In the start-up and planningphase, ICH Q9 describes the activities that could be performed as follows:

• define the problem and/or risk situation, including the relevant assumptions to identify the risk potential;
• identify personnel and leadership;
• outline the expected results;
• specify a timeline, documents and an adequate level of decision-making for the risk management process;
• collect basic information and/or data on the potential danger, damage or impact on human health that is relevant for the Risk Assessment.

The ICHQ9 guideline does not indicate when or under what circumstances the Quality risk management process should be initiated, or which triggers could activate this first critical step.

Risk Assessment

The Risk Assessment consists of identifying hazards andanalysing and assessing the risks associated with exposure to these hazards. It is typically based on the use of risk management tools, which allow a methodical and structured means of identifying and analysing risks.

The Quality Risk Assessment begins with a well-defined description of the problem or risk issue. At this point, a risk management tool and the type of information needed to address the risk will be more easily identified.

To define the risks, it is useful to answer 3 questions:

1. What could go wrong? (Risk identification). Systematic use of information (historical data, theoretical analysis, knowledge-based opinions, stakeholder concerns) to identify dangers related to a problem.
2. What is the probability that it will go wrong? (Risk Analysis). Each hazard is analysed to determine its relative criticality, using the risk equation (probability x severity = risk). It is a qualitative or quantitative process that links the probability of occurrence and the severity of damage.
3. What are the consequences (severity)? (Risk Evaluation) Finally, the identified and analysed risks are compared with predefined criteria to determine their acceptability (risk assessment).

Our Risk Assessment Advice

In carrying out an effective Risk Assessment, the robustness of the data set is important because it determines the quality of the output. Showing assumptions and reasonable sources of uncertainty increases confidence in this output and/or helps to identify its limitations.

The uncertainty is due to the combination of:

• incompleteknowledge of a process and its expected or unexpected variability;
• knowledge gaps in pharmaceutical science and in the understanding of the process, in the sources of harm (e.g. failure modes of a process, sources of variability) and in the probability of identifying problems.

The output of a Risk Assessment is a quantitative estimate of the risk or a qualitative description of a series of risks.

Risk Control

In this phase,the risks are reduced to an acceptable level. This is perhaps the most important stage, as it is the point in the process where control strategies are identified, implemented and continuously improved; risk control is the phase that guarantees adequate patient protection.

The main activities are:

• Risk reduction – actions taken to reduce the probability of damage occurrence and severity. Focuses on quality risk mitigation and prevention processes;
• Risk acceptance – Confirmation that risk mitigation actions have not adversely affected the overall risk profile by introducing new risks or increasing risk levels, the risks are adequately controlled (i.e., that risk mitigation actions and other risk controls are effective) and the resulting risks are acceptable. Risk acceptance consists of a formal decision to accept the residual risk or a passive decision in which the residual risk is not specified.

In the event that the risk remains unacceptable following risk reduction, the cycle returns to the risk assessment stage and the process can be repeated.

Our advice for the Risk Control phase

The amount of work and resources invested in risk control should be proportional to the magnitude of the risk. Decision-makers can use several processes, including cost-benefit analysis, to understand the optimal level of risk control.

Risk Control could focus on the following questions:

1. Is the risk above an acceptable level?
2. What can be done to reduce or eliminate the risks?
3. What is the right balance between the benefits, risks and resources?
4. Did the new risks start as a result of the identified risks being controlled?

---

After risk control, there is an output. Although included in the QRM life cycle, ICH Q9 does not provide any narrative description of what such an output or result might entail.

Generally, at this stage a report is compiled on the results of the risk assessment and risk control, the risk reduction efforts undertaken and the acceptability of the residual risk.

Risk Review

Once the risk control has been completed and the results documented, the risk review phase begins. The goal is to ensure that previous activities and associated deliverables remain accurate, relevant and complete in light of changing conditions. Knowledge gained during the product lifecycle, ongoing activities, such as product, process or system changes, unplanned events, such as customer deviations and complaints, and changes in internal and external business and regulatory climate can impact the decisions taken in the risk assessment and acceptance phases.

Risk review, therefore, involves aperiodic or event-driven review to determine whether the original risk assessment needs to be updated and whether risk acceptability will therefore be affected. In this sense, ICH Q9 presents the risk review as an opportunity to confirm the continued validity of decisions made within the QRM process.

The review frequency should be based on the level of risk.

Risk Communication

A critical and often overlooked element of the QRM lifecycle is risk communication. The objective is to ensure that all interested parties are aware of the information on risks, including aspects such as “existence, nature, form, probability, severity, acceptability, control, treatment, detectability or other aspects of quality risks”.

Such communication occurs most commonly in the output phase of the QRM lifecycle, through documentation associated with risk assessment and control activities as the primary communication mechanism; however, risk communication can and should occur at other stages of the QRM lifecycle, depending on the nature and criticality of the identified risks.

A significant challenge in quality risk communication lies in the relatively limited options for communication between QRM professionals, decision-makers and the patient. Unlike intrinsic risks (such as known adverse reactions), which are typically communicated through product labelling, extrinsic risks, including quality risks, have no defined communication mechanism.

Our advice for the Risk Communication phase

In Risk Communication, it is important to take into account the following elements:

• stakeholders must communicate in all stages of the Risk Management process;
• the result of the Risk Management process must be adequately communicated and documented;
• the information contained in the report may relate to the existence, nature, form, probability, severity, acceptability, control, treatment, recognition or other aspects of risks;
• communication is not required for each acceptance of risk;
• between industry and regulatory authorities, communication relating to Quality Risk Management decisions can be made through existing channels, as specified by the regulations and guidelines

References:

ICH. ICH Q9: Quality Risk Management. June 2005
Quality Risk Management 101: ICH Q9 In Context – Pharmaceutical Online – March 28, 2018

How can we help you?

Specialist Consultancy for Computer System Validation & Data Integrity

Specialist consultancy for Equipment Qualifications, environments and utilities