The Challenges Ahead for Quality

Discussions about Industry 4.0 and Quality 4.0 often focus on technology. However, technology is just one of the challenges that Quality organizations face. Many trends are converging to create constant disruption for businesses, and the Quality unit must be ready for these changes. Rapid changes in technology, work, business models, customer expectations, and regulations present opportunities to improve quality management but also bring new risks.

The widespread use of digital technology has raised the expectations of stakeholders beyond what traditional quality management can offer. As the lines between companies, suppliers, and customers become less distinct, the scope of quality management must expand beyond the traditional value chain. New work practices, such as agile teams and remote work, are creating challenges for traditional quality management governance and implementation strategies. To remain relevant, Quality leaders must adapt to these changes..

The traditional Value Proposition of quality management is no longer sufficient to meet the expectations of stakeholders. With the rise of a digitally native workforce, there are new expectations for how work is done and managed. Business leaders expect quality leaders to have full command of operational data, diagnosing and anticipating quality problems. Regulators also expect high data transparency and traceability.

The value proposition of quality management lies in predicting problems rather than reacting to them. The primary objective of quality management should be to find hidden value by addressing the root causes of quality issues before they manifest. Quality organizations who can anticipate and prevent operational problems will meet or exceed stakeholder expectations.

Our organizations are on a journey towards utilizing predictive capabilities to unlock value, rather than one that retroactively solves problems. Our scope needs to be based on quality being predictive, connected, flexible, and embedded. For me this is the heart of Qualty 4.0.

Quality management should be applied across a multitude of systems, devices, products, and partners to create a seamless experience. This entails transforming quality from a function into an interdisciplinary, participatory process. The expanded scope will reach new risks in an increasingly complex ecosystem. The Quality unit cannot do this on its own; it’s all about breaking down silos and building autonomy within the organization.

To achieve this transformation, we need to challenge ourselves to move beyond top-down and regimented Governance Models and Implementation Strategies. We need to balance our core quality processes and workflows to achieve repeatability and consistency while continually adjusting as situations evolve. We need to build autonomy, critical thinking, and risk-based thinking into our organizational structures.

One way to achieve this is by empowering end-users to solve their own quality challenges through participatory quality management. This encourages personal buy-in and enables quality governance to adapt in real-time to different ways of working. By involving end-users in the process of identifying and solving quality issues, we can build a culture of continuous improvement and foster a sense of ownership over the quality of our products and services.

The future of quality management lies in being predictive, connected, flexible, and embedded.

Predictive: The value proposition of quality management needs to be predicting problems over problem-solving.
Connected: The scope of quality management needs to extend beyond the value chain and connect across the ecosystem
Flexible: The governance model needs to be based on an open-source model, rather than top-down.
Embedded: The implementation strategy needs to shift from viewing quality as a role to quality as a skill.

By embracing these principles and involving all stakeholders in the process of continuous improvement, we can unlock hidden value and exceed stakeholder expectations.

Deaing with these challenges and implications requires the Quality organization to treat transformation like a Program. This program should have four main initiative areas:

Build the capacity for targeted prevention through targeted data insights. This includes building alliances with IT and other teams to have the right data available in flexible ways but it also includes the building of capacity to actually use the data.
Expand quality management to cover the entire value network.
Localize Risk Management to Make Quality Governance Flexible and Open Source.
Distribute Tasks and Knowledge to Embed Quality Management in the Business.

Across these pillars the program approach will:

Assess the current state: Identify areas requiring attention and improvement by examining existing People, Processes, Policies and Platforms. This comprehensive assessment will provide a clear understanding of the organization’s current situation and help pinpoint areas where projects can have the most significant impact
Establish clear objectives: Establish clear objectives to h provide a clear roadmap for success.
Prioritize foundational elements: Prioritize building foundational elements. Avoid bells-and-whistles for their own sake.
Develop a phased approach: This is not an overnight process. Develop a phased approach that allows for gradual implementation, with clear milestones and measurable outcomes. This ensures that the organization can adapt and adjust as needed while maintaining ongoing operations and minimizing disruptions.
Collaborate with stakeholders: Engage stakeholders from across the organization,to ensure alignment and buy-in. Create a shared vision for the initiative to ensure that everyone is working towards the same goals. Regular communication and collaboration among stakeholders will foster a sense of ownership and commitment to the transformation process.
Continuously monitor progress: Regularly review the progress, measuring outcomes against predefined objectives. This enables organizations to identify any potential issues or roadblocks and make adjustments as necessary to stay on track. Establishing key performance indicators (KPIs) will help track progress and determine the effectiveness of the Program.
Embrace a culture of innovation: Encourage a culture that embraces innovation and continuous improvement. This helps ensure that the organization remains agile and adaptive, making it better equipped to take advantage of new technologies and approaches as they emerge. Fostering a culture of innovation will empower employees to seek out new ideas and solutions, driving long-term success.
Invest in employee training and development: It is crucial to provide employees with the necessary training and development opportunities to adapt to new technologies and processes. This will ensure that employees are well-equipped to handle the changes brought about by these challenges and contribute to the organization’s overall success.
Evaluate and iterate: As the Program unfolds, it is essential to evaluate the results of each phase and make adjustments as needed. This iterative approach allows organizations to learn from their experiences and continuously improve their efforts, ultimately leading to greater success.

To do this leverage the eight accelerators to change.

Business Continuity Planning

The pharmaceutical regulations call, repeatedly for business continuity plans. For example, the FDA calls for fairly significant requirements for Medically Necessary Products:

Medically necessary drug products and their components are manufactured all over the world. An emergency situation anywhere in the world thus might affect the availability of drug products in the United States and result in drug shortages. Emergency preparedness for situations that could result in high employee absenteeism is an important goal for manufacturers of drug products and their components. For example, in an influenza pandemic, widespread human outbreaks of illness would be expected in the United States and around the world, resulting in widespread high absenteeism that could hinder normal production activities and cause shortages in the supply of drug products, packaging materials, and drug components. It is therefore vital for industry to prepare before an emergency situation occurs and to develop plans to ensure continuity of operations during emergencies (including, for example, an influenza pandemic, natural disaster, or personnel issue) that would prevent a significant portion of the work force from reporting. It is especially important for manufacturers of finished drug products to be aware of their suppliers’ and contractors’ responses to personnel shortages and, when appropriate, work with them to ensure the availability of high quality materials and services that contribute to the manufacture of MNPs.
FDA, Guidance for Industry Planning for the Effects of High Absenteeism to Ensure Availability of Medically Necessary Drug Products

You can find less definitive requirements throughout the various health authorities’ regulations and guidances.

So what do we mean by business continuity?

Business continuity is the holistic management process that ensures operations continue and that products and services are delivered at predefined levels (e.g. no shortages, no halt to an ongoing clinical trial). This approach is aligned with ISO 22301 Business Continuity Management Systems.

Business continuity management is an ongoing process based on the plan-do-check-act methodology that is made up of 4 key elements:

Emergency Action and Response Plans
Disaster Recovery Plans
Crisis Management Plans
Business Continuity Plans

Emergency Action Plans

An emergency action plan is designed to respond to an emergency with mitigating procedures to protect, secure and evacuate people to safety. This is more an OSHA thing; chances are your average Quality unit doesn’t end up owning it. Unless you have no HS&E unit, and then you write one.

This plan includes procedures for detecting, warning, and responding to specific potential emergencies such as fire, severe weather, earthquake, medical emergencies, workplace violence, and other potential threats.

Disaster Recovery Plan

Disaster recovery plans are designed to recover from a disaster, usually related to equipment, infrastructure, and information technology. Something big goes boom, how do you restore this vital support system or equipment as soon as possible and minimize downtime and loss of data. Very important for computer system lifecycle, disaster recovery plans should include specific plans for recovery functions, resumption strategies, critical personnel, equipment, services, and external and internal communications.

Crisis Management Plans

Crisis management is all about planning and mitigating situations that have risk, and are usually a lot of management of communications internally and externally. This includes with regulators, health care providers, etc. When we implement SOPs for health authority notifications we are engaging in crisis management planning.

Business Continuity Plans

Business continuity planning identifies and plans for disasters to events that could negatively an organization’s business functions, objectives, income, reputation, and ultimate survival. This planning takes place in advance of the potential disasters or events that could harm an organization. It takes potential disasters and events into consideration with their effects on suppliers, vendors customers, and the organization’s other stakeholders.

In a GxP environment, we are looking at the potential impact of disasters on drug supply and clinical study outcomes (amongst other key activities).

The BCP is all about minimizing the effects of the disaster or event on the organization and returning to normal operations as soon as possible.

These Plans are Interrelated

All four plans are interrelated and should be coordinated. The plans can be combined, but as there are usually very different owners they are often separated.

Documented Plans

The business continuity planning process should result in formal, documented plans that serve as a reference guide in the event of a disaster or event. The existence of the business continuity plans should be well communicated, with individuals with responsibilities having ready access and additional training.

Applying the Risk Management Process

The Business Continuity process should leverage existing risk assessments and sit around it.

Select Team

The team should be multifunctional and very knowledgeable about the organization’s business and the risks it faces. This should be a permanent team, not ad hoc, as this is a living process. You can always bring in ad hoc members for specific questions.

Define Context, Purpose, Scope

At a minimum you are tackling the disruption to product supply and cessation of critical GxP data but there may be other business requirements to tackle. Make sure everyone agrees on these.

Define Terminology

Make sure everyone is on the same page with just what disaster, event, crisis, stakeholder, and business continuity plan (and other important concepts) are.

Agree on the scales for likelihood and severity.

Critical Function Assessment

Identify the business functions that are sensitive to downtime, fulfill regulatory obligations and are vital for maintaining product supply.

Threat Assessment

Identify the threats to the performance of the critical functions.

Identify Hazards and Risks

There are three major categories of hazards:

Natural Hazards
- Meteorological
- Geological
- Biological
Human-Caused Hazards
- Accidents
- Intentional acts
Technological Hazards
- Information technology
- Utility
- Fire/explosion
- Hazardous material
- Supply Chain interruption

Utilize a risk matrix to assess the likelihood and severity of the identified hazards and risks.

Develop Business Continuity Plan(s)

After the hazards and risks have been identified, the impact understood and the risks assessed it is time to develop the business continuity plan (BCP). The BCP allows the organziation to survive the event or disaster with minimal disruption. The BCP focuses on mitigating the consequences of the event or disaster that could not be prevented. Recovery strategies for these cosnequences are determined, developed and become part of the BCP.

When many potential risks have been identified, use the risk score to prioritize.

BCPs cover management commitment, team ientification, team responsibilities, mitigation plans, recovery strategies, training, testing and evaluation and continious improvement. Basically the same thing any good plan does.

Mitigation plans are intended to lessen the negative effectis of an event or disaster.

Provide appropriate awareness training to everyone impacted, with more substantial trining to the BCP team.

Verify it periodically and ensure it is continues to be relevant.

Whenever relevant, procceduralize these BCP instructions.

Bow-Tie Diagram

The bow-tie method is a powerful tool for visualizing and managing risks. Named after its distinctive shape, this tool is used to analyze the causes and consequences of potential risks.

At the center of the bow-tie diagram is the “top event,” which represents the risk being analyzed. On the left side of the diagram are the potential causes of the top event, while on the right side are the potential consequences. The diagram also includes barriers or controls that can be put in place to prevent or mitigate the risk.

To create a bow-tie diagram identify the “top event” representing the risk being analyzed. This is placed at the center of the diagram.

Next, you identify the potential causes of the top event and place them on the left side of the diagram. These causes can be further broken down into sub-causes if necessary.

On the right side of the diagram, you identify the potential consequences of the top event. These can also be further broken down into sub-consequences if necessary.

Once you have identified the causes and consequences of the top event, you can then add barriers or controls to the diagram. These are measures that can be put in place to prevent or mitigate the risk. Barriers can be placed between the causes and the top event to prevent it from occurring, while controls can be placed between the top event and its consequences to mitigate their impact.

The bow-tie method works by providing a clear and concise visual representation of a risk and its potential impacts. This allows stakeholders to better understand the risk and identify areas where additional controls may be needed.

This tool also works nicely with desirable consequences.

This picture showed up when I typed bow-tie on my computer. It’s relevant

Detectability in Risk Management is a “Sort of” “Sometimes” thing

I’ve recently seen a few audits that point out something along the line of “Recommendation to revise Quality Risk Management Process/Procedure to include detectability as a variable in determining Risk Priority Numbers (RPNs). The current process only includes the frequency and severity of impact in the calculation. However, ICH Q9 also recognizes the use of risk management tools which include the ability to detect harm (detectability) in the estimation of risk (refer to the section titled “Risk analysis”).”

So, first of all, that’s not what Q9 says. Q9 (R1) is actually pretty clear here, stating “Risk analysis is the estimation of the risk associated with the identified hazards. It is the qualitative or quantitative process of linking the likelihood of occurrence and severity of harms. In some risk management tools, the ability to detect the harm (detectability) also factors in the estimation of risk.”

Q9 later goes on to state “Quality risk management supports a scientific and practical approach to decision-making. It provides documented, transparent and reproducible methods to accomplish steps of the quality risk management process based on current knowledge about assessing the probability, severity and sometimes detectability of the risk.”

Q9 clearly recognizes that detectability is useful sometimes, with specific tools in specific cases. This is in alignment with risk management thinking in general, for example ISO 31000:2018 states that Risk analysis should consider factors such as:

— the likelihood of events and consequences;
— the nature and magnitude of consequences;
— complexity and connectivity;
— time-related factors and volatility;
— the effectiveness of existing controls;
— sensitivity and confidence levels.

Detectability is then one of several methods to consider in risk analysis. The selection criteria for tools should take into account situations when detectability is desired and drive to use of those tools, for example, the FMEA which is built to determine how and when a failure can be detected. In other tools, detectability is usually built into the evaluation of current controls and is often captured in likelihood or somewhere else

When it comes to risk, avoid a one-size fits all. Think of what the intent is and use the right tool for the job.

The Risks of Nonspecificity in Work-As-Prescribed

There are a lot of ways to discuss uncertainty, and narrow down on vaguess and unspecificity, following Smithson’s model of Ignorance.

Different Kinds of Unknowns, Source: Smithson (1989, p. 9); also in Bammer et al. (2008, p. 294).

An alternative way to look at uncertainty is offered by Klir, which adds discord to the mix.

Work-As-Prescribed can be a real avenue for all three of these uncertainties. But by using risk management to examine the possibilities of these uncertainties we can truly interrogate. This is one of the things we mean by risk management and knowledge management being bound at the hip as enablers.

To do this we need to make sure that:

There is the management of information quality. Management of information quality is crucial in risk management because uncertainty is prevalent. Uncertainty, as a state for which we lack information, means that uncertainty analysis should play an integral part in risk management to ensure that the uncertainty in the risk management process is kept at a feasible level.
There is explicit management of either existing knowledge that can be applied to improve the quality of the analyses or to improve the knowledge acquired in the process that can be used in the follow-up process. Knowledge management is pivotal to ensuring an effective risk management process by providing context and learning possibilities. In essence, risk management is not just about managing risks – the entire context surrounding the risks must be understood and managed effectively.

Challenge	Means	Impact to Quality Management	How to Prepare
Advanced Analytics	The increase in data sources and improved data processing has led to higher expectations from customers, regulators, business leaders, and employees. They expect companies to use data analytics to provide advanced insights and improve decision-making.	Requires a holistic approach that allows quality professionals to access, analyze and apply insights from structured and unstructured data Quality excellence will be determined by how quickly data can be captured, analyzed, shared and applied	Develop a talent strategy to recruit, develop, rent or borrow individuals with data analytics capabilities, such as data science, coding and data visualization
Hyper-Automation	To become more efficient and agile in a competitive market, companies will increasingly use technologies like RPA, AI, and ML. These technologies will automate or enhance tasks that were previously done by humans. In other words, if a task can be automated, it will be.	How to ensure these systems meet intended use and all requirements Algorithm-error generated root causes	Develop a hyperautomation vision for quality management that highlights business outcomes and reflects the use cases of relevant digital technology Perform a risk based assessment with appropriat experts to identify critical failure points in machine and algorithm decision making
Virtualization of Work	The shift to remote work due to COVID-19, combined with advancements in cloud computing and AR/VR technology, will make work increasingly digital.	Rethink how quality is executed and governed in a digital environment.	Evaluate current quality processes for flexibility and compatibility with virtual work and create an action plan. Uncover barriers to driving a culture of quality in a virtual working environment and incorporate virtual work-relevant objectives, metrics and activities into your strategy.
Shift to Resilient Operations	Prioritizing capabilities that improve resilience and agility.	Adapt in real-time to changing and simultaneously varying levels of risk without sacrificing the core purpose of Quality	Enable employees to make faster decisions without sacrificing quality by developing training to build quality-informed judgment and embedding quality guidance in employee workflows. Identify quality processes that may prevent operational resilience and reinvent them by starting from scratch, ruthlessly challenging the necessity of every step and requirement. Ensure employees and new hires have the right skill sets to design, build and operate a responsive network environment.
Rise of Inter-connected Ecosystems	The growth of interconnected networks of people, businesses, and devices allows companies to create value by expanding their systems to include customers, suppliers, partners, and other organizations.	Greater connectivity between customers, suppliers, and partners provides more visibility into the value chain. However, it also increases risk because it can be difficult to understand and manage different views of quality within the ecosystem.	Map out the entire quality management ecosystem model and its participants, as well as their interactions with customers. Co-develop critical-to-quality behaviors with strategic partners. Strengthen relationships with partners across the ecosystem to capture and leverage relevant information and data, while at the same time addressing data privacy concerns.
Digitally Native Workforce	Shift from digital immigrants (my generation and older) to digital natives who are those people who have grown up and are comfortable with computers and the internet. Unlike other generations, digital natives are so used to using technology in all areas of their lives that it is (and always has been) an integral, necessary part of their day-to-day.	Increased flexibility leads to a need to rethink the way we monitor, train, and incentivize quality. Connecting the 4 Ps: People, Processes, Policies and Platforms	Identify and target existing quality processes to digitize to offer desired flexibility. Adjust messages about the importance of quality to connect with values employees care about (e.g., autonomy, innovation, social issues).
Customer Expectation Multiplicity	Customer expectations evolve quickly and expand into new-in-kind areas as access to information and global connectedness increases.	Develop product portfolios, internal processes and company cultures that can quickly adapt to rapidly changing customer expectations for quality.	Identify where hyperautomation and predictive capabilities of quality management can enhance customer experience and prevent issues before they occur.
Increasing Regulatory Complexity	The global regulatory landscape is becoming more complex as countries introduce new regulations at different rates. Increased push for localization.	Need strong system to efficiently implement changes across different systems, locations, and regions while maintaining consistent quality management throughout the ecosystem.	Coordinate a structured regulatory tracking approach to monitor changing regulatory developments — highly regulated industries require a more comprehensive approach compared to organizations in a moderate regulatory environment