ICH Q9 Risk Management (r1) in consultation

ICH Q9 (r1) is in step 2, which means it is out for comments.

Section 5, “Risk Management Methodology,” is greatly expanded, with a discussion on just what level of formality means in risk management using three criteria of uncertainty, complexity, and importance. Section 5 then goes into risk-based decision making to a greater depth than seen previously in guidances.

Section 6 is greatly expanded as well.

I need to read this in more depth before providing a deeper analysis.

Understanding How to Organize Process

Process drives the work we do. We can evaluate processes on two axes – complexity and strategy – that help us decide the best way to manage and improve the processes.

Process by Complexity and Strategy

Process complexity and dynamics describe the types of tasks involved in the process. Is it a simple, repetitive procedure with a few rules for handling cases outside of normal operation? Or is it a complex procedure with lots of decision points and special case rules? Think of this like driving somewhere. Driving to your local grocery is a simple procedure, with few possibilities of exceptions. Driving across the country has a ton of variables and dynamism to it.

While complexity can help drive the decision to automate, I strongly recommend that, when thinking about it, you don’t ask if it can be automated; only ask what would be involved if a human were to do the job or how it is done with current technologies. Starting with the answer of automation leads to automation for automation’s sake, and that is a waste.

Dynamics is how much the process changes – some change rarely while others change rapidly to keep pace in response to changes in product or external factors (such as regulations).

Strategic importance asks about the value the process contributes to meeting requirements. Is the process a core competency, or an enabling process that needs to be accomplished to ensure that you can do something else that meets the core requirements? Needless to say, one company’s strategic process is another company’s routine process, which is why more and more we are looking at organizations as ecosystems.

Processes are in a hierarchy, and we use levels to describe the subdivision of processes. We’ve discussed the difference between process, procedure and task. At the process level we usually have the high-level process (the architecture level), which covers the big things an organization does (e.g. research, manufacture, distribute); mid-level processes, which are more discrete activities (e.g. perform a clinical study); even more discrete processes (e.g. launch a study), which usually have several levels (e.g. select sites, manage TMF); and finally procedure and task.

| Level of Process | Includes | Key Ways to Address |
|---|---|---|
| High-Level Process | How key objectives are met, highly cross functional | Organization design. System Design |
| Mid-level Process | How a specific set of departments do their major work blocks | Process Improvement |
| Low-level process | How individuals conduct their work in sub-blocks | Knowledge management, task analysis, training |

Levels of Process

To truly get to this level of understanding of process, we need to understand just what our process is, which is where tools like the SIPOC or Process Scope diagram can come in handy.

Process Scope Diagram

To understand a process we want to understand six major aspects: Output, Input, Enablers, Controls, Process Flow, People.

Complex and Complicated as Tools for Process Understanding

Simple processes usually follow a consistent, well-defined sequence of steps with clearly defined rules. Each step or task can be precisely defined, and the sequence lacks branches or exceptions.

More complicated processes involve branches and exceptions, usually draw on many rules, and tend to be slightly less defined. Complicated processes require more initiative on the part of human performers.

Complex processes are ones that require a high level of initiative and creativity from people. These processes rapidly change and evolve as time passes. Successful performance usually requires a connection to an evolving body of knowledge. They are highly creative and have a large degree of unpredictability. Most complex processes are viewed at the system level.

Sources

  • Benedict, T. et al. BPM CBOK Version 4.0: Guide to the Business Process Management Common Body of Knowledge. ABPMP International, 2019.
  • Harmon, Paul. Business Process Change. Morgan Kaufmann, 2019.
  • Nuland, Y. and Duffy, G. Validating a Best Practice. Productivity Press, 2020.

The Great Man Fallacy and Pharmaceutical Quality

Primary Investigator, Study Director, Qualified Person, Responsible Person – the pharmaceutical regulations are rife with a series of positions that are charged with achieving compliance and quality results. I tend to think of them as a giant Achilles heel created by the regulations.

The concept of an individual having all the accountability is nowhere near universal; for example, the term Quality Unit is a nice inclusive we – though I do have some quibbles on how it can end up placing the quality unit within the organization.

This is an application of the great man fallacy – the idea that one person, by dint of education, experience, and stunning good looks, can ensure product safety, efficacy and quality, and all the other aspects of patient and data integrity of trials.

That is, frankly, poppycock.

People only perform successfully when they are in a well-built system. Process drives success and leverages the right people at the right time making the right decisions with the right information. No one person can do that, and frankly thinking someone can is setting them up for failure. Which we see a lot in the regulatory space.

Sure, the requirement exists, and we need to meet it, failing the agencies waking up and realizing the regulations are setting us up for failure. But we don’t need to buy into it. We build our processes to leverage the team, to democratize decisions, and to drive for reliable results.

Let’s leave the great man theory in the dustbins where it belongs.

Building the Risk Team

Good risk assessments are a team effort. If done right, this is a key way to reduce subjectivity, and it recognizes that none of us knows everything.

An effective risk team:

One of the core jobs of a process owner in risk assessment is assembling this team and ensuring they have the space to do their job. They are often called the champion or sponsor for good reason.

It is important to keep in mind that membership of this team will change, gaining and losing members and bringing on people for specific subsections, depending on the scale and scope of the risk assessment.

The more complex the scope and the more involved the assessment tool, the more important it is to have a facilitator to drive the process. This allows someone to focus on the process of the risk assessment, and the reduction of subjectivity.

GMP mistakes are costly

In the continual saga of companies making fundamental GMP mistakes, Gilead has recalled two lots of its coronavirus treatment drug Remdesivir because of the “presence of glass particulates.”

If only there existed international standards on visual inspection and there were a solid set of best practices on lyophilization.

Oh, wait there are.

But then Gilead has a multi-year track record of deficiencies in their testing and manufacturing processes. In all fairness, they are contracting manufacturing to Pfizer’s McPherson site... oh wait, that site got an FDA 483 in 2018 specifying significant violations of good manufacturing practices, such as an inadequate investigation into the detected presence of cardboard in vial samples.

We deserve better manufacturers. Companies need to take the quality of their products seriously. We are always improving or we are always one step away from the sort of press Gilead gets.