Page 1 of 12

SEV PHARMACEUTICALS LIMITED

STANDARD OPERATING PROCEDURE SOP No.:

(SOP) REVISION No.:
TITLE: SOP FOR QUALITY RISK MANAGEMENT SUPERCEDES:
DATE OF IMPLEMENTATION: REVIEW DATE:
Written by: Checked by:
Designation: Designation:
Signature: Signature:

PURPOSE
To lay down the procedure for the assessment, control, communication and review of risks to the quality
of medicine(s) across the entire life cycle in order to ensure its quality, safety, integrity and purity.

APPLICATION

This SOP is applicable to the identification of the potential quality risks involved in any process,
equipment, facilities and systems involved in medicine production at SEV pharmaceuticals Ltd.

RESPONSIBILITY

Quality Risk Management (QRM) Team shall Identify all perceived failures with respect to process,
equipment, facilities and system.

Responsible for identification of risk and communication of risk to Quality Risk Management (QRM) team.

All HODs shall be responsible to follow this SOP for ………..

Head QA shall be responsible for compliance/implementation of this SOP.

DEFINITIONS
Risk: Combination of the probability of occurrence of harm and severity of the harm

Quality risk management: A systematic process for the assessment, control communication, and review
of risks to the quality of the pharmaceutical product across the product life-cycle.

KEY CONSIDERATIONS
The two primary principles of Quality Risk Management (QRM) are that:
 The evaluation of the risk to quality should be based on scientific knowledge and ultimately linked
to the protection of the patient.
 The level of effort, formality and documentation of the Quality Risk Management (QRM) process
should be commensurate with the level of risk.

PROCEDURE
1. The Quality Risk Management process shall be conducted through the following steps:

1.1 Initiating a Quality Risk Management (QRM) process

1.1.1 The possible steps to be taken in initiating and planning a Quality Risk Management (QRM)
process might include the following:

# Designation Name Signature Date

Approved by: QA MANAGER
Authorised by: PHARMACIST
 STANDARD OPERATING PROCEDURE Page 2 of 12
TITLE: SOP FOR QUALITY RISK MANAGEMENT SOP No.:
DATE OF IMPLEMENTATION: REVIEW DATE:

1.1.1.2 Defining the problem or risk question, including pertinent assumptions and identifying the
potential for risk.
1.1.1.3 Assembling background information or data on the potential hazard, harm or human health impact
relevant to the risk assessment.
1.1.1.4 Identifying a leader (QRM Team) and the necessary resources.
1.1.1.5 Specifying a timeline, the deliverables, and an appropriate level of decision-making for the risk
management process.
1.1.1.6 In case of major and Critical Risk CAPA shall be logged within 3 days and closure of the same
shall be done within 30 days.
1.1.1.7 If the CAPA of the Risk demand investment it shall be closed within 6 months of CAPA logging.
1.1.1.8 Output/result of the formal risk assessment process shall be communicated to concerned
department through risk assessment report, for implementation of action recommended.
1.1.1.9 Risk review shall be done after the recommended action taken.

1.2 Risk Assessment

1.2.1 Risk assessment shall involve the identification of hazards and the analysis and evaluation of
risks associated with exposure to those hazards.
1.2.2 The steps will include risk identification, risk analysis and risk evaluation.
1.2.3 As an aid to clearly defining the risk(s) for risk assessment purposes, four fundamental questions
shall be addressed:
1.1.1.1 What might go wrong?
1.1.1.2 The nature of possible risks?
1.1.1.3 The probability of their occurrence and how easy is it to detect them?
1.1.1.4 What are the consequences (the severity)?
1.1.2 Risk identification is a systematic use of information to identify hazards referring to the risk
question or problem description.
1.1.3 Information shall include historical data, theoretical analysis, informed opinions, and the concerns
of stakeholders.
1.1.4 Risk identification addresses the “What will go wrong?” question, including identifying the possible
consequences.
1.1.5 Risk analysis is the estimation of the risk associated with the identified hazards.
1.1.6 Risk evaluation compares the identified and analysed risk against given risk criteria.
1.1.7 A quantitative process will be used to assign the severity, probability and detectability of a risk as
described below:

1.1.7.1 Severity of a risk

1.1.7.1.1 Severity is defined as a measure of the possible consequences of a hazard.
1.1.7.1.2 Assess the severity and effect of failure on the product or process.
1.1.7.1.3 The effect of the severity criteria is given below:

Value Description Criteria

1 Irrelevant No impact on patient safety
3 Important Noticeable impact to product quality
5 Disastrous Batch failure, birth defect, can cause death or severe

Designation Name Signature Date

Approved by:

Authorised by:
 disabilities to the patient

STANDARD OPERATING PROCEDURE Page 3 of 12

TITLE: SOP FOR QUALITY RISK MANAGEMENT SOP No.:
DATE OF IMPLEMENTATION: REVIEW DATE:

1.1.7.1.4 Identify the possible causes of each failure mode.

1.1.7.1.5 Quantify the probability of occurrence of each of the causes of a failure mode.

1.1.7.2 Probability/Occurrence
1.1.7.2.1 The probability of occurrence evaluates the frequency that potential risk will
occur for a given system or situation.
1.1.7.2.2 The probability score is rated against the probability that the effect occurs as a
result of a failure mode is given below:

Value Description Criteria

1 An unlikely probability of Failure has never been seen but it is
occurrence theoretically possible
3 An occasional probability Failure potential has been noted. If procedures
of occurrence are followed the failure potential is minimal
5 A high probability of Failure potential has been noted. An active non-
occurrence standard feedback control loop may be required

1.1.7.2.3 Identify all existing controls (current controls) that contribute to the prevention of
the occurrence of each of the causes of a failure mode.
1.1.7.2.4 Determine the ability of each of listed controls in preventing or detecting the
failure mode or its cause. Assign a ranking score to indicate the detection
effectiveness of each control.

1.1.7.3 Detectability (likelihood)

1.1.7.3.1 The ability to discover or determine the existence, presence or fact of a hazard.
1.1.7.3.2 The detectability score is rated against the ability to detect the effect of the
failure mode or the ability to detect the failure mode itself is given below:

Value Description Criteria

1 High degree of A. Validated automatic system that is a direct measure of
delectability failure
B. Two or more manual operated validated detection
systems, direct or indirect
3 Likely to detect Single manually operated validated detection system that
is not a direct measure of failure.
5 Low or no No ability to detect the failure
detectability

Designation Name Signature Date

Approved by:

Authorised by:
 STANDARD OPERATING PROCEDURE Page 4 of 12
TITLE: SOP FOR QUALITY RISK MANAGEMENT SOP No.:
DATE OF IMPLEMENTATION: REVIEW DATE:

1.1.8 Calculation of Risk Priority Number (RPN)

1.1.8.1 The composite risk for each unit operation step is the product of its three individual
component ratings: severity, probability and detectability.
1.1.8.2 This composite risk is called as risk priority number (RPN).

RPN = Severity(S) x Probability (P) x Detection (D)

Rating Risk Priority

1 – 25 Minor
26-75 Major
76-125 Critical

1.1.8.3 Identify actions to address perceived failure modes that have a high RPN
1.1.8.4 In case the calculated RPN rating is greater than 25 that particular failure is not acceptable
and necessary controls and procedures shall be implemented based on the area to reduce
the severity of risk.
1.1.8.5 The procedure and control shall be defined based on the outcome of risk assessment
evaluation by respective Risk assessment team.
1.1.8.6 If the risk priority number obtained is higher than 75, formal risk assessment shall be done
(Refer to Annexure-I).
1.1.8.7 If the risk index is between 26 and 75, formal risk assessment shall be considered if the
detectability is low or no detectability.
1.1.8.8 In case the risk priority number is lower than 25, no further formal risk assessment shall be
required.

1.2 Risk control

1.3.1 Risk control involves decision making to reduce and/or accept risks.
1.3.2 The purpose of risk control is to reduce the risk to an acceptable level.
1.3.3 The amount of effort used for risk control shall be proportional to the significance of the risk.
1.3.4 During risk control activities the following key questions should be asked:
1.3.4.1 What can be done to reduce or eliminate risks?
1.3.4.2 What is the appropriate balance between benefits, risks and resources?
1.3.4.3 Are new risks introduced as a result of the identified risks being controlled?
1.3.5 Risk control can include:
1.3.5.1 Not proceeding with the risky activity
1.3.5.2 Taking the risk
1.3.5.3 Removing the risk source
1.3.5.4 Changing the likelihood of the risk
1.3.5.5 Changing the consequences of the risk
1.3.5.6 Sharing the risk with another party (e.g. Contractor)
1.3.5.7 Retaining the risk by informed decision.
1.3.6 Risk reduction will focus on processes for mitigation or avoidance of quality risk when it exceeds
an acceptable level.
Designation Name Signature Date

Approved by:

Authorised by:
1.3.7 Risk reduction will include actions taken to mitigate the severity and probability of harm.

STANDARD OPERATING PROCEDURE Page 5 of 12

TITLE: SOP FOR QUALITY RISK MANAGEMENT SOP No.:
DATE OF IMPLEMENTATION: REVIEW DATE:

1.3.8 Processes that improve the detectability of hazards and quality risks will also be used as part of a
risk control strategy.
1.3.9 Risk reduction measures, may introduce new risk into the system or increase existing risk.
1.3.10 Therefore, it shall be continuous process to evaluate any possible change in risk.
1.3.11 Risk acceptance is a decision to accept risk.
1.3.12 Risk acceptance shall be a formal decision to accept the residual risk.
1.3.13 Wherever it will not be possible to entirely eliminate risk, in these circumstances, it will be ensured
that optimal quality risk management strategy is applied and that quality risk is reduced to an
acceptable level.
1.3.14 This acceptable level will depend on many parameters and shall be decided on a case-by-case
basis.

1.4 Risk Communication

1.4.1 After assessment of risk, the same shall be concluded and communicated to concerned
department head.
1.4.2 Communication might include those among interested parties, e.g. regulators and industry,
industry and the patient, within a company, industry or regulatory authority.
1.4.3 The information related to existence, nature, form, probability, severity, acceptability, control,
treatment, detectability or other aspect of risk to quality.
1.4.4 Communication need not be carried out for each and every risk acceptance.

1.5 Risk review

1.5.1 The output/results of the risk management process shall be reviewed to take into account new
knowledge and experience.
1.5.2 Once a quality risk management process has been initiated, that process shall continue to be
utilized for events that will impact the original quality risk management decision whether these are
planned (e.g., results of annual product review, inspections, audits, change control) or unplanned
(e.g., root cause from failure investigations, recall).
1.5.3 Risk management shall be an ongoing quality management process and a mechanism to perform
periodic review of events shall be implemented.
1.5.4 The frequency of the review shall be based upon the level of risk.
1.5.5 Risk review will include reconsideration of risk acceptance decisions.

1.6 Verification of Quality Risk Management (QRM) process and methodologies

1.6.1 The established Quality Risk Management (QRM) process and methodologies need to be verified.
1.6.2 Verification and auditing methods, procedures and tests, including random sampling and analysis,
can be used to determine whether the QRM process is working appropriately.
1.6.3 The frequency of verification should be sufficient to confirm the proper functioning of the QRM
process. Verification activities include:
1.6.3.1 Review of the Quality Risk Management (QRM) process and its records;
1.6.3.2 Review of deviations and product dispositions (management control);
1.6.3.3 Confirmation that identified risks are being kept under control.

Designation Name Signature Date

Approved by:

Authorised by:
1.6.4 Initial verification of the planned Quality Risk Management (QRM) activities is necessary to
determine whether they are scientifically and technically sound, that all risks have been identified
and that, if the Quality Risk Management (QRM) activities are properly completed, the risks will be
effectively controlled.

STANDARD OPERATING PROCEDURE Page 6 of 12

TITLE: SOP FOR QUALITY RISK MANAGEMENT SOP No.:
DATE OF IMPLEMENTATION: REVIEW DATE:

1.7 Mitigation Plan/Risk reduction

1.7.1 Identify the current control measure available for the identified risk. If the risks are not accepted,
the proposed mitigation/control measure to reduce the risk to an acceptable level.
1.7.2 Risk reduction focuses on processes for mitigation or avoidance of quality risk when the risk
exceeds an acceptable level. Risk reduction includes:
1.7.2.1 Action taken to mitigate the severity and probability of risk:
1.7.2.2 Processes or methods that improve the ability to detect risk implementation of risk
reduction measures may introduce new risks into the systems or increases the
significance of other existing risks

1.8 Risk Management Methods and Tools

1.8.1 The tool which is used for risk management is Failure Mode, Effects and Criticality Analysis
(FMECA)/Risk Assessment.
1.8.2 FMECA is a systematic method of identifying and preventing product and process problems
before they occur.
1.8.3 List all perceived failure modes for each item (product component or process step) under the
“failure mode” column in Annexure–I.
1.8.4 Identify all potential failure modes associated with the product component or process step.
1.8.5 Describe the effects of each of listed failure modes and assess the severity of each of these
effects on the product or process.

1.9 Documentation
1.9.1 QA manager shall form the Quality Risk Management (QRM) team leader and QRM team subject
matter expert from concern departments.
1.9.2 QRM which are triggered from deviation, change control or any QMS activity shall be assessed as
per attached Annexure- VII (Risk assessment for the quality events) which shall be issued
along with the quality events.
1.9.3 A formal risk assessment shall be prepared as per Annexure–I and copy of same shall be
enclosed along with that document.
1.9.4 All employees working in the area can identify the risk and shall communicate to Quality Risk
Management (QRM) team on Annexure-II.
1.9.5 Quality Risk Management (QRM) team shall evaluate and analyze the risk.
1.9.6 List all the perceived failure modes for each item, process, product, equipment etc. under the
failure mode.
1.9.7 Describe the potential effect of each of listed failure modes and assess the severity of each of
these effects on the product or process.
1.9.8 Assign the quantitative value of severity to potential effect of each failure.
1.9.9 List the potential causes of failure.
1.9.10 Assign the quantitative value of probability of each failure.
1.9.11 List the current control measures of failure.
1.9.12 Assign the quantitative value of detectability to each failure.
Designation Name Signature Date

Approved by:

Authorised by:
 STANDARD OPERATING PROCEDURE Page 7 of 12
TITLE: SOP FOR QUALITY RISK MANAGEMENT SOP No.:
DATE OF IMPLEMENTATION: REVIEW DATE:

1.10 Calculate the RPN No. and assign the category.

1.10.1 If the risks are not accepted then QRM team shall assign the new control measures for the
unaccepted risks, along with responsibility and target date of completion of action.
1.10.2 After assigning new control, QRM team shall again do the risk analysis using above process, shall
calculate the RPN No. and assign category.
1.10.3 After compilation of the QRM, QRM team leader shall review the Quality risk management and
after review shall forward the QRM to Head QA for approval.
1.10.4 The accepted risks and additional monitoring plan shall be communicated to concerned
department on Annexure-V.
1.10.5 The corrective and preventive actions, reference documents, abbreviations and relevant
attachments associated with the particular risk shall be enclosed with the risk assessment
documents.
1.10.6 Training to concerned personnel shall be imparted upon analysis and evaluation of the risk
management for the particular process / system / equipment / instrument.
1.10.7 It shall be ensured that the recommended corrective and preventive actions for the identified risks
are in place, before closing the particular Risk Management documents.

1.11 Quality Risk Management (QRM) integration with Key quality system elements
1.11.1 If the risk assessment is initiated from any change control or deviations it shall be treated as
standalone documents, A copy of the same shall be kept along with respective change control or
deviations.
1.11.2 Example of some Quality Risk Management (QRM) in respect of operation and covered area for
risk assessment are given below but not limited to:

Designation Name Signature Date

Approved by:

Authorised by:
 STANDARD OPERATING PROCEDURE Page 8 of 12
TITLE: SOP FOR QUALITY RISK MANAGEMENT SOP No.:
DATE OF IMPLEMENTATION: REVIEW DATE:

S. No. Area of Operation Area Covered

1. Integrated Quality Management Documentation,
Training & Education,
Quality Defects,
Auditing & Inspections,
Periodic Review,
Change Management & CAPA,
Continual Improvement
2 Quality Risk Management (QRM) Inspection and assessment activities
. as part of Regulatory Operations

3 Quality Risk Management (QRM) To design a quality product and its

. as part of development manufacturing process to consistently
deliver the intended performance of the
product.

4 Facilities, Equipment and Utilities Design of facility/equipment,

. – Quality Risk Management Hygiene aspects in facilities,
(QRM) Qualification of facility/equipment/utilities,
Cleaning of equipment and environmental
control,
Calibration/preventive maintenance,
Computer system and computer-controlled
equipment
5 Quality Risk Management Assessment and evolution of suppliers and
. (QRM)as part of material contract manufacturers,
management Stating material,
Use of materials,
Storage, logistics and distribution conditions
6 As part of production Quality Validation,
. Risk Management (QRM) In-process sampling and testing,
Production planning
7 Quality Risk Management (QRM) Out of specification Results,
. as part of Laboratory control and Retest period/expiration date
stability studies

Designation Name Signature Date

Approved by:

Authorised by:
 8 Quality Risk Management as part Design of packages,
. of Container Closer System Selection of container closer system,
Label control

STANDARD OPERATING PROCEDURE Page 9 of 12

TITLE: SOP FOR QUALITY RISK MANAGEMENT SOP No.:
DATE OF IMPLEMENTATION: REVIEW DATE:

7.0 Annexures:
Annexure – I: Failure Mode and Effect Critical Criticality Analysis (Risk assessment)

Subject: Department:

FMECA No.: Date:

Risk Status as on perceived

Sr. Process Perceive Severity Probability Detectability RPN Risk

No Functio d Failure acceptanc
. n Mode Potential S Potentia P Current D (SXPXD) e
Effect l causes control /
(Process/ End measure Category Yes / No
users or s
consequences
)

Risk after corrective action

Recommended Responsibility & S P D RPN (SXPXD)/Category

Action Target date of
completion

S – Severity rating, P – Probability rating, D – Detection rating, RPN – Risk Priority Number
Conclusion:

QRM TEAM REVIEWED BY APPROVED BY

Annexure – II: Identification and communication of risk

Risk identified:

Department/ Area:
Designation Name Signature Date

Approved by:

Authorised by:
 Risk identified by:

Comments of QRM Team leader:

STANDARD OPERATING PROCEDURE Page 10 of 12

TITLE: SOP FOR QUALITY RISK MANAGEMENT SOP No.:
DATE OF IMPLEMENTATION: REVIEW DATE:

Annexure – III: QRMS Flow chart

Designation Name Signature Date

Approved by:

Authorised by:
 STANDARD OPERATING PROCEDURE Page 11 of 12
TITLE: SOP FOR QUALITY RISK MANAGEMENT SOP No.:
DATE OF IMPLEMENTATION: REVIEW DATE:

Annexure – IV: FMECA Log

Sr Risk Date Issu Risk Risk Logg Ref. Stat Complet Remar
. Assessm of ed Relat Trigger ed CC or us ion Date ks
N ent No. initiati to ed to ed By Deviati
o. on Dept from on No.
.

Annexure – V: Risk conclusion and communication

Department: Date:

Subject:

FMECA Document no.:

Risk assessment conclusion:

Review the Risk:

Risk communication:

Annexure – VI: Process flow chart for risk assessment

Formation of QRM Team

Identification and communication of risk

Initiation risk assessment process

Risk evaluation

Risk analysis
Designation Name Signature Date

Approved by:

Authorised by:
 ⇓
Risk reduction/ mitigation
⇓
Documentation

Risk communication and conclusion

STANDARD OPERATING PROCEDURE Page 12 of 12

TITLE: SOP FOR QUALITY RISK MANAGEMENT SOP No.:
DATE OF IMPLEMENTATION: REVIEW DATE:

Annexure – VI: Risk assessment for the quality events.

Identified risk:
Risk initiated by:
Subject of issue (√): Equipment/system/utility/product/procedure/facility/other
Source of issue: Deviation/Change control/market complain/CAPA/Recall/Others
Document Number:

Risk assessment by QRM team (QRM team to be filled by Head –QA/Designee)

Department Name Designation Sign/date

Risk assessment by FMECA (Tick the Appropriate)

Assessment of probability Detection (D)

5 (low or no detectability) 3 (likely to detect) 1(High detectability)

Assessment of risk likelihood (Occurrence) (O)

5(High) 3(An occasional) 1(unlikely probability)

Assessment of risk severity (S)

5(Disastrous) 3(Important) 1(Irrelevant)

RPN = D x O x S = 76-125 (Critical) 26-75(Major) < 25(Minor)

Designation Name Signature Date

Approved by:

Authorised by: