What is Quality Risk Management (QRM)?

The ultimate responsibility for the safety, quality and efficacy of a medicinal product throughout its life cycle lies with the marketing authorisation holder (MAH), see EU-GMP Guideline Annex 16, General Principles. The holder of a manufacturing authorisation must manufacture medicinal products in such a way that their suitability for their intended use is guaranteed, that they comply with the requirements of the marketing authorisation or clinical trial authorisation, where applicable, and that patients are not exposed to any risk due to inadequate safety, quality or efficacy. The senior management of a company is responsible for achieving this quality objective. In order to achieve the quality objective, "a comprehensively designed and correctly implemented Pharmaceutical Quality System incorporating Good Manufacturing Practice and Quality Risk Management" must be in place (EU GMP Guidelines, Part 1, Chapter 1).

Quality Risk Management (QRM) was officially introduced in the pharmaceutical industry with the ICH Q9 Guideline, which was incorporated into the EU GMP Guidelines, Part 3. QRM is listed (alongside Knowledge Management) in the ICH Q10 Guideline (Pharmaceutical Quality System) as an important enabler for an effective quality system. ICH Q10 defines QRM as a "systematic process for the assessment, control, communication and review of risks to the quality of the drug (medicinal) product across the product lifecycle." According to this guideline, QRM is an essential part of a pharmaceutical quality system. It enables a proactive approach to identifying, assessing and controlling potential quality risks. It facilitates the continuous improvement of process performance and product quality throughout the product lifecycle. ICH Q9 describes principles and examples of quality risk management tools that can be applied to various aspects.

In the course of implementing ICH Q9, risk-based approaches became increasingly important. Previously, processes were often defined, implemented and documented down to the smallest detail. Now, risk assessments allow for greater flexibility, enabling processes to be implemented and controlled more efficiently. Decisions can be made on the basis of assessed (and controlled) risks. Unfortunately, many companies limit their entire QRM system to the implementation of the Failure Mode and Effects Analysis (FMEA) method. But it is much more than that, and other suitable methods can also be used (see also below, 'Methods and tools'). QRM requirements are now consistently found in the various chapters and appendices of the EU GMP Guidelines. QRM aims to systematically assess, control, communicate and regularly review risks.

Guideline Q9 defines two central principles:

1. Scientific basis and patient protection: Any assessment of risks to quality must be based on scientific evidence and always linked to the goal of protecting patients. Risks to product quality can also affect availability, for example when quality problems lead to delivery failures.
2. Proportionality: The effort, formality and documentation of the risk management process should be proportionate to the significance and level of the respective risk.

Definition and process

Quality risk management is defined as "systematic process for the assessment, control, communication and review of risks to the quality of the drug (medicinal) product across the product lifecycle".

The process typically consists of the following steps:

• Risk Assessment: First, the question is asked what could go wrong ("Hazard Identification"), how likely it is to occur and what the consequences would be. Scientific data, empirical values and expert assessments are used for this purpose.
• Risk Control: Based on the assessment, a decision is made on how risks can be reduced or accepted. This includes risk reduction measures (e.g. additional controls or measures) and the conscious acceptance of a residual risk.
• Risk Communication: Results and decisions must be communicated appropriately within the company, but also between industry and authorities and, where appropriate, with patients and professional circles.
• Risk Review: Risks are reviewed regularly, especially when new information or experience becomes available (e.g. after deviations, audits, inspections or product recalls).

Methods and Tools

The guideline describes various tools that can be used for risk analysis, such as:

• FMEA (Failure Mode and Effects Analysis): Analysis of possible failures and their consequences.
• FMECA (Failure Mode, Effects and Criticality Analysis): Extended FMEA with criticality assessment.
• FTA (Fault Tree Analysis): Fault tree analysis to identify chains of causes.
• HACCP (Hazard Analysis and Critical Control Points): Hazard analysis with definition of critical control points.
• HAZOP (Hazard Operability Analysis): systematic deviation analysis using keywords.
• PHA (Preliminary Hazard Analysis): early hazard assessment.
• Risk ranking and filtering methods: for prioritising risks.
• Statistical tools: for trend analysis, process control and data evaluation.

The method used depends on the context, the complexity of the process and the level of risk.

Integration into Quality and Regulatory Systems

As already described, QRM is not an isolated instrument, but an integral part of a pharmaceutical quality system (cf. ICH Q10). It is used in all areas, e.g. in:

• Development: to define critical quality attributes and process parameters.
• Manufacturing: for validation, process control and deviation investigations.
• Plant and equipment: for design, qualification and maintenance.
• Materials management: for supplier evaluation and raw material control.
• Packaging and labelling: to avoid mix-ups.
• Supply chain: to ensure product availability and quality.

QRM also plays an important role for authorities, for example in inspection planning or in the evaluation of changes. Joint application of the principles facilitates consistent decisions and promotes trust between industry and authorities.

The ECA offers a seminar on this topic that focuses on the practical implementation of quality risk management (QRM).