ich q9 quality risk management

ICH Q9:QUALITY RISK MANAGEMENTQUALITY RISK MANAGEMENT

1

Seetharam Kandarpa Seetharam Kandarpa Seetharam Kandarpa Seetharam Kandarpa

ASQASQASQASQ----CPGP & ASQCPGP & ASQCPGP & ASQCPGP & ASQ----CQACQACQACQA

Objective

• Introduction to ICH Q9: Quality RiskManagement

• Guiding through the content of the ICH• Guiding through the content of the ICHQ9 document

• Providing some considerations, possibleinterpretations and where appropriateexamples

2

Introduction to

ICH Q9: Quality Risk Management (QRM)

• Document is available on the ICH Webpage

www.ich.org

3

Introduction to

ICH Q9: Quality Risk Management (QRM)

ICH Q9ICH Q9

4

Basic Terms

• Harm:

– Damage to health, including the damage that can occur fromloss of product quality or availability.

• Hazard:

– The potential source of harm (ISO/IEC Guide 51).

• Risk:• Risk:

– The combination of the probability of occurrence of harm and theseverity of that harm (ISO/IEC Guide 51).

• Severity:

– A measure of the possible consequences of a hazard.

• Detectability:

– The ability to discover or determine the existence, presence, orfact of a hazard.

5

Basic Terms

• Quality:

– The degree to which a set of inherent properties of a product,system or process fulfills requirements (see ICH Q6A definitionspecifically for "quality" of drug substance and drug (medicinal)products.)

• Quality Risk Management:

– A systematic process for the assessment, control,– A systematic process for the assessment, control,communication and review of risks to the quality of the drug(medicinal) product across the product lifecycle.

• Quality System:

– The sum of all aspects of a system that implements quality policyand ensures that quality objectives are met.

6

Basic Terms

• Risk Assessment:

– A systematic process of organizing information to support a riskdecision to be made within a risk management process. Itconsists of the identification of hazards and the analysis andevaluation of risks associated with exposure to those hazards.

• Risk Identification:

– The systematic use of information to identify potential sources of– The systematic use of information to identify potential sources ofharm (hazards) referring to the risk question or problemdescription.

• Risk Analysis:

– The estimation of the risk associated with the identified hazards.

• Risk Evaluation:

– The comparison of the estimated risk to given risk criteria usinga quantitative or qualitative scale to determine the significance ofthe risk. 7

Basic Terms

• Risk Control:

– Actions implementing risk management decisions (ISO Guide73).

• Risk Reduction:

– Actions taken to lessen the probability of occurrence of harm andthe severity of that harm.

Risk Acceptance:• Risk Acceptance:

– The decision to accept risk (ISO Guide 73).

• Risk Management:

– The systematic application of quality management policies,procedures, and practices to the tasks of assessing, controlling,communicating and reviewing risk.

8

Basic Terms

• Risk Communication:

– The sharing of information about risk and risk managementbetween the decision maker and other stakeholders.

• Risk Review:

– Review or monitoring of output/results of the risk managementprocess considering (if appropriate) new knowledge andexperience about the risk.experience about the risk.

• Requirements:

– The explicit or implicit needs or expectations of the patients ortheir surrogates (e.g., health care professionals, regulators andlegislators). In this document, “requirements” refers not only tostatutory, legislative, or regulatory requirements, but also to suchneeds and expectations.

9

Basic Terms

• Decision Maker(s):

– Person(s) with the competence and authority to makeappropriate and timely quality risk management decisions.

• Product Lifecycle:

– All phases in the life of the product from the initial developmentthrough marketing until the product’s discontinuation.

Trend:• Trend:

– A statistical term referring to the direction or rate of change of avariable(s).

• Stakeholder:

– Any individual, group or organization that can affect, be affectedby, or perceive itself to be affected by a risk. Decision makersmight also be stakeholders. For the purposes of this guideline,the primary stakeholders are the patient, healthcareprofessional, regulatory authority, and industry. 10

Table of contents

1. Introduction

2. Scope

3. Principles of Quality Risk Management

4. General Quality Risk Management Process

5. Risk Management Methodology5. Risk Management MethodologyAnnex I: Risk Management Methods and Tools

6. Integration of QRM process into Industry and Regulatory operationsAnnex II: Potential Applications for QRM

7. Definitions

8. References

11

1. Introduction

Risk ManagementQuality Risk Management

Quality Systems

Harm

SeveritySeverity

Stakeholder

Product Life Cycle

GMP Compliance

12

This guideline provides

principles & examples of tools

of quality risk management that can be applied to

different aspects of pharmaceutical quality.

2. Scope

different aspects of pharmaceutical quality.

These aspects include development, manufacturing,

distribution, and the inspection and submission/review

processes throughout the lifecycle

of drug substances, drug (medicinal) products,

biological and biotechnological products

13

2. Scope

• Drug substances,

• Drug (medicinal) products,

• Biological and biotechnological products

Including the selection and use of Including the selection and use of

– Raw materials

– Solvents

– Excipients

– Packaging and labelling materials

– Components

14

3. Principles of Quality Risk Management

Two primary principles:

The evaluation of the risk to quality

The level of effort, formality and the risk to quality

should be based on scientific knowledgeand ultimately link to the protection of the patient

formality and documentation of the quality risk management process should be commensurate with the level of risk

15


Systematic processes designed to designed to

coordinate, facilitate and improve sciencescience--based decision makingbased decision making

with respect to risk to quality

16

on

Risk Assessment

Risk Evaluation

unacceptable

Risk Analysis

Risk Identification

Initiate

Quality Risk Management Process

Ris


Team approach

Risk Review

Ris

kC

om

mu

nic

ati

o

Risk Control

Risk Reduction

Review Events

Risk Acceptance

Output / Result of the

Quality Risk Management Process

skM

anagem

entto

ols

17

Decision makers:Person(s)

with competence and authority to make a decision


• Ensuring that

ongoing Quality Risk Management processes operate

• Coordinating

quality risk management process

across various functions and departments

• Supporting

the team approach

Ma

na

ge

me

nt

res

po

ns

ibility

18


Team approach

• Usually, but not always, undertaken by interdisciplinary

teams from areas appropriate to the risk being considered

e.g.– Quality unit– Quality unit

– Development

– Engineering / Statistics

– Regulatory affairs

– Production operations

– Business, Sales and Marketing

– Legal

– Medical / Clinical

– &… Individuals knowledgeable of the QRM processes

19


When to initiate and plan a QRM Process

• First define the question which should be answered (e.g.

a problem and/or risk question)

– including pertinent assumptions identifying the potential for risk

Risk Review

Ris

kC

om

mu

nic

ati

on

Risk Assessment

Risk Evaluationunacceptable

Risk Control

Risk Analysis

Risk Reduction

Risk Identification

Review Events

Risk Acceptance

Initiate Quality

Risk Management Process

Output / Result of the QualityRisk Management Process

Ris

kM

an

ag

em

en

tto

ols

the potential for risk

• Then assemble background information and/ or data on

the potential hazard, harm or human health impact

relevant to the risk

– Identify a leader and necessary resources

– Specify a timeline, deliverables and appropriate level of decision making for the QRM process

20

Should risks

be assessed?

Are there clear rules

for decision making?e.g. regulations

When to apply Quality Risk Management?

1. What might go wrong?2. What is the likelihood (probability)

it will go wrong?3. What are the consequences (severity)?No or

justification needed

Can you answerthe risk assessment

questions? No

Yes

“no RM“

Risk assessment not required(No flexibility)

Follow procedures(e.g. Standard Operating Procedures)

Document results,

decisions and actions

questions?

Yes“informal RM“

Initiate Risk assessment(risk identification, analysis & evaluation)

Run risk control(select appropriate measures)

Agree on a team(small project)

Select a Risk Management tool(if appropriate e.g. see ICH Q9 Annex I)

No

“formal RM“

Carry out the

quality risk management process

Document the steps

21


• Risk Identification

What might go wrong?

• Risk Analysis

Risk Assessment

3 fundamental questions

Risk Review

Ris

kC

om

mu

nic

ati

on

Risk Assessment


Risk Control

Risk Analysis

Risk Reduction

Risk Identification

Review Events

Risk Acceptance

Initiate Quality



Ris

kM

an

ag

em

en

tto

ols

What is the likelihood (probability) it will go wrong?

• Risk Evaluation

What are the consequences (severity)?

Note: People often use terms

“Risk analysis”, “Risk assessment” and

“Risk management” interchangeably

which is incorrect!

22


“What might go wrong?”

• A systematic use of information

Risk Assessment: Risk Identification

Risk Review

Ris

kC

om

mu

nic

ati

on

Risk Assessment


Risk Control

Risk Analysis

Risk Reduction

Risk Identification

Review Events

Risk Acceptance

Initiate Quality



Ris

kM

an

ag

em

en

tto

ols

• A systematic use of information

to identify hazards

referring to the risk question or problem

– historical data

– theoretical analysis

– informed opinions

– concerns of stakeholders

23


“What is the likelihood it will go wrong?”

• The estimation of the risk

Risk Assessment: Risk Analysis

Risk Review

Ris

kC

om

mu

nic

ati

on

Risk Assessment


Risk Control

Risk Analysis

Risk Reduction

Risk Identification

Review Events

Risk Acceptance

Initiate Quality



Ris

kM

an

ag

em

en

tto

ols

• The estimation of the risk

associated with the identified hazards.

• A qualitative or quantitative process of linking the

likelihood of occurrence and severity of harm

• Consider detectability if applicable

(used in some tools)

24


Risk Assessment: Risk Analysis

Often data driven

Keep in mind: Statistical approach may or may not be usedused

• Maintain a robust data set!

• Start with the more extensive data set and reduce it

• Trend and use statistics (e.g. extrapolation)

• Comparing between different sets requires compatible

data

• Data must be reliable

• Data must be accessible Risk Review

Ris

kC

om

mu

nic

ati

on

Risk Assessment


Risk Control

Risk Analysis

Risk Reduction

Risk Identification

Review Events

Risk Acceptance

Initiate Quality



Ris

kM

an

ag

em

en

tto

ols

25


“What is the risk?”

• Compare the identified and analysed risk

against given risk criteria

Risk Assessment: Risk Evaluation

Risk Review

Ris

kC

om

mu

nic

ati

on

Risk Assessment


Risk Control

Risk Analysis

Risk Reduction

Risk Identification

Review Events

Risk Acceptance

Initiate Quality



Ris

kM

an

ag

em

en

tto

ols

against given risk criteria

• Consider the strength of evidence

for all three of the fundamental questions

– What might go wrong?

– What is the likelihood (probability) it will go wrong?

– What are the consequences (severity)?

26


Risk Assessment: Risk Evaluation

A picture of the life cycle

Probability Detectability Severity

= Risk Priority Number

x x

past today future

Data

refe

rs to

time

Impact

Can y

ou fin

d it?

• Frequency of

“occurences”

driven by

the number

of trials

• Degree

of belief

27


Risk Control: Decision-making activity

• Is the risk above an acceptable level?

• What can be done to reduce or eliminate risks?

Risk Review

Ris

kC

om

mu

nic

ati

on

Risk Assessment


Risk Control

Risk Analysis

Risk Reduction

Risk Identification

Review Events

Risk Acceptance

Initiate Quality



Ris

kM

an

ag

em

en

tto

ols

• What can be done to reduce or eliminate risks?

• What is the appropriate balancebetween benefits, risks and resources?

• Are new risks introduced as a result of the identified risks being controlled?

28


Risk Control: Residual Risk

• The residual risk consists of e.g.

– Hazards that have been assessed and

risks that have been accepted

– Hazards which have been identified but

the risks have not been correctly assessed

– Hazards that have not yet been identified

– Hazards which are not yet linked to the patient risk

• Is the risk reduced to an acceptable level?

– Fulfil all legal and internal obligations

– Consider current scientific knowledge & techniquesRisk Review

Ris

kC

om

mu

nic

ati

on

Risk Assessment


Risk Control

Risk Analysis

Risk Reduction

Risk Identification

Review Events

Risk Acceptance

Initiate Quality



Ris

kM

an

ag

em

en

tto

ols

29


Risk Control: Risk Reduction

• Mitigation or avoidance of quality risk

• Elimination of risks, where appropriate

Risk Review

Ris

kC

om

mu

nic

ati

on

Risk Assessment


Risk Control

Risk Analysis

Risk Reduction

Risk Identification

Review Events

Risk Acceptance

Initiate Quality



Ris

kM

an

ag

em

en

tto

ols

• Focus actions on severity and/or probability of harm; don’t forget detectability

• It might be appropriate to revisit the risk assessment during the life cycle for new risks or increased significance of existing risks

30


Risk Control: Risk Acceptance

• Decision to

> Accept the residual risk

Risk Review

Ris

kC

om

mu

nic

ati

on

Risk Assessment


Risk Control

Risk Analysis

Risk Reduction

Risk Identification

Review Events

Risk Acceptance

Initiate Quality



Ris

kM

an

ag

em

en

tto

ols

> Passively accept non specified residual risks

• May require support by (senior) management

> Applies to both industry and competent authorities

• Will always be made on a case-by-case basis

31



• Discuss the appropriate balance between

benefits, risks, and resources

• Focus on the patients’ interests and

good science/data

• Risk acceptance is not

– Inappropriately interpreting data and information

– Hiding risks from management / competent authorities

Risk Review

Ris

kC

om

mu

nic

ati

on

Risk Assessment


Risk Control

Risk Analysis

Risk Reduction

Risk Identification

Review Events

Risk Acceptance

Initiate Quality



Ris

kM

an

ag

em

en

tto

ols

32

What is an “acceptable risk”?


Who has to accept risk?

• Decision Maker(s)– Person(s) with the competence and authority

to make appropriate and timely quality risk management decisions

• Stakeholder– Any individual, group or organization

that can …be affected by a risk

– Decision makers might also be stakeholders

– The primary stakeholders are the patient, healthcare professional, regulatory authority, and industry

– The secondary stakeholders are patient associations, public opinions, politicians

33


A Risk

Acceptance process

1/3 Finish baseline for

risk acceptance decisionrisk identification, risk analysis,risks evaluation, risks reduction

Risk reduction step

finished

Risk Review

Ris

kC

om

mu

nic

ati

on

Risk Assessment


Risk Control

Risk Analysis

Risk Reduction

Risk Identification

Review Events

Risk Acceptance

Initiate Quality



Ris

kM

an

ag

em

en

tto

ols

Yes

Stakeholders

involved as appropiate?

Revisit

risk assessment step

All identified

risks assessed?No

Yes

No

34


A Risk

Evaluate measureson severity, probability, detectability

Check needed resourcese.g. employee, money

Measures/

actions needed?

Yes

A Risk

Acceptance

process

2/3

Risk Review

Ris

kC

om

mu

nic

ati

on

Risk Assessment


Risk Control

Risk Analysis

Risk Reduction

Risk Identification

Review Events

Risk Acceptance

Initiate Quality



Ris

kM

an

ag

em

en

tto

ols

Measures / Actions

appropriate?No

Yes

Revisit

risk reduction step

Other hazards

caused?Yes

Is a risk

reducible?

No

No

35


A Risk Acceptance process 3/3

Is a risk

reducible?

Yes

No

Risk Review

Ris

kC

om

mu

nic

ati

on

Risk Assessment


Risk Control

Risk Analysis

Risk Reduction

Risk Identification

Review Events

Risk Acceptance

Initiate Quality



Ris

kM

an

ag

em

en

tto

ols

Accept theresidual risk?

Ready for communication

Accept risk

Sign off documentation

Advantageoutweighs risk?

Yes No

Yes

Risk not acceptable

Sign off documentation

Revisitrisk assessment step

No

36


• Bi-directional sharing of information about risk and risk

management

between the decision makers and others

Risk Communication

Risk Review

Ris

kC

om

mu

nic

ati

on

Risk Assessment


Risk Control

Risk Analysis

Risk Reduction

Risk Identification

Review Events

Risk Acceptance

Initiate Quality



Ris

kM

an

ag

em

en

tto

ols

• Communicate at any stage of the QRM process

• Communicate and document

the output/result of the QRM process appropriately

• Communication need not be carried out

for each and every individual risk acceptance

• Use existing channels as specified in

regulations, guidance and SOP’s

37


• Exchange or sharing of information, as appropriate

Risk Communication

Risk Review

Ris

kC

om

mu

nic

ati

on

Risk Assessment


Risk Control

Risk Analysis

Risk Reduction

Risk Identification

Review Events

Risk Acceptance

Initiate Quality



Ris

kM

an

ag

em

en

tto

ols

• Sometimes formal sometimes informal

– Improve ways of thinking and communicating

• Increase transparency

38

Quality risk management

Communicationfacilitates trust

and understanding

Industryoperation- Submissions

- Manufacturing

Regulatorsoperation

- Reviews- Inspections

39


Risk review: Review Events

• Review the output / results of the QRM process

• Take into account new knowledge and experience

Risk Review

Ris

kC

om

mu

nic

ati

on

Risk Assessment


Risk Control

Risk Analysis

Risk Reduction

Risk Identification

Review Events

Risk Acceptance

Initiate Quality



Ris

kM

an

ag

em

en

tto

ols

• Take into account new knowledge and experience

• Utilise for planned or unplanned events

• Implement a mechanism to review or monitor events

• Reconsideration of risk acceptance decisions,

as appropriate

40

5. Risk Management Methodology

One method

Risk Review

Ris

kC

om

mu

nic

ati

on

Risk Assessment


Risk Control

Risk Analysis

Risk Reduction

Risk Identification

Review Events

Risk Acceptance

Initiate Quality



Ris

kM

an

ag

em

en

tto

ols

One method “all inclusive”?

41

Expectations on methods and tools

• Supports science-based decisions

• A great variety are listed but other existing or

new ones might also be used

• No single tool is appropriate for all cases• No single tool is appropriate for all cases

• Specific risks do not always require the same tool

• Using a tool the level of detail of an investigation will vary

according to the risk from case to case

• Different companies, consultancies and competent

authorities may promote use of different tools based on

their culture and experiences

42

Contributing items to manage quality risks

• System Risk (facility & people)– e.g. interfaces, operators risk, environment,

components such as equipment, IT, design elements

• System Risk (organisation)– e.g. Quality systems, controls, measurements, – e.g. Quality systems, controls, measurements,

documentation, regulatory compliance

• Process Risk

– e.g. process operations and quality parameters

• Product Risk (safety & efficacy)– e.g. quality attributes:

measured data according to specifications43


• Supports a scientific and practical approach to

decision-making

• Accomplishing steps of the QRM process

Risk Review

Ris

kC

om

mu

nic

ati

on

Risk Assessment


Risk Control

Risk Analysis

Risk Reduction

Risk Identification

Review Events

Risk Acceptance

Initiate Quality



Ris

kM

an

ag

em

en

tto

ols

– Provides documented, transparent and reproducible methods

– Assessing current knowledge

– Assessing probability, severity and sometimes detectability

44


• Adapt the tools for use in specific areas

• Combined use of tools may provide flexibility

• The degree of rigor and formality of QRM

Risk Review

Ris

kC

om

mu

nic

ati

on

Risk Assessment


Risk Control

Risk Analysis

Risk Reduction

Risk Identification

Review Events

Risk Acceptance

Initiate Quality



Ris

kM

an

ag

em

en

tto

ols

• The degree of rigor and formality of QRM

– Should be commensurate with the complexity and / or criticality of the issue to be addressed and reflect available knowledge

• Informal ways

– empirical methods and / or internal procedures

45

Annex I: Risk Management Methods and Tools

• Provides a general overview of

and references for some of the primary tools

• Might be used in QRM by industry and regulators

• This is not an exhaustive list

Risk Review

Ris

kC

om

mu

nic

ati

on

Risk Assessment


Risk Control

Risk Analysis

Risk Reduction

Risk Identification

Review Events

Risk Acceptance

Initiate Quality



Ris

kM

an

ag

em

en

tto

ols

• This is not an exhaustive list

• No one tool or set of tools is applicable to every situation

in which a QRM procedure is used

• For each of the tools

– Short description & reference

– Strength and weaknesses

– Purely illustrative examples

46

Overview: Some tools and their key words

• Failure Mode Effects Analysis (FMEA)

– Break down large complex processes into manageable steps

• Failure Mode, Effects and Criticality Analysis (FMECA)

– FMEA & links severity, probability & detectability to criticality

• Fault Tree Analysis (FTA)– Tree of failure modes combinations with logical operators

Risk Review

Ris

kC

om

mu

nic

ati

on

Risk Assessment


Risk Control

Risk Analysis

Risk Reduction

Risk Identification

Review Events

Risk Acceptance

Initiate Quality



Ris

kM

an

ag

em

en

tto

ols

– Tree of failure modes combinations with logical operators

• Hazard Analysis and Critical Control Points (HACCP)

– Systematic, proactive, and preventive method on criticality

• Hazard Operability Analysis (HAZOP)

– Brainstorming technique

• Preliminary Hazard Analysis (PHA)

– Possibilities that the risk event happens

• Risk ranking and filtering

– Compare and prioritize risks with factors for each risk47


• Supporting statistical tools

– Acceptance Control Charts (see ISO 7966)

– Control Charts (for example)

� Control Charts with Arithmetic Average andWarning Limits (see ISO 7873)

Risk Review

Ris

kC

om

mu

nic

ati

on

Risk Assessment


Risk Control

Risk Analysis

Risk Reduction

Risk Identification

Review Events

Risk Acceptance

Initiate Quality



Ris

kM

an

ag

em

en

tto

ols

� Cumulative Sum Charts; “CuSum” (see ISO 7871)

� Shewhart Control Charts (see ISO 8258)

� Weighted Moving Average

– Design of Experiments (DOE)

� Pareto Charts

– Process Capability Analysis

– Histograms

– Use others that you are familiar with….48


Q9 does not provide “drivers licences”

49

6. Integration into Industry and Regulatory Operations

• Foundation for “science-based” decisions

• Does not obviate industry’s obligation

to comply with regulatory requirements

• May affect the extent and level • May affect the extent and level

of direct regulatory oversight

• Degree of rigor and formality commensurate with the

complexity and/or criticality of the issue

• Implement QRM principles when updating

existing guidelines

50

Annex II: Potential Applications for QRM

This Annex is intended to identify potential uses of quality risk

management principles and tools by industry and regulators.

However, the selection of particular risk management tools is

completely dependent upon specific facts and circumstances. completely dependent upon specific facts and circumstances.

These examples are provided for illustrative purposes and

only suggest potential uses of quality risk management.

This Annex is not intended to create any new expectations

beyond the current regulatory requirements.

51

Annex II: Potential Applications for QRM

Quality risk management as part of

• Integrated quality management

– Documentation

– Training and educationCompetent authorities– Training and education

– Quality defects

– Auditing / Inspection

– Periodic review

– Change management / change control

– Continual improvement

authorities

Industry

52

Annex II: Potential opportunities

for conducting quality risk management

Competent authorities

Quality risk management as part of

• Regulatory operations

> Inspection and assessment activities

• Industry operations

– Development

– Facilities, equipment and utilities

– Materials management

– Production

– Laboratory control and stability testing

– Packaging and labelling

Competent authorities

Industry

53

COMMUNICATION

Failure Mode, Effects & Criticality Analysis FMECA

FTA

Preliminary Hazard Analysis

Fault Tree Analysis

QUALITY SYSTEM

ICH Q9Quality Risk Management

TOOLS

FMEA

Hazard Analysis & Critical Control Points

Failure Mode Effect Analysis

Hazard Operatibility Analysis

MATERIALS

PRODUCTION

54

mm

un

icat i

on

Risk Assessment

Risk Evaluation

unacceptable

Risk Control

Risk Analysis

Risk Reduction

Risk Identification

InitiateQuality Risk Management Process

Ris

kM

an

ag

em

Use the right “risk” expressionUse the right “risk” expressionplease!

Risk Review

Ris

kC

om

Review Events

Risk Acceptance

Output / Result of theQuality Risk Management Process

men

tto

ols

55

Thanks

56

ich q9 quality risk management

Health & Medicine