A Guide to Supply Chain Risk Management for Suppliers to the Pharmaceutical, Medical Device and Allied Industries

Transcription

1 Part 2 - Risk Management Toolbox Under development Description Page 2.1/2.2 Introduction to the Toolbox 2.3 Risk Identification Tools 2.4 Risk Analysis Tools 2.5 Risk Evaluation Tools 2.6 Risk Reduction Tools 2.7 Risk Acceptance Tools 2.8 Risk Communication Tools 2.9 Risk Review Tools Page 1 of 21

2 2.1/2.2 Introduction to the Toolbox These tools have been used in a variety of industries successfully and are proven effective methods. They comprise mainly of simple tools commonly used to gather / organise data, structure, project manage and facilitate decision making. Some tools in, 6-sigma and right first time are similar but here are applied in different ways. They are useful in the overall Risk Management process whether the intention is the application of simple or more advanced analysis tools. The drivers for which tool to use when is dependent on: Scope Experience of the user The level of Risk or Hazard identified Availability of appropriate data Time Some tools are very effective in all areas of Risk Management and some are better employed for specific areas. This toolbox provides guidance in use and some examples where appropriate. There will be other tools / methodologies not mentioned in this guide which may be appropriate to use and new techniques will always be developed. Care must be exercised as some tools appear suitable but are designed for retrospective analysis (Root Cause Analysis), whilst Risk Management tools are intended to be prospective tools to determine the potential future consequences. Page 2 of 21

3 2.3 Risk Identification Tools This section describes some of the tools that are useful for identifying potential risks at the Risk Identification stage of the Risk Management process. Brainstorming What If? & SWIFT (Structured what If checklist) Mind Mapping Checksheets Flowcharting Process Mapping Value Stream Mapping Cause and Effect/Fishbone Diagrams HEA ((Human Error Analysis) Brainstorming Brainstorming is often referred to as a creative technique and aims to achieve quality through quantity. The technique is usually utilised where you have a group of people trying to find a solution to a problem. It provides a means of capturing a wide spectrum of ideas from all stakeholders in an open and encouraging atmosphere. The method is simple, requires little in terms of resources but there are a number of simple rules that should be followed to gain the most value from this technique: Appoint a facilitator it is beneficial to assign one individual as a facilitator to ensure that all participants voices are heard. Encourage a focus on quantity aim to ensure that a large number of ideas are generated in relation to solving the risk problem - the more potential risks identified the more comprehensive subsequent analysis and evaluation will be. No discouragement / no criticism all ideas no matter how unusual should get a fair hearing. It also encourages participation of all stakeholders and prevents areas or items being overlooked. Combine and Improve as the list of ideas increases, it is prudent to review the ideas being put forward and group those that are identical or similar under a single heading. The environment and atmosphere in which brainstorming is conducted can be very important, and should wherever possible be removed from external distractions. A means of capturing ideas is important e.g. using a whiteboard or flipcharts or other means. The method for recording ideas generated during the brainstorming session should be set out for everyone to understand. The facilitator should open the session with a clear description of the subject to be brainstormed e.g., this session is focused on identifying risks with repacking sodium chloride before distribution to our customers. Often people find it beneficial to make use of colour or symbols or other distinguishing means to collate ideas into subgroups e.g., all risks identified with machinery in black ink, all risks associated with raw materials in red ink etc. The final output of the exercise should be a list of ideas as to what risks can occur. These can then be subjected to the subsequent steps of the risk management process. What If? What if? is a technique commonly used in Engineering to determine hazards associated with a facility, equipment or a process. It is easily adopted as a risk identification tool. What if? is similar to brainstorming. The process under review is broken down into sub-processes and a series of questions is brainstormed by asking what if there is a failure in the sub-process or Page 3 of 21

4 what if there is a failure in the operation of the sub-process? The answers to the questions will highlight if a potential hazard exists. For example a process may contain the sub-processes of equipment, people, materials etc. What if questions for Equipment sub-process would be; What if the agitator fails? product does not meet specification => hazard What if the seals leak? product becomes contaminated => hazard What if the valve is left open? product is lost => hazard Mind Mapping Mindmaps are diagrammatic representations of ideas arranged radially around a central idea or theme. They have been used as study aids, problem solving and decision making tools. Mindmaps can be constructed manually by hand-drawing or electronically using freely available software packages. This tool promotes the brainstorming / idea generation sub processes by way of its structure leading to the capture of large volumes of information in a concise visual representation. To construct a mind map a central idea is placed in the centre. Branches are drawn from the central theme or concept radially. Each branch represents a single sub idea of the main idea. On each of these branches are drawn sub branches, each one drilling down further into the idea represented by the main branch. Experts promote the use of colour for different branch trees as well as graphics to aid the conceptualisation process in the brain. It is also recommended that the least number of words is used to describe each idea or branch in the diagram. Page 4 of 21

5 Check-sheets Check-sheets are tools that allow collection of information from a process in a systematic, organised way in real time at the location where data is generated. Check-sheets are commonly used and the data collected on check-sheets is easily used as an input to other tools. Date can be collected quantitatively e.g. counts or qualitatively e.g. attributes like yes / no or go / no go type data. There are 4 main types of check-sheets commonly used. These are: Item Check-sheets used to identify what type of risks are occurring in the process e.g. the check-sheet will have a list of potential problems and provision to count occurrences or frequency Location Check-sheets used to identify potential areas or location in the process where risk occurs. E.g. the check-sheet may be a diagrammatic flowchart of the sale and distribution of a product that illustrates the main processing steps involved. A mark is placed on the location where the problem occurs most often giving data on counts / frequency. Defect Check-sheets used to try and identify causes of risk e.g. may be used to identify the potential causes associated with mislabelling of products and provides means of recording data about the operators, labelling machines, batch code printers etc. Checklist Check-sheets used to identify risk by checking if procedures are followed e.g. check-sheet will have a list of tasks that need to be performed or risk to be mitigated. Page 5 of 21

6 Flowcharting Flowcharting is the process of charting a process / information by representing the individual steps as boxes and displaying the order of occurrence by connecting each box with an arrow showing the direction of process / information flow. It is through process understanding that flowcharts can be used to aid risk identification in identifying potential issues, defects, bottlenecks, restrictions. Flowcharting of processes is often more commonly known as process mapping. Process Mapping A process map is a diagrammatic representation of a process that utilises geometric shapes representing actions or stages interconnected by flow-lines. Over the years various conventions have been adopted by various organisations on the shapes and symbols to be used for representing steps such as start and end points of the process, individual actions, decision steps and documentation steps. It is not necessary to adopt any of these conventions. Process mapping enables interactions and flow of materials, people and services to be visualised and is useful tool to map supply chains. It helps prevent oversights and omissions in considering potential sources of risk. Diagram x shows a typical process map Insert Example Diagram Process maps can help further identify risk when they are stratified into lanes. For example each lane can be a unit of a business or an organisation s structure which has defined responsibilities for the steps / stages of the process falling into that lane. This helps identify risks associated with cross-functions in organisations e.g. risk associated with communication between departments, risk associated with inter-dependency of business units. Diagram Y illustrates a process map showing lanes. Insert Example Diagram The final output of the exercise should be full diagrammatic representation of the process that provides process understanding and a means to identify where risks can occur in that mechanism. The risks identified can then be subjected to the subsequent steps of the risk management process. Value Stream Mapping This is an allied tool to flowcharting and process mapping which is the process of mapping the information and raw material flows involved with producing a deliverable for the customer. The steps to value stream mapping are typically Identify the system to be mapped in terms of identifying risk this will be the focus subject of the risk management process. Map the current state of the process i.e. what is the process now Capture and eliminate risks in the current process i.e. identify the risks associated with the current process and eliminate them from it. Draw the future process state map the desired future process in applying this tool to the risk management process this may involve performing the risk analysis and risk evaluation stages of the process first. Implement the desired future process by mitigating or eliminating the identified risks in applying this tool to the risk management process this may involve performing the risk reduction and risk acceptance stages of the process first. Insert example diagram Page 6 of 21

7 Cause and Effect/Fishbone Diagrams Fishbone Diagrams (also known as cause and effect diagrams or Ishikawa diagrams) are primarily used to identify causes associated with an event, but are easily adopted to identify potential risks associated with an event. Diagram Z illustrates a typical fishbone diagram. Insert Example Diagram The diagram is constructed with a box on the right hand side (the head of the fish). This box contains the subject under examination. The spine of the fish has a number of main bones coming off it. Each one represents a subject category. These can be tailored to specific needs but some commonly used categories are the 6M s, 8P s or 4S s 6M s = Materials, Man (People), Machinery (Equipment), Method (Procedures), Maintenance (Management), Mother Nature (Environment) 8P s = Price, Promotion, People, Processes, Place/Plant, Policies, Procedures, Product 4S s = Surroundings, Suppliers, Systems and Skills Finer bones come off each category bone to list potential risks associated with for example materials. Often the more populated the bone is the more influential that category is to overall risk. This technique is very powerful when used in conjunction other tools such as brainstorming and Pareto analysis, The final output of the exercise should be a list of ideas as to what risks can occur. These can then be subjected to the subsequent steps of the risk management process. Page 7 of 21

8 2.4 General Risk Analysis & Assessment Tools These tools require input whether hard data from statistical analysis or soft data from more subjective analysis The Tools in this section range from Simple Complex Advanced Statistical tools Control Charts Pareto Charts Process Capability Description: Enable effective data assessment and aid in determining the significance of the data set(s). Basic Analysis tools The following two methods are simple methods to analyse risks Risk Ranking and Filtering Description: Under construction A method to compare and rank hazards/risks, typically involving evaluation of multiple diverse quantitative and qualitative factors for each hazard / risk, weighting factors and risk scores. Example: Prioritizing sites for audit / assessment or comparing suppliers based on cause and effect. Useful for situations when the hazards / risks and underlying consequences are diverse and difficult to compare using a single tool. Potential Risks (Risk Identification) Risk Analysis Risk Evaluation Probability Severity Score Risk 1 Low (1) High (3) Low (3) Risk 2 Med (2) Low (1) Low (2) Risk 3 Med (2) Med (2) Med (4) Risk 4 Med (2) High (3) High (6) Risk 5 Low (1) Low (1) Low (1) Risk 6 High (3) High (3) High (9) Risk 7 Low (1) Low (1) Low (1) Page 8 of 21

9 A Practical example of its use in Supply chain management for a manufacturer is given below A set of key parameters is determined where the probability of an event based on a history or event occurs in a quality metric and is measured against the likely severity if a failure or event occurs. For the purposes of having a simple measure to high- medium and Low, the Medium Risk defined as between High and Low Risk. Note that lack of adequate measurement defaults to higher risk. No Measurement or new Supplier defaults to highest risk element. Risk* Probability of event Risk Element High Medium Low Weight Score cgmp Compliance History 3 Quality System Processes Complaints Investigations Change Management > Significant quantity and/or severity of regulatory observations > Adverse Regulatory Status (e.g., FDA Consent Decree, Severe or multiple Warning Letters, Official Action Indicated) > An Area of Special Concern > Several Major Findings > Past Due CAPA items > High number of deviations per batch > Significant deviations > Multiple events requiring a major quality review > Product recall and/or market actions > Significant reprocessing of manufacturing step indicating a requirement to change process step > Customer complaints as a result of significant failure of manufacturing controls and associated quality systems > Not thorough or poorly written, > No or greatly inadequate root cause analysis > Not completed in a timely manner > Scope is not adequately defined > The number, type & frequency of deviations suggest systemic cgmp and/or quality issues > CAPA s are not identified, are not effective or are well overdue > Changes are not communicated > Change control documentation is routinely incomplete and/or inaccurate > Changes implemented without X approval > Significant gaps with regulatory file/license due to contractor > Few or no regulatory observations > Few Findings > CAPA on target per schedule > Audit closed on time > Few to no deviations/significant deviations > No market related events > Few to no reworks or reprocessing > Few or no complaints justifiable based on failure of manufacturing controls and associated quality system > High quality investigations that are RFT, > Root cause analysis clear and effective > Well documented and written > Prompt response and timely completion > Appropriate number of investigations > CAPA s are identified, implemented in a timely manner and are effective > Changes are communicated in a proactive manner with complete and accurate documentation > Changes are implemented in a timely manner after the appropriate regulatory approval > No gaps with regulatory file/license Page 9 of 21

10 Consequences of Risk Risk* Risk Element High Medium Low Weight Score Quality/ > Supplier is not willing to accept X > Supplier is in compliance with 2 Technical terms in the quality agreement all the significant requirements of > Significant deviation(s) from the the quality agreement Agreement quality agreement > No Quality Agreement or Quality Agreement not effective Technical Capabilities Quality and Risk Culture Supply Chain Security Communicatio ns with X Product Criticality Supply Chain continuity > Older facility with Poorly operating equipment > None or significance Non adherence to maintenance schedule > Lack capable personnel and high staff turnover > Significant Items for SQRT due to technical & supply issues > Infrequent volume - 3 or less batches per year > Newer product - Less experience with product > Lack of RFT throughout facility operations > Poor Risk Assessment (i.e., Quality Management is ineffective in assuring appropriate decisions) > Lack of continuous improvement (e.g., trending, CAPA) > Lack of internal audit and external supplier audit program > Financially unstable, privately held, low investment willingness > Broker in supply chain (Complex) material origin from area of high concern > supply of API from area of high concern > Supply of excipients from area of high concern > Supplier deficient in reacting to and notifying X of deviations/changes affecting X products > Difficult to visit, contact/liaise with. > Critical device or injectable/parenteral for X > Highly potent narrow therapeutic range > Controlled release pharmaceutical > Life-saving product > Sterile API for use in a non terminally Sterilized Finished product > No or very limited product for supply > Top value product (may have relative low volume) > Critical markets > Newer facility with contemporary technology and automation > Highly capable, well-trained personnel > Low staff turnover > High volume (non necessarily company X brand) > Long-term experience with product > RFT environment > Risk assessment is accurate (e.g., Science-based compliance decisions) > Quality Management applies appropriate control at the facility > Continuous improvement (e.g., trending, CAPA) > Strong internal audit and external supplier audit program > Financially stable, demonstrated willingness to invest > Supply of API from area of high quality regulatory control > Supply of excipients from area of high quality regulatory control > non complex supply chain > All issues requiring notification to X are communicated in a timely manner per the appropriate agreement. > visits are readily accepted and communication lines smooth > Non-registered products > Tablets, capsules and topicals (Non sterile products and API) > Not medically critical > High Therapeutic Index > No issues with supply of Product to markets > Non-critical product or market This is plotted onto a Risk Evaluation score matrix of the X Y plot with Probability the Y axis and Consequences the X axis. Some companies may wish to have one total score however this can lead to distortion of the scoring and the obscuring of a critical risk. Where approach is of value is to use as a metric on just the probability of an event scoring (single axis) and revisit on a very regular basis. Page 10 of 21

11 Preliminary Hazard Analysis (PHA) Under construction Description: PHA applies prior experience and knowledge of a hazard or failure to identify future hazards or failures. Examples: Useful when analyzing existing systems where circumstances prevent a more extensive technique from being used. Useful early in the development of a project when there is little information, knowledge, design details, or operating procedures. Can be used on product, process, or facility design Risk Threshold examples High Risk must be reduced Intermediate Reduce risk to As Low As Reasonably Possible (ALARP) or otherwise termed As Low As Reasonably Achievable (ALARA) Low Reduce risk according to ALARP principles considering cost vs benefit criteria or determine if acceptable risk. Trivial Generally acceptable level of risk with no action required. Reference for ALARP/ALARA International Commission on Radiological Protection (ICRP) in Publication 26 (ICRP 1977) as quoted in Textbook of Radiopharmacy, Theory and practice Ed. Charles B Sampson 3 rd Page 11 of 21

12 Moderate to Advanced Risk Management Tools Hazard Analysis and Critical Control Points (HACCP) HACCP was developed in early 1970s by NASA protecting food safety for astronauts using science-based controls to prevent hazards that could cause food-borne illnesses. Well established as a requirement within the food industry, its application is increasing in other industries including pharmaceutical. In preparing for HACCP: Assemble team Describe product / process Identify intended use Construct process flow diagram (see earlier in tool box) Confirm flow diagram on-site. HACCP is a seven step process that provide for both Risk Assessment and Risk Control. In essence it is a detailed process flowchart map from raw materials to finished product and testing, with each identified critical control point on the flowchart identified. The seven steps are as follows: 1. Conduct hazard analysis A hazard is defined as the potential to harm the consumer (safety and for pharmaceuticals also efficacy) or danger to the product (contamination). In considering hazard analysis, all hazards should be listed that reasonably may occur from incoming materials, production, testing, distribution up to point of use. Hazard analysis identifies which hazards are such that elimination or reduction to acceptable levels is essential. It is advisable to separately identify quality, safety and business risks. Note: FMEA (see below) may be an appropriate hazard analysis tool. 2. Determine critical control points (CCP) A critical control point is defined as a stage in the manufacturing process (including all raw materials), which, if not controlled correctly, will cause a threat to safety or a contamination issue. Having identified the hazards on the flowchart, determine if there are any that have no critical controls need to install controls at these points. 3. Establish target levels and critical limits Specify critical limits for each CCP. Typical criteria for measurement could be temperature, time, etc or subjective criteria. Data should be scientifically based and more than one limit may be necessary for a CCP. 4. Establish system to monitor critical control points Monitoring must detect loss of control at a CCP and should be recorded. Real time monitoring enables timely response to trends and prevents deviation from the limit. 5. Establish corrective actions when critical limit deviation occurs; 6. Establish record keeping system; and 7. Establish procedures to verify HACCP system is working correctly. HACCP is unlikely to be a single document! Page 12 of 21

13 Example: Common use is to identify and manage physical, chemical and biological (including microbiological contamination) related risks in a process and assess impact of change. This has been used in the Food industry to identity the key areas in supply and production chain. In the supply chain can look at multiple supplier chain from a high end customer down to the base supplier or as part of the whole process flow of components to final service or product For further information refer to WHO Technical Report 908 (37th Report of expert Committee on Specifications for Pharmaceutical preparations, 2003). Reference Microbiology for the analytical chemist, RK Dart, 1996, RSC p Hazard Operability Analysis (HAZOP) Description: HAZOP assumes that risk events are caused by deviations from the design and operating intentions, and uses a systematic technique to help identify potential deviations from normal use or design intentions. Examples: Evaluate manufacturing processes, facilities, and equipment; one of the most common Risk tools known used to evaluate safety hazards in Environmental Health and Safety. For further information refer to IEC (first edition, 2001) Failure Mode Effects Analysis (FMEA) Under construction example to be included Description: Evaluates potential failure modes for processes, and the likely effect on outcomes and/or product performance. Once failure modes are known, risk reduction can be used to eliminate, reduce, or control potential failures. Relies upon product and process understanding as both product and process FMEA should be performed. Output is a relative risk score for each failure mode. Examples: Evaluate equipment and facilities; analyze a manufacturing process to identify high risk steps/critical parameters. Page 13 of 21

14 For more detailed information refer to IEC (1985) Failure Mode, Effects and Criticality Analysis (FMECA) Under construction Description: FMECA extends FMEA to incorporate the degree of severity for consequences and the respective probability/detect-ability of each consequence. Product and process specifications should be established to utilize FMECA Examples: Typically used in failures, and risks associated with manufacturing processes. Fault Tree Analysis (FTA) Description: FTA is a method to identify all root causes of an assumed failure or problem. The method evaluates system/sub-system failures one at a time, but can combine multiple causes of failure by identifying causal chains. FTA relies upon process understanding to identify causal factors. Examples: Investigating complaints or deviations. Page 14 of 21

15 2.5 Risk Evaluation and Control Part of Risk Evaluation is can the Risk Acceptance step be taken. ALARA & ALARP Risk management has been widely practised in the field of Nuclear medicine and the nuclear industry, from which the principles of ALARA (As Low As Reasonably Achievable) were developed for safety of personnel. It is more commonly referred to a ALARP (As Low As Reasonably Practical) in the UK from UK Health and safety legislation. The ALARP principle is that the residual risk shall be as low as reasonably practicable. To apply the principle it must be possible to show that the cost or practicality would be grossly disproportionate to the benefit gained. The principle arises from the fact that infinite resources (time, money, effort) could used to try and reduce a risk but that is not achievable in the real world. It is not a simple quantitative measure of benefit against detriment. It is interlinked to the assessment if a risk is tolerable and/or controllable. In the determining that a risk has been reduced to ALARP, an assessment of the risk to be avoided is carried out and compared with the actions involved in taking measures to avoid that risk, otherwise known as a Cost Benefit Analysis. Carrot Diagram A carrot diagram is often used to display risks. The high risks (to be reduced) are at the top and the low risks at the bottom. The middle risks may be described as the tolerable region as the risks are not insignificant but not practically reduced. Page 15 of 21

16 Brainstorming This is a key tool to evaluate the risk and identify possible controls. More detail is given in section The 4T s Risk acceptance is part of risk evaluation and a more details are provided in section Page 16 of 21

17 2.6 Risk Reduction Root Cause Analysis Many of the tools described in 2.3 were initially developed as methods of determining root cause for events that have already occurred e.g. Fishbone Diagrams, Brainstorming etc. Risk Management aims to be proactive process in addressing risk before it occurs. However in terms of risk reduction, root cause can be applied to the determination of potential root causes for potential risks and then strategies or actions can be taken to address these root causes. By addressing the root causes identified risk is reduced or potential for a hazard to constitute a risk. Basic steps to application of root cause analysis irrespective of the tool used are as follows; Define the risk to be reduced = output of Risk Evaluation Define potential root causes for this risk to occur Define which root causes if removed will prevent or reduce the risk Implement risk reduction measures = address the root causes Document & observe the effect of implementing the risk reduction measures Review and repeat as required CAPA CAPA (Corrective and Preventative Action) is a term used in Quality Management Systems such as ISO in a variety of industries but is often poorly understood. Essentially there are three elements to CAPA. Correction = correction of effect of an event to bring the process, product or service back into a state of compliance with specification Corrective Action = implementation of an action to address root cause of an event to prevent reoccurrence of that event in the future (reactive) Preventative Action = implementation of an action to address the root cause of an event to prevent that event ever occurring (proactive) In terms of Risk Reduction CAPA is a process that compliments other techniques such as Root Cause Analysis. In order to utilise CAPA for Risk Reduction these basic steps are followed. Define the risk to be reduced = output of Risk Evaluation Define the appropriate action i.e. correction, corrective action, preventative action Document the CAPA to be taken including, responsible person(s) and due date. Implement the CAPA Document and observe the effect of the CAPA implemented Review and repeat as required. Risk Management aims to be proactive approach. It is likely then that once embedded in an organisations culture the majority of CAPAs being implemented as risk reduction measures will be preventative actions rather than corrections or corrective actions. Risk Avoidance Strategy Risk avoidance strategy is a risk reduction technique commonly exploited in financial and business arenas. It involves the elimination of risk by avoiding the process or activity that Page 17 of 21

18 carries the risk e.g. not driving a car so as not to have a traffic accident. It could be argued that this strategy is the safest option to avoid risk completely. In reality however it is difficult to take this approach to many activities as this strategy would simply mean no process, no product or no service. Every risk avoided in this way is a loss in potential gain in terms of business, profit, end-user benefit and/or customer satisfaction. Risk avoidance is a practical and sometimes only viable approach to risk reduction. However it must be applied cautiously to ensure the benefit outweighs any alternatives. Page 18 of 21

19 2.7 Risk Acceptance Risk Acceptance is a stage that can incorporate information from the tools in risk Evaluation and control and it is decision are we at a tolerable level and is it controlled When deciding to accept a risk there is always the no as a possible answer so risk evaluation is interlinked to acceptance. An additional tool for ALARA (2.5.1)and carot diagrams (2.5.2) is the 4Ts Mitigation strategy and actions based on the "4 T s": TREAT a risk to prevent it occurring or reduce its potential impact. Have processes in place that improve the control effectiveness. The amount of effort to control risk should be proportional to the significance of the risk TRANSFER the risk to someone else Risk financing, insurance, contracting out, etc. Some of the impact of the risk is transferred, not the responsibility the business has for managing the risk. TERMINATE the risk i.e. stop doing whatever it is that is exposing the business to the risk. TOLERATE the risk after deciding that the risk has been reduced to an acceptable level. Checklist See 2.3 for general detail but a checklist would assist in determining if all steps have been completed and a decision can be made. Check the Pareto example in risk acceptance in original versions RACI A RACI matrix will ensure that people and their responsibilities in the process are clearly defined. [LINK] Page 19 of 21

20 2.8 Risk Communication The method of communication depends what is being exchanged, audience (external or internal) and importance regardless if related to risk or other management activity. Below are common methods used: 1. Contracts: The most formal method is a business contract however this is normally the method of communicating legal and basic business expectations. A supplementary technical agreement is a regulatory requirement for pharmaceutical industry to agree, control and define such matters as: communications, information flow, capabilities, regulatory requirements and expectations, duties and responsibilities, however the main sections of these can be torturous to amend quickly. 2. Letter/memo: A formal communication normally reserved for agreeing or approving actions and expectations. It may contain formal certificates, specifications, processes and other technical information These may contain electronic copies of draft documents and scanned agreements, technical information, certificates etc, may be used for agreeing, requesting or discuss information. This now takes the place of a letter in most matters as well as being a vehicle for less formal communications. 4. Telephone: Ideas, arrangements, informal agreement and discussion. These may be added to by use of net meetings and video conferencing if appropriate to the task. 5. Fax: Normally considered as formal as a letter but its use is being replaced by the use of Internet: this is a way of advertising and a source of information however care should taken to verify information freely adaptable in this way. 7. Face to face meeting to exchange ideas, presentations, carry out audits and come up with assignments, actions and agreements, Agreements and actions should formally recorded in minutes or a letter. 8. Minutes are formal records of any type of meeting (or conference) that includes decisions, agreements and actions. These should be retained as documents in a Quality management system for audit of a decision or review. An example of this practice is the retention of meeting minutes for development and design of Medical devices as part of the device master file. 9. Presentations including graphs, mapping and plans may be shared to show general proposals and action points but these reflect the author(s) ideas and situation progress. This is a common way of quickly getting essential points across to explain a situation or proposal for a wider, possibly less knowledgeable, audience or to get outline management approval, not normally detailed plans. Page 20 of 21

21 2.8 Risk Review 6sigma CAPA KPI, Performance metrics Key Performance Indicators (KPI) are measures or metrics used to help an organization define and evaluate how successful has been in meeting targets, typically in terms of making progress towards its long-term goals. KPIs can be specified by answering the question, "What is really important to different stakeholders?". KPIs may be used to assess the present state of the process or business and to assist in prescribing a course of action. The act of monitoring KPIs in real-time is known as business activity monitoring (BAM). KPIs are frequently used to "value" difficult to measure activities such as the benefits of, engagement, service, and satisfaction. The type and number of KPIs used differ depending on the nature of the organization, the process/es being monitored, outputs of the organisation and future strategy. They assist in evaluating progress towards objectives, especially toward difficult to quantify knowledgebased goals. However care must be exercised in specifying the correct parameters and criticality. Too many indicators may swamp the critical indicator that some thing is awry with a supplier. A KPI is a key part of a measurable objective, and may be used as a tool in a bench marking process. Benchmarking (see section on proactive and reactive) Benchmarking is the process of comparing the performance of a specific process or method to another that is widely considered to be an industry standard or best practice. Essentially, benchmarking provides help in understand where you are in relation to a particular requirement. The result often leads to changes in order to make improvements. Bench marking has been described as "learning, sharing information and adopting best practices to bring about step changes in performance. It has a subset of tools which can be adapted depending on what is being benchmarked: "Improving ourselves by learning from others". Bench marking is most used to measure performance using a specific indicator resulting in a metric of performance that is then compared to others. This then allows organizations to develop plans on how to make improvements or adopt best practice, usually with the aim of increasing some aspect of performance Benchmarking usually involves: Regular comparison of functions or processes with best practice examples The identification of gaps in performance Exploring new ways of improving how things are done Introducing and using the improved processes Monitoring and reviewing of processes, measuring progress and beneficial outcomes. Page 21 of 21