If you see any regulatory inspection report you will find most of the critical non-conformances are related to poor investigation of failure.

It was seen in most of the regulatory inspections that the investigation and appropriate CAPA (Corrective Action & Preventive Action) didn’t prevent the same issues happening elsewhere in the company.

Think about the following…

  • What might go wrong
  • Is the investigation carried out by digging the process effectively
  • Is there any investigation tools used or not
  • Is assignable root cause identified during investigation or not
  • Is proposed CAPA defined based on the root cause of failure
  • Are other area gap identified and captured during investigation of failure
  • Is CAPA proposed on other area also or not
  • Is investigator have the process knowledge

If you question yourself, you will find hundreds of mistakes during the investigation process and during proposal of CAPA.

Hence to avoid these types of issues and to strengthen the Quality Management System you should follow a systematic approach during any failure investigation.

  • Cross-functional investigation team
  • Selection of Investigation Tools
  • Impact Assessment
  • Gather Evidence as much as you can
  • Personal Interview
  • Use Risk Management System
  • Holistic View of CAPA
  • Communication of CAPA & Review of CAPA Effectiveness after Implementation

Systematic Approach to Digging the Root Cause

To make any failure investigation successful, a cross-functional investigation team is required. Every member should have sufficient knowledge of the process so that they can understand the type of failure and the severity.

For any investigation, selection of the right tools is required.

Gathering the Evidence

If its not documented then it did not happen, hence evidence of any cause of failure is required so whenever you do the investigation collect as much as evidence you can because after the failure.

Personal Interview

Put the individual at ease – make sure they know the primary purpose of the interview is to prevent a recurrence of the incident and that it can only be done with their help.

Avoid fingerpointing and applying blame. Treat people with tact and respect. Make them aware that they need to be thorough and truthful in their account of the incident and that you are not there to get anyone into trouble, only to find out what happened and why, so that it won’t happen again.

Let involved employees tell their story completely. Wait until they have finished their version
of events before interrupting or clarifying what was said. Then go over what they stated with them, to assure that you have their account of the story accurately and that you understand what they meant, not just what they said.

Do not make assumptions or state opinions during this process. If other people have said something different from what was stated in this interview, ask leading questions to discover more information, but do not contradict what was stated in either interview.

How To Use Quality Risk Management System in Deviation/Failure

When you have done the investigation and used the appropriate tool and you find yourself unable to identify the actual assignable root cause, e.g. if any batch failed in the microbiological analysis then you investigate all the possibilities and you find more the one gap for the possibility of microbial contamination in the final product then in that case you can not define that this is the only assignable root cause. If you dig down your process you will find alot of probable reasons for the failure of product in the microbiological analysis.

Hence it is recommended that you use the quality risk management tools to identify gaps.

Quality Risk management is a systematic tool to identify the associated risk and eliminate the identified risk by taking the appropriate action based on their severity or risk priority. The application of risk management in dealing with deviations is not only practical but provides a framework for a decision-making process based on a scientifically sound and objective approach, while also enabling decisions to be confidently upheld before the regulatory authorities.

How to use Quality Risk Management System in Deviation/ Failure

Quality Risk Management systems can be used to identify all the possible root causes or gaps in the system which can lead to further failure.

Some of the failure investigation is very simple when you know the cause of failure, in that case you can also use the Quality Risk Management system but it is suggested that in case of simple investigation where you know very well that is the assignable root of failure.

How to use QRM

A systematic approach needs to be used to make the QRM more effective.

The goals of a quality risk management program should be to better understand the process and improve the process, thereby assuring patient safety

As described in ICH Q9, a quality risk management program embodies the following concepts;

  • Risk Initiation (Team Selection & Product Analysis )
  • Risk Assessment (Risk Identification, Risk Analysis & Risk Evaluation)
  • Risk Control (Risk Reduction & Risk Acceptance)
  • Risk Communication
  • Risk Review

Risk Initiation

Prior to commencement of a risk assessment, it is important to study what is being initiated. The scope of study boundary should be defined during the planning stage. This can be achieved by creating a map within a defined boundary.

Team Selection

It is recommended that a cross functional team be assembled to use the model. This provides a level of assurance that the qualitative or quantitative evaluation of potential hazards will be as objective as possible.

Product Analysis

It is important that critical quality attributes of products are identified so that risk can be managed and reduced.

Risk Assessment

A systematic process of organizing information to support a risk decision within a risk management process. It consists of identification of hazards and the analysis and evaluation of risk associated with exposure to those hazards.

Risk Identification

Risk identification address the question “what might go wrong”

Risk Analysis

Risk analysis is a qualitative or quantitative process of linking the likelihood of occurrence to the ability to detect the failure (detectability). A ranking system may be used as a relative scale for determining the severity of the unwanted event and the occurrence and detectability of the process failure.

Risk Evaluation

Risk evaluations compare the identified and analyzed potential failure risk acceptance criteria. This includes knowledge gaps in process understanding, source of failures and the likelihood of detection of process failure.

Where a high level of uncertainty exists, it may be prudent to assume the process step poses greater risk and assign it a value accordingly. A decision needs to be made as to whether to accept the risk or pursue additional control and protective steps. This decision is based on an organization’s or manufacturing site’s acceptance level for risk for further discussion of Risk Priority No. or RPN

Risk Control

Once an assessment has been conducted to identify potential process failure, their impact, likelihood of occurrence and detection, a decision on how to address these risk should be made.

If the risk is UNACCEPTABLE then it should be reduced and controlled to an acceptable level. If identified risk is ACCEPTABLE then the process may remain the same as designed or reasonable steps to further reduce the risk may be considered to improve the process.

Risk control should continue throughout the life cycle of the process

Risk Evaluation

Risk reduction is a proactive method of addressing potential process failure through redesign, incorporation of safety features or instruction whose end result is risk reduction to the patient. As stated in ICH Q9, risk reduction might focus on the following questions:

  • Is the risk above an acceptable level?
  • What can be done to reduce or eliminate risk?
  • What is appropriate balance among benefits, risk and resources?

A corrective action and preventive action process may be used to implement risk reduction efforts and to verify their effectiveness.

Risk Acceptance

It may not be practical to try to eliminate the risk. After the process has been analyzed, a decision should be made either to accept the risk or to consider process changes and continue analysis of the change process to further reduce the risk. For some types of failure, even the best controls may not entirely eliminate the cause of the failure resulting in residual risk.

A determination will need to be made to accept the residual risk or the following action may be considered:

  • Modify the process to reduce the risk to an acceptable level
  • Enhance the method of detection to reduce the risk to an acceptable level
  • Employ a new process that has an acceptable level of risk.
  • Communicate the risk level to the appropriate stakeholders for further consideration.

If modification to the process is planned then a risk assessment should be performed on the proposed modification or new process. A CAPA process may be used to implement risk reduction efforts and to verify the effectiveness.

Risk Communication

Risk communication ensures that appropriate information is reported to the stakeholders throughout risk management. Communicating risk may vary from informal (electronic) to more formal (approved documentation), depending on the risk level and the point in the risk assessment process.

Risk Review

Quality Risk Management (QRM) should be used throughout the product lifecycle. It can be used to better understand the manufacturing process and to make decisions involved with the design of product, process and facility. QRM may be used during qualification and variance to prioritize and develop test and acceptance criteria, as well as a component of change control, failure investigation and continuous improvement.

Once appropriate controls are implemented, an evaluation should be conducted to ensure that no risks have been introduced and their performance should be reviewed to confirm their effectiveness.

“Change management program should also link to the quality risk management program”

Risk Management ModelRisk Model

(As per PDA journal of Pharmaceutical Science and Technology Vol. — 62 )

The following model can be used to carried out risk management

  • FMEA (Failure Mode Effective Analysis) Model
  • Risk Ranking Model

Failure Mode Effective Analysis

Failure Mode and Effects Analysis (FMEA) was one of the first systematic techniques for failure analysis. It was developed by reliability engineers in the 1950s to study problems that might arise from malfunctions of military systems.

RPN scoring may be a more appropriate technique when the team wishes to quantitatively rank risk that have been identified.

RPN = Severity X Occurrence X Detection (S x O x D)


If any identified risk directly impacts the patient safety then the risk number should be 10 and if it does not have any impact on patient then the risk number should be 1 or as per severity.


As per PDA risk number for occurrence shall be given as follows:

  • (8-10) – The number of interventions is frequent (more than
    one per hour)
  • (4-7) – The number of intervention is less frequent (less than one per hour)
  • (1-3) – The number of intervention is infrequent (less than one per shift)


As per PDA risk number for detection of any risk shall be given
as follows:

  • (8-10) – Intermittent testing or detection available
  • (4-7) – Intermittent automated testing
  • (1-3) – Continuous automated testing

Risk Ranking Model

(As per PDA journal of Pharmaceutical Sciience and Technollogy Voll. – 62 )

In risk ranking system Severity, Probability of occurrence and Probability of detection shall be decided as High, Medium & Low based on the criticality to the patient /customer.

Low- 1, Medium 2, High-3 if sum (You can use multiplication also) of severity and occurrence comes 4 then risk classification is Medium if below then Low and if above then High.



Risk Classification

Probability of Detection

If detection of failure is low then associated risk is high. Then Low – 3, Medium – 2 & High Detection – 3.

Based on that Risk Priority shall be decided as follows:

Risk Priority

Mitigation of all the identified risk shall be taken based on the risk priority.

Difference Between Probability of Detection & Detection

If you look at the risk assessment model (FMEA & Risk Ranking Model) you will find that in the FMEA we need to assign some number to the detection level which can be given only if you have some history of failure or data in hand of failure, otherwise you can assume. This is the difference between probability of detection and detection.

In case of Probability of Detection we assume only and incase of detection we have some realistic failure data at hand.

The Following items are necessary to start any risk assessment:

  • Cross functional team with process knowledge person
  • Process flow
  • History of Failure
  • Guideline in-place for reference

Following are the information source of QRM

  • Product Development Reports
  • Process and analytical technology transfer documentation
  • Specifications and control methods of finished product, intermediates and raw materials
  • Specifications and methods of in-process controls (IPC)
  • Process flow diagram of each operation in each process stage, including operational parameters and establishedranges
  • Defined critical parameters with their appropriate justification
  • Lists of equipment and measuring instruments to be used in the process, with their qualification, maintenance and calibration status


1. PDA journal of Pharmaceutical Science and Technology Vol. – 62
2. WHO Guideline on Handing of Deviation and Quality Risk Management