QRM Part 3 - Hazard and Risk - A Practical Approach for Sponsors
As a Sponsor, you have ultimate responsibility for the safety, efficacy and quality of your product.
With this in mind, it is always useful to be able to supplement investigations conducted by your CMOs with your own risk assessment which will check that appropriate controls are in place and also demonstrate that you have oversight of your CMO.
So, where do you start?
Make sure you avoid the SATNAV approach to risk assessment – i.e. manipulating the assessment so the outcome is what you want it to be or think it should be, rather than what the science, data and evidence shows it to be.
When conducting any risk assessment, it is important to first understand the difference between what constitutes a hazard, and what constitutes risk. There are several sources available to help with this. For example, the definitions from the ISO/IEC Guide 51:2014 state:
Hazard: The potential source of harm
Harm: Damage to health, including the damage that can occur from loss of product quality or availability.
(the definition of HARM could be expanded to include damage from a loss of data integrity, when the data is relied on for critical decisions).
Risk: The combination of the probability of occurrence of harm and the severity of that harm
In the recent update to ICHQ9 Quality Risk Management guideline, ‘risk identification’ was changed to ‘hazard identification’. This change in nomenclature has helped to differentiate between two distinct steps which, when combined, form a Risk Assessment:
Identify the hazard that requires assessing, and
Determine the risk rating based on the consequence (severity) of the hazard occurring, and whether the hazard is likely to occur (occurrence).
So how do you identify a hazard?
It is essential to identify the hazard correctly so that the risk assessment is effective. In our experience, many risk assessments demonstrate a misunderstanding of the definition of hazard and will instead assess a scenario.
For example, consider the following scenarios:
A label not stating the product name is not in itself a source of harm, however, if it leads to product mix up there is potential for patient safety to be impacted. Thus, the hazard in this case is product mix up and the controls and checks need to be in place to ensure this does not occur.
Practical approach for performing risk assessments:
There are several formats available for conducting risk assessments, but in our experience keeping them simple and easy to follow is more effective when communicating the hazards and identifying controls to reduce risk. We have, therefore, developed a three-step process to assess risk:
1. Decide on the severity rating:
What level of danger, harm or loss is the hazard/problem statement likely to cause?
High = Likely to affect product quality, data quality and/or patient safety
Medium = Potential to affect product quality and data quality, unlikely to affect patient safety
Low = Unlikely to affect product quality, data quality or patient safety
2. Decide on the likelihood of occurrence:
What control measures are currently in place to prevent the hazard from occurring?
How likely is it that the hazard will occur given the current controls in place?
Have there been previous occasions when the hazard has occurred?
High = No controls in place to prevent the hazard from occurring or there are controls in place, but they are not effective. The hazard occurs regularly or has the potential to occur regularly.
Medium = Some controls are in place. There is a trend developing of the hazard occurring or there is potential for the hazard to occur more than once.
Low = Controls are in place to prevent the hazard occurring. Rare occurrence – no trend of the hazard occurring and is unlikely to occur.
3. Decide on the (non) detectability rating:
What checks are there in the process to detect the hazard?
Are the checks effective in highlighting when controls are failing?
Is the hazard/problem statement capable of being detected before harm/damage/loss occurs?
High = No checks in place or the checks are not effective in detecting the hazard. The hazard is unlikely to be detected if it occurs.
Medium = some checks are in place, but there is potential for the hazard to go undetected before harm/damage/loss occurs.
Low = checks in place are effective and the hazard is likely to be detected if it occurs.
Severity rating x Occurrence Rating x Detectability Rating = Risk Rating
By documenting the controls and checks currently in place, you can more easily recognise where there may be gaps in control.
Finally, KEEP ANY SCORING SYSTEM SIMPLE – it reduces the chance for subjectivity and bias towards a preferred outcome. And remember, make sure you avoid the SATNAV approach to risk assessment! That way you can be confident you have all the appropriate controls and checks in place to ensure your product is safe and fit for purpose.