Quality Risk Management: What Inspectors are looking for
ICH Q9 is the major guideline providing principles and examples of tools for Quality Risk Management (QRM) that can be applied to different aspects of pharmaceutical quality.
Quality Risk Management itself plays an important role in the EU-GMP Guidelines. For example, in Annex 16 to the EU-GMP Guidelines (Certification by a Qualified Person and Batch Release) the term "risk management" is referenced six times. In the current draft of the revised Annex 1 (Manufacture of Sterile Medicinal Products) the term "risk management" can be found 4 times and "risk assessment" 25 times! But the main reference lies in the EU-GMP Guidelines, Part 1, chapter 1: "To achieve the quality objective reliably there must be a comprehensively designed and correctly implemented system of Quality Assurance incorporating Good Manufacturing Practice, Quality Control and Quality Risk Management. It should be fully documented and its effectiveness monitored". Now, with ICH Q12, a marketing authorisation holder (MAH) may propose reporting categories for post-approval changes based on risk and knowledge gained in pharmaceutical development.
Other GMP areas where risk management principles are used include, for example:
Deviation Management and CAPA
Evaluating quality product defects
Determination of the scope and extent of qualification and validation activities
Monitoring and sampling processes
Making justification within "unless otherwise justified" concepts
ICH Q9 also describes some of the most important tools for implementing these risk management and assessment principles. Quality risk management activities are usually, but not always, undertaken by interdisciplinary teams. When teams are formed, they should include experts from the appropriate areas.
But how do competent authorities look at these systems in their GMP inspections?
If the company explains that ICH Q9 has been used as the basis for establishing the QRM system, inspectors will likely use it as a reference. Independently of that, inspectors might review:
Integration of QRM systems in the Quality System
Definition of risk
Appropriate set-up of QRM teams
Decision making processes and their traceability and transparency
Implementation of defined actions
The link to continual improvement processes
Examples can be seen in the following excerpts from FDA Warning Letters:
"You did not provide a risk assessment evaluating the potential effect of your deviations on the quality of API you previously repackaged and released."
"Your response is inadequate because you did not provide a risk assessment of the lots tested with the unqualified secondary reference standards."
"Your strategy should include … a comprehensive description of the root causes of your data integrity lapses, including evidence that the scope and depth of the current action plan is commensurate with the findings of the investigation and risk assessment."
"FDA strongly recommends that your management immediately undertake a comprehensive assessment of your operations, including facility design, procedures, personnel, processes, materials, and systems."
"Provide an assessment of the cross-contamination risks due to your current practices for the material flow of solvents, and any corrective actions resulting from this assessment. Also, provide an assessment of the contamination risk for batches within expiry."
"In response to this letter, provide the following: (…) a risk assessment regarding the effects of your supplier changes on the distributed API."
"In response to this letter, provide a comprehensive assessment of all in-process OOS results for (…), including root causes. Extend this assessment to other batches that might have been affected."
[In your response provide] "A current risk assessment of the potential effects of the observed failures on the quality of your drugs. Your assessment should include analyses of the risks to patients caused by the release of drugs affected by a lapse of data integrity, and risks posed by ongoing operations."