Quality Risk Management

Quality Risk Management (QRM) and ICHQ9 – Part 1



The International Conference on Harmonisation (ICH) guideline Q9, Quality Risk Management, is the first internationally recognised guideline that specifically addresses QRM for the pharmaceutical and biopharmaceutical industries.

Published in June 2005, the guideline offers an overview of the general principles of quality risk management, an example of a risk management lifecycle, a discussion of the activities that occur at each stage of the cycle and a list of tools and areas of the quality control system to which QRM can be applied.

ICH Q9’s intention is to focus the behaviour of industry and regulators on the two primary principles of Quality Risk Management, which are:

  • quality risk assessment should be based on scientific knowledge and related to patient care;
  •  the effort level and documentation of the Quality Risk Management process must be commensurate with the level of risk.

There is no Zero risk

Risk is defined as the combination of the probability of damage occurring and its severity. The ICH Q9 Guideline debunks a myth found in previous industrial and regulatory cultures: the concept of zero risk. In the old quality paradigms, drug manufacturers sought to eliminate risk from their products and processes, taking their cue from regulators who implied, through publications and regulatory inspections, that no degree of risk was acceptable. However, ICH recognises that “the manufacture and use of a drug (medicine), including its components, necessarily involves a degree of risk”, which must be managed to protect product quality and patient safety. The challenge, therefore, shifts from achieving an almost impossible concept of ‘perfect’ quality to understanding what constitutes an acceptable risk and attempting to reach that state.

Moreover, risk management is not necessarily linked to the use of rigorous and detailed tools, such as FMEA. Instead, the guideline explains how to apply the principles of risk management to the practice of risk management itself: the use of formal or less formal approaches is acceptable, provided that the effort is proportionate to the risk of the product, process or system to be assessed. This enables the industry to incorporate risk management into all aspects of operations without the need to undertake a formal, staff-intensive exercise.

QRM does not replace regulatory requirements

Furthermore, Q9 is quite clear that “the appropriate use of quality risk management can facilitate but does not remove the industry’s obligation to comply with regulatory requirements and is not a substitute for appropriate dialogue between industry and regulators”. Moreover, compliance with all applicable laws is mandatory; risk management cannot be used to justify non-compliance or to argue why a regulatory requirement need not be met. 

Rather, QRM can be used to offer perspectives on how to best comply with standards and to characterise aspects of quality that are not specifically associated with compliance.

More info: Tools and tips to make the best use of Quality Risk Management 

Advantages of a QRM approach 

  • Improved product quality assurance through proactive identification and avoidance or minimisation of quality risks
  • Identifying sources of variation in the product and production process that can be targeted for continuous improvement;
  • Improved decision making as QRM provides a lens through which scientific data and information can be viewed to better evaluate options and understand the potential outcomes of a given decision; 
  • It has a positive impact on the scope and level of regulatory oversight, increasing confidence in the authorities.


ICH. ICH Q9: Quality Risk Management. June 2005
Quality Risk Management 101: ICH Q9 In Context – Pharmaceutical Online – March 28, 2018

More info: Quality Risk Management Lifecycle – Part 2


deviation management

Reducing the impact of Deviations and simplifying their management using digital technology



Deviations are very frequent within Life Science companies, arising when unforeseen events or problems deviate from an approved GMP process and/or from what is required/accepted in terms of GMP.

Deviations have a significant impact on the entire corporate system. They can result in the blocking or rejection of entire batches, lead to several departments being involved in investigations and generate CAPAs with actions that cascade throughout the company.

They also require very careful management because they can affect the identity, strength, quality, purity, safety, efficacy, performance, reliability or durability of a drug or device. This is another reason why deviations receive a lot of attention during inspections.

Each unforeseen event or problem must therefore be documented, evaluated and, where necessary, investigated in order to determine its causes and avoid any recurrence.

In the following paragraphs, we will outline useful tools and approaches for reducing the impact of deviations and simplifying their management using a digital system.

Interesting question: Are Non-Compliances and Deviations the same thing?

Tools and approaches to lessen the impact of deviations

As we have said, deviations can impact the production of drugs and devices, can be detected by anyone in the company and the resulting actions can affect every department.

Keeping track of the number of deviations and seeking to reduce them is paramount for the productivity and efficiency of the company. Shifting from a reactive to a proactive approach improves the quality control system, reduces costs and increases company productivity.

An increasing number of inspection bodies require the Quality Risk Management tool to support quality processes. This is complemented by an in-depth analysis of trends, as well as an increased focus on staff training.

As far as deviation management is concerned, the complex task of keeping track of all activities, deadlines and documents produced can be reduced by using a digital system, which provides essential support to QA Compliance for the execution and supervision of the process.

Quality Risk Management and Deviations

Quality Risk Management (QRM) as a strategic, systemic and documented approach to risk management has become a key requirement for modern GMP and is recommended by international standards such as WHO or ICH Q9.

An efficient deviation management system should implement a mechanism to differentiate events based on their relevance and objective categorisation, thus focusing resources and efforts on only investigating the root causes of relevant deviations.

Even a robust CAPA system depends on efficient deviation management upstream, which assesses the event according to the associated risk, classifies it and acts accordingly and in a timely manner, checking the effectiveness of the actions taken.

QRM, as a formal or informal tool applied to deviations, offers the ability to determine the impact of a deviation on a process or product in an objective manner, so as to categorise and facilitate its management. ICH Q9 recommends using this approach for different purposes, such as identifying root causes and corrective actions during OOS investigations, complaints, quality defects, deviations, trends, etc.

In the document “Deviation Handling and Quality Risk Management”, the World Health Organisation proposes a possible strategy for using QRM to differentiate non-significant events that have no impact on product quality from events that violate standards and procedures and deviations with a probable impact on product quality.

More info: Tools and advice to make the best use of Quality Risk Management

Interesting question: Who initiates deviations? Centralised vs decentralised initiation

Human error and Staff Training

Human error is one of the most frequent causes of deviations. The employee was given the procedure, maybe even trained and qualified, but nothing came of it. Errare Humanum Est (To err is human). Most of the time, the employee is assigned a retraining course as a CAPA action.

However, many procedures, training courses or processes are not well understood by staff and often even retraining is not sufficient to prevent recurrence. There might also be other causes behind human error, such as a process that is not designed to prevent error or an environment that hinders optimal staff performance. 

One suggestion is to delve into the root cause of human error by going beyond simple retraining.

With regard to the latter in particular, it is also important to assess the effectiveness of training. Here are some questions that might be useful:

  • Does the training reflect the content of the procedure? Do the operators and staff all perform the tasks in the same way?
  • Did the staff member perform the task alone the first time?
  • Did the staff member practice the task enough, or was the training quick?
  • Was the training time used for appropriate training activities?
  • Did the trainer check the staff member’s ability to perform each required part of the task? According to what standard?
  • Can the staff member freely access the information needed to perform the task?
  • Did the trainer show the staff member how to correctly perform the task? Does the trainer have the knowledge and skills required to teach? 

Another suggestion is to also review the reference procedure:

  • Does the procedure have a clear, simple description of the actions? 
  • Could there be errors or ambiguities, or could the procedure be inadequate and impossible to perform?

Management of deviations with a digital system

Managing deviations along with other processes in a single digital system is now a necessary measure for quality control in the company, in order to keep processes under control and to avoid unpleasant situations in the event of an inspection.

Companies that choose the path of a digital system for the management of deviations and other processes can also count on the availability of a large amount of data, to carry out in-depth analysis, cross-referencing, measuring performance indices and improving risk calculation from historical data, as well as for structuring targeted strategies and preventive actions.


PRAGMA4U is a modular and scalable Workflow Management System platform that digitises work processes in compliance with FDA and cGxP guidelines.

It enables companies to: have documentation that is protected, always up-to-date, organised and linked to the source processes; assign and implement work activities directly on the platform; easily share information between departments; keep processes under control using KPIs; and compile reports and dossiers that will be useful for inspections.

The platform can contain multiple processes, creating a true digital map of the company. It also integrates with other systems, such as ERP, simplifying the compilation and updating of data.



digital transformation

Digital Transformation in Life Science companies: impacts and opportunities



Digital Transformation: we have all heard these words at least once, especially in recent months in the light of the pandemic. Many companies are dealing with remote contacts, overproduction and the adoption of digital tools in order to continue their business.

Digital Transformation, however, goes beyond the introduction of new technologies, leading rather to a total rethinking of the organisation and posing more cultural than technological challenges.

In the following paragraphs, we will analyse the meaning and impact of digital transformation and what scenarios and challenges lie ahead for the Life Science businesses.

Digital Transformation

Digital Transformation has been talked about since the late 1990s, as an approach that involves the whole company and introduces changes in the business at a technological, cultural, organisational, social, creative and managerial level.

Digital Transformation encourages participants to share, be transparent and inclusive in the process and places the recipient of the final service at the centre of the development, if not actually participating in it.

Digital Transformation is a ‘gateway’ to the future and to maintaining competitiveness in the marketplace. Companies that have already implemented projects related to the use of new technologies achieve “a profitability that is 26% higher than other companies and a market value increase in the region of 12%”.

According to a SAP report, most companies understand the importance of digital change, but only 3% have implemented digital transformation projects within the company.

Companies that are considered leaders in Digital Transformation have the following characteristics:

  • they consider Digital Transformation to be at the very core of their business (96%) and technology as highly important for achieving a competitive advantage (93%). With this in mind, leaders are also rethinking their business models;
  • they prioritise customer contact activities. 92% of leaders in Digital Transformation have already set up strategies and processes for improving customer experience. Generally speaking, they consider the latter to be the gateway to successful digital transformation;
  • they invest heavily in digital research and training of employees, so as to be ready for change. 71% of leaders also state that investing in digital transformation makes it easier to attract and retain talent;
  • they are built on a bimodal structure. This is an organisational model that takes into account a company’s technological tradition and brings this element together with the more typically innovation-oriented aspects. This enables the business to be run efficiently while at the same time introducing new technologies to remain competitive, especially Big Data and Analytics (94%), Machine Learning (50%) and Internet of Things (76%).

Departments that are most often digitised in the Life Sciences sector


For Life Science companies in particular, being part of a digital ecosystem implies easier communication and sharing of data, extending from regulating bodies right up to the patient.


Of great interest in this respect is a study conducted by KPMG on digitisation within the Life Science businesses of Germany, Switzerland and Austria. The research looked at 75 companies, including pharmaceutical, medtech and other Life Science companies.

The departments with the greatest digitisation are IT and Quality Assurance. Quality Assurance is also the area where most digitisation projects are planned. The areas least affected at the time of the research were logistics and production, although in recent months there has been a sharp increase in interest and projects in these areas.

According to the research, the increase in efficiency is one of the major benefits of deploying digital technologies, including the agile design of R&D processes (39%), closely followed by the advantage of optimising Quality & Compliance processes (28%).


Efficient internal processes and an agile approach


Before implementing a technological solution, it is advisable to reflect on our own internal processes and how they can be simplified. Only then should we ask how a digital tool can fit in. Without this prerequisite, there is a risk that instead of increasing productivity, the technologies will lead to further wasted time for the staff using them.

Another issue to consider is transversal collaboration with internal and external stakeholders who will make use of the technology, even if not managing it directly. The advice is to involve them and create cross-functional teams within the company and the group to jointly evaluate and test the new technology, the impacts it will have and how to manage them.

The agile approach can help with tackling the uncertainty of a new technology and the change it entails, as it allows the best solution to be implemented gradually while making quick decisions. The agile approach involves setting up working groups that are horizontal to the organisation’s hierarchy for rapid prototyping and testing of the best solutions.

Culture and digital skills

Amongst the biggest challenges for more than 80% of Life Science companies (KPMG report) are the lack of digital skills and acceptance of new technologies on the part of employees.

The introduction of new technologies might in fact be seen as replacing human activities, with the consequent risk of job losses. Fear of this may lead, consciously or unconsciously, to employees’ resistance to change. If this is the case, management should intercept the fear and convey the message that Digital Transformation is an opportunity to increase one’s skills, remain competitive in the labour market and have the opportunity of changing a repetitive job for a more valuable one within the company.

Companies often employ coaches to help them establish a culture of digital change.

When it comes to lack of digital skills, many companies have undertaken to retrain their employees. Starting with an assessment, they have provided personalised routes for digital growth. Training of this kind certainly involves a significant investment. Many companies in KPMG’s research expressed considerable doubt about their ability to develop such skills.

In this respect, a critical parameter in the digital transformation process is a clear definition of the qualified employee profile that will be required in the future. The training system must therefore adapt to these requirements with specific training programmes.



Quality risk management

Quality Risk Management Lifecycle – Part 2



According to ICH Q9, the benefits of risk management are to be achieved through the application of a QRM lifecycle. This is an iterative process consisting of four primary phases (risk assessment, risk control, risk review, risk communication), each facilitated by the application of risk management tools.

While ICH Q9 recognises that other lifecycle models can be used, most companies have adopted the model contained in the guidelines.

In the start-up and planning phase, ICH Q9 describes the activities that could be performed as follows:

  • define the problem and/or risk situation, including the relevant assumptions to identify the risk potential;
  • identify personnel and leadership;
  • outline the expected results;
  • specify a timeline, documents and an adequate level of decision-making for the risk management process;
  • collect basic information and/or data on the potential danger, damage or impact on human health that is relevant for the Risk Assessment.

The ICHQ9 guideline does not indicate when or under what circumstances the Quality risk management process should be initiated, or which triggers could activate this first critical step.

Risk Assessment

The Risk Assessment consists of identifying hazards and analysing and assessing the risks associated with exposure to these hazards. It is typically based on the use of risk management tools, which allow a methodical and structured means of identifying and analysing risks.

The Quality Risk Assessment begins with a well-defined description of the problem or risk issue. At this point, a risk management tool and the type of information needed to address the risk will be more easily identified.

To define the risks, it is useful to answer 3 questions:

  1. What could go wrong? (Risk identification). Systematic use of information (historical data, theoretical analysis, knowledge-based opinions, stakeholder concerns) to identify dangers related to a problem.
  2. What is the probability that it will go wrong? (Risk Analysis). Each hazard is analysed to determine its relative criticality, using the risk equation (probability x severity = risk). It is a qualitative or quantitative process that links the probability of occurrence and the severity of damage.
  3. What are the consequences (severity)? (Risk Evaluation) Finally, the identified and analysed risks are compared with predefined criteria to determine their acceptability (risk assessment).

Our Risk Assessment Advice

In carrying out an effective Risk Assessment, the robustness of the data set is important because it determines the quality of the output. Showing assumptions and reasonable sources of uncertainty increases confidence in this output and/or helps to identify its limitations.

The uncertainty is due to the combination of:

  • incomplete knowledge of a process and its expected or unexpected variability;
  • knowledge gaps in pharmaceutical science and in the understanding of the process, in the sources of harm (e.g. failure modes of a process, sources of variability) and in the probability of identifying problems.

The output of a Risk Assessment is a quantitative estimate of the risk or a qualitative description of a series of risks.

Risk Control

In this phase, the risks are reduced to an acceptable level. This is perhaps the most important stage, as it is the point in the process where control strategies are identified, implemented and continuously improved; risk control is the phase that guarantees adequate patient protection.

The main activities are:

  • Risk reduction – actions taken to reduce the probability of damage occurrence and severity. Focuses on quality risk mitigation and prevention processes;
  • Risk acceptance – Confirmation that risk mitigation actions have not adversely affected the overall risk profile by introducing new risks or increasing risk levels, the risks are adequately controlled (i.e., that risk mitigation actions and other risk controls are effective) and the resulting risks are acceptable. Risk acceptance consists of a formal decision to accept the residual risk or a passive decision in which the residual risk is not specified.

In the event that the risk remains unacceptable following risk reduction, the cycle returns to the risk assessment stage and the process can be repeated.

Our advice for the Risk Control phase

The amount of work and resources invested in risk control should be proportional to the magnitude of the risk. Decision-makers can use several processes, including cost-benefit analysis, to understand the optimal level of risk control.

Risk Control could focus on the following questions:

  1. Is the risk above an acceptable level?
  2. What can be done to reduce or eliminate the risks?
  3. What is the right balance between the benefits, risks and resources?
  4. Have new risks been introduced as a result of the identified risks being controlled?

Quality Risk Management Output/Result

After risk control, there is an output. Although included in the QRM life cycle, ICH Q9 does not provide any narrative description of what such an output or result might entail.

Generally, at this stage a report is compiled on the results of the risk assessment and risk control, the risk reduction efforts undertaken and the acceptability of the residual risk.

Risk Review

Once the risk control has been completed and the results documented, the risk review phase begins. The goal is to ensure that previous activities and associated deliverables remain accurate, relevant and complete in light of changing conditions. Knowledge gained during the product lifecycle, ongoing activities, such as product, process or system changes, unplanned events, such as customer deviations and complaints, and changes in internal and external business and regulatory climate can impact the decisions taken in the risk assessment and acceptance phases.

Risk review, therefore, involves a periodic or event-driven review to determine whether the original risk assessment needs to be updated and whether risk acceptability will therefore be affected. In this sense, ICH Q9 presents the risk review as an opportunity to confirm the continued validity of decisions made within the QRM process.

The review frequency should be based on the level of risk.

Risk Communication

A critical and often overlooked element of the QRM lifecycle is risk communication. The objective is to ensure that all interested parties are aware of the information on risks, including aspects such as “existence, nature, form, probability, severity, acceptability, control, treatment, detectability or other aspects of quality risks”.

Such communication occurs most commonly in the output phase of the QRM lifecycle, through documentation associated with risk assessment and control activities as the primary communication mechanism; however, risk communication can and should occur at other stages of the QRM lifecycle, depending on the nature and criticality of the identified risks.

A significant challenge in quality risk communication lies in the relatively limited options for communication between QRM professionals, decision-makers and the patient. Unlike intrinsic risks (such as known adverse reactions), which are typically communicated through product labelling, extrinsic risks, including quality risks, have no defined communication mechanism.

Our advice for the Risk Communication phase

In Risk Communication, it is important to take into account the following elements:

  • stakeholders must communicate in all stages of the Risk Management process;
  • the result of the Risk Management process must be adequately communicated and documented;
  • the information contained in the report may relate to the existence, nature, form, probability, severity, acceptability, control, treatment, recognition or other aspects of risks;
  • communication is not required for each acceptance of risk;
  • between industry and regulatory authorities, communication relating to Quality Risk Management decisions can be made through existing channels, as specified by the regulations and guidelines.


ICH. ICH Q9: Quality Risk Management. June 2005
Quality Risk Management 101: ICH Q9 In Context – Pharmaceutical Online – March 28, 2018



ALCOA data integrity principles

What are the ALCOA principles and why are they crucial in Data Integrity?



The ALCOA principles are an important reference model in the pharmaceutical sector, and ensure the integrity of both printed and electronic data.

Data Integrity

There is no single definition of Data Integrity, but the various bodies have given similar definitions, with the ALCOA principles at the centre.

According to the World Health Organisation (WHO):

“Data integrity is the degree to which data are complete, consistent, accurate, trustworthy, reliable and that these characteristics of the data are maintained throughout the data life cycle. The data should be collected and maintained in a secure manner, so that they are attributable, legible, contemporaneously recorded, original (or a true copy) and accurate. Assuring data integrity requires appropriate quality and risk management systems, including adherence to sound scientific principles and good documentation practices”.

The definition is also used by MHRA, the regulatory agency for medicines and health products in the UK.

We find a similar definition in the FDA document “Data Integrity and Compliance with Drug CGMP. Questions and Answers Guidance for Industry”:

“Data integrity refers to the completeness, consistency, and accuracy of data. Complete, consistent, and accurate data should be attributable, legible, contemporaneously recorded, original or a true copy, and accurate (ALCOA)”.

ALCOA+ principles

According to the FDA guidelines, ALCOA stands for Attributable, Legible, Contemporaneous, Original and Accurate.

In recent years, these five principles have been supplemented with four more: Complete, Consistent, Enduring and Available. This is why we talk about ALCOA+.



Attributable

“Who acquired the data or performed an action following the acquisition, and when?”

All data created or collected must be attributable to a person or computer system. This includes who performed the action and when, thus recording the collection or generation date. Recording can be done manually on paper or automatically through the audit trail in a computer system.


Legible

“Can you read the data and all the metadata or all the manual transcripts on paper?”

All recorded data must be legible and permanent, ensuring that it is easily accessible throughout the data lifecycle. This aspect of the data is certainly more easily manageable through electronic systems than on paper.



Contemporaneous

“Is the action documented (on paper or electronically) at the same time as the activity?”

It is essential that individuals or systems record the data at the very moment in which the activity or sequence of activities is carried out. This is a common practice with automated electronic systems, whereas on paper it is more subject to backdating or postdating.



Original

“Certified compliant printouts or copies, electronic records of an activity including the metadata”

The data should be original rather than copies or transcripts. This is especially true for paper records. For example, it is not appropriate to write partial information on a piece of paper, with the intention of completing the record later on in an official document, as this can cause errors. The original record of the data should appear on the master record, regardless of whether that record is on paper or on a digital system.



Accurate

The data should reflect the reality of what actually happened, be complete and error-free.

Any changes must not obscure or erase the original information. The use of correction fluid on paper records is therefore not permitted. Any changes, whether made electronically or on paper, must be signed by the person making the change, dated and provided with a written explanation.



Complete

Omissions are regulatory violations! Omission is not so different from “hiding”.

A record must contain all the information available up to that moment. All electronically recorded data requires proof that no information has been deleted or lost.



Consistent

The data/document must be consistent with the use made of it and with the specific features it is expected to have.



Enduring

The data/document must be long-lasting and therefore adequately preserved.



Available

The data must not only exist, it must be accessible. Electronic data recording is normally the most efficient way to achieve this.



quality risk management

Tools and advice to make the best use of Quality Risk Management



Quality Risk Management is a forecasting model and a systematic process for assessing, controlling, communicating and reviewing risks to the quality (understood as safety and effectiveness) of a product or service throughout its life, from development to marketing.

QRM can be applied to different types of industries, such as Automotive and Food, but also to different areas of the company, from quality control to human resources.

Quality Risk Management is important for providing a structured and objective approach to the management of information and decision-making, through documented, consistent and communicative methods that support the development and production phases of the product or service.

In the Life Science sector, QRM is addressed in the ICH Q9 guidelines, in Part III of the GMP Guidelines, where the development of science and risk-based approaches to quality is encouraged.

4 advantages of Quality Risk Management

1. Quality

Effective implementation of the entire Quality Risk Management process ensures high-quality medication for the patient. This is achieved through a proactive approach of identifying and controlling possible quality problems that may occur during its development and production (including raw ingredients and packaging materials).

2. Decision making

Systematic application of QRM also improves decision-making and increases confidence in the company’s ability to deal with potential risks.

3. Productivity

Furthermore, when well applied, Quality Risk Management significantly reduces the costs of pharmaceutical product development and production by reducing an organisation’s workload and focusing efforts on the most critical areas, which leads to higher product quality and patient safety.

4. Knowledge management

QRM can also be successfully used to enhance knowledge management by providing a comprehensive overview of processes or systems, their weaknesses and the critical controls that have been put in place to prevent problems from occurring.

Some methods and tools to support QRM

5 Whys

The method is to repeatedly ask the question “why” until you come to understand all the symptoms of a problem and get to the root. The method is usually used during problem-solving activities or in conjunction with other tools, such as the cause and effect diagram.

Ishikawa Diagram (fishbone diagram)

So-called because it looks like a fishbone with a rectangle at the end containing the effect or problem. In the manufacturing field, the causes or factors that influence a production process are often organised into four macro groups, which are: labour, machines (including the energy used and working and measuring instruments), materials (raw and auxiliary materials) and methods (procedures or operating practices). It can be used in brainstorming sessions with the team.

Fault Tree Analysis (FTA)

This helps determine the cause of failure or tests the reliability of a system by logically checking for a series of events. The FTA starts from failure to logically arrive at the causes. It can be used for:

  • establishing the route to the right cause of failure;
  • evaluating the system or subsystem of failures one at a time, although it can also combine several causes of failure by identifying causal chains;
  • investigating complaints and deviations so as to fully understand their cause and ensure that the planned improvements will solve the problem and not lead to others;
  • evaluating how different factors influence a certain problem. It is useful for both risk assessment and monitoring development programmes.
  • It relies on a total understanding of the process so as to identify causative factors.

Failure Mode and Effect Analysis (FMEA)

Methodology used to analyse failure or defect modes of a process, product or system, analyse their causes and assess their effects on the whole system/plant. Generally (but not necessarily) the analysis is carried out beforehand and is therefore based on theoretical and not experimental considerations. It allows organisations to anticipate possible defects and errors in process design during the design phase.

It can be used for:

  • designing a new product, process or service;
  • planning to carry out an existing process in a different way;
  • when you have the objective of improving the quality of a specific process;
  • when you need to understand and “improve” the errors in a process.


Hazard Operability Analysis (HAZOP)

Tool based on the theory that risk events are caused by deviations from the design or operational goals. It uses a systematic technique to identify potential deviations. It is often used by a team that already knows the design of a process or product and its application.

It can be used for:

  • production processes;
  • equipment and services;
  • finished products and raw materials;
  • assessing the dangers within safety processes;
  • as a starting point for the HACCP methodology.


Hazard Analysis and Critical Control Points (HACCP)

Identifies and implements process controls that consistently and effectively prevent the occurrence or spread of dangerous conditions. It emphasises preventing problems rather than detecting them, which is why it is recommended for proactive rather than reactive applications.

It can be used for:

  • identifying and managing the risks associated with physical, chemical and biological hazards (including microbiological contamination);
  • supporting the identification of critical control points (critical variables/parameters) when product and process knowledge is comprehensive;
  • facilitating the monitoring of critical points in production processes.

Preliminary Hazard Analysis (PHA)

Analysis tool that applies experience or prior knowledge of the hazard or failure to identify future hazards, hazardous situations and events that could cause harm and to assess their likelihood of occurrence in relation to a certain activity, product functionality or system.

It can be used for:

  • analysing existing systems or prioritising hazards where conditions preclude the use of a more extensive technique;
  • products, processes and functionalities and to assess the types of hazard by product type or class and for the specific product;
  • the development of a project when there is little information on the detail of the design or operational procedures (i.e. it is often a predecessor of later studies);
  • in general, the hazards identified are assessed with other risk management methods.


Risk Ranking and Filtering

Method used to compare and classify risks. It usually includes the evaluation of several quantitative and qualitative factors for each risk and risk weighting and scoring.

Can be used:

  • to prioritise production sites for inspections and audits by regulatory bodies or the industry;
  • in situations where the portfolio of risks and the underlying consequences to be managed are different and difficult to compare using a single instrument;
  • when management needs to address both qualitative and quantitative risks in the same organisational structure.

To learn more about other tools, we recommend the World Health Organisation’s Quality Risk Management Guidelines.


QRM management with a digital system




PRAGMA4U is a modular and scalable Workflow Management System platform that digitises work processes in compliance with FDA and cGxP guidelines.

It enables companies to: have documentation that is protected, always up-to-date, organised and linked to the source processes; assign and implement work activities directly on the platform; easily share information between departments; keep processes under control using KPIs; and compile reports and dossiers that will be useful for inspections.

The platform can contain multiple processes, creating a true digital map of the company. It also integrates with other systems, such as ERP, simplifying the compilation and updating of data.

