Guest Column | October 2, 2024

What To Do When Your Regulatory Findings Need Quality Risk Management Action

By Virginia Andreotti-Jones, Danica Brown, and Heather DeMilto

Caution-warning-GettyImages-2148936206

The pharmaceutical industry is experiencing an increased focus on and enforcement of quality risk management (QRM) applications. Between January 2022 and April 2024, more than half of all warning letters issued by the FDA include citations for absent or incomplete risk assessments.1 The increased focus on risk assessments likely has multiple influencing factors, including increased regulator awareness and knowledge of QRM principles, and the emphasis on QRM in the recent update to Annex 1.

Determining an appropriate response to regulatory findings related to risk assessments can be challenging. Many organizations will automatically choose to do a single risk assessment, which is only appropriate in some cases. Depending on the scope of the agency findings, a range of responses may apply, from a simple justification to multiple risk assessments.

What Are Regulators Looking For In Risk Assessments?

Regulatory requirements and guidance to industry are rarely explicit in describing the format needed for a risk assessment. When regulators find that an organization must assess the risk associated with a topic, it is not surprising that the format is not dictated. It is possible that more than one document will be needed to best respond or that the response will not require use of a traditional QRM tool.

Following ICH Q9(R1), the formality associated with a QRM activity should be a function of influencing factors, which include uncertainty, importance, and complexity.2 Note that in QRM, importance is related to product quality, not the visibility a risk assessment will receive. A citation may include an instance where a less formal risk assessment or simple justification is warranted and use of a QRM tool is not necessary.

The most appropriate response may involve a risk-based decision, an often-overlooked element of QRM. Documenting risk-based decisions provides context for a third party. They may be authored proactively in the quality system or reactively following a regulatory observation. ICH Q9(R1) instructs that the same influencing factors used to determine formality are appropriate to determine the structure for a risk-based decision. The structure for a risk-based decision may range from:

  • using existing knowledge to support an assessment of hazards, risks, and required control
  • developing a rule-based approach that can be proceduralized and followed routinely
  • customizing a tool that includes formal consideration of multiple relevant factors associated with the decision.2

In cases where more formal risk assessments are required, an organization needs to determine the number and type of assessments to appropriately address the citation. First, consider the scope of the topic for which the finding was issued. Suppose the finding was for deficiencies throughout an extensive program with many inputs and outputs, like a process control strategy (PCS) or contamination control strategy (CCS). In that case, multiple risk assessments should be performed to address the various risk questions associated with the overarching program. A single assessment would be appropriate if the finding is narrowly focused or specific to a single input or output of a larger program. In these cases, a single risk question would need to be answered.

Once the scope of the assessment has been decided, consider the risk question(s) needing evaluation. Specific QRM tools are suited to different types of risk questions. The popular failure modes and effects analysis (FMEA) tool is well suited to understanding process risk. A hazard analysis and critical control points (HACCP) is more appropriate for addressing contamination risk, and a risk-based impact assessment (RBIA)3 is best suited to determine the risk of potential impact from an undesirable event.

The speed with which an organization can fully address the regulatory finding is dependent on the approach needed. QRM outputs may easily meet the timeline for the initial response if they are targeted, use existing knowledge, and follow an established or easily adopted methodology. However, for citations that are broad in topic, require multiple outputs, generate new information, or use a new methodology, a formalized plan may be needed to outline deliverables and timelines for execution. We recommend a formalized approach over attempting to force a broad topic into a less suitable format to meet the initial response timeline.

It is clear that knowledge and experience with sound QRM principles are needed to determine the best course of action. Therefore, it is imperative to involve a QRM subject matter expert in the response process before committing to an approach. A skilled QRM practitioner will effectively translate regulators’ desired outputs into an approach that completely and appropriately addresses the finding. Failure to engage QRM experts early in the response process increases the likelihood that the final deliverable will be inadequate or inappropriate for the situation.

Below are four case studies from FDA warning letters issued in 2024.1 These scenarios illustrate typical findings and outline appropriate QRM approaches. Each example summarizes the FDA finding, evaluates it from a QRM perspective, and discusses a suitable response.

Case Studies

Case Study #1

  • Summary of Finding
    Your quality system does not adequately ensure the accuracy and integrity of data to support the safety, effectiveness, and quality of the drugs you manufacture. Provide a current risk assessment of the potential effects of the observed failures on the quality of your drugs. Include analyses of the risks to patients caused by the release of drugs affected by a lapse of data integrity and analyses of the risks posed by ongoing operations.
     
  • QRM Response Strategy
    This finding is narrowly focused to the impact of an event captured within an existing quality system. An impact assessment supported by risk is appropriate to determine the risk of potential effects associated with the observed deficiency. The observation does not call out deficiencies with the entire system but within the evaluation of impact following an undesirable event.

Based on these factors, a single risk assessment is appropriate. The risk assessment methodology should use a risk-based framework to evaluate the potential impacts of the failure by determining what impacts may have occurred from the failure and evaluating the likelihood of the impact occurring and the severity if the impact occurs. If the evaluation determines the risk of potential impact is unacceptable, action such as rejection or remediation must follow.

Case Study #2

  • Summary of Finding
    Your firm failed to conduct at least one test to verify the identity of each component of a drug product. Your firm also failed to validate and establish the reliability of your component supplier’s test analyses at appropriate intervals. Provide a detailed risk assessment addressing the hazards posed by distributing drug products manufactured with expired components. Include a summary of all results obtained from testing retain samples from each batch of impacted product. If such testing reveals substandard quality drug products, take rapid corrective actions.
     
  • QRM Response Strategy
    This observation highlights two deficiencies with differing scopes:
    • A broad issue with the programs for supplier and material qualification, as the observation cites a lack of component testing and supplier reliability.
    • A targeted issue with the manufacture of drug product using expired components and the associated effects.

To address the program gap, develop and proceduralize a risk-based decision-making tool. This tool should define a risk-based supplier qualification strategy and provide an approach for incoming component analysis. A plan of execution for this approach should be included in the initial response.

The response for the targeted issue should follow the approach outlined in Case Study #1, where a risk assessment is used to evaluate the potential impacts of a failure. In this case, the data from testing of product retain samples should be used to inform the likelihood ratings and subsequent actions based on the potential risk of impact.

Case Study #3

  • Summary of Finding
    Your firm failed to perform operations within specifically defined areas of adequate size and to have separate or defined areas or such other control systems necessary to prevent contamination or mix-ups in aseptic processing areas. A vigilant ongoing EM program, and supporting laboratory, are essential to detect and respond to potential product contamination hazards in your manufacturing environment in a timely manner. Loss of environmental control in an aseptic manufacturing facility can ultimately pose a serious hazard to patients.

In response to this letter, provide a comprehensive, independent risk assessment of all contamination hazards with respect to your aseptic processes, equipment, and facilities.

  • QRM Response Strategy
    This finding highlights multiple significant deficiencies with the organization’s CCS, which has numerous inputs and outputs. A comprehensive CCS is informed by answering multiple risk questions, commonly addressed through multiple tools. Therefore, multiple risk assessments are required to fully address this finding. These assessments include, but may not be limited to:
    • Environmental contamination risk assessment to determine risk of contamination hazard and strength of controls
    • Risk-based approach to identify appropriate environmental sampling locations
    • Determination of relative risk associated with operator interactions within ISO 5 (e.g., interventions)
    • Process contamination risk assessment
    • Risk-based approach to identify in-process sample points
    • Cross-contamination risk assessment(s) to identify the possible causes of product-to-product and batch-to-batch cross-contamination and evaluate the cumulative strength of controls

The completion of multiple risk assessment of this scope and complexity will take a significant amount of time and resources. A plan for execution of this approach should be included in the initial response.

Case Study #4

  • Summary of Finding
    Your firm failed to establish adequate written procedures for production and process control designed to assure that the drug products you manufacture have the identity, strength, quality, and purity they purport or are represented to possess, and to follow all of your written production and process control procedures.

Perform an assessment of each drug product process to ensure that there is a data-driven and scientifically sound program that identifies and controls all sources of variability, such that your production processes will consistently meet appropriate specifications and manufacturing standards.

  • QRM Response Strategy
    This observation highlights several deficiencies with the PCS, which is a complex program with numerous input and outputs. A comprehensive PCS is informed by answering multiple risk questions, commonly addressed with multiple tools. Therefore, multiple risk assessments are required to completely address this finding. These assessments include, but may not be limited to:
    • Process risk assessment(s) to evaluate potential process failures and strength of controls
      • The scope and number of risk assessments can be based on process steps or by product.
    • Cross-contamination risk assessment(s) to identify the possible causes of product-to-product and batch-to-batch cross-contamination and evaluate the cumulative strength of controls

Completing multiple risk assessment of this scope and complexity will take a significant amount of time and resources. The completion timeline will depend on the total number of process risk assessments. As in Case Study #3, a plan of execution for this approach should be included in the initial response.

Conclusion

Despite the long-running QRM expectations in 21 CFR 211 and Annex 1, the pharmaceutical industry has seen increased scrutiny on its application, resulting in regulatory citations. Organizations often misstep in response to regulatory feedback by opting for a single risk assessment when multiple are needed.

Regulatory guidance and citations related to risk assessments typically lack specificity about required format, leaving organizations to choose the most suitable approach based on factors like uncertainty, importance, and complexity. While some issues may require formal risk assessments, others might be addressed with less formal methods or simple justifications.

Overall, we recommend engaging quality risk management experts early to properly align response strategies with regulatory expectations and ensure thorough, well-documented risk assessments.

References

  1. U.S. FDA Warning Letters. https://www.fda.gov/inspections-compliance-enforcement-and-criminal-investigations/compliance-actions-and-activities/warning-letters
  2. ICH Q9 (R1). “Quality Risk Management” Jan 2023
  3. Waldron, K. “Integration of Risk Management Principles into the Quality System: Risk-based Impact Assessment.” Journal of GxP Compliance. Volume 17, Number 2. Spring 2013

About The Authors:

Virginia Andreotti-Jones is a seasoned expert in pharmaceutical and biopharmaceutical quality risk management (QRM) and quality systems at ValSource, Inc. With over 15 years in the biotechnology industry and a decade of experience in QRM and risk assessment methodologies, she has led the development and deployment of quality systems, created QRM programs, and successfully navigated regulatory inspections. She has expertise in quality systems design, human error reduction, and data integrity. Her skills extend to root cause investigations, contamination control, and the creation of robust training and qualification programs. As a board member of the PDA Pacific Northwest Chapter, Andreotti-Jones has been instrumental in advancing quality culture and regulatory excellence. She can be reached at vandreottijones@valsource.com.

Danica Brown is a consultant with ValSource, Inc., with expertise in the development and deployment of customized solutions to QRM, including program design, development of risk-based approaches, and integration of QRM within quality systems. Her expertise also spans quality functions in the pharmaceutical, biopharmaceutical, and medical device industries, including quality strategy and process improvements, deviations/investigations, and design verification and validation. She has a B.S. in biochemistry from Simmons College and an MBA from the University of Massachusetts. Brown is an ASQ Certified Quality Engineer and Lean Six Sigma Green Belt. She is also an active member with PDA and a participant on its Knowledge Management task force. She can be reached at dbrown@valsource.com.

Heather DeMilto is a consultant at ValSource Inc., where she delivers solutions in quality risk management (QRM). With extensive expertise in the pharmaceutical industry, she specializes in a broad range of quality functions, including aseptic manufacturing, sterility assurance, and contamination control strategies. Her proficiency extends to environmental monitoring, microbiology, and quality oversight. She is well-versed in applying Kepner Tregoe problem solving tools, ensuring data integrity, and performing in-depth root cause analysis. DeMilto’s experience also encompasses corrective and preventive actions (CAPA), change controls, and human error reduction. She can be reached at hdemilto@valsource.com.