Impact & Risk Assessment Specification
This specification defines the Quality Unit–approved requirements governing identification, evaluation, and documentation of quality, regulatory, and operational risk associated with GMP-impacting changes.
Authoritative Quality Control specification defining impact and risk assessment governance and decision authority. This document does not define specific risk tools, scoring models, or assessment templates.
1. Purpose
To establish Quality Unit–approved governance requirements ensuring that proposed changes are evaluated for potential impact and risk prior to approval, enabling informed, proportionate, and defensible change decisions.
2. Scope
This specification applies to all GMP-impacting changes subject to change control, including changes to materials, processes, analytical methods, equipment, facilities, systems, documents, and quality controls.
Applicable Business Domains include:
- Quality Control (QC)
- Quality Assurance (QA)
- Production (PROD)
- Packaging (PKG)
- Laboratory Operations
- Engineering & Facilities
- Information Technology (IT)
- Regulatory Affairs
3. Ownership & Governance
- Owner: Quality Control (Quality Unit)
- Approver: Quality Control Operations (QCO)
- Change Control: Quality Management System (QMS)
- Requirement Authority: QC-REQ-IDX
- QC-REQ-IDX Reference: QC-CHG-002
Impact and risk assessment requirements defined in this specification shall not be bypassed, minimized, or retrospectively applied outside approved QMS change control.
4. Impact & Risk Assessment Requirements
| Assessment Element | Requirement | Applicability |
|---|---|---|
| Change Impact Identification | Proposed changes shall be evaluated to identify potential impact to product quality, regulatory commitments, data integrity, and patient or consumer safety. | All GMP changes |
| Risk Evaluation | Identified impacts shall be evaluated for likelihood, severity, and detectability using an appropriate risk-based approach. | All GMP changes |
| Scope Determination | Risk assessment outcomes shall inform the scope of validation, verification, monitoring, or controls required. | All approved changes |
| Risk Mitigation | Where risk is identified, appropriate mitigation measures shall be defined prior to change implementation. | Moderate to high-risk changes |
| Documentation | Impact and risk assessments shall be documented, reviewed, and retained as part of the change record. | All GMP changes |
Risk assessment depth and rigor shall be proportionate to the potential impact of the change.
5. Decision Logic
- Changes with acceptable and mitigated risk may be approved.
- Changes with unmitigated or unacceptable risk shall not be approved.
- Risk assessment outcomes may require additional controls, validation, or monitoring prior to approval.
- Final determinations regarding risk acceptability reside with the Quality Unit.
6. Escalation Requirements
Quality Assurance must escalate to Quality Control or QCO when any of the following occur:
- Disagreement regarding change impact or risk classification
- High-risk changes proposed without adequate mitigation
- Incomplete or superficial risk assessments
- Emerging risks identified during implementation
7. Records & Evidence
Records supporting compliance with this specification include, but are not limited to:
- Impact and risk assessment records
- Risk mitigation plans
- Quality Unit approvals of risk acceptability
- Change control records referencing assessment outcomes