Managing Quality: AstraZeneca Focuses on Risk, Knowledge, and Change Control

Note: The views expressed in this post are those of the author and do not necessarily represent those of AstraZeneca.

The concept of risk management has been around for a long time, but quality risk as part of a quality systems approach is more recent. In the early 2000s, FDA leaders realized that traditional approaches to quality were limiting the use of new technologies, impeding agility, modernization, and continuous improvement. In 2002, the agency proposed a risk-based approach to modernize pharmaceutical manufacturing and product quality regulations to:

  • Promote early adoption of new technological advances
  • Facilitate modern quality management
  • Encourage a risk-based approach that focused on areas critical to quality 1

Subsequently, the International Council for Harmonization (ICH) released ICH-Q9 “Quality Risk” and ICH-Q10 “Pharmaceutical Quality Systems” guidelines to help companies implement this approach. The concept continues to evolve with ICH Q-12 guidance on considerations for pharmaceutical product lifecycle management and FDA’s knowledge-aided assessment and structured application (KASA) that aims to help companies capture and manage information about inherent risk and control approaches for product design, manufacturing, and facilities, in a structured format.2

Figure 1

Figure 1 AstraZeneca

Leading life sciences companies like AstraZeneca have embraced risk-based quality management approaches to increase agility and improve quality across the entire product lifecycle.

This post explains AstraZeneca’s approach to risk-based quality management through a centralized Enterprise Quality Vault (EQV) system across different functions.

Ensuring success by preventing failure

The key concept of the quality risk program is understanding the quality, compliance, and supply reliability goals of each GxP process or system aiming to achieve as part of the overall product lifecycle. For example, the elements of quality each process or system contributes to the products and their importance to patients.

Once these two elements—quality goals and threats to patients if they are not achieved—are understood, risk management is simply:

  • Identifying how these processes and systems may fail to meet these goals
  • Evaluating the current controls that are in place to protect patients (controls that reduce likelihood of failing, and/or detect quality impacts before they can reach patients)
  • Scoring the level of residual “threat” to patients
  • And if the score is unacceptable (i.e., there is still a level of unacceptable threat to patients), then deciding on additional controls to either further reduce the potential for failure or improve detection before these failures impact patients.

Figure 2: AZ’s risk-based quality management approach

Figure 2 AZs risk based quality management approach

For risks that are already appropriately controlled (low score or low threat to patients), the risk is accepted and moved to the controlled category. It means that the risk exists, but it is well controlled and doesn’t pose any threat to patients.

This systematic approach to determining a risk level and developing appropriate controls establishes a baseline for continuous quality improvement.

Using knowledge and risk to achieve stable processes

The risk program and its associated data drive continuous improvement to ensure that processes and systems are successful and pose no threats to patients. This enables us to drive a proactive culture of “right first time” and “on time” that ensures a reliable supply of quality, compliant products to patients.

Two other elements that are integral to the success of the risk program are the management of change and the connection to elements that support our defense against risk, as shown in Figure 3.

Figure 3: Knowledge, Business Processes, Risk Based Strategies

Figure 3 Knowledge Business Processes Risk Based Strategies

Defense of risk

Another important element of the risk program is the connection to elements that support and “defend” the risks that we are accepting, such as:

  1. Knowledge objects: Characterization studies, technical reports, or scientific justifications written to evaluate, defend, or demonstrate that potential product or process risks do not occur when processes are controlled within defined limits.
  2. Business processes: Support risk programs by executing standardized risk-control processes and practices to manage threats such as supplier assessments, material or excipient assessment, distribution route assessment, etc.
  3. Risk-based strategies: The use of predefined “risk factors” to define quality strategy. For example, determine most appropriate sampling locations for an environmental monitoring program considering the following factors:
    • Material, waste, and personnel flows in the area
    • The process being executed, and points where the process is exposed to the environment
    • The equipment and systems used
    • The HVAC and facility design

The combination of risks, knowledge, and other supporting processes provide a powerful way to defend various types of risk-management approaches and drive continuous process improvement.

Identifying and controlling new risks

Change management, the third pillar of the program, identifies and controls new risks that have been introduced by process or system changes. It assesses the impact of changes on a system, especially in terms of risk, and enables the quality department to build appropriate controls to manage it.

The end goal is to achieve a stable process for which all identified risks are under control.

Next steps: Unifying quality and risk management

A modern approach to managing quality risks requires sharing critical quality and manufacturing information at the right time with the right departments across the organization. For the past 18 months, AstraZeneca has been collaborating with Veeva to build a modern Enterprise Quality Vault (EQV) system.

Figure 4: Enterprise Quality Vault (EQV)

Figure 4 Enterprise Quality Vault

The EQV rollout started with Quality Risk Management (QRM) as the core process. Subsequently, audits and inspections and change control went live, and the project is now transitioning to validation and documentation. We are also building quality events and working to integrate EQV with Veeva’s existing supporting applications. The aim is to bring together all the individual processes into a unified quality system that can be seamlessly managed.

Having all the processes within the same platform will allow us to ensure and defend quality and to drive continuous improvements. For example, with EQV a change control that requires validation and documentation changes can now be seamlessly managed in a single workflow for greater efficiency and control.

We now have a much better opportunity to simplify business processes and drive continuous improvements.

Learn more about Quality Risk Management.


Interested in learning more about how Veeva can help?