Quality Risk Management
(ICH Q9)
Neeraj Shrivastava
Quality Assurance

Goals:
• Risk Management (priorities, resources
allocation and setting regulatory requirements).
• Science-based regulatory approaches (conduct
scientific risk assessment.
• Strong public health focus.
• Assessment and implementation of appropriate
quality management systems.
• Integrated product quality regulatory practice
(review and inspection processes).

The Expectations:
• The evaluation of the risk should ultimately link
back to the potential risk to the patient.
• The extent of the risk management process
should be commensurate with the level of risk
associated with the decision.
• Assembling background information and data on
the hazard, harm or human health impact
relevant to the assessment.
• A more robust data set will lead to lower
uncertainty.

• People who apply risk management should have
the appropriate training, skills and experience.
• The risk management process should be
appropriately documented and verifiable.
• Defining specifically the risk management problem
or question, including the assumptions leading to
the question.
• Assembling background information and data on
the hazard, harm or human health impact relevant
to the assessment.
The Expectations:

The Expectations
• Identifying the necessary resources, members of the
team who have the appropriate expertise, with the
leader clearly identified.
• Asking the right risk assessment questions.
• Stating clearly the assumptions in the risk
assessment.
• Assessing the quality and sufficiency of relevant
data.
• Specifying and deliverables for the risk assessment.

Risk Management Tools
Use the
appropriate
tool(s)!
No one tool
is
“all inclusive”!

Principles
1. The evaluation of the risk to quality
should be based on scientific
knowledge and ultimately link to the
protection of the patient.
2. The level of effort, formality and
documentation of the quality risk
management process should be
commensurate with the level of risk.

Risk Assessment and Control
Tools:
• Basic risk management facilitation
methods (flowcharts, check sheets etc.)
• Failure Mode Effects Analysis (FMEA)
• Failure Mode, Effects and Criticality
Analysis (FMECA)
• Fault Tree Analysis (FTA)

Risk Assessment and Control
Tools: continue..
• Hazard Analysis and Critical Control
Points (HACCP)
• Hazard Operability Analysis (HAZOP)
• Preliminary Hazard Analysis (PHA)
• Risk ranking and filtering
• Supporting statistical tools

Experience or Institution based approach
• Traditionally used, as it requires.
• No factual analysis or observations.
• Biased.
Symptom Remedy
Investigative Tools:

Data based approach
• Scientific.
• Methodical.
• Unbiased.
Symptom Root cause Remedy
Investigative Tools:

Investigative Tools: for QRM
USE CORRECT TOOL
FOR CORRECT WORK

Initiating a QRM Process
• Quality risk management is
systematic process designed to
coordinate, facilitate and improve
science-based decision making for the
assessment, control, communication
and review of risks to the quality of the
drug (medicinal) product across the
product lifecycle.

Initiating a QRM Process
• Define the problem and/or risk question,
including pertinent assumptions identifying
the potential for risk.
• Assemble background information and/ or
data on the potential hazard, harm or human
health impact relevant to the risk assessment
• Specify a timeline, deliverables and
appropriate level of decision making for the
risk management process.

Risk Review
RiskCommunication
Risk Assessment
Risk Evaluation
unacceptable
Risk Control
Risk Analysis
Risk Reduction
Risk Identification
Review Events
Risk Acceptance
Initiate
Quality Risk Management Process
Output / Result of the
Quality Risk Management Process
RiskManagementtools
RiskManagement
Process

Risk Assessment
• What can go wrong?
• What is the likelihood (probability) it
would go wrong?
• What are the consequences?
• Identification of hazards, analysis and
evaluation of risks associated with
exposure to those hazards.

Related Terminology:
• Risk Analysis is a systematic use of information
to identify specific sources of harm (hazard) and
to estimate the risk.
• Risk evaluation compares the estimated risk
against risk criteria using a quantitative or
qualitative scale to determine the significance of
the risk.
• Risk management focuses on a reduction of
severity of harm.
• Risk acceptance is a decision to accept risk, i,e,
no additional risk control activities are necessary
at that time.

• Focuses on processes for mitigation or
avoidance of quality risk when it exceeds
a specified (acceptable) level. Risk
reduction might include actions taken to
mitigate the severity and probability of
harm. Processes that improve the
detectability of hazards and quality risks
might also be used as part of a risk
control strategy.
Risk Control

• Is the risk above an acceptable level?
• What can be done to reduce or
eliminate risks?
• What is the appropriate balance
among benefits, risks and resources?
• Are new risks introduced as a result of
the identified risks being controlled?
Risk Reduction

• Some types of harms, even the best
quality risk management practices might
not entirely eliminate risk. In these
circumstances, it might be agreed that
an appropriate quality risk management
strategy has been applied and that
quality risk is reduced to a specified
(acceptable) level, will depend on many
parameters and should be decided on a
case-by-case basis
Risk Acceptance

• The sharing of information about risk and risk
management between the decision makers
and others can communicate at any stage of
the risk management process. The result of
the quality risk management process should
be appropriately communicated and
documented. The included information might
relate to the existence, nature, form,
probability, severity, acceptability, control,
treatment, detectability or other aspects of
risks to quality.
Risk Communication

• The results of the risk management process
should be reviewed to take into account new
knowledge and experience. Once a quality risk
management process has been initiated, that
process should continue to be utilized for events
that might impact the original quality risk
management decision, whether these events are
planned (e.g. results of product review,
inspections, audits, change control) or
unplanned (e.g. root cause from failure
investigations, recall).
Risk Review

QRM Methodology
QRM supports a scientific and practical
approach to decision-making. It provides
documented, transparent and reproducible
methods to accomplish steps of the quality
risk management process based on current
knowledge about assessing the probability,
severity and sometimes detectability of the
risk.

severity
probability
Parameters for evaluating risks

Probability Detectability or
Detection time
Severity
past today future
Refersto
time
Refersto
Refersto
= Risk Priority Number
x x
Risk Priority Number

Action based on RPN
RPN (Risk Priority
Number
Risk Action
RPN No.: ≤ 4 Low Not required
RPN No.: 5 – 8 Medium To be decided by
team if necessary
RPN No.: ≥ 9 High Must be done

Severity of Effect (S)
Severity of Effect Rating Example
No relevant
consequences.
1 No effect on
Quality, equipment.
Might have effect on
product, personnel.
2 Out of calibration of
component, loss of
Product.
Harm to people, quality
of product, damage to
equipment
3 Must be done

Probability of Occurrence (O)
Severity of Effect Rating Example
Very unlikely 1 Failure are very rare
(1/10000-Failure)
Unlikely 2 Failure are rare (1/1000-
Failure)
Likely 3 Failure are unknown have
experience of happening
it in past (1/100-Failure)

Detection Time (D)
Detection Time Rating Example
Immediately 1 In-process control with
100% Test of check.
Later 2 Periodic monitoring,
weekly checks, release
testing.
Never 3 No checks or test might
detect or identify the
failure.

Risk Assessment Evaluation
• Quality risk management methods and
the supporting statistical tools can be
used in combination (e.g. Probabilistic
Risk Assessment). Combined use
provides flexibility that can facilitate the
application of quality risk management
principles.

The weakest linkin the chain
will no longer be a problem

Anything that
has the potential
to harm patients,
product quality
or the business
(loss,
interruption,
image)
Potential threat
- chemical reaction
- manufacturing issues
- facilities and equipment
System defect
- not detected
- insufficiently prevented
- emerges by degree
Failure
- technical breakdown
- human breakdown
- extrinsic effect
hazard
Definition: Hazard

• Understand and influence the factors (hazards)
which impact regulators and industry business
• Create awareness and a culture
• Supports an effective pro-active behaviour
– Open factual dialogue
– Make decisions traceable and consistent
• Provide assurance
– Risks are adequately managed
– Compliance to external and internal requirements
• Recognise risks at a desired level
– Zero risk not possible
QRM- Scientific Activity

Quality
Risk
Management
Proactive
disclosure
build trust and
understanding
Improve
communication
through sharing best
practice and science
based knowledge
• An appropriate integrated approach
helps to meet requirements more efficiently
Master complexity
Convert data into knowledge
e.g. by using methodology and tools
Empowerment & Flexibility

• Hiding risks
• Writing half the truth (e.g. in an
investigation report)
• A means of removing industry’s obligation
to comply with regulatory requirements.
• Both Companies & Inspectors have to
think and not simply follow black and
white rules.
Concerns regarding QRM

Say, what you do
Do, what you say
Gain experience
Improve it
Approval
Manufacture
for market
Analyse root cause:
Continuous
improvement
Update
documentation
Quality Risk
Management
(QRM)
(Risk of) Failure ?
Integrate QRM during product
life cycle

However, if you don’t use it,
you will not gain the benefits
Quality Risk Management is
mandatory is an expectation of EU
& PICs GMP – but ICH Q9 is not

Change in behaviour
Sharing information
Sharing information