Quality Risk-Management Principles and PQRI Case Studies

Published on: 
Pharmaceutical Technology, Pharmaceutical Technology-07-02-2011, Volume 35, Issue 7

A PQRI expert working group provides case study examples of risk-management applications.

The harmonized Q9 Quality Risk Management guideline from the International Conference on Harmonization (ICH) provides an excellent high-level framework for the use of risk management in pharmaceutical product development and manufacturing quality decision-making applications (1–2). It is a landmark document in acknowledging risk management as a standard and acceptable quality system practice to facilitate good decision-making with regard to risk identification, resource prioritization, and risk mitigation/elimination, as appropriate.

Recognizing the need to propagate and expedite holistic adoption of quality risk management across the pharmaceutical industry, the Product Quality Research Institute Manufacturing Technical Committee (PQRI–MTC) commissioned a small working group of industry and FDA representatives to seek out good case studies of actual risk-management practices used by large bio/pharmaceutical firms to share with the industry at large.

The working group spent approximately one year soliciting risk-management case studies from industry peers and contacts, and ultimately reviewed more than 20 of them. Each study was graded against six multiple criteria to assess applicability, usefulness, and alignment with ICH Q9. The highest graded case studies were measured against two additional criteria to ensure a balanced mix of examples for this report. Due to the size of a well-developed risk assessment, especially when applied to a complex problem or operating area, the presented case studies in most instances represent redacted versions of the actual assessments. Nonetheless, the provided summaries are effective in demonstrating the general thought process, risk application, and use of chosen risk methods.

As a byproduct of the working group's collaboration on risk-management practices, several common principles that reflect current industry and regulatory thinking emerged. These principles are aligned with, and in some instances expand beyond, those defined by ICH Q9 and are included in this report. In addition, several risk-management reference tools used by participating firms have been included as examples.


Risk-management principles, case studies, and supporting tools used by large bio/pharmaceutical manufacturers for effective quality oversight of product development and manufacturing operations are included in this report. Each case study notes the applicable corresponding quality system (i.e., Quality, Facilities & Engineering, Material, Production, Packaging & Labeling, or Laboratory Control) that is consistent with FDA's quality systems guidance document (3). In addition, the case studies identify the risk methodology that was used for ease of categorization, understanding, and potential application by the reader. Medical-device examples fall beyond the scope of this article, although the case studies and tools presented have relevance to device manufacturing. See the sidebar, "PQRI case studies," for details on the topics covered.

PQRI case studies

Principles and common practices

Core principles of quality risk management according to the ICH Q9 guideline include the following:

1. Compliance with applicable laws: Risk assessment should be used to assess how to ensure compliance and to determine the resulting prioritization for action—not for a decision regarding the need to fulfill applicable regulations or legal requirements.


2. Risk can only be effectively managed when it is identified, assessed, considered for further mitigation, and communicated. This principle embodies the four stages of an effective quality risk-management process as defined by ICH Q9: risk assessment (i.e., risk identification, analysis, and evaluation); risk control (i.e., risk reduction and acceptance); risk communication; and risk review.

3. All quality risk evaluations must be based on scientific and process-specific knowledge and ultimately linked primarily to the protection of the patient. Risk assessment is based on the strong understanding of the underlying science, applicable regulations, and related processes involved with the risk under analysis. Collectively, these components should be assessed first and foremost with regard to the potential impact to the patient (see Figure 1).

Figure 1: Quality risk-evaluation pyramid.

4. Effective risk management requires a sufficient understanding of the business, the potential impact of the risk, and ownership of the results of any risk-management assessment.

5. Risk assessment must take into account the probability of a negative event in combination with the severity of that event. This principle also serves as a useful working definition for risk (i.e., risk represents the combination of the probability and severity of any given event).

6. It is not necessary or appropriate to always use a formal risk-management process (e.g., standardized tools). Rather, the use of an informal risk-management process (e.g., empirical assessment) is acceptable for areas that are less complex and that have lower potential risk. Risk decisions are made by industry every day. The complexity of the events surrounding each decision and the potential risk involved are important inputs in determining the appropriate risk-assessment methodology and corresponding level of analysis required. For less complex, less risky decisions, a qualitative analysis (e.g., decision tree) of the options may be all that is required. In general, as the complexity and/or risk increases, so should the sophistication of the risk-assessment tool used. In the same regard, the level of documentation of the risk-management process to render an appropriate risk assessment should be commensurate with the level of risk (2). See Figure 2 for details.

Figure 2: Documentation level.

Risk-assessment supporting tools

A key early step in the execution of a risk analysis is to determine the appropriate risk-assessment tool, or methodology. There is no single best choice for any given assessment process, and the selection of the appropriate risk methodology should be based on the depth of analysis required, complexity of the subject risk of concern, and the familiarity with the assessment tool. Based on the industry examples reviewed by the PQRI–MTC working group, risk ranking and filtering (sometimes referred to as risk matrix) and flowcharting were the most popular tools used for basic risk-assessment activities. Correspondingly, failure-mode effect analysis (FMEA) appeared to be the most frequently used methodology for more advanced risk analysis. Some examples demonstrated the power of combining tools to help with more complex analysis. For example, fault-tree analysis (FTA) or a fishbone diagram can be used to initially scope and evaluate the fault modes of a particular problem and be used to feed a hazards analysis and critical control point (HACCP), or a similar tool to evaluate overall system control and effectiveness can be used. Table I provides a list of generally well-recognized risk-management tools.

Table I: Common risk-management tools.

Each risk subject and assessment warrants consideration of the applicable descriptors of potential risk and related consequences. Ideally, firms should establish a guidance document ahead of any risk analysis, such as the one provided in Table II, to help guide the risk-assessment process and provide for consistency in decision-making company-wide.

Table II: Severity categorization.

Risk trainers. In assembling this collection of case studies, the authors recognized the benefit of providing industry with additional background on core risk methodologies. Training tools for the application of risk ranking and filtering, FMEA, FTA, and HAZOP are available online with the web version of this article at PharmTech.com/PQRIstudies. These tools are meant to facilitate greater familiarity with the risk methodology used in each corresponding case study.


The PQRI–MTC Risk Management Working Group solicited and formatted a series of best-practice case studies aligned with ICH Q9 principles. The collected case studies demonstrate that there is a wide range of applications for the use of structured risk-management analysis to facilitate effective quality-decision activities. The studies demonstrate the baseline needed to choose the appropriate risk methodology for the targeted need, taking into account the degree of complexity and risk involved for the specific subject of concern. It is equally important to predefine the potential resulting risk categorizations so as to not be influenced by the assessment results in defining appropriate response actions. Finally, once risks have been appropriately assessed and prioritized, clear risk-mitigating actions must be defined, communicated, implemented and monitored for effectiveness.

Ted Frank is with Merck & Co; Stephen Brooks, Kristin Murray* and Steve Reich are with Pfizer; Ed Sanchez is with Johnson & Johnson; Brian Hasselbalch is with the FDA Center for Drug Evaluation and Research; Kwame Obeng is with Bristol Myers Squibb; and Richard Creekmore is with AstraZeneca.

*To whom all correspondence should be addressed, kristin.murray@pfizer.com.


1. FDA Global Harmonization Task Force, "Implementation of Risk Management Principles andActivities within a Quality Management System" (Rockville, MD, 2000).

2. ICH, Q9 Quality Risk Management, 2005.

3. FDA, Guidance for Industry: Quality Systems Approach to Pharmaceutical CGMP Regulations (Rockville, MD, 2006).

4. FDA, "Risk-Based Method for Prioritizing CGMP Inspections of Pharmaceutical Manufacturing Sites–A Pilot Risk Ranking Model," (Rockville, MD, 2004).