ICH Q9 (R1), ICH guideline, Quality Risk Management, Risk Assessment, Risk Control, Risk management methodology, Risk analysis, Risk evaluation, Failure Mode Effects Analysis (FMEA)
In the pharmaceutical industry, ensuring product quality and patient safety is paramount. This is where ICH Guideline Q9 (R1) on Quality Risk Management plays a crucial role. This guideline provides a systematic framework for assessing, controlling, communicating, and reviewing risks throughout the entire product lifecycle. By implementing effective quality risk management (QRM), pharmaceutical companies can ensure that their products consistently meet stringent quality standards and patient needs.
Principles of Quality Risk Management
Two primary principles of quality risk management are:
- The evaluation of the risk to quality should be based on scientific knowledge and considering safety of the patient.
- The level of effort, work and documentation of the quality risk management process should be corresponding with the level of risk.
Quality risk management process
Quality risk management is a systematic process for the assessment, control, communication and review of risks to the quality of the drug (medicinal product) across the product lifecycle.
Following are the components of the Quality risk management process.
- Responsibilities
- Initiating a Quality Risk Management Process
- Risk Assessment
- Risk Control
- Risk management methodology
- Risk Communication
- Risk Review
Overview of a typical quality risk management process
1. Responsibilities
Quality risk management activities are usually undertaken by interdisciplinary teams. Quality risk management should include experts from all the appropriate areas (e.g., Production or Product development, Quality Assurance, Quality Control, engineering, regulatory affairs, supply chain, legal, statistics and clinical) who are knowledgeable about the quality risk management process.
2. Initiating a Quality Risk Management Process
Quality risk management should include systematic processes designed to coordinate, facilitate and improve science-based decision-making with respect to risk.
Possible steps used to initiate and plan a quality risk management process might include the following:
- Define the problem and/ identifying the potential for risk;
- Assemble background information on the potential hazard or health impact relevant to the risk;
- Specify a timeline for the risk management process.
3. Risk Assessment
Risk assessment consists of the identification of hazards and the analysis and evaluation of risks associated with exposure to those hazards.
- Hazard identification
- Risk analysis
- Risk evaluation
To clearly defining the risks for risk assessment purposes, three fundamental questions are often helpful:
- What might go wrong?
- What is the likelihood (probability) it will go wrong?
- What are the consequences (severity)?
Hazard identification is a systematic use of information to identify hazards. Information can include historical data, theoretical analysis, informed opinions, and the concerns of individuals. Hazard identification addresses the “What might go wrong?” question, including identifying the possible consequences.
Risk analysis is the estimation of the risk associated with the identified hazards. It is the qualitative or quantitative process of linking the likelihood of occurrence and severity of harms. In some risk management tools, the ability to detect the harm (detectability) also factors in the estimation of risk.
Risk evaluation compares the identified and analyzed risk against given risk criteria. Risk evaluations consider the strength of evidence for all three of the fundamental questions. In doing an effective risk assessment, the robustness of the data set is important because it determines the quality of the output. Revealing assumptions and reasonable sources of uncertainty will enhance confidence in this output and/or help identify its limitations.
The output of a risk assessment is either a quantitative estimate of risk or a qualitative description of a range of risk. When risk is expressed quantitatively, a numerical probability is used. Alternatively, risk can be expressed using qualitative descriptors, such as “high”, “medium”, or “low”.
4. Risk Control
Risk control includes decision-making to reduce and/or accept risks. The purpose of risk control is to reduce the risk to an acceptable level. The amount of effort used for risk control should be proportional to the significance of the risk. Decision makers might use different processes, including benefit-cost analysis, for understanding the optimal level of risk control.
Risk control might focus on the following questions:
- Is the risk above an acceptable level?
- What can be done to reduce or eliminate risks?
- What is the appropriate balance among benefits, risks and resources?
- Are new risks introduced as a result of the identified risks being controlled?
Risk reduction focuses on processes for mitigation or avoidance of quality risk when it exceeds a specified (acceptable) level. Risk reduction might include actions taken to mitigate the severity and probability of harm. Processes that improve the detectability of hazards and quality risks might also be used as part of a risk control strategy. The implementation of risk reduction measures can introduce new risks into the system or increase the significance of other existing risks. Hence, it might be appropriate to revisit the risk assessment to identify and evaluate any possible change in risk after implementing a risk reduction process.
Risk acceptance is a decision to accept risk. For some types of harms, even the best quality risk management practices might not entirely eliminate risk. In these circumstances, it might be agreed that an appropriate quality risk management strategy has been applied and that quality risk is reduced to a specified (acceptable) level. This (specified) acceptable level will depend on many parameters and should be decided on a case-by-case basis.
5. Risk management methodology
Quality risk management supports a scientific and practical approach to decision-making. It provides documented, transparent and reproducible methods to accomplish steps of the quality risk management process based on current knowledge about assessing the probability, severity and sometimes detectability of the hazards, and their associated risks.
The pharmaceutical industry and regulators can assess and manage risk using recognized risk management tools or internal procedures (e.g., standard operating procedures). Below are the list of some of these tools:
- Basic risk management facilitation methods (flowcharts, check sheets etc.);
- Failure Mode Effects Analysis (FMEA);
- Failure Mode, Effects and Criticality Analysis (FMECA);
- Fault Tree Analysis (FTA);
- Hazard Analysis and Critical Control Points (HACCP);
- Hazard Operability Analysis (HAZOP);
- Preliminary Hazard Analysis (PHA);
- Risk ranking and filtering;
- Supporting statistical tools
6. Risk Communication
Risk communication is the sharing of information about risk and risk management between the decision makers and others. Parties can communicate at any stage of the risk management process. The output/result of the quality risk management process should be appropriately communicated and documented.
7. Risk Review
Risk management should be an ongoing part of the quality management process. A mechanism to review or monitor events should be implemented.
The output/results of the risk management process should be reviewed to take into account new knowledge and experience. Once a quality risk management process has been initiated, that process should continue to be utilized for events that might impact the original quality risk management decision, whether these events are planned (e.g., results of product review, inspections, audits, change control) or unplanned (e.g., root cause from failure investigations, recall).
The frequency of any review should be based upon the level of risk. Risk review might include reconsideration of risk acceptance decisions.