The harmonized Q9 Quality Risk Management guideline from the International Conference on Harmonization (ICH) provides an excellent high-level framework for the use
of risk management in pharmaceutical product development and manufacturing quality decision-making applications (1–2). It
is a landmark document in acknowledging risk management as a standard and acceptable quality system practice to facilitate
good decision-making with regard to risk identification, resource prioritization, and risk mitigation/elimination, as appropriate.
Recognizing the need to propagate and expedite holistic adoption of quality risk management across the pharmaceutical industry,
the Product Quality Research Institute Manufacturing Technical Committee (PQRI–MTC) commissioned a small working group of
industry and FDA representatives to seek out good case studies of actual risk-management practices used by large bio/pharmaceutical
firms to share with the industry at large.
The working group spent approximately one year soliciting risk-management case studies from industry peers and contacts, and
ultimately reviewed more than 20 of them. Each study was graded against six multiple criteria to assess applicability, usefulness,
and alignment with ICH Q9. The highest graded case studies were measured against two additional criteria to ensure a balanced
mix of examples for this report. Due to the size of a well-developed risk assessment, especially when applied to a complex
problem or operating area, the presented case studies in most instances represent redacted versions of the actual assessments.
Nonetheless, the provided summaries are effective in demonstrating the general thought process, risk application, and use
of chosen risk methods.
As a byproduct of the working group's collaboration on risk-management practices, several common principles that reflect current
industry and regulatory thinking emerged. These principles are aligned with, and in some instances expand beyond, those defined
by ICH Q9 and are included in this report. In addition, several risk-management reference tools used by participating firms
have been included as examples.
Risk-management principles, case studies, and supporting tools used by large bio/pharmaceutical manufacturers for effective
quality oversight of product development and manufacturing operations are included in this report. Each case study notes the
applicable corresponding quality system (i.e., Quality, Facilities & Engineering, Material, Production, Packaging & Labeling,
or Laboratory Control) that is consistent with FDA's quality systems guidance document (3). In addition, the case studies
identify the risk methodology that was used for ease of categorization, understanding, and potential application by the reader.
Medical-device examples fall beyond the scope of this article, although the case studies and tools presented have relevance
to device manufacturing. See the sidebar, "PQRI case studies," for details on the topics covered.
PQRI case studies
Principles and common practices
Core principles of quality risk management according to the ICH Q9 guideline include the following:
1. Compliance with applicable laws: Risk assessment should be used to assess how to ensure compliance and to determine the
resulting prioritization for action—not for a decision regarding the need to fulfill applicable regulations or legal requirements.
2. Risk can only be effectively managed when it is identified, assessed, considered for further mitigation, and communicated.
This principle embodies the four stages of an effective quality risk-management process as defined by ICH Q9: risk assessment
(i.e., risk identification, analysis, and evaluation); risk control (i.e., risk reduction and acceptance); risk communication;
and risk review.
3. All quality risk evaluations must be based on scientific and process-specific knowledge and ultimately linked primarily
to the protection of the patient. Risk assessment is based on the strong understanding of the underlying science, applicable
regulations, and related processes involved with the risk under analysis. Collectively, these components should be assessed
first and foremost with regard to the potential impact to the patient (see Figure 1).
Figure 1: Quality risk-evaluation pyramid.
4. Effective risk management requires a sufficient understanding of the business, the potential impact of the risk, and ownership
of the results of any risk-management assessment.
5. Risk assessment must take into account the probability of a negative event in combination with the severity of that event.
This principle also serves as a useful working definition for risk (i.e., risk represents the combination of the probability
and severity of any given event).
6. It is not necessary or appropriate to always use a formal risk-management process (e.g., standardized tools). Rather, the
use of an informal risk-management process (e.g., empirical assessment) is acceptable for areas that are less complex and
that have lower potential risk. Risk decisions are made by industry every day. The complexity of the events surrounding each
decision and the potential risk involved are important inputs in determining the appropriate risk-assessment methodology and
corresponding level of analysis required. For less complex, less risky decisions, a qualitative analysis (e.g., decision tree)
of the options may be all that is required. In general, as the complexity and/or risk increases, so should the sophistication
of the risk-assessment tool used. In the same regard, the level of documentation of the risk-management process to render
an appropriate risk assessment should be commensurate with the level of risk (2). See Figure 2 for details.
Figure 2: Documentation level.