About Risk

What is Risk?

The introduction to the “Guideline on Quality Risk Management,” first published in November 2005 and revised in January 2023 as ICH Q9(R1), states: “Generally, risk is understood to be a combination of the probability of occurrence of harm and the severity of that harm.”

An important point here is that this refers to the probability of harm occurring, not the probability of defects occurring.

In other words, risk does not refer to defects arising in a company’s products, but rather to events that cause some form of harm.

Generally, problems must be solved, while risks must be avoided or mitigated. This is because problems have already occurred, whereas risks have not yet materialized.

The antonym of “risk” is “certainty.” In other words, risk refers to uncertainty. In economics, risk is said to encompass both unexpectedly poor economic performance and unexpectedly good performance.

Consider the following example: “A small enterprise has been driven to the point where it will go bankrupt unless it can secure 10 million yen by the end of the day. After exhausting all options, it has only managed to gather 5 million yen.” At first glance, this might appear to present a significant risk of bankruptcy. However, for this enterprise, bankruptcy is a foregone conclusion and is no longer a risk.

Risk in the Healthcare Industry

In the pharmaceutical and medical device industries, “risk” refers to “health hazards to patients and users.”

In the healthcare industry, the term used is not simply “Risk Management (RM)” but “Quality Risk Management (QRM).” This means that when quality problems occur, the potential health hazards to patients and users must be estimated and either avoided in advance or reduced to an acceptable level.

Quality Risk Management in the Pharmaceutical Industry

Surprisingly, despite the high-risk nature of the pharmaceutical industry, there were no standards or guidelines for risk management until the end of the 20th century. It was not until 2005 that the “Guideline on Quality Risk Management” was agreed upon under ICH Q9.

About the ICH Q9(R1) Revision

In January 2023, after approximately 18 years, ICH Q9 was revised and released as ICH Q9(R1). This revision included the following important topics:

Key Points of the Revision:

  1. Quality Risk Management Formality: The importance of selecting appropriate levels of formality and documentation according to the level of risk has been clarified.
  2. Risk-Based Decision Making: Guidance on various approaches and criteria for their selection has been added.
  3. Managing and Minimizing Subjectivity: Strategies for recognizing subjectivity in risk assessment and controlling it, including addressing biases and behavioral factors, have been presented.
  4. Addressing Product Supply Risks: The role of quality risk management in addressing product supply risks arising from quality and manufacturing issues has been added.

Key Principles of Quality Risk Management in ICH Q9

The two key principles of quality risk management in ICH Q9 are as follows:

Principle | Content | Perspective
Principle 1 | The evaluation of the risk to quality should be based on scientific knowledge and ultimately link to the protection of the patient | Patient perspective (regulatory authority)
Principle 2 | The level of effort, formality, and documentation of the quality risk management process should be commensurate with the level of risk | Pharmaceutical industry perspective

Thus, ICH Q9 was agreed upon with the interests of both regulatory authorities and the pharmaceutical industry aligned.

Quality Risk Management in the Medical Device Industry

In the medical device industry, risk analysis became mandatory under the EU Medical Device Directive (MDD) in 1993. Subsequently, ISO 14971 was established as an international standard in 1998.

About the Revision of ISO 14971

ISO 14971 was first published in 2000 as the first edition, with the second edition published in 2007. It was then revised as the third edition (ISO 14971:2019) in December 2019. This latest version strengthened the following aspects:

Key Revisions:

  • Greater emphasis on benefit-risk analysis of medical devices
  • Strengthened requirements for documentation of reasonably foreseeable misuse
  • Clarified requirements for review of risk management activities
  • Strengthened requirements for production and post-production activities
  • Improved consistency throughout the risk management process

In Japan, it has been adopted as the domestic standard JIS T 14971:2020.

Integration with Quality Management Systems

Under the ISO 13485 standard and Medical Device QMS regulations, the application and activities of risk management are mandatory. ISO 13485:2016 requires the integration of risk management throughout the entire product lifecycle.

Trends in Quality Management Regulations at the US FDA

It should be noted that the US FDA’s 21 CFR Part 820 “Quality System Regulation (QSR)” requires risk analysis, rather than risk management, in design controls.

Important Regulatory Amendment:

On February 2, 2024, the FDA published the final rule for 21 CFR Part 820, renaming the former Quality System Regulation (QSR) as the “Quality Management System Regulation (QMSR).” This amendment achieves harmonization with international standards by incorporating ISO 13485:2016 by reference.

Key Changes in QMSR (New Part 820):

Item | Changes
Effective Date | February 2, 2026
International Harmonization | Incorporates ISO 13485:2016 by reference
Risk Management | Strengthens risk-based decision making throughout product lifecycle
Documentation Structure | Removes explicit requirements for DMR (Device Master Record), DHR (Device History Record), DHF (Design History File), transitioning to MDF (Medical Device File) concept

This amendment advances international harmonization of quality management system requirements in major markets including the United States, EU, Japan, and China.

Risk Management in Medical Device Software

According to IEC 62304, the safety classes for software incorporated in medical devices are classified as follows:

Safety Class | Definition
Class A | No injury or harm to health possible
Class B | Non-serious injury possible
Class C | Death or serious injury possible

Special Characteristics of Software Risk Management

While risk is a combination of the probability of harm occurring and the severity of that harm when manifested, it is difficult to quantitatively determine the “probability of occurrence” of bugs and other issues in software. Therefore, software risk analysis evaluates risk based on the severity of the impact should a potential failure occur, and treats probability conservatively (assuming worst-case scenarios).

Relationship Between IEC 62304 and ISO 14971

IEC 62304 prescribes risk management activities throughout the software development lifecycle, based on the risk management process defined in ISO 14971. For Class B and Class C software, more rigorous implementation of risk management processes is required.

Conclusion

Risk management in the healthcare industry requires a systematic approach based on scientific evidence, with patient safety as the top priority. Recent regulatory trends include the revision of ICH Q9(R1), the publication of ISO 14971:2019, and the implementation of the FDA QMSR, advancing international harmonization and further strengthening of risk-based approaches.

Pharmaceutical and medical device companies are required to understand these latest regulatory requirements and establish and maintain appropriate quality risk management systems to ensure patient safety and guarantee product quality.
