The Necessity of Risk-Based Approach

What is Risk-Based Approach?

Risk-based approach refers to the FDA’s new regulatory oversight strategy for the pharmaceutical industry, articulated in the “cGMPs for the 21st Century Initiative” (Current Good Manufacturing Practices Initiative for the 21st Century).

In 1997, the “FDA Modernization Act” (FDAMA), which amended the Federal Food, Drug, and Cosmetic (FDC) Act with the aim of reforming FDA administration, passed through the United States Congress. It was signed into law by President Clinton on November 21, 1997, and became effective the same day. This amendment focused primarily on strengthening and relaxing regulations concerning drugs and medical devices. It required the revision or establishment of numerous rules and the creation of guidance documents, calling for an unprecedented breadth of reform. Following the law’s enactment, the FDA completed most of the work required by the statute on rules and guidance documents within three years.

Within the comprehensive program of the “cGMPs for the 21st Century Initiative,” the FDA committed to addressing quality management systems and risk-based approaches. The cGMP Initiative was substantially launched in August 2002, specifically on August 21, 2002, when the FDA announced this significant new initiative.

In the FDA News Letter dated August 22, 2002, the agency declared: “The first goal is to face potential risks to public health head-on by expanding cGMP requirements and applying additional regulatory requirements and agency resources to those aspects of production that pose more significant potential risks.”

The Dilemma: Regulatory Strengthening and Patient Burden

Regulatory authorities must strengthen regulatory requirements to ensure patient safety. However, when regulatory requirements are strengthened, pharmaceutical companies are forced to bear the burden of compliance costs. The compliance costs paid by companies are passed on to drug prices, ultimately becoming a burden on patients. To put it in extreme terms, this could result in “healthcare that can only save wealthy individuals.”

While regulatory authorities must strengthen regulations to ensure patient safety, they must not unnecessarily increase compliance costs. This presents a genuine dilemma.

The solution to this dilemma is the “risk-based approach.” This approach recognizes that substantial compliance costs must be invested in the manufacturing and quality testing of high-risk drugs, but for low-risk drugs, compliance costs commensurate with the level of risk are acceptable.

Regulatory authorities conduct approval reviews and inspections according to risk levels and provide guidance commensurate with the risk.

Specifically, different products present different risks. For example, vitamins and nutritional supplements likely present lower risks, while anticancer drugs, psychotropic drugs, vaccines, and blood products present higher risks. Additionally, different processes present different risks. For instance, in temperature and humidity control between raw material warehouses and finished product warehouses, the finished product warehouse presents higher risk.

Through the risk-based approach, resources related to regulatory authority inspections and pharmaceutical company quality assurance can be concentrated on higher-risk processes.

From Standards to Risk-Based Approach

In Japan, GMP is called “Standards for Manufacturing Control and Quality Control of Drugs, etc.” In other words, GMP is a standard. However, it is not sufficient to manufacture any drug according to a uniform standard.

Most recent regulatory requirements adopt a risk-based approach. Unlike the past, regulatory requirements no longer provide “standards”; instead, each pharmaceutical company must define its own standards according to “risk.”

What is critical in this context is “risk assessment.” Companies must properly evaluate the risks of the products they manufacture and investigate the magnitude of those risks. They must also investigate which processes among all processes present higher risks. In other words, regulatory authorities require documentation of justified risk assessments.

International Harmonization: ICH Q9 Quality Risk Management

To support the implementation of risk-based approaches globally, the International Council for Harmonisation (ICH) developed the Q9 Quality Risk Management guideline. ICH Q9 was approved in November 2005 and adopted by the FDA and other regulatory authorities in 2006. This guideline provides a systematic approach to quality risk management that can be applied to different aspects of pharmaceutical quality throughout the product lifecycle.

ICH Q9 established foundational principles including:

• Risk management should be based on scientific knowledge and ultimately link to the protection of the patient
• The level of effort, formality, and documentation of the quality risk management process should be commensurate with the level of risk

In January 2023, ICH Q9 was revised as ICH Q9(R1) to address evolving industry needs and provide enhanced clarity on several key topics, including:

• Formality in quality risk management activities
• Risk-based decision-making processes
• Managing subjectivity in risk assessments
• Addressing product availability risks due to quality issues

The revision emphasizes that formality in quality risk management exists on a spectrum rather than as a binary concept, allowing companies to tailor their approach based on the complexity and criticality of the situation. This updated guidance further reinforces the importance of systematic, science-based risk assessment as the foundation for modern pharmaceutical quality management.

Part 11 and Risk-Based Approach

According to statistics from 2002, the cost to comply with Part 11 (compliance cost) for pharmaceutical companies across the United States was estimated at $250 billion yen (approximately $2.5 billion USD). In other words, the issuance of Part 11 significantly increased compliance costs. Therefore, in September 2003, the FDA announced that it would exercise enforcement discretion regarding Part 11, which had become far more expensive in compliance costs compared to other regulatory requirements.

Specifically, on February 25, 2003, the FDA issued a draft guidance titled “Part 11, Electronic Records; Electronic Signatures — Scope and Application,” which was finalized on September 3, 2003. This guidance announced that the FDA would interpret Part 11 more narrowly and exercise enforcement discretion with respect to certain Part 11 requirements such as validation, audit trails, record retention, and record copying, while the agency re-examined the regulation as part of its cGMP initiative.

Currently, Part 11 inspections are conducted primarily in QC laboratories at manufacturing sites that produce drugs for human use. Part 11 inspections are not conducted for medical devices, veterinary drugs, and similar products. The reason for this is that if electronic data (analytical results and test reports) that resulted in Out of Specification (OOS) in laboratory testing is altered and the product is released, it directly impacts patient safety.

For pharmaceuticals, QC laboratory test results and release determination data have the greatest impact on patient safety, thus presenting the highest risk.

Evolution of Data Integrity Requirements

Since the 2003 Part 11 guidance, the focus on data integrity has continued to evolve and intensify. The FDA and other global regulatory authorities have issued additional guidance documents and expectations related to data integrity, emphasizing the ALCOA+ principles (Attributable, Legible, Contemporaneous, Original, Accurate, plus Complete, Consistent, Enduring, and Available).

The FDA’s Data Integrity and Compliance guidance issued in 2018, along with similar guidance from other authorities such as the European Medicines Agency (EMA) and the Pharmaceutical Inspection Co-operation Scheme (PIC/S), have further clarified expectations for electronic records and data integrity. These documents emphasize that data integrity requirements apply throughout the data lifecycle, from creation through destruction, and across all systems used to collect, process, report, and store GxP data.

Modern regulatory expectations recognize that data integrity is not solely about compliance with Part 11 technical controls, but rather about establishing a comprehensive quality culture where data reliability and trustworthiness are fundamental principles embedded in all operations.

Risk Management Throughout the Product Lifecycle

The risk-based approach is now integrated throughout the entire pharmaceutical product lifecycle, from development through commercialization and post-market surveillance. The ICH Quality Guidelines, including Q8 (Pharmaceutical Development), Q9 (Quality Risk Management), Q10 (Pharmaceutical Quality System), and Q11 (Development and Manufacture of Drug Substances), work together to create a comprehensive framework for quality by design and lifecycle management.

This integrated approach enables:

• Enhanced Product Understanding: Through systematic risk assessment during development, companies gain deeper understanding of critical quality attributes and their relationship to process parameters
• Efficient Regulatory Oversight: Regulators can focus resources on areas of highest risk, enabling more thorough review of critical aspects while allowing greater flexibility in lower-risk areas
• Continuous Improvement: Quality risk management principles facilitate ongoing process optimization and innovation throughout the product lifecycle
• Supply Chain Resilience: Risk-based approaches help identify and mitigate supply chain vulnerabilities that could lead to drug shortages

Contemporary Applications and Future Directions

The risk-based approach continues to evolve with technological advancement and increasing complexity in pharmaceutical manufacturing. Emerging areas where risk-based principles are being applied include:

Advanced Manufacturing Technologies: The FDA’s guidance on “Advanced Manufacturing” and “Emerging Technologies” encourages the adoption of innovative manufacturing approaches such as continuous manufacturing, process analytical technology (PAT), and real-time release testing, all underpinned by robust risk assessment.

Digital Transformation: As the industry embraces digitalization, artificial intelligence, and machine learning, risk-based approaches are essential for validating these new technologies and ensuring data integrity in increasingly complex IT environments.

Global Supply Chains: With pharmaceutical supply chains spanning multiple continents, risk-based approaches are critical for supplier qualification, oversight of contract manufacturers, and ensuring product quality across complex distribution networks.

Pandemic Response: The COVID-19 pandemic highlighted the value of risk-based approaches in enabling rapid vaccine development and manufacturing scale-up while maintaining appropriate quality standards.

Conclusion

The risk-based approach represents a fundamental shift in pharmaceutical regulation from a one-size-fits-all standard to a more sophisticated, science-based system that allocates resources according to actual risk. This approach benefits all stakeholders: patients receive safer medicines at more affordable prices, companies can focus resources where they matter most, and regulators can provide more effective oversight.

As reflected in the continuing evolution from ICH Q9 to Q9(R1) and the ongoing refinement of data integrity expectations, the risk-based approach is not static but continues to develop in response to scientific advances, technological innovation, and accumulated experience. The challenge for pharmaceutical companies is to embed risk-based thinking deeply into their quality culture, moving beyond mere compliance to embrace risk management as a strategic tool for ensuring product quality, operational excellence, and ultimately, patient safety.

The success of the risk-based approach depends on pharmaceutical companies conducting thorough, well-documented risk assessments and making scientifically sound decisions based on those assessments. Regulatory authorities, in turn, must continue to provide clear guidance and appropriate enforcement discretion to encourage innovation while maintaining their fundamental mission of protecting public health. Through this collaborative approach, the pharmaceutical industry can continue to advance toward the vision articulated in the cGMPs for the 21st Century Initiative: a maximally efficient, agile, and flexible pharmaceutical manufacturing sector that reliably produces high-quality medicines with appropriate regulatory oversight.