By adding quality risk management into your processes, especially at the design and planning phase, you can take actions to ensure that anticipated problems don’t occur or have steps in place to deal with them when they do. The saying goes that an ounce of prevention is worth a pound of cure, and equally, an hour identifying potential risks can be worth several days scurrying around trying to deal with an unexpected problem. The initial investment in the risk management process will prevent the loss of time, money, brand image due to unanticipated product failures.
There are 2 types of risk management when you are handling QMS.
The risks associated with failure or breakdown of the QMS processes.There are requirements in the new ISO9001:2015 standard to address the risks and opportunities. Also there are requirements in ISO13485:2016 to address the risk of breakdowns of QMS processes.
The risk of product failure or quality issues. This type of quality risk management is required for compliance with ISO13485, 21 CFR 820, 21 CFR210/211 requirements.
In this article, we will cover the basic principles and methods involved for managing risk management both for QMS processes and Quality issues.
Who is Responsible?
Quality Assurance manager or the General Manager or the designee shall:
01. Be responsible for identification, analysis, evaluation of hazards in the QMS processes
02. Be responsible for initiating corrective actions, when the risk analysis shows that the processes in the QMS are not suitable, adequate or effective
03. Be responsible for presenting the updates and summary data from the Risk Management process at the Management Review.
What is Risk Management in QMS?
The Quality System Risk management is a systematic process for identification, assessment, control, communication and review of risks to the quality system processes.
It is just acknowledging that risk happens, and taking measures to ensure you’re completely prepared for it.
Risk Management Process
01. Risk Identification
02. Risk Analysis
03. Risk Control
04. Risk Evaluation
05. Risk Reduction
06. Risk Acceptance
07. Risk Communication
08. Risk Review
To identify the hazards, create a list the potential areas of concerns or foreseeable hazards in the QMS sub process areas, based upon historical data, theoretical analysis, informed opinions, and the concerns of stakeholders. Risk identification addresses the “What might go wrong?” question, including identifying the possible consequences. This provides the basis for further steps in the quality system risk management process.
Risk analysis is the estimation of the risk associated with the identified hazards. It is the qualitative or quantitative process of linking the likelihood of occurrence and severity of harms.
This is essential for understanding the impact of risk on business goals and objectives, as well as how likely it is the risks could happen, and when.
Assessing risks is also important for making sure that the risks that are being recorded are actually credible. This is the time when scrutiny can be applied, and methods of qualitative and predictive analysis can be used to better understand which risks should be taken most seriously.
The goal of risk analysis is to help top management understand where to focus their most immediate attention
Risk control includes decision making to reduce and/or accept risks. The purpose of risk control is to reduce the risk to an acceptable level. The amount of effort used for risk control should be proportional to the significance of the risk. Decision makers might use different processes, including benefit-cost analysis, for understanding the optimal level of risk control.
The Risk control measures usually focus on the following areas.
01. Is the risk above an acceptable level? What can be done to reduce or eliminate risks?
02. What is the appropriate balance among benefits, risks and resources?
03. Are new risks introduced as a result of the identified risks being controlled?
Risk evaluation compares the identified and analyzed risk against given risk criteria. The Risk evaluations consider the strength of evidence for the following fundamental questions.
01. What might go wrong?
02. What is the likelihood (probability) it will go wrong?
03. What are the consequences (severity)?
Risk reduction focuses on processes for mitigation or avoidance of quality risk when it exceeds a specified (acceptable) level .Risk reduction might include actions taken to mitigate the severity and/or probability of harm.Processes that improve the detect-ability of hazards might also be used as part of a risk control strategy.The implementation of risk reduction measures can introduce new risks into the system or increase the significance of other existing risks.
Hence, it might be appropriate to revisit the risk assessment to identify and evaluate any possible change in risk after implementing a risk reduction process.
Risk acceptance is a decision to accept risk. Risk acceptance can be a formal decision to accept the residual risk or it can be a passive decision in which residual risks are not specified.
For some types of harms, even the best quality risk management practices might not entirely eliminate risk. In these circumstances, it might be agreed that an appropriate quality risk management strategy has been applied and that quality risk is reduced to a specified (acceptable) level, this will be referred to as tolerable risk.
Risk communication is the sharing of information about risk and risk management between the decision makers and others. Parties can communicate at any stage of the risk management process.
Risk management should be an ongoing part of the quality management process. The updates and status of action items from the Risk Management process shall be presented in the Management Review meetings.
Example of a Risk Management Template:
1. Following templates will be used for evaluation and analysis of risk in the QMS sub processes.
1.1 Definition of Severity Scale:
1.2 Definition of Occurrence Scale:
1.3 Risk Analysis Matrix: Using the following formula, calculate the overall risk level of the hazards. The Overall Risk Level of Hazard = Severity of the harm x Occurrence of the harm. Then compare the Overall Risk Level with the values from Risk Analysis matrix. If the results of overall risk are in the Intolerable region, then define action plan to bring down the overall Risk Level to Acceptable region.
1.4Justification for Tolerable Risk Levels:There may be instances where, after the implementation of action plans, the risk levels cannot be brought to Acceptable values, the risk levels may be accepted as tolerable. In such instances, justification or rationale shall be documented for tolerable risk levels.
2.0Risk Identification: Hazard Identification- Additional numbering to be added as needed.
2.1 List of foreseeable hazards
3.0Risk Evaluation: For the hazards listed in section 2.1 assign the ranks for severity and occurrence based on the values from section 1.1 and section 1.2. Additional rows can be used as needed.
3.1 List of hazards with assessment ranks:
4. 0Risk Control: Risk control is achieved through the implementation of action plan.
4.1Risk Reduction: Define the action plan to mitigate the risk.
4.2 Residual Risk Evaluation and Justification for Acceptability
Risk control measures identified in Section 4.1 will be evaluated against risk acceptability matrix. Justification of acceptability as well as residual risk will be completed in the following table. Additional hazards identified (if any) shall be transferred to Section 3.0 for risk evaluation.
5.0 Risk Review: Completeness of Risk Assessment: All hazards in Section 2.1 shall be reviewed for completeness of risk evaluation. Additional risks identified will be documented below and added to Section 3.1
5.1 Additional list of hazards
6.0Risk Management Report Approval
Risks identified have been completed and judged to be acceptable.
The following agree that QMS Risk Management has been completed on identified (sub) system. Action in this document (see below) are complete and correct.
01. Function / Purpose of (sub) System Identified
02. Identification of potential or known hazards
03. Risk Evaluation of identified (sub) System
04. Risk Reduction of identified (sub) System
05. Residual Risk identified, acceptability of risk justified
Quality and Regulatory Management Professional with more than 20 years experience in Quality System, Quality Engineering, Supplier Quality Management, Regulatory Compliance and Operational Excellence in the Life Science industry. Strong knowledge and expertise in the FDA Regulations including 21 CFR 820, 21 CFR 210, 21 CFR 211, 21 CFR Part 11 compliance requirements. Sanjay has been a trusted advisor for many Medical Technology and Life Science companies.
Sanjay is a recognized leader in the QMS area and holds following certifications from American Society of Quality (ASQ).
* Certified Six Sigma Black Belt (CSSBB), Certified Quality Engineer (CQE), Certified Quality Auditor (CQA)