ICH Q9:

QUALITY RISK MANAGEMENT

Seetharam Kandarpa
ASQ-
ASQ-CPGP & ASQ-
ASQ-CQA

1
 Objective
• Introduction to ICH Q9: Quality Risk
Management

• Guiding through the content of the ICH

Q9 document

• Providing some considerations, possible

interpretations and where appropriate
examples
2
 Introduction to
ICH Q9: Quality Risk Management (QRM)

• Document is available on the ICH Webpage

www.ich.org

3
 Introduction to
ICH Q9: Quality Risk Management (QRM)

ICH Q9

4
 Basic Terms
• Harm:
– Damage to health, including the damage that can occur from
loss of product quality or availability.
• Hazard:
– The potential source of harm (ISO/IEC Guide 51).
• Risk:
– The combination of the probability of occurrence of harm and the
severity of that harm (ISO/IEC Guide 51).
• Severity:
– A measure of the possible consequences of a hazard.
• Detectability:
– The ability to discover or determine the existence, presence, or
fact of a hazard.

5
 Basic Terms
• Quality:
– The degree to which a set of inherent properties of a product,
system or process fulfills requirements (see ICH Q6A definition
specifically for "quality" of drug substance and drug (medicinal)
products.)
• Quality Risk Management:
– A systematic process for the assessment, control,
communication and review of risks to the quality of the drug
(medicinal) product across the product lifecycle.
• Quality System:
– The sum of all aspects of a system that implements quality policy
and ensures that quality objectives are met.

6
 Basic Terms
• Risk Assessment:
– A systematic process of organizing information to support a risk
decision to be made within a risk management process. It
consists of the identification of hazards and the analysis and
evaluation of risks associated with exposure to those hazards.
• Risk Identification:
– The systematic use of information to identify potential sources of
harm (hazards) referring to the risk question or problem
description.
• Risk Analysis:
– The estimation of the risk associated with the identified hazards.
• Risk Evaluation:
– The comparison of the estimated risk to given risk criteria using
a quantitative or qualitative scale to determine the significance of
the risk. 7
 Basic Terms
• Risk Control:
– Actions implementing risk management decisions (ISO Guide
73).
• Risk Reduction:
– Actions taken to lessen the probability of occurrence of harm and
the severity of that harm.
• Risk Acceptance:
– The decision to accept risk (ISO Guide 73).
• Risk Management:
– The systematic application of quality management policies,
procedures, and practices to the tasks of assessing, controlling,
communicating and reviewing risk.

8
 Basic Terms
• Risk Communication:
– The sharing of information about risk and risk management
between the decision maker and other stakeholders.
• Risk Review:
– Review or monitoring of output/results of the risk management
process considering (if appropriate) new knowledge and
experience about the risk.
• Requirements:
– The explicit or implicit needs or expectations of the patients or
their surrogates (e.g., health care professionals, regulators and
legislators). In this document, “requirements” refers not only to
statutory, legislative, or regulatory requirements, but also to such
needs and expectations.

9
 Basic Terms
• Decision Maker(s):
– Person(s) with the competence and authority to make
appropriate and timely quality risk management decisions.
• Product Lifecycle:
– All phases in the life of the product from the initial development
through marketing until the product’s discontinuation.
• Trend:
– A statistical term referring to the direction or rate of change of a
variable(s).
• Stakeholder:
– Any individual, group or organization that can affect, be affected
by, or perceive itself to be affected by a risk. Decision makers
might also be stakeholders. For the purposes of this guideline,
the primary stakeholders are the patient, healthcare
professional, regulatory authority, and industry. 10
 Table of contents

1. Introduction
2. Scope
3. Principles of Quality Risk Management
4. General Quality Risk Management Process
5. Risk Management Methodology
Annex I: Risk Management Methods and Tools
6. Integration of QRM process
into Industry and Regulatory operations
Annex II: Potential Applications for QRM
7. Definitions
8. References

11
 1. Introduction

Risk Management
Quality Risk Management
Quality Systems
Harm
Severity
Stakeholder
Product Life Cycle
GMP Compliance

12
 2. Scope
This guideline provides
principles & examples of tools
of quality risk management that can be applied to
different aspects of pharmaceutical quality.
These aspects include development, manufacturing,
distribution, and the inspection and submission/review
processes throughout the lifecycle
of drug substances, drug (medicinal) products,
biological and biotechnological products
13
 2. Scope

• Drug substances,
• Drug (medicinal) products,
• Biological and biotechnological products

Including the selection and use of

– Raw materials
– Solvents
– Excipients
– Packaging and labelling materials
– Components

14
 3. Principles of Quality Risk Management

Two primary principles:

The evaluation of The level of effort,

the risk to quality formality and
should be based on documentation
scientific knowledge of the quality risk
and ultimately link management process
to the protection should be commensurate
of the patient with the level of risk

15
 4. General Quality Risk Management Process

Systematic processes
designed to
coordinate, facilitate and improve
science--based decision making
science
with respect to risk to quality

16
 4. General Quality Risk Management Process
Initiate
Quality Risk Management Process

Risk Assessment

Risk Identification

Risk Analysis

Risk Evaluation
unacceptable

Ris
on

sk Management tools
Risk Communicatio

Risk Control

Risk Reduction

Risk Acceptance

Team Output / Result of the

approach Quality Risk Management Process

Risk Review

Review Events

17
 4. General Quality Risk Management Process

Decision makers:
Person(s)
with competence and authority
to make a decision

• Ensuring that
ongoing Quality Risk Management processes operate

responsibility
Management
• Coordinating
quality risk management process
across various functions and departments
• Supporting
the team approach
18
 4. General Quality Risk Management Process

Team approach
• Usually, but not always, undertaken by interdisciplinary
teams from areas appropriate to the risk being considered
e.g.
– Quality unit
– Development
– Engineering / Statistics
– Regulatory affairs
– Production operations
– Business, Sales and Marketing
– Legal
– Medical / Clinical
– &… Individuals knowledgeable of the QRM processes
19
 4. General Quality Risk Management Process

When to initiate and plan a QRM Process

• First define the question which should be answered (e.g.
a problem and/or risk question)
– including pertinent assumptions identifying
the potential for risk
• Then assemble background information and/ or data on
the potential hazard, harm or human health impact
relevant to the risk
– Identify a leader and necessary resources Initiate Quality
Risk Management Process

– Specify a timeline, deliverables and

Risk Assessment
Risk Identification

Risk Analysis

Risk Evaluation

appropriate level of decision making

Risk Management tools

Risk Communication
unacceptable

Risk Control
Risk Reduction

Risk Acceptance

for the QRM process Output / Result of the Quality

Risk Management Process

Risk Review

20
Review Events
 When to apply Quality Risk Management?

Should risks
be assessed?
1. What might go wrong?
2. What is the likelihood (probability)
Are there clear rules it will go wrong?
No or 3. What are the consequences (severity)?
for decision making? justification needed
e.g. regulations

Can you answer

the risk assessment
questions? No
“formal RM“

Yes Agree on a team

Yes (small project)
“informal RM“
“no RM“

Risk assessment not required Initiate Risk assessment Select a Risk Management tool
(No flexibility) (risk identification, analysis & evaluation) (if appropriate e.g. see ICH Q9 Annex I)

Follow procedures Run risk control Carry out the

(e.g. Standard Operating Procedures) (select appropriate measures) quality risk management process

Document results,
decisions and actions Document the steps

21
 4. General Quality Risk Management Process

Risk Assessment
3 fundamental
• Risk Identification
questions
What might go wrong?
• Risk Analysis
What is the likelihood (probability) it will go wrong?
• Risk Evaluation
What are the consequences (severity)?
Note: People often use terms
Initiate Quality

“Risk analysis”, “Risk assessment” and

Risk Management Process

Risk Assessment
Risk Identification

Risk Analysis

“Risk management” interchangeably Risk Evaluation

Risk Management tools

Risk Communication
unacceptable

Risk Control
Risk Reduction

which is incorrect! Risk Acceptance

Output / Result of the Quality

Risk Management Process

Risk Review

22
Review Events
 4. General Quality Risk Management Process

Risk Assessment: Risk Identification

“What might go wrong?”

• A systematic use of information

to identify hazards
referring to the risk question or problem
– historical data
– theoretical analysis
Initiate Quality

– informed opinions
Risk Management Process

Risk Assessment
Risk Identification

Risk Analysis

– concerns of stakeholders
Risk Evaluation

Risk Management tools

Risk Communication
unacceptable

Risk Control
Risk Reduction

Risk Acceptance

Output / Result of the Quality

Risk Management Process

Risk Review

23
Review Events
 4. General Quality Risk Management Process

Risk Assessment: Risk Analysis

“What is the likelihood it will go wrong?”

• The estimation of the risk

associated with the identified hazards.
• A qualitative or quantitative process of linking the
likelihood of occurrence and severity of harm
• Consider detectability if applicable Initiate Quality
Risk Management Process

Risk Assessment

(used in some tools)

Risk Identification

Risk Analysis

Risk Evaluation

Risk Management tools

Risk Communication
unacceptable

Risk Control
Risk Reduction

Risk Acceptance

Output / Result of the Quality

Risk Management Process

Risk Review

24
Review Events
 4. General Quality Risk Management Process

Risk Assessment: Risk Analysis

Often data driven
Keep in mind:
Statistical approach may or may not be
used
• Maintain a robust data set!
• Start with the more extensive data set and reduce it
• Trend and use statistics (e.g. extrapolation)
• Comparing between different sets requires compatible Initiate Quality
Risk Management Process

data
Risk Assessment
Risk Identification

Risk Analysis

Risk Evaluation

Risk Management tools

Risk Communication
unacceptable

• Data must be reliable Risk Control

Risk Reduction

Risk Acceptance

Output / Result of the Quality

Risk Management Process

• Data must be accessible 25

Risk Review
Review Events
 4. General Quality Risk Management Process

Risk Assessment: Risk Evaluation

“What is the risk?”

• Compare the identified and analysed risk

against given risk criteria

• Consider the strength of evidence

for all three of the fundamental questions
– What might go wrong?
Initiate Quality

– What is the likelihood (probability) it will go wrong?

Risk Management Process

Risk Assessment
Risk Identification

Risk Analysis

– What are the consequences (severity)? Risk Evaluation

Risk Management tools

Risk Communication
unacceptable

Risk Control
Risk Reduction

Risk Acceptance

Output / Result of the Quality

Risk Management Process

Risk Review

26
Review Events
 4. General Quality Risk Management Process

Risk Assessment: Risk Evaluation

A picture of the life cycle = Risk Priority Number

Probability x Detectability x Severity

Can you find it?

Data refers to

• Frequency of
“occurences”

Impact
driven by
the number
of trials
• Degree
of belief

past today future time

27
 4. General Quality Risk Management Process

Risk Control: Decision-making activity

• Is the risk above an acceptable level?

• What can be done to reduce or eliminate risks?
• What is the appropriate balance
between benefits, risks and resources?
• Are new risks introduced as
a result of the identified Initiate Quality
Risk Management Process

Risk Assessment

risks being controlled? Risk Identification

Risk Analysis

Risk Evaluation

Risk Management tools

Risk Communication
unacceptable

Risk Control
Risk Reduction

Risk Acceptance

Output / Result of the Quality

Risk Management Process

Risk Review

28
Review Events
 4. General Quality Risk Management Process

Risk Control: Residual Risk

• The residual risk consists of e.g.

– Hazards that have been assessed and
risks that have been accepted
– Hazards which have been identified but
the risks have not been correctly assessed
– Hazards that have not yet been identified
– Hazards which are not yet linked to the patient risk
• Is the risk reduced to an acceptable level? Initiate Quality
Risk Management Process

Risk Assessment
Risk Identification

Risk Analysis

– Fulfil all legal and internal obligations Risk Evaluation

Risk Management tools

Risk Communication
unacceptable

Risk Control
Risk Reduction

– Consider current scientific knowledge & techniques Risk Acceptance

Output / Result of the Quality

Risk Management Process

Risk Review
Review Events

29
 4. General Quality Risk Management Process

Risk Control: Risk Reduction

• Mitigation or avoidance of quality risk

• Elimination of risks, where appropriate
• Focus actions on severity and/or probability
of harm; don’t forget detectability
• It might be appropriate to revisit the
risk assessment during the life cycle
Initiate Quality

for new risks or increased significance

Risk Management Process

Risk Assessment
Risk Identification

Risk Analysis

of existing risks Risk Evaluation

Risk Management tools

Risk Communication
unacceptable

Risk Control
Risk Reduction

Risk Acceptance

Output / Result of the Quality

Risk Management Process

Risk Review

30
Review Events
 4. General Quality Risk Management Process

Risk Control: Risk Acceptance

• Decision to
> Accept the residual risk
> Passively accept non specified residual risks

• May require support by (senior) management

> Applies to both industry and competent authorities Initiate Quality
Risk Management Process

Risk Assessment
Risk Identification

Risk Analysis

Risk Evaluation

Risk Management tools

Risk Communication
unacceptable

• Will always be made on a case-by-case basis Risk Control

Risk Reduction

Risk Acceptance

Output / Result of the Quality

Risk Management Process

Risk Review

31
Review Events
 4. General Quality Risk Management Process

Risk Control: Risk Acceptance

• Discuss the appropriate balance between

benefits, risks, and resources
• Focus on the patients’ interests and
good science/data
• Risk acceptance is not
– Inappropriately interpreting Initiate Quality
Risk Management Process

data and information

Risk Assessment
Risk Identification

Risk Analysis

Risk Evaluation

Risk Management tools

Risk Communication
unacceptable

– Hiding risks from management / Risk Control

Risk Reduction

Risk Acceptance

competent authorities Output / Result of the Quality

Risk Management Process

Risk Review
Review Events

32
 What is an “acceptable risk”?

Risk Control: Risk Acceptance

Who has to accept risk?
• Decision Maker(s)
– Person(s) with the competence and authority
to make appropriate and timely
quality risk management decisions
• Stakeholder
– Any individual, group or organization
that can …be affected by a risk
– Decision makers might also be stakeholders
– The primary stakeholders are the patient, healthcare
professional, regulatory authority, and industry
– The secondary stakeholders are
patient associations, public opinions, politicians
33
 4. General Quality Risk Management Process

A Risk Risk reduction step

finished
Acceptance process
1/3 Finish baseline for
risk acceptance decision
risk identification, risk analysis,
risks evaluation, risks reduction

Stakeholders
No
involved as appropiate?

Yes

Revisit All identified Initiate Quality

Risk Management Process

No Risk Assessment

risk assessment step risks assessed? Risk Identification

Risk Analysis

Risk Evaluation

Risk Management tools

Risk Communication
unacceptable

Risk Control
Risk Reduction

Yes Risk Acceptance

Output / Result of the Quality

Risk Management Process

Risk Review
Review Events

34
 4. General Quality Risk Management Process

Measures/
actions needed?

Yes

Evaluate measures
on severity, probability, detectability

Check needed resources

e.g. employee, money

A Risk No Measures / Actions Revisit

Acceptance appropriate?
No
risk reduction step

process Yes

2/3
Other hazards
Yes
caused?
Initiate Quality
Risk Management Process

Risk Assessment
Risk Identification

No Risk Analysis

Risk Evaluation

Risk Management tools

Risk Communication
unacceptable

Risk Control
Risk Reduction

Is a risk Risk Acceptance

Output / Result of the Quality

reducible? Risk Management Process

Risk Review
Review Events

35
 4. General Quality Risk Management Process

A Risk Acceptance process 3/3

Is a risk
No
reducible?

Yes

Revisit No
Accept the Yes
Advantage
risk assessment step residual risk? outweighs risk?

Yes No

Accept risk Risk not acceptable

Sign off documentation Sign off documentation

Initiate Quality
Risk Management Process

Ready for communication Risk Assessment

Risk Identification

Risk Analysis

Risk Evaluation

Risk Management tools

Risk Communication
unacceptable

Risk Control
Risk Reduction

Risk Acceptance

Output / Result of the Quality

Risk Management Process

Risk Review
Review Events

36
 4. General Quality Risk Management Process

Risk Communication
• Bi-directional sharing of information about risk and risk
management
between the decision makers and others
• Communicate at any stage of the QRM process
• Communicate and document
the output/result of the QRM process appropriately
• Communication need not be carried out
for each and every individual risk acceptance Initiate Quality
Risk Management Process

Risk Assessment
Risk Identification

Risk Analysis

• Use existing channels as specified in Risk Evaluation

Risk Management tools

Risk Communication
unacceptable

Risk Control
Risk Reduction

regulations, guidance and SOP’s Risk Acceptance

Output / Result of the Quality

Risk Management Process

Risk Review

37
Review Events
 4. General Quality Risk Management Process

Risk Communication

• Exchange or sharing of information, as appropriate

• Sometimes formal sometimes informal

– Improve ways of thinking and communicating

• Increase transparency
Initiate Quality
Risk Management Process

Risk Assessment
Risk Identification

Risk Analysis

Risk Evaluation

Risk Management tools

Risk Communication
unacceptable

Risk Control
Risk Reduction

Risk Acceptance

Output / Result of the Quality

Risk Management Process

Risk Review

38
Review Events
 Quality risk management
Communication
facilitates trust
and understanding

Regulators Industry
operation operation
- Reviews - Submissions
- Inspections - Manufacturing

39
 4. General Quality Risk Management Process

Risk review: Review Events

• Review the output / results of the QRM process

• Take into account new knowledge and experience
• Utilise for planned or unplanned events
• Implement a mechanism to review or monitor events
• Reconsideration of risk acceptance decisions,
as appropriate
Initiate Quality
Risk Management Process

Risk Assessment
Risk Identification

Risk Analysis

Risk Evaluation

Risk Management tools

Risk Communication
unacceptable

Risk Control
Risk Reduction

Risk Acceptance

Output / Result of the Quality

Risk Management Process

Risk Review

40
Review Events
5. Risk Management Methodology

One method
“all inclusive”?

Initiate Quality
Risk Management Process

Risk Assessment
Risk Identification

Risk Analysis

Risk Evaluation

Risk Management tools

Risk Communication
unacceptable

Risk Control
Risk Reduction

Risk Acceptance

Output / Result of the Quality

Risk Management Process

Risk Review

41
Review Events
 Expectations on methods and tools

• Supports science-based decisions

• A great variety are listed but other existing or
new ones might also be used
• No single tool is appropriate for all cases
• Specific risks do not always require the same tool
• Using a tool the level of detail of an investigation will vary
according to the risk from case to case
• Different companies, consultancies and competent
authorities may promote use of different tools based on
their culture and experiences
42
 Contributing items to manage quality risks

• System Risk (facility & people)

– e.g. interfaces, operators risk, environment,
components such as equipment, IT, design elements

• System Risk (organisation)

– e.g. Quality systems, controls, measurements,
documentation, regulatory compliance
• Process Risk
– e.g. process operations and quality parameters

• Product Risk (safety & efficacy)

– e.g. quality attributes:
measured data according to specifications
43
 5. Risk Management Methodology

• Supports a scientific and practical approach to

decision-making

• Accomplishing steps of the QRM process

– Provides documented, transparent and
reproducible methods
– Assessing current knowledge
– Assessing probability, severity and
sometimes detectability Initiate Quality
Risk Management Process

Risk Assessment
Risk Identification

Risk Analysis

Risk Evaluation

Risk Management tools

Risk Communication
unacceptable

Risk Control
Risk Reduction

Risk Acceptance

Output / Result of the Quality

Risk Management Process

Risk Review

44
Review Events
 5. Risk Management Methodology

• Adapt the tools for use in specific areas

• Combined use of tools may provide flexibility
• The degree of rigor and formality of QRM
– Should be commensurate with the complexity and
/ or criticality of the issue to be addressed and
reflect available knowledge
• Informal ways Initiate Quality
Risk Management Process

Risk Assessment

– empirical methods and / or Risk Identification

Risk Analysis

Risk Evaluation

Risk Management tools

Risk Communication
unacceptable

internal procedures Risk Control

Risk Reduction

Risk Acceptance

Output / Result of the Quality

Risk Management Process

Risk Review

45
Review Events
 Annex I: Risk Management Methods and Tools

• Provides a general overview of

and references for some of the primary tools
• Might be used in QRM by industry and regulators
• This is not an exhaustive list
• No one tool or set of tools is applicable to every situation
in which a QRM procedure is used
• For each of the tools
– Short description & reference Initiate Quality
Risk Management Process

Risk Assessment
Risk Identification

– Strength and weaknesses

Risk Analysis

Risk Evaluation

Risk Management tools

Risk Communication
unacceptable

Risk Control
Risk Reduction

– Purely illustrative examples Risk Acceptance

Output / Result of the Quality

Risk Management Process

Risk Review

46
Review Events
 Overview: Some tools and their key words

• Failure Mode Effects Analysis (FMEA)

– Break down large complex processes into manageable steps
• Failure Mode, Effects and Criticality Analysis (FMECA)
– FMEA & links severity, probability & detectability to criticality
• Fault Tree Analysis (FTA)
– Tree of failure modes combinations with logical operators
• Hazard Analysis and Critical Control Points (HACCP)
– Systematic, proactive, and preventive method on criticality
• Hazard Operability Analysis (HAZOP)
– Brainstorming technique
• Preliminary Hazard Analysis (PHA) Initiate Quality
Risk Management Process

Risk Assessment
Risk Identification

– Possibilities that the risk event happens Risk Analysis

Risk Evaluation

Risk Management tools

Risk Communication
unacceptable

Risk Control

• Risk ranking and filtering Risk Reduction

Risk Acceptance

Output / Result of the Quality

– Compare and prioritize risks with factors for each risk

Risk Management Process

Risk Review

47
Review Events
 5. Risk Management Methodology

• Supporting statistical tools

– Acceptance Control Charts (see ISO 7966)
– Control Charts (for example)

Control Charts with Arithmetic Average and
Warning Limits (see ISO 7873)

Cumulative Sum Charts; “CuSum” (see ISO 7871)

Shewhart Control Charts (see ISO 8258)

Weighted Moving Average
– Design of Experiments (DOE)

Pareto Charts
Initiate Quality

– Process Capability Analysis

Risk Management Process

Risk Assessment
Risk Identification

Risk Analysis

– Histograms
Risk Evaluation

Risk Management tools

Risk Communication
unacceptable

Risk Control
Risk Reduction

Risk Acceptance

– Use others that you are familiar with…. Output / Result of the Quality
Risk Management Process

Risk Review

48
Review Events
 5. Risk Management Methodology

Q9 does not provide

“drivers licences”
49
 6. Integration into
Industry and Regulatory Operations

• Foundation for “science-based” decisions

• Does not obviate industry’s obligation
to comply with regulatory requirements
• May affect the extent and level
of direct regulatory oversight
• Degree of rigor and formality commensurate with the
complexity and/or criticality of the issue
• Implement QRM principles when updating
existing guidelines

50
 Annex II: Potential Applications for QRM

This Annex is intended to identify potential uses of quality risk

management principles and tools by industry and regulators.

However, the selection of particular risk management tools is

completely dependent upon specific facts and circumstances.

These examples are provided for illustrative purposes and

only suggest potential uses of quality risk management.

This Annex is not intended to create any new expectations

beyond the current regulatory requirements.
51
 Annex II: Potential Applications for QRM

Quality risk management as part of

• Integrated quality management
– Documentation
Competent
– Training and education authorities
– Quality defects
Industry
– Auditing / Inspection
– Periodic review
– Change management / change control
– Continual improvement

52
 Annex II: Potential opportunities
for conducting quality risk management

Quality risk management as part of

• Regulatory operations Competent
authorities
> Inspection and assessment activities

• Industry operations
– Development
– Facilities, equipment and utilities Industry
– Materials management
– Production Competent
authorities
– Laboratory control and stability testing
– Packaging and labelling
53
 COMMUNICATION

Preliminary Hazard Analysis

Fault Tree Analysis FTA

Failure Mode, Effects & Criticality Analysis FMECA

Failure Mode Effect Analysis FMEA

ICH Q9
TOOLS PRODUCTION
Hazard Operatibility Analysis Quality Risk
MATERIALS
Hazard Analysis & Critical Control Points Management

QUALITY SYSTEM
54
 Initiate
Quality Risk Management Process

Risk Assessment

Risk Identification

Risk Analysis

Risk Evaluation
unacceptable

Risk Managem
mmunication

Risk Control

Risk Reduction
Risk Com

ment tools
Risk Acceptance

Output / Result of the

Quality Risk Management Process

Risk Review

Review Events

Use the right “risk” expression

55
please!
Thanks

56