FDA Requests Comment on ICH Q9(R1) Quality Risk Management – BioProcess Online | Region & Cash

By Mark Durivage, Quality Systems Compliance LLC

On June 16, 2022, the FDA’s Center for Drug Evaluation and Research (CDER) released Q9(R1) Quality Risk Management Guidance for Industry for public comment. The International Council for the Harmonization (ICH) of Technical Requirements for Medicinal Products for Human Use has undertaken the revision of Q9 Quality Risk Management to ensure that safe, effective and high-quality medicinal products are developed, registered and maintained in the most resource-efficient manner worldwide. The FDA, a founding member of the ICH, plays an important role in the development of each of the ICH guidelines, which the FDA then adopts and issues as guidance for industry.

The purpose of the guide is to improve the application of effective quality risk management principles by industry and regulators and to provide a systematic approach to quality risk management for improved, informed and timely decisions. The FDA recognizes that quality risk management is a valuable component of an effective pharmaceutical quality management system to ensure drug products are safe and effective.

Q9(R1) Quality Risk Management provides quality risk management principles and tools that can be applied throughout the product lifecycle of drug substances, drug products, and biological and biotechnology products, including development, manufacturing, distribution, inspection, and regulatory filing and review -Processes.

Q9(R1) Quality Risk Management Step 1, Signature of consensus draft technical document was completed in October 2021. It was signed in November 2021 as a Step 2 document to be released for public consultation by ICH regulators. This document was developed based on a concept paper approved in November 2020 and a business plan approved in October 2020. ICH anticipates finalization as a step 4 document for implementation by local regional regulatory systems in September 2022.

Principles of Quality Risk Management

ISO/IEC Guide 51 defines risk as the combination of probability of occurrence of harm (harm to health, including harm that may result from loss of product quality or availability) and severity (a measure of the possible consequences of a hazard). [potential source of harm]) of this damage.

Quality risk management consists of two basic principles. First, the assessment of quality risks should be based on scientific evidence and ultimately linked to the protection of the patient. Second, the quality risk management process (effort, formalities and documentation) should be proportionate to the level of risk.

Quality risk management is a systematic process of assessing, controlling, reviewing and communicating drug quality risks throughout the drug life cycle. Q9(R1) Quality Risk Management provides a quality risk management model as shown in Figure 1. If risks are determined to be unacceptable due to patient risk and legal or regulatory requirements, the risk should be reassessed. Other risk models can be used but should generally contain the same elements as the model shown in Figure 1.

Quality risk management activities are best conducted by an interdisciplinary team representing the business activities involved including Quality, Regulatory Affairs, Operations, Production, Sales, Marketing, Research & Development, Engineering, Maintenance, Supply Chain, Warehousing, Distribution, Customer Service, Clinical Affairs and Post-Market Surveillance. Interdisciplinary teams can help minimize subjectivity when identifying hazards and probabilities of occurrence and assessing the effectiveness of risk reduction.

The quality risk management process owner is responsible for coordinating quality risk management activities throughout the organization, ensuring that the quality risk management process is established, implemented and maintained, ensuring adequacy of resources (training and experience) and ensuring subjectivity is controlled, to facilitate robust risk-based decision making based on science and data.

Figure 1: Overview of a typical quality risk management process.

The quality risk management process should be designed to coordinate, facilitate and improve risk-based decision-making. An effective quality risk management process should include the following basic steps:

  1. define the problem
  2. form an interdisciplinary team
  3. identify a leader
  4. Gather the background information
  5. develop a schedule
  6. set benefits.

Quality risk assessments begin with a well-defined problem statement or risk question to identify hazards and to analyze and assess the risks associated with exposure to the identified hazards. Three useful questions that can be used by the interdisciplinary team to define the risks are:

  • What could go wrong (hazard detection)?
  • What is the probability that it will go wrong (risk analysis)?
  • What are the consequences of the severity (risk assessment)?

Effective risk assessments rely on the quality of the data used to make risk assumptions. Documenting the reasons for assumptions helps current and future team members make decisions. Knowledge gaps related to the pharmaceutical sciences, including processing, impede the interdisciplinary team’s ability to properly identify sources of damage, probabilities of occurrence and ability to recognize the problem. Depending on the risk management tools and methods used, risk assessments can provide a quantitative or qualitative risk estimate. Quantitative risk is expressed as a numerical probability, while qualitative risk is described as, for example, high, medium or low.

In the risk control phase, the risk is reduced to an acceptable level while deciding to reduce and/or accept the identified risks. Useful questions to help the interdisciplinary team control risks include:

  • Is the risk above an acceptable level?
  • What can be done to reduce or eliminate risk?
  • What is the appropriate balance between benefits, risks and resources?
  • Does controlling the identified risks introduce new risks?

Risk mitigation focuses on mitigating or avoiding risk when the risk exceeds a predetermined limit. Risk mitigation actions can include reducing the severity of harm, reducing the frequency of occurrence and improving the ability to recognize the hazards associated with the harm. The decision to accept residual risks should be supported by a documented justification that risks may not be fully eliminated.

The exchange of information about risk and risk management between decision makers and other interested parties is the basis of an effective risk communication process. Risk communication may involve corporate stakeholders, regulators and industry and industry, and the patient and may include information related to the existence, nature, form, likelihood, severity, acceptability, control, treatment and detectability of risks .

Risk management should be an ongoing process and should include a mechanism to review and monitor events, including the results of product evaluations, inspections, audits, change controls, complaints, adverse events, recalls, field actions, new knowledge and lessons learned.

There are several widely accepted tools and techniques that can be used for risk management, including:

  • Basic methods to facilitate risk management
  • Failure Mode Effects Analysis (FMEA)
  • Failure Mode, Effects and Criticality Analysis (FMECA)
  • Fault Tree Analysis (FTA)
  • Hazard Analysis and Critical Control Points (HACCP)
  • Hazard Analysis (HAZOP)
  • Preliminary Hazard Analysis (PHA)
  • Risk ranking and filtering
  • Statistical Tools

The choice of risk management tools depends on concrete facts, circumstances and the level of experience of the interdisciplinary team. Appendix I of the Guidance: Quality Risk Management Methods and Tools provides an overview, references and potential areas of application for the tools and techniques that could be used by industry and regulators in the risk management process.

Quality risk management can be used as part of an integrated quality management system, including regulatory operations, development, facilities, equipment and supplies, materials management, production, inspection, laboratory control, stability studies, packaging, labeling, supply chain control, warehousing, and distribution. Q9(R1) Quality risk management Appendix II: Quality risk management as part of integrated quality management identifies potential applications of quality risk management principles and tools by industry and regulators.


Q9(R1) Quality Risk Management is well written and provides a good basis for establishing an effective risk management program. For more information on the proposed changes to ICH’s Q9(R1) Quality Risk Management, see WG Presentations/Trainings.

Please submit written comments to the Dockets Management Staff, Food and Drug Administration, 5630 Fishers Lane, Rm. 1061, Rockville, MD 20852 or electronic comments at https://www.regulations.gov. Please reference file number FDA-2022-D-0705 for all comments. If you have any questions about this draft document, please contact Rick Friedman, Rick.Friedman@fda.hhs.gov.

About the author:

Mark Allen Durivage has worked as a practitioner, educator, consultant and author. He is Managing Principal Consultant at Quality Systems Compliance LLC, ASQ Fellow and SRE Fellow. Durivage works primarily with companies in the FDA regulated industries (medical devices, human tissues, animal tissues and pharmaceuticals) and focuses on the implementation, integration, updating and training of quality management systems. In addition, he assists companies by providing internal and external audit support, as well as FDA 483 and Warning Letter Response and Remediation services. He earned a BAS in Computational Processing from Siena Heights University and an MS in Quality Management from Eastern Michigan University. He holds multiple certifications including CRE, CQE, CQA, CSSBB, RAC (Global) and CTBS. He has written several books available from ASQ Quality Press and published articles in quality progressand contributes regularly Life Science Connect. You can reach him at mark.durivage@qscompliance.com with any questions or comments.

Leave a Comment