a)      Validation: To determine the extent for follow-up activities. (eg: sampling, monitoring and Continuous verification).

To distinguish between critical and non-critical process steps to facilitate design of a   validation study.

b)     In-process sampling & testing: To evaluate the frequency and extent of in-process control testing.

c)      Production planning: To determine appropriate production planning (eg: dedicated, campaign and concurrent production process sequences).

7.1.6     Laboratory control and Stability studies:

a)      Out of specification results: To identify potential root causes and corrective actions during the investigation of out of specification results.

b)     Retest period/Expiration date: To evaluate adequacy of storage and testing of intermediates, Excipients and starting materials.


7.1.7     Packaging and Labeling:

a)      Design of packages: To design the secondary package for the protection of primary packaged product.

b)     Selection of container closure system: To determine the critical parameters of the container closure system.

c)      Label controls: To design label control procedures based on the potential for mix-ups involving different product labels, including different versions of the same label.


7.2           Planning:

7.2.1     The scope of the risk assessment shall be discussed with cross functional team at planning stage. Pre-risk assessment shall be done prior to the activity and post risk assessment shall be done after completion of activity.

7.2.2     Risk assessment shall be conducted for the change management as per the criteria mentioned in point number 7.1, Critical complaints, Critical incidents, during CAPA management (If required) and if any critical observations during self-inspections / Customer audits / Regulatory audits.   

7.2.3     If any like to like changes i.e. existing risk assessment supports the proposed changes. In such cases, existing risk assessment can be considered as a supporting document.

7.2.4     The risk to the Product, Personnel and to the environment shall be taken as order of priority while performing the risk assessment.

7.2.5     During risk assessment planning the chances of mix-ups, cross contamination and containment methodology shall be evaluated.


7.3         Team Selection:

7.3.1   Personnel from User department along with the cross functional team shall form as a quality risk assessment team.  In addition to the above, individuals who are subject matter expert about the quality risk assessment shall also be part of the team.


7.4           Risk Assessment Program:

7.4.1     Risk Assessment: Risk Assessment consists of the identification of hazards and the analysis and evaluation of risk associated with exposure to those hazards. The steps include risk identification, risk analysis and risk evaluation. Quality assessment begin with a well defined problem description or risk question .When the risk in question is well defined an appropriate risk management tool and the types of information needed to address the risk in question will be more readily identifiable.

As an aid to clearly defining the risk(s) for risk assessment purpose. Three fundamental questions are often helpful.

1.      What might to go wrong?

2.      What is the likelihood (Probability) it will go wrong?

3.      What are the consequences (Severity)?

7.4.2     Risk identification: Risk identification is a systematic use of information to identify hazards referring to the risk question or problem description. Information can include historical data, theoretical analysis, informed opinions, and the concerns of stakeholders. Risk identification addresses the “What might go wrong?” question, including identifying the possible consequences. This provides the basis for further steps in the quality risk management process.

7.4.3    Risk analysis: Risk analysis is the estimation of the risk associated with the identified hazards. It is the qualitative or quantitative process of linking the likelihood of occurrence and severity of harms. In some risk management tools, the ability to detect the harm also factors in the estimation of risk.

7.4.4    Risk evaluation: Risk evaluation compares the identified and analyzed risk against given risk criteria. Risk evaluations consider the strength of evidence for all three of the fundamental questions.

In doing an effective risk assessment, the robustness of the data set is important because it determines the quality of the output. Revealing assumptions and reasonable sources of uncertainty will enhance confidence in this output and /or help identify its limitations. Uncertainty is due to combination of incomplete knowledge about a process and its expected or unexpected variability. Typical sources of uncertainty include gaps in knowledge gaps in pharmaceutical science and process understanding sources of harm (eg: failure modes of a process, sources of variability) and probability of detection of problems.

Reference document number and reason for the execution of risk assessment shall be addressed in Annexure no.: GQA/039/A02.

7.4.5     Risk management Methods and tools:

It provides documented, transparent and reproducible methods to accomplish steps of the quality risk management process based on current knowledge about assessing the probability, severity and sometimes detectability of the risk. Additionally, the pharmaceutical industry and regulators can assess and manage risk using recognized risk management tools and/ or internal procedures (e.g., standard operating procedures). Below is a non-exhaustive list of some of these tools.

§  Basic risk management facilitation methods: Flowcharts, Check sheets, Process mapping and Cause & effect diagram etc.

§  Failure Mode Effects Analysis (FMEA): FMEA can be applied to equipment and facilities and might be used to analyze a manufacturing operation and its effect on product or process.

§  Failure Mode, Effects and Criticality Analysis (FMECA): FMECA application utilized for failures and risks associated with manufacturing process.

§  Fault Tree Analysis (FTA): FTA can be used to establish the pathway to the root cause of the failure. FTA can be used to investigate complaints or deviations in order to fully understand their root cause. It is useful both for risk assessment and in developing monitoring programs.

§  Hazard Analysis and Critical Control Points (HACCP): HACCP is most useful when product and process understanding is sufficiently comprehensive to support identification of critical control points.

§  Hazard Operability Analysis (HAZOP): HAZOP can be applied to manufacturing processes, including outsourced production and formulation. It has also been used primarily in the pharmaceutical industry for evaluating process safety hazards.

§  Preliminary Hazard Analysis (PHA): PHA is most commonly used early in the development of a project when there is little information on design details or operating procedure.

§  Risk ranking and filtering: Risk ranking is useful when management needs to evaluate both quantitatively-assessed and qualitatively-assessed risks within the same organizational framework.

§  Supporting statistical tools: They can enable effective data assessment, aid in determining the significance of the data set(s), and facilitate more reliable decision making.

It is important to note that no one tool or set of tools is applicable to every situation in which a quality risk management procedure is used.

FMEA (Failure mode and effective analysis) is a prevention tool used to assess, manage, and reduce risk associated with failure or potential failure of products, process, services and other systems. This is comprised of the assignment of probabilities to three factors-the likelihood of occurrence, the likelihood of detection of failures and the severity of a failure. The output of an FMEA is a relative risk “score” for each failure mode that is used to rank these modes on a risk basis. Risk assessment tool extrapolate the failure mode towards three main components.


1.    Severity of risk: Severity (S) refers to an assessment of the seriousness of a failure as it affects the end user. A higher severity rating may be assigned to process steps that involved manual operations or interventions as compared to done by automatic machine. The higher rating is necessary because of a quality failure or introduction of contamination during these steps will result in a higher risk to the product safety and the end-user. The lower the severity the lower the risk involved. The rating for determining severity is shown in the table below.


Severity of product risk





Predicted to cause significant impact on quality Eg: Failure to meet specification.



Predicted to cause minor impact on quality



Predicted to have no/minor impact on quality of product.



2.    Probability of occurrence: Occurrence refers to the Probability that a specific failure mode. The term failure in this case refers to the probability of the specific failure mode occurring. The lower the occurrence the lower the risk involved. The rating scale for determining the occurrence rating is shown in the table. 

Severity of product risk



Frequent (F)


Expected to happen regularly eg: Monthly, weekly.

Occasional (O)


Expected to happen infrequently eg: Quarterly.

Rare (R)


Unlikely to happen eg:3-5 years.


3.    Detectability: Detection (D) refers to the ability to detect the failure mode for contamination risk prior to the customer receiving the finished product. The lower the detection the higher the risk involved. The rating scale for determining the detectability rating is shown in the table.

Severity of product risk



Cannot be detected(ND)


Failure very likely to be over locked hence not detected no identifiable controls in place.

Regularly detected(RD)


Failure can normally be detected.

Always detected(D)


Failure can be detected easily in all cases.


Calculation of risk priority number (RPN):

Calculate the Risk priority number as the multiplication of the risk numbers of severity, probability and occurrence.


Risk Priority number = Severity(S) x Occurrence (O) x Detection (D).


Percentage representation of RPN is taken up for easy interpretation of results.

Worst case scenario where RPN obtained could be 125 is assumed.

Risk percentage R %=( Obtained RPN of failure X100)/Maximum obtainable RPN for a failure.

Risk in a worst case scenario (I.e Severity (s) is 5 x Probability (P) is 5 X detectability (D) is 5 =125.)

R% 125 (Max obtainable for a failure on a worst case basis =100%).

The %Risk Priority Number (%RPN) changes based upon the risk. The risk assessment team shall decide the acceptance criteria. For an exam the Risk Priority Number (%RPN) is categorized as below:

Risk percentage %

Acceptance criteria

Mitigation status

Below 5%


No mitigation is required


Un Acceptable

Mitigation shall be taken


20% and above

In tolerance

To be resolved with actions


         After risk analysis process to mitigate the evaluated risks, team members shall meet to arrive at a formal decision to accept the residual risk

7.4.6     Risk control: Risk control includes decision making to reduce and/or accept risk .The purpose of risk control is to reduce the risk to an acceptable level. The amount of effort used for risk control should be proportional to the significance of the risk. Decision makers might use different processes, including benefit–cost analysis, for understanding the optimal level of risk control.

Risk control might focus on the following questions.

1.      Is the risk above an acceptable level?

2.      What can be done to reduce or eliminate risks?

3.      What is the appropriate balance among benefits, risks and resources?

4.      Are new risks introduced as a result of the identified risks being controlled?     If any mitigation actions identified to reduce / eliminate the risk, respective actions shall be addressed in GQA/039/A02 with responsible department.     Implementation and effectiveness verification of identified actions (If any) shall be done through as per the CAPA SOP GQA/043 procedure.

7.4.7           Risk Summary / Conclusion:     Once all agreed mitigation measures / actions are completed, the same is checked by the department Head and verified by QA and acknowledges in summary and conclusion report as per Annexure No.: GQA/039/A02.     During the risk summary /conclusion, the risk reduction measures /actions taken to mitigat