cqe on line - marks master set of slides · 9,,$ 5lvn 2yhuvljkw %r. 5lvn 2yhuvljkw 3odqqlqj dqg...
TRANSCRIPT
Certified Quality Engineer Refresher Course
BoK VII. Risk Management
Copyright © 2017 Mark Lindsey 1
CQE Body of KnowledgeTopic # Questions
I. Management and Leadership 18II. Quality System 16III. Product, Process, and Service Design 23IV. Product and Process Control 25V. Continuous Improvement 27VI. Quantitative Methods and Tools 36VII. Risk Management 15
Copyright © 2017 Mark Lindsey 2
Materials recommended for this Course and Exam
These slides are based on the Body of Knowledge (BoK) on the exam.
To prepare for the open book exam, other materials are highly recommended*.– Quality Council of Indiana Primer and Solution Text
which is an extensive resource for the examhttp://www.qualitycouncil.com
– ASQ various publicationshttp://asq.org/cert
Copyright © 2017 Mark Lindsey 3
VII. Risk Management (15 questions)3 Sub-Topics to Cover
A. Risk Oversight
B. Risk Assessment
C. Risk Control
Copyright © 2017 Mark Lindsey 4
VIIA. Risk Oversight (BoK)
Risk Oversight
1. Planning and oversight– Understand identification, planning, prioritization,
and oversight of risk. (Understand)
2. Metrics– Identify and apply evaluation metrics. (Apply)
3. Mitigation planning– Apply and interpret risk mitigation plan. (Evaluate)
Copyright © 2017 Mark Lindsey 5
Risk Oversight Planning
Risk management is an increasingly important business driver and stakeholders have become more concerned about risk.
Risk may be a driver of strategic decisions, it may be a cause of uncertainty in the organization or it may be embedded in the activities of the organization.
Copyright © 2017 Mark Lindsey 6
Risk Oversight Planning
An enterprise-wide approach to risk management enables an organization to consider the potential impact of all types of risks on all processes activities, stakeholders, products and services.
Implementing a comprehensive approach will result in an organization benefiting from what is often referred to as the “upside of risk” aka “rewards”.
Copyright © 2017 Mark Lindsey 7
Risk Oversight Planning
Risk management standards have been published, such as the ISO 31000 “Risk management –Principles and guidelines”. – This guide draws together developments to provide a
structured approach to implementing enterprise riskmanagement (ERM).
– This presentation uses content from this publication.
Copyright © 2017 Mark Lindsey 8
EU14971:2003 Corporate Risk Management Program
Copyright © 2017 Mark Lindsey 9
Implementation ofRisk Control
Measures
Culture on RiskCommunication
RMPolicy
An Integrated RiskManagement Process
(for all phases of the life of the product)
TrainingOf
Personnel
PostProductionMonitoring
RiskGraph
ResidualRisk
Risk Hazard
Cause
VerificationOf
Effectiveness
Risk Oversight Planning
FDA issued an Industry guidance document in 2006 called “Q9 Quality Risk Management.– http://www.fda.gov/ucm/groups/fdagov-public/@fdagov-drugs-
gen/documents/document/ucm073511.pdf
– This presentation uses content from this publication.
Copyright © 2017 Mark Lindsey 10
Risk Oversight Planning
Copyright © 2017 Mark Lindsey 11
Risk Oversight Planning
There is a need to understand the risks being taken when seeking to achieve objectives and attain the desired level of reward.
Organizations need to understand the overall level of risk embedded within their processes and activities.
It is important for organizations to recognize and prioritize significant risks and identify the weakest critical controls.
When setting out to improve risk management performance, the expected benefits of the risk management initiative should be established in advance. Copyright © 2017 Mark Lindsey 12
Risk Oversight Planning
Copyright © 2017 Mark Lindsey 13
FDA Q9 Quality Risk Management
Risk Oversight PlanningThe outputs from successful risk management include:– Compliance
– Assurance
– Well informed decision-making.
These outputs will provide benefits by way of improvements in the efficiency of operations, effectiveness of tactics and strategy of the organization.
Copyright © 2017 Mark Lindsey 14
Risk Oversight Planning
A defined risk management process will allow your organization to:– Effectively achieve its key objectives
– Oversee the entire risk management process
– Ensure risks are managed proactively in specificareas and activities
– Gain assurance about the effectiveness of yourcompany’s risk management
– Successfully respond to change in a timely fashion
Copyright © 2017 Mark Lindsey 15
Risk Management Process Overview1. Identify
2. Analyze
3. Plan
Copyright © 2017 Mark Lindsey 16
4. Track
5. Control
6. Learn & Mitigatehttps://i-technet.sec.s-msft.com/dynimg/IC119053.gif
https://technet.microsoft.com/en-us/library/cc535304.aspx
Risk Oversight PlanningRewards and Risks can be expressed in terms related to Confidence and Uncertainties (probabilities of an event and its effects).
Risk has three primary components1. An event (i.e. undesirable change, failure)
2. Probability of the occurrence of the event
3. The impact of the event (severity)
Copyright © 2017 Mark Lindsey 17
Risk Management Process OverviewSix Steps of the Risk Management Process
1. Identify
2. Analyze
3. Plan
4. Track
5. Control
6. Mitigate
Copyright © 2017 Mark Lindsey 18
QCI CQE Primer
Risk Management Process StepsThe following is a brief overview of the six steps of the Risk Management process.
1. Identify - Risk identification allowsindividuals to identify risks so theybecome aware of potential problems.Risk identification be undertakenearly and repeated at different stagesand changes.– Risk Statements – is an expression of a
causal relationship between a real condition(cause) and a potential effect.
– Root Cause - Should consider the root causeor originating source, of the risk condition.Understanding root causes can help to identifyadditional related risks.
Copyright © 2017 Mark Lindsey 19
Risk Management Process Steps
2. Analyze and Prioritize
– Risk analysis transforms theestimates or data about specificrisks that developed during riskidentification into a consistentform that can be used to makedecisions around prioritization.
– Risk prioritization enablesoperations to commit resources tomanage the most important risks.
Copyright © 2017 Mark Lindsey 20
Risk Management Process Steps
3. Plan and Schedule
– Risk planning takes theinformation obtained fromrisk analysis and uses it toformulate strategies, plans,change requests, andactions.
– Risk scheduling ensures thatthese plans are approvedand then incorporated intothe standard day-to-dayprocesses and infrastructure.
Copyright © 2017 Mark Lindsey 21
Risk Management Process Steps
4. Track and Report
– Risk tracking monitors thestatus of specific risks and theprogress in their respectiveaction plans.
– Also includes monitoring theprobability, impact, exposure,and other measures of risk forchanges that could change thepriority or risk plans.
– Risk reporting ensures that theManagement and otherstakeholders are aware of thestatus of top risks and the plansto manage them. Copyright © 2017 Mark Lindsey 22
Risk Management Process Steps
Risk Tracking - monitors three main changes:1. Trigger values – If the event occurs, the contingency plan
needs to be executed.
2. The risk's condition, consequences, probability, andimpact - If any of these change (or are found to beinaccurate), they need to be re-evaluated.
3. The progress of a mitigation plan - If the plan is behindschedule or is not having the desired effect, it needs to bere-evaluated.
Monitors above changes on three main time frames:1. Constant - Monitored constantly or at least many times
each day.
2. Periodic - Review the top risks list, looking for changes inthe major elements. This often happens at meetings.
3. As-needed - Someone notices that part of a risk haschanged.
Copyright © 2017 Mark Lindsey 23
Risk Management Process Steps
Risk Status Reporting - should operate at two levels-Internal and External. Regular risk status reports should consider four possible risk management situations for each risk:1. Resolution - A risk is resolved, completing the risk action
plan.
2. Consistency - Risk actions are consistent with the riskmanagement plan, in which case the risk plan actionscontinue as planned.
3. Variance - Some risk actions are at variance with the riskmanagement plan, in which case corrective measuresshould be defined and implemented.
4. Changeability - The situation has changed significantly withrespect to one or more risks and will usually involve re-analyzing the risks or re-planning an activity.
Copyright © 2017 Mark Lindsey 24
Risk Management Process Steps
5. Control
– Risk control is the process ofexecuting risk action plans andtheir associated status reporting.
– Also includes initiating changecontrol requests when changes inrisk status or risk plans couldaffect the availability of the serviceor service level agreement (SLA).
• Monitor risk action plans.
• Correct for variations from plans.
• Respond to triggering events.
Copyright © 2017 Mark Lindsey 25
Risk Management Process Steps
6. Mitigate and Learn - Formalizesthe lessons learned and uses toolsto capture, categorize and shareknowledge.– New risks – If an issue that had not
been identified earlier as a risk, itshould review whether any signs(leading indicators) could have helpedto predict the risk.
– Mitigation strategies - The other keylearning point is to captureexperiences of strategies that havebeen used successfully (or evenunsuccessfully) to mitigate risks. Useof a standard risk classificationprovides a meaningful way to grouprelated risks.
Copyright © 2017 Mark Lindsey 26
Risk Oversight - Metrics
Study by Stanford University on Corporate Governance shows the below metrics. https://www.gsb.stanford.edu/sites/gsb/files/publication-pdf/cgri-quick-guide-06-strategy-risk-oversight.pdf
– Most companies do not integrate risk managementand strategy. Is often delegated (internal audit, riskmanagement function, etc.) resulting in lessvisibility to the senior executives.
– 50% have no enterprise risk management in place.
– 20% describe their risk management as “mature” or“robust.”
– 45% have no structure for identifying and reportingrisk to the board.
– 38% do no formal risk assessment whendeveloping strategy.
Copyright © 2017 Mark Lindsey 27
Risk Oversight – Metrics
Software security/hazard analysis is performed during the requirements definition, specification, and design processes.
Consists of attributes that prevents unauthorized access
Copyright © 2017 Mark Lindsey 28
Risk Oversight – Metrics
The Software Risk Evaluation (SRE) is a process for identifying, analyzing, and developing mitigation strategies for risks in a software-intensive system while it is in development.
Refer to the Software Engineering Institute at Carnegie Mellon which receives funding from the Department of Defense (DoD). – http://www.sei.cmu.edu/productlines/frame_report/technicalRM.htm
– SEI Software Risk Evaluationhttp://www.sei.cmu.edu/reports/99tr029.pdf
Copyright © 2017 Mark Lindsey 29
Risk Oversight – Mitigation Planning
Risk Response - Assign responsibilities for each critical risk and have them develop contingency plans. Four strategies.
1. Avoidance
2. Transference
3. Mitigation
4. Acceptance
Copyright © 2017 Mark Lindsey 30
Risk Oversight – Mitigation Planning
Copyright © 2017 Mark Lindsey 31
Risk Management Process StepsQCI CQE Primer
Copyright © 2017 Mark Lindsey 32
VIIB. Risk Assessment (BoK)Risk Assessment
Apply categorization methods and evaluation tools to assess risk. (Analyze)
Copyright © 2017 Mark Lindsey 33
Hazard Risk Category Table - Example
Copyright © 2017 Mark Lindsey 34
Hazard Classification Matrix - example
Copyright © 2017 Mark Lindsey 35
Hazard Classification Matrix - example
Copyright © 2017 Mark Lindsey 36
Risk Management ToolsBelow is a partial listing of various Risk Management Tools. Most are covered in more detail in other presentations.– Standard Operating Procedures, Flow Charts,
Process Mapping, Check Sheets, Cause & EffectDiagrams, etc.
– Failure Mode Effects Analysis (FMEA)
– Fault Tree Analysis (FTA)
– Hazard Analysis and Critical Control Points(HACCP)
– Hazard Operability Analysis (HAZOP)
– Preliminary Hazard Analysis (PHA)
– Risk ranking and filtering
– Supporting statistical toolsCopyright © 2017 Mark Lindsey 37
FTA, FMEA, & Control Plans
Copyright © 2017 Mark Lindsey 38
FMEA versus FTA
FMEA FTAType of Analysis
“Bottoms-up”Considers failure modes at the lowest level and determines effects at the highest level
“Top down”Considers failure modes at the highest level and works down to determine causes at the lowest level
Type of Use
Typically used if there are multiple effects at the system level of comparable severityTop events cannot be explicitly definedThe identification of all failure modes is important
Typically used if there is one extremely critical top-level event.Product functionality is highly complexProduct is not repairable once initiated
Type of Use Copyright © 2017 Mark Lindsey 39
Fault Tree Analysis
Copyright © 2017 Mark Lindsey 40
Fault Tree Analysis
Fault Tree Analysis involves the following 7 steps:1. Define the top event.
2. Know the system.
3. Construct the tree.
4. Validate the tree.
5. Evaluate the tree.
6. Study tradeoffs.
7. Consider alternatives and recommendaction.
Copyright © 2017 Mark Lindsey 41
Ranking Guide Example
Copyright © 2017 Mark Lindsey 42
Failure Mode Effects Analysis (FMEA)
A FMEA or FMECA is a detailed analysis of a system down to the component or feature level.All items are classified as to the: 1. Failure Mode2. Effect of Failure3. Probability failure will occur4. Controls in place to prevent or detect the
failure
After classification, the items are then rated as to their level of risk on an matrix shown as a RPN (Risk Priority Number).
Copyright © 2017 Mark Lindsey 43
FMEA – RPN (Risk Priority Number) Calculation
SxOxD = RPNS = Severity of the effect of the failure on the rest of the system if the failure occurs. Rating is 1 – 10 (10 being worst).
O = probability of Occurrence this failure mode will occur. Rating is 1 – 10 (10 being worst). SxO = Criticality
D = ability of Detection. Effectiveness of the current controls to prevent or detect the occurrence. Rating is 1 – 10 (10 being least likely to detect).
Copyright © 2017 Mark Lindsey 44
FMEA – Key Steps / Questions
Copyright © 2017 Mark Lindsey 45
Design FMEA – Example
Copyright © 2017 Mark Lindsey 46
Design FMEA – Occurrence of Causes
Likelihood that the cause will occur
Use statistics from manufacturing and field performance to maintain this rating.New technology with no history = very highPrevention controls = very low
Copyright © 2017 Mark Lindsey 47
Design FMEA – Detection of Controls
Likelihood that the causewill be detected by the controls
No control = 10
Failure prevented by design control = 1
Copyright © 2017 Mark Lindsey 48
Process FMEA – Example
Copyright © 2017 Mark Lindsey 49
Process FMEA Occurrence Ranking
Likelihood that the cause will occurUse statistics from manufacturing and field performance to maintain this rating.New technology with no history = very highPrevention controls = very low
Copyright © 2017 Mark Lindsey 50
P-FMEA Detection RankingProbability that the cause will be detected by the controls
No control = 10
Failure prevented by design control = 1
Copyright © 2017 Mark Lindsey 51
Actions for High RPNs
Remember to also assess and mitigate risks that have a high Severity x Probability (SxO).
Actions for high RPNs include:– Eliminate the Occurrence
– Reduce the Severity
– Reduce the Occurrence
– Improve Detection
– Include it in the Process Control Plan
Copyright © 2017 Mark Lindsey 52
P-FMEA Linkages
P-FMEA is not a “stand-alone” document!
Design concept documents and D-FMEA are predecessors.
Process Control Plan and other documents are successors.
Copyright © 2017 Mark Lindsey 53
Control Plans
Control Plans are used to document and communicate the plan for monitoring and controlling the process and include:– Station/Operation Number and process description.
– Machinery, equipment, or fixtures.
– Reference drawing numbers.
– Product or process characteristic to be controlled.
– Evaluation method (gages, visual checks, etc.).
– Sample size and sample frequency.
– Control method (control chart, fixture, go and no-go,poka-yoke/mistake proofing, etc.).
– Reaction plan to be followed if a problem is detected.Copyright © 2017 Mark Lindsey 54
Control Plans - Example
Copyright © 2017 Mark Lindsey 55
Hazard Analysis and Critical Control Points (HACCP) (FDA Q9)
HACCP is a systematic, proactive, and preventive tool for assuring product quality, reliability, and safety.
It is a structured approach that applies technical and scientific principles to analyze, evaluate, prevent, and control the risk or adverse consequence(s) of hazard(s) due to the design, development, production, and use of products.
Copyright © 2017 Mark Lindsey 56
Hazard Analysis and Critical Control Points (HACCP)
Copyright © 2017 Mark Lindsey 57
Hazard Analysis and Critical Control Points (HACCP) (FDA Q9)
HACCP consists of the following seven steps:1. Conduct a hazard analysis and identify preventive
measures for each step of the process
2. Determine the critical control points
3. Establish critical limits
4. Establish a system to monitor the critical controlpoints
5. Establish the corrective action to be taken whenmonitoring indicates that the critical control pointsare not in a state of control
6. Establish system to verify that the HACCP systemis working effectively
7. Establish a record-keeping systemCopyright © 2017 Mark Lindsey 58
Hazard Analysis and Critical Control Points (HACCP) (FDA Q9)
Potential Areas of Use(s)– HACCP might be used to identify and manage risks
associated with physical, chemical, and biologicalhazards (including microbiological contamination).
– HACCP is most useful when product and processunderstanding is sufficiently comprehensive tosupport identification of critical control points.
– The output of a HACCP analysis is riskmanagement information that facilitates monitoringof critical points not only in the manufacturingprocess but also in other lifecycle phases.
Copyright © 2017 Mark Lindsey 59
Hazard Operability Analysis (HAZOP)(FDA Q9)
HAZOP is based on a theory that assumes that risk events are caused by deviations from the design or operating intentions.
HAZOP often uses a team of people with expertise covering the design of the process or product and its application.
Copyright © 2017 Mark Lindsey 60
Hazard Operability Analysis (HAZOP)(FDA Q9)
Is a systematic brainstorming technique for identifying hazards using Guide Words.
Guide Words (e.g., No, More, Other Than, Part of) are applied to relevant parameters (e.g., contamination, temperature) to help identify potential deviations from normal use or design intentions.
Copyright © 2017 Mark Lindsey 61
Hazard Operability Analysis (HAZOP)
Copyright © 2017 Mark Lindsey 62
Hazard Operability Analysis (HAZOP)
Copyright © 2017 Mark Lindsey 63
Hazard Operability Analysis (HAZOP)(FDA Q9)
Potential Areas of Use(s)– HAZOP can be applied to manufacturing processes,
including outsourced production and formulation aswell as the upstream suppliers, equipment andfacilities for substances and products.
– As is the case with HACCP, the output of a HAZOPanalysis is a list of critical operations for riskmanagement. This facilitates regular monitoring ofcritical points in the manufacturing process.
Copyright © 2017 Mark Lindsey 64
Preliminary Hazard Analysis (PHA)(FDA Q9)
PHA is a tool of analysis based on applying prior experience or knowledge of a hazard or failure to identify future hazards, hazardous situations and events that might cause harm, as well as to estimate their probability of occurrence for a given activity, facility, product, or system.
Copyright © 2017 Mark Lindsey 65
Preliminary Hazard Analysis (PHA)
Copyright © 2017 Mark Lindsey 66
Preliminary Hazard Analysis (PHA)(FDA Q9)The tool consists of 4 steps:
1. The identification of the possibilities that the riskevent happens
2. The qualitative evaluation of the extent of possibleinjury or damage to health that could result
3. Relative ranking of the hazard using a combinationof severity and likelihood of occurrence.
4. The identification of possible remedial measures
Copyright © 2017 Mark Lindsey 67
Preliminary Hazard Analysis (PHA)(FDA Q9)
Potential Areas of Use(s)– PHA might be useful when analyzing existing
systems or prioritizing hazards where circumstancesprevent a more extensive technique being used.
– It can be used for product, process and facilitydesign as well as to evaluate the types of hazardsfor the general product type, then the product class,and finally the specific product.
– Commonly used early in the development of aproject when there is little information on designdetails or operating procedures.
– Typically, hazards identified in the PHA are furtherassessed with other risk management tools.
Copyright © 2017 Mark Lindsey 68
Risk Ranking and Filtering (FDA Q9)
Risk ranking of complex systems typically involves evaluation of diverse quantitative and qualitative factors for each risk.
The tool involves breaking down a basic risk question into as many components as needed to capture factors involved in the risk.
Copyright © 2017 Mark Lindsey 69
Risk Ranking and Filtering (FDA Q9)
These factors are combined into a single relative risk score that can then be used for ranking risks.
“Filters,” in the form of weighting factors or cut-offs for risk scores, can be used to scale or fit the risk ranking to management or policy objectives.
Copyright © 2017 Mark Lindsey 70
Risk Ranking and Filtering
Copyright © 2017 Mark Lindsey 71
Risk Ranking and Filtering (FDA Q9)
Potential Areas of Use(s)– Risk ranking and filtering can be used to prioritize
manufacturing sites for inspection/audit byregulators or industry.
– Risk ranking methods are particularly helpful insituations in which the portfolio of risks and theunderlying consequences to be managed arediverse and difficult to compare using a single tool.
– Risk ranking is useful for management to evaluateboth quantitatively-assessed and qualitatively-assessed risks within the same organizationalframework.
Copyright © 2017 Mark Lindsey 72
Supporting Statistical Tools (FDA Q9)
They can enable effective data assessment, aid in determining the significance of the data set(s), and facilitate more reliable decision making.
A listing of some statistical tools commonly used is provided (covered in detail in other presentations):– Histograms
– Control charts
– Pareto charts
– Process capability analysis
– Design of experiments (DOE)
Copyright © 2017 Mark Lindsey 73
Supporting Statistical Tools (FDA Q9)
Copyright © 2017 Mark Lindsey 74
Aligning Risk Management Tools
Copyright © 2017 Mark Lindsey 75
Risk Analysis
• Intended Purpose Identification• Hazard Identification• Risk Estimation
Risk Evaluation
• Risk Acceptability Decision
Risk Control• Options analysis• Implementation• Residual Risk Evaluation• Overall Risk Acceptance
Post-production Information• Post-production experience• Systemic Procedures• Identification of new Hazards• Change Control & Feedback Loop
RiskAssessment
RiskManagement
Preliminary Hazard Analysis
Fault Tree AnalysisFunctional Analysis
Tolerability of RiskCost-Benefit AnalysisSocio/Ethical Analysis
FMECAHACCPHAZOPPAT
Six SigmaSPCCAPAComplaint Mgmt.
Copyright © 2017 Mark Lindsey 76
Strength
PurityQuality
Identity
Potency
FailureMode
Cause Effect
Ishikawa
PotentialFailure Mode and Effects Analysis
(Design FMEA)__ System__ Subsystem__ Component
Model Year/Vehicle(s):Core Team:
Design ResponsibilityKey Date:
FMEA N umber:Page 1 or 1Prepared by: Lee D awsonFMEA D ate (Orig.):
Item
Function
PotentialFailureMode
PotentialEffect(s) of
Failure
Potential Cause(s)/
Mechanism(s)Of Failure
CurrentDesign
ControlsPrevention
CurrentDesign
ControlsDetection
RecommendedAction(s)
Responsibility& Target
CompletionDate
ActionsTaken
Action ResultsSEV
CLASS
OCCUR
DETEC
R.P.N.
SEV
OCC
DET
R.P.N.
PotentialFailure Mode and Effects Analysis
(Design FMEA)__ System__ Subsystem__ Component
Model Year/Vehicle(s):Core Team:
Design ResponsibilityKey Date:
FMEA N umber:Page 1 or 1Prepared by: Lee D awsonFMEA D ate (Orig.):
Item
Function
PotentialFailureMode
PotentialEffect(s) of
Failure
Potential Cause(s)/
Mechanism(s)Of Failure
CurrentDesign
ControlsPrevention
CurrentDesign
ControlsDetection
RecommendedAction(s)
Responsibility& Target
CompletionDate
ActionsTaken
Action ResultsSEV
CLASS
OCCUR
DETEC
R.P.N.
SEV
OCC
DET
R.P.N.
FMECA
0123456789
10
A. Very High B. High C. Moderate D. Low E. Remote
I. Catastrophic
II. Critical
III. Marginal
IV. Minor
Probability of OccuranceCriticality Matrix
DOE
Multivariate Analysis
SPC
RawMaterial
Dispensing Granulation Drying Milling Mixing Tabletting Coating
Source: ISPE-Boston, Feb. 2005
Aligning Risk Management Tools
VIIA. Risk Control (BoK)Risk Control
1. Identification and documentation– Identify and document risks, gaps and
controls. (Analyze)
2. Auditing and Testing– Apply auditing techniques and testing of
controls. (Evaluate)
Copyright © 2017 Mark Lindsey 77
Risk Control (FDA Q9)
Risk control includes decision making to reduce and/or accept risks.
The purpose of risk control is to reduce the risk to an acceptable level.
Amount of effort used for risk control should beproportional to the significance of the risk.
Decision makers might use different processes,including cost-benefit analysis for understanding the optimal level of risk control.
Copyright © 2017 Mark Lindsey 78
Risk Control
Copyright © 2017 Mark Lindsey 79
Cost-Benefit Analysis – choosing options for the optimal level of control.
Risk Control (FDA Q9)
Risk control might focus on the following questions:– Is the risk above an acceptable level?
– What can be done to reduce or eliminate risks?
– What is the appropriate balance among benefits,risks and resources?
– Are new risks introduced as a result of the identifiedrisks being controlled?
Copyright © 2017 Mark Lindsey 80
Risk Control - example
Copyright © 2017 Mark Lindsey 81
Risk Control (FDA Q9)
Risk reduction focuses on processes for mitigation or avoidance of quality risk when it exceeds a specified (acceptable) level.
Risk reduction might include actions taken to mitigate the severity and probability of harm.
Processes that improve the detectability of hazards and quality risks might also be used as part of a risk control strategy.
The implementation of risk reduction measures can introduce new risks into the system or increase the significance of other existing risks so it is important to re-assess.
Copyright © 2017 Mark Lindsey 82
Risk Control
Copyright © 2017 Mark Lindsey 83
Risk Control (FDA Q9)
Risk acceptance can be a formal decision to accept the residual risk or it can be a passive decision in which residual risks are not specified. – In these circumstances, it might be agreed that an
appropriate quality risk management strategy hasbeen applied and that quality risk is reduced to aspecified (acceptable) level.
– This (specified) acceptable level will depend onmany parameters and should be decided on a case-by-case basis.
Copyright © 2017 Mark Lindsey 84
Risk Control Identification and Documentation (FDA Q9)
Quality risk management should be integrated into existing operations and documented appropriately.
Examples:– Quality Management
– Development
– Facility, equipment, and utilities
– Materials management
– Production
– Laboratory control and stability testing
– Packaging and labeling
– Inspection and assessment activities
Copyright © 2017 Mark Lindsey 85
Risk Mgmt as part of Integrated Quality Mgmt(FDA Q9)
Documentation– To review current interpretations and application of
regulatory expectations.
– To determine the desirability of and/or develop thecontent for SOPs, Guidelines, etc.
Training and Education– Determine the appropriateness of training based on
education, experience, and working habits of staff,as well as on a periodic assessment of previoustraining (e.g., its effectiveness).
– To identify the training, experience, qualifications,and physical abilities that allow personnel toperform an operation reliably and with no adverseimpact on the quality of the product.
Copyright © 2017 Mark Lindsey 86
Risk Mgmt as part of Integrated Quality Mgmt(FDA Q9)
Quality defects– To provide the basis for identifying, evaluating, and
communicating the potential quality impact of asuspected quality defect, complaint, trend, deviation,investigation, out of specification, etc.
– To facilitate risk communications and determineappropriate action to address significant productdefects, in conjunction with regulatory authorities(e.g., recall).
Copyright © 2017 Mark Lindsey 87
Risk Mgmt as part of Integrated Quality Mgmt(FDA Q9)
Auditing/Inspection– To define the frequency and scope of audits, both
internal and external. Factors such as:• Existing legal requirements
• Compliance status and history of the company or facility
• Robustness of a company’s quality risk management
• Complexity of the site
• Complexity of the manufacturing process
• Complexity of the product and its therapeutic significance
• Number and significance of quality defects (e.g., recall)
• Results of previous audits/inspections
• Major changes of building, equipment, processes, keypersonnel
• Experience with manufacturing of a product
• Test results from laboratoriesCopyright © 2017 Mark Lindsey 88
Risk Mgmt as part of Integrated Quality Mgmt(FDA Q9)
Periodic review– To select, evaluate, and interpret trend results of
data within the product quality review
– To interpret monitoring data (e.g., to support anassessment of the appropriateness of revalidationor changes in sampling)
Copyright © 2017 Mark Lindsey 89
Risk Mgmt as part of Integrated Quality Mgmt(FDA Q9)
Change management/Change control– To manage changes based on knowledge and
information accumulated in development andduring manufacturing
– To evaluate the impact of the changes on theavailability of the final product
Copyright © 2017 Mark Lindsey 90
Risk Mgmt as part of Integrated Quality Mgmt(FDA Q9)
Change management/Change control– To evaluate the impact on product quality of
changes to the facility, equipment, material,manufacturing process, or technical transfers
– To determine appropriate actions preceding theimplementation of a change, e.g., additional testing,re-qualification, re-validation, or communicationwith regulators
Copyright © 2017 Mark Lindsey 91
Risk Mgmt as part of Integrated Quality Mgmt(FDA Q9)
Continual improvement– To facilitate continual improvement in processes
throughout the product lifecycle
Other areas covered in FDA Q9: – Regulatory Operations
– Development
– Facilities, Equipment and Utilities
– Materials Management
– Production
– Packaging and Labeling
Copyright © 2017 Mark Lindsey 92
OSHA's Nationally Recognized Testing Laboratory (NRTL) Program
Recognizes private sector organizations to perform certification for certain products to ensure that they meet the requirements of both the construction and general industry OSHA electrical standards.
Each NRTL has a scope of test standards that they are recognized for, and each NRTL uses its own unique registered certification mark(s) to designate product conformance to the applicable product safety test standards.
After certifying a product, the NRTL authorizes the manufacturer to apply a registered certification mark to the product.
Copyright © 2017 Mark Lindsey 93
Risk Mgmt – Process EvaluationGoals
Product quality and performance achieved and assured by design of robust processes that are:– Effective (minimal variation)*
– Efficient (time and cost)*
– Adaptable (ability to recover or improve)*• *Juran’s Dimensions of Success
Product specifications based on satisfying the customers and also based on process capabilities.
Continuous assurance of quality
94Copyright © 2017 Mark Lindsey
Risk Mgmt – Process EvaluationSources of Variation (based on the IPO model, Juran’sdefinition of a Process and Ishikawa’s Cause & Effect Diagram)
95
Materials
MethodsMan
Medium
Machine
Measurement
Input Process Output
Copyright © 2017 Mark Lindsey
Risk Mgmt – Process EvaluationSources of Variation (based on the IPO model, Juran’sdefinition of a Process and Ishikawa’s Cause & Effect Diagram)
96
INPUTS
(x)
Machine
Methods
Measure System
Prior Ops
Mater ials
Man
Machine - Equipment
Method - Process
Medium - Environment
Materials
Measurement
Man - People Inputs to the process control variability
of the output
Output
y = f(x)y
Variability - source of the “Process” risks to the product
Example50 Products
X10 Operations
X10 Orders per Year
X10 Lots/Batches/Units per Order
X12 Months (30 days per order)
X10 Transactions per Unit per Operation
=6,000,000 Transactions per year
Spec Limit Percent
Defects per Opportunity
(traditionally PPM)
+/- 1 sigma 30.23 697,700
+/- 2 sigma 69.13 308,700
+/- 3 sigma 93.32
(many companies)
66,810
+/- 4 sigma 99.379 6,210
+/- 5 sigma 99.97670 233
+/- 6 sigma (near perfect)
99.9997
(top companies)
3.4
Copyright © 2017 Mark Lindsey
Risk Mgmt – Process EvaluationValue Added and Non-Value Added Activities(NVA – 7 Wastes known as Over Inventory, Over Production, Processing, Motion, Waiting, Defects, Transportation)
Copyright © 2017 Mark Lindsey 97
Work Processes
AbnormalNormal
Non Value Add
UnnecessaryNecessary
EliminateReduce
Value Add
Flow
eliminate the abnormal and the unnecessary non-value added tasks
reduce the non-value added but necessary, e.g. regulatory
place the value-added processes into a natural sequence
Risk Mgmt – Process EvaluationCAPA Example
Copyright © 2017 Mark Lindsey 98Source: GHTF. 2005
Quality Risk Management – End
Copyright © 2017 Mark Lindsey 99