Quality Risk Management ICH Q9

Introduction:

Risk management principles are effectively utilized in many areas of business and government including finance, insurance, occupational safety, public health, pharmacovigilance, and by agencies regulating these industries.

Quality risk management is used in the pharmaceutical industries and it is becoming evident that quality risk management is a valuable component of an effective quality system.

Advantages of Quality risk Management:

An effective quality risk management approach can further ensure the high quality of the drug (medicinal) product to the patient by providing a proactive means to identify and control potential quality issues during development and manufacturing.

The use of quality risk management can improve decision making if a quality problem arises.

Effective quality risk management can facilitate better and more informed decisions, can provide regulators with greater assurance of a company’s ability to deal with potential risks and can beneficially affect the extent and level of direct regulatory oversight.

Scope of Quality risk Management:

This guideline provides principles and examples of tools for quality risk management that can be applied to different aspects of pharmaceutical quality. These aspects include development, manufacturing, distribution, and the inspection and submission/review processes throughout the lifecycle of drug substances, drug (medicinal) products, biological and biotechnological products (including the use of raw materials, solvents, excipients, packaging and labeling materials in drug (medicinal) products, biological and biotechnological products).

Principle of Quality risk Management:

Two primary principles of quality risk management are:

The evaluation of the risk to quality should be based on scientific knowledge and ultimately link to the protection of the patient;

The level of effort, formality and documentation of the quality risk management process should be commensurate with the level of risk.

General Quality risk Management Process:

Quality risk management is a systematic process for the assessment, control, communication and review of risks to the quality of the drug (medicinal) product across the product lifecycle.

A model for quality risk management is outlined in the diagram (Figure 1). Other models could be used. The emphasis on each component of the framework might differ from case to case but a robust process will incorporate consideration of all the elements at a level of detail that is commensurate with the specific risk.

Figure 1

Responsibilities:

Quality risk management activities are usually, but not always, undertaken so When teams are formed, they should include experts from the appropriate areas (e.g., quality unit, business development, engineering, regulatory affairs, production operations, sales and marketing, legal, statistics and clinical) in addition to individuals who are knowledgeable about the quality risk management process.

Initiating a Quality Risk Management Process:

Quality risk management should include systematic processes designed to coordinate, facilitate and improve science-based decision making with respect to risk.

Possible steps used to initiate and plan a quality risk management process might include the following:

Define the problem and/or risk question, including pertinent assumptions identifying the potential for risk;

Assemble background information and/or data on the potential hazard, harm or human health impact relevant to the risk assessment;

Identify a leader and necessary resources;

Specify a timeline, deliverables and appropriate level of decision making for the risk management process.

Risk Assessment:

Risk assessment consists of the identification of hazards and the analysis and evaluation of risks associated with exposure to those hazards (as defined below).

Quality risk assessments begin with a well-defined problem description or risk question.

When the risk in question is well defined, an appropriate risk management tool and the types of information needed to address the risk question will be more readily identifiable. As an aid to clearly defining the risk(s) for risk assessment purposes, three fundamental questions are often helpful:

1. What might go wrong?

2. What is the likelihood (probability) it will go wrong?

3. What are the consequences (severity)?

Risk identification:

It is a systematic use of information to identify hazards referring to the risk question or problem description. Information can include historical data, theoretical analysis, informed opinions, and the concerns of stakeholders. Risk identification addresses the “What might go wrong?” question, including identifying the possible consequences. This provides the basis for further steps in the quality risk management process.

Risk Analysis:

It is the estimation of the risk associated with the identified hazards. It is the qualitative or quantitative process of linking the likelihood of occurrence and severity of harms. In some risk management tools, the ability to detect the harm (detectability) also factors in the estimation of risk.

In this stage, it shall be determined what the worst potential “effect” or consequence of the failure mode is.

Risk Evaluation:

Based on risk identification and analysis data, risk evaluation shall be done using the Risk Priority Number (RPN), which is the product of the “Severity Rating”, “Probability of Occurrence Rating” and “Detection Rating”. These “Severity Rating”, “Occurrence Rating” and “Detection Rating” but it can vary from case to case.

Based on the above ratings, the Risk Priority Number (RPN) shall be calculated by multiplying the “Severity Rating (S)”, “Probability of Occurrence Rating (P)” and “Detection Rating (D)”, i.e. S × P × D. The level of risk, i.e. unacceptable, high, moderate, low or acceptable, is based on the Risk Priority Number (RPN).

RPN                         Risk level
Less than or equal to 80    Low or Acceptable

Risk Control:

Risk control includes decision making to reduce and/or accept risks.

The purpose of risk control is to reduce the risk to an acceptable level, and the amount of effort used for risk control should be proportional to the significance of the risk. Decision makers might use different processes, including benefit-cost analysis, for understanding the optimal level of risk control.

Risk control might focus on the following questions:

Is the risk above an acceptable level?

What can be done to reduce or eliminate risks?

What is the appropriate balance among benefits, risks and resources?

Are new risks introduced as a result of the identified risks being controlled?

Risk Reduction:

It focuses on processes for mitigation or avoidance of quality risk when it exceeds a specified (acceptable) level (see Fig. 1). Risk reduction might include actions taken to mitigate the severity and probability of harm. Processes that improve the detectability of hazards and quality risks might also be used as part of a risk control strategy.

The implementation of risk reduction measures can introduce new risks into the system or increase the significance of other existing risks. Hence, it might be appropriate to revisit the risk assessment to identify and evaluate any possible change in risk after implementing a risk reduction process.

Risk acceptance:

It is a decision to accept risk. Risk acceptance can be a formal decision to accept the residual risk or it can be a passive decision in which residual risks are not specified.

For some types of harms, even the best quality risk management practices might not entirely eliminate risk. In these circumstances, it might be agreed that an appropriate quality risk management strategy has been applied and that quality risk is reduced to a specified (acceptable) level. This (specified) acceptable level will depend on many parameters and should be decided on a case-by-case basis.

Risk Communication:

Risk communication is the sharing of information about risk and risk management between the decision makers and others. Parties can communicate at any stage of the risk management process (see Fig. 1: dashed arrows).

The output/result of the quality risk management process should be appropriately communicated and documented (see Fig. 1: solid arrows). Communications might include those among interested parties; e.g., regulators and industry, industry and the patient, within a company, industry or regulatory authority, etc. The included information might relate to the existence, nature, form, probability, severity, acceptability, control, treatment, detectability or other aspects of risks to quality.

Communication need not be carried out for each and every risk acceptance. Between the industry and regulatory authorities, communication concerning quality risk management decisions might be effected through existing channels as specified in regulations and guidances.

Risk Review:

Risk management should be an ongoing part of the quality management process.

The output/results of the risk management process should be reviewed to take into account new knowledge and experience. Once a quality risk management process has been initiated, that process should continue to be utilized for events that might impact the original quality risk management decision, whether these events are planned (e.g., results of product review, inspections, audits, change control) or unplanned (e.g., root cause from failure investigations, recall). The frequency of any review should be based upon the level of risk. Risk review might include reconsideration of risk acceptance decisions.

Risk Management Methodology:

Quality risk management supports a scientific and practical approach to decision-making. It provides documented, transparent and reproducible methods to accomplish steps of the quality risk management process based on current knowledge about assessing the probability, severity and sometimes detectability of the risk.

Traditionally, risks to quality have been assessed and managed in a variety of informal ways (empirical and/or internal procedures) based on, for example, compilation of observations, trends and other information.

The pharmaceutical industry and regulators can assess and manage risk using recognized risk management tools and/or internal procedures (e.g., standard operating procedures). Below is a non-exhaustive list of some of these tools:

Basic risk management facilitation methods (flowcharts, check sheets etc.);

Failure Mode Effects Analysis (FMEA);

Failure Mode, Effects and Criticality Analysis (FMECA);

Fault Tree Analysis (FTA);

Hazard Analysis and Critical Control Points (HACCP);

Hazard Operability Analysis (HAZOP);

Preliminary Hazard Analysis (PHA);

Risk ranking and filtering;

Supporting statistical tools.

Definitions:


Detectability:

The ability to discover or determine the existence, presence, or fact of a hazard.


Harm:

Damage to health, including the damage that can occur from loss of product quality or availability.


Hazard:

The potential source of harm (ISO/IEC Guide 51).

Product Lifecycle:

All phases in the life of the product from the initial development through marketing until the product’s discontinuation.


Quality:

The degree to which a set of inherent properties of a product, system or process fulfills requirements (see ICH Q6A definition specifically for “quality” of drug substance and drug (medicinal) products).

Quality Risk Management:

A systematic process for the assessment, control, communication and review of risks to the quality of the drug (medicinal) product across the product lifecycle.

Quality System:

The sum of all aspects of a system that implements quality policy and ensures that quality objectives are met.


Risk:

The combination of the probability of occurrence of harm and the severity of that harm (ISO/IEC Guide 51).

Risk Acceptance:

The decision to accept risk (ISO Guide 73).

Risk Analysis:

The estimation of the risk associated with the identified hazards.

Risk Assessment:

A systematic process of organizing information to support a risk decision to be made within a risk management process. It consists of the identification of hazards and the analysis and evaluation of risks associated with exposure to those hazards.

Risk Communication:

The sharing of information about risk and risk management between the decision maker and other stakeholders.

Risk Control:

Actions implementing risk management decisions (ISO Guide 73).

Risk Evaluation:

The comparison of the estimated risk to given risk criteria using a quantitative or qualitative scale to determine the significance of the risk.

Risk Identification:

The systematic use of information to identify potential sources of harm (hazards) referring to the risk question or problem description.

Risk Management:

The systematic application of quality management policies, procedures, and practices to the tasks of assessing, controlling, communicating and reviewing risk.

Risk Reduction:

Actions taken to lessen the probability of occurrence of harm and the severity of that harm.

Risk Review:

Review or monitoring of output/results of the risk management process considering (if appropriate) new knowledge and experience about the risk.


Severity:

A measure of the possible consequences of a hazard.

Reference: https://www.fda.gov/regulatory-information/search-fda-guidance-documents/q9-quality-risk-management

