Quality Risk Management in the Pharmaceutical Industry
Definition of Risk in ICH Q9(R1)
In ICH Q9(R1) (revised in January 2023 and implemented in July 2023), risk is defined as “the combination of the probability of occurrence of harm and the severity of that harm.” This definition is adopted directly from ISO/IEC Guide 51, a common standard between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It is important to note that the definition emphasizes “harm” rather than simply “hazard,” reflecting a focus on patient impact.
The ICH Q9(R1) revision addressed four key areas for improvement identified in quality risk management (QRM) practice: high levels of subjectivity in risk assessments and QRM outputs, failure to adequately manage supply and product availability risks, lack of understanding as to what constitutes formality in QRM work, and lack of clarity on risk-based decision-making.
In our daily lives, we constantly perform this multiplication calculation without conscious thought. For example, when we consider using an airplane for business travel, everyone understands that if an airplane were to crash, the consequences would be catastrophic (severity = high). However, we believe that the probability of an airplane crash is extremely low (probability of occurrence = extremely small). In this manner, we continuously assess risk in our minds by multiplying severity and probability of occurrence.
Risk in the Pharmaceutical Context
The critical aspect of risk in pharmaceuticals is that risk must necessarily target patient or consumer health impacts. When a pharmaceutical product with some quality defect is administered to a patient, it is essential to manage what health harm might occur to that patient. Quality risk management, therefore, must always trace back to potential patient harm.
An important principle to understand is that risk can never be tested. For instance, it is not permissible to experiment by deliberately introducing foreign matter into a product to observe what health harm might result. This ethical constraint makes risk assessment a predictive and preventive discipline rather than an experimental one.
Fundamental Principles of Equipment Failure and Human Error
Two fundamental truths must be acknowledged in quality risk management:
First, facilities and equipment will inevitably fail at some point. No matter how well-designed or well-maintained, all mechanical systems and equipment have a finite probability of malfunction or breakdown.
Second, humans will inevitably make errors. Human fallibility is an inherent characteristic that must be factored into any quality system design.
Key Elements of Quality Risk Management
Given these realities, quality risk management focuses on two critical objectives:
The first objective is to reduce the probability of equipment failure. This involves proper design, maintenance, calibration, and monitoring of manufacturing facilities and equipment to minimize the likelihood of malfunction.
The second objective is to increase the probability of detecting failures when they occur. Even with the best preventive measures, failures will occasionally happen. Therefore, systems must be designed to detect these failures quickly and reliably before they impact product quality or patient safety.
Similarly, for human error, quality risk management must reduce the probability of errors occurring through proper training, standardized procedures, ergonomic design, and error-prevention systems. Equally important is increasing the probability of detecting errors when they do occur through checking systems, process controls, and verification procedures.
Industry Challenges with Risk Management Implementation
The author, with many years of experience providing risk management consultation to pharmaceutical and medical device companies, has observed that many companies fail to understand the essence of risk management.
A concerning example can be found in materials published on the website of the Pharmaceuticals and Medical Devices Agency (PMDA) under the study titled “Research on the Utilization of Quality Management Systems and Implementation of Pharmaceutical Quality Systems at Pharmaceutical Manufacturing Sites.” According to the description, this research aimed to “propose mechanisms for broadly introducing the concept of quality risk management, which is an important element for realizing pharmaceutical quality systems and their activities, to domestic manufacturing sites.”
Among these materials, a Risk Assessment Sheet was provided as a tool to promote the utilization of quality risk management. Upon reviewing its content, the author was astonished to find numerous examples that must be considered inappropriate for proper risk management.
Critical Analysis of Common Risk Assessment Errors
The Problem with Listing Omissions as Risks
For example, the sheet listed items such as “User Requirements Specification (URS) not created” and “Design Qualification (DQ) not performed” as risk examples. These represent acts of omission or non-compliance. Creating user requirement specifications and performing design qualification are mandatory requirements. Treating the failure to perform these required activities as “risks” is fundamentally inappropriate. Compliance with regulatory requirements and standard operating procedures (SOPs) is a basic prerequisite, not a risk to be assessed.
Risk assessment should focus on what can go wrong when required activities are properly performed, not on whether required activities are performed at all. The absence of required documentation or qualification activities represents non-compliance with good manufacturing practice (GMP) regulations, which should be addressed through compliance programs rather than risk assessment processes.
Missing Critical Risk Assessment Elements
Furthermore, this Risk Assessment Sheet lacked columns for recording severity, probability of occurrence, and probability of detection. These are fundamental components of any proper risk assessment methodology.
Proper Risk Assessment Methodology
A proper risk assessment sheet must enumerate what types of equipment failures or operational errors might occur with the relevant facilities and equipment under consideration. This requires a detailed understanding of the equipment design, operation, and potential failure modes.
When such failures or errors occur, the assessment must estimate what impact on product quality would result. This involves understanding the relationship between equipment function and product critical quality attributes.
Subsequently, the assessment must evaluate what health harm might occur to patients if pharmaceutical products with quality defects resulting from these failures were released and administered to patients. This patient-centric perspective is essential and distinguishes pharmaceutical quality risk management from risk management in other industries.
The Relationship Between Probability of Harm Components
ICH Q9(R1) provides clarity on the relationship between various probability components in risk assessment. The probability of occurrence of harm can be understood as comprising multiple sequential probabilities:
| Risk Component | Description | Example Consideration |
| P1: Probability of Hazardous Situation | What is the probability that conditions leading to exposure occur? | Will the equipment failure actually result in affected product reaching the manufacturing process? |
| P2: Probability of Harm Given Hazardous Situation | If exposure occurs, what is the probability that harm will result? | If a patient receives the affected product, what is the probability they will experience actual health harm? |
| Probability of Occurrence of Harm (POH) | Overall probability combining all factors | POH = P1 × P2 (and potentially additional sequential probabilities) |
Understanding this sequential probability model helps avoid the common mistake of conflating equipment failure probability with patient harm probability. A high probability of equipment failure does not automatically translate to high probability of patient harm if subsequent barriers and controls are effective.
The Importance of Detectability in Risk Assessment
Many risk assessment methodologies, particularly those adapted from Failure Mode and Effects Analysis (FMEA), include detectability as a key parameter. The probability of detecting a problem before it reaches the patient is crucial for determining residual risk. However, detectability should not be confused with probability of occurrence. These are independent dimensions of risk that serve different purposes in the overall assessment.
High detectability can mitigate risk but does not eliminate the underlying hazard. Risk controls should focus first on prevention (reducing probability of occurrence and severity) and second on detection (increasing probability of identifying problems before patient impact).
Call for Proper Understanding and Implementation
It is hoped that regulatory authorities, industry consultants, and pharmaceutical companies will develop a proper understanding of the essence of quality risk management and provide appropriate implementation examples that align with both the spirit and letter of ICH Q9(R1). The revision of ICH Q9 to Q9(R1) in 2023 was specifically intended to address issues such as excessive subjectivity and lack of formality understanding, making it even more critical that industry guidance materials reflect these improvements.
Formality in Quality Risk Management
ICH Q9(R1) introduces important guidance on the appropriate level of formality in quality risk management processes. The degree of formality should be commensurate with the level of risk, uncertainty, complexity, and importance of the decision being made. Not all risk assessments require the same level of documentation, analysis depth, or approval authority.
Organizations should establish clear criteria for determining when formal, documented risk assessments are necessary versus when less formal approaches are appropriate. This proportionate approach helps optimize resource allocation while maintaining effective risk management throughout the product lifecycle.
Conclusion
Quality risk management is not merely a compliance exercise or documentation requirement. It is a scientific, systematic approach to protecting patient safety by identifying, analyzing, evaluating, controlling, and monitoring risks to product quality throughout the pharmaceutical product lifecycle. Proper implementation requires understanding the fundamental principles, avoiding common pitfalls such as confusing non-compliance with risk, and applying appropriate methodologies that trace all risks back to potential patient harm.
The pharmaceutical industry must move beyond superficial compliance with quality risk management requirements and develop genuine capability in identifying equipment failure modes, human error possibilities, and their potential patient impacts. Only through this deeper understanding can the full benefits of quality risk management envisioned by ICH Q9(R1) be realized, ultimately serving the primary goal of protecting patient safety while ensuring reliable supply of quality medicines.
Note: This article reflects the author’s professional observations and opinions regarding quality risk management implementation in the pharmaceutical industry. It is intended to promote discussion and improvement of risk management practices in alignment with ICH Q9(R1) guidance.
Comment