Navigating the Formality Spectrum in ICH Q9(R1)

The International Council for Harmonisation’s (ICH) Q9 Quality Risk Management (QRM) guideline was published in 2005. The guideline went through a major revision in 2023, with the European Medicine Agency (EMA) publishing its endorsement of ICH Q9(R1), to become effective on July 26, 2023. The update was prompted by changes in the pharmaceutical industry and regulatory landscape, as well as advances in science and technology and stakeholder feedback. ICH Q9’s revision provides guidance on QRM for the pharmaceutical industry and regulatory environment. Its purpose is to improve decision-making by offering a systematic approach that complements existing quality practices and guidelines. The revision focuses on the principles and tools of QRM, aiming to enable consistent and effective risk-based decisions for drug substances and products throughout their lifecycle. It does not create new expectations beyond current regulatory requirements. The document emphasizes that understanding formality in quality risk management can optimize resource usage and support risk-based decision-making by reflecting the level of importance, uncertainty, and complexity of the decision (1).

Furthermore, the revised ICH Q9 maintains alignment with other ICH guidelines, such as ICH Q8 (2), Q10 (3), and Q11 (4), which cover pharmaceutical development, quality systems, and drug substance development and manufacture, respectively.

Background

ICH Q9(R1) was revised to address formality among other topics and offer guidance on the appropriate level of formality to be used in a QRM process. The previous version of the guideline did not provide clear direction on the level of formality necessary for risk management processes, resulting in inconsistencies in how risk management was executed by different organizations.

The updated ICH Q9(R1) emphasizes the importance of balancing formality with practicality in risk management. It recommends that the degree of formality used in a risk management process should be commensurate with the potential risks involved, the complexity of the process, and the unique needs of the organization. The guideline presents examples of both formal and informal risk management processes and stresses that the level of formality used should be tailored to the specific situation (1).

Furthermore, a survey was conducted during a Pharmaceutical Inspection and Cooperation Scheme (PIC/S) QRM meeting in Taiwan in September 2018 to explore good manufacturing practice (GMP) inspectors’ understanding and views on formality in QRM. The survey involved 27 inspectors from 14 countries, and the results showed that there was a need for clarity and guidance on formal QRM and less formal QRM applications. Most of the
respondents (85%) suggested that the revision of ICH Q9 should clarify formal and informal QRM, while only 22% understood the concepts well. However, 81% of the respondents supported the use of informal risk management processes. Additionally, 76% of the inspectors felt that additional guidance was needed on what constitutes formal and informal QRM (5).

By providing guidance on the appropriate level of formality for a risk management process, ICH Q9(R1) ensures effective and efficient risk management. It also promotes consistency and transparency in risk management practices across organizations.

Formality in QRM

Formality in QRM is not a black-and-white concept, as varying degrees of formality can be applied during QRM activities, such as when making risk-based decisions. Formality can be viewed as a continuum that ranges from low to high. When deciding how much formality to apply to a QRM activity, there are several factors to consider. These factors include uncertainty, importance, and complexity (1).

Uncertainty refers to the lack of knowledge about hazards, harms, and associated risks. The level of uncertainty associated with a particular area being assessed for risk determines the level of formality required to manage potential risks. Effective knowledge management can reduce uncertainty, allowing accumulated and
new information to be used to support risk-based decisions throughout the product lifecycle.

Importance refers to the significance of the risk-based decision in relation to product quality. The higher the importance of the decision, the more formality should be applied, and the greater the need to reduce the level of uncertainty associated with it.

Complexity refers to the level of intricacy of a process or subject area involved in QRM. The higher the complexity, the more formality should be applied to ensure product quality.

Higher levels of uncertainty, importance, or complexity may require more formal QRM approaches to manage potential risks and support effective risk-based decision-making.

The level of formality used in QRM must match the potential risks being addressed, the intricacy of the process, and the specific needs of the organization. The selection of the appropriate formality level should be based on a risk-based approach and should be periodically reviewed as the process or product evolves.

In QRM, low to high formality is defined by the level of structure and documentation employed in the risk management process. A low formality QRM usually involves a less structured, informal approach relying on the experience and judgment of the team to manage potential risks. This approach may involve brainstorming sessions or discussions to identify risks and may not necessitate extensive documentation or formal risk assessment tools. Low formality QRM may be adequate for simple risks with a relatively low impact of failure.

As per ICH Q9(R1), there are degrees of formality between the lower and higher levels that can also be utilized. This allows for the concept of moderate formality QRM to be introduced.

Moderate formality QRM involves a more structured approach that uses established risk assessment tools and methods to identify and evaluate potential risks. This may entail using standardized risk assessment matrices, checklists, or other tools to assess the likelihood and severity of potential risks. Moderate formality QRM may be suitable for complex issues or processes that require a more rigorous approach.

High formality QRM involves an extremely structured approach that includes detailed documentation and formal processes for risk identification, evaluation, and control. This may entail utilizing formal risk assessment methods such as failure modes and effects analysis (FMEA) or fault tree analysis (FTA) and may necessitate extensive documentation of risk management decisions and actions taken. High formality QRM is typically used for high-risk processes or products where the impact of failure could be severe.

Understanding the degree of formality in QRM

Companies can use standard criteria to determine the level of formality required for a process according to the new ICH Q9(R1) guidance. These criteria include evaluating the level of uncertainty, importance, and complexity in a process. By establishing what constitutes low, medium, and high uncertainty and complexity, the recommended level of formality can be determined using the formula:

Uncertainty x Complexity x
Importance = Degree of Formality

Establishing pre-determined standard levels of formality is essential to ensure consistency in decision-making within the quality management system (QMS).

Formality in the QMS. The level of formality in a QMS should be appropriate to the size, complexity, and risk of the organization’s processes and products. The choice of formality level should be based on a risk-based approach and should be re-evaluated regularly to ensure the QMS remains effective and efficient (3).

Change control. Formality is an important aspect of change control processes, which are designed to ensure that changes to processes, products, or systems are managed in a controlled and systematic manner to minimize the potential adverse impact on quality, safety, or efficacy (6).

The level of formality in change control processes may vary depending on the nature and complexity of the change. The following are some examples of the degree of formality in change control:

• Low formality: Simple, well understood, low-risk changes may be managed through rationale documentation. For example, a change to a non-critical process that has a minor or no impact on the product may be approved through a rationale documented in the change and approved by applicable stakeholders.
• Moderate formality: Changes that are well understood that have a moderate impact on the product or process may require a more structured method to document potential risks, such as FTA, risk ranking and filtering (RRF), What If tool, etc.
• High formality: complex changes with minimal process knowledge that can have a significant impact on the product, process, or system may require a highly structured and use of formal tools such as process
  hazard analysis (PHA) or FMEA. For example, a change to a product formulation or manufacturing process that has a high impact on product quality or safety may require a formal more rigorous documentation process that includes detailed risk assessment, validation, and verification activities.

To ensure that the level of formality is appropriate, change control processes should follow a risk-based approach and be proportionate to the level of risk associated with the change. It is essential to document and communicate the change control process clearly to all stakeholders to ensure that changes are managed consistently and effectively. Regular review and improvement of the change control process can help to ensure its effectiveness and efficiency over time.

When evaluating the impact of a change on product quality, several factors should be considered (3):

• Potential impact on critical quality attributes (CQAs): The change may impact CQAs of the product, which are those attributes that are essential to its safety, efficacy, or performance.
• Potential impact on regulatory compliance: The change may affect the product’s compliance with regulatory requirements, such as those related to safety, efficacy, or quality.
• Potential impact on patient safety: The change may pose a risk to patient safety, such as by increasing the risk of adverse reactions or other negative outcomes.
• Potential impact on manufacturing process: The change may impact the manufacturing process, potentially leading to variability in product quality, reduced yields, or other negative outcomes.

If the potential risks of the change are deemed to outweigh the potential benefits, a decision may be made not to implement the change. However, if the change is deemed necessary, steps should be taken to mitigate the potential risks through appropriate risk management strategies, such as process validation, increased testing, or other design control measures. In any case, the decision to implement or not implement a change should be well-documented and based on a thorough evaluation of the potential risks and benefits.

A high level of formality is typically required to ensure a rigorous understanding of whether a change is expected to negatively impact product quality.

Deviations. When it comes to managing deviations, formality refers to the level of structure and documentation involved in the process of handling deviations from established procedures, processes, or specifications. Deviations can arise due to various reasons, such as equipment malfunction, human error, or environmental conditions, and can impact the quality, safety, or efficacy of products or processes.

The level of formality required in managing deviations may vary depending on the nature and severity of the deviation. For instance, minor deviations that do not significantly impact product quality, safety, or efficacy may be managed through simple documentation of root cause and remediations, while deviations that have a moderate or significant impact may require more structured and formal deviation management processes, including investigation, analysis, and corrective and preventive action.

The level of formality used in managing deviations should be based on a risk-based approach and proportionate to the level of risk associated with the deviation. The deviation management process should be documented and communicated clearly to all stakeholders to ensure that deviations are managed consistently and effectively. Regular review and improvement of the deviation management process can help to ensure that it remains effective and efficient over time.

The following are some examples of the degree of formality in managing deviations:

• Low formality: Minor deviations that do not have a significant impact on product quality, safety, or efficacy may be managed through a simple documentation of root cause of deviations and remediations. For example, a deviation that results from a missing or incorrect documentation of a non-critical parameter in a batch record review may be managed through a simple documentation of the event, cause, and remediation, such as, a missing digit in an equipment number when recording in the batch record.
• Moderate formality: Deviations that have a moderate impact on product quality, safety, or efficacy may require a more structured deviation management process that involves formal documentation and review. For example, a deviation that results in a change in a critical process parameter may require a formal deviation report, investigation, and approval process, such as, failure to agitate the solution for the full 30 minutes as required by the batch record.
• High formality: Deviations that have a significant impact on product quality, safety, or efficacy may require a highly structured and formal deviation management process. For example, a deviation that results in a failure of a critical quality attribute or parameter may require a formal investigation, root cause analysis, and corrective and preventive action (CAPA) process, such as an out of specification for an in-process test (e.g., pH, temperature).

Product complaints. When managing product complaints, formality refers to the level of structure and documentation used. Complaints can come from various sources and provide valuable feedback on product performance and customer satisfaction. The level of formality needed may vary depending on the nature and severity of the complaint. The following are some examples of the degree of formality in product complaints:

• Low formality: Simple, low-risk complaints may be managed through informal processes such as verbal communication or email exchanges. For example, a customer complaint about a minor packaging defect may be addressed through a quick discussion among the team members involved, such as complaint about the number of tablets in the bottle (contained 99 vs. labeled 100).
• Moderate formality: Complaints that have a moderate impact on product quality, safety, or efficacy may require a more structured complaint management process that involves formal documentation and review. For example, a complaint about a potential quality issue may require a formal investigation and response process, such as complaint about color of the tablets (white vs. pale yellow).
• High formality: Complaints that have a significant impact on product quality, safety, or efficacy may require a highly structured and formal complaint management process. For example, a complaint related to a serious adverse event or product recall may require a formal investigation, root cause analysis, and CAPA process, such as complaint about a patient feeling dizzy and lightheaded after taking the product.

It is essential to document and communicate the complaint management process clearly to all stakeholders to ensure consistent and effective management of complaints. Regular review and improvement of the process can ensure its effectiveness and efficiency over time. The level of formality should be based on a risk-based approach and proportionate to the level of risk associated with the complaint.

Formality in decision making. Formality can be a factor in driving effective decision-making, but it is not the only factor. The level of formality required for effective decision-making can vary depending on the nature of the decision and the level of risk associated with it.

While formality can play a role in driving effective decision-making, it is not the only factor to consider. The appropriate level of formality can vary depending on the decision’s nature and associated risks.

Formality can be beneficial in decision-making in several ways. For instance, it can increase clarity, consistency, transparency, and accountability in the process. Additionally, a formal decision-making process can help manage the level of risk associated with the decision. However, it is important to note that excessive formality can be counterproductive, leading to bureaucracy, slow decision-making, and discouraging innovation (7).

Therefore, decision-makers should strive to strike a balance between formality and flexibility. They should also consider the benefits and drawbacks of formality when designing decision-making processes. Ultimately, the level of formality required should be proportional to the level of risk associated with the decision, and the process should be adaptable to changing circumstances.

In summary, formality can be a helpful factor in driving effective decision-making, but it should be balanced with flexibility and a willingness to adapt to changing circumstances. The level of formality required should be proportionate to the level of risk associated with the decision, and decision-makers should consider both the benefits and the drawbacks of formality when designing decision-making processes.

Ensuring effective identification, assessment, and management of risks in QRM can be influenced by formality. Formal processes can aid in consistent decision-making and foster transparency and accountability, while also ensuring relevant information is considered. However, an appropriate balance between formality and practicality is necessary as excessive formality can cause unnecessary bureaucracy and delay decision-making, whereas insufficient formality can result in inconsistency and lack of transparency. The level of formality required should correspond to the level of risk associated with the product or process being assessed. It is crucial to establish decision-making processes that are well-documented, transparent, and based on sound scientific principles while maintaining flexibility. Regularly reviewing and improving these processes can help sustain their effectiveness and efficiency over time. In QRM, formality and subjectivity are both crucial considerations.

Formality and subjectivity

In QRM, formality pertains to the level of structure and documentation used in the decision-making process. A formal QRM process involves specific procedures, tools, and documentation to ensure consistency, transparency, and accountability. Conversely, an informal QRM process depends more on expert judgment and experience and may be less structured.

Subjectivity, on the other hand, refers to personal biases, opinions, and preferences that may affect the QRM process. It can occur due to a lack of objective data or different interpretations of available data. Although formality can reduce subjectivity, it cannot be eliminated. Expert judgment and experience are crucial for informed decision-making, and various stakeholders may have different perspectives on the risks and benefits of a particular product or process. To mitigate the impact of subjectivity, decision-making should be based on sound scientific principles, and all relevant information should be considered. This may include using multiple sources of data, conducting independent reviews, and obtaining input from different stakeholders.

In summary, both formality and subjectivity are essential considerations in QRM, and a balance must be maintained between the two to make informed decisions based on sound scientific principles.

Factors impacting formality

Regulatory requirements may dictate a certain level of formality in QRM activities. Therefore, it is important to ensure that the level of formality applied meets regulatory expectations. For example, FDA does not have a specific requirement for the level of formality in risk assessments but expects companies to use a risk-based approach in quality management. This includes conducting risk assessments and using the results to make decisions about product development, manufacturing, and control.

During inspections or regulatory submissions, FDA may review a company’s risk assessment and associated documentation. The level of formality in a risk assessment should be appropriate for the level of risk associated with the product or process, and the assessment should be well-documented and based on sound scientific principles. If the level of formality is not appropriate or the assessment is poorly documented or not based on sound scientific principles, FDA may require additional information or further assessment before approving the product or process. The acceptance of the risk assessment by FDA will depend on these factors, rather than the level of formality used.

The level of knowledge that is available about the product and process being assessed can also influence the level of formality required in QRM activities. The more knowledge that is available, the lower the level of uncertainty, and the lower the need for formal approaches.

At no point should the level of resources available, including time, budget, and personnel, affect the level of formality that can be applied to QRM activities.

Formality in documentation

The phrase “if it’s not documented, it did not occur” is commonly used in quality management systems to highlight the significance of documentation as a means of evidence for compliance with established procedures and requirements. Documentation is a critical component of quality management, providing a record of activities, decisions, and outcomes that can be scrutinized and audited for compliance, accountability, and continuous improvement. It can take various forms, such as standard operating procedures, work instructions, records, reports, and forms. However, it is important to recognize that documentation alone cannot ensure the effectiveness of a quality management system or the quality of a product or service. Although documentation provides evidence of compliance, it does not guarantee the effectiveness of the documented procedures or the satisfaction of customer requirements. Therefore, companies should establish robust processes for documenting activities, decisions, and outcomes and regularly review and update their procedures to ensure continued effectiveness. In addition, companies should prioritize training and communication to ensure that employees comprehend the importance of documentation and its role in ensuring quality and compliance.

When presenting to regulators, companies must demonstrate that QRM has been conducted appropriately and that the risks associated with a product or process have been adequately identified and managed, irrespective of the level of formality employed. If a low formality approach has been used, the key decisions taken during the risk management process, including the identification of potential risks, the assessment of their severity, the evaluation of available risk control options, and the implementation and monitoring of risk mitigation measures, should still be documented.

Although the level of documentation required may differ depending on the level of formality used, companies must ensure that they have adequate documentation to demonstrate that the risk management process was conducted appropriately and that the risks were efficiently managed.

When presenting to regulators, companies should furnish clear and concise documentation outlining the key decisions and the rationale behind them. This may include risk assessment reports, meeting minutes, decision logs, and other relevant documentation. To summarize, regardless of the level of formality used, documenting the key decisions made during the QRM process is essential to demonstrate that risks were effectively identified and managed by providing clear and concise documentation outlining key decisions and their rationale.

Conclusion

The revision of ICH Q9(R1) reflects the growing importance of QRM in the pharmaceutical industry and aims to support the development of safe and effective pharmaceutical products. However, implementing effective QRM can be challenging for companies due to several factors.

Firstly, a lack of understanding and commitment can lead to insufficient resources, training, and support for QRM activities. Secondly, inadequate risk assessment tools, such as templates and software, can result in inconsistent and incomplete risk assessments. Thirdly, a culture of complacency can hinder proactive identification and management of risks. Fourthly, some companies may view regulatory requirements as a barrier to effective QRM implementation, leading to a compliance-focused approach rather than truly managing risks. Finally, limited resources can make it difficult to prioritize and allocate the necessary resources for risk management.

To overcome these challenges, companies need to prioritize risk management, invest in necessary resources, and foster a culture that values QRM. This includes committing to QRM principles and understanding its benefits, using appropriate risk assessment tools, proactively identifying and managing risks, and allocating the necessary resources for risk management. By doing so, companies can ensure the safety and quality of their products and maintain regulatory compliance.

In QRM, maintaining formality is crucial as it promotes consistency, transparency, and documentation of risk assessments and decision-making processes. Formality entails adhering to established guidelines and documentation requirements that ensure all relevant factors are considered and decisions are made objectively and consistently. It also supports accountability and traceability, which are vital in regulated industries such as pharmaceuticals, where regulatory compliance is paramount. Furthermore, a formal approach to QRM can enhance communication and collaboration among various stakeholders, such as quality control, production, and regulatory affairs. Ultimately, formality in QRM can improve the quality and safety of pharmaceutical products by ensuring that the process is conducted in a rigorous and systematic manner.

References

1. ICH. Q9(R1) Quality Risk Management, final version (ICH Jan. 18, 2023).
2. ICH. Q8(R1) Pharmaceutical Development (ICH, August 2009).
3. ICH. Q10 Pharmaceutical Quality System (ICH, June 4, 2008).
4. ICH. Q11 Development and Manufacture of Drug Substances (ICH, May 1, 2012).
5. O’Donnell, K.; Tobin, D.; Butler, S.; Haddad, G.; Kelleher, D. Understanding the Concept of Formality in Quality
   Risk Management. J. Valid. Technol, 2020 Jun; 26(3).
6. FDA. Quality Systems Approach to Pharmaceutical Current Good Manufacturing Practice Regulations, Guidance for Industry (CDER, CBER, CVM, ORA, September 2006).
7. Largent, S. and Andreotti-Jones, V. ICH Guideline Q9(R1) On QRM, Part 1: Formality & Risk-based Decisions. OutsourcedPharma.com. Feb. 28, 2023.

About the authors

Ghada Haddad is executive director, Global Quality Transformation Global Quality Shared Services & Regulatory Intelligence Merck & Co.
Darshana Patel is an associate director in Global Quality at Merck & Co., Inc.

Editor’s Note:

This article was peer reviewed by a member of Pharmaceutical Technology®’s Editorial Advisory Board.

Submitted: April 20, 2023.
Accepted: May 11, 2023.

Article details

Pharmaceutical Technology
Vol. 47, No. 7
July 2023
Pages: 40-45, 49

Citation

When referring to this article, please cite it as Haddad, G. and Patel, D. Navigating the Formality Spectrum in ICH Q9(R1). Pharmaceutical Technology 2023 47 (7).