p42 Part 4 Supply Chain Examples p78
3.1 Introduction to the Toolbox p42 4.1 Product Contamination p78
Part 1 Supply Chain Considerations p12 3.2 Approach to Implementation p44 4.2 Management of Second Tier Suppliers p80
Appendix 1 - Examples of Different Supply p19 3.3 Risk Assessment p46 4.3 Verification of Artwork p81
Categories and Key Controls 3.3.1 Risk Identification Tools p46 4.4 Warehouse Operations & Pest Control p82
6
3.3.2 Risk Analysis Tools p53 4.5 Temperature Controlled Transportation p83
Part 2 Risk Management Process p23 3.3.3 Risk Evaluation Tools p62 4.6 Change Control - Process p84
2.1 Risk Management Team and p23 3.4 Risk Control p64 4.7 Fraudulent Activities in the Supply p85
Responsibilities 3.4.1 Risk Reduction Tools p64 Chain
2.2 Risk Assessment p25 3.4.2 Risk Acceptance Tools p66 4.8 Errors in Proof Reading p86
2.2.1 Risk Identification p25 3.5 Risk Communication Tools p67 4.9 Change Control Source of Material p87
2.2.2 Risk Analysis p27 3.6 Risk Review Tools p69 4.10 Implementation of a New Process p88
2.2.3 Risk Evaluation p29 Appendix 1 - Worked example: Ranking p70 4.11 Multiple uses of a Material p90
2.3 Risk Control p31 and Filtering for Contractor 4.12 High Bioburden p91
2.3.1 Risk Reduction p31 Management 4.13 Inconsistent Analytical Results p92
2.3.2 Risk Acceptance p33 Appendix 2 -Worked example: Medical p72 4.14 Continuity of Supply p93
2.4 Risk Communication p35 Device Risk Assessment using a 4.15 Lack of Formal Contracts p94
2.5 Risk Review p39 Simplified FMEA 4.16 Effect of Global Supply Chains p95
Appendix 3 - Worked example: Supplier p76 4.17 Effect of not knowing all the links in a p96
Audit Priority using Risk Assessment Transport Chain
4.18 Raw Material Source of Origin p97
4.19 Reuse and Potential Infection p98
Glossary p99
Bibliography p103
Foreword
Contents
General Introduction
Glossary
Introduction
Bibliography
Threats to the supply chain feature in the top ten risks of most companies. 7
Globalisation and the quest for ever more cost effective means of supply 2. Emphasise to the pharmaceutical and medical device industries and
have greatly increased the complexity of the supply chain which can their suppliers the need to
often reduce both the knowledge and understanding of the exposure to a. apply Risk Management when making sourcing decisions (from
risk. The 2009 credit crunch and financial crisis significantly raised the development through to commercial manufacture and distribution)
level of risk of failure of key suppliers. Within the context of globalisation, b. involve the relevant people (procurement, technical, quality,
outsourcing and complex supply chains, there is an increasing emphasis environment, health and safety, etc.) when making sure that
on controls around product quality assurance and security of supply. It adequate and appropriate controls are in place
is the responsibility of each organisation to ensure that their suppliers
3. Encourage suppliers to:
provide products that are fit for purpose throughout the product lifecycle,
from design and development through to supply to the end-user. a. understand the regulatory requirements and expectations of the
pharmaceutical and medical device industries
The objective of this document is to provide guidance on Supply Chain b. use Risk Management as a tool to understand their customer needs
Risk Management and therefore: better
c. identify potential hazards and the risks arising from those hazards
1. Support organisations with varying levels of experience in Risk
that may exist during the manufacture and supply of product (from
Management to apply the principles, by minimising supply chain risk
raw materials to finished goods)
and securing both quality and continuity of supply
Foreword
Risk Management can help organisations safeguard the quality and Figure 1 (following page) shows the ISO 9004:2009 process-based
Structure & Acknowledgements supply of product to customers and ultimately the end user. It is about model, incorporating continual improvement throughout a lifecycle
anticipating hazards and controlling risk through an ongoing process of approach. It shows the importance of information flow between the
Contents
risk awareness, reduction and / or acceptance, and review. This approach organisation and its customers and the value in activities that meet
can help justify improvement and investment where it is needed, and customers needs and expectations.
prevent both potential problems for customers (e.g. product recalls, or
General Introduction even patient harm) and loss of business. The International Conference on Harmonisation (ICH) describes a
pharmaceutical quality system (ICH Q10), which importantly extends
Supply Chain Considerations
Applying the principles of Risk Management can provide many of the to the control and review of any outsourced activities and quality of
Risk Management Process following benefits: purchased materials. It defines the accountable organisation as being
improve and develop business relationships between customers and ultimately responsible for ensuring that processes are in place to assure
Risk Management Toolbox the control of outsourced activities and quality of purchased materials. It
their suppliers, thereby supporting business continuity and security of
product supply requires that these processes incorporate Quality Risk Management as
Supply Chain Examples
defined in ICH Q9 and includes:
reduce costs
Glossary Assessing (prior to outsourcing operations or selecting material
minimise cost of non-conformance suppliers) the suitability and competence of the other party to carry out
Bibliography
improve business efficiency the activity or provide the material using a defined supply chain by use
of, for example, audits, material evaluations and qualification
increase confidence of customers and regulators
Defining the responsibilities and communication processes for quality-
reduce liability
related activities of the involved parties. For outsourced activities, this
increase security of supply should be included in a written agreement between the contract giver 8
avoid waste and scrap and contract acceptor
Monitoring and review of the performance of the contract acceptor or
With respect to outsourcing, ISO 9001:2008 states that: the quality of the material from the provider, and the identification and
where an organisation chooses to outsource any process that implementation of any needed improvements
affects product conformity to requirements, the organisation shall Monitoring incoming ingredients and materials to ensure they are from
ensure control over such processes; and that the type and extent of approved sources using the agreed supply chain
control to be applied shall be defined.
This guide to Supply Chain Risk Management does not introduce new
It further states that outsourced processes do not absolve the concepts; rather it provides guidance on the practical application of
organisation of the: existing risk management models to the supply chain. It is consistent with
responsibility of conformity to all customer, statutory and currently developing industry standards and expectations. Supply Chain
regulatory requirements. Risk Management should be an integrated part of the organisations
business and quality management system.
The Medical Device Directive (Directive 93/42/EEC) has been revised
(Directive 2007/47/EC) and compliance effective from 21st March 2010.
One of the requirements is for organisations to have control over sub-
contractors and third parties. It also requires post market surveillance for
products already in the market.
Foreword
ISO 9004
General Introduction Clause 4
Managing for
Interested Interested
Supply Chain Considerations Parties
the sustained
Parties
success
ISO 9004
Risk Management Process ISO 9004
Clause 9
Needs & Clause 5
Improvement,
Risk Management Toolbox expectations Strategy and ISO 9001
innovation and
policy Clause 5
learning
Supply Chain Examples Management
Facility
Glossary
9
ISO 9001
Customers Clause 7 Customers
Product Product
realization
Information flow
Foundation: Quality management principles (ISO 9000)
Value-adding
activities
1 - Figure 1 is taken from BS EN ISO 9004:2009 and reproduced here with permission from BSI. No other use of this material is permitted. The complete British Standard can be purchased from
the BSI online shop - BS EN ISO 9004:2009
Foreword
This document is based on the pharmaceutical Quality Risk Management The level of effort invested will vary from case to case and should
Structure & Acknowledgements model detailed in ICH Q9 in Figure 2 (below), where Risk Management is be commensurate with the level of risk. Internationally, regulators
defined as: are incorporating official guidance on Risk Management into their
Contents
The systematic application of quality management policies, requirements, and have identified the supply chain as an area of criticality.
procedures and practices to the tasks of assessing, controlling,
communicating and reviewing risk.
General Introduction Implementing Risk Management
Risk Management should be an integrated part of any business and for
Supply Chain Considerations
successful implementation the following are key foundations:
Risk Management Process Initiate there should be top level management support and commitment
Quality Risk Management Process
Risk Management Toolbox start simply and avoid complexity
look at internal and external risks
Supply Chain Examples
Risk Assessment follow the cycle several times, learn, evolve and embed in the
Glossary organisation culture
Risk Identification
Bibliography
Senior management are responsible for ensuring that the key risks to
Risk Analysis the organisation are properly identified, assessed and managed. Their
commitment is required to ensure the risk management framework is
viable and maintained, and that valuable resource is invested correctly
unacceptable
Risk Evaluation and not subsequently wasted. Risk Management should not be
considered as a one off project or event, but as the implementation of a 10
Risk Control
The risk management development activities should provide a
Risk Reduction systematic, effective and efficient way by which risk management can be
embedded and maintained throughout the organisation. These activities
should, as a minimum, comprise the following steps:
Risk Acceptance
planning
implementation and maintenance
Foreword
Structure & Acknowledgements Risk Maturity Level Risk Processes Attitude Behaviour Skills & Knowledge
Scepticism No Formal Processes Accidents will happen Fear of Blame Culture Unconscious
Contents
Incompetence
Awareness Ad hoc use of Stand Alone Suspended Belief Reactive, Fire fighting Conscious Incompetence
Processes
General Introduction
Understanding & Tick Box Approach Passive Acceptance Compliance, reliance on Conscious Competence
Supply Chain Considerations
Application registers
Risk Management Process Embedding & Integration Risk Management Active Engagement Risk-based decision Unconscious Competence
embedded in Business making
Risk Management Toolbox
Robust Risk Management Regular review & Champion Innovation, Confident Expert
Supply Chain Examples
Improvement & appropriate Risk
Glossary Management
Foreword
Contents
General Introduction
Bibliography
A general understanding of how supply chains work and how suppliers are managed is 12
required to provide organisations with a basis from which to implement a structured Risk
Management process. An effective Risk Management process will protect the continuity of
product supply and ensure that end-users receive products that are fit for purpose.
Media focus on contaminated products, for example heparin supplied the health and wellbeing of patients and maintain business continuity. This
from China in 2007, and other supply-related incidents, such as is especially important during times of economic downturn, since cost-
counterfeiting, have emphasised the challenge of managing supply saving measures can increase risk.
chains that extend around the world, where there is great variation in
the standards and controls used. With respect to the heparin issue, the Within each supply chain, there is an organisation that is legally
Food and Drug Administration (FDA) in the US investigated reports of accountable. Each competent and regulatory authority ultimately holds
serious and some fatal adverse events following the use in products of one manufacturer primarily responsible for meeting regulatory quality
heparin supplied from China. Distribution was halted and product recalled requirements. This accountable organisation (pharmaceutical or medical
from the market. The investigation identified that a contaminant molecule device) has ultimate responsibility and cannot relinquish or delegate
similar to heparin was found using a non-routine test. This contaminant (contractually or otherwise) its obligation and responsibility over any or all
was not previously detectable using conventional routine standard functions to their suppliers of products. The accountable organisation is
test methods, and levels between 5% and 20% were found in the final responsible for sourcing suitable suppliers who will support the supply of
product. See page 78 for more detail. its product(s) to the market. It is essential that the relevant functions within
an organisation such as procurement, technical, development, quality,
Sourcing new materials and outsourcing manufacturing or other activities manufacturing and Environment Health and Safety (EHS) work together to
for the supply of product to the end-user requires careful evaluation. All source materials based on agreed and appropriate criteria.
parties in the supply chain need to ensure that their activities both support
Foreword
Competent and regulatory authorities and third parties will assess the The rigour with which a supplier is managed does not exempt
Structure & Acknowledgements accountable organisation to confirm that they have objective evidence responsibility of the supplier for the provision of adequate controls and
of adequate control of their suppliers. The regulators expect that the quality of products, wherever they fit in the supply chain hierarchy.
Contents
organisation complies with requirements, which include evaluating
and approving their suppliers. There is an expectation to see effective All suppliers should recognise their role in assuring mutual business
interfaces between the accountable organisation and each of its suppliers. continuity and take an ethically responsible approach to the potential
General Introduction This holds true regardless of the regulatory standard of the industry sector impact of their actions or inaction. Feedback and communication is
required for the product. Failure to have or to provide access to any essential between the procuring organisation and its suppliers in terms
Supply Chain Considerations
objective evidence of the controls associated with products from suppliers, of requirements, expectations, product end-use, performance measures,
Appendix 1 - Examples of Different Supply could result in the accountable organisations quality system being non- health and safety etc.
Categories and Key Controls
compliant. Depending on the nature of the deficiencies identified, this can
Risk Management Process have significant and serious consequences for the organisation and their Supply chains themselves can be short and simple, or long and
business continuity. convoluted. However, as a result of increasing globalisation and the
Risk Management Toolbox risks inherent in long and complex supply chains, the regulators are
Some suppliers may also undergo some form of oversight by a regulatory encouraging organisations to keep their supply chains short, simple and
Supply Chain Examples
authority, or a third party acting on behalf of a regulatory authority. under good control. A survey published in 2009 by Carla Reed has shown
Glossary This oversight does not absolve an accountable organisation of the that increased outsourcing is challenging product safety and security,
responsibility to establish controls and provide evidence for compliance of largely due to the complexity of outsourcing models, and in particular
Bibliography products obtained from such suppliers. inconsistency in controls at the outsourced facilities.
See Reference No.41
Sourcing decisions should be based on agreed, specified requirements
appropriate to the following stages of product lifecycle: Figure 3 (below) shows the various functional activities and the 13
experimental design supporting services that may be involved in product development
and supply. An organisation may choose to outsource part or all of
investigational or clinical trial material their activities. It is essential that organisations understand how their
commercialised product supply chains and interfaces work. This should apply throughout all
phases of the product lifecycle from design and development to routine
manufacture, supply and discontinuation.
Product / Service
Supplied materials Manufacturing Warehouse End user
Design & Packaging
/ products & Testing & Distribution / customer
Development
Foreword
Figure 4 (left) illustrates a typical supply chain based upon hierarchical
Structure & Acknowledgements End customer tiers, where suppliers can be far removed from the ultimate end-user
/ patient and can still potentially have a significant impact. The more complex the
Contents
supply chain, the more difficult it is to control, and the greater the risk of a
Transport / Distribution supply chain impact on the quality of the end product.
General Introduction Wholesale / retailer Hazards and their associated risks can be present anywhere throughout
/ pharmacy the supply chain. Risks may be compounded or increased by further
Supply Chain Considerations
processing, thus creating a hazard at a later stage. In the worst case,
Appendix 1 - Examples of Different Supply Transport / Distribution those hazards may not become apparent until too late, after finished
Categories and Key Controls
product has been released to the market. For example, there may be an
Pharmaceutical and adverse effect on long-term stability. Therefore, it is in the interests of all
Risk Management Process Medical Device
Industry stakeholders, including regulatory authorities, that hazards are identified
Risk Management Toolbox and the resultant risks are managed throughout every tier of the supply
chain. Good communication between all parties is required to do this
Supply Chain Examples
effectively.
Brokers / Distributors /
Glossary Transport companies
Tier 1 suppliers
Various problems can manifest themselves at any part of the product
Bibliography lifecycle, from the source of raw materials used to manufacture the
product through to the compliance of the end-user using the product
correctly. Problems in the supply chain can have an impact on products
Supplier A Tier 2 suppliers Supplier B as well as business continuity, product performance and security of 14
supply. In order to protect both the end user and the accountable
organisation, it is necessary to identify the potential hazards and assess
their resultant risks, before implementing ways to control or mitigate them.
Brokers /
Tier 3 suppliers Distributors / For the accountable organisation and its suppliers to manage risk
Transport companies effectively, it is worth reflecting that the sources of risk throughout the
tiers of supply can be both external and internal to the organisation
and its suppliers. Some examples are shown in Table 2 (following
page) where the column on the left lists some external risks that can
Supplier C Tier 4 suppliers Supplier D be mitigated through planning and action, leaving only a few that are
unknown or outside of the organisations control. The column on the right
identifies some internal risks which can be managed and mitigated.
Foreword
The objectives of a global supply chain are to deliver products to the
Structure & Acknowledgements External Internal
market whilst saving cost, time and resources. This has increased the
Increase / decrease in demand Non-conformity level of risk and the likelihood of impact from supply chain disruption.
Contents
Capacity / resources changes Rejection of a batch The contamination of heparin will have far reaching ramifications for
accountable organisations and the regulators. At the very least it serves
Fluctuating exchange rates Product recall
as a warning to the industry that nothing can be taken for granted when
General Introduction Political climate / instability Capacity / resource issues sourcing materials and outsourcing manufacture or other critical activities.
Greater exposure to global Reduced inventory Related examples on page 78 and page 85
Supply Chain Considerations
social, political and financial Cost reduction programmes
Appendix 1 - Examples of Different Supply Medicines and medical device counterfeiting is a growing threat
Categories and Key Controls
environments
Single sourcing versus dual worldwide. It was estimated by the World Health Organisation (WHO)
Takeovers / mergers sourcing
Risk Management Process in 2006 to be 30% of total supply in South America, sub-Saharan Africa
Legal status (regulatory Inadequate supplier selection / and India. Regulators have been investigating incidents where batches of
Risk Management Toolbox restrictions in individual qualification process counterfeit medicines have reached pharmacies and patients. A number
markets and of supplier) of these have been found at wholesale dealer level. Supply chains can be
Supply Chain Examples Longer / more complex supply
Environmental responsibilities chains long and convoluted, involving a number of storage or transit locations and
Glossary Counterfeiting / fraud a variety of transport systems. In the UK, MHRA has developed proposals
Complex processes
in response to the need to raise standards of practice in some sectors of
Bibliography Facility disaster disaster Inadequate monitoring process the supply chain in order to bring all operators up to the required standard.
planning or oversight controls / interface See Reference No. 30
Materials, product, service Non-conformance with
supply interruption contracts / agreements The European Medicines Agencys (EMEA) GMP / GDP Inspectors 15
Termination of materials or Working Group are working on a revision to Chapter 7 of the EU GMP
Staying with poorly performing
services Guide, contract manufacture and analysis. This is in response to a lack
supplier & not progressing
of clarity, both within industry and inspectorates, regarding the scope
Uncontrolled variation in improvement or exit strategy
of activities that should fall under this chapter, and what constitutes
materials Inadequate communication satisfactory documented arrangements for contracted activities. In
Unexpected contaminants in Facility disaster addition to manufacturing, packing and analytical activities, this chapter
supplied product will be relevant to the following:
Transportation / storage
Deliberate or accidental events artwork generation and print ready material
adulteration
Lack of technical knowledge assessment and sourcing of starting and packaging materials
Unknown or poorly controlled
Personnel / organisational washing and depyrogenation and / or sterilisation of packaging
use of brokers / agents
changes materials used in manufacture
Distribution / transportation /
Lack of adequate storage and distribution
storage events
documentation control
Inadequate communication maintenance and calibration of equipment and premises
Increasing process variability
Lack of adequate qualification and validation work for new premises
documentation control professional services for GMP audits of suppliers
Complex processes hosting of IT functions
Table 2 - Examples of hazards / events creating risks that are either external or document archiving and storage
internal to an organisation
Foreword
High potential risk in complex processes and systems Consideration of hazards and their associated risks in
Structure & Acknowledgements the supply chain
National Aeronautics and Space Administration (NASA) defined systems
or processes that are time dependent, rigidly ordered, requiring precision, As part of planning activities, the organisation should identify any hazards
Contents
and with only one path to a successful outcome, as being tightly coupled associated with the products to be procured. Some examples of key
(closely linked). They identified that where such systems or processes questions are as follows:
are complex and activities closely linked, failures can arise due to many is the product off-the-shelf or custom made?
General Introduction
seemingly unconnected events and may go undetected.
how complex is the product to manufacture?
Supply Chain Considerations
A good example is the control of changes relating to the packaging and is the process adequately defined and understood?
Appendix 1 - Examples of Different Supply
Categories and Key Controls artwork of medical products. Such changes can sometimes be highly what is the criticality of the product to the compliance of the end-
complex, because inputs can be required from a number of internal product?
Risk Management Process and external stakeholder groups prior to implementation. Stakeholders
would any product specification failure be detectable by the
can include manufacturing, marketing, regulatory affairs and printing
Risk Management Toolbox organisation prior to use?
contractors. Interactions are necessary in order to communicate and
Supply Chain Examples schedule product manufacturing activities with the changed packaging or what is the detectability of non-conformity in the product supplied and
labelling component. how it can be corrected?
Glossary is packaging, storage and distribution fit for the product characteristics?
Complex systems and processes often present high risk for organisations.
Bibliography is the supplier currently approved to supply products to the
Many regulatory non-conformities have been identified over recent years
organisation or are they a new supplier?
in the areas of product packaging and labelling. These were frequently
attributed to the poor management of changes in packaging and artwork what is the percentage of supply to the organisations business sector?
components, resulting in the cessation of batch release activities in some 16
organisations, and subsequent market shortages of medical products. Information about potential suppliers should be used to determine
Investigations revealed that procedures and systems in place for additional potential supply and business risks and include the following:
packaging and artwork change control were usually: financial viability of supplier
highly convoluted continuity of supply
had many interdependencies liability
subject to tight timelines amount of work awarded to supplier in view of the suppliers overall
described as being complex and tightly coupled capacity
technical capability
Within a single organisation there can be a lack of clarity or understanding
of how the whole process works and how different groups are involved distribution and transportation considerations
or interact in that process. When more organisations are involved this agents and brokers (potential for agents and brokers to change source
becomes increasingly difficult. of supply)
capital investment needed
Decoupling and reducing system complexity can be a useful risk mitigation
strategy particularly in critical manufacturing environments and supply single source suppliers i.e. vulnerability
chains. Process mapping or flowcharting is a useful tool to use here, and supplier company legal status (licensing)
by involving the relevant key stakeholders, a shared understanding of the
ethical / political acceptability
overall process can help to identify potential hazards particularly across
functional interfaces. See Example Flowchart does the supplier have a disaster / contingency plan for supply?
Foreword
does the supplier manage their suppliers adequately? The following lists some items that should be considered during sourcing
Structure & Acknowledgements and supply chain review:
does the supplier have a culture of continuous improvement?
Contents knowledge of the complete supply chain and all organisations within it
The procuring organisation is responsible for communicating and change control and notification from suppliers
agreeing the product requirements with the supplier. It may request
data and / or sample product in order that the potential supplier can supplier audits or technical visits (note that this requirement should be
General Introduction included in any agreement for a critical supplier)
demonstrate their ability to meet the specified requirements. When
Supply Chain Considerations defining initial supplier arrangements, the relevant information should be control of second or further tier suppliers via specifications or
communicated for consideration. The organisation should ensure that Agreements
Appendix 1 - Examples of Different Supply
Categories and Key Controls the relevant people are involved in specifying, reviewing and evaluating
sampling / testing / verification
information and should include as a minimum, technical and quality
Risk Management Process representatives. Certificates of Analysis / Conformity
formal requirements (e.g. specific certificates, accreditation, contracts /
Risk Management Toolbox
Technical Agreements etc)
Supply Chain Examples Consideration of controls for managing the supply chain
methods for measuring performance e.g. process capability indices
Risk Management is an effective means of identifying the necessary
Glossary controls required. To do this requires knowledge of the complete supply correction, reworking, investigations
chain and all the organisations involved within it. Then the activities of the batch / lot sizes
Bibliography
organisations in the supply chain should be reviewed to identify what is
inventory control; (First-In-First-Out (FIFO), time limit / target)
critical to the product and what could go wrong.
traceability (process, product, equipment, operators)
In some instances it may be necessary for the organisation to ensure 17
Radio Frequency Identification (RFID) or other security tag system
control beyond the first tier supplier due to potentially serious effects
document / sample retention periods
of changes made by a second, third or fourth tier supplier see Figure 4
(page 14). The organisation should ensure when developing controls, protection of intellectual property
that they comply with relevant regulatory requirements such as Good
Manufacturing Practices (GMPs); occupational health and safety Different categories of supplier and examples of some of the key controls
legislation, environmental protection legislation etc. are shown in Appendix 1 of this Part.
Examples of controls are included in Figure 5 (following page) which is The organisation should seek to continually improve the quality and
adapted from the Global Harmonisation Task Forces guidance on the delivery of products based on periodic supplier performance evaluation,
control of products and services obtained from suppliers. On the right feedback and consideration of cost. It is important to continually review
hand side under objective evidence some of the controls are listed. and strengthen relationships with suppliers, while balancing the short
Reference GHTF Guidance and long term objectives. Risk Management activities provide a basis for
sharing identified hazards and mitigating the risks resulting from those
hazards throughout the product and supplier lifecycle. It demonstrates
that all parties are taking a responsible approach in ensuring product
quality and safety and security of supply. Auditors or assessors expect
organisations to be able to demonstrate that they manage their supply
chains effectively and risk management provides the means to do this.
Foreword
Objective evidence
Structure & Acknowledgements
Product specifications / part
requirements, instructions
Contents
Planning
Identify potential Potential supplier contact details
Identify technical & Product / Process
Describe requirements supplier(s) (existing Identify controls Risk Assessment
process information Risk Assessment
approved / new) Product / process controls
General Introduction
selection
Supplier
Categories and Key Controls Review existing suppliers
Plan for evaluation Select potential Investigate operational Identify business
Due diligence / audit report
& selection criteria supplier(s) capability of supplier(s) capability of supplier(s)
Risk Management Process Supplier capability detail
Purchasing information
Risk Management Toolbox
inspection, acceptance
Performance
Performance measurement
Corrective Receive product Data analysis
Problems Periodic re-evaluation
action YES Acceptance criteria Records of corrections / investigations
identified? of supplier
required? Measurement & monitoring
Analyse data
YES
NO
NO
YES Manufacturer &/or supplier
communication
correspondence
Feedback &
NO
Review impact on other products
supplied
Supplier exit
strategy
Figure 5 Guidance on Control of Products during Supplier Lifecycle Management (adapted from GHTF/SG3/N17:2008)
Foreword
Contents
Foreword
Structure & Acknowledgements Supply Category Additional examples of key requirements for Suppliers
Raw Materials Industry standards where relevant.
Contents
Adequate product testing performed to confirm compliance with customer specifications .
Appropriate Quality / Technical Agreement to define roles & responsibilities of each party (contract giver / contract
General Introduction acceptor).
Full traceability of raw materials to the site of origin, including processing aids used in manufacturing
Supply Chain Considerations
processes with respect to animal / non-animal derivation and safeguards against Transmissible Spongiform
Appendix 1 - Examples of Different Supply Encephalopathies (TSE), and phthalates.
Categories and Key Controls
Cross-contamination control precautions in place e.g. cleaning, line-clearance, appropriate segregation of activities
Risk Management Process and good housekeeping.
Risk Management Toolbox Manufacturing / Packaging Effective quality documentation system compliant with required regulatory standard e.g. EU Guide to GMP part 1
contractors or 2, 21-CFR -210 / 211, 600, 820 as appropriate.
Supply Chain Examples
Quality / Technical Agreement to define roles & responsibilities of each party (contract giver / contract acceptor).
Glossary
Supply agreement or commercial contract to define business requirements.
Bibliography Appropriate licensing and regulatory history.
Clear lines of communication.
Control of outsourced activities (Quality / Technical Agreements, specifications etc.). 20
Effective control measures, staffing and facility appropriate to the product being manufactured.
Laboratory / Analytical Operate to appropriate industry standard e.g. ISO 17025, Good Control Laboratory Practice (GCLP), Good
Testing contractors Laboratory Practice (GLP), Good Clinical Practice (GCP).
Quality / Technical Agreement to define roles & responsibilities of each party (contract giver / contract acceptor).
Appropriate licensing and regulatory history.
Full traceability of customer samples.
Testing performed to customer and pharmacopoeial specifications.
Effective out-of-specification result management procedure.
Packaging component Reference, ISO 15378, PS 9000, PS 9004, also country specific legislation relevant to the product e.g. GMP
manufacturers (primary, differences.
secondary, tertiary) Certification scheme.
Quality / Technical Agreement to define roles & responsibilities of each party (contract giver / contract acceptor).
Effective mechanisms in place for customer approval of labels and prevention of mix-ups.
Planned preventative maintenance and calibration of automated packaging lines.
Foreword
Structure & Acknowledgements Supply Category Additional examples of key requirements for Suppliers
Printed Packaging suppliers Effective quality documentation system compliant with required regulatory standard e.g. EU Guide to GMP, PS
Contents
(artwork, origination) 9000.
Certification scheme.
General Introduction Quality / Technical Agreement to define roles & responsibilities of each party (contract giver / contract acceptor).
Participants in approved Certification scheme.
Supply Chain Considerations
Appendix 1 - Examples of Different Supply
Manufacturers of product Appropriate materials of construction for product contact component (e.g. pharmacopoeial recognised plastic or
Categories and Key Controls contact consumables food grade).
Risk Management Process Full traceability of raw materials to the site of origin, including processing aids used in manufacturing
processes with respect to animal / non-animal derivation and safeguards against Transmissible Spongiform
Risk Management Toolbox Encephalopathies (TSE).
Supply Chain Examples Adequate product testing performed to confirm compliance with customer specifications and industry standards
where relevant.
Glossary
Free from chemical and microbial / particulate contamination and easy to clean / sterilise.
Bibliography Manufacturers of product Legible & fully completed documentation covering factory acceptance testing, calibration certificates and material
contact equipment conformity certificates.
Agreed customer requirements.
21
Appropriate materials of construction used for product contact surfaces (e.g. 316L stainless steel, pharmacopoeial
recognised plastic) that are easy to clean and sterilise.
Instruments used for calibration are traceable to international standards e.g. United Kingdom Accreditation
Services (UKAS) / National Association of Measurement and Sampling (NAMAS).
Minimal particle generation produced by moving parts (e.g. pumps).
Wholesalers, Warehouse & Reference Good Distribution Practice (GDP) and appropriate country legal requirements for the product e.g. MLX
Distributors 357, FDA Globalisation Act.
Approved, contractual agreement with customer.
Designated Responsible Person where appropriate.
Effective stocktaking, security, pest and segregation controls at storage facility with good housekeeping.
Temperature control and monitoring of storage area and distribution.
Full traceability of chain of custody for the customers product; effective recall procedures.
Service providers (e.g. Approved contractual agreement with customer.
calibration, utility, pest Specification of work and controls.
control, cleaning etc)
Defined service level with traceability appropriate to reference standards for materials and instruments used.
Appropriate training for service provided.
Foreword
Structure & Acknowledgements Supply Category Additional examples of key requirements for Suppliers
Software, automated systems EU GMP part 1 annexes 11 and 15; Code of Federal Regulations (CFR) Part 11.
Contents
and IT Knowledge of a risk-based approach to compliant GxP systems (Good Automated Manufacturing Practice
Guidelines) (ISPE GAMP-5).
General Introduction Complete and legible documentation with traceability of software changes from initial development to master copy.
Availability of master copy of software for back up purposes and disaster planning.
Supply Chain Considerations
Agreement on ownership of source code.
Appendix 1 - Examples of Different Supply
Categories and Key Controls Provision of technical support.
Risk Management Process Consultants Full curriculum vitae available for review.
22
Foreword
Contents
General Introduction
Glossary For the product / process being assessed it is fundamental that the relevant process
Bibliography
experts are consulted to ensure accurate and complete data / information. It is
recommended that the risk management process is undertaken by interdisciplinary teams
(people with the necessary expertise representing relevant operational functions within the
organisation or supply chain).
Involvement of individuals may vary from stage to stage. Note that in Stakeholders are commonly divided into four categories: Responsible,
smaller organisations / supply chains this may be limited to just a couple Accountable, Consulted and Informed (RACI). This division can aid
of people. appropriate communication (see Table 3 following page). It is beneficial
to develop a matrix to identify the roles of different individuals associated
Consider the example which illustrates the importance of having the right with the risk management process at the beginning so that responsibilities
team. See Example throughout the process are clear.
Foreword
Contents Responsible Those who do the work to achieve the task. There is typically one role with a participation type of Responsible,
although others can be delegated to assist in the work required.
Accountable There should be only one Accountable person specified for each task or deliverable. An Accountable signs off
General Introduction (also Approver / Final Approver) (approves) the work provided by Responsible person(s).
Supply Chain Considerations Consulted Those whose opinions are sought; and with whom there is two-way communication.
Informed Those who are kept up-to-date on progress, often only on completion of the task or deliverable, or at key
Risk Management Process
milestones; communication is typically just one-way.
2.1 Risk Management Team and
Responsibilities
2.2 Risk Assessment Table 3 RACI roles and responsibilities
2.2.1 Risk Identification
2.2.2 Risk Analysis
2.2.3 Risk Evaluation
2.3 Risk Control
2.3.1 Risk Reduction
2.3.2 Risk Acceptance
2.4 Risk Communication
2.5 Risk Review
Glossary
Bibliography
Foreword
Contents
General Introduction
Input
2.2.1 - Risk Identification QRM Overview Risk Identification requires information about the process to be assessed.
The scope should be defined to ensure focus and appropriate use of
Purpose resource. This will also help to define what data / information may be
Risk identification is defined as: relevant and / or should be examined to identify potential hazards.
Foreword
In terms of the supply chain the following should be considered: Process
Structure & Acknowledgements
each supplier within the whole supply chain Risk Identification is the process of identifying hazards and their related
Contents what is supplied (material / product / service) risks. Brainstorming is a useful tool to use to generate information
and ask what can go wrong? for each step in the process. Whatever
the structure of the supply chain and interfaces between / within the activity being assessed, it is recommended to map the process
organisations, their suppliers and suppliers to the suppliers concerned. This enables potential risk areas to be easily identified,
General Introduction
security of the supply chain (potential for contamination or tampering) agreed and visualised by the appointed interdisciplinary team. It is
Supply Chain Considerations important for completeness to ensure that interfaces between processes
internal processes used to manage the organisations suppliers
are also identified as this is where problems may easily go undetected.
Risk Management Process internal production processes Information to support Risk Identification can come from various sources,
2.1 Risk Management Team and such as for example:
Responsibilities Data / information can take many forms, for example:
2.2 Risk Assessment
internal and external factors throughout the supply chain Open Table
quantitative data / information - numbers, figures, measurements and
2.2.1 Risk Identification known deviations / non-conformities
2.2.2 Risk Analysis variables
2.2.3 Risk Evaluation near miss events (valuable source of potential risk areas)
qualitative data / information attributes (yes / no, go / no go)
2.3 Risk Control
complaints
2.3.1 Risk Reduction soft data / information subjective opinions / historical / experience /
2.3.2 Risk Acceptance process complexity and interactions between processes internal / external audits
2.4 Risk Communication
2.5 Risk Review components of the process under assessment, such as:
Many professionals and organisations often assume that all relevant
- people, premises, equipment, materials
Risk Management Toolbox information takes the form of formalised (hard) quantitative and qualitative
- QA / QC 26
data / information. This information is valuable and easily evaluated,
Supply Chain Examples however, soft data / information should also be included otherwise it is - services
likely to leave many gaps. See Figure 6 for sources of information. - utilities
Glossary - transportation, logistics
Bibliography Data / Information - agents and brokers in supply chain
- environmental factors
Hard Data / Information Soft Data / Information
business stability / continuity:
Facts Observation - capacity increase / decrease versus capability
- rate at which the company has expanded / contracted
Measurements Experience - staff turnover etc
quality system and technical capabilities
Assumptions
Analysis results management review
(based on experience)
opportunities for cross-contamination
Trends Key
inherent process risks
= Qualitative
Variables knowledge in the public domain (e.g. news, regulatory actions,
= Quantitative legislation, etc)
Attributes = Both supplier performance e.g. Key Performance Indicators (KPI) / Critical
Process Parameters (CPP)
Figure 6 - Sources of Information that can be used in Risk Identification
Foreword
Output 2.2.2 - Risk Analysis QRM Overview
Structure & Acknowledgements
The output of the Risk Identification stage is a list of known and potential
Contents sources of harm (hazards), referring to the risk question, and their Purpose
associated risks, based on the information available at that time. There Risk Analysis is defined as:
is no guarantee that all hazards and associated risks can be identified at
any given time as processes may change. It is important to understand The estimation of the risk associated with the identified hazards.
General Introduction [ICH Q9]
that these changes and other events may influence the outcome and
Supply Chain Considerations will require further review and reassessment, to determine the level of
risk based on the combination of the probability of occurrence and the This step of the Risk Management process attempts to estimate the level
Risk Management Process severity of that harm. Depending on the Risk Identification tool used and of risk in terms of severity of harm, likelihood of occurrence and detection.
2.1 Risk Management Team and the scope of the assessment, potential risks may be categorised prior to It provides a quantitative or qualitative estimate of each risk.
Responsibilities analysis. For example:
2.2 Risk Assessment
2.2.1 Risk Identification product quality risks
2.2.2 Risk Analysis
Input
business risks
2.2.3 Risk Evaluation Prerequisites
2.3 Risk Control risks associated with raw materials Following the completion of the Risk Identification stage there should
2.3.1 Risk Reduction
risks associated with machinery be sufficient confidence that at least the significant hazards have been
2.3.2 Risk Acceptance
2.4 Risk Communication captured.
risks associated with people etc
2.5 Risk Review
Corporate Social Responsibility - environmental / social risk e.g. The most appropriate Risk Analysis tool or combination of tools should be
Risk Management Toolbox dealing with low price suppliers who pollute the environment or exploit chosen. As there may be only limited data during the early stages of Risk
27
their workforce. Management, the choice of tool may be restricted. As experience grows,
Supply Chain Examples
there may be a transition to the use of various and more complex tools.
Glossary At completion of this step there should be confidence in answering
the question What might go wrong? for the product / process under Part 3, the Toolbox gives examples of a range of available tools and
Bibliography techniques from simple to complex. Open Toolbox
assessment. At this stage risks will not be evaluated as critical or non-
critical as this level of risk understanding will be achieved through the
Risk Analysis and Risk Evaluation stages. However, it is important to note Considerations
that different mitigation approaches may be used depending on the nature Both qualitative and quantitative input data can be processed using the
of the risks identified. Be aware that there will be unidentified and / or chosen tools. Some risk tools require hard data rather than soft data
unidentifiable risks to the organisation. (subjective opinion) therefore it may be necessary to have a mechanism
to convert soft data into hard data where possible. This can be achieved
The output from Risk Identification should be agreed, documented and by generating comparative scoring to produce semi-quantitative data.
communicated to relevant stakeholders.
The relevant operational experts should provide detailed and up-to-
date knowledge of current and historical process performance. Where
knowledge does not exist or data is unavailable, then methods to source
this information should be initiated in the long term. In the short term, best
estimates can be made on the basis of assumptions, provided these are
clearly identified, explained and considered at the review stage. Significant
decisions based on subsequent recommendations should always reference
the original assumptions and further reviews should be scheduled.
Foreword
Table 4 (above) illustrates the advantages and disadvantages of different It is recommended that where an organisation has little or no experience
Risk Management Toolbox
types of Risk Analysis tools. It also demonstrates that limited data may of any particular tools, or are not required by customers to use a certain 28
Supply Chain Examples exist in early stages of implementing Risk Management. With experience, tool, then they initially use a qualitative tool. Once expertise in the
there may be a transition from the use of Qualitative to Quantitative tool has been gained and supporting systems established, then the
Glossary tools. Both techniques are equally valid and fit for purpose. However organisation can progress with the use of increasingly more quantitative
Quantitative tools are often perceived to be beneficial after several full tools. This approach means, that for the same investment of time, at each
Bibliography
cycles of the Risk Management process as more information is obtained repetition of Risk Analysis, an increasing percentage of time is dedicated
and accuracy is demanded. to improving the confidence of the risk estimation, and therefore adding
more value and confidence in the output each and every time.
Ultimately the decision of which Risk Analysis tool to use depends upon:
the risks identified Example of subjective assessment: Company A does not have a supplier
complaints system. The logistics manager knows that Supplier X is the
the precision of the data or opinions that define the risks worst offender for late deliveries because the logistics team are always
what tools customers / suppliers use complaining about them. However, the logistics manager does not know
how they compare with Supplier Y as there is no data to show how each
how accurate the output needs to be
is performing. This demonstrates a gap in the organisations systems and
how quickly the output is required supplier performance metrics / data related to risk management.
Foreword
Foreword
Process Output
Structure & Acknowledgements
In order to compare the Risk Analyses against an agreed level of tolerable No final decision is made in this step. The output consists of two data sets
Contents risk, it is easier to rank or sort these in order of descending risk. (above and below the level of tolerable risk) that can be checked further or
The Risk Evaluation process is summarised as follows: be used as the basis for either Risk Reduction or Risk Acceptance.
1. Rank or sort risks from the Risk Analysis step
The output should be communicated to all relevant stakeholders especially
General Introduction 2. Check that the data is complete and valid the Risk Control owner. Formal records should be retained for a suitably
Supply Chain Considerations 3. Determine if the level of tolerable risk is appropriate defined period to provide evidence of the basis for any decisions made and
enable ongoing reiteration / review.
4. Review the Risk Analysis output against the level of tolerable risk
Risk Management Process
5. Compare the output to see if it is acceptable or higher than the level
2.1 Risk Management Team and
Responsibilities of tolerable risk
2.2 Risk Assessment
6. Document the evaluation
2.2.1 Risk Identification
2.2.2 Risk Analysis 7. Communicate the findings to the necessary people
2.2.3 Risk Evaluation Open Risk Communication
2.3 Risk Control
2.3.1 Risk Reduction
2.3.2 Risk Acceptance The Risk Analysis output should be organised (filtered, ranked etc) to
2.4 Risk Communication ensure that those of most significance (i.e. above the level of agreed
2.5 Risk Review tolerable risk) are identified for Risk Reduction. Those below the level of
tolerable risk can go forward as residual risk for the Risk Acceptance stage.
Risk Management Toolbox
In some tools using a simple two-dimensional arithmetic scale, risk can be 30
Supply Chain Examples ranked as high / medium / low risks and the combination of probability and
severity can be evaluated, by simply multiplying the factors. Those risks
Glossary which have a higher score can be highlighted for immediate mitigation.
There are more sophisticated models for setting a more precise level of
Bibliography
tolerable risk. Setting a level of tolerable risk is probably the step where
both experience and evolution of the risk management process can provide
most value.
Foreword
Contents
General Introduction
Foreword
Process Output
Structure & Acknowledgements
Where risks have been evaluated as requiring action, a decision has to Decisions and actions relating to Risk Reduction should be documented
Contents be made as to whether or not: and approved. Approval should endorse resource allocation, timelines
the organisation (or its stakeholders) require each risk to be controlled and implementation strategy, and be communicated to all relevant
stakeholders including any residual risk.
the feasibility to technically, safely or economically reduce each of the
General Introduction risks Examples of reducing risk in the supply chain include the following:
Supply Chain Considerations define / map the supply chain to provide visibility of controls including
It is important to note that at this stage several theoretically possible
solutions to reduce or eliminate risks may be identified. However not all security and authenticity of materials and services
Risk Management Process
actions will be practical to implement in either a reasonable timeframe, implement a robust supplier qualification process
2.1 Risk Management Team and
Responsibilities at a reasonable cost, or even be technically possible. At this point, the implement a supply contract to ensure consistent supply and
2.2 Risk Assessment principles of As Low As Reasonably Practical (ALARP) may be applied. controlled costs
2.2.1 Risk Identification Some actions may be possible or preferable to others, and these may
2.2.2 Risk Analysis
reduce the risk to an acceptable level (see Risk Acceptance section). implement a Quality Agreement or Technical Agreement to ensure
2.2.3 Risk Evaluation responsibilities are clearly defined and understood by all parties with
2.3 Risk Control
When determining actions it is important to consider the following with clear specifications
2.3.1 Risk Reduction
2.3.2 Risk Acceptance input from the relevant experts: ensure that the supplier understands what the products / services they
2.4 Risk Communication supply are used for
2.5 Risk Review
available resources
capability (organisation, suppliers and suppliers to suppliers) have regular meetings between both parties to ensure effective
Risk Management Toolbox communication, better understanding and co-operation in making
policy (EHS, quality, finance and ethics) 32
improvements to control risks
Supply Chain Examples
There may also be both primary and secondary risks, where for example influence the supplier to ensure that they develop a proactive risk
Glossary the supplier may be the primary risk and their supplier may be a management process
Bibliography secondary risk; both may need to be reduced. implement metrics / key performance indicators that are tracked by
both parties
Risk Reduction actions that are identified for implementation should
identify and implement a second source of supply that is not subject
be examined in terms of their impact on the overall Risk Management
to the same risks as the original source of supply e.g. does not
process. Consider the following questions:
manufacture in the same region, does not have the same suppliers or
are any new risks introduced as a result of the identified risks being is not subject to the same energy or transport limitations
controlled?
identify and qualify a new supplier where the existing supplier is
is one significant risk being replaced by another? currently not capable and / or cannot be improved in an acceptable
should a reiteration or part of the Risk Assessment process be timeframe
performed?
Foreword
Different strategies can be applied to manage and control risk. For Reduction in risk is beneficial and to be encouraged, however there
Structure & Acknowledgements example, the supply from one company to another can be disrupted may be circumstances where there is no reasonably practicable way
or cease in the event that the original site of manufacture closes. The of reducing it or no added value at this time based on prioritisation. The
Contents
transfer of production to another site where the material / product has risk still exists therefore senior management need to formally accept this
not been made before presents a potentially high risk to the business. decision and its implications.
Technically it is possible (unless the skills and knowledge have been
General Introduction lost). The decisions of one organisation on both economic and technical Being aware of risks at least enables an organisation to monitor the
grounds, can present a significant and direct impact on the organisations situation and be more able to respond in an appropriate way should the
Supply Chain Considerations
customers and / or suppliers and their ability to function. In any case, situation change. Once known some risks can be mitigated further along
Risk Management Process another way will need to be found to ensure product continuity. in the supply chain as a holding situation, whilst longer term improvements
are implemented. For example, to reduce the risk of receiving material that
2.1 Risk Management Team and
Responsibilities Where the impacted customer is a pharmaceutical or device does not meet specification, the organisation may increase testing and
2.2 Risk Assessment manufacturer, the risk is not only one that could prevent manufacture, but inspection in order to mitigate the risk until there is assurance of supplier
2.2.1 Risk Identification could require lengthy and costly changes to the product licence or device capability.
2.2.2 Risk Analysis registration. Delays in supply to the market could result in the inability to
2.2.3 Risk Evaluation
meet a patients medical needs and / or severe criticism or fines from the
2.3 Risk Control
2.3.1 Risk Reduction regulatory authorities where this could seriously impact the end-user, the Input
2.3.2 Risk Acceptance patient. Risk Evaluation should have been completed and the list of risks above
2.4 Risk Communication
the agreed tolerable level should have undergone Risk Reduction, unless
2.5 Risk Review In many cases, the ways of reducing risk are simple and do not have this has been decided not to be appropriate. Before taking the decision to
significant costs, if these are identified and planned for in sufficient time. accept or reject, the following questions should be considered:
Risk Management Toolbox
Costly risk reductions are usually the result of insufficient planning or 33
have the right people been involved?
Supply Chain Examples insufficient co-operation between customers and suppliers. For example,
calling an equipment supplier in response to the breakdown of critical have the right tools and techniques been used?
Glossary equipment can be costly and cause delays in manufacture compared with has anything been missed?
having a Planned Preventive Maintenance (PPM) programme in place.
Bibliography is all the information available?
are the assumptions valid?
2.3.2 - Risk Acceptance QRM Overview
Purpose Process
Risk Acceptance is defined as: Once the risks are understood and appropriate actions proposed, a
formal review should be performed. Risk Acceptance is a decision by an
The decision to accept risk [ISO Guide 73]
organisation to continue to operate without any action to reduce a given
risk on the grounds of either:
Whereas Risk Reduction is a decision step to agree to take action, Risk
Acceptance is a decision step to accept the level of risk or residual risk the risk was below the tolerable level (either before or after risk
or to take no further action. A key part of Risk Acceptance is to formally mitigation)
record the decision by management and communicate this to the business the risk cannot be reduced at this time
and relevant stakeholders. Open RACI
Foreword
Output
Structure & Acknowledgements
Once the consequences and costs of any action or inaction have been
Contents explored and accepted as being appropriate, then these need to be
formally communicated within and between the respective organisations.
Records should be maintained.
General Introduction
An example of a risk that may be accepted is where a product is to be
Supply Chain Considerations discontinued. If the risk mitigation decision involved making a change
of supplier or investment, this may not be feasible for this product and
Risk Management Process therefore the risk may be accepted with no action.
2.1 Risk Management Team and
Responsibilities The continued acceptability of risks from this stage should be part of
2.2 Risk Assessment Risk Review.
2.2.1 Risk Identification
2.2.2 Risk Analysis
2.2.3 Risk Evaluation
2.3 Risk Control
2.3.1 Risk Reduction
2.3.2 Risk Acceptance
2.4 Risk Communication
2.5 Risk Review
Glossary
Bibliography
Foreword
Contents
General Introduction
Foreword
Who? What?
Structure & Acknowledgements
The first step in any successful communication process is to identify the The information that requires communicating may change over time as
Contents relevant stakeholders, for example those in Table 6 (below). These will inputs and outputs to the Risk Management process develop. The who,
be the individuals, parties, groups and / or functions who; when and how may also change over time.
have an impact (direct or indirect) on the product / service
Communication can be formal or informal. This will depend on the
General Introduction have an interest in the activities or project following:
Supply Chain Considerations have to act on the outputs of the Risk Management process the needs of the parties involved
Risk Management Process the stage / step of the Risk Management process
These stakeholders need to be identified and included where and when
2.1 Risk Management Team and necessary at each Risk Management stage. It is useful to document such the nature of the inputs / outputs (e.g. data, information)
Responsibilities
2.2 Risk Assessment
stakeholders as part of the overall process. This is common practice in the timelines & urgencies
2.2.1 Risk Identification project management activities.
2.2.2 Risk Analysis Important points can be captured in meeting minutes, but key decisions
2.2.3 Risk Evaluation from Risk Control should be formally documented to permit traceability
2.3 Risk Control Internal External
and review. The type of information to communicate may be determined
2.3.1 Risk Reduction
2.3.2 Risk Acceptance
Contract Management / Customers using a variety of basic tools including brainstorming and gap analysis
2.4 Risk Communication Procurement Suppliers / Contractors techniques.
2.5 Risk Review
Manufacturing / production Regulatory Authorities Table 7 (following page) illustrates what may be communicated in terms
Risk Management Toolbox Testing / QC Notified Bodies of inputs and outputs at the various stages of the Risk Management 36
Supply Chain Examples Quality Assurance Certification Bodies Process. The level of detail communicated should be commensurate with
Warehouse & Distribution the intended stakeholders needs and expectations. Enough information
Glossary Consultants should be provided to allow for informed decision or assessment but too
Sales & Marketing much or too little information can be counter-productive.
Bibliography
Finance
For example:
Table 6 Examples of some stakeholders / key parties senior management usually do not require a detailed history, rather
a concise summary of the situation with outputs of analysis and any
decisions required
Not all information needs to be communicated; it should be appropriate
those preparing the summary will need detailed information / technical
and relevant to the recipient. It is useful to appoint someone responsible
detail to base the analysis and recommendations on
for communication who understands that confidentiality, contractual and
regulatory obligations should be respected at all stages. recipients of the decision may just require a brief / letter outlining the
decision and guidance for future action
A RACI is a useful tool to define responsibilities within the Risk the provider of the original information may require communication by
Management process. Open RACI way of feedback that appropriate action has been taken
there should be appropriate acknowledgement of actions and
responsibility taken through communication and feedback
Foreword
Contents
Note:
1 - Assumptions are made when little or no data is available at that time. This should be used with extreme caution as it could impact on the Risk Management process if they are found to be
incorrect. It is important to document assumptions so that the inherent risk in their usage can be considered by recipients of the communication. Always aim to replace any assumptions at the
next iteration of Risk Management or when information becomes available.
2 - Formal risk information should be communicated in writing to a defined circulation list and kept on record.
Foreword
When? In summary it is important to ensure that:
Structure & Acknowledgements Communication should take place throughout the Risk Management the correct audience and stakeholders are identified
Contents process whenever appropriate to do so. Fundamentally these activities the communication is suitable for the recipients concise, clear and
will occur at the beginning and end of each stage. Communication is traceable to all parties
required when the following situations arise:
communication is timely for the intended recipients or stakeholders
General Introduction unexpected developments where urgent issues, events or new
information comes to light, which may change previous information feedback is requested that communication has been received,
Supply Chain Considerations / assumptions and require the initiation of a review of previously understood and acknowledged
completed Risk Management stages ensure records are maintained
Risk Management Process
routine developments as per a defined plan or in accordance with appropriate documentary evidence is available for stakeholder scrutiny
2.1 Risk Management Team and
Responsibilities the process in the scope of the Risk Management process
2.2 Risk Assessment
as per the needs of the stakeholders
2.2.1 Risk Identification
2.2.2 Risk Analysis at set milestones such as the point of Risk Evaluation, Risk Control,
2.2.3 Risk Evaluation Risk Review and so on
2.3 Risk Control
2.3.1 Risk Reduction as part of periodic risk management review
2.3.2 Risk Acceptance
2.4 Risk Communication
2.5 Risk Review
How?
Risk Management Toolbox The method of Risk Communication should be clearly established at
each stage in the Risk Management process. Key decisions should be 38
Supply Chain Examples communicated formally. Elsewhere less formal methods will be sufficient.
When there is an increased risk or event, it is important to have a process
Glossary
that enables an appropriate response to be made, so that the relevant
Bibliography stakeholders receive accurate and timely information to make decisions
and / or take action.
Foreword
Contents
General Introduction
Foreword
An effective Risk Review process should accommodate the ability to regulatory actions or incidents, such as Warning Letters, Consent
Structure & Acknowledgements respond to both Proactive and Reactive events. Decrees or other unexpected events
changes in markets supplied and in volumes produced A key member of staff at a contract manufacturer leaves and the
communication lines, flow of information and ability to interact between
ramp up / down in production organisations breaks down.
serious complaint / adverse event and / or recall A Product Review highlights an unexpected series of deviations, or a
trend relating to a service or material supplied.
Foreword
The level of significance of an event or new information should determine In summary
Structure & Acknowledgements if a review is required. Risks and risk indicators can change with time Risk Management is an ongoing cyclical process, and not a one-off
and, with the change some risks require re-evaluation. activity. It should enable control or elimination of significant risks as well
Contents
as the identification of any new risks and processes. The process should
Some key questions to ask are as follows: continue to be used for events that might impact on the original Risk
has the probability of occurrence changed? Assessment decisions, whether planned or unplanned. As experience
General Introduction
has the impact or significance of known risks changed? with the Risk Management process in use grows, more advanced tools
Supply Chain Considerations and methods may be used.
are there any new areas to include in the Risk Assessment that have
Risk Management Process not been captured before?
2.1 Risk Management Team and are there any risk indicators that are no longer applicable due to
Responsibilities changes in processes, equipment, suppliers, services, materials,
2.2 Risk Assessment
circumstances etc.?
2.2.1 Risk Identification
2.2.2 Risk Analysis are there any new risk indicators or risk tools that should be used (Risk
2.2.3 Risk Evaluation Management process improvement)?
2.3 Risk Control
2.3.1 Risk Reduction as well as having good communication and regular feedback relating
2.3.2 Risk Acceptance to Risk Review, a process should be defined for the escalation of
2.4 Risk Communication urgent matters to key stakeholders and decision makers including both
2.5 Risk Review
criteria and timescale.
Risk Management Toolbox
41
Supply Chain Examples Output
Glossary The output / results of the Risk Review is not the end of the process. It is
an iterative process that has a number of different outcomes:
Bibliography no action is required at present as all risks are known and under
control, next review should be determined based on risk (about one
year) or where new information / changes are made
new risks are identified or assumptions are shown to be invalid or
requiring reassessment
a significant event, improvements or major gaps are identified that
invalidate the original assessment resulting in a new Risk Assessment
for that supplier or product
Foreword
Contents
General Introduction
Foreword
Some tools are very effective in all areas of Risk Management while
Structure & Acknowledgements others are better employed for specific areas of the process. Some tools
utilised in Lean, 6-Sigma and Right First Time may be the same or similar
Contents
to Risk Management tools. This toolbox provides guidance on their use
with examples, where appropriate.
Foreword
Contents
General Introduction
Foreword
A sub-tool within project management is the charter or objective
Structure & Acknowledgements statement which should include the following:
Contents scope for the Risk Management team (what is and what is not in
scope) - in the supply chain this would identify the limits of the supply
chain or the section of the supply chain to focus on
General Introduction objectives and performance criteria - these will detail any special
performance targets and what is expected as the steady state
Supply Chain Considerations any known management or operational obstacles
Risk Management Process budget requirements
Foreword
Contents
General Introduction
Foreword
Using Brainstorming: interrogated by asking what if there is a failure in the sub-process?
Structure & Acknowledgements or what if there is a failure in the operation of the sub-process? The
appoint a facilitator it is beneficial to assign one individual as a
facilitator to ensure that all participants voices are heard and the answers to the questions will identify if potential hazards exist. The
Contents
process is managed effectively technique is more structured than a brainstorming session.
ensure the appropriate people from the relevant functions are present Some advantages are:
General Introduction (interdisciplinary team)
simple method
provide an environment and atmosphere removed from external
Supply Chain Considerations requires few resources
distractions
Risk Management Process the facilitator should open the session with a clear description of the participants require minimal training
subject to be brainstormed e.g. this session is focused on identifying very effective for defined processes
Risk Management Toolbox
risks with repacking sodium chloride before distribution to our may identify areas where knowledge gaps need to be filled
3.1 Introduction to the Toolbox customers
3.2 Approach to Implementation
3.3 Risk Assessment utilise a means of capturing ideas e.g. using a whiteboard or flipcharts Some disadvantages are:
3.3.1 Risk Identification Tools or other means and share with everyone involved requires active participation to be successful
3.3.2 Risk Analysis Tools
3.3.3 Risk Evaluation Tools encourage a focus on quantity aim to ensure that a large number of can generate large quantities of data where processes are long or
3.4 Risk Control ideas are generated complex
3.4.1 Risk Reduction Tools
keep each idea succinct and separate is of limited use where processes are undefined or unknown (however
3.4.2 Risk Acceptance Tools
3.5 Risk Communication Tools there should be no discouragement or criticism all ideas no matter this may lead to identifying a list of what is required)
3.6 Risk Review Tools how unusual should be heard - this encourages input from all
Appendix 1 - Worked example: Ranking and requires effective brainstorming to generate relevant and effective 47
Filtering for Contractor management participants, and prevents areas or ideas for solving the risk problem What if? questions about sub-processes
Appendix 2 -Worked example: Medical Device from being overlooked
Risk Assessment using a Simplified FMEA requires substantial knowledge of the process under scrutiny in the
Appendix 3 - Worked example: Supplier Audit the more hazards and associated risks that are identified, the more first place
Priority using Risk Assessment comprehensive the subsequent analysis and evaluation will be,
however be careful to stay in scope and remain focused Using What If
Supply Chain Examples
as the list of ideas increases, review the ideas put forward and group What if is easily adopted in supply chain scenarios, for example an
Glossary those that are identical or similar under a single heading - make use asthma inhaler (pressurised Metered Dose Inhalator - pMDI) has many
of colour or symbols or other distinguishing means to collate ideas complex parts in addition to the medicine it dispenses. What If questions
Bibliography
into subgroups e.g. all risks identified with machinery in black, all risks can be formulated for every part of the operation:
associated with raw materials in red etc. what if the temperature in the distribution warehouse rises above 35C?
The final output should be a list of ideas which can be developed what if the No actuation detector on the packaging line develops an
further and subjected to risk assessment intermittent fault?
what if the moulded plastic actuator supplier has used a different
plastic mould release agent after an unusual breakdown than the one
What If? approved for the product?
Overview
What if? is a technique commonly used in engineering to determine what if the master-batch supplier of the plastic granules for the
hazards associated with a facility, equipment or a process. The process device has used a different supplier of raw materials to reduce costs or
under review is broken down into sub-processes and each step ensure delivery on time?
Foreword
Mind Mapping Some advantages are:
Structure & Acknowledgements
Overview promotes the brainstorming / idea generation sub-processes by way of
Contents Mind maps are diagrammatic representations of ideas arranged radially its structure
around a central idea or theme. They have been used as study aids, for allows the capture of information in a concise visual representation
problem solving and as decision making tools.
fast process for recording data / information
General Introduction
ce
d
ca l
Risk Management Toolbox Resu cti
a
1 lt
tional
Pr
3.1 Introduction to the Toolbox o
3.2 Approach to Implementation 2 Follow
-u
Persona
l Em s
Action p ue
Iss
3.3 Risk Assessment
3.3.1 Risk Identification Tools 3
Def
3.3.2 Risk Analysis Tools
4
Plan
in
3.3.3 Risk Evaluation Tools
plore
e
3.4 Risk Control Ex Fe
eli Other
s
3.4.1 Risk Reduction Tools ng s
Time
irements SO MS
3.4.2 Risk Acceptance Tools Requ LU B
LE Own
3.5 Risk Communication Tools TI
Money ath
O
ON
G
3.6 Risk Review Tools er
PR
48
Appendix 1 - Worked example: Ranking and s
Filtering for Contractor management rce
Resou hs Fa c
t
s
Appendix 2 -Worked example: Medical Device
gt Creative
Risk Assessment using a Simplified FMEA Stren Solutions
ple
TE
3
s A ID
se A LU EA
Glossary Weaknes EV S Change
Bibliography Strengths
itu
S
Id
2 knesses ation
Wea
ea
Idea 1
s
en 1
G
St
se
ren erate 2
es
Weakn gths
3
8
4
7
6 5
Foreword
Some disadvantages are: data generated lends itself well as an input mechanism to other tools
Structure & Acknowledgements
may require training of personnel to become effective users of the provides objective evidence to counteract opinion and assumptions
Contents technique
not all people find this technique useful Some disadvantages are:
use of colour / symbols / diagrams can make the resultant mind map relies heavily on people recording data accurately
General Introduction prone to misinterpretation by persons not involved with its construction can become cumbersome and lengthy for complex processes
Supply Chain Considerations limited scope in terms of volumes of data with large quantities of relies upon good check-sheet design
data a single diagram may become too complex and cumbersome to may become limited by design if there is insufficient scope to record
Risk Management Process work with data some items of data may get missed out
Risk Management Toolbox
Use of mind maps Use of Check-sheets
3.1 Introduction to the Toolbox
3.2 Approach to Implementation Mind maps can be constructed manually by hand-drawing or There are four main types of check-sheets commonly used:
3.3 Risk Assessment electronically using software packages. 1. Item check-sheets used to capture identified hazards in the process
3.3.1 Risk Identification Tools
e.g. the check-sheet will have a list of potential problems and provision
3.3.2 Risk Analysis Tools
3.3.3 Risk Evaluation Tools The key topic is placed in the centre. Branches are drawn from the key to count occurrences or frequency
3.4 Risk Control topic radially. Each branch represents a single sub-idea of the main idea 2. Location check-sheets used to identify potential areas or locations
3.4.1 Risk Reduction Tools relating to the key topic. On each of these branches are drawn sub- in the process where a hazard and its associated risks occur, e.g.
3.4.2 Risk Acceptance Tools branches, each one drilling down further into the idea represented by the
3.5 Risk Communication Tools the check-sheet may be a diagrammatic flowchart of the sale and
main branch. Experts promote the use of colour for different branch trees distribution of a product that illustrates the main processing steps
3.6 Risk Review Tools
as well as graphics to aid the conceptualisation process in the brain. 49
Appendix 1 - Worked example: Ranking and involved - a mark is placed on the location where the problem occurs
Filtering for Contractor management
most often giving data on counts and / or frequency
Appendix 2 -Worked example: Medical Device It is also recommended that the least number of words is used to
Risk Assessment using a Simplified FMEA 3. Defect check-sheets used to try and identify causes of risk e.g. may
Appendix 3 - Worked example: Supplier Audit describe each idea or branch in the diagram. Related ideas or issues can
Priority using Risk Assessment also be linked from one branch to another, illustrating interactions or inter- be used to identify the potential causes associated with mislabelling of
relations. An example of a mind map is given in Figure 7 (previous page). products and provides a means of recording data about the operators,
Supply Chain Examples labelling machines, batch code printers etc.
simple
fast process for recording data / information
Foreword
Flowcharting
Structure & Acknowledgements
Overview
Contents Flowcharting is the process of charting a process or information by representing the individual steps as boxes and displaying the order of occurrence
by connecting each box with an arrow showing the direction of process / information flow. It is through process understanding that flowcharts can be
used to aid Risk Identification in identifying potential issues, hazards, defects, bottlenecks and restrictions.
General Introduction
Medical Device Organisation Outsourced Conversion Outsourced Sterilisation
Supply Chain Considerations
Supplier 1 Stage A Supplier 9
Risk Management Process Raw Materials Bulk Chemical Conversion Raw Materials
Supplier 8 Warehouse
Distribution
Foreword
Flowcharting is a simple tool to map out the supply chain. Figure 8 How to Process Map:
Structure & Acknowledgements (previous page) illustrates a simple integrated flowchart used to show Most process maps begin with a start point and end with a termination
the flow of materials in the manufacture of a Medical Device with links point for the process or sub-process. A decision needs to be made on the
Contents
between organisations performing key outsourced manufacturing steps in level of detail required. An example of a process map is shown in Part 1,
the process. Figure 5. Open Process Map
General Introduction Each of the 9 different suppliers and the outsourced organisations in the The final output of the exercise should be full diagrammatic
flowchart in Figure 8 (previous page) can also be individually flowcharted representation of the process that provides process understanding and
Supply Chain Considerations
to provide an accurate picture of the process and related risks. a means to identify where risks can occur in that mechanism. The risks
Risk Management Process identified can then be subjected to the subsequent steps of the risk
Flowcharting of processes in more detail is more commonly known as management process.
Risk Management Toolbox process mapping.
3.1 Introduction to the Toolbox
3.2 Approach to Implementation Cause and Effect / Fishbone Diagrams
3.3 Risk Assessment Process Mapping Overview
3.3.1 Risk Identification Tools
3.3.2 Risk Analysis Tools
Overview Fishbone Diagrams (also known as cause and effect diagrams or
3.3.3 Risk Evaluation Tools A process map is a diagrammatic representation of a process that Ishikawa diagrams) are primarily used to identify causes associated with
3.4 Risk Control utilises geometric shapes representing actions or stages interconnected an event, but are easily adopted to identify hazards / risks associated
3.4.1 Risk Reduction Tools by flow-lines. Over the years various conventions have been adopted with an event.
3.4.2 Risk Acceptance Tools
on the shapes and symbols to be used for representing steps such as
3.5 Risk Communication Tools
3.6 Risk Review Tools
start and end points of the process, individual actions, decision steps Some advantages are:
Appendix 1 - Worked example: Ranking and and documentation steps. It is not necessary to adopt any of these 51
simple method
Filtering for Contractor management conventions; however it may assist in understanding when sharing
Appendix 2 -Worked example: Medical Device
process maps with customers or suppliers. requires few resources
Risk Assessment using a Simplified FMEA
Appendix 3 - Worked example: Supplier Audit participants require little training
Priority using Risk Assessment Some advantages are:
organises related ideas into groups
Supply Chain Examples useful tool to define the supply chains
can identify knowledge gaps
prevents oversights and omissions in considering potential sources of
Glossary very effective for defined processes
risk within and associated with a process
Bibliography enable interactions, flow of materials, people and services to be Some disadvantages are:
characterised and visualised
requires active participation to be successful
Some disadvantages / constraints are: can generate large quantities of data where processes are long or
complex
takes time to accurately map the process
limited use where processes are undefined or unknown (however can
need to have the process experts available to capture the process
identify the knowledge gaps)
correctly
requires substantial knowledge of the process under scrutiny in the
first place
Foreword
Use of Fishbone Diagrams: Hazard Operability Analysis (HAZOP)
Structure & Acknowledgements The diagram is constructed with a box on the right hand side (the head Overview
of the fish) see Figure 9 (below). This box contains the subject under HAZOP was developed in the chemical industry in the 1960s for health
Contents
examination, for example the Risk Question. and safety Risk Analysis and the control of chemical processes. It is one
of the most commonly known risk tools used to evaluate safety hazards
The spine of the fish has a number of main bones coming off it. Each one in Environmental Health and Safety. It is considered a simple but highly
General Introduction represents a subject category. These can be tailored to specific needs but structured hazard identification tool. Therefore organisations may already
some commonly used categories are the 6Ms, 8Ps or 4Ss: have personnel skilled in the use of this tool.
Supply Chain Considerations
6Ms = Materials, Men (People), Machinery (Equipment), Methods
Risk Management Process (Procedures), Maintenance (Management), Mother Nature Using the HAZOP approach assumes that events and hazards that
(Environment) generate risks are caused by deviations from the established mapped
Risk Management Toolbox
8Ps = Price, Promotion, People, Processes, Place / Plant, Policies, design and operating intentions, and uses a systematic technique to help
3.1 Introduction to the Toolbox
Procedures, Product identify potential deviations from normal use or design intentions in use.
3.2 Approach to Implementation It can be considered as an example of a possible combination package
3.3 Risk Assessment 4Ss = Surroundings, Suppliers, Systems and Skills covering several Risk Management stages and incorporates some of the
3.3.1 Risk Identification Tools
3.3.2 Risk Analysis Tools previous identification tools and techniques.
3.3.3 Risk Evaluation Tools Finer bones come off each category bone to list potential hazards and
3.4 Risk Control risks associated with for example materials. Often the more populated the Some advantages are:
3.4.1 Risk Reduction Tools
bone is the more influential that category is to overall risk. This technique may be used as a overall Risk Management tool for initial
3.4.2 Risk Acceptance Tools
3.5 Risk Communication Tools
is very powerful when used in conjunction with other tools such as implementation
3.6 Risk Review Tools Brainstorming and Pareto analysis.
Appendix 1 - Worked example: Ranking and
captures and retains product and process knowledge for an 52
Filtering for Contractor management organisation
Appendix 2 -Worked example: Medical Device
Risk Assessment using a Simplified FMEA safeguards against repeat error (reactive analysis) and facilitates rapid
Appendix 3 - Worked example: Supplier Audit detection and correction as a quick reference for problem solving
Priority using Risk Assessment Identify Risks GMP Regulatory Medical
and verify that
may be used to test a suppliers manufacturing processes or facilities
Supply Chain Examples each potential for robustness
risk is related
Glossary to the Risk can handle significant amounts of data
Question. uses brainstorming, process mapping etc. in a structured manner
Bibliography Risk
Question can be used for situations when the hazards and associated risks and
Assess the underlying consequences are diverse and difficult to compare using a
frequency of single tool
occurrence
and potential widely used
severity of
each risk. Legal Environment People
Foreword
Some of the disadvantages are: Complex Tools:
Structure & Acknowledgements
it is a tool originally designed for evaluating engineering or chemical Fault Tree Analysis (FTA)
Contents processes and equipment and therefore has to be significantly Preliminary Hazard Analysis (PHA)
modified for alternative uses
Hazard Analysis and Critical Control Points (HACCP)
it requires combination with a hazard analysis tool and has some
limitations in its scope Failure Modes Effect Analysis (FMEA)
General Introduction
it doesnt generate quantitative data but relies on key words Failure Modes Effect and Criticality Analysis (FMECA)
Supply Chain Considerations
it lacks a technique to sort and categorise the risk level All these tools require data input. This may be hard data, such as that
Risk Management Process
within computerised systems or generated by statistical analysis, or soft
Use of HAZOP data from more subjective analysis or semi-quantitative data analysis.
Risk Management Toolbox
An outline of the basic steps in HAZOP are: Data analysis can be a complex area of the Risk Management process.
3.1 Introduction to the Toolbox
3.2 Approach to Implementation
1. Collect applicable documents and drawings Therefore the tools employed in Risk Analysis range from simple to
3.3 Risk Assessment 2. Break the process into manageable sections complex. Selection of which tool to use is a decision based on the
3.3.1 Risk Identification Tools suitability of the tool for the task and competency of the user in its use.
3.3.2 Risk Analysis Tools 3. Prepare a list of parameters and operations to be examined
3.3.3 Risk Evaluation Tools
4. For each section create deviations There are three elements to Risk Analysis:
3.4 Risk Control
3.4.1 Risk Reduction Tools 5. List and record causes for each deviation severity of event
3.4.2 Risk Acceptance Tools
3.5 Risk Communication Tools 6. List and record consequences for each cause frequency of occurrence
3.6 Risk Review Tools detectability of risk
7. List and record safeguards or controls that may prevent either the 53
Appendix 1 - Worked example: Ranking and
Filtering for Contractor management cause or the consequence
Appendix 2 -Worked example: Medical Device Not all tools account for the detectability of the risk. The use of any
Risk Assessment using a Simplified FMEA
8. List any future actions or recommendations that should be
Appendix 3 - Worked example: Supplier Audit implemented particular tool is dependent on the objectives of the Risk Management
Priority using Risk Assessment programme and doesnt detract from the power of some of the simple
tools applied correctly such as ranking and filtering. This is a very
Supply Chain Examples
3.3.2 - Risk Analysis Tools powerful, simple technique similar to Failure Mode and Effect Analysis
Glossary This section describes some of the tools that are useful for assessing the (FMEA) and can be very successful when used appropriately. Some of
identified risks for their level of impact at the Risk Analysis stage of the the tools given can be used in combination to produce a hybrid set of
Bibliography tools e.g. HACCP and FMEA.
Risk Management process.
Some tools included are: The more complex tools may be applied when more information is
Simple Tools: available and there is knowledge and confidence to use more advanced
and specific tools for Risk Management.
Control charts
Pareto charts
Risk ranking and filtering
Foreword
Simple Tools - Control Charts data falling outside these limits indicates the process is statistically out
Structure & Acknowledgements of control and that a special cause of variation exists
Overview:
Contents Control charts are simple charts used to determine if a process is in a
state of statistical control or not. Perhaps the best known control chart Often the lines depicted as Upper Warning and Lower Warning Limits
is the Shewhart Chart. This simple chart allows special cause variation (UWL and LWL) are set at the mean +/- 2 standard deviations. These
to be differentiated from common cause (natural) variation, and can aid lines are referred to as warning limits and data falling between these
General Introduction limits and the control limits can be indicative of a process approaching
prediction of the future state of the process. It is this characteristic of the
Shewhart Chart that makes it a useful tool in analysing risks associated a statistically uncontrolled state. Inclusion of these warning limits aids
Supply Chain Considerations
with a process. detection of trends, variation, bias or change, e.g. a number of points
Risk Management Process above or below the mean or a set of consecutive points showing a
Some advantages are: decreasing or increasing trend.
Risk Management Toolbox
reasonably simple method to master Over the years organisations have developed rules to aid detection of
3.1 Introduction to the Toolbox
3.2 Approach to Implementation requires few resources modern statistical software generates it in trends and special cause variation. In Risk Analysis, data that indicates
3.3 Risk Assessment seconds trends, special cause variation, a breach of warning or control limits, are
3.3.1 Risk Identification Tools data that may be pointing towards hazards and associated risks with /
3.3.2 Risk Analysis Tools high visual impact in determining trends, patterns or state of control
within a process. ICH Q9 briefing pack
3.3.3 Risk Evaluation Tools
personnel require little training
3.4 Risk Control
3.4.1 Risk Reduction Tools statistically based
3.4.2 Risk Acceptance Tools Pareto Charts
3.5 Risk Communication Tools
Some of the disadvantages are: Overview
3.6 Risk Review Tools
The Pareto principle (also known as the 80-20 rule), states that for many 54
Appendix 1 - Worked example: Ranking and limited to processes that comply with the statistical model (normal
Filtering for Contractor management
distribution) events, approximately 80% of the effects come from 20% of the causes.
Appendix 2 -Worked example: Medical Device
Risk Assessment using a Simplified FMEA
A Pareto chart is the graphical representation of data, containing a bar
is only a statistical tool, requires the use of an additional tool for Risk
Appendix 3 - Worked example: Supplier Audit chart and a line chart in one diagram.
Priority using Risk Assessment Assessment to be completed
will highlight potential special cause variation being present but will not Some advantages are:
Supply Chain Examples
identify why it is present (root cause)
reasonably simple method to master
Glossary requires a statistically significant number of data points to provide
requires few resources modern statistical software generates
useful information
Bibliography charts in seconds
may be biased by error in the measurement method used for the data
high visual impact
being analysed
aids minimising effort for maximum benefit
there is no way of measuring risk as a detectable event
based on scientifically sound statistics
Use of Control Charts combined with ALARP (see page 62) or similar tool may be used for
A control chart has a number of common features: determining risk tolerance levels
the central line represents the mean for the data set
the Upper Control Limit (UCL) and Lower Control Limit (LCL) lines
represent limits of the mean +/- 3 standard deviations and are referred
to as the control limits
Foreword
Some disadvantages are: high visual impact allowing the easy ranking of risks against their
Structure & Acknowledgements outcomes, leading to a view of the risk as high, medium or low, which
the basic underlying mathematics may result in a low frequency
hazard with a high impact (therefore an unacceptable risk) being aids the targeting of resources to minimise high risks
Contents
ignored permits the setting of targets for Risk Reduction in specific areas
limited use where individual factors are evenly frequent or significant can handle significant amounts of data
General Introduction is only a statistical tool, requires the use of an additional tool for Risk can be used for situations when the risks and underlying
Assessment consequences are diverse and difficult to compare using a single tool
Supply Chain Considerations
data may be easily biased by selection of incorrect weighting factors based on the principles of cause and effect
Risk Management Process
doesnt reflect consequence unless a factoring or a weighting applied allows quantification of soft data in a usable format
Risk Management Toolbox which has to be validated can be simple or more complex as the situation requires
3.1 Introduction to the Toolbox no way of measuring risk as a detectable event can be used to provide many levels of risks (e.g. very low, low,
3.2 Approach to Implementation
medium, high, very high)
3.3 Risk Assessment Use of Pareto Charts
3.3.1 Risk Identification Tools
The left hand vertical access represents a parameter frequency for Some disadvantages are:
3.3.2 Risk Analysis Tools
3.3.3 Risk Evaluation Tools the subject being analysed. The right hand vertical axis represents
the cumulative percentage of the occurrences of that parameter. The has limitations in discrimination where individual factors may be
3.4 Risk Control
3.4.1 Risk Reduction Tools horizontal axis represents the categories of parameter under analysis and evened out by frequency or significance
3.4.2 Risk Acceptance Tools represents each in the form of a bar chart in order of decreasing values. data may be easily biased by the level of filters selected
3.5 Risk Communication Tools
3.6 Risk Review Tools consequences should be fully recognised
Appendix 1 - Worked example: Ranking and This tool can be used in Risk Assessment to set an agreed tolerance 55
Filtering for Contractor management level. However the level set is not based on tolerable risk but focuses on detection of risk has to be built in as it assumes that all risks are
Appendix 2 -Worked example: Medical Device resource and effort where improvement and risk migration actions will detectable events
Risk Assessment using a Simplified FMEA
Appendix 3 - Worked example: Supplier Audit provide the greatest cost benefit. Such an approach is possible when
Priority using Risk Assessment combined with ALARP principles to identify and target exposure to risk. Use of Risk Ranking and Filtering
ICH Q9 briefing pack The technique works by assigning values to probability of occurrence
Supply Chain Examples
and the severity of the outcome to give a two-dimensional view. In its
Glossary simplest form, a risk that is present but highly unlikely to occur has a
Risk Ranking and Filtering low probability with a score of 1 assigned. Account should also be taken
Bibliography Overview of what the consequences would be if the risk did become reality i.e.
Risk Ranking is a method used to compare risks and typically involves severity. If the consequences were severe in effect then this would be
evaluation of multiple quantitative and qualitative factors for each assigned a severity of high with a score of 3. This translates as a risk
identified risk, e.g. weighting factors and risk scores. This in its simplest score 1 x 3 = 3 (medium).
form leads to a two-dimensional diagram of probability of occurrence
measured against the severity of the consequences if it did occur. This For each identified risk the probability and severity are multiplied to give a
technique is widely used in health and safety Risk Management. risk score, with 1 as the lowest and 9 as the highest score in the simplest
model illustrated on the next page. Once scored, the risks can be ranked
Some advantages are: and a risk score assigned for each identified undesirable event. The
weightings for severity and frequency can be modified to give a different
reasonably simple
spread of risk depending on the application and focus required.
requires few resources
Foreword
In Table 9 (below left), a score of 1 for Low, 2 for Medium and 3 for High
Structure & Acknowledgements High 3 6 9 is used for the Probability and Severity of an individual risk / hazardous
Increasing probability
of an error or failure
event occurring, with thresholds of 3 and 6 as risk boundaries. More
Contents
Medium 2 4 6 complex models with 5 or more levels can be used. This allows for
ranking for immediate action or finer discrimination. However within some
situations, even remote risks are unacceptable with outcomes such as
General Introduction Low 1 2 3 serious injury or patient death.
Foreword
Some advantages are: The thresholds between frequencies or severity can be defined using a
Structure & Acknowledgements scaling system. For example in frequency of occurrence:
uses other risk tools such as ranking and filtering
Contents prioritises hazards Remote = 1 incidence every 20 years or in a very large number of
useful when analysing existing systems where there is little deliveries or batches.
information, knowledge, design details, or operating procedures Occasional = 1 incidence every 5 years.
General Introduction Probable = 1 incidence every 2 years.
can be used on product, process, or facility design
Frequent >/= 1 incidence every 6 months.
Supply Chain Considerations permits the setting of risk thresholds for risk reduction in specific areas
Risk Management Process visual impact These thresholds are set based on the process the technique is applied
to and as information increases, should be reviewed for effectiveness.
allows quantification of soft data in a usable format
Risk Management Toolbox
3.1 Introduction to the Toolbox The following rules can then be applied from ALARP principles (See
Some disadvantages are:
3.2 Approach to Implementation ALARP Principles):
3.3 Risk Assessment provision of preliminary information only
High Risk should be reduced if possible or avoided
3.3.1 Risk Identification Tools
data may be easily biased by selection of filter levels
3.3.2 Risk Analysis Tools Intermediate Reduce risk to As Low As Reasonably Possible
3.3.3 Risk Evaluation Tools does not measure levels of detection of an event (ALARP) principles or otherwise termed As Low As Reasonably
3.4 Risk Control
3.4.1 Risk Reduction Tools requires additional follow up Achievable (ALARA)
3.4.2 Risk Acceptance Tools Low Reduce risk according to ALARP principles considering cost vs.
3.5 Risk Communication Tools Use of PHA benefit criteria or determine if it is an acceptable risk
3.6 Risk Review Tools
As in Risk Ranking, the technique works by assigning values to 57
Appendix 1 - Worked example: Ranking and Very Low Generally acceptable level of risk with no further action
Filtering for Contractor management probability of occurrence and the severity of the outcome using key words
required
Appendix 2 -Worked example: Medical Device (see Table 10 (below)).
Risk Assessment using a Simplified FMEA
Appendix 3 - Worked example: Supplier Audit This can then be tabulated and hazards with their current or future risk
Priority using Risk Assessment A hazard that is present but which is highly unlikely to occur has a
controls identified (see Table 11 following page).
remote probability of occurrence when rated against its severity and if the
Supply Chain Examples consequences are negligible then the rating is that of a very low risk. It
leads to a simplified automatic Risk Evaluation.
Glossary
Bibliography
Frequency of Severity
Occurrence Negligible Minor Major Severe
Frequent Low Risk Intermediate Risk High Risk High Risk
Occasional Very Low Risk Intermediate Risk Intermediate Risk High Risk
Remote Very Low Risk Low Risk Intermediate Risk Intermediate Risk
Table 10 - Example of a PHA matrix for assigning the Risk status for an identified hazard
Foreword
Foreword
Hazard Analysis and Critical Control Points (HACCP) Use of HACCP
Structure & Acknowledgements In preparation for HACCP the following prerequisites are required:
Overview
Contents HACCP was developed in the early 1970s by NASA as part of a food 1. Assemble a team of relevant experts
safety initiative for astronauts using science-based controls to prevent 2. Describe product / processes in detail
hazards that could cause food-borne illnesses. It is well established as a
requirement within the food industry, whilst its application is increasing in 3. Identify intended use / objectives
General Introduction
other industries including pharmaceutical. Its objective is to reduce any 4. Construct detailed process flow diagram Open Process Map
Supply Chain Considerations emphasis on testing for failure at the end of a process when it is more
5. Confirm the flow diagram and level of detail
difficult to detect.
Risk Management Process
HACCP is a seven step process that provides for both Risk Assessment
Some advantages are:
Risk Management Toolbox and Risk Control. In essence it is a detailed process flowchart map for
it caters for both Risk Assessment and Risk Control in one tool, as manufacturing from raw materials to finished product and testing, with
3.1 Introduction to the Toolbox
3.2 Approach to Implementation
it identifies the Critical Control Points (CCP) in a process. It is also each identified critical control point on the flowchart identified. It is often
3.3 Risk Assessment useful in the Risk Reduction phase extended into the supply chain and also projected to the end user. The
3.3.1 Risk Identification Tools
may be used as an overall Risk Management tool for the supplier seven steps are as follows:
3.3.2 Risk Analysis Tools
3.3.3 Risk Evaluation Tools
management process 1. Conduct hazard analysis
3.4 Risk Control captures and retains product and process knowledge for an A hazard is defined as the potential to harm the consumer (safety
3.4.1 Risk Reduction Tools
organisation and for pharmaceuticals also efficacy) or danger to the product
3.4.2 Risk Acceptance Tools
3.5 Risk Communication Tools safeguards against repeat error (reactive analysis) and facilitates rapid (contamination).
3.6 Risk Review Tools detection and correction as a quick reference for problem solving In considering hazard analysis, all hazards should be listed that
Appendix 1 - Worked example: Ranking and
59
Filtering for Contractor management may be used to test a suppliers processes reasonably may occur from incoming materials, production, testing,
Appendix 2 -Worked example: Medical Device distribution up to point of use. Hazard analysis identifies which hazards
Risk Assessment using a Simplified FMEA proactive are such that elimination or reduction to acceptable levels is essential.
Appendix 3 - Worked example: Supplier Audit
Priority using Risk Assessment can handle a large amount of data It is advisable to separately identify quality, safety and business risks.
can be used for situations when the hazards / risks and underlying Note: FMEA (see following page) may be used as an appropriate
Supply Chain Examples hazard analysis tool.
consequences are diverse and difficult to compare using a single tool
Glossary emphasises the detectability of a risk 2. Determine critical control points (CCP)
A critical control point is defined as a stage in the manufacturing
Bibliography
process (including all raw materials), which, if not controlled correctly,
Some disadvantages are: will cause a threat to safety or a contamination issue. Having identified
designed for evaluating manufacturing processes and often used for the hazards on the flowchart, determine if there are any stages which
contamination risks compensate for earlier hazards or for those that have no critical
controls (if there is a need to install controls at these points).
it has to be modified for other applications
3. Establish target levels and critical limits
requires combination with other tools to quantify and categorise level
of risks Specify critical limits for each CCP. Typical criteria for measurement
could be temperature, time, etc or subjective criteria. Data should be
requires resource and preparation to carry out
scientifically based and more than one limit may be necessary for a
may require external training CCP.
Foreword
4. Establish a system to monitor critical control points once performed it provides a quick reference for problem solving and
Structure & Acknowledgements is easily updated
Monitoring should detect loss of control at a CCP and should be
Contents recorded. Real time monitoring enables timely response to trends and minimises unforeseen failures
prevents deviation from the limit. allows for qualitative data to be converted to semi-quantitative
5. Establish corrective actions when critical limit deviation occurs information for input
General Introduction 6. Establish a record keeping system can be utilised for quantitative and semi-quantitative information to
7. Establish procedures to verify that the HACCP system is working produce a near-quantitative result
Supply Chain Considerations
correctly
Risk Management Process Some disadvantages are:
Its common use is to identify and manage physical, chemical and requires significant information for input into the tool
Risk Management Toolbox
biological (including possible sources of microbiological) contamination it is not quick to develop or perform
3.1 Introduction to the Toolbox related risks in a process, which may well be a mapped current supply
3.2 Approach to Implementation
chain or a production process, and also assess the impact of any change. limitations in assessing where there are multiple risks involved
3.3 Risk Assessment
3.3.1 Risk Identification Tools it is a complex tool requiring significant user competency and training
3.3.2 Risk Analysis Tools From a supply chain perspective it can look from customer through tiers for effective and efficient use
3.3.3 Risk Evaluation Tools to the base supplier or as part of the whole process flow of components
the number scales are not obtained by direct measurement and the
3.4 Risk Control to final product.
3.4.1 Risk Reduction Tools output may be misinterpreted as purely quantitative when in reality is
3.4.2 Risk Acceptance Tools not fully quantitative
3.5 Risk Communication Tools
Failure Mode and Effects Analysis (FMEA) the three components of the RPN; likelihood, severity and detectability
3.6 Risk Review Tools
Appendix 1 - Worked example: Ranking and are not all equally weighted, and likelihood and detectability are 60
Overview
Filtering for Contractor management inversely related
Appendix 2 -Worked example: Medical Device FMEA has its origins in the military in the 1940s and, with its later
Risk Assessment using a Simplified FMEA extension Failure Mode Effects and Criticality Analysis (FMECA), FMEA over analysis can lead to paralysis
Appendix 3 - Worked example: Supplier Audit is often used in the automotive industry with success as a suitable Risk
Priority using Risk Assessment
Analysis tool. Use of FMEA
Supply Chain Examples FMEA uses the evaluation of identified potential failure modes
Some advantages are: for processes, and the likely effect of outcomes and / or product
Glossary performance. Once these failure modes are identified, Risk Reduction
identifies the points of potential failure for a given process or product
can be used to eliminate, reduce, or control potential failures. It relies
Bibliography a formatted analysis tool suitable for use in other processes e.g. upon product and process understanding.
HACCP or as a stand alone tool
provides structured and sensitive scoring with a Risk Priority Number The output is a relative risk score for each failure mode as a structured
(RPN) with relativities between risks visible score with a RPN. The calculation of the RPN for a failure mode is
Severity x Likelihood of Occurrence x Detectability.
helps communication and builds trust across different functions and
interfaces
Severity (S) what is the consequence with a number assigned in the
can ignore failure interactions range 1 to 10 with 1 being of minimal impact and 10 being the most
has risk detection as an inherent part of the process disastrous impact.
Foreword
Contents
Occurrence
Occurrence
Risk Score
Risk score
Detection
Detection
Severity
Severity
General Introduction Failure Effect of Potential Current Recommended
Risk
Mode Failure causes controls action
Supply Chain Considerations
Foreword
3.3.3 - Risk Evaluation Tools Some disadvantages are:
Structure & Acknowledgements
This is part of Risk Assessment that enables data to provide for a yes or an organisation may use inappropriately low targets to set acceptance
Contents no decision. Some of the analysis tools will generate a level of risk which criteria on grounds of perceived investment required.
requires evaluation for the risk acceptance decision and establish the
criteria why a risk may or may not be acceptable. It may also establish The practice of ALARP
the residual risk level. Either risk is then deemed acceptable or Risk The ALARP principle is that the residual risk shall be as low as
General Introduction
Reduction has to be applied. reasonably practical. To apply the principle it should be possible to show
Supply Chain Considerations that the investment or practicality would be grossly disproportionate to the
Some tools included are: benefit gained. The principle arises from the fact that infinite resources
Risk Management Process (time, money, effort) could be used to try and reduce a risk that is not
ALARA / ALARP
achievable realistically. It is not a simple quantitative measure of benefit
Risk Management Toolbox Carrot Diagrams against detriment. It is interlinked to the assessment of whether a risk is
3.1 Introduction to the Toolbox
Brainstorming (page 46) tolerable and / or controllable. If so the resulting level of residual risk has
3.2 Approach to Implementation to be accepted.
3.3 Risk Assessment Pareto analysis (page 54)
3.3.1 Risk Identification Tools
3.3.2 Risk Analysis Tools In determining that a risk has been reduced to ALARP, an assessment
The tools used for Risk Evaluation are fewer and focus on justifying
3.3.3 Risk Evaluation Tools of the risk to be avoided should be carried out and compared with the
the level below where little or no actions are appropriate. However it is
3.4 Risk Control actions involved in taking measures to avoid that risk totally.
3.4.1 Risk Reduction Tools always advisable, if resources allow, to take simple, often low cost steps
3.4.2 Risk Acceptance Tools to reduce identified residual risks until they become negligible.
Risk Threshold examples:
3.5 Risk Communication Tools
3.6 Risk Review Tools High risk should be reduced if possible or avoided 62
Appendix 1 - Worked example: Ranking and
Filtering for Contractor management ALARA & ALARP Intermediate reduce risk to ALARP
Appendix 2 -Worked example: Medical Device Overview
Risk Assessment using a Simplified FMEA Low reduce risk according to ALARP principles considering cost
Appendix 3 - Worked example: Supplier Audit Risk Management has been widely practised in the field of nuclear versus benefit criteria or determine if it is an acceptable risk
Priority using Risk Assessment medicine and the nuclear industry, from which the principles of ALARA
(As Low As Reasonably Achievable) were developed for safety of Trivial generally acceptable level of risk with no action required
Supply Chain Examples personnel from exposure to excessive levels of radiation. It is more
Glossary commonly referred to as ALARP (As Low As Reasonably Practical) in the
UK from UK Health and Safety legislation.
Bibliography
Some advantages are:
residual risk is known and the basis of the acceptance of the residual
risk is clearly defined
baseline established of what can be achieved versus effect, available
resources, and technical capability, investment requirements and level
of technology
Foreword
Carrot Diagram
Structure & Acknowledgements
Overview
Contents A carrot diagram is often used to visually display risks and place in
tolerable or intolerable regions (see Figure 10 below).
Advantages:
General Introduction
simple tool to use
Supply Chain Considerations
visual presentation to enable clear decision making
Risk Management Process sets a zone of tolerable and residual risk
Risk Management Toolbox
Disadvantages
3.1 Introduction to the Toolbox
3.2 Approach to Implementation Requires knowledge to set the tolerable regions and placement of risks
3.3 Risk Assessment
3.3.1 Risk Identification Tools Process in use
3.3.2 Risk Analysis Tools The high risks (to be reduced) are at the top and the low risks at the
3.3.3 Risk Evaluation Tools
bottom. The middle risks may be described as the tolerable region as the
3.4 Risk Control
3.4.1 Risk Reduction Tools
risks are not insignificant but not practically reduced.
3.4.2 Risk Acceptance Tools
3.5 Risk Communication Tools
3.6 Risk Review Tools
Appendix 1 - Worked example: Ranking and
63
Filtering for Contractor management
Increasing individual risks and societal concerns
Glossary
Bibliography Tolerable
region
Broadly acceptable
region
Foreword
Contents
General Introduction
Foreword
Use of RCA Use of CAPA
Structure & Acknowledgements Basic steps to application of root cause analysis irrespective of the tool Essentially there are three elements to CAPA as shown in Table 13.
used are as follows:
Contents
1. define the risk to be reduced = output of Risk Evaluation Correction Correction of the effect of an event so as to bring
2. define potential root causes for this risk to occur the process, product or service back into a state
of compliance with the specification (reactive)
General Introduction 3. define which root causes if removed will prevent or reduce the risk
Corrective Implementation of an action to address the root
Supply Chain Considerations 4. implement risk reduction measures = address the root causes
Action cause of an event to prevent recurrence of that
5. document & observe the effect of implementing the Risk Reduction event in the future (reactive)
Risk Management Process
measures
Preventive Preventive action - action to eliminate the cause
Risk Management Toolbox 6. review and repeat as required Action of a potential nonconformity or other undesirable
3.1 Introduction to the Toolbox potential situation.
3.2 Approach to Implementation NOTE 1 There can be more than one cause for a potential
3.3 Risk Assessment nonconformity.
3.3.1 Risk Identification Tools Corrective Action and Preventive Action (CAPA) NOTE 2 Preventive action is taken to prevent occurrence
3.3.2 Risk Analysis Tools whereas corrective action is taken to prevent recurrence.
Overview
3.3.3 Risk Evaluation Tools
CAPA is a term used in Quality Management Systems such as The
3.4 Risk Control
International Organization for Standardization (ISO) and whilst used in a Table 13 Elements of CAPA
3.4.1 Risk Reduction Tools
3.4.2 Risk Acceptance Tools variety of industries, it is often poorly understood. To use effectively after
3.5 Risk Communication Tools an event has occurred, RCA should be used in combination with CAPA In terms of Risk Reduction CAPA is a process that compliments other
3.6 Risk Review Tools techniques such as Root Cause Analysis. In order to utilise CAPA for Risk
Appendix 1 - Worked example: Ranking and
65
Some advantages are: Reduction these basic steps should be followed:
Filtering for Contractor management
Appendix 2 -Worked example: Medical Device prevents recurrence if applied effectively 1. define the risk to be reduced = output of Risk Evaluation or the RCA
Risk Assessment using a Simplified FMEA
Appendix 3 - Worked example: Supplier Audit provides a structured plan to address identified issues 2. define the appropriate action i.e. correction, corrective action,
Priority using Risk Assessment preventative action
provides for continuous improvement and effective use may result in
Supply Chain Examples proactive actions being taken 3. document the CAPA to be taken including, the responsible person(s)
and the timeline for completion
Glossary provides a record
4. implement the CAPA
Bibliography Some disadvantages are: 5. document and observe the effect of the CAPA implemented
retrospective for correction and corrective actions 6. review and repeat as required
not a stand alone tool
Risk Management aims to be a proactive approach. It is likely then that
training and knowledge are required to apply effectively and
once embedded in an organisations culture the majority of CAPAs being
understand the differences between Correction and Corrective and
implemented as Risk Reduction measures will be preventive actions
Preventive action
rather than corrections or corrective actions.
requires established standards and controls for a baseline to be set
Foreword
Mitigation strategy and actions based on the 4 Ts: Brainstorming
Structure & Acknowledgements
Overview This is a key tool to identify possible control actions for risk reduction.
Contents The four Ts are a useful technique in Risk Control. More detail is given in section 3.3.1. See Brainstorming
Foreword
Contents
General Introduction
Fax: Normally considered as formal as a letter but its use is being replaced by the use of e-mail.
Internet: This is a way of advertising and a source of information however care should taken to verify information freely
available in this way.
Face to face meeting To exchange ideas, presentations, carry out audits and come up with assignments, actions and agreements.
Agreements and actions should formally recorded in minutes or a letter.
Minutes Formal records of any type of meeting (or conference) that includes decisions, agreements and actions. These
should be retained as documents in a quality management system for audit of a decision or review. An example
of this practice is the retention of meeting minutes for development and design of medical devices as part of the
device master file.
Foreword
Structure & Acknowledgements Presentations Including graphs, mapping and plans that may be shared to show general proposals and action points but these
reflect the author(s) ideas and situation progress. This is a common and visually effective way of quickly getting
Contents essential points across to explain a situation or proposal for a wider, possibly less knowledgeable, audience or to
get outline management approval. These do not normally include detailed plans.
Reports Reports are formal records which have been authorised and can be circulated both internally and externally.
General Introduction These can summarise the Risk Management activities performed and highlight decisions taken (mitigation,
acceptance and actions to acknowledge or respond to risks can be included).
Supply Chain Considerations
RACI Responsibility diagram.
Risk Management Process
Glossary
Bibliography
Foreword
Contents
General Introduction
The type and number of KPIs used differ depending on the nature of the identification of gaps in performance
the organization, the processes being monitored, industry requirements, exploring new ways of improving how things are done
outputs of the organisation and future strategy. They assist in evaluating introducing and using the improved processes
progress towards objectives, especially toward difficult to quantify
knowledge-based goals. However care should be exercised in specifying monitoring and reviewing of processes, measuring progress and
the correct parameters and their criticality. Too many indicators may beneficial outcomes
swamp the critical indicator that something is awry with a supplier.
Foreword
Contents
General Introduction
Foreword
Risk*
Structure & Acknowledgements
Risk Element High = 5 Medium = 2 Low = 0.5 Weight Score
Contents cGMP Significant quantity and / or severity of regulatory observations Few or no regulatory observations
Compliance Adverse Regulatory Status (e.g., FDA Consent Decree, Severe or 3
History multiple Warning Letters, Official Action Indicated)
Quality System An Area of Special Concern Few Findings
Processes Several Major Findings CAPA on target per schedule
General Introduction Past Due CAPA items Audit closed on time
High number of deviations per batch Few to no deviations / significant deviations
Significant deviations No market related events 2
Supply Chain Considerations Multiple events requiring a major quality review Few to no reworks or reprocessing
Product recall and / or market actions
Significant reprocessing of manufacturing step indicating a
Risk Management Process requirement to change process step
Complaints Customer complaints as a result of significant failure of manufacturing Few or no complaints justifiable based on failure of manufacturing
Risk Management Toolbox controls and associated quality systems controls and associated quality system
2
Investigations Not thorough or poorly written, High quality investigations that are RFT,
3.1 Introduction to the Toolbox No or greatly inadequate Root Cause analysis Root Cause Analysis clear and effective
3.2 Approach to Implementation Not completed in a timely manner Well documented and written
Scope is not adequately defined Prompt response and timely completion 2
3.3 Risk Assessment The number, type & frequency of deviations suggest systemic cGMP Appropriate number of investigations
3.3.1 Risk Identification Tools and / or quality issues CAPAs are identified, implemented in a timely manner and are
CAPAs are not identified, are not effective or are well overdue effective
3.3.2 Risk Analysis Tools
Probability of event
Change Changes are not communicated Changes are communicated in a proactive manner with complete and
3.3.3 Risk Evaluation Tools
Management Change control documentation is routinely incomplete and / or accurate documentation
3.4 Risk Control inaccurate Changes are implemented in a timely manner after the appropriate
3
3.4.1 Risk Reduction Tools Changes implemented without Client approval regulatory approval
Significant gaps with regulatory file / license due to contractor No gaps with regulatory file / license
3.4.2 Risk Acceptance Tools
3.5 Risk Communication Tools Quality / Supplier is not willing to accept Client terms in the Quality Agreement Supplier is in compliance with all the significant requirements of the
3.6 Risk Review Tools Technical Significant deviation(s) from the quality agreement Quality Agreement 2
Appendix 1 - Worked example: Ranking and
Agreement No Quality Agreement or Quality Agreement not effective 71
Filtering for Contractor management Technical Older facility with poorly operating equipment Newer facility with contemporary technology and automation
Capabilities None or significant non adherence to maintenance schedule Highly capable, well-trained personnel
Appendix 2 -Worked example: Medical Device Lack capable personnel and high staff turnover Low staff turnover
Risk Assessment using a Simplified FMEA 1
Significant events due to technical & supply issues High volume (non necessarily Client company brand)
Appendix 3 - Worked example: Supplier Audit Infrequent volume - 3 or less batches per year Long-term experience with product
Priority using Risk Assessment Newer product - Less experience with product
Quality and Risk Lack of RFT throughout facility operations RFT environment
Culture Poor Risk Assessment (i.e., Quality Management is ineffective in Risk assessment is accurate (e.g., Science-based compliance
Supply Chain Examples assuring appropriate decisions) decisions)
Lack of continuous improvement (e.g., trending, CAPA) Quality Management applies appropriate control at the facility 3
Lack of internal audit and external supplier audit program Continuous improvement (e.g., trending, CAPA)
Glossary Financially unstable, low investment willingness Strong internal audit and external supplier audit program
Financially stable, demonstrated willingness to invest
Bibliography Supply Chain Broker in supply chain (Complex) material origin from area of high Supply of API from area of high quality regulatory control
Security concern Supply of excipients from area of high quality regulatory control
1
Supply of API from area of high concern Non complex supply chain
Supply of excipients from area of high concern
Communications Supplier deficient in reacting to and notifying X of deviations / changes All issues requiring notification to X are communicated in a timely
with X affecting X products manner per the appropriate agreement. 3
Difficult to visit, contact / liaise with. visits are readily accepted and communication lines smooth
Foreword
Contents
General Introduction
Foreword
Table 17 - Example Failure Mode And Effect Analysis (FMEA) / Design format
Foreword
Calculate / estimate the number of individual uses (or manufacturing operations) that would be required to cause one event of the hazard.
Structure & Acknowledgements
Foreword
Contents Severity
Occurrence Minimal Slight Moderate Major Serious
1 2 3 4 5
General Introduction Very high 5 ALARP ALARP Decision Decision Decision
Supply Chain Considerations High 4 ALARP ALARP ALARP Decision Decision
Risk Management Process Moderate 3 Accept ALARP ALARP Decision Decision
3.1 Introduction to the Toolbox Remote 1 Accept Accept Accept ALARP Decision
3.2 Approach to Implementation
3.3 Risk Assessment
Table 20 - Example of Two dimensional acceptance criteria chart for Risk Evaluation
3.3.1 Risk Identification Tools
3.3.2 Risk Analysis Tools
3.3.3 Risk Evaluation Tools
If the ranking falls in the Accept region, there is no requirement to
3.4 Risk Control
3.4.1 Risk Reduction Tools conduct Risk Control activities.
3.4.2 Risk Acceptance Tools If the ranking falls in the As Low As Reasonably Practicable
3.5 Risk Communication Tools
(ALARP) region, risk control activities may not be required. However,
3.6 Risk Review Tools
Appendix 1 - Worked example: Ranking and the rationale for concluding that no further mitigation is reasonably 75
Filtering for Contractor management practicable should be included.
Appendix 2 -Worked example: Medical Device
Risk Assessment using a Simplified FMEA If the ranking falls in the Decision region, Risk Control activities
Appendix 3 - Worked example: Supplier Audit should be conducted.
Priority using Risk Assessment
In cases where the probability of occurrence is ranked 1 but it is
Supply Chain Examples considered to be extremely remote given the number of products
(i.e. an inconceivable event) and the severity is ranked 5, the residual
Glossary
risk remains in the decision region. Although a risk benefit analysis is
Bibliography required it does not need to be signed by the Heads of R&D, Global
Quality and Regulatory Affairs and Clinical Affairs.
Foreword
Contents
General Introduction
Bibliography Number of products on site Single Multiple Multiple with high potency or
X
sensitivity
Previous audit < 3 years >3 years X None or > 5 years
Supplier rating (A) (B) Unapproved or (C) major X
Approved no issues Approved some minor issues issues
API No X Not applicable Yes
Sole / strategic source Not applicable X No Yes
Weighting factor Total x 1 4 Total x 2 5 Total x 3 2
Table 21 - An Example of a Simplified Application to Set Audit Priority of Suppliers based on Perceived Risk (adapted from GMP Review Vol. 2, No. 4, Jan 2004)
Foreword
Total Score = a summation of all the scores in the individual columns
Structure & Acknowledgements multiplied by the weighting factor and then the 3 scores added together
(Low + Medium + High totals) to give a final risk score.
Contents
Total score = 4 + 10 + 6 = 20
General Introduction This example gives a score that can be used as a risk level for
comparison in a scoring system, to prioritise frequency of visits against
Supply Chain Considerations
other suppliers, including maximum deadlines for the next visit. The full
Risk Management Process model should be more searching in requirements and incorporate a Risk
Evaluation of audit duration and minimum objectives for the audit. A more
Risk Management Toolbox detailed example may be found on the MHRA website as the basis for
3.1 Introduction to the Toolbox regulatory audits performed according to a Risk Assessment.
3.2 Approach to Implementation MHRA reference
3.3 Risk Assessment
3.3.1 Risk Identification Tools
3.3.2 Risk Analysis Tools
3.3.3 Risk Evaluation Tools
3.4 Risk Control
3.4.1 Risk Reduction Tools
3.4.2 Risk Acceptance Tools
3.5 Risk Communication Tools
3.6 Risk Review Tools
Appendix 1 - Worked example: Ranking and
77
Filtering for Contractor management
Appendix 2 -Worked example: Medical Device
Risk Assessment using a Simplified FMEA
Appendix 3 - Worked example: Supplier Audit
Priority using Risk Assessment
Glossary
Bibliography
Foreword
Contents
General Introduction
Foreword
Learning points:
Structure & Acknowledgements
This case demonstrates how important it is for the accountable
Contents organisation to understand in detail the sources and the supply chain
for raw materials and active ingredients. This includes knowledge of
proceedings at all wholesalers and re-packagers in the supply chain. It
General Introduction is especially important in less regulated countries.
The accountable organisation should be sure of the standards that
Supply Chain Considerations
suppliers might claim to operate, and might be able to demonstrate
Risk Management Process from time to time, are actually being practised all of the time.
The supplier at the very start of the supply chain may be unaware of
Risk Management Toolbox
the application to which their material may ultimately be used. For
Supply Chain Examples example, the company who extracts the heparin from pigs (source of
heparin) may not have any idea that the end point of their work is a
4.1 Product Contamination
4.2 Management of Second Tier Suppliers
life-saving anticoagulant drug. They are unlikely to be aware of GMP
4.3 Verification of Artwork or be in a position to practice it.
4.4 Warehouse Operations & Pest Control
The accountable organisation is responsible for the product and as
4.5 Temperature Controlled Transportation
4.6 Change Control - Process
such has a duty to ensure that the quality of materials and supply
4.7 Fraudulent Activities in the Supply Chain chain security are maintained through a programme of supplier
4.8 Errors in Proof Reading assurance involving the necessary key stakeholders.
4.9 Change Control Source of Material
4.10 Implementation of a New Process
79
4.11 Multiple uses of a Material
4.12 High Bioburden
4.13 Inconsistent Analytical Results
4.14 Continuity of Supply
4.15 Lack of Formal Contracts
4.16 Effect of Global Supply Chains
4.17 Effect of not knowing all the links in a
Transport Chain
4.18 Raw Material Source of Origin
4.19 Reuse and Potential Infection
Glossary
Bibliography
Foreword
Contents
General Introduction
Foreword
Contents
General Introduction
Glossary
Bibliography
Foreword
Contents
General Introduction
Glossary
Bibliography
Foreword
Contents
General Introduction
Foreword
Contents
General Introduction
Foreword
Contents
General Introduction
Bibliography
Foreword
Contents
General Introduction
Glossary
Bibliography
Foreword
Contents
General Introduction
Bibliography
Foreword
Contents
General Introduction
Supply Chain Examples Scenario: - The process did not introduce any impurities by side reactions
4.1 Product Contamination or the natural chemistry of the process, provided the purification
4.2 Management of Second Tier Suppliers
Company A was planning the installation of a new process for the step was performed in virgin Solvent A. If any other solvents were
4.3 Verification of Artwork manufacture of Active Pharmaceutical Ingredients (APIs). The process present the batch would fail for impurities.
4.4 Warehouse Operations & Pest Control had a number of stages involving chemical reaction, crude isolation,
- No introduction of foreign solvent to the process could occur, as the
4.5 Temperature Controlled Transportation purification by re-crystallisation, isolation by filtration and drying of the
4.6 Change Control - Process automated system should only open the correct valve to charge the
final API bulk powder.
4.7 Fraudulent Activities in the Supply Chain solvent to the correct tank.
4.8 Errors in Proof Reading The process utilised a number of different solvents at different
As a result the most probable risk identified was the quality of the raw
4.9 Change Control Source of Material stages. Delivery of solvents to the purification vessel is automatically
4.10 Implementation of a New Process materials. 88
controlled by an operator using a computer terminal. The different
4.11 Multiple uses of a Material A few weeks after implementation, a number of batches began failing
4.12 High Bioburden
solvents are piped through a single manifold system before branching
out for delivery to the various vessels. for impurities, and residual solvent appeared that was foreign to the
4.13 Inconsistent Analytical Results
4.14 Continuity of Supply process.
To implement the new process, an interdisciplinary team was
4.15 Lack of Formal Contracts An investigation could not determine the root cause of the batch failures.
4.16 Effect of Global Supply Chains
assembled with the following experts:
4.17 Effect of not knowing all the links in a - R&D Chemist who was familiar with the chemistry of the process. A production operator was invited to the meeting where the team
Transport Chain
- Process Engineer who was familiar with the plant construction reviewed all the information previously reviewed in setting up the
4.18 Raw Material Source of Origin
4.19 Reuse and Potential Infection and especially the automated control system. process.
- Quality Assurance Specialist who was familiar with Quality The production operator quickly noted that the valve on the solvent
Glossary Management System and Quality Control testing. feed-line to the purification vessel was hand actuated and not controlled
Bibliography At the team meetings, discussions were held about potential issues by the automated system. It was discovered by further investigation
(identifying the risks). that the failed batches were all contaminated with Solvent B. This
was because the hand valve had been left in the open position when
Based on the knowledge of the experts it was concluded that:
Solvent B was being charged to adjacent processes and the foreign
- The raw materials did not introduce anything foreign to the process solvent was able to travel along the line into the purification vessel.
and once they were QC passed, would deliver product of the
correct quality.
Foreword
Learning Points:
Structure & Acknowledgements
The implementation of many new systems or processes fail due to the
Contents lack of involvement of the relevant people right at the beginning. It is
important to consider all stakeholders.
Even a large company with abundant resources, finances, large
General Introduction departments with well-defined and separated roles can overlook the
importance of key knowledge holders. The personnel involved should
Supply Chain Considerations
have a suitable level of process knowledge in the operation of the
Risk Management Process process.
Sufficient unbiased scientific data or information about all potential
Risk Management Toolbox
risks in implementing any new process should be gathered to define
Supply Chain Examples the limits of a Risk Assessment. It is not enough to rely on the gut
feel of a process expert.
4.1 Product Contamination
4.2 Management of Second Tier Suppliers Appropriate resources should be allocated and a team leader
4.3 Verification of Artwork identified who has clear responsibility for the co-ordination of all
4.4 Warehouse Operations & Pest Control
activities.
4.5 Temperature Controlled Transportation
4.6 Change Control - Process Project deliverables and set timelines will give focus to the Risk
4.7 Fraudulent Activities in the Supply Chain Management process and allow the management of larger processes.
4.8 Errors in Proof Reading
4.9 Change Control Source of Material
4.10 Implementation of a New Process
89
4.11 Multiple uses of a Material
4.12 High Bioburden
4.13 Inconsistent Analytical Results
4.14 Continuity of Supply
4.15 Lack of Formal Contracts
4.16 Effect of Global Supply Chains
4.17 Effect of not knowing all the links in a
Transport Chain
4.18 Raw Material Source of Origin
4.19 Reuse and Potential Infection
Glossary
Bibliography
Foreword
Contents
General Introduction
Foreword
Contents
General Introduction
Foreword
Contents
General Introduction
Foreword
Contents
General Introduction
Foreword
Contents
General Introduction
Foreword
Contents
General Introduction
Glossary
Bibliography
Foreword
Contents
General Introduction
Supply Chain Examples Scenario: There may be more than one supplier involved in an event or
4.1 Product Contamination transactional movement.
4.2 Management of Second Tier Suppliers
Pharmaceutical products were manufactured and shipped from UK to
Spain using cold chain transport. Even if transport of the finished product is considered as low risk, there
4.3 Verification of Artwork
4.4 Warehouse Operations & Pest Control
is a need to understand its possible complexity and importance in the
The products were collected from the contract manufacturing site by a final supply links to market.
4.5 Temperature Controlled Transportation
4.6 Change Control - Process
haulage company understood to be the designated haulage contractor
of the client. The lorry appeared to be a clean, controlled temperature For pharmaceutical products adherence to Good Distribution Practice
4.7 Fraudulent Activities in the Supply Chain
4.8 Errors in Proof Reading vehicle. applies in transit as well as in storage.
4.9 Change Control Source of Material
The products arrived after a few days at the Spanish warehouse of Assumptions should not be made that a transport company knows 96
4.10 Implementation of a New Process
the client pharmaceutical company. The products were stored in the how to protect their customers products appropriately. Standards
4.11 Multiple uses of a Material
4.12 High Bioburden recesses of a refrigerated lorry containing sides of meat. The outer of care should be set and applied to transport companies, their sub
4.13 Inconsistent Analytical Results containers of the pallets were contaminated with particles of meat and contractors and transit locations. These should include clear definition
4.14 Continuity of Supply
blood that were adhering to the boxes. of roles & responsibilities, expectations on protection from various
4.15 Lack of Formal Contracts contamination sources, specific storage conditions, handling or
4.16 Effect of Global Supply Chains After taking photographic evidence of event, the receiving warehouse documentation requirements and the regulatory standards under which
4.17 Effect of not knowing all the links in a quarantined the consignment which was eventually destroyed due
Transport Chain the operations occur.
4.18 Raw Material Source of Origin to contaminated packaging. The product had to be reordered from
the manufacturer and the market was out of stock of the needed Transit routes for products should be agreed, and if possible, where
4.19 Reuse and Potential Infection
pharmaceutical product. products may be stored / located with other goods to save on transit
Glossary costs.
From the investigation, it was not clear where or why the cross-
docking event had occurred onto the meat lorry or the transit route Activities should be monitored at the transport hubs / cross-dock
Bibliography
taken between manufacturing site and final destination warehouse. locations. One vehicle may not collect in one country and deliver direct
in another.
A process for reporting of issues should be agreed to ensure that the
Learning Points: communication channels are established.
It is important to ensure that all suppliers fully understand what the The hauliers insurance coverage should be checked that it is
requirements are and what their role / responsibility is in the supply adequate to cover costs should a claim be initiated.
chain. Investigation reports and events should be circulated for future
learning by different quality units in a complex chain.
Foreword
Contents
General Introduction
Foreword
Contents
General Introduction
Foreword
Contents
General Introduction
Glossary
Supply Chain Examples
Glossary
Bibliography
Term Definition
99
Accountable Within each supply chain, there is an organisation that is legally accountable. Each competent and regulatory
organisation authority ultimately holds one manufacturer primarily responsible for meeting regulatory and quality requirements for
the product(s) supplied. This accountable organisation (pharmaceutical or medical device) has ultimate responsibility
and cannot relinquish or delegate (contractually or otherwise) its obligation and responsibility over any or all functions
to its suppliers.
Active Pharmaceutical Any substance or mixture of substances intended to be used in the manufacture of a drug (medicinal) product and
Ingredient (API) (or Drug that, when used in the production of a drug, becomes an active ingredient of the drug product. Such substances
Substance) are intended to furnish pharmacological activity or other direct effect in the diagnosis, cure, mitigation, treatment, or
prevention of disease or to affect the structure and function of the body. [ICH Q7]
Batch (or lot) A defined quantity of the product, manufactured in one process or series of processes, so that the product qualities
and characteristics are expected to be uniform and consistent.
Foreword
Foreword
Supply Chain Considerations Management System - The set of interrelated elements that establish policy, processes, procedures and objectives which direct and control
Business an organisation with regard to all management activities.
Risk Management Process
Management System - Quality Management System is a subset of interrelated elements that establish policy, processes, procedures and
Risk Management Toolbox Quality objectives which direct and control an organisation with regard to quality.
Supply Chain Examples Manufacture All operations including purchase and receipt of materials and products, production, quality control, release, storage,
distribution and related records.
Glossary
Origination Origination is all the preparative activities prior to print. These include concept, design, graphics, reprographics, film,
Bibliography plate making, silk screens and digital files and masters.
Outsource Outsourcing is the use of another supplier to conduct all or part of an activity and may also be referred to as
subcontracting.
Process Set of interrelated or interacting activities which transforms inputs into outputs.
Product The result of a process.
101
Product Lifecycle All phases in the life of the product from the initial development through marketing until the products discontinuation.
Quality The degree to which a set of inherent properties of a product, system or process fulfils requirements
See also ICH Q6A definition specifically for quality of drug substance and drug (medicinal) products.
Quality Risk A systematic process for the assessment, control, communication and review of risks to the quality of the product
Management across the product lifecycle.
Raw Material A general term used to denote starting materials, reagents and solvents intended for use in the production of
intermediates, sub-assembly or finished product.
Residual Risk Risk remaining after Risk Control measures have been taken. (ISO 14971: 2007)
Requirements The explicit or implicit needs or expectations of customers (e.g. patients, health care professionals, regulators and
legislators). In this guide, requirements refers not only to statutory, legislative, or regulatory requirements, but also to
such needs and expectations.
Risk The combination of the probability of occurrence of harm and the severity of that harm. (ICH Q9)
Risk Acceptance The decision to accept risk. (ICH Q9)
Risk Analysis The estimation of the risk associated with the identified hazards. (ICH Q9)
Foreword
Foreword
Contents
General Introduction
Bibliography
Supply Chain Examples
Glossary
Bibliography
1. ASTM E2476 09 Standard Guide for Risk Assessment and Risk 9. Guidelines for Failure Modes and Effects Analysis (FMEA) for
Control as it Impacts the Design, Development, and Operation of Medical Devices, 2003 Dyadem Press, ISBN 0849319102 103
PAT Processes for Pharmaceutical Manufacture 10. International Conference on Harmonisation (ICH) Q8
2. BS 31100:2008 Risk Management. Code of Practice Pharmaceutical Development
3. BS IEC 61882:2001 - Hazard and operability studies (HAZOP 11. International Conference on Harmonisation (ICH) Q9 Quality Risk
studies) application guide Management
4. Code of Federal Regulations, 21 CFR 210 / 211, 600, 820 12. International Conference on Harmonisation (ICH) Q10
Part 820; 820.50: Purchasing Controls Pharmaceutical Quality System
Reference 13. IEC 61025 Fault Tree Analysis (FTA)
5. EU Guide to GMP 14. IEC 61882 Hazard Operability Analysis (HAZOP)
6. Failure Mode and Effect Analysis, FMEA from Theory to Execution, 15. International Commission on Radiological Protection (ICRP)
2nd Edition 2003, D. H. Stamatis, ISBN 0873895983 in Publication 26 (ICRP 1977) as quoted in Textbook of
7. Food and Drug Administration (FDA), FDAs Ongoing Heparin Radiopharmacy, Theory and Practice Ed. Charles B Sampson 3rd
Investigation 1999 relating to ALARP / ALARA
8. Global Harmonisation Task Force (GHTF) Quality Management 16. ISO/IEC Guide 73 Risk Management Vocabulary Guideline for
System Medical Devices - Guidance on the control of products Use in Standards
and services obtained from suppliers, GHTF/SG3/N17:2008. 17. ISO/IEC 17025:2005 General Requirements for the Competence
of Testing and Calibration Laboratories
Foreword
18. ISO 7870:1993 Control Charts. 36. Quality Risk Management, British Association of Research Quality
Structure & Acknowledgements Assurance (BARQA) 2008, ISBN: 978-1-904610-10-6
19. ISO 7871:1997 Cumulative Sum Charts
Contents 20. ISO 7966:1993 Acceptance Control Charts http://www.barqa.com
21. ISO 8258:1991 Shewhart Control Charts 37. Risk Assessment in Supply Chain Management, Ian Williams, GMP
Review Vol. 2 No. 4, January 2004
22. ISO 9000:2005 Fundamentals and Vocabulary
General Introduction 38. Rules and Guidance for Pharmaceutical Manfacturers and
23. ISO 9001:2008 Quality Management Systems - Requirements Distributors 2007 (Orange Guide)
Supply Chain Considerations
24. ISO 9004:2009 Managing for Sustainability A Quality 39. The Basics of FMEA, Robin McDermott, Raymond J. Mikulak,
Risk Management Process Management Approach Michael R. Beauregard 1996, ISBN 0527763209
25. ISO 13485:2003 Medical Devices Quality Management 40. The Development of a Quality Risk Management Solution designed
Risk Management Toolbox
Systems Requirements for Regulatory Purposes to Facilitate Compliance with the Risk-based Qualification,
Supply Chain Examples 26. ISO 14971:2007 Medical Devices Application of Risk Validation & Change Control GMP Requirements of the EU
Management to Medical Devices ODonnell, K, February 2008.
Glossary
27. ISO 15378:2006 Primary Packaging Materials for Medicinal 41. Weak Links 2009 - A Survey Suggests that Manufacturers dont
Bibliography Products Particular Requirements for the Application of ISO have as much Control over Supply Chain Security as they think
9001:2000 with reference to Good Manufacturing Practice (GMP) they do, Carla Reed.
28. ISPE GAMP-5 Good Automated Manufacturing Practice Reference
29. Medical Device Directive (EU Directive 93/42/EEC) 42. WHO Technical Report Series No 908, 2003, Annex 7 Application of
Hazard Analysis and Critical Control Point (HACCP) Methodology to 104
30. MLX 357 Public Consultation on Measures to Strengthen the
Pharmaceuticals
Medicines Supply Chain and Reduce the Risk from Counterfeit
Medicines 43. ICH Q9 Briefing Pack
www.mhra.gov.uk
31. Pharmaceutical Technology Europe Regulatory Report Is the
Pharmaceutical Supply Chain Safe? Philip Payne, July 2008
32. Process Mapping by the American Productivity & Quality Center,
2002, ISBN 1928593739.
33. PS 9000:2001: The application of ISO 9001 and ISO 9004 to
Pharmaceutical Packaging Materials. IQA ISBN 0 906810 73 6.
34. PS 9004: A Guide to the GMP Requirements of PS 9000:2001
Pharmaceutical Packaging Materials. 2004, IQA. ISBN 0 906810795
35. PS 9100:2002: Pharmaceutical excipients, The application of ISO
9001:2000 and GMP guide for pharmaceutical excipients.
IQA ISBN 0 906810 83 3
ISO 9004
Clause 4
Managing for
Interested Interested
the sustained
Parties Parties
success
ISO 9004
ISO 9004
Clause 9
Needs & Clause 5
Improvement,
expectations Strategy and ISO 9001
innovation and
policy Clause 5
learning
Management
Facility
ISO 9001
Customers Clause 7 Customers
Product Product
realization
Information flow
Foundation: Quality management principles (ISO 9000)
Value-adding
activities
Risk Identification
Risk Analysis
unacceptable
Risk Evaluation
Risk Control
Risk Reduction
Risk Acceptance
Risk Review
Review Events
Product / Service
Supplied materials Manufacturing Warehouse End user
Design & Packaging
/ products & Testing & Distribution / customer
Development
End customer
/ patient
Transport / Distribution
Wholesale / retailer
/ pharmacy
Transport / Distribution
Pharmaceutical and
Medical Device
Industry
Brokers / Distributors /
Tier 1 suppliers
Transport companies
Brokers /
Tier 3 suppliers Distributors /
Transport companies
Objective evidence
Product specifications / part
requirements, instructions
Planning
Identify potential Potential supplier contact details
Identify technical & Product / Process
Describe requirements supplier(s) (existing Identify controls Risk Assessment
process information Risk Assessment
approved / new) Product / process controls
Purchasing information
finalisation
Establish:
Supplier
inspection, acceptance
Performance
Performance measurement
Corrective Receive product Data analysis
Problems Periodic re-evaluation
action YES Acceptance criteria Records of corrections / investigations
identified? of supplier
required? Measurement & monitoring
Analyse data
YES
NO
NO
YES Manufacturer &/or supplier
communication
correspondence
Feedback &
NO
Review impact on other products
supplied
Supplier exit
strategy
Figure 5 Guidance on Control of Products during Supplier Lifecycle Management (adapted from GHTF/SG3/N17:2008)
Return to Risk Management Process 2.2.1 Page 26
Data / Information
Facts Observation
Measurements Experience
Assumptions
Analysis results
(based on experience)
Trends Key
= Qualitative
Variables
= Quantitative
Attributes = Both
Ba
View la n
ce
d
ca l
Resu cti
a
1 lt
tional
Pr
o
2 Follow Persona Em
Action -u
p
l ues
3 Iss
Def
4
Plan
in
plore
e
Ex Fe
eli Other
s
ng s
Time
Requ
irements SO
LU L EM S
B Own
TI
Money ath
O
ON
G
er
PR
s
o ur ce
Re s t
hs Fa c
s
gt Creative
Solutions
Stren
ple
Peo
Opinions
Idea
TE
3
s A ID
se A LU EA
Weaknes EV S Change
Strengths
itu
S
Id
2 knesses ation
Wea
ea
Idea 1
s
en 1
G
St
se
ren erate 2
es
Weakn gths
3
8
4
7
6 5
Supplier 2 Supplier 3
Raw Materials Raw Materials
Stage 1 Stage 1
Sub-Assembly B Sub-Assembly A
Stage 2 Sub-Assembly C
Sub-Assembly B
Supplier 8 Warehouse
Distribution
Tolerable
region
Broadly acceptable
region
External Internal
Increase / decrease in demand Non-conformity
Capacity / resources changes Rejection of a batch
Fluctuating exchange rates Product recall
Political climate / instability Capacity / resource issues
Greater exposure to global Reduced inventory
social, political and financial Cost reduction programmes
environments
Single sourcing versus dual
Takeovers / mergers sourcing
Legal status (regulatory Inadequate supplier selection /
restrictions in individual qualification process
markets and of supplier)
Longer / more complex supply
Environmental responsibilities chains
Counterfeiting / fraud Complex processes
Facility disaster disaster Inadequate monitoring process
planning or oversight controls / interface
Materials, product, service Non-conformance with
supply interruption contracts / agreements
Termination of materials or Staying with poorly performing
services supplier & not progressing
Uncontrolled variation in improvement or exit strategy
materials Inadequate communication
Unexpected contaminants in Facility disaster
supplied product
Transportation / storage
Deliberate or accidental events
adulteration
Lack of technical knowledge
Unknown or poorly controlled
Personnel / organisational
use of brokers / agents
changes
Distribution / transportation /
Lack of adequate
storage events
documentation control
Inadequate communication
Increasing process variability
Lack of adequate
documentation control
Complex processes
Table 2 - Examples of hazards / events creating risks that are either external or internal to an organisation
Return to Risk Management Process 2.3.2 Page 33
Return to Risk Management Process 2.4 Page 36
Return to Risk Management Toolbox 3.2 Page 45
Return to Risk Management Toolbox 3.4.2 Page 66
Role Responsibility
Responsible Those who do the work to achieve the task. There is typically one role with a participation type of Responsible,
although others can be delegated to assist in the work required.
Accountable There should be only one Accountable person specified for each task or deliverable. An Accountable signs off
(also Approver / Final Approver) (approves) the work provided by Responsible person(s).
Consulted Those whose opinions are sought; and with whom there is two-way communication
Informed Those who are kept up-to-date on progress, often only on completion of the task or deliverable, or at key
milestones; communication is typically just one-way.