Upload
mmiirroo-oo
View
13
Download
3
Tags:
Embed Size (px)
DESCRIPTION
risk assessment
Citation preview
A Guide toSupply Chain Risk Managementfor the Pharmaceutical and Medical Device Industries and their Suppliers
V.1.0 2010
Foreword
Structure & Acknowledgements
Contents
General Introduction
Supply Chain Considerations
Risk Management Process
Risk Management Toolbox
Supply Chain Examples
Glossary
Bibliography
2010 The Chartered Quality Institute
2Foreword
Structure & Acknowledgements
Contents
General Introduction
Supply Chain Considerations
Risk Management Process
Risk Management Toolbox
Supply Chain Examples
Glossary
Bibliography
A Guide to Supply Chain Risk Management for the Pharmaceutical and Medical Device Industries and their Suppliers
2010 The Chartered Quality Institute
2010 The Chartered Quality Institute All rights reserved. This document may be freely downloaded from the Pharmaceutical Quality Group website at www.pqg.org. The contents of this document should not be sold in whole or in part in any form or by any means. Extracts from this document may be quoted for the purpose of reference or criticism provided full acknowledgement of its source is given. Any other usage of the content of this document requires written permission from The Chartered Quality Institute. The Chartered Quality Institute, 12 Grosvenor Crescent, London SW1X 7EE, UK.
3Foreword
Structure & Acknowledgements
Contents
General Introduction
Supply Chain Considerations
Risk Management Process
Risk Management Toolbox
Supply Chain Examples
Glossary
Bibliography
2010 The Chartered Quality Institute
A Guide to Supply Chain Risk Management for the Pharmaceutical and Medical Device Industries and their Suppliers
Foreword
The provision of medicines and medical devices to the UK is now a global business. Active pharmaceutical ingredients, components and even finished products are sourced from many different countries. The increasingly complex supply chain for these items exposes the limitations of regulatory oversight by any individual country. This serves to reinforce the need for all in the supply chain to understand their role and work to implement and maintain a robust and comprehensive quality system.
The MHRA has implemented a risk based approach to the inspection of pharmaceutical operations as a key element of its Better Regulation initiative. This approach recognises to a greater degree the ownership of pharmaceutical companies of the quality assurance of their total manufacturing and supply processes. The industry, therefore, is being expected to take overall responsibility for the quality of its output.
The pressure on the industry to fund research into new products and embrace technological advances while containing costs and maintaining material and component availability is challenging and these days inevitably involves outsourcing to a greater or lesser extent. Risk
Management should play a key role in the supplier selection, approval and management process if the quality and continuity of supply of medicines and medical devices is to be assured.
This PQG Guide provides an important reference text to assist medicinal product and medical device manufacturers and their suppliers understand their respective responsibilities. The examples, in particular, should help each party to understand the expectations of the other. Company assessments will form a key element of the MHRAs assessment of risk and thereby enable regulations to target our resources in co-operation with Industry to further enhance consumer safety.
Risks are part of life, but it is imperative that processes are in place to identify and manage them in such a way that patients and healthcare professionals can continue to enjoy a reliable supply of safe and effective medicines and medical devices.
Gerald W Heddell, DirectorInspection, Enforcement & Standards Division, MHRA
A Guide to Supply Chain Risk Management for the Pharmaceutical and Medical Device Industries and their Suppliers
4Foreword
Structure & Acknowledgements
Contents
General Introduction
Supply Chain Considerations
Risk Management Process
Risk Management Toolbox
Supply Chain Examples
Glossary
Bibliography
A Guide to Supply Chain Risk Management for the Pharmaceutical and Medical Device Industries and their Suppliers
2010 The Chartered Quality Institute
Structure & Acknowledgements
Basic structure of this Risk Management guideThis interactive guide comprises a general introduction followed by 4 parts, a glossary and bibliography. It is easy to navigate around the guide using the recurring index which is hyperlinked to the respective topics. In addition there are links within the contents that allow the user to look at related information. There are both internal and external hyperlinks. Internal links allow navigation of information within the guide and external links permit access to external websites and information.
Part 1 considers specifically the challenges with supply chains and provides an overview of some of the types of controls that can be applied to increase assurance of quality, safety and security of supply.
Part 2 provides an overview of the Risk Management process and emphasises that this is a living and reiterative process. The stages follow a consistent format:
Part 3 gives an overview of a number of readily available Risk Management tools and techniques that have been used in many industries, with guidance on their use and some worked examples and / or templates. The format for each tool provides an overview, some advantages and disadvantages, and advisory notes on its use.
Part 4 provides 19 real-life examples relating to supply chain events. It gives an overview of the scenario and some learning points. The reader may well identify more learning points, and these should serve as a useful tool in order to consider how such events could have been prevented.
Please NoteThe authors would like to remind the reader that the guidance given here is advisory. It is recommended that users supplement their understanding of Risk Management from some of the publications listed in the Bibliography.OutputsProcessInputsPurpose
5Foreword
Structure & Acknowledgements
Contents
General Introduction
Supply Chain Considerations
Risk Management Process
Risk Management Toolbox
Supply Chain Examples
Glossary
Bibliography
A Guide to Supply Chain Risk Management for the Pharmaceutical and Medical Device Industries and their Suppliers
2010 The Chartered Quality Institute
Note about definitionsAlthough the glossary defines certain terms used throughout this guide, it is important to make a special point here about possible confusion over the terms risk, harm and hazard. The definitions of these are taken from International Conference on Harmonisation (ICH) Q9 as follows:
Risk is defined as:
The combination of the probability of occurrence of harm and severity of that harm. [ICH Q9]
Harm is defined as:
Damage to health, including the damage that can occur from loss of product quality or availability. [ICH Q9]
Hazard is defined as:
The potential source of harm. [ICH Q9]
The first step in the Risk Management process is known widely as Risk Identification. This should actually be Hazard Identification, but for consistency with the ICH Q9 and other international standards the authors have kept it as Risk Identification.
Specific acknowledgements are given for the contributions of the following people:
AuthorsJill Jenkins, Justin Ahern, David Cock, Sharon Shutler, Richard Smalley, Sharon Hooper
QA reviewersPhil Butson, Tony Harper, Rowland Lewis, Linda Nield, Kevin MacKenzie, James Pink
PQG Steering GroupSteve Moss, Ashley McCraight, Norman Randall, Ian Richardson
ContributorsNina Abbassi, Dr Tim Bateman, Ian Birch, Richard Bream, John Cooper, Annie Dallison, John Evans, Adolfo Ferreira, Mark Francom, Roland Gassmann, Esme Gibb, Peter Gough, Michael Grunow, Gerard McAteer, Stephen Mitchell, David Mogg, Jeff Monk, Iain Moore, Dr Ray Noy, Caroline OBrien, Kevin ODonnell, Richard OKeeffe, Bronwyn Phillips, Patricia Rafidison, Stephan Roenninger, Sandra Routledge, Sandra Skarratt, Neil Smith, Tony Storey, Lorna Third, Tony Trill, Neil Wayman
6Foreword
Structure & Acknowledgements
Contents
General Introduction
Supply Chain Considerations
Risk Management Process
Risk Management Toolbox
Supply Chain Examples
Glossary
Bibliography
A Guide to Supply Chain Risk Management for the Pharmaceutical and Medical Device Industries and their Suppliers
2010 The Chartered Quality Institute
p7
p12p19
p23p23
p25p25p27p29p31p31p33p35p39
p42p42p44p46p46p53p62p64p64p66p67p69p70
p72
p76
p78p78p80p81p82p83p84p85
p86p87p88p90p91p92p93p94p95p96
p97p98
p99
p103
0 General Introduction
Part 1 Supply Chain ConsiderationsAppendix 1 - Examples of Different Supply
Categories and Key Controls
Part 2 Risk Management Process2.1 Risk Management Team and
Responsibilities2.2 Risk Assessment 2.2.1 RiskIdentification 2.2.2 Risk Analysis 2.2.3 Risk Evaluation 2.3 Risk Control 2.3.1 RiskReduction 2.3.2 RiskAcceptance2.4 Risk Communication2.5 Risk Review
Part 3 Risk Management Toolbox3.1 Introduction to the Toolbox3.2 Approach to Implementation3.3 Risk Assessment 3.3.1 RiskIdentificationTools 3.3.2 RiskAnalysisTools 3.3.3 RiskEvaluationTools3.4 Risk Control 3.4.1 RiskReductionTools 3.4.2 RiskAcceptanceTools3.5 Risk Communication Tools3.6 Risk Review Tools Appendix 1 - Worked example: Ranking
andFilteringforContractorManagement
Appendix2-Workedexample:MedicalDeviceRiskAssessmentusingaSimplifiedFMEA
Appendix 3 - Worked example: Supplier Audit Priority using Risk Assessment
Part 4 Supply Chain Examples4.1 Product Contamination4.2 Management of Second Tier Suppliers4.3 Verification of Artwork4.4 Warehouse Operations & Pest Control4.5 Temperature Controlled Transportation4.6 Change Control - Process4.7 Fraudulent Activities in the Supply
Chain4.8 Errors in Proof Reading4.9 Change Control Source of Material4.10 Implementation of a New Process4.11 Multiple uses of a Material4.12 High Bioburden4.13 Inconsistent Analytical Results4.14 Continuity of Supply4.15 Lack of Formal Contracts4.16 Effect of Global Supply Chains4.17 Effect of not knowing all the links in a
Transport Chain4.18 Raw Material Source of Origin4.19 Reuse and Potential Infection
Glossary
Bibliography
Contents
7Foreword
Structure & Acknowledgements
Contents
General Introduction
Supply Chain Considerations
Risk Management Process
Risk Management Toolbox
Supply Chain Examples
Glossary
Bibliography
A Guide to Supply Chain Risk Management for the Pharmaceutical and Medical Device Industries and their Suppliers
2010 The Chartered Quality Institute
GeneralIntroduction
Threats to the supply chain feature in the top ten risks of most companies.Globalisation and the quest for ever more cost effective means of supply have greatly increased the complexity of the supply chain which can often reduce both the knowledge and understanding of the exposure to risk. The 2009 credit crunch and financial crisis significantly raised the level of risk of failure of key suppliers. Within the context of globalisation, outsourcing and complex supply chains, there is an increasing emphasis on controls around product quality assurance and security of supply. It is the responsibility of each organisation to ensure that their suppliers provide products that are fit for purpose throughout the product lifecycle, from design and development through to supply to the end-user.
The objective of this document is to provide guidance on Supply Chain Risk Management and therefore:
1. Support organisations with varying levels of experience in Risk Management to apply the principles, by minimising supply chain risk and securing both quality and continuity of supply
2. Emphasise to the pharmaceutical and medical device industries and their suppliers the need toa. apply Risk Management when making sourcing decisions (from
development through to commercial manufacture and distribution) b. involve the relevant people (procurement, technical, quality,
environment, health and safety, etc.) when making sure that adequate and appropriate controls are in place
3. Encourage suppliers to:a. understand the regulatory requirements and expectations of the
pharmaceutical and medical device industriesb. use Risk Management as a tool to understand their customer needs
betterc. identify potential hazards and the risks arising from those hazards
that may exist during the manufacture and supply of product (from raw materials to finished goods)
8Foreword
Structure & Acknowledgements
Contents
General Introduction
Supply Chain Considerations
Risk Management Process
Risk Management Toolbox
Supply Chain Examples
Glossary
Bibliography
A Guide to Supply Chain Risk Management for the Pharmaceutical and Medical Device Industries and their Suppliers
2010 The Chartered Quality Institute
Risk Management can help organisations safeguard the quality and supply of product to customers and ultimately the end user. It is about anticipating hazards and controlling risk through an ongoing process of risk awareness, reduction and / or acceptance, and review. This approach can help justify improvement and investment where it is needed, and prevent both potential problems for customers (e.g. product recalls, or even patient harm) and loss of business.
Applying the principles of Risk Management can provide many of the following benefits:
improve and develop business relationships between customers and their suppliers, thereby supporting business continuity and security of product supply
reduce costs
minimise cost of non-conformance
improve business efficiency
increase confidence of customers and regulators
reduce liability
increase security of supply
avoid waste and scrap
With respect to outsourcing, ISO 9001:2008 states that:
where an organisation chooses to outsource any process that affects product conformity to requirements, the organisation shall ensure control over such processes; and that the type and extent of control to be applied shall be defined.
It further states that outsourced processes do not absolve the organisation of the:
responsibility of conformity to all customer, statutory and regulatory requirements.
The Medical Device Directive (Directive 93/42/EEC) has been revised (Directive 2007/47/EC) and compliance effective from 21st March 2010. One of the requirements is for organisations to have control over sub-contractors and third parties. It also requires post market surveillance for products already in the market.
Figure 1 (following page) shows the ISO 9004:2009 process-based model, incorporating continual improvement throughout a lifecycle approach. It shows the importance of information flow between the organisation and its customers and the value in activities that meet customers needs and expectations.
The International Conference on Harmonisation (ICH) describes a pharmaceutical quality system (ICH Q10), which importantly extends to the control and review of any outsourced activities and quality of purchased materials. It defines the accountable organisation as being ultimately responsible for ensuring that processes are in place to assure the control of outsourced activities and quality of purchased materials. It requires that these processes incorporate Quality Risk Management as defined in ICH Q9 and includes:
Assessing (prior to outsourcing operations or selecting material suppliers) the suitability and competence of the other party to carry out the activity or provide the material using a defined supply chain by use of, for example, audits, material evaluations and qualification
Defining the responsibilities and communication processes for quality-related activities of the involved parties. For outsourced activities, this should be included in a written agreement between the contract giver and contract acceptor
Monitoring and review of the performance of the contract acceptor or the quality of the material from the provider, and the identification and implementation of any needed improvements
Monitoring incoming ingredients and materials to ensure they are from approved sources using the agreed supply chain
This guide to Supply Chain Risk Management does not introduce new concepts; rather it provides guidance on the practical application of existing risk management models to the supply chain. It is consistent with currently developing industry standards and expectations. Supply Chain Risk Management should be an integrated part of the organisations business and quality management system.
9Foreword
Structure & Acknowledgements
Contents
General Introduction
Supply Chain Considerations
Risk Management Process
Risk Management Toolbox
Supply Chain Examples
Glossary
Bibliography
A Guide to Supply Chain Risk Management for the Pharmaceutical and Medical Device Industries and their Suppliers
2010 The Chartered Quality Institute
Organizations Environment
Interested Parties
Needs & expectations
Needs & expectations
Information flow
Value-adding activities
Customers
Organizations Environment
Interested Parties
Satisfaction
Customers
ISO 9001
ISO 9004
Continual improvement of the quality management systemleading to sustained success
Foundation: Quality management principles (ISO 9000)
ISO 9001 Clause 6 Resource
management
ISO 9001 Cl. 8 Measurement, analysis and improvement
ISO 9004 Clause 7 Process
management
ISO 9004 Clause 4
Managing for the sustained
successISO 9004 Clause 5
Strategy and policy
ISO 9004 Clause 9
Improvement, innovation and
learning
ISO 9004 Clause 6 Resource
management (extended)
ISO 9004 Cl. 8 Monitoring,
measuring analysis and
review
Product
ISO 9001 Clause 5
Management Facility
ISO 9001 Clause 7 Product
realization
1 - Figure 1 is taken from BS EN ISO 9004:2009 and reproduced here with permission from BSI. No other use of this material is permitted. The complete British Standard can be purchased from the BSI online shop - BS EN ISO 9004:2009
Figure 1 An extended model of a process-based quality management system[1]
10
Foreword
Structure & Acknowledgements
Contents
General Introduction
Supply Chain Considerations
Risk Management Process
Risk Management Toolbox
Supply Chain Examples
Glossary
Bibliography
A Guide to Supply Chain Risk Management for the Pharmaceutical and Medical Device Industries and their Suppliers
2010 The Chartered Quality Institute
This document is based on the pharmaceutical Quality Risk Management model detailed in ICH Q9 in Figure 2 (below), where Risk Management is defined as:
The systematic application of quality management policies, procedures and practices to the tasks of assessing, controlling, communicating and reviewing risk.
The level of effort invested will vary from case to case and should be commensurate with the level of risk. Internationally, regulators are incorporating official guidance on Risk Management into their requirements, and have identified the supply chain as an area of criticality.
Implementing Risk ManagementRisk Management should be an integrated part of any business and for successful implementation the following are key foundations:
there should be top level management support and commitment
start simply and avoid complexity
look at internal and external risks
follow the cycle several times, learn, evolve and embed in the organisation culture
Senior management are responsible for ensuring that the key risks to the organisation are properly identified, assessed and managed. Their commitment is required to ensure the risk management framework is viable and maintained, and that valuable resource is invested correctly and not subsequently wasted. Risk Management should not be considered as a one off project or event, but as the implementation of a mutually beneficial culture within and between organisations.
The risk management development activities should provide a systematic, effective and efficient way by which risk management can be embedded and maintained throughout the organisation. These activities should, as a minimum, comprise the following steps:
planning
implementation and maintenance
monitoring, reviewing and continual improvement
reporting
The level of Risk Management awareness will develop with practice and experience. Table 1 (following page) illustrates the progression organisations will make as they gain experience in the use and application of Risk Management.
Risk Assessment
Risk Reduction
Risk Acceptance
Risk Control
Ris
k C
omm
unic
atio
n
Risk M
anagement tools
Review Events
Risk Review
Risk Identification
Risk Analysis
Risk Evaluation
unacceptable
InitiateQuality Risk Management Process
Output / Result of theQuality Risk Management Process
Figure 2 Quality Risk Management Overview (ICH Q9)
11
Foreword
Structure & Acknowledgements
Contents
General Introduction
Supply Chain Considerations
Risk Management Process
Risk Management Toolbox
Supply Chain Examples
Glossary
Bibliography
A Guide to Supply Chain Risk Management for the Pharmaceutical and Medical Device Industries and their Suppliers
2010 The Chartered Quality Institute
The above table is a simple representation of Risk Management maturity. It does not take into account the different functions and their individual involvement with Risk Management. In terms of the level of skills and knowledge in the right hand column, consider the analogy of learning to drive a car:
unconscious incompetence: person who has not yet got into the driving seat and therefore is not competent to drive nor do they know what is needed.
conscious Incompetence: person has started to learn to drive, is not competent but has some awareness of what they need to do to learn.
conscious competence: person has learned to drive and passed their test and should be competent and confident to drive.
unconscious competence: person has been driving for some time and can drive to their destination without having to think about compliance with the road regulations or the mechanics of driving the car, such as changing gear, indicating and choosing the correct lane at junctions.
Risk Maturity Level Risk Processes Attitude Behaviour Skills & Knowledge
Scepticism No Formal Processes Accidents will happen Fear of Blame Culture Unconscious Incompetence
Awareness Ad hoc use of Stand Alone Processes
Suspended Belief Reactive, Fire fighting Conscious Incompetence
Understanding & Application
Tick Box Approach Passive Acceptance Compliance, reliance on registers
Conscious Competence
Embedding & Integration Risk Management embedded in Business
Active Engagement Risk-based decision making
Unconscious Competence
Robust Risk Management Regular review & Improvement
Champion Innovation, Confident & appropriate Risk Management
Expert
Table 1 Risk Management Maturity
12
Foreword
Structure & Acknowledgements
Contents
General Introduction
Supply Chain ConsiderationsAppendix 1 - Examples of Different Supply Categories and Key Controls
Risk Management Process
Risk Management Toolbox
Supply Chain Examples
Glossary
Bibliography
A Guide to Supply Chain Risk Management for the Pharmaceutical and Medical Device Industries and their Suppliers
2010 The Chartered Quality Institute
Supply Chain ConsiderationsPart 1
A general understanding of how supply chains work and how suppliers are managed is required to provide organisations with a basis from which to implement a structured Risk Management process. An effective Risk Management process will protect the continuity of product supply and ensure that end-users receive products that are fit for purpose.Media focus on contaminated products, for example heparin supplied from China in 2007, and other supply-related incidents, such as counterfeiting, have emphasised the challenge of managing supply chains that extend around the world, where there is great variation in the standards and controls used. With respect to the heparin issue, the Food and Drug Administration (FDA) in the US investigated reports of serious and some fatal adverse events following the use in products of heparin supplied from China. Distribution was halted and product recalled from the market. The investigation identified that a contaminant molecule similar to heparin was found using a non-routine test. This contaminant was not previously detectable using conventional routine standard test methods, and levels between 5% and 20% were found in the final product. See page 78 for more detail.
Sourcing new materials and outsourcing manufacturing or other activities for the supply of product to the end-user requires careful evaluation. All parties in the supply chain need to ensure that their activities both support
the health and wellbeing of patients and maintain business continuity. This is especially important during times of economic downturn, since cost-saving measures can increase risk.
Within each supply chain, there is an organisation that is legally accountable. Each competent and regulatory authority ultimately holds one manufacturer primarily responsible for meeting regulatory quality requirements. This accountable organisation (pharmaceutical or medical device) has ultimate responsibility and cannot relinquish or delegate (contractually or otherwise) its obligation and responsibility over any or all functions to their suppliers of products. The accountable organisation is responsible for sourcing suitable suppliers who will support the supply of its product(s) to the market. It is essential that the relevant functions within an organisation such as procurement, technical, development, quality, manufacturing and Environment Health and Safety (EHS) work together to source materials based on agreed and appropriate criteria.
13
Foreword
Structure & Acknowledgements
Contents
General Introduction
Supply Chain ConsiderationsAppendix 1 - Examples of Different Supply Categories and Key Controls
Risk Management Process
Risk Management Toolbox
Supply Chain Examples
Glossary
Bibliography
A Guide to Supply Chain Risk Management for the Pharmaceutical and Medical Device Industries and their Suppliers
2010 The Chartered Quality Institute
Competent and regulatory authorities and third parties will assess the accountable organisation to confirm that they have objective evidence of adequate control of their suppliers. The regulators expect that the organisation complies with requirements, which include evaluating and approving their suppliers. There is an expectation to see effective interfaces between the accountable organisation and each of its suppliers. This holds true regardless of the regulatory standard of the industry sector required for the product. Failure to have or to provide access to any objective evidence of the controls associated with products from suppliers, could result in the accountable organisations quality system being non-compliant. Depending on the nature of the deficiencies identified, this can have significant and serious consequences for the organisation and their business continuity.
Some suppliers may also undergo some form of oversight by a regulatory authority, or a third party acting on behalf of a regulatory authority. This oversight does not absolve an accountable organisation of the responsibility to establish controls and provide evidence for compliance of products obtained from such suppliers.
Sourcing decisions should be based on agreed, specified requirements appropriate to the following stages of product lifecycle:
experimental design
investigational or clinical trial material
commercialised product
The rigour with which a supplier is managed does not exempt responsibility of the supplier for the provision of adequate controls and quality of products, wherever they fit in the supply chain hierarchy.
All suppliers should recognise their role in assuring mutual business continuity and take an ethically responsible approach to the potential impact of their actions or inaction. Feedback and communication is essential between the procuring organisation and its suppliers in terms of requirements, expectations, product end-use, performance measures, health and safety etc.
Supply chains themselves can be short and simple, or long and convoluted. However, as a result of increasing globalisation and the risks inherent in long and complex supply chains, the regulators are encouraging organisations to keep their supply chains short, simple and under good control. A survey published in 2009 by Carla Reed has shown that increased outsourcing is challenging product safety and security, largely due to the complexity of outsourcing models, and in particular inconsistency in controls at the outsourced facilities.See Reference No.41
Figure 3 (below) shows the various functional activities and the supporting services that may be involved in product development and supply. An organisation may choose to outsource part or all of their activities. It is essential that organisations understand how their supply chains and interfaces work. This should apply throughout all phases of the product lifecycle from design and development to routine manufacture, supply and discontinuation.
Internal Support Services (examples): Quality, EHS, Engineering, Facilities, IT
Supplied materials/ products
Product / ServiceDesign &
Development
Manufacturing& Testing Packaging
Warehouse& Distribution
End user/ customer
External Contracted ServicesE.g. manufacturing, testing, artwork & origination, packaging, warehousing & distribution, calibration, etc
Figure 3 Example of Functional Activities and Support Services within an Organisation
14
Foreword
Structure & Acknowledgements
Contents
General Introduction
Supply Chain ConsiderationsAppendix 1 - Examples of Different Supply Categories and Key Controls
Risk Management Process
Risk Management Toolbox
Supply Chain Examples
Glossary
Bibliography
A Guide to Supply Chain Risk Management for the Pharmaceutical and Medical Device Industries and their Suppliers
2010 The Chartered Quality Institute
Figure 4 (left) illustrates a typical supply chain based upon hierarchical tiers, where suppliers can be far removed from the ultimate end-user and can still potentially have a significant impact. The more complex the supply chain, the more difficult it is to control, and the greater the risk of a supply chain impact on the quality of the end product. Hazards and their associated risks can be present anywhere throughout the supply chain. Risks may be compounded or increased by further processing, thus creating a hazard at a later stage. In the worst case, those hazards may not become apparent until too late, after finished product has been released to the market. For example, there may be an adverse effect on long-term stability. Therefore, it is in the interests of all stakeholders, including regulatory authorities, that hazards are identified and the resultant risks are managed throughout every tier of the supply chain. Good communication between all parties is required to do this effectively.
Various problems can manifest themselves at any part of the product lifecycle, from the source of raw materials used to manufacture the product through to the compliance of the end-user using the product correctly. Problems in the supply chain can have an impact on products as well as business continuity, product performance and security of supply. In order to protect both the end user and the accountable organisation, it is necessary to identify the potential hazards and assess their resultant risks, before implementing ways to control or mitigate them.
For the accountable organisation and its suppliers to manage risk effectively, it is worth reflecting that the sources of risk throughout the tiers of supply can be both external and internal to the organisation and its suppliers. Some examples are shown in Table 2 (following page) where the column on the left lists some external risks that can be mitigated through planning and action, leaving only a few that are unknown or outside of the organisations control. The column on the right identifies some internal risks which can be managed and mitigated.
Tier 3 suppliersBrokers /
Distributors /Transport companies
Supplier A Tier 2 suppliers Supplier B
Brokers / Distributors /Transport companies Tier 1 suppliers
Pharmaceutical andMedical Device
Industry
Wholesale / retailer/ pharmacy
End customer/ patient
Supplier C Tier 4 suppliers Supplier D
Transport / Distribution
Transport / Distribution
Figure 4 - Typical supply chain hierarchy
15
Foreword
Structure & Acknowledgements
Contents
General Introduction
Supply Chain ConsiderationsAppendix 1 - Examples of Different Supply Categories and Key Controls
Risk Management Process
Risk Management Toolbox
Supply Chain Examples
Glossary
Bibliography
A Guide to Supply Chain Risk Management for the Pharmaceutical and Medical Device Industries and their Suppliers
2010 The Chartered Quality Institute
The objectives of a global supply chain are to deliver products to the market whilst saving cost, time and resources. This has increased the level of risk and the likelihood of impact from supply chain disruption. The contamination of heparin will have far reaching ramifications for accountable organisations and the regulators. At the very least it serves as a warning to the industry that nothing can be taken for granted when sourcing materials and outsourcing manufacture or other critical activities. Related examples on page 78 and page 85
Medicines and medical device counterfeiting is a growing threat worldwide. It was estimated by the World Health Organisation (WHO) in 2006 to be 30% of total supply in South America, sub-Saharan Africa and India. Regulators have been investigating incidents where batches of counterfeit medicines have reached pharmacies and patients. A number of these have been found at wholesale dealer level. Supply chains can be long and convoluted, involving a number of storage or transit locations and a variety of transport systems. In the UK, MHRA has developed proposals in response to the need to raise standards of practice in some sectors of the supply chain in order to bring all operators up to the required standard. See Reference No. 30
The European Medicines Agencys (EMEA) GMP / GDP Inspectors Working Group are working on a revision to Chapter 7 of the EU GMP Guide, contract manufacture and analysis. This is in response to a lack of clarity, both within industry and inspectorates, regarding the scope of activities that should fall under this chapter, and what constitutes satisfactory documented arrangements for contracted activities. In addition to manufacturing, packing and analytical activities, this chapter will be relevant to the following:
artwork generation and print ready material
assessment and sourcing of starting and packaging materials
washing and depyrogenation and / or sterilisation of packaging materials used in manufacture
storage and distribution
maintenance and calibration of equipment and premises
qualification and validation work for new premises
professional services for GMP audits of suppliers
hosting of IT functions
document archiving and storage
External Internal
Increase / decrease in demand
Capacity / resources changes
Fluctuating exchange rates
Political climate / instability
Greater exposure to global social, political and financial environments
Takeovers / mergers
Legal status (regulatory restrictions in individual markets and of supplier)
Environmental responsibilities
Counterfeiting / fraud
Facility disaster disaster planning
Materials, product, service supply interruption
Termination of materials or services
Uncontrolled variation in materials
Unexpected contaminants in supplied product
Deliberate or accidental adulteration
Unknown or poorly controlled use of brokers / agents
Non-conformity
Rejection of a batch
Product recall
Capacity / resource issues
Reduced inventory
Cost reduction programmes
Single sourcing versus dual sourcing
Inadequate supplier selection / qualification process
Longer / more complex supply chains
Complex processes
Inadequate monitoring process or oversight controls / interface
Non-conformance with contracts / agreements
Staying with poorly performing supplier & not progressing improvement or exit strategy
Inadequate communication
Facility disaster
Transportation / storage events
Lack of technical knowledge
Personnel / organisational changes
Lack of adequate documentation control
Increasing process variability
Distribution / transportation / storage events
Inadequate communication
Lack of adequate documentation control
Complex processes
Table 2 - Examples of hazards / events creating risks that are either external or internal to an organisation
16
Foreword
Structure & Acknowledgements
Contents
General Introduction
Supply Chain ConsiderationsAppendix 1 - Examples of Different Supply Categories and Key Controls
Risk Management Process
Risk Management Toolbox
Supply Chain Examples
Glossary
Bibliography
A Guide to Supply Chain Risk Management for the Pharmaceutical and Medical Device Industries and their Suppliers
2010 The Chartered Quality Institute
High potential risk in complex processes and systemsNational Aeronautics and Space Administration (NASA) defined systems or processes that are time dependent, rigidly ordered, requiring precision, and with only one path to a successful outcome, as being tightly coupled (closely linked). They identified that where such systems or processes are complex and activities closely linked, failures can arise due to many seemingly unconnected events and may go undetected.
A good example is the control of changes relating to the packaging and artwork of medical products. Such changes can sometimes be highly complex, because inputs can be required from a number of internal and external stakeholder groups prior to implementation. Stakeholders can include manufacturing, marketing, regulatory affairs and printing contractors. Interactions are necessary in order to communicate and schedule product manufacturing activities with the changed packaging or labelling component.
Complex systems and processes often present high risk for organisations. Many regulatory non-conformities have been identified over recent years in the areas of product packaging and labelling. These were frequently attributed to the poor management of changes in packaging and artwork components, resulting in the cessation of batch release activities in some organisations, and subsequent market shortages of medical products. Investigations revealed that procedures and systems in place for packaging and artwork change control were usually:
highly convoluted
had many interdependencies
subject to tight timelines
described as being complex and tightly coupled
Within a single organisation there can be a lack of clarity or understanding of how the whole process works and how different groups are involved or interact in that process. When more organisations are involved this becomes increasingly difficult.
Decoupling and reducing system complexity can be a useful risk mitigation strategy particularly in critical manufacturing environments and supply chains. Process mapping or flowcharting is a useful tool to use here, and by involving the relevant key stakeholders, a shared understanding of the overall process can help to identify potential hazards particularly across functional interfaces. See Example Flowchart
Consideration of hazards and their associated risks in the supply chainAs part of planning activities, the organisation should identify any hazards associated with the products to be procured. Some examples of key questions are as follows:
is the product off-the-shelf or custom made?
how complex is the product to manufacture?
is the process adequately defined and understood?
what is the criticality of the product to the compliance of the end-product?
would any product specification failure be detectable by the organisation prior to use?
what is the detectability of non-conformity in the product supplied and how it can be corrected?
is packaging, storage and distribution fit for the product characteristics?
is the supplier currently approved to supply products to the organisation or are they a new supplier?
what is the percentage of supply to the organisations business sector?
Information about potential suppliers should be used to determine additional potential supply and business risks and include the following:
financial viability of supplier
continuity of supply
liability
amount of work awarded to supplier in view of the suppliers overall capacity
technical capability
distribution and transportation considerations
agents and brokers (potential for agents and brokers to change source of supply)
capital investment needed
single source suppliers i.e. vulnerability
supplier company legal status (licensing)
ethical / political acceptability
does the supplier have a disaster / contingency plan for supply?
17
Foreword
Structure & Acknowledgements
Contents
General Introduction
Supply Chain ConsiderationsAppendix 1 - Examples of Different Supply Categories and Key Controls
Risk Management Process
Risk Management Toolbox
Supply Chain Examples
Glossary
Bibliography
A Guide to Supply Chain Risk Management for the Pharmaceutical and Medical Device Industries and their Suppliers
2010 The Chartered Quality Institute
does the supplier manage their suppliers adequately?
does the supplier have a culture of continuous improvement?
The procuring organisation is responsible for communicating and agreeing the product requirements with the supplier. It may request data and / or sample product in order that the potential supplier can demonstrate their ability to meet the specified requirements. When defining initial supplier arrangements, the relevant information should be communicated for consideration. The organisation should ensure that the relevant people are involved in specifying, reviewing and evaluating information and should include as a minimum, technical and quality representatives.
Consideration of controls for managing the supply chainRisk Management is an effective means of identifying the necessary controls required. To do this requires knowledge of the complete supply chain and all the organisations involved within it. Then the activities of the organisations in the supply chain should be reviewed to identify what is critical to the product and what could go wrong.
In some instances it may be necessary for the organisation to ensure control beyond the first tier supplier due to potentially serious effects of changes made by a second, third or fourth tier supplier see Figure 4 (page 14). The organisation should ensure when developing controls, that they comply with relevant regulatory requirements such as Good Manufacturing Practices (GMPs); occupational health and safety legislation, environmental protection legislation etc.
Examples of controls are included in Figure 5 (following page) which is adapted from the Global Harmonisation Task Forces guidance on the control of products and services obtained from suppliers. On the right hand side under objective evidence some of the controls are listed.Reference GHTF Guidance
The following lists some items that should be considered during sourcing and supply chain review:
knowledge of the complete supply chain and all organisations within it
change control and notification from suppliers
supplier audits or technical visits (note that this requirement should be included in any agreement for a critical supplier)
control of second or further tier suppliers via specifications or Agreements
sampling / testing / verification
Certificates of Analysis / Conformity
formal requirements (e.g. specific certificates, accreditation, contracts / Technical Agreements etc)
methods for measuring performance e.g. process capability indices
correction, reworking, investigations
batch / lot sizes
inventory control; (First-In-First-Out (FIFO), time limit / target)
traceability (process, product, equipment, operators)
Radio Frequency Identification (RFID) or other security tag system
document / sample retention periods
protection of intellectual property Different categories of supplier and examples of some of the key controls are shown in Appendix 1 of this Part.
The organisation should seek to continually improve the quality and delivery of products based on periodic supplier performance evaluation, feedback and consideration of cost. It is important to continually review and strengthen relationships with suppliers, while balancing the short and long term objectives. Risk Management activities provide a basis for sharing identified hazards and mitigating the risks resulting from those hazards throughout the product and supplier lifecycle. It demonstrates that all parties are taking a responsible approach in ensuring product quality and safety and security of supply. Auditors or assessors expect organisations to be able to demonstrate that they manage their supply chains effectively and risk management provides the means to do this.
18
Foreword
Structure & Acknowledgements
Contents
General Introduction
Supply Chain ConsiderationsAppendix 1 - Examples of Different Supply Categories and Key Controls
Risk Management Process
Risk Management Toolbox
Supply Chain Examples
Glossary
Bibliography
A Guide to Supply Chain Risk Management for the Pharmaceutical and Medical Device Industries and their Suppliers
2010 The Chartered Quality Institute
Sup
plie
r exi
tst
rate
gyFe
edba
ck &
com
mun
icat
ion
Per
form
ance
mea
sure
men
t
Sup
plie
rev
alua
tion
&fin
alis
atio
n
Sup
plie
rse
lect
ion
Pla
nnin
g
Product specifications / part requirements, instructions
Potential supplier contact details
Risk Assessment
Product / process controls
Objective evidence
Selection criteria for suppliers / rationale
Review existing suppliers
Due diligence / audit report
Supplier capability detail
Purchasing information
Evaluation & selection
Purchasing information
Acceptance & verification activities
Questionnaire / Audit report
Contact / Supply / Technical Quality / Technical Agreement
Decision & rationale
Records of monitoring: supply, receipt, inspection, acceptance
Data analysis
Records of corrections / investigations
Manufacturer &/or suppliercorrespondence
Records of corrective & preventive action(s)
Change control notification / approval
Review impact on other products supplied
Archive data & documents
Product left in marked support
Continuity arrangements and reiteration of cycle if replacement supplier
Describe requirementsIdentify technical &process information
Identify potentialsupplier(s) (existing
approved / new)
Product / ProcessRisk Assessment
Identify controls
Corrective Action /Preventive Action
by supplier
Feedback andcommunication
Terminationstrategy for Supplier
Termination ofProduct market
Periodic re-evaluationof supplier
Performance measurementReceive product
Acceptance criteriaMeasurement & monitoring
Analyse data
Review auditrequirements
Communication withpotential supplier(s)
Evaluate supplier(s)ability to fulfil specified
requirements
Supplieracceptable?
Problemsidentified?
Satisfactoryperformance?
Exit strategy?
Correctiveaction
required?
Establish:Purchasing informationControls (acceptance
activities, verification etc)
Plan for evaluation& selection criteria
Select potentialsupplier(s)
Investigate operationalcapability of supplier(s)
Identify businesscapability of supplier(s)
YES
YES
YES
YES
YES
YES
NO
NONO
NO
NO
Figure 5 Guidance on Control of Products during Supplier Lifecycle Management (adapted from GHTF/SG3/N17:2008)
19
Foreword
Structure & Acknowledgements
Contents
General Introduction
Supply Chain ConsiderationsAppendix 1 - Examples of Different Supply Categories and Key Controls
Risk Management Process
Risk Management Toolbox
Supply Chain Examples
Glossary
Bibliography
A Guide to Supply Chain Risk Management for the Pharmaceutical and Medical Device Industries and their Suppliers
2010 The Chartered Quality Institute
Appendix 1 Examples of Supply Categories & Key Controls
All suppliers should have an effective quality management system in place that is, where appropriate, certified to ISO 9001:2008, ISO 13485, or relevant industry standards e.g. ICH Q10.
Suppliers should have their own appropriate assessments in place to manage their supply chains.
The level of requirement depends on the level of potential risk to the product (criticality).
Supply Category Additional examples of key requirements for Suppliers
Manufacturers of Active Pharmaceutical Ingredients (API)
Controls in place to meet requirements of EU GMP Guide part 2 or ICH Q7A, and Active Pharmaceutical Ingredient Council (APIC) recommendations.
Quality / Technical Agreement to define roles & responsibilities of each party (contract giver / contract acceptor).
Adequate product testing performed to confirm compliance with customer and where appropriate pharmacopoeial specifications.
Cross-contamination control precautions in place e.g. use of dedicated manufacturing equipment or effective cleaning verification of non-dedicated equipment.
Full traceability of Raw Materials to the site of origin, including processing aids used in manufacturing processes with respect to animal / non-animal derivation and safeguards against Transmissible Spongiform Encephalopathies (TSE).
Excipients Refer to International Pharmaceutical Excipients Council/Pharmaceutical Quality Group, Pharmaceutical Excipients GMPs, 2006.
Appropriate Quality / Technical Agreement to define roles & responsibilities of each party (Contract Giver / Contract Acceptor).
Full traceability of Raw Materials to the site of origin, including processing aids used in manufacturing processes with respect to animal / non-animal derivation and safeguards against Transmissible Spongiform Encephalopathies (TSE).
Adequate product testing performed to confirm compliance with customer and pharmacopoeial specifications.
Cross-contamination control precautions in place e.g. use of dedicated manufacturing equipment or effective cleaning verification of non-dedicated equipment.
20
Foreword
Structure & Acknowledgements
Contents
General Introduction
Supply Chain ConsiderationsAppendix 1 - Examples of Different Supply Categories and Key Controls
Risk Management Process
Risk Management Toolbox
Supply Chain Examples
Glossary
Bibliography
A Guide to Supply Chain Risk Management for the Pharmaceutical and Medical Device Industries and their Suppliers
2010 The Chartered Quality Institute
Supply Category Additional examples of key requirements for Suppliers
Raw Materials Industry standards where relevant.
Adequate product testing performed to confirm compliance with customer specifications .
Appropriate Quality / Technical Agreement to define roles & responsibilities of each party (contract giver / contract acceptor).
Full traceability of raw materials to the site of origin, including processing aids used in manufacturing processes with respect to animal / non-animal derivation and safeguards against Transmissible Spongiform Encephalopathies (TSE), and phthalates.
Cross-contamination control precautions in place e.g. cleaning, line-clearance, appropriate segregation of activities and good housekeeping.
Manufacturing / Packaging contractors
Effective quality documentation system compliant with required regulatory standard e.g. EU Guide to GMP part 1 or 2, 21-CFR -210 / 211, 600, 820 as appropriate.
Quality / Technical Agreement to define roles & responsibilities of each party (contract giver / contract acceptor).
Supply agreement or commercial contract to define business requirements.
Appropriate licensing and regulatory history.
Clear lines of communication.
Control of outsourced activities (Quality / Technical Agreements, specifications etc.).
Effective control measures, staffing and facility appropriate to the product being manufactured.
Laboratory / Analytical Testing contractors
Operate to appropriate industry standard e.g. ISO 17025, Good Control Laboratory Practice (GCLP), Good Laboratory Practice (GLP), Good Clinical Practice (GCP).
Quality / Technical Agreement to define roles & responsibilities of each party (contract giver / contract acceptor).
Appropriate licensing and regulatory history.
Full traceability of customer samples.
Testing performed to customer and pharmacopoeial specifications.
Effective out-of-specification result management procedure.
Packaging component manufacturers (primary, secondary, tertiary)
Reference, ISO 15378, PS 9000, PS 9004, also country specific legislation relevant to the product e.g. GMP differences.
Certification scheme.
Quality / Technical Agreement to define roles & responsibilities of each party (contract giver / contract acceptor).
Effective mechanisms in place for customer approval of labels and prevention of mix-ups.
Planned preventative maintenance and calibration of automated packaging lines.
21
Foreword
Structure & Acknowledgements
Contents
General Introduction
Supply Chain ConsiderationsAppendix 1 - Examples of Different Supply Categories and Key Controls
Risk Management Process
Risk Management Toolbox
Supply Chain Examples
Glossary
Bibliography
A Guide to Supply Chain Risk Management for the Pharmaceutical and Medical Device Industries and their Suppliers
2010 The Chartered Quality Institute
Supply Category Additional examples of key requirements for Suppliers
Printed Packaging suppliers (artwork, origination)
Effective quality documentation system compliant with required regulatory standard e.g. EU Guide to GMP, PS 9000.
Certification scheme.
Quality / Technical Agreement to define roles & responsibilities of each party (contract giver / contract acceptor).
Participants in approved Certification scheme.
Manufacturers of product contact consumables
Appropriate materials of construction for product contact component (e.g. pharmacopoeial recognised plastic or food grade).
Full traceability of raw materials to the site of origin, including processing aids used in manufacturing processes with respect to animal / non-animal derivation and safeguards against Transmissible Spongiform Encephalopathies (TSE).
Adequate product testing performed to confirm compliance with customer specifications and industry standards where relevant.
Free from chemical and microbial / particulate contamination and easy to clean / sterilise.
Manufacturers of product contact equipment
Legible & fully completed documentation covering factory acceptance testing, calibration certificates and material conformity certificates.
Agreed customer requirements.
Appropriate materials of construction used for product contact surfaces (e.g. 316L stainless steel, pharmacopoeial recognised plastic) that are easy to clean and sterilise.
Instruments used for calibration are traceable to international standards e.g. United Kingdom Accreditation Services (UKAS) / National Association of Measurement and Sampling (NAMAS).
Minimal particle generation produced by moving parts (e.g. pumps).
Wholesalers, Warehouse & Distributors
Reference Good Distribution Practice (GDP) and appropriate country legal requirements for the product e.g. MLX 357, FDA Globalisation Act.
Approved, contractual agreement with customer.
Designated Responsible Person where appropriate.
Effective stocktaking, security, pest and segregation controls at storage facility with good housekeeping.
Temperature control and monitoring of storage area and distribution.
Full traceability of chain of custody for the customers product; effective recall procedures.
Service providers (e.g. calibration, utility, pest control, cleaning etc)
Approved contractual agreement with customer.
Specification of work and controls.
Defined service level with traceability appropriate to reference standards for materials and instruments used.
Appropriate training for service provided.
22
Foreword
Structure & Acknowledgements
Contents
General Introduction
Supply Chain ConsiderationsAppendix 1 - Examples of Different Supply Categories and Key Controls
Risk Management Process
Risk Management Toolbox
Supply Chain Examples
Glossary
Bibliography
A Guide to Supply Chain Risk Management for the Pharmaceutical and Medical Device Industries and their Suppliers
2010 The Chartered Quality Institute
Supply Category Additional examples of key requirements for Suppliers
Software, automated systems and IT
EU GMP part 1 annexes 11 and 15; Code of Federal Regulations (CFR) Part 11.
Knowledge of a risk-based approach to compliant GxP systems (Good Automated Manufacturing Practice Guidelines) (ISPE GAMP-5).
Complete and legible documentation with traceability of software changes from initial development to master copy.
Availability of master copy of software for back up purposes and disaster planning.
Agreement on ownership of source code.
Provision of technical support.
Consultants Full curriculum vitae available for review.
Approved contract to define scope of work.
Evidence of experience and expertise required for customers project.
Professional indemnity insurance.
Third party liability and Non-Disclosure Agreement (NDA) or confidentiality agreement.
23
Foreword
Structure & Acknowledgements
Contents
General Introduction
Supply Chain Considerations
Risk Management Process2.1 Risk Management Team and
Responsibilities2.2 Risk Assessment 2.2.1 RiskIdentification 2.2.2 Risk Analysis 2.2.3 Risk Evaluation 2.3 Risk Control 2.3.1 RiskReduction 2.3.2 RiskAcceptance2.4 Risk Communication2.5 Risk Review
Risk Management Toolbox
Supply Chain Examples
Glossary
Bibliography
A Guide to Supply Chain Risk Management for the Pharmaceutical and Medical Device Industries and their Suppliers
2010 The Chartered Quality Institute
Risk Management ProcessPart 2
2.1 Risk Management Team and Responsibilities
For the product / process being assessed it is fundamental that the relevant process experts are consulted to ensure accurate and complete data / information. It is recommended that the risk management process is undertaken by interdisciplinary teams (people with the necessary expertise representing relevant operational functions within the organisation or supply chain).
Involvement of individuals may vary from stage to stage. Note that in smaller organisations / supply chains this may be limited to just a couple of people.
Consider the example which illustrates the importance of having the right team. See Example
Stakeholders are commonly divided into four categories: Responsible, Accountable, Consulted and Informed (RACI). This division can aid appropriate communication (see Table 3 following page). It is beneficial to develop a matrix to identify the roles of different individuals associated with the risk management process at the beginning so that responsibilities throughout the process are clear.
24
Foreword
Structure & Acknowledgements
Contents
General Introduction
Supply Chain Considerations
Risk Management Process2.1 Risk Management Team and
Responsibilities2.2 Risk Assessment 2.2.1 RiskIdentification 2.2.2 Risk Analysis 2.2.3 Risk Evaluation 2.3 Risk Control 2.3.1 RiskReduction 2.3.2 RiskAcceptance2.4 Risk Communication2.5 Risk Review
Risk Management Toolbox
Supply Chain Examples
Glossary
Bibliography
A Guide to Supply Chain Risk Management for the Pharmaceutical and Medical Device Industries and their Suppliers
2010 The Chartered Quality Institute
Role Responsibility
Responsible Those who do the work to achieve the task. There is typically one role with a participation type of Responsible, although others can be delegated to assist in the work required.
Accountable (also Approver / Final Approver)
There should be only one Accountable person specified for each task or deliverable. An Accountable signs off (approves) the work provided by Responsible person(s).
Consulted Those whose opinions are sought; and with whom there is two-way communication.
Informed Those who are kept up-to-date on progress, often only on completion of the task or deliverable, or at key milestones; communication is typically just one-way.
Table 3 RACI roles and responsibilities
25
Foreword
Structure & Acknowledgements
Contents
General Introduction
Supply Chain Considerations
Risk Management Process2.1 Risk Management Team and
Responsibilities2.2 Risk Assessment 2.2.1 RiskIdentification 2.2.2 Risk Analysis 2.2.3 Risk Evaluation 2.3 Risk Control 2.3.1 RiskReduction 2.3.2 RiskAcceptance2.4 Risk Communication2.5 Risk Review
Risk Management Toolbox
Supply Chain Examples
Glossary
Bibliography
A Guide to Supply Chain Risk Management for the Pharmaceutical and Medical Device Industries and their Suppliers
2010 The Chartered Quality Institute
2.2 Risk Assessment
Risk Assessment is defined as:
A systematic process of organizing information to support a risk decision to be made within a risk management process. It consists of the identification of hazards and the analysis and evaluation of risks associated with exposure to those hazards. [ICH Q9]
Quality risk assessments begin with a well-defined problem description or risk question. When the risk in question is well defined, the appropriate risk management tools and the types of information needed to address the risk question will be easier to identify. Open Toolbox
As an aid to clearly defining the risk(s) for risk assessment purposes, four fundamental questions are often helpful:
1. What might go wrong?
2. What is the likelihood (probability) it will go wrong?
3. What are the consequences (severity)?
4. What is the detectability?
2.2.1 - Risk Identification
Purpose Risk identification is defined as:
The systematic use of information to identify potential sources of harm (hazards) referring to the risk question or problem description. [ICH Q9]
Take water and the hazard of drowning as a simple example. The probability of drowning whilst drinking a cup of water is very low, though not zero; the probability of drowning whilst rowing a boat across the Atlantic Ocean is much higher as there is a far greater quantity of water and other adverse elements, such as wind and waves, make a contribution. The material is the same, the hazard of drowning is the same, but the probabilities, and thus the risks, are different.
Risk = Hazard x Probability of Occurrence
The purpose of the Risk Identification stage in the overall Risk Management process is to determine what might go wrong?
Initiation and planning of the Risk Identification stage represents an important starting point in the overall Risk Management process and forms the foundation for the remaining stages. Potential hazards identified as outputs from the Risk Identification stage are subject to detailed examination during the Risk Analysis and Evaluation stages.
Input Risk Identification requires information about the process to be assessed. The scope should be defined to ensure focus and appropriate use of resource. This will also help to define what data / information may be relevant and / or should be examined to identify potential hazards.
QRM Overview
QRM Overview
makiHighlight
26
Foreword
Structure & Acknowledgements
Contents
General Introduction
Supply Chain Considerations
Risk Management Process2.1 Risk Management Team and
Responsibilities2.2 Risk Assessment 2.2.1 RiskIdentification 2.2.2 Risk Analysis 2.2.3 Risk Evaluation 2.3 Risk Control 2.3.1 RiskReduction 2.3.2 RiskAcceptance2.4 Risk Communication2.5 Risk Review
Risk Management Toolbox
Supply Chain Examples
Glossary
Bibliography
A Guide to Supply Chain Risk Management for the Pharmaceutical and Medical Device Industries and their Suppliers
2010 The Chartered Quality Institute
In terms of the supply chain the following should be considered:
each supplier within the whole supply chain
what is supplied (material / product / service)
the structure of the supply chain and interfaces between / within organisations, their suppliers and suppliers to the suppliers
security of the supply chain (potential for contamination or tampering)
internal processes used to manage the organisations suppliers
internal production processes
Data / information can take many forms, for example:
quantitative data / information - numbers, figures, measurements and variables
qualitative data / information attributes (yes / no, go / no go)
soft data / information subjective opinions / historical / experience / process complexity and interactions between processes
Many professionals and organisations often assume that all relevant information takes the form of formalised (hard) quantitative and qualitative data / information. This information is valuable and easily evaluated, however, soft data / information should also be included otherwise it is likely to leave many gaps. See Figure 6 for sources of information.
ProcessRisk Identification is the process of identifying hazards and their related risks. Brainstorming is a useful tool to use to generate information and ask what can go wrong? for each step in the process. Whatever the activity being assessed, it is recommended to map the process concerned. This enables potential risk areas to be easily identified, agreed and visualised by the appointed interdisciplinary team. It is important for completeness to ensure that interfaces between processes are also identified as this is where problems may easily go undetected.Information to support Risk Identification can come from various sources, such as for example:
internal and external factors throughout the supply chain Open Table
known deviations / non-conformities
near miss events (valuable source of potential risk areas)
complaints
internal / external audits
components of the process under assessment, such as:- people, premises, equipment, materials- QA / QC- services- utilities- transportation, logistics- agents and brokers in supply chain- environmental factors
business stability / continuity:- capacity increase / decrease versus capability- rate at which the company has expanded / contracted- staff turnover etc
quality system and technical capabilities
management review
opportunities for cross-contamination
inherent process risks
knowledge in the public domain (e.g. news, regulatory actions, legislation, etc)
supplier performance e.g. Key Performance Indicators (KPI) / Critical Process Parameters (CPP)
Hard Data / Information
Facts
Measurements
Analysis results
Trends
Variables
Attributes
Soft Data / Information
Observation
Experience
Assumptions(based on experience)
Key
= Qualitative
= Quantitative
= Both
Data / Information
Figure 6 - Sources of Information that can be used in Risk Identification
makiHighlight
27
Foreword
Structure & Acknowledgements
Contents
General Introduction
Supply Chain Considerations
Risk Management Process2.1 Risk Management Team and
Responsibilities2.2 Risk Assessment 2.2.1 RiskIdentification 2.2.2 Risk Analysis 2.2.3 Risk Evaluation 2.3 Risk Control 2.3.1 RiskReduction 2.3.2 RiskAcceptance2.4 Risk Communication2.5 Risk Review
Risk Management Toolbox
Supply Chain Examples
Glossary
Bibliography
A Guide to Supply Chain Risk Management for the Pharmaceutical and Medical Device Industries and their Suppliers
2010 The Chartered Quality Institute
OutputThe output of the Risk Identification stage is a list of known and potential sources of harm (hazards), referring to the risk question, and their associated risks, based on the information available at that time. There is no guarantee that all hazards and associated risks can be identified at any given time as processes may change. It is important to understand that these changes and other events may influence the outcome and will require further review and reassessment, to determine the level of risk based on the combination of the probability of occurrence and the severity of that harm. Depending on the Risk Identification tool used and the scope of the assessment, potential risks may be categorised prior to analysis. For example:
product quality risks
business risks
risks associated with raw materials
risks associated with machinery
risks associated with people etc
Corporate Social Responsibility - environmental / social risk e.g. dealing with low price suppliers who pollute the environment or exploit their workforce.
At completion of this step there should be confidence in answering the question What might go wrong? for the product / process under assessment. At this stage risks will not be evaluated as critical or non-critical as this level of risk understanding will be achieved through the Risk Analysis and Risk Evaluation stages. However, it is important to note that different mitigation approaches may be used depending on the nature of the risks identified. Be aware that there will be unidentified and / or unidentifiable risks to the organisation.
The output from Risk Identification should be agreed, documented and communicated to relevant stakeholders.
2.2.2 - Risk Analysis
Purpose Risk Analysis is defined as:
The estimation of the risk associated with the identified hazards. [ICH Q9]
This step of the Risk Management process attempts to estimate the level of risk in terms of severity of harm, likelihood of occurrence and detection. It provides a quantitative or qualitative estimate of each risk.
InputPrerequisitesFollowing the completion of the Risk Identification stage there should be sufficient confidence that at least the significant hazards have been captured. The most appropriate Risk Analysis tool or combination of tools should be chosen. As there may be only limited data during the early stages of Risk Management, the choice of tool may be restricted. As experience grows, there may be a transition to the use of various and more complex tools.
Part 3, the Toolbox gives examples of a range of available tools and techniques from simple to complex. Open Toolbox
ConsiderationsBoth qualitative and quantitative input data can be processed using the chosen tools. Some risk tools require hard data rather than soft data (subjective opinion) therefore it may be necessary to have a mechanism to convert soft data into hard data where possible. This can be achieved by generating comparative scoring to produce semi-quantitative data.
The relevant operational experts should provide detailed and up-to-date knowledge of current and historical process performance. Where knowledge does not exist or data is unavailable, then methods to source this information should be initiated in the long term. In the short term, best estimates can be made on the basis of assumptions, provided these are clearly identified, explained and considered at the review stage. Significant decisions based on subsequent recommendations should always reference the original assumptions and further reviews should be scheduled.
QRM Overview
makiHighlight
makiHighlight
makiHighlight
28
Foreword
Structure & Acknowledgements
Contents
General Introduction
Supply Chain Considerations
Risk Management Process2.1 Risk Management Team and
Responsibilities2.2 Risk Assessment 2.2.1 RiskIdentification 2.2.2 Risk Analysis 2.2.3 Risk Evaluation 2.3 Risk Control 2.3.1 RiskReduction 2.3.2 RiskAcceptance2.4 Risk Communication2.5 Risk Review
Risk Management Toolbox
Supply Chain Examples
Glossary
Bibliography
A Guide to Supply Chain Risk Management for the Pharmaceutical and Medical Device Industries and their Suppliers
2010 The Chartered Quality Institute
Table 4 (above) illustrates the advantages and disadvantages of different types of Risk Analysis tools. It also demonstrates that limited data may exist in early stages of implementing Risk Management. With experience, there may be a transition from the use of Qualitative to Quantitative tools. Both techniques are equally valid and fit for purpose. However Quantitative tools are often perceived to be beneficial after several full cycles of the Risk Management process as more information is obtained and accuracy is demanded.
Ultimately the decision of which Risk Analysis tool to use depends upon:
the risks identified
the precision of the data or opinions that define the risks
what tools customers / suppliers use
how accurate the output needs to be
how quickly the output is required
It is common for accurate or precise data to be missing in one or more areas, allowing the expert in that area to have some understanding of the level of risk, but not be able to support opinion with factual evidence or data.
It is recommended that where an organisation has little or no experience of any particular tools, or are not required by customers to use a certain tool, then they initially use a qualitative tool. Once expertise in the tool has been gained and supporting systems established, then the organisation can progress with the use of increasingly more quantitative tools. This approach means, that for the same investment of time, at each repetition of Risk Analysis, an increasing percentage of time is dedicated to improving the confidence of the risk estimation, and therefore adding more value and confidence in the output each and every time.
Example of subjective assessment: Company A does not have a supplier complaints system. The logistics manager knows that Supplier X is the worst offender for late deliveries because the logistics team are always complaining about them. However, the logistics manager does not know how they compare with Supplier Y as there is no data to show how each is performing. This demonstrates a gap in the organisations systems and supplier performance metrics / data related to risk management.
Tool Type of information Advantages Disadvantages
Qualitative May be subjective opinion based on experience.
QuickCan use soft data / opinionLimited training neededAppears easy to verify
Output may not be preciseDoes not differentiate well between levels of risk or types of risk Opinion may be biased on previous or historical experience not considering current capability
Semi quantitative
Mixture of data / opinion. Use comparison techniques to get estimations.
Differentiates better between risks than the Qualitative approachGood balance of advantages and disadvantages of the other tools
Output may not be precise enough for a mature Risk Management process
Quantitative Significant data and figures
Output is preciseGood differentiation between risks Provides clear prioritisation of all risks Includes detectability assessment
Relies upon hard dataTraining and experience are neededConfusion can occur because the differences between failure mode and effect are not well understoodTakes time to perform, especially the first timeReliant upon experts to agree scores and calibrate accurately
Table 4 Types of information advantages and disadvantages
29
Foreword
Structure & Acknowledgements
Contents
General Introduction
Supply Chain Considerations
Risk Management Process2.1 Risk Management Team and
Responsibilities2.2 Risk Assessment 2.2.1 RiskIdentification 2.2.2 Risk Analysis 2.2.3 Risk Evaluation 2.3 Risk Control 2.3.1 RiskReduction 2.3.2 RiskAcceptance2.4 Risk Communication2.5 Risk Review
Risk Management Toolbox
Supply Chain Examples
Glossary
Bibliography
A Guide to Supply Chain Risk Management for the Pharmaceutical and Medical Device Industries and their Suppliers
2010 The Chartered Quality Institute
ProcessHaving identified the hazards and associated risks and decided on the Risk Analysis tool to be used, the next step is to assign a rank or score to each of the identified risks. The interdisciplinary team, with knowledge of the identified risk areas, should agree ranking or scores for each one, following the rules and guidance for the tool being used. If necessary, input can be provided remotely, but this is only effective where hard data is available and is being entered or converted into a risk level. Where opinion / soft data is being used, agreement through discussion and compromise is necessary.
Identified risks are normally assessed using the same tool. It is advantageous to assess all risks at the same time / same stage of the process.
Risk Assessment can sometimes be initiated and performed on an ad hoc basis in addition to the routine periodic cycle of Risk Management, when external or internal events occur. At such times, the generation of a Risk Assessment level or score will enable the correct evaluation and risk acceptance / mitigation decision to be made.
Output / deliverable The output should include information on missing data and any assumptions made. A level or a score for each identified risk should be generated and documented. It is essential that this output is communicated to those responsible for the Risk Evaluation step in a timely manner. Rapid escalation and communication of the Risk Analysis output should occur for any confirmed high risks.
Note that where ad hoc assessments are made, immediate communication should be performed for any confirmed high risk events.
2.2.3 - Risk Evaluation
Purpose Risk evaluation is defined as:
The comparison of the estimated risk to given risk criteria using a quantitative or qualitative scale to determine the significance of the risk. [ICH Q9]
Risk Evaluation is the process that organises the information from Risk Analysis to allow the decision making step of Risk Reduction or Risk Acceptance to be made. To achieve this, a level of tolerable risk should be defined against which the Risk Analysis output can be compared.
Input The prerequisites for this step are that:
Risk Analysis has been completed
data is organised in the most appropriate way according to the Risk Analysis tool used
a tolerance level has been set so that the Risk Analysis output can be compared against
The level of tolerable risk depends on the product and the criticality of its application. A simple way of setting the level of tolerable risk is to identify the highest risk groups or most frequent type, or create a Pareto chart, and select the top 20% (and hopefully cover 80% of issues). The method for setting the level should be explained and documented so that it can be reviewed over time. Be aware however that if analysis shows that 25% of the identified risks have a high probability of causing patient harm, there is a need to act on all of these. Conversely, if none of the risks have more than a low probability of causing a minor non-compliance that would not impact the patient, no further action may be decided. Open Toolbox - Risk Analysis
QRM Overview
makiHighlight
30
Foreword
Structure & Acknowledgements
Contents
General Introduction
Supply Chain Considerations
Risk Management Process2.1 Risk Management Team and
Responsibilities2.2 Risk Assessment 2.2.1 RiskIdentification 2.2.2 Risk Analysis 2.2.3 Risk Evaluation 2.3 Risk Control 2.3.1 RiskReduction 2.3.2 RiskAcceptance2.4 Risk Communication2.5 Risk Review
Risk Management Toolbox
Supply Chain Examples
Glossary
Bibliography
A Guide to Supply Chain Risk Management for the Pharmaceutical and Medical Device Industries and their Suppliers
2010 The Chartered Quality Institute
Process In order to compare the Risk Analyses against an agreed level of tolerable risk, it is easier to rank or sort these in order of descending risk. The Risk Evaluation process is summarised as follows:
1. Rank or sort risks from the Risk Analysis step
2. Check that the data is complete and valid
3. Determine if the level of tolerable risk is appropriate
4. Review the Risk Analysis output against the level of tolerable risk
5. Compare the output to see if it is acceptable or higher than the level of tolerable risk
6. Document the evaluation
7. Communicate the findings to the necessary people Open Risk Communication
The Risk Analysis output should be organised (filtered, ranked etc) to ensure that those of most significance (i.e. above the level of agreed tolerable risk) are identified for Risk Reduction. Those below the level of tolerable risk can go forward as residual risk for the Risk Acceptance stage. In some tools using a simple two-dimensional arithmetic scale, risk can be ranked as high / medium / low risks and the combination of probability and severity can be evaluated, by simply multiplying the factors. Those risks which have a higher score can be highlighted for immediate mitigation.There are more sophisticated models for setting a more precise level of tolerable risk. Setting a level of tolerable risk is probably the step where both experience and evolution of the risk management process can provide most value. Although a sense check of the information / data may have been performed already in the Risk Analysis stage, anomalous results can often be detected more easily during this stage. For example, outputs that look too high or too low can be checked for calculation errors, missing data, incorrect data, and then either corrected or verified as being accurate.Finally, this step categorises the risks into those that are above or below the level of tolerable risk. Failure to perform this step correctly can lead to poor decision making at the Risk Reduction and Acceptance steps.
OutputNo final decision is made in this step. The output consists of two data sets (above and below the level of tolerable risk) that can be checked further or be used as the basis for either Risk Reduction or Risk Acceptance.
The output should be communicated to all relevant stakeholders especially the Risk Control owner. Formal records should be retained for a suitably defined period to provide evidence of the basis for any decisions made and enable ongoing reiteration / review.
31
Foreword
Structure & Acknowledgements
Contents
General Introduction
Supply Chain Considerations
Risk Management Process2.1 Risk Management Team and
Responsibilities2.2 Risk Assessment 2.2.1 RiskIdentification 2.2.2 Risk Analysis 2.2.3 Risk Evaluation 2.3 Risk Control 2.3.1 RiskReduction 2.3.2 RiskAcceptance2.4 Risk Communication2.5 Risk Review
Risk Management Toolbox
Supply Chain Examples
Glossary
Bibliography
A Guide to Supply Chain Risk Management for the Pharmaceutical and Medical Device Industries and their Suppliers
2010 The Chartered Quality Institute
2.3 Risk Control
Risk Control is defined as:
Actions implementing risk management decisions [ISO Guide 73; ICH Q9]
Risk Control encompasses the decision-making activities that result in action (Risk Reduction) or justified inaction (Risk Acceptance).
The purpose of risk control is to reduce the risk to an acceptable level. The amount of effort used for risk control should be proportional to the significance of the risk i.e. serious high risks require decisive, timely and effective action. Decision makers might use different processes, including benefit-cost analysis, for understanding the optimal level of risk control.
Risk control might focus on the following questions:
is the risk above an acceptable level?
what