September 2015EMA/CHMP/ICH/24235/2006Committee for Human Medicinal ProductsICH guideline Q9 on quality risk managementStep 5Transmission to CHMPJune 2005Transmission to interested partiesJune 2005Deadline for commentsOctober 2005Final adoption by CHMPNovember 2005Date for coming into effectJanuary 2006Link to: ICH Q8/Q9/Q10 Training materialLink to: ICH Q8/Q9/Q10 Points to consider30 Churchill Place Canary Wharf London E14 5EU United KingdomTelephone 44 (0)20 3660 6000 Facsimile 44 (0)20 3660 5505Send a question via our website www.ema.europa.eu/contactAn agency of the European Union European Medicines Agency, 2015. Reproduction is authorised provided the source is acknowledged.
ICH guideline Q9 on quality risk managementTable of contents1. Introduction . 32. Scope. 33. Principles of quality risk management . 44. General quality risk management process . 44.1. Responsibilities . 54.2. Initiating a quality risk management process . 54.3. Risk assessment . 54.4. Risk control . 64.5. Risk communication . 74.6. Risk review . 75. Risk management methodology . 76. Integration of quality risk management into industry and regulatoryoperations . 87. Definitions . 98. References . 11Annex I: risk management methods and tools . 12I.1Basic risk management facilitation methods . 12I.2Failure Mode Effects Analysis (FMEA) . 12I.3Failure Mode, Effects and Criticality Analysis (FMECA) . 12I.4Fault Tree Analysis (FTA) . 13I.5Hazard Analysis and Critical Control Points (HACCP) . 13I.6Hazard Operability Analysis (HAZOP) . 14I.7Preliminary Hazard Analysis (PHA) . 14I.8Risk ranking and filtering . 14I.9Supporting statistical tools . 15Annex II: Potential applications for quality risk management . 15II.1Quality risk management as part of integrated quality management . 15II.2Quality risk management as part of regulatory operations . 16II.3Quality risk management as part of development . 17II.4Quality risk management for facilities, equipment and utilities . 17II.5Quality risk management as part of materials management . 18II.6Quality risk management as part of production . 19II.7Quality risk management as part of laboratory control and stability studies . 19II.8Quality risk management as part of packaging and labelling . 20ICH guideline Q9 on quality risk managementEMA/CHMP/ICH/24235/2006Page 2/20
1. IntroductionRisk management principles are effectively utilized in many areas of business and governmentincluding finance, insurance, occupational safety, public health, pharmacovigilance, and by agenciesregulating these industries. Although there are some examples of the use of quality risk managementin the pharmaceutical industry today, they are limited and do not represent the full contributions thatrisk management has to offer. In addition, the importance of quality systems has been recognized inthe pharmaceutical industry and it is becoming evident that quality risk management is a valuablecomponent of an effective quality system.It is commonly understood that risk is defined as the combination of the probability of occurrence ofharm and the severity of that harm. However, achieving a shared understanding of the application ofrisk management among diverse stakeholders is difficult because each stakeholder might perceivedifferent potential harms, place a different probability on each harm occurring and attribute differentseverities to each harm. In relation to pharmaceuticals, although there are a variety of stakeholders,including patients and medical practitioners as well as government and industry, the protection of thepatient by managing the risk to quality should be considered of prime importance.The manufacturing and use of a drug (medicinal) product, including its components, necessarily entailsome degree of risk. The risk to its quality is just one component of the overall risk. It is important tounderstand that product quality should be maintained throughout the product lifecycle such that theattributes that are important to the quality of the drug (medicinal) product remain consistent withthose used in the clinical studies. An effective quality risk management approach can further ensurethe high quality of the drug (medicinal) product to the patient by providing a proactive means toidentify and control potential quality issues during development and manufacturing. Additionally, use ofquality risk management can improve the decision making if a quality problem arises. Effective qualityrisk management can facilitate better and more informed decisions, can provide regulators withgreater assurance of a company’s ability to deal with potential risks and can beneficially affect theextent and level of direct regulatory oversight.The purpose of this document is to offer a systematic approach to quality risk management. It servesas a foundation or resource document that is independent of, yet supports, other ICH Qualitydocuments and complements existing quality practices, requirements, standards, and guidelines withinthe pharmaceutical industry and regulatory environment. It specifically provides guidance on theprinciples and some of the tools of quality risk management that can enable more effective andconsistent risk based decisions, both by regulators and industry, regarding the quality of drugsubstances and drug (medicinal) products across the product lifecycle. It is not intended to create anynew expectations beyond the current regulatory requirements.It is neither always appropriate nor always necessary to use a formal risk management process (usingrecognized tools and/ or internal procedures e.g., standard operating procedures). The use of informalrisk management processes (using empirical tools and/ or internal procedures) can also be consideredacceptable. Appropriate use of quality risk management can facilitate but does not obviate industry’sobligation to comply with regulatory requirements and does not replace appropriate communicationsbetween industry and regulators.2. ScopeThis guideline provides principles and examples of tools for quality risk management that can beapplied to different aspects of pharmaceutical quality. These aspects include development,manufacturing, distribution, and the inspection and submission/review processes throughout theICH guideline Q9 on quality risk managementEMA/CHMP/ICH/24235/2006Page 3/20
lifecycle of drug substances, drug (medicinal) products, biological and biotechnological products(including the use of raw materials, solvents, excipients, packaging and labeling materials in drug(medicinal) products, biological and biotechnological products).3. Principles of quality risk managementTwo primary principles of quality risk management are: The evaluation of the risk to quality should be based on scientific knowledge and ultimately link tothe protection of the patient; and The level of effort, formality and documentation of the quality risk management process should becommensurate with the level of risk.4. General quality risk management processQuality risk management is a systematic process for the assessment, control, communication andreview of risks to the quality of the drug (medicinal) product across the product lifecycle. A model forquality risk management is outlined in the diagram (Figure 1). Other models could be used. Theemphasis on each component of the framework might differ from case to case but a robust process willincorporate consideration of all the elements at a level of detail that is commensurate with the specificrisk.Figure 1. Overview of a typical quality risk management processInitiateQuality Risk Management ProcessRisk AssessmentRisk IdentificationRisk AnalysisRisk EvaluationRisk CommunicationRisk ControlRisk ReductionRisk AcceptanceRisk Management toolsunacceptableOutput / Result of theQuality Risk Management ProcessRisk ReviewReview EventsDecision nodes are not shown in the diagram above because decisions can occur at any point in theprocess. These decisions might be to return to the previous step and seek further information, toadjust the risk models or even to terminate the risk management process based upon information thatsupports such a decision. Note: “unacceptable” in the flowchart does not only refer to statutory,legislative or regulatory requirements, but also to the need to revisit the risk assessment process.ICH guideline Q9 on quality risk managementEMA/CHMP/ICH/24235/2006Page 4/20
4.1. ResponsibilitiesQuality risk management activities are usually, but not always, undertaken by interdisciplinary teams.When teams are formed, they should include experts from the appropriate areas (e.g., quality unit,business development, engineering, regulatory affairs, production operations, sales and marketing,legal, statistics and clinical) in addition to individuals who are knowledgeable about the quality riskmanagement process.Decision makers should take responsibility for coordinating quality risk management across various functions anddepartments of their organization; and assure that a quality risk management process is defined, deployed and reviewed and thatadequate resources are available.4.2. Initiating a quality risk management processQuality risk management should include systematic processes designed to coordinate, facilitate andimprove science-based decision making with respect to risk. Possible steps used to initiate and plan aquality risk management process might include the following: Define the problem and/or risk question, including pertinent assumptions identifying the potentialfor risk; Assemble background information and/ or data on the potential hazard, harm or human healthimpact relevant to the risk assessment; Identify a leader and necessary resources; Specify a timeline, deliverables and appropriate level of decision making for the risk managementprocess.4.3. Risk assessmentRisk assessment consists of the identification of hazards and the analysis and evaluation of risksassociated with exposure to those hazards (as defined below). Quality risk assessments begin with awell-defined problem description or risk question. When the risk in question is well defined, anappropriate risk management tool (see examples in section 5) and the types of information needed toaddress the risk question will be more readily identifiable. As an aid to clearly defining the risk(s) forrisk assessment purposes, three fundamental questions are often helpful:1. What might go wrong?2. What is the likelihood (probability) it will go wrong?3. What are the consequences (severity)?Risk identification is a systematic use of information to identify hazards referring to the risk questionor problem description. Information can include historical data, theoretical analysis, informed opinions,and the concerns of stakeholders. Risk identification addresses the “What might go wrong?” question,including identifying the possible consequences. This provides the basis for further steps in the qualityrisk management process.ICH guideline Q9 on quality risk managementEMA/CHMP/ICH/24235/2006Page 5/20
Risk analysis is the estimation of the risk associated with the identified hazards. It is the qualitativeor quantitative process of linking the likelihood of occurrence and severity of harms. In some riskmanagement tools, the ability to detect the harm (detectability) also factors in the estimation of risk.Risk evaluation compares the identified and analyzed risk against given risk criteria. Risk evaluationsconsider the strength of evidence for all three of the fundamental questions.In doing an effective risk assessment, the robustness of the data set is important because itdetermines the quality of the output. Revealing assumptions and reasonable sources of uncertainty willenhance confidence in this output and/or help identify its limitations. Uncertainty is due to combinationof incomplete knowledge about a process and its expected or unexpected variability. Typical sources ofuncertainty include gaps in knowledge gaps in pharmaceutical science and process understanding,sources of harm (e.g., failure modes of a process, sources of variability), and probability of detection ofproblems.The output of a risk assessment is either a quantitative estimate of risk or a qualitative description of arange of risk. When risk is expressed quantitatively, a numerical probability is used. Alternatively, riskcan be expressed using qualitative descriptors, such as “high”, “medium”, or “low”, which should bedefined in as much detail as possible. Sometimes a "risk score" is used to further define descriptors inrisk ranking. In quantitative risk assessments, a risk estimate provides the likelihood of a specificconsequence, given a set of risk-generating circumstances. Thus, quantitative risk estimation is usefulfor one particular consequence at a time. Alternatively, some risk management tools use a relat
quality risk management can improve the decision making if a quality problem arises. Effective quality risk management can facilitate better and more informed decisions, can provide regulators with ... risk ranking. In quantitative risk assessments, a risk estimate provides the likelihood of a specific .