ICH Q9 GUIDELINE : QUALITY RISK MANAGEMENT

INTRODUCTION:
 Risk management principles are effectively utilized in many areas of business and
government including finance, insurance, occupational safety, public health,
pharmacovigilance, and by agencies regulating these industries. In addition, the
importance of quality systems has been recognized in the pharmaceutical industry
and it is becoming evident that quality risk management is a valuable component of
an effective quality system.

 It is commonly understood that risk is defined as the combination of the probability

of occurrence of harm and the severity of that harm.

 In relation to pharmaceuticals, although there are a variety of stakeholders, including

patients and medical practitioners as well as government and industry, the
protection of the patient by managing the risk to quality should be considered of
prime importance.
 The manufacturing and use of a drug (medicinal) product, including its components,
necessarily entail some degree of risk. The risk to its quality is just one component of
the overall risk. It is important to understand that product quality should be
maintained throughout the product lifecycle such that the attributes that are
important to the quality of the drug (medicinal) product remain consistent with
those used in the clinical studies. An effective quality risk management approach can
further ensure the high quality of the drug (medicinal) product to the patient by
providing a proactive means to identify and control potential quality issues during
development and manufacturing. Additionally, use of quality risk management can
improve the decision making if a quality problem arises. Effective quality risk
management can facilitate better and more informed decisions, can provide
regulators with greater assurance of a company’s ability to deal with potential risks
and can beneficially affect the extent and level of direct regulatory oversight.

PURPOSE
 The purpose of this document is to offer a systematic approach to quality risk
management. It serves as a foundation or resource document that is independent of,
yet supports, other ICH Quality documents and complements existing quality
practices, requirements, standards, and guidelines within the pharmaceutical
industry and regulatory environment.
 It specifically provides guidance on the principles and some of the tools of quality risk
management that can enable more effective and consistent risk based decisions,
both by regulators and industry, regarding the quality of drug substances and drug
(medicinal) products across the product lifecycle. It is not intended to create any new
expectations beyond the current regulatory requirements.
SCOPE
 This guideline provides principles and examples of tools for quality risk management
that can be applied to different aspects of pharmaceutical quality. These aspects
include development, manufacturing, distribution, and the inspection and
submission/review processes throughout the lifecycle of drug substances, drug
(medicinal) products, biological and biotechnological products (including the use of
raw materials, solvents, excipients, packaging and labeling materials in drug
(medicinal) products, biological and biotechnological products).

PRINCIPLES OF QUALITY RISK MANAGEMENT

Two primary principles of quality risk management are:
 The evaluation of the risk to quality should be based on scientific knowledge and
ultimately link to the protection of the patient; and
 The level of effort, formality and documentation of the quality risk management
process should be commensurate with the level of risk.

GENERAL QUALITY RISK MANAGEMENT PROCESS

Quality risk management is a systematic process for the assessment, control, communication
and review of risks to the quality of the drug (medicinal) product across the product
lifecycle. A model for quality risk management is outlined in the diagram (Figure 1). Other
models could be used. The emphasis on each component of the framework might differ
from case to case but a robust process will incorporate consideration of all the elements at a
level of detail that is commensurate with the specific risk.
Initiating a Quality Risk Management Process
Quality risk management should include systematic processes designed to coordinate,
facilitate and improve science-based decision making with respect to risk. Possible steps
used to initiate and plan a quality risk management process might include the following :
  Define the problem and/or risk question, including pertinent assumptions
identifying the potential for risk;
 Assemble background information and/ or data on the potential hazard, harm
or human health impact relevant to the risk assessment;
 Identify a leader and necessary resources;
 Specify a timeline, deliverables and appropriate level of decision making for
the risk management process.

1.Risk Assessment
Risk assessment consists of the identification of hazards and the analysis and evaluation of
risks associated with exposure to those hazards. Quality risk assessments begin with a well-
defined problem description or risk question. When the risk in question is well defined, an
appropriate risk management tool and the types of information needed to address the risk
question will be more readily identifiable. As an aid to clearly defining the risk(s) for risk
assessment purposes, three fundamental questions are often helpful:
1. What might go wrong?
2. What is the likelihood (probability) it will go wrong?
3. What are the consequences (severity)?

1.a. Risk identification

 It is a systematic use of information to identify hazards referring to the risk question
or problem description. Information can include historical data, theoretical analysis,
informed opinions, and the concerns of stakeholders.
 Risk identification addresses the “What might go wrong?” question, including
identifying the possible consequences. This provides the basis for further steps in
the quality risk management process.

1.b. Risk analysis

 It is the estimation of the risk associated with the identified hazards. It is the
qualitative or quantitative process of linking the likelihood of occurrence and severity
of harms.
 In some risk management tools, the ability to detect the harm (detectability) also
factors in the estimation of risk.

1.c. Risk evaluation

 compares the identified and analyzed risk against given risk criteria. Risk evaluations
consider the strength of evidence for all three of the fundamental questions. In
doing an effective risk assessment, the robustness of the data set is important
because it determines the quality of the output. Revealing assumptions and
reasonable sources of uncertainty will enhance confidence in this output and/or
help identify its limitations. Uncertainty is due to combination of incomplete
 knowledge about a process and its expected or unexpected variability. Typical
sources of uncertainty include gaps in knowledge gaps in pharmaceutical science
and process understanding, sources of harm (e.g., failure modes of a process,
sources of variability), and probability of detection of problems.

 The output of a risk assessment is either a quantitative estimate of risk or a

qualitative description of a range of risk. When risk is expressed quantitatively, a
numerical probability is used. Alternatively, risk can be expressed using qualitative
descriptors, such as “high”, “medium”, or “low”, which should be defined in as much
detail as possible. Sometimes a "risk score" is used to further define descriptors in
risk ranking. In quantitative risk assessments, a risk estimate provides the likelihood
of a specific consequence, given a set of risk-generating circumstances. Thus,
quantitative risk estimation is useful for one particular consequence at a time.
Alternatively, some risk management tools use a relative risk measure to combine
multiple levels of severity and probability into an overall estimate of relative risk.
The intermediate steps within a scoring process can sometimes employ quantitative
risk estimation

2.Risk Control
 Risk control includes decision making to reduce and/or accept risks. The purpose of
risk control is to reduce the risk to an acceptable level. The amount of effort used for
risk control should be proportional to the significance of the risk. Decision makers
might use different processes, including benefit-cost analysis, for understanding the
optimal level of risk control. Risk control might focus on the following questions:
 Is the risk above an acceptable level?
 What can be done to reduce or eliminate risks?
 What is the appropriate balance among benefits, risks and resources?
 Are new risks introduced as a result of the identified risks being controlled?

2.a. Risk reduction

 it focuses on processes for mitigation or avoidance of quality risk when it exceeds a
specified (acceptable) level, Risk reduction might include actions taken to mitigate
the severity and probability of harm. Processes that improve the detectability of
hazards and quality risks might also be used as part of a risk control strategy.
 The implementation of risk reduction measures can introduce new risks into the
system or increase the significance of other existing risks. Hence, it might be
appropriate to revisit the risk assessment to identify and evaluate any possible
change in risk after implementing a risk reduction process

2.b. Risk acceptance

 It is a decision to accept risk. Risk acceptance can be a formal decision to accept the
residual risk or it can be a passive decision in which residual risks are not specified.
 For some types of harms, even the best quality risk management practices might not
entirely eliminate risk.
 In these circumstances, it might be agreed that an appropriate quality risk
management strategy has been applied and that quality risk is reduced to a specified
(acceptable) level. This (specified) acceptable level will depend on many parameters
and should be decided on a case-by-case basis.

Risk Communication
 Risk communication is the sharing of information about risk and risk management
between the decision makers and others. Parties can communicate at any stage of
the risk management process (see Fig. 1: dashed arrows).
 The output/result of the quality risk management process should be appropriately
communicated and documented (see Fig. 1: solid arrows). Communications might
include those among interested parties; e.g., regulators and industry, industry and
the patient, within a company, industry or regulatory authority, etc. The included
information might relate to the existence, nature, form, probability, severity,
acceptability, control, treatment, detectability or other aspects of risks to quality.
 Communication need not be carried out for each and every risk acceptance. Between
the industry and regulatory authorities, communication concerning quality risk
management decisions might be effected through existing channels as specified in
regulations and guidances.

3.Risk Review
 Risk management should be an ongoing part of the quality management process. A
mechanism to review or monitor events should be implemented. The output/results
of the risk management process should be reviewed to take into account new
knowledge and experience.
 Once a quality risk management process has been initiated, that process should
continue to be utilized for events that might impact the original quality risk
management decision, whether these events are planned (e.g., results of product
review, inspections, audits, change control) or unplanned (e.g., root cause from
failure investigations, recall). The frequency of any review should be based upon the
level of risk. Risk review might include reconsideration of risk acceptance decisions

RISK MANAGEMENT METHODOLOGY

 Quality risk management supports a scientific and practical approach to
decisionmaking. It provides documented, transparent and reproducible methods to
accomplish steps of the quality risk management process based on current
knowledge about assessing the probability, severity and sometimes detectability of
the risk.
 Traditionally, risks to quality have been assessed and managed in a variety of
informal ways (empirical and/ or internal procedures) based on, for example,
compilation of observations, trends and other information. Such approaches
 continue to provide useful information that might support topics such as handling of
complaints, quality defects, deviations and allocation of resources.
 Additionally, the pharmaceutical industry and regulators can assess and manage risk
using recognized risk management tools and/ or internal procedures (e.g., standard
operating procedures). Below is a non-exhaustive list of some of these tools :

 Basic risk management facilitation methods (flowcharts, check sheets etc.);

 Failure Mode Effects Analysis (FMEA);
 Failure Mode, Effects and Criticality Analysis (FMECA);
 Fault Tree Analysis (FTA);
 Hazard Analysis and Critical Control Points (HACCP);
 Hazard Operability Analysis (HAZOP);
 Preliminary Hazard Analysis (PHA);
 Risk ranking and filtering;
 Supporting statistical tools.
It might be appropriate to adapt these tools for use in specific areas pertaining to drug
substance and drug (medicinal) product quality. Quality risk management methods and the
supporting statistical tools can be used in combination (e.g., Probabilistic Risk Assessment).
Combined use provides flexibility that can facilitate the application of quality risk
management principles.