Quality Risk-Management Principles and PQRI Case Studies

A PQRI expert working group provides case study examples of risk-management applications.
Jul 02, 2011
Volume 35, Issue 7

The harmonized Q9 Quality Risk Management guideline from the International Conference on Harmonization (ICH) provides an excellent high-level framework for the use of risk management in pharmaceutical product development and manufacturing quality decision-making applications (1–2). It is a landmark document in acknowledging risk management as a standard and acceptable quality system practice to facilitate good decision-making with regard to risk identification, resource prioritization, and risk mitigation/elimination, as appropriate.

Recognizing the need to propagate and expedite holistic adoption of quality risk management across the pharmaceutical industry, the Product Quality Research Institute Manufacturing Technical Committee (PQRI–MTC) commissioned a small working group of industry and FDA representatives to seek out good case studies of actual risk-management practices used by large bio/pharmaceutical firms to share with the industry at large.

The working group spent approximately one year soliciting risk-management case studies from industry peers and contacts, and ultimately reviewed more than 20 of them. Each study was graded against six multiple criteria to assess applicability, usefulness, and alignment with ICH Q9. The highest graded case studies were measured against two additional criteria to ensure a balanced mix of examples for this report. Due to the size of a well-developed risk assessment, especially when applied to a complex problem or operating area, the presented case studies in most instances represent redacted versions of the actual assessments. Nonetheless, the provided summaries are effective in demonstrating the general thought process, risk application, and use of chosen risk methods.

As a byproduct of the working group's collaboration on risk-management practices, several common principles that reflect current industry and regulatory thinking emerged. These principles are aligned with, and in some instances expand beyond, those defined by ICH Q9 and are included in this report. In addition, several risk-management reference tools used by participating firms have been included as examples.


PQRI case studies
Risk-management principles, case studies, and supporting tools used by large bio/pharmaceutical manufacturers for effective quality oversight of product development and manufacturing operations are included in this report. Each case study notes the applicable corresponding quality system (i.e., Quality, Facilities & Engineering, Material, Production, Packaging & Labeling, or Laboratory Control) that is consistent with FDA's quality systems guidance document (3). In addition, the case studies identify the risk methodology that was used for ease of categorization, understanding, and potential application by the reader. Medical-device examples fall beyond the scope of this article, although the case studies and tools presented have relevance to device manufacturing. See the sidebar, "PQRI case studies," for details on the topics covered.

Principles and common practices

Core principles of quality risk management according to the ICH Q9 guideline include the following:

1. Compliance with applicable laws: Risk assessment should be used to assess how to ensure compliance and to determine the resulting prioritization for action—not for a decision regarding the need to fulfill applicable regulations or legal requirements.

2. Risk can only be effectively managed when it is identified, assessed, considered for further mitigation, and communicated. This principle embodies the four stages of an effective quality risk-management process as defined by ICH Q9: risk assessment (i.e., risk identification, analysis, and evaluation); risk control (i.e., risk reduction and acceptance); risk communication; and risk review.

Figure 1: Quality risk-evaluation pyramid.
3. All quality risk evaluations must be based on scientific and process-specific knowledge and ultimately linked primarily to the protection of the patient. Risk assessment is based on the strong understanding of the underlying science, applicable regulations, and related processes involved with the risk under analysis. Collectively, these components should be assessed first and foremost with regard to the potential impact to the patient (see Figure 1).

4. Effective risk management requires a sufficient understanding of the business, the potential impact of the risk, and ownership of the results of any risk-management assessment.

5. Risk assessment must take into account the probability of a negative event in combination with the severity of that event. This principle also serves as a useful working definition for risk (i.e., risk represents the combination of the probability and severity of any given event).

Figure 2: Documentation level.
6. It is not necessary or appropriate to always use a formal risk-management process (e.g., standardized tools). Rather, the use of an informal risk-management process (e.g., empirical assessment) is acceptable for areas that are less complex and that have lower potential risk. Risk decisions are made by industry every day. The complexity of the events surrounding each decision and the potential risk involved are important inputs in determining the appropriate risk-assessment methodology and corresponding level of analysis required. For less complex, less risky decisions, a qualitative analysis (e.g., decision tree) of the options may be all that is required. In general, as the complexity and/or risk increases, so should the sophistication of the risk-assessment tool used. In the same regard, the level of documentation of the risk-management process to render an appropriate risk assessment should be commensurate with the level of risk (2). See Figure 2 for details.

lorem ipsum