Understanding Risk Analysis

Risk management is naturally essential in medical device regulations, and it is equally important in the pharmaceutical industry. However, risk management in pharmaceuticals is specifically focused on risks that affect product quality and is referred to as “Quality Risk Management” (QRM). This differs from medical device risk management, which encompasses a broader scope including harm to patients, users, and other persons, as well as damage to property and the environment.

The first step in risk management is “risk analysis.” What exactly does “risk analysis” entail?

Practical Example of Risk Analysis: PC Projector Case

Let us consider analyzing the risks associated with a PC projector. In risk analysis, we first identify hazards inherent in the product (which may include equipment, devices, facilities, or systems).

A hazard is defined as a potential source of harm (according to ISO 14971:2019). For a PC projector, hazards might include “light,” “heat,” “hot air,” “electricity,” “electromagnetic waves,” and “gravity.” For instance, an electrical leak could cause electrocution, and a fall from the ceiling or desk could result in injury.

Here, we will focus on “heat” as an example for conducting risk analysis.

Progression from Hazard to Harm

When the hazard of heat reaches high temperatures, it creates a “hazardous situation.” ISO 14971:2019 defines this as “circumstances in which people, property, or the environment are exposed to one or more hazards.”

If a person comes into contact with an area in a hazardous situation (i.e., high temperature state), “harm” in the form of burns may occur. The possibility of harm occurring indicates the existence of risk.

Definition and Calculation of Risk

Let us review the definition of risk. According to ISO 14971:2019, risk is the combination of the probability of occurrence of harm and the severity of that harm.

Severity Assessment

First, regarding severity, since we are dealing with burns, let us classify this as moderate (approximately level 3 on a 5-point scale). Depending on the organization, severity may be expressed using qualitative descriptors such as “negligible,” “minor,” “moderate,” “serious,” or “catastrophic.”

Probability Assessment

Next comes the probability assessment, which is difficult to calculate. For a PC projector, the probability of exposure to the hazard (i.e., reaching a high temperature state) (hereinafter, p1) would likely be 100%.

However, the probability we need to determine is the probability of harm occurring. In other words, unless a person comes into contact with the high-temperature area, harm such as burns will not occur. What would be the probability of a person coming into contact with the high-temperature area (hereinafter, p2)? This is likely impossible for anyone to determine accurately.

Since risk concerns problems that have not yet occurred, calculating the probability of occurrence is inherently difficult.

Initial Risk Setting

In the initial state (before risk control), it is acceptable to adopt the maximum value for p2 (expressed as a decimal: 1.0, or 100% as a percentage). The probability of harm occurring would be p1(1) × p2(1) = 1, meaning we assume it to be 100% (level 5 on a 5-point scale).

In risk analysis, the key is not to accurately determine the initial probability of occurrence, but rather to determine how much the probability can be reduced after implementing risk control measures (safety countermeasures).

For example, if an acrylic panel is installed to prevent human contact (p2 = 0), the probability of occurrence would become 0. This is an example of “risk control.”

Risk Calculation and Evaluation

For the PC projector, the risk of suffering burns is: severity 3 × probability 5 = 15. When plotted on a risk matrix (R-MAP) used by many organizations, a value of 15 would likely be classified as moderate risk.

Whether this risk value is acceptable is determined by comparing it against pre-established risk acceptance criteria defined by the organization. If the risk is not acceptable, additional risk control measures must be considered.

Definition of Risk Analysis

Thus, risk analysis refers to the systematic process of estimating hazardous situations from hazards, estimating harms, and analyzing and evaluating risks.

ISO 14971:2019 and ICH Q9(R1) define the risk management process as follows:

Process Element	Description
Risk Assessment	Overall process including risk analysis and risk evaluation
Risk Analysis	Identification of hazards, estimation of hazardous situations, estimation of harms, calculation of risks
Risk Evaluation	Comparing calculated risks against risk acceptance criteria to determine acceptability
Risk Control	Decision-making and implementation to reduce or accept risks
Risk Communication	Sharing risk information among stakeholders
Risk Review	Continuous review of risks based on production and post-production information

Latest Regulatory Developments

Key Changes in ISO 14971:2019

The third edition, published in December 2019, incorporated the following significant changes:

1. Emphasis on Benefit-Risk Ratio: Clarification of the requirement to evaluate residual risks against the clinical benefits of the medical device
2. Enhanced Post-Production Information: Significantly strengthened emphasis on collecting and reviewing information from production and post-market phases
3. Risk Management Review: Added requirement to verify, prior to market release, the implementation status of the risk management plan, acceptability of overall residual risk, and establishment of post-production information collection systems

Key Updates in ICH Q9(R1) 2023

In the pharmaceutical sector, ICH Q9(R1), adopted in January 2023, strengthened the following aspects:

1. Formality in QRM: Clarification of applying appropriate levels of formality commensurate with the significance of risks
2. Objectivity: Managing subjectivity in QRM activities and promoting more objective risk assessments
3. Risk-Based Decision-Making: Emphasis on the importance of structured decision-making processes
4. Pharmaceutical Supply Continuity: Addition of addressing product availability risks due to manufacturing quality issues

Conclusion

Risk analysis is a fundamental process for systematically ensuring product safety. For medical devices, ISO 14971:2019 serves as the latest international standard, while for pharmaceuticals, ICH Q9(R1) mandates the implementation of risk management throughout the product lifecycle. By understanding these basic concepts and the latest regulatory requirements, even beginners can implement effective risk management practices.