INTERNATIONAL COUNCIL FOR HARMONISATION OF TECHNICAL REQUIREMENTS FOR PHARMACEUTICALS FOR HUMAN USE
ICH HARMONISED GUIDELINE
Q UALITY R ISK M ANAGEMENT
Q9(R1)
Draft version
Endorsed on 18 November 2021 Currently under public consultation
At Step 2 of the ICH Process, a consensus draft text or guideline, agreed by the appropriate ICH Expert Working Group, is transmitted by the ICH Assembly to the regulatory authorities of the ICH regions for internal and external consultation, according to national or regional procedures.
Q9(R1) Document History
Q9
Code History Date
Q9 Approval by the Steering Committee under Step 4 and recommendation for adoption to the three ICH regulatory bodies.
9 November 2005
Revision of Q9
Code History Date
Q9(R1) Endorsement by the Members of the ICH Assembly under Step 2 and release for public consultation (document dated day/month/year).
18 November 2021
Legal notice: This document is protected by copyright and may, with the exception of the ICH logo, be used, reproduced, incorporated into other works, adapted, modified, translated or distributed under a public license provided that ICH's copyright in the document is acknowledged at all times. In case of any adaption, modification or translation of the document, reasonable steps must be taken to clearly label, demarcate or otherwise identify that changes were made to or based on the original document. Any impression that the adaption, modification or translation of the original document is endorsed or sponsored by the ICH must be avoided.
The document is provided "as is" without warranty of any kind. In no event shall the ICH or the authors of the original document be liable for any claim, damages or other liability arising from the use of the document.
The above-mentioned permissions do not apply to content supplied by third parties. Therefore, for documents where the copyright vests in a third party, permission for reproduction must be obtained from this copyright holder.
ICH H
ARMONISEDG
UIDELINEQ UALITY R ISK M ANAGEMENT
Q9(R1)
ICH Consensus Guideline
TABLE OF CONTENTS
1. INTRODUCTION ... 1
2. SCOPE ... 3
3. PRINCIPLES OF QUALITY RISK MANAGEMENT ... 3
4. GENERAL QUALITY RISK MANAGEMENT PROCESS ... 3
4.1 Responsibilities ... 4
4.2 Initiating a Quality Risk Management Process ... 5
4.3 Risk Assessment ... 6
4.4 Risk Control ... 7
4.5 Risk Communication ... 8
4.6 Risk Review ... 8
5. RISK MANAGEMENT METHODOLODY ... 9
5.1 Formality in Quality Risk Management ... 10
5.2 Risk-based Decision Making ...11
6. INTEGRATION OF QUALITY RISK MANAGEMENT INTO INDUSTRY AND REGULATORY OPERATIONS ... 13
7. DEFINITIONS ... 16
8. REFERENCES ... 18
ANNEX I: QUALITY RISK MANAGEMENT METHODS AND TOOLS ... 20
I.1 Basic Risk Management Facilitation Methods ... 20
I.2 Failure Mode Effects Analysis (FMEA) ... 20
I.3 Failure Mode, Effects and Criticality Analysis (FMECA) ... 21
I.4 Fault Tree Analysis (FTA) ... 21
I.5 Hazard Analysis and Critical Control Points (HACCP) ... 22
I.6 Hazard Operability Analysis (HAZOP) ... 23
I.7 Preliminary Hazard Analysis (PHA) ... 23
I.8 Risk Ranking and Filtering ... 24
ANNEX II: QUALITY RISK MANAGEMENT AS PART OF INTEGRATED QUALITY
MANAGEMENT ... 25
II.1 Quality Risk Management as Part of Integrated Quality Management ... 25
II.2 Quality Risk Management as Part of Regulatory Operations ... 27
II.3 Quality Risk Management as Part of development ... 27
II.4 Quality Risk Management for Facilities, Equipment and Utilities ... 28
II.5 Quality Risk Management as Part of Materials Management... 30
II.6 Quality Risk Management as Part of Production ... 31
II.7 Quality Risk Management as Part of Laboratory Control and Stability Studies... 31
II.8 Quality Risk Management as Part of Packaging and Labelling ... 31
II.9 Quality Risk Management as Part of Supply Chain Control ... 32
1. INTRODUCTION
1
Risk management principles are effectively utilized in many areas of business and government
2
including finance, insurance, occupational safety, public health, pharmacovigilance, and by
3
agencies regulating these industries. In the pharmaceutical sector, the principles and framework
4
of ICH Q9, coupled with the official ICH training material that supports this guideline, are
5
instrumental in enhancing the application of effective quality risk management by industry and
6
regulators. The importance of quality systems has been recognized in the pharmaceutical
7
industry and it is evident that quality risk management is a valuable component of an effective
8
quality system.
9
It is commonly understood that risk is defined as the combination of the probability of
10
occurrence of harm and the severity of that harm. However, achieving a shared understanding
11
of the application of risk management among diverse stakeholders is difficult because each
12
stakeholder might perceive different potential harms, place a different probability on each harm
13
occurring and attribute different severities to each harm. In addition, subjectivity can directly
14
impact the effectiveness of risk management activities and the decisions made. In relation to
15
pharmaceuticals, although there are a variety of stakeholders, including patients and medical
16
practitioners as well as government and industry, the protection of the patient by managing the
17
risk to quality and availability, when availability risks arise from quality/manufacturing issues,
18
should be considered of prime importance.
19
The manufacturing and use of a drug (medicinal) product, including its components,
20
necessarily entail some degree of risk. The risk to its quality is just one component of the overall
21
risk. It is important to understand that product quality is assured based on appropriate risk-
22
based decision-making throughout the product lifecycle, such that the attributes that are
23
important to the quality of the drug (medicinal) product are maintained and the product remains
24
safe and effective.
25
An effective quality risk management approach can further ensure the high quality of the drug
26
(medicinal) product to the patient by providing a proactive means to identify and control
27
potential quality issues during development and manufacturing. A proactive approach to
28
quality risk management facilitates continual improvement and is of strategic importance in
29
achieving an effective pharmaceutical quality system. Additionally, use of quality risk
30 31
scenarios, so that appropriate risk control can be decided upon during technology transfer, for
33
use during the commercial manufacturing phase. In this context, knowledge is used to make
34
informed risk-based decisions, trigger re-evaluations and stimulate continual improvements.
35
Effective and proactive quality risk management can facilitate better, more informed and timely
36
decisions throughout the lifecycle. This can provide regulators with greater assurance of a
37
company’s ability to deal with potential risks and avert problems, and can beneficially affect
38
the extent and level of direct regulatory oversight.
39
The application of digitalization and emerging technologies in the manufacture and control of
40
medicinal products can present certain challenges. The application of quality risk management
41
to the design, validation and technology transfer of advanced production processes and
42
analytical methods, advanced data analysis methods and computerized systems is important.
43
The purpose of this document is to offer a systematic approach to quality risk management for
44
better, more informed, and timely decisions. It serves as a foundation or resource document
45
that is independent of, yet supports, other ICH Quality documents and complements existing
46
quality practices, requirements, standards, and guidelines within the pharmaceutical industry
47
and regulatory environment. It specifically provides guidance on the principles and some of
48
the tools of quality risk management that can enable more effective and consistent risk based
49
decisions, both by regulators and industry, regarding the quality of drug substances and drug
50
(medicinal) products across the product lifecycle. It is not intended to create any new
51
expectations beyond the current regulatory requirements.
52
An understanding of formality in quality risk management (see Chapter 5 below) may lead to
53
resources being used more efficiently, where lower risk issues are dealt with via less formal
54
means, freeing up resources for managing higher risk issues and more complex problems that
55
may require increased levels of rigour and effort. An understanding of formality can also
56
support risk-based decision-making, where the level of formality that is applied may reflect the
57
degree of importance of the decision, as well as the level of uncertainty, complexity and
58
criticality which may be present.
59
Appropriate use of quality risk management can facilitate but does not obviate industry’s
60
obligation to comply with regulatory requirements and does not replace appropriate
61
communications between industry and regulators. Quality risk management should not be used
62
in a manner where decisions are made that justify a practice that would otherwise, in
63
accordance with official guidance and/or regulations, be deemed unacceptable.
64
65
2. SCOPE
66
This guideline provides principles and examples of tools for quality risk management that can
67
be applied to different aspects of pharmaceutical quality. These aspects include development,
68
manufacturing, distribution, and the inspection and submission/review processes throughout
69
the lifecycle of drug substances, drug (medicinal) products, biological and biotechnological
70
products (including the use of raw materials, solvents, excipients, packaging and labeling
71
materials in drug (medicinal) products, biological and biotechnological products).
72
73
3. PRINCIPLES OF QUALITY RISK MANAGEMENT
74
Two primary principles of quality risk management are:
75
• The evaluations of the risk to quality should be based on scientific knowledge and
76
ultimately link to the protection of the patient. (Note: Risk to quality includes situations
77
where product availability may be impacted, leading to potential patient harm.)
78
• The level of effort, formality and documentation of the quality risk management process
79
should be commensurate with the level of risk.
80
81
4. GENERAL QUALITY RISK MANAGEMENT PROCESS
82
Quality risk management is a systematic process for the assessment, control, communication
83
and review of risks to the quality of the drug (medicinal) product across the product lifecycle.
84
A model for quality risk management is outlined in the diagram (Figure 1). Other models could
85
be used. The emphasis on each component of the framework might differ from case to case but
86
a robust process will incorporate consideration of all the elements at a level of detail that is
87
commensurate with the specific risk.
88
Figure 1: Overview of a typical quality risk management process
89
90
Decision nodes are not shown in the diagram above because decisions can occur at any point
91
in the process. These decisions might be to return to the previous step and seek further
92
information, to adjust the risk models or even to terminate the risk management process based
93
upon information that supports such a decision. Note: “unacceptable” in the flowchart does not
94
only refer to statutory, legislative or regulatory requirements, but also to the need to revisit the
95
risk assessment process.
96
4.1 Responsibilities 97
Quality risk management activities are usually, but not always, undertaken by interdisciplinary
98
teams. When teams are formed, they should include experts from the appropriate areas (e.g.,
99
quality unit, business development, engineering, regulatory affairs, production operations,
100
sales and marketing, supply chain, legal, statistics and clinical) in addition to individuals who
101
are knowledgeable about the quality risk management process.
102
Subjectivity can impact every stage of a quality risk management process, especially the
103
identification of hazards and estimates of their probabilities of occurrence, the estimation of
104
risk reduction and the effectiveness of decisions made from quality risk management activities.
105
Subjectivity can be introduced in quality risk management through differences in how risks are
106
assessed and in how hazards, harms and risks are perceived by different stakeholders.
107
Risk Assessment Initiate
Quality Risk Management Process
Hazard Identification Risk Analysis
Risk Evaluation
Risk Management tools
Risk Communication Risk Control
Risk Reduction
Output / Result of the Quality Risk Management Process
Risk Review
Risk Acceptance
unacceptable
Review Events
Subjectivity can also be introduced through the use of tools with poorly designed risk scoring
108
scales. While subjectivity cannot be completely eliminated from quality risk management
109
activities, it may be controlled by addressing bias, the proper use of quality risk management
110
tools and maximising the use of relevant data and sources of knowledge (see ICH Q10, Section
111
II.E.1).
112
All participants involved with quality risk management activities should acknowledge,
113
anticipate, and address the potential for subjectivity.
114
Decision makers should
115
• take responsibility for coordinating quality risk management across various functions and
116
departments of their organization; and
117
• assure that a quality risk management process is defined, deployed and reviewed and that
118
adequate resources and knowledge are available;
119
• assure that subjectivity in quality risk management activities is controlled and minimised,
120
to facilitate scientifically robust risk-based decision making.
121
4.2 Initiating a Quality Risk Management Process 122
Quality risk management should include systematic processes designed to coordinate, facilitate
123
and improve science-based decision making with respect to risk. Possible steps used to initiate
124
and plan a quality risk management process might include the following:
125
• Define the problem and/or risk question, including pertinent assumptions identifying the
126
potential for risk;
127
• Assemble background information and/ or data on the potential hazard, harm or human
128
health impact relevant to the risk assessment;
129
• Identify a leader and necessary resources;
130
• Specify a timeline, deliverables and appropriate level of decision making for the risk
131
management process.
132
4.3 Risk Assessment 133
Risk assessment consists of the identification of hazards and the analysis and evaluation of
134
risks associated with exposure to those hazards (as defined below). Quality risk assessments
135
begin with a well-defined problem description or risk question. When the risk in question is
136
well defined, an appropriate risk management tool (see examples in Section 5) and the types
137
of information needed to address the risk question will be more readily identifiable. As an aid
138
to clearly defining the risk(s) for risk assessment purposes, three fundamental questions are
139
often helpful:
140
1. What might go wrong?
141
2. What is the likelihood (probability) it will go wrong?
142
3. What are the consequences (severity)?
143
Hazard identification is a systematic use of information to identify hazards referring to the risk
144
question or problem description. Information can include historical data, theoretical analysis,
145
informed opinions, and the concerns of stakeholders. Hazard identification addresses the “What
146
might go wrong?” question, including identifying the possible consequences. This provides the
147
basis for further steps in the quality risk management process.
148
Risk analysis is the estimation of the risk associated with the identified hazards. It is the
149
qualitative or quantitative process of linking the likelihood of occurrence and severity of harms.
150
In some risk management tools, the ability to detect the harm (detectability) also factors in the
151
estimation of risk.
152
Risk evaluation compares the identified and analyzed risk against given risk criteria. Risk
153
evaluations consider the strength of evidence for all three of the fundamental questions.
154
In doing an effective risk assessment, the robustness of the data set is important because it
155
determines the quality of the output. Revealing assumptions and reasonable sources of
156
uncertainty will enhance confidence in this output and/or help identify its limitations.
157
Uncertainty is due to combination of incomplete knowledge about a process and its expected
158
or unexpected variability. Typical sources of uncertainty include gaps in knowledge gaps in
159
pharmaceutical science and process understanding, sources of harm (e.g., failure modes of a
160
process, sources of variability), and probability of detection of problems.
161
The output of a risk assessment is either a quantitative estimate of risk or a qualitative
162
description of a range of risk. When risk is expressed quantitatively, a numerical probability is
163
used. Alternatively, risk can be expressed using qualitative descriptors, such as “high”,
164
“medium”, or “low”, which should be defined in as much detail as possible. Sometimes a "risk
165
score" is used to further define descriptors in risk ranking. In quantitative risk assessments, a
166
risk estimate provides the likelihood of a specific consequence, given a set of risk-generating
167
circumstances. Thus, quantitative risk estimation is useful for one particular consequence at a
168
time. Alternatively, some risk management tools use a relative risk measure to combine
169
multiple levels of severity and probability into an overall estimate of relative risk. The
170
intermediate steps within a scoring process can sometimes employ quantitative risk estimation.
171
4.4 Risk Control 172
Risk control includes decision making to reduce and/or accept risks. The purpose of risk
173
control is to reduce the risk to an acceptable level. The amount of effort used for risk control
174
should be proportional to the significance of the risk. Decision makers might use different
175
processes, including benefit-cost analysis, for understanding the optimal level of risk control.
176
Risk control might focus on the following questions:
177
• Is the risk above an acceptable level?
178
• What can be done to reduce or eliminate risks?
179
• What is the appropriate balance among benefits, risks and resources?
180
• Are new risks introduced as a result of the identified risks being controlled?
181
Risk reduction focuses on processes for mitigation or avoidance of quality risk when it exceeds
182
a specified (acceptable) level (see Fig. 1). Risk reduction might include actions taken to
183
mitigate the severity and probability of harm. Processes that improve the detectability of
184
hazards and quality risks might also be used as part of a risk control strategy. The
185
implementation of risk reduction measures can introduce new risks into the system or increase
186
the significance of other existing risks. Hence, it might be appropriate to revisit the risk
187
assessment to identify and evaluate any possible change in risk after implementing a risk
188
reduction process.
189
Risk acceptance is a decision to accept risk. Risk acceptance can be a formal decision to accept
190
the residual risk or it can be a passive decision in which residual risks are not specified. For
191
some types of harms, even the best quality risk management practices might not entirely
192
eliminate risk. In these circumstances, it might be agreed that an appropriate quality risk
193
management strategy has been applied and that quality risk is reduced to a specified
194
(acceptable) level. This (specified) acceptable level will depend on many parameters and
195
should be decided on a case-by-case basis.
196
4.5 Risk Communication 197
Risk communication is the sharing of information about risk and risk management between
198
the decision makers and others. Parties can communicate at any stage of the risk management
199
process (see Fig. 1: dashed arrows). The output/result of the quality risk management process
200
should be appropriately communicated and documented (see Fig. 1: solid arrows).
201
Communications might include those among interested parties; e.g., regulators and industry,
202
industry and the patient, within a company, industry or regulatory authority, etc. The included
203
information might relate to the existence, nature, form, probability, severity, acceptability,
204
control, treatment, detectability or other aspects of risks to quality. Communication need not
205
be carried out for each and every risk acceptance. Between the industry and regulatory
206
authorities, communication concerning quality risk management decisions might be effected
207
through existing channels as specified in regulations and guidances.
208
4.6 Risk Review 209
Risk management should be an ongoing part of the quality management process. A mechanism
210
to review or monitor events should be implemented.
211
The output/results of the risk management process should be reviewed to take into account new
212
knowledge and experience. Once a quality risk management process has been initiated, that
213
process should continue to be utilized for events that might impact the original quality risk
214
management decision, whether these events are planned (e.g., results of product review,
215
inspections, audits, change control) or unplanned (e.g., root cause from failure investigations,
216
recall). The frequency of any review should be based upon the level of risk. Risk review might
217
include reconsideration of risk acceptance decisions (section 4.4).
218 219
5. RISK MANAGEMENT METHODOLODY
220
Quality risk management supports a scientific and practical approach to decision-making. It
221
provides documented, transparent and reproducible methods to accomplish steps of the quality
222
risk management process based on current knowledge about assessing the probability, severity
223
and sometimes detectability of the risk.
224
Traditionally, risks to quality have been assessed and managed in a variety of informal ways
225
(empirical and/ or internal procedures) based on, for example, compilation of observations,
226
trends and other information. Such approaches continue to provide useful information that
227
might support topics such as handling of complaints, quality defects, deviations and allocation
228
of resources.
229
Additionally, the pharmaceutical industry and regulators can assess and manage risk using
230
recognized risk management tools and/ or internal procedures (e.g., standard operating
231
procedures). Below is a non-exhaustive list of some of these tools (further details in Annex 1
232
and chapter 8):
233
• Basic risk management facilitation methods
234
(flowcharts, check sheets etc.);
235
• Failure Mode Effects Analysis (FMEA);
236
• Failure Mode, Effects and Criticality Analysis (FMECA);
237
• Fault Tree Analysis (FTA);
238
• Hazard Analysis and Critical Control Points (HACCP);
239
• Hazard Operability Analysis (HAZOP);
240
• Preliminary Hazard Analysis (PHA);
241
• Risk ranking and filtering;
242
• Supporting statistical tools.
243
It might be appropriate to adapt these tools for use in specific areas pertaining to drug substance
244
statistical tools can be used in combination (e.g., Probabilistic Risk Assessment). Combined
246
use provides flexibility that can facilitate the application of quality risk management principles.
247
The degree of rigor and formality of quality risk management should reflect available
248
knowledge and be commensurate with the complexity and/ or criticality of the issue to be
249
addressed.
250
5.1 Formality in Quality Risk Management 251
Formality in quality risk management is not a binary concept (i.e. formal/informal); varying
252
degrees of formality may be applied during quality risk management activities, including when
253
making risk-based decisions. In this way, formality can be considered a continuum (or
254
spectrum), ranging from low to high.
255
When determining how much formality to apply to a given quality risk management activity,
256
certain factors may be considered. These may include, for example, the following:
257
• Uncertainty: The term “uncertainty” in quality risk management means lack of knowledge
258
about risks. The level of uncertainty that is associated with the area being risk assessed
259
informs how much formality may be required to manage potential risks. Systematic
260
approaches for acquiring, analysing, storing and disseminating scientific information are
261
essential for generating knowledge, which in turn informs all quality risk management
262
activities. Uncertainty may be reduced via effective knowledge management, which enables
263
accumulated and new information (both internal and external) to be used to support risk-
264
based decisions throughout the lifecycle.
265
• Importance: The more important a risk-based decision is, the higher the level of formality
266
that should be applied, and the greater the need to reduce the level of uncertainty associated
267
with it.
268
• Complexity: The more complex a process or subject area is to a quality risk management
269
activity, the higher the level of formality that should be applied to assure product quality.
270
In general, higher levels of uncertainty, importance or complexity require more formal quality
271
risk management approaches to manage potential risks and to support effective risk-based
272
decision making.
273
The overall approach for determining how much formality to apply during quality risk
274
management activities should be described within the quality system. Resource constraints
275
should not be used to justify the use of lower levels of formality in the quality risk management
276
process. Regardless of how much formality is applied, the robust management of risk is the
277
goal of the process. This should be based on evidence, science and knowledge, where risk
278
scores, ratings or assessments are supported by data or by an appropriate justification or
279
rationale.
280
The following may be characteristics of higher levels of formality:
281
• All parts of the quality risk management process (Risk Assessment, Risk Control, Risk
282
Review and Risk Communication) are explicitly performed, and stand-alone quality risk
283
management reports (or related documents) which address all aspects of the process may be
284
generated and are documented (e.g., within the quality system).
285
• Recognized or other quality risk management tools are used in some or all parts of the
286
process.
287
• A cross-functional team is assembled for the quality risk management activity. Use of a
288
trained quality risk management facilitator may be integral to a higher formality process.
289
The following may be characteristics of lower levels of formality:
290
• One or more parts of the quality risk management process are not performed as stand-alone
291
activities but are addressed within other elements of the quality system which may have risk
292
assessment and risk control activities embedded within them.
293
• Recognized or other quality risk management tools might not be used in some or all parts
294
of the process. A cross functional team might not be necessary.
295
• Stand-alone quality risk management reports might not be generated. The outcome of the
296
quality risk management process is usually documented in the relevant parts of the quality
297
system.
298
Note: Degrees of formality between the above higher and lower levels also exist and may be
299
used.
300 301
essential foundation for decision makers in an organization. Effective risk-based decision
303
making begins with determining the level of effort, formality and documentation that should
304
be applied during the quality risk management process. The outputs of quality risk management
305
activities include decisions in relation to what hazards exist, the risks associated with those
306
hazards, the risk controls required, the acceptability of the residual risk after risk controls, the
307
communication and review of quality risk management activities and outputs.
308
Approaches to risk-based decision-making are beneficial, because they address uncertainty
309
through the use of knowledge, facilitating informed decisions by regulators and the
310
pharmaceutical industry in a multitude of areas, including when allocating resources. They also
311
help recognize where uncertainty remains, so that appropriate risk controls (including
312
improved detectability) may be identified to enhance understanding of those variables and
313
further reduce the level of uncertainty.
314
As all decision making relies on the use of knowledge, see ICH Q10 for guidance in relation
315
to Knowledge Management. It is important also to ensure the integrity of the data that are used
316
for risk-based decision making.
317
Approaches to risk-based decision-making:
318
There are different processes that may be used to make risk-based decisions; these are directly
319
related to the level of formality that is applied during the quality risk management process.
320
(See Section 5.1 above for guidance on what constitutes formality in quality risk management.)
321
In general, higher levels of formality in quality risk management require higher levels of
322
structure in relation to risk-based decision making. There can be varying degrees of structure
323
with regard to approaches for risk-based decision making. These degrees of structure can be
324
considered to be on a continuum (or spectrum). Below are descriptions for highly structured
325
vs. less structured processes, and for rule-based processes when making risk-based decisions:
326
• Some risk-based decision making processes are highly structured and can involve a formal
327
analysis of the available options that exist before making a decision. They involve an in-
328
depth consideration of relevant factors associated with the available options. Such processes
329
might be used when there is a high degree of importance associated with the decision, and
330
when the level of uncertainty and/or complexity is high.
331
• Other risk-based decision making processes are less structured; here, simpler approaches
332
are used to arrive at decisions, and they primarily make use of existing knowledge to support
333
an assessment of hazards, risks and any required risk controls. Such processes might still be
334
used when there is a high degree of importance associated with the decision, but the degree
335
of uncertainty and/or complexity is lower.
336
• Decisions might also be made using rule-based (or standardised) approaches, which do not
337
require a new risk assessment to make such decisions. This is where there are SOPs, policies
338
or well understood requirements in place which determine what decisions must be made.
339
Here, rules (or limits) may be in place which govern such decisions; these may be based on
340
a previously obtained understanding of the relevant risks and they usually lead to
341
predetermined actions or expected outcomes.
342
343
6. INTEGRATION OF QUALITY RISK MANAGEMENT INTO INDUSTRY AND
344
REGULATORY OPERATIONS
345
Quality risk management is a process that supports science-based and practical decisions when
346
integrated into quality systems (see Annex II). As outlined in the introduction, appropriate use
347
of quality risk management does not obviate industry’s obligation to comply with regulatory
348
requirements. However, effective quality risk management can facilitate better and more
349
informed decisions, can provide regulators with greater assurance of a company’s ability to
350
deal with potential risks, and might affect the extent and level of direct regulatory oversight. In
351
addition, quality risk management can facilitate better use of resources by all parties.
352
Training of both industry and regulatory personnel in quality risk management processes
353
provides for greater understanding of decision-making processes and builds confidence in
354
quality risk management outcomes.
355
Quality risk management should be integrated into existing operations and documented
356
appropriately. While manufacturing and supply chain diversity can be enablers of product
357
availability, increasingly complex supply chains lead to interdependencies that can introduce
358
systemic quality/manufacturing risks impacting supply chain robustness. Application of quality
359
risk management can proactively mitigate these risks. Preventive measures supporting product
360
availability may be identified through quality risk management activities.
361
Annex II provides examples of situations in which the use of the quality risk management
362
process might provide information that could then be used in a variety of pharmaceutical
363
operations. These examples are provided for illustrative purposes only and should not be
364
considered a definitive or exhaustive list. These examples are not intended to create any new
365
expectations beyond the requirements laid out in the current regulations.
366
Examples for industry and regulatory operations (see Annex II):
367
• Quality management.
368
Examples for industry operations and activities (see Annex II):
369
• Development;
370
• Facility, equipment and utilities;
371
• Materials management;
372
• Production;
373
• Laboratory control and stability testing;
374
• Packaging and labeling;
375
• Supply Chain Control.
376
Examples for regulatory operations (see Annex II):
377
• Inspection and assessment activities.
378
While regulatory decisions will continue to be taken on a regional basis, a common
379
understanding and application of quality risk management principles could facilitate mutual
380
confidence and promote more consistent decisions among regulators on the basis of the same
381
information. This collaboration could be important in the development of policies and
382
guidelines that integrate and support quality risk management practices.
383 384 385
The role of Quality Risk Management in addressing Product Availability Risks
386
Quality/manufacturing issues, including non-compliance with Good Manufacturing Practice
387
(GMP), are a frequent cause of product availability issues (e.g., product shortages). The
388
interests of patients are served by risk-based drug shortage prevention and mitigation activities
389
that help to proactively manage supply chain complexities and ensure availability of needed
390
medicines. An effective pharmaceutical quality system drives both supply chain robustness and
391
sustainable GMP compliance. It also uses quality risk management and knowledge
392
management to provide an early warning system that supports effective oversight and response
393
to evolving quality/manufacturing risks from the pharmaceutical company or its external
394
partners. The level of formality applied to risk-based drug shortage prevention and mitigation
395
activities may vary (see Chapter 5). Factors that can affect supply reliability, and hence product
396
availability, include the following:
397
Manufacturing Process Variation and State of Control (internal and external):
398
Processes that exhibit excessive variability (e.g., process drift, non-uniformity) have capability
399
gaps that can result in unpredictable outputs and may adversely impact quality, timeliness,
400
yield, and consequently product availability. Quality risk management can help design
401
monitoring systems that are capable of detecting departures from a state of control and
402
deficiencies in manufacturing processes, so they can be investigated to address root causes.
403
Manufacturing Facilities:
404
A robust facility infrastructure can facilitate reliable supply; it includes suitable equipment and
405
well-designed facilities for manufacturing and packaging. Robustness can be affected by
406
multiple factors, such as an aging facility, insufficient maintenance or an operational design
407
that is vulnerable to human error. Risks to supply can be reduced by addressing these factors,
408
as well as through use of modern technology, such as digitalization, automation, isolation
409
technology, amongst others.
410
Oversight of Outsourced Activities and Suppliers:
411
Quality system governance includes assuring the acceptability of supply chain partners over
412
the product lifecycle. Approval and oversight of outsourced activities and material suppliers is
413
informed by risk assessments, effective knowledge management, and an effective monitoring
strategy for supply chain partner performance. A successful manufacturing partnership is
415
strengthened by appropriate communication and collaboration mechanisms. When substantial
416
variability is identified in the quality and safety of supplied materials or in the services
417
provided, enhanced review and monitoring activities are justified (See Section 2.7 of ICH
418
Q10). In some cases, it may be necessary to identify a new supply chain entity (e.g. a pre-
419
qualified backup option) to perform a function.
420
421
7. DEFINITIONS
422
Decision Maker(s):
423
Person(s) with the competence and authority to make appropriate and timely quality risk
424
management decisions.
425
Detectability:
426
The ability to discover or determine the existence, presence, or fact of a hazard.
427
Harm:
428
Damage to health, including the damage that can occur from loss of product quality or
429
availability.
430
Hazard:
431
The potential source of harm (ISO/IEC Guide 51).
432
Hazard Identification:
433
The systematic use of information to identify potential sources of harm (hazards) referring to
434
the risk question or problem description.
435
Product Lifecycle:
436
All phases in the life of the product from the initial development through marketing until the
437
product’s discontinuation.
438
Quality:
439
The degree to which a set of inherent properties of a product, system or process fulfills
440
requirements (see ICH Q6A definition specifically for "quality" of drug substance and drug
441
(medicinal) products.)
442
Quality Risk Management:
443
A systematic process for the assessment, control, communication and review of risks to the
444
quality of the drug (medicinal) product across the product lifecycle.
445
Quality System:
446
The sum of all aspects of a system that implements quality policy and ensures that quality
447
objectives are met.
448
Requirements:
449
The explicit or implicit needs or expectations of the patients or their surrogates (e.g., health
450
care professionals, regulators and legislators). In this document, “requirements” refers not only
451
to statutory, legislative, or regulatory requirements, but also to such needs and expectations.
452
Risk:
453
The combination of the probability of occurrence of harm and the severity of that harm
454
(ISO/IEC Guide 51).
455
Risk Acceptance:
456
The decision to accept risk (ISO Guide 73).
457
Risk Analysis:
458
The estimation of the risk associated with the identified hazards.
459
Risk Assessment:
460
A systematic process of organizing information to support a risk decision to be made within a
461
risk management process. It consists of the identification of hazards and the analysis and
462
evaluation of risks associated with exposure to those hazards.
463
An approach or process that considers knowledge about risks relevant to the decision and
465
whether risks are at an acceptable level.
466
Risk Communication:
467
The sharing of information about risk and risk management between the decision maker and
468
other stakeholders.
469
Risk Control:
470
Actions implementing risk management decisions (ISO Guide 73).
471
Risk Evaluation:
472
The comparison of the estimated risk to given risk criteria using a quantitative or qualitative
473
scale to determine the significance of the risk.
474
475
8. REFERENCES
476
1. ICH Q8 Pharmaceutical Development.
477
2. ICH Q10 Pharmaceutical Quality System.
478
3. ISO/IEC Guide 73:2002 - Risk Management - Vocabulary - Guidelines for use in
479
Standards.
480
4. ISO/IEC Guide 51:2014 - Safety Aspects - Guideline for their inclusion in standards.
481
5. IEC 61025 - Fault Tree Analysis (FTA).
482
6. IEC 60812:2018 Failure modes and effects analysis (FMEA and FMECA).
483
7. IEC 61882:2016 - Hazard and operability studies (HAZOP studies) – Application guide.
484
8. ISO 14971:2019 – Medical devices -Application of risk management to medical devices.
485
9. ISO 7870-1:2019 - Control Charts
486
10. ISO 7870-4:2021- Cumulative Sum Charts.
487
11. ISO 7870-3:2020 - Acceptance Control Charts.
488
12. ISO 7870-2:2013 - Shewhart Control Charts.
489
13. WHO Technical Report Series No 908, 2003, Annex 7 Application of Hazard Analysis
490
and Critical Control Point (HACCP) methodology to pharmaceuticals.
491
14. What is Total Quality Control?; The Japanese Way, Kaoru Ishikawa (Translated by David
492
J. Liu), 1985, ISBN 0139524339.
493
15. Failure Mode and Effect Analysis, FMEA from Theory to Execution, 2nd Edition 2003, D.
494
H. Stamatis, ISBN 0873895983.
495
16. Process Mapping by the American Productivity & Quality Center, 2002, ISBN
496
1928593739.
497
17. Parenteral Drug Association. Technical Report No. 54 Implementation of quality risk
498
management for pharmaceutical and biotechnology manufacturing operations. 2012.
499
18. Parenteral Drug Association. Points to consider for aging facilities. 2017.
500
19. Parenteral Drug Association. Technical Report No. 68. Risk-based approach for
501
prevention and management of drug shortages. 2014.
502
20. International Society for Pharmaceutical Engineering. Report on the ISPE Drug shortages
503
survey. 2013.
504
21. International Society for Pharmaceutical Engineering. Drug shortages prevention plan.
505
2014.
506
22. Tabersky D, Woelfle M, Ruess J, Brem S, Brombacher S. Recent regulatory trends in
507
pharmaceutical manufacturing and their impact on the industry. CHIMIA,
508
2018;72(3):146-150.
509
23. O’Donnell K, Tobin D, Butler S, Haddad G, Kelleher D. Understanding the concept of
510
formality in quality risk management. J. Valid. Technol, 2020 Jun; 26(3).
511 512
ANNEX I: QUALITY RISK MANAGEMENT METHODS AND TOOLS
513
The purpose of this annex is to provide a general overview of and references for some of the
514
primary tools that might be used in quality risk management by industry and regulators. The
515
references are included as an aid to gain more knowledge and detail about the particular tool.
516
This is not an exhaustive list. It is important to note that no one tool or set of tools is applicable
517
to every situation in which a quality risk management procedure is used.
518
It is neither always appropriate nor always necessary to use highly formal quality risk
519
management methods and tools. The use of less formal quality risk management methods and
520
tools can also be considered acceptable. See Chapter 5 for guidance on what constitutes
521
formality in quality risk management.
522
I.1 Basic Risk Management Facilitation Methods 523
Some of the simple techniques that are commonly used to structure risk management by
524
organizing data and facilitating decision-making are:
525
• Flowcharts;
526
• Check Sheets;
527
• Process Mapping;
528
• Cause and Effect Diagrams (also called an Ishikawa diagram or fish bone diagram).
529
I.2 Failure Mode Effects Analysis (FMEA) 530
FMEA (see IEC 60812) provides for an evaluation of potential failure modes for processes and
531
their likely effect on outcomes and/or product performance. Once failure modes are
532
established, risk reduction can be used to eliminate, contain, reduce or control the potential
533
failures. FMEA relies on product and process understanding. FMEA methodically breaks down
534
the analysis of complex processes into manageable steps. It is a powerful tool for summarizing
535
the important modes of failure, factors causing these failures and the likely effects of these
536
failures.
537
Potential Areas of Use(s)
538
FMEA can be used to prioritize risks and monitor the effectiveness of risk control activities.
539
FMEA can be applied to equipment and facilities and might be used to analyze a manufacturing
540
operation and its effect on product or process. It identifies elements/operations within the
541
system that render it vulnerable. The output/ results of FMEA can be used as a basis for design
542
or further analysis or to guide resource deployment.
543
I.3 Failure Mode, Effects and Criticality Analysis (FMECA) 544
FMEA might be extended to incorporate an investigation of the degree of severity of the
545
consequences, their respective probabilities of occurrence, and their detectability, thereby
546
becoming a Failure Mode Effect and Criticality Analysis (FMECA; see IEC 60812). In order
547
for such an analysis to be performed, the product or process specifications should be
548
established. FMECA can identify places where additional preventive actions might be
549
appropriate to minimize risks.
550
Potential Areas of Use(s)
551
FMECA application in the pharmaceutical industry should mostly be utilized for failures and
552
risks associated with manufacturing processes; however, it is not limited to this application.
553
The output of an FMECA is a relative risk “score” for each failure mode, which is used to rank
554
the modes on a relative risk basis.
555
I.4 Fault Tree Analysis (FTA) 556
The FTA tool (see IEC 61025) is an approach that assumes failure of the functionality of a
557
product or process. This tool evaluates system (or sub-system) failures one at a time but can
558
combine multiple causes of failure by identifying causal chains. The results are represented
559
pictorially in the form of a tree of fault modes. At each level in the tree, combinations of fault
560
modes are described with logical operators (AND, OR, etc.). FTA relies on the experts’ process
561
understanding to identify causal factors.
562
Potential Areas of Use(s)
563
FTA can be used to establish the pathway to the root cause of the failure. FTA can be used to
564
investigate complaints or deviations in order to fully understand their root cause and to ensure
565
that intended improvements will fully resolve the issue and not lead to other issues (i.e. solve
566
one problem yet cause a different problem). Fault Tree Analysis is an effective tool for
567
evaluating how multiple factors affect a given issue. The output of an FTA includes a visual
568
representation of failure modes. It is useful both for risk assessment and in developing
569
monitoring programs.
570
I.5 Hazard Analysis and Critical Control Points (HACCP) 571
HACCP is a systematic, proactive, and preventive tool for assuring product quality, reliability,
572
and safety (see WHO Technical Report Series No 908, 2003 Annex 7). It is a structured
573
approach that applies technical and scientific principles to analyze, evaluate, prevent, and
574
control the risk or adverse consequence(s) of hazard(s) due to the design, development,
575
production, and use of products.
576
HACCP consists of the following seven steps:
577
(1) conduct a hazard analysis and identify preventive measures for each step of the process;
578
(2) determine the critical control points;
579
(3) establish critical limits;
580
(4) establish a system to monitor the critical control points;
581
(5) establish the corrective action to be taken when monitoring indicates that the critical
582
control points are not in a state of control;
583
(6) establish system to verify that the HACCP system is working effectively;
584
(7) establish a record-keeping system.
585
Potential Areas of Use(s)
586
HACCP might be used to identify and manage risks associated with physical, chemical and
587
biological hazards (including microbiological contamination). HACCP is most useful when
588
product and process understanding is sufficiently comprehensive to support identification of
589
critical control points. The output of a HACCP analysis is risk management information that
590
facilitates monitoring of critical points not only in the manufacturing process but also in other
591
life cycle phases.
592 593
I.6 Hazard Operability Analysis (HAZOP) 594
HAZOP (see IEC 61882) is based on a theory that assumes that risk events are caused by
595
deviations from the design or operating intentions. It is a systematic brainstorming technique
596
for identifying hazards using so-called “guide-words”. “Guide-words” (e.g., No, More, Other
597
Than, Part of, etc.) are applied to relevant parameters (e.g., contamination, temperature) to help
598
identify potential deviations from normal use or design intentions. It often uses a team of people
599
with expertise covering the design of the process or product and its application.
600
Potential Areas of Use(s)
601
HAZOP can be applied to manufacturing processes, including outsourced production and
602
formulation as well as the upstream suppliers, equipment and facilities for drug substances and
603
drug (medicinal) products. It has also been used primarily in the pharmaceutical industry for
604
evaluating process safety hazards. As is the case with HACCP, the output of a HAZOP analysis
605
is a list of critical operations for risk management. This facilitates regular monitoring of critical
606
points in the manufacturing process.
607
I.7 Preliminary Hazard Analysis (PHA) 608
PHA is a tool of analysis based on applying prior experience or knowledge of a hazard or
609
failure to identify future hazards, hazardous situations and events that might cause harm, as
610
well as to estimate their probability of occurrence for a given activity, facility, product or
611
system. The tool consists of: 1) the identification of the possibilities that the risk event happens,
612
2) the qualitative evaluation of the extent of possible injury or damage to health that could
613
result and 3) a relative ranking of the hazard using a combination of severity and likelihood of
614
occurrence, and 4) the identification of possible remedial measures.
615
Potential Areas of Use(s)
616
PHA might be useful when analyzing existing systems or prioritizing hazards where
617
circumstances prevent a more extensive technique from being used. It can be used for product,
618
process and facility design as well as to evaluate the types of hazards for the general product
619
type, then the product class, and finally the specific product. PHA is most commonly used early
620
in the development of a project when there is little information on design details or operating
621
procedures; thus, it will often be a precursor to further studies. Typically, hazards identified in
622
the PHA are further assessed with other risk management tools such as those in this section.
623