August 30, 2005

NOTICE

Our file number: 05-119307-181

Release of Draft (Step 2) ICH¹ Guidance: Quality Risk Management (Q9)

The above referenced draft guidance was released by the ICH Steering Committee for consultation and is being posted on the Therapeutic Products Directorate Website ² for information and comment in accordance with Step 2 of the ICH process.

Please note that draft guidance documents are only made available in English until finalized by the ICH. It is also important to note that amendments to draft documents may occur as a result of regulatory consultations and subsequent deliberations within the ICH.

All comments forwarded to Health Canada will be transmitted to the ICH as is, with the disclaimer that they are provided for information and do not necessarily represent the views of Health Canada, except as specifically indicated in separate comments.

As appropriate, your organization may alternatively wish to provide comments to your affiliate association in the U.S., Europe or Japan for their input directly to ICH.

Comments provided to Health Canada should be submitted no later than September 30, 2005 in order to allow sufficient time for their assessment and subsequent transmission to the ICH.

Comments should be directed to:

Diana Dowthwaite
Compliance and Enforcement Coordination Division
Inspectorate Ottawa
HPFB Inspectorate
A.L. 2003C
3^rd Floor Graham Spry Building
250 Lanark Avenue
Ottawa, Ontario K1A 0K9

Tel: (613) 952-5804
Fax: (613) 952-9805
E-mail: diana_dowthwaite@hc-sc.gc.ca

http://www.hc-sc.gc.ca/dhp-mps/prodpharma/applic-demande/guide-ld/ich/consultation/index_e.html

¹ International Conference on Harmonisation of Technical Requirements for the Registration of Pharmaceuticals for Human Use

² As a PDF file format under Drugs\Application Submission Information\Guidance Documents\ICH\Draft Guidelines Out for Comment

INTERNATIONAL CONFERENCE ON HARMONISATION OF TECHNICAL REQUIREMENTS FOR REGISTRATION OF PHARMACEUTICALS FOR HUMAN USE

DRAFT CONSENSUS GUIDELINE

QUALITY RISK MANAGEMENT
Q9

Released for Consultation
at Step 2 of the ICH Process
on 22 March 2005
by the ICH Steering Committee

(this guideline includes the Post Step 2 correction in Annex I.6, first paragraph :
"(...) (e.g., analytical methods, processes, equipment and cleaning methods).

At Step 2 of the ICH Process, a consensus draft text or guideline, agreed by the appropriate ICH Expert Working Group, is transmitted by the ICH Steering Committee to the regulatory authorities of the three ICH regions (the European Union, Japan and the USA) for internal and external consultation, according to national or regional procedures.

TABLE OF CONTENTS

1. INTRODUCTION

2. SCOPE

3. PRINCIPLES OF QUALITY RISK MANAGEMENT

4. GENERAL QUALITY RISK MANAGEMENT PROCESS

4.1 Responsibilities
4.2 Initiating a Quality Risk Management Process
4.3 Risk Assessment
4.4 Risk Control
4.5 Risk Communication
4.6 Risk Review

5. RISK MANAGEMENT TOOLS

5.1 Basic Risk Management Facilitation Methods
5.2 Informal Risk Management
5.3 Hazard Analysis and Critical Control Points (HACCP)
5.4 Hazard Operability Analysis (HAZOP)
5.5 Failure Mode Effects Analysis (FMEA)
5.6 Failure Mode, Effects and Criticality Analysis (FMECA)
5.7 Fault Tree Analysis (FTA)
5.8 Preliminary Hazard Analysis (PHA)
5.9 Risk Ranking and Filtering
5.10 Supporting Statistical Tools

6. INTEGRATION OF QUALITY RISK MANAGEMENT INTO INDUSTRY AND REGULATORY OPERATIONS

7. DEFINITIONS

8. REFERENCES

Annex I. Potential Opportunities for Conducting Quality Risk Management

I.1 Quality Risk Management as Part of Integrated Quality Management
I.2 Quality Risk Management as Part of Regulatory Operations
I.3 Quality Risk Management as Part of Development
I.4 Quality Risk Management for Facilities, Equipment and Utilities
I.5 Quality Risk Management as Part of Materials Management
I.6 Quality Risk Management as Part of Production
I.7 Quality Risk Management as Part of Laboratory Control and Stability Studies
I.8 Quality Risk Management as Part of Packaging and Labelling
I.9 Quality Risk Management as Part of Continuous Improvement

1. INTRODUCTION

Risk management principles are effectively utilized in many areas of business and government including finance, insurance, occupational safety, public health, pharmacovigilance, and by agencies regulating these industries. Although there are some examples of the use of quality risk management in the pharmaceutical industry today, they are limited and do not represent the full contributions that risk management has to offer. In addition, the importance of quality systems has been recognized in the pharmaceutical industry and it is becoming evident that quality risk management is a valuable component of an effective quality system.

It is commonly understood that risk is defined as the combination of the probability of occurrence of harm and the severity of that harm. However, achieving a shared understanding of the application of risk management among diverse stakeholders is difficult because each stakeholder might perceive different potential harms , place different probability on each harm's occurring and attribute different severities of the harm. In relation to pharmaceuticals, although there are a variety of stakeholders, including patients and medical practitioners as well as government and industry, the protection of the patient by managing the risk to quality should be considered of prime importance.

The manufacturing and use of a drug (medicinal) product, including its components, necessarily entail some degree of risk. The risk to its quality is just one component of the overall risk. It is important to understand that product quality should be maintained throughout the product lifecycle such that the attributes that are important to the quality of the drug (medicinal) product remain consistent with those used in the clinical studies. An effective quality risk management approach can further ensure the high quality of the drug (medicinal) product to the patient in providing a proactive means to identify and control potential quality issues during development and manufacturing. Additionally, use of quality risk management can improve the decision making if a quality problem arises. Effective quality risk management can facilitate better and more informed decisions, can provide regulators with greater assurance of a company's ability to deal with potential risks and can beneficially affect the extent and level of direct regulatory oversight.

The purpose of this document is to serve as a foundational or resource document that is independent yet supports other ICH Quality documents and complements existing quality practices, requirements, standards, and guidelines within the pharmaceutical industry and regulatory environment. It will specifically provide guidance on the principles and some of the tools of quality risk management that can enable more effective and consistent risk based decisions, both by regulators and industry, regarding the quality of drug substances and drug (medicinal) products across the product lifecycle. It is not intended to create any new expectations beyond the current regulatory requirements.

2. SCOPE

This guideline provides principles and examples of tools of quality risk management that can be applied to all aspects of pharmaceutical quality including development, manufacturing, distribution, and the inspection and submission/review processes throughout the lifecycle of drug substances and drug (medicinal) products, biological and biotechnological products, including the use of raw materials, solvents, excipients, packaging and labeling materials.

3. PRINCIPLES OF QUALITY RISK MANAGEMENT

Two primary principles of quality risk management are:

• The evaluation of the risk to quality should ultimately link back to the protection of the patient;
• The level of effort, formality and documentation of the quality risk management process should be commensurate with the level of risk and be based on scientific knowledge.

4. GENERAL QUALITY RISK MANAGEMENT PROCESS

Quality risk management is a systematic process for the assessment, control, communication and review of risks to the quality of the drug (medicinal) product across the product lifecycle. A model for quality risk management is outlined in the diagram (Figure 1). The emphasis on each component of the framework might differ from case to case but a robust process will incorporate consideration of all the elements at an appropriate level of detail.

Figure 1: Overview of quality risk management process

Decision nodes are not shown in the diagram above because decisions can occur at any point in the process. These decisions might be to return to the previous step and seek further information, to adjust the risk models or even to terminate the risk management process based upon information that supports such a decision.

4.1 Responsibilities

Decision makers should take responsibility for coordinating quality risk management across various functions and departments of their organization. The decision makers should ensure that a quality risk management process is defined, appropriate resources are involved and the quality risk management process is reviewed.

Risk management activities are usually, but not always, undertaken by interdisciplinary teams dedicated to the task. Teams formed for quality risk management activities should include experts from the appropriate areas involved in addition to individuals who are knowledgeable of the quality risk management process.

4.2 Initiating a Quality Risk Management Process

Quality risk management includes systematic processes designed to coordinate, facilitate and improve science-based decision making with respect to risk. Possible steps used to initiate and plan a quality risk management process might include the following:

• Define the problem and/or risk question, including pertinent assumptions identifying the potential for risk;
• Assemble background information and data on the potential hazard, harm or human health impact relevant to the risk assessment;
• Define how decision makers will use the information, assessment and conclusions;
• Identify a leader and necessary resources;
• Specify a timeline and deliverables for the risk management process.

4.3 Risk Assessment

Risk assessment consists of the identification of hazards and the analysis and evaluation of risks associated with exposure to those hazards. The steps include risk identification, risk analysis and risk evaluation. Quality risk assessments begin with a well-defined problem description or risk question. When the risk in question is well defined, an appropriate risk management tool (See Examples in Section 5) and the types of information needed to address the risk question will be more readily identifiable. As an aid to clearly defining the risk(s) for risk assessment purposes, three fundamental questions are often helpful:

• What might go wrong?
• What is the likelihood (probability) it will go wrong?
• What are the consequences (severity)?

Risk identification is a systematic use of information to identify hazards referring to the risk question or problem description. Information can include historical data, theoretical analysis, informed opinions, and the concerns of stakeholders. Risk identification addresses the "What might go wrong?" question, including identifying the possible consequences. This provides the basis for further steps in the quality risk management process.

Risk analysis is the estimation of the risk associated with the identified hazards. It is the process that focuses on the second and third questions, seeking the likelihood that risks identified in risk identification might occur and an ability to detect them.

Risk evaluation compares the identified and analyzed risk against given risk criteria. A qualitative or quantitative process might be used to assign the probability and severity of a risk. Risk evaluations consider the strength of evidence for all three of the fundamental questions.

In doing an effective risk assessment, the robustness of the data set is important because it determines the quality of the output. Revealing assumptions and reasonable sources of uncertainty will enhance confidence in this output and/or help identify its limitations. Typical sources of uncertainty include gaps in knowledge (e.g., gaps in pharmaceutical science and process understanding), sources of harm (e.g., failure modes of a process, sources of variability), and probability of detection of problems.

The output of a risk assessment is either a quantitative estimate of risk or a qualitative description of a range of risk. When risk is expressed quantitatively, a numerical probability scale from 0 to 1 (0% to 100%) is used. Alternatively, risk can be expressed using qualitative descriptors, such as "high", "medium", or "low", and they should be defined in as much detail as possible. In quantitative risk assessments, a risk estimate provides the likelihood of a specific consequence, given a set of risk-generating circumstances. Thus, quantitative risk estimation is useful for one particular consequence at a time. Alternatively, some risk management tools use a relative risk measure to combine multiple levels of severity and probability into an overall estimate of relative risk. The intermediate steps within a scoring process can sometimes employ quantitative risk estimation.

4.4 Risk Control

Risk control includes decision making to reduce and/or accept risks. The purpose of risk control is to reduce the risk to an acceptable level. The amount of effort used for risk control should be proportional to the significance of the risk. Decision makers might use different processes for understanding the optimal level of risk control including benefit-cost analysis.

Risk control might focus on the following questions:

• Is the risk above an acceptable level?
• What can be done to reduce, control or eliminate risks?
• What is the appropriate balance among benefits, risks and resources?
• Are new risks introduced as a result of the identified risks being controlled?

Risk reduction focuses on processes for mitigation or avoidance of quality risk when it exceeds an acceptable level. Risk reduction might include actions taken to mitigate the severity and probability of harm. Processes that improve the detectability of hazards and quality risks might also be used as part of a risk control strategy. By the implementation of risk reduction measures, new risks may be introduced into the system or the significance of other existing risks might be increased. Hence, it might be appropriate to revisit the risk assessment to identify and evaluate any possible change in risk.

Risk acceptance is a decision to accept risk. Risk acceptance can be a formal decision to accept the residual risk or it can be a passive decision in which residual risks are not specified. For some types of harms, even the best quality risk management practices might not entirely eliminate risk. In these circumstances, it might be agreed that the optimal quality risk management strategy has been applied and that quality risk is reduced to an acceptable level. This acceptable level will depend on many parameters and should be decided on a case-by-case basis.

4.5 Risk Communication

Risk communication is the exchange or sharing of information about risk and its management between the decision makers and others. Parties can communicate at any stage of the risk management process. Sometimes, a formal risk communication process is developed as a part of risk management. This might include communication among many interested parties; e.g., regulators and industry, industry and the patient, within a company, industry or regulatory authority, etc. The included information might relate to the existence, nature, form, probability, severity, acceptability, treatment, detectability or other aspects of risks to quality. This exchange need not be carried out for each and every risk acceptance. In the event that the communication is between the industry and regulatory authorities concerning quality risk management decisions, these might be made through existing channels as specified in regulations and guidances.

The output of the quality risk management process should be documented when a formal process has been utilized.

4.6 Risk Review

5. RISK MANAGEMENT TOOLS

Quality risk management tools support a scientific and practical approach to decision-making by providing documented, transparent and reproducible methods to accomplish steps of the quality risk management process ( Chapter 4).

The purpose of this section is to provide a general overview and references of some of the primary tools that might be used in quality risk management. The references are included as an aid to gain more knowledge and detail on the particular tool. This is not an exhaustive list.

• Failure Mode Effects Analysis (FMEA);
• Failure Mode, Effects and Criticality Analysis (FMECA);
• Fault Tree Analysis (FTA);
• Hazard Analysis and Critical Control Points (HACCP);
• Hazard Operability Analysis ( HAZOP);
• Preliminary Hazard Analysis (PHA);
• Risk ranking and filtering;
• Supporting statistical tools.

It might be appropriate to adapt these tools for use in specific areas pertaining to drug substance and drug (medicinal) product quality. Quality risk management tools and the supporting statistical tools can be used in combination (e.g., Probabilistic Risk Assessment) . Combined use provides flexibility that is intended to facilitate the application of quality risk management principles.

5.1 Basic Risk Management Facilitation Methods

Some of the simple techniques that are commonly used to structure risk management by organizing data and facilitating decision-making are:

• Flowcharts;
• Check Sheets;
• Process Mapping;
• Cause and Effect Diagrams (also called an Ishikawa diagram or fish bone diagram).

5.2 Informal Risk Management

The pharmaceutical industry and pharmaceutical regulators have assessed and managed risk in a variety of more empirical ways, based on, for example compilation of observations, trends and other information. Such approaches continue to provide useful information that might support, for example, handling of complaints, quality defects, deviations and allocation of resources.

5.3 Hazard Analysis and Critical Control Points (HACCP)

HACCP is a systematic, proactive, and preventive method for assuring product quality, reliability, and safety (see WHO Technical Report Series No 908, 2003 Annex 7). It is a structured approach that applies technical and scientific principles to analyze, evaluate, prevent, and control the risk or the adverse consequence(s) of hazard(s) due to the design, development, production, and use of products.

HACCP consists of the following seven steps:

1. conduct a hazard analysis and identify preventive measure s for each step of the process;
2. determine the critical control points;
3. establish critical limits;
4. establish a system to monitor the critical control points;
5. establish the corrective action to be taken when monitoring indicates that the critical control points are not in a state of control;
6. establish system to verify that HACCP system is working effectively;
7. establish a record-keeping system.

Potential Areas of Use(s)

It might be used to identify and manage risks associated with physical, chemical and biological hazards (including microbiological contamination). HACCP is most useful when product and process understanding is sufficiently comprehensive to support identification of critical control points. The output of a HACCP analysis is a risk management tool that facilitates monitoring of critical points in the manufacturing process.

5.4 Hazard Operability Analysis ( HAZOP)

HAZOP (see IEC 61882) is based on a theory that assumes that risk events are caused by deviations from the design or operating intentions. It is a systematic brainstorming technique for identifying hazards using so-called "guide-words". "Guide-words" (e.g., No, More, Other Than, Part of, etc.) are applied to relevant parameters (e.g., contamination, temperature) to help identify potential deviations from normal use or design intentions. It often uses a team of people with expertise covering the design of process or product and its application.

Potential Areas of Use(s)

HAZOP can be applied to manufacturing processes, equipment and facilities for drug substances and drug (medicinal) products. It has also been used primarily in the pharmaceutical industry for evaluating process safety hazards. Similar to HACCP, the output of a HAZOP analysis is a list of critical operations for risk management. This facilitates regular monitoring of critical points in the manufacturing process.

5.5 Failure Mode Effects Analysis (FMEA)

FMEA (see IEC 60812) provides for an evaluation of potential failure modes for processes and the likely effect on outcomes and/or product performance. Once failure modes are established, risk reduction can be used to eliminate, reduce or control the potential failures. It relies on product and process understanding. FMEA methodically breaks down the analysis of complex processes into manageable ste ps. It is a powerful tool for summarizing the important modes of failure, factors causing these failures and the likely effects of these failures.

Potential Areas of Use(s)

FMEA can be used to prioritize risks and monitor the effectiveness of risk control activities.

FMEA can be applied to equipment and facilities, and might be used to analyze a manufacturing process to identify high-risk steps or critical parameters. The output of an FMEA is a relative risk "score" for each failure mode that is used to rank these modes on a risk basis.

5.6 Failure Mode, Effects and Criticality Analysis (FMECA)

FMEA might be extended to incorporate an investigation of the degree of severity of the consequences, their respective probabilities of occurrence and their detectability, and might become a Failure Mode Effect and Criticality Analysis (FMECA; see IEC 60812) . In order to perform such an analysis, the product or process specifications should be established. FMECA can identify places where additional preventive actions might be appropriate to minimize risks.

Potential Areas of Use(s)

FMECA application in the pharmaceutical industry will mostly be utilized on failures and risks associated with manufacturing processes; however, it is not limited to this application. The output of an FMECA is a relative risk "score" for each failure mode that is used to rank the modes on a risk basis.

5.7 Fault Tree Analysis (FTA)

The FTA method (see IEC 61025) is an approach that assumes failure of the functionality of a product or process. FTA is a method of analysis to identify all root causes of an assumed failure or problem. This method evaluates system (or sub-system) failures one at a time but can combine multiple cause s of failure by identifying causal chains. The results are represented pictorially in the form of a tree of fault modes. At each level in the tree, combinations of fault modes are described with logical operators (AND, OR, etc.). FTA relies on process understanding of the experts to identify causal factors.

Potential Areas of Use(s)

The method can be used to establish the pathway to the root cause of the failure. The use of FTA can be applied while investigating complaints or deviations to fully understand their root cause and to ensure that intended improvements will fully resolve the issue and not lead to other issues (i.e. solve one problem yet cause a different problem). Fault Tree Analysis is a good method for evaluating how multiple factors affect a given issue. The output of a FTA includes both a visual representation of failure modes and a quantitative estimate of the likelihood of each failure mode. It is useful for both risk assessment and in developing monitoring programs.

5.8 Preliminary Hazard Analysis (PHA)

PHA is a method of analysis based on applying prior experience or knowledge of a hazard or failure to identify future hazards, hazardous situations and events that might cause harm, as well as in estimating their probability of occurrence for a given activity, facility, product or system. The method consists of: 1) the identification of the possibilities that the risk event happens, 2) the qualitative evaluation of the extent of possible injury or damage to health that could result and 3) the identification of possible remedial measures.

Potential Areas of Use(s)

PHA might be useful when analyzing existing systems or prioritizing hazards where circumstances prevent a more extensive technique from being used. It can be used for product, process and facility design as well as to evaluate the types of hazards for the general product type, then the product class and finally the specific product. PHA is most commonly used early in the development of a project when there is little information on design details or operating procedures; thus, it will often be a precursor to further studies. Typically, hazards identified in the PHA are further assessed with other risk management tools such as those in this section.

5.9 Risk Ranking and Filtering

Risk ranking and filtering is a tool to compare and rank risks. Risk ranking of complex systems typically requires evaluation of multiple diverse quantitative and qualitative factors for each risk. The tool involves breaking down a basic risk question into as many components as needed to capture factors involved in the risk. These factors are combined into a single relative risk score that can then be used for ranking risks. 'Filters,' in the form of weighting factors or cut-offs for risk scores, can be used to scale or fit the risk ranking to management or policy objectives.

Potential Areas of Use(s)

Risk ranking and filtering can be used to prioritize manufacturing sites for inspection/audit by regulators or industry. Risk ranking methods are particularly helpful in situations in which the portfolio of risks and the underlying consequences to be managed are diverse and difficult to compare using a single tool. Risk ranking is useful when management needs to evaluate both quantitatively and qualitatively assessed risks within the same organizational framework.

5.10 Supporting Statistical Tools

Statistical tools can support and facilitate quality risk management. They can enable effective data assessment and also aid in determining the significance of the data set(s). A listing of some of the principal statistical tools commonly used in the pharmaceutical industry is provided:

• Control Charts (for example):
• Acceptance Control Charts (see ISO 7966);
• Control Charts with Arithmetic Average and Warning Limits (see ISO 7873);
• Cumulative Sum Charts (ISO 7871);
• Shewhart Control Charts (see ISO 8258);
• Weighted Moving Average.
• Design of Experiments (DOE);
• Histograms;
• Pareto Charts;
• Process Capability Analysis.

6. Integration of quality risk management into industry and regulatory operations

Quality risk management is a process that provides the foundation for science-based and practical decisions when integrated into quality systems (see Annex I). As outlined in the Introduction, appropriate use of quality risk management does not obviate industry's obligation to comply with regulatory requirements. However, effective quality risk management can facilitate better and more informed decisions, can provide regulators with greater assurance of a company's ability to deal with potential risks and might affect the extent and level of direct regulatory oversight. In addition, quality risk management can facilitate better use of resources by all parties.

The degree of rigor and formality of quality risk management can be commensurate with the complexity and/or criticality of the issue to be addressed. For simple, less critical situations, an informal approach is usually appropriate. For more complex or critical situations, a more formal approach, using recognized tools (as described in section 5) to conduct and document the quality risk management might be beneficial.

Training of both industry and regulatory personnel in quality risk management provides for greater understanding of decision-making processes and builds confidence in quality risk management outcomes.

Quality risk management should be integrated into existing operations and documented appropriately. Annex I provides examples of where the use of the quality risk management process might provide information that can then be used in a variety of pharmaceutical operations. These examples are provided for illustrative purposes only. They should not be considered a definitive or exhaustive list, nor are they intended to create any new expectations beyond the requirements laid out in the current regulations.

Examples for industry and regulatory operations (see Annex I):

• Quality management.

Examples for industry operations (see Annex I):

• D evelopment;
• Facility, equipment and utilities;
• Materials management;
• Production;
• Laboratory c ontrol and s tability t esting;
• Packaging and labeling;
• Continuous Improvement.

Examples for regulatory operations (see Annex I):

• Inspection activities;
• Assessment activities.

While regulatory decision-making will continue to be taken on a regional basis, a common understanding and application of quality risk management principles could facilitate mutual confidence and promote more consistent decisions among regulators on the basis of the same information. This collaboration could be important in the development of policies and guidelines that integrate and support quality risk management practices.

7. Definitions

Harm :
Damage to health, including the damage that can occur from loss of product quality or availability.

Hazard :
The potential source of harm (ISO/IEC Guide 51).

Product Lifecycle :
All phases in the lifecycle from the initial development through pre- and post-approval until the product's discontinuation.

Quality :
Degree to which a set of inherent properties of a product, system or process fulfills requirements.

Quality Risk Management :
A systematic process for the assessment, control, communication and review of risks to the quality of the drug (medicinal) product across the product lifecycle.

Quality System :
Formalized system that documents the structure, responsibilities and procedures required to achieve effective quality management.

Requirements :
Needs or expectations that are stated, generally implied or obligatory by the patients or their surrogates (e.g., health care professionals, regulators and legislators).

Risk :
Combination of the probability of occurrence of harm and the severity of that harm (ISO/IEC Guide 51).

Risk Acceptance :
Decision to accept risk (ISO Guide 73).

Risk Analysis :
The estimation of the risk associated with the identified hazards.

Risk Assessment :
Systematic process of organizing information to support a risk decision to be made within a risk management process.

Risk Communication :
Exchange or sharing of information about risk and risk management between the decision maker and other stakeholders.

Risk Control :
Actions of implementing risk management decisions (ISO Guide 73).

Risk Evaluation :
Compares the estimated risk against given risk criteria using a quantitative or qualitative scale to determine the significance of the risk.

Risk Identification :
Systematic use of information to identify potential sources of harm (hazards) referring to the risk question or problem description.

Risk Management :
Systematic application of quality management policies, procedures, and practices to the tasks of assessing, controlling and communicating risk.

Risk Reduction :
Actions taken to lessen the probability of occurrence of harm and the severity of that harm.

Risk Review :
Step in the risk management process for taking account of new knowledge and experiences.

Severity :
Measure of the possible consequences of a hazard.

Stakeholder :
Any individual, group or organization that can affect, be affected by, or perceive itself to be affected by a risk. Decision makers might also be stakeholders. For the purposes of this guideline, the primary stakeholders are the patient, healthcare professional, regulatory authority, and industry.

Trend :
A statistical term referring to the direction or rate of increase or decrease in magnitude of the individual data or parameters of a time series of data as a general movement in the course of time.

Uncertainty :
The inability to determine or the ambiguity in the true state of a system caused by a combination of variability and incomplete knowledge.

8. References

ISO/IEC Guide 73:2002 - Risk Management - Vocabulary - Guidelines for use in Standards .

ISO/IEC Guide 51:1999 - Safety Aspects - Guideline for their inclusion in standards.

Process Mapping by the American Productivity & Quality Center, 2002, ISBN 1928593739.

IEC 61025 - Fault Tree Analysis (FTA).

IEC 60812 Analysis Techniques for system reliability--Procedures for failure mode and effects analysis (FMEA).

Failure Mode and Effect Analysis, FMEA from Theory to Execution , 2 nd Edition 2003, D. H. Stamatis, ISBN 0873895983.

Guidelines for Failure Modes and Effects Analysis (FMEA) for Medical Devices , 2003 Dyadem Press, ISBN 0849319102.

The Basics of FMEA , Robin McDermott, Raymond J. Mikulak, Michael R. Beauregard 1996, ISBN 0527763209.

WHO Technical Report Series No 908, 2003, Annex 7 Application of Hazard Analysis and Critical Control Point (HACCP) methodology to pharmaceuticals.

IEC 61882 - Hazard Operability Analysis (HAZOP).

ISO 14971:2000 - Application of Risk Management to Medical Devices.

ISO 7870:1993 - Control Charts.

ISO 7871:1997 - Cumulative Sum Charts.

ISO 7966:1993 - Acceptance Control Charts.

ISO 8258:1991 - Shewhart Control Charts.

What is Total Quality Control?; The Japanese Way, Kaoru Ishikawa (Translated by David J. Liu), 1985, ISBN 0139524339.

Annex I: Potential Opportunities for Conducting Quality Risk Management

This Annex is intended to identify opportunities for the use of quality risk management principles by industry and regulators (e.g., for both inspections and submissions). However, the selection of particular risk management tools is completely dependent upon specific facts and circumstances.

These examples are provided for illustrative purposes and only suggest potential uses of quality risk management. This Annex is not intended to create any new expectations beyond the current regulatory requirements.

I.1 Quality Risk Management as Part of Integrated Quality Management

Documentation

To review current interpretations and application of regulatory expectations.

To determine the need and/or develop the content for SOPs, guidelines, etc.

Training and education

To determine the need for initial and/or ongoing training sessions based on education, experience and working habits of staff, as well as on a periodic assessment of previous training (e.g., its effectiveness).

To identify the training, experience, qualifications and physical abilities of personnel to perform an operation reliably and with no adverse impact on the quality of the product.

Quality defects

To provide the basis for identifying, evaluating, and communicating the potential quality impact of a suspected quality defect, complaint, trend, deviation, investigation, out of specification result, etc.

To facilitate risk communications and determine appropriate action to address significant product defects, in conjunction with regulatory authorities (e.g., recall).

Auditing /Inspection

To define the frequency and scope of audits, both internal and external, tak ing into account factors such as:

• Existing legal requirements;
• Overall compliance status and history of the company or facility;
• Results of a company's quality risk management activities;
• Complexity of the site;
• Complexity of the manufacturing process;
• Complexity of the product and its therapeutic significance;
• Number and significance of quality defects (e.g, recall);
• Results of previous audits/inspections;
• Major changes of building, equipment, processes, key personnel;
• Experience with manufacturing of a product (e.g., frequency, volume, number of batches);
• Test results of official control laboratories.

Periodic review

To select, evaluate and interpret trend results of data within the product quality review.

To interpret monitoring data (e.g., to support an assessment of the need for revalidation, changes in sampling).

Change management / change control

To manage changes based on knowledge and information accumulated in pharmaceutical development and during manufacturing.

To evaluate the impact of the changes on the availability of the final product.

To evaluate the impact on product quality of changes to facility, equipment, material, manufacturing process or conducting technical transfers.

To determine appropriate actions preceding the implementation of a change, e.g., additional testing, (re)qualification, (re)validation, communication with regulators.

I.2 Quality Risk Management as Part of Regulatory Operations

To facilitate continuous improvements of regulatory processes.

Inspection activities

To assist with resource allocation including, for example, inspection planning, frequency and intensity (see "Auditing" section in Annex I.1).

To evaluate the significance of, for example, quality defects, potential recalls and inspectional findings.

To determine the appropriateness and type of post-inspection regulatory follow-up.

Assessment activities

To systematically evaluate information submitted by industry including pharmaceutical development information.

To evaluate impact of proposed variations or changes.

I.3 Quality Risk Management as Part of Development

To select the optimal product design (e.g., parenteral concentrates vs. pre-mix) and process design (e.g., manufacturing technique, terminal sterilization vs. aseptic process).

To enhance knowledge of product performance over a wide range of material attributes (e.g., particle size distribution, moisture content, flow properties), processing options and process parameters.

To assess the critical attributes of raw materials, solvents, Active Pharmaceutical Ingredient (API)-starting materials, API's, excipients, or packaging materials.

To establish appropriate specifications and manufacturing controls (e.g., using information from pharmaceutical development studies regarding the clinical significance of quality attributes and the ability to control them during processing).

To decrease variability of quality attributes:

• reduce product and material defects;
• reduce manufacturing defects;
• reduce human errors.

I.4 Quality Risk Management for Facilities, Equipment and Utilities

Design of facility / equipment

To determine appropriate zones, when designing buildings and facilities e.g.,

• flow of material and personnel;
• minimize contamination;
• pest control measures;
• prevention of mix-ups;
• open versus closed equipment.

To determine appropriate product contact materials for equipment and containers (e.g., selection of stainless steel grade, gaskets, lubricants).

To determine appropriate utilities (e.g., steam, gases, power source, compressed air, heating, ventilation and air conditioning (HVAC), water).

To determine appropriate preventive maintenance for associated equipment (e.g., need for inventory of necessary spare parts).

Hygiene aspects in facilities

To protect the product from environmental hazards, including chemical, microbiological, physical hazards (e.g., determining appropriate clothing and gowning, hygiene concerns).

To protect the environment (e.g., personnel, potential for cross-contamination) from hazards related to the product being manufactured.

Qualification of facility/equipment/ utilities

Cleaning of equipment and environmental control

To differentiate efforts and decisions based on the intended use (e.g., multi- versus single-purpose, batch versus continuous production).

To determine acceptable cleaning validation limits.

Calibration/preventive maintenance

To set appropriate calibration and maintenance schedules.

Computer systems and computer controlled equipment

To select the design of computer hardware and software (e.g., modular, structured, fault tolerance).

To determine the extent of validation, e.g.,

• identification of critical performance parameters;
• selection of the requirements and design;
• code review;
• the extent of testing and test methods;
• reliability of electronic records and signatures.

I.5 Quality Risk Management as Part of Materials Management

Assessment and evaluation of suppliers and contract manufacturers

To provide a comprehensive evaluation of suppliers and contract manufacturers (e.g., auditing, supplier quality agreements).

Starting material

To assess differences and possible quality risks associated with variability in starting materials (e.g., age, route of synthesis).

Use of materials

To determine if it is appropriate to use material under quarantine (e.g., for further internal processing).

To determine appropriateness of reprocessing, reworking, use of returned goods.

Storage, logistics and distribution conditions

To assess the adequacy of arrangements to ensure maintenance of appropriate storage and transport conditions (e.g., temperature, humidity, container design).

To maintain infrastructure (e.g., capacity to ensure proper shipping conditions, interim storage, handling of hazardous materials and controlled substances, customs clearance).

I.6 Quality Risk Management as Part of Production

Validation

To identify the scope and extent of verification, qualification and validation activities (e.g., analytical methods, processes, equipment and cleaning methods).

To determine the extent for follow-up activities (e.g., sampling, monitoring and re-validation).

To distinguish between critical process steps that must operate within validated ranges and non-critical process steps that do not necessarily have to operate within validated ranges.

In-process sampling & testing

To evaluate the frequency and extent of in-process control testing (e.g., justify reduced testing under conditions of proven control).

To evaluate and justify the use of process analytical technologies (PAT) in conjunction with parametric and real time release.

I.7 Quality Risk Management as Part of Laboratory Control and Stability Studies

Stability studies

To determine the effect on product quality of discrepancies in storage or transport conditions (e.g., cold chain management) in conjunction with other ICH guidelines.

Out of specification results

To identify potential root causes and corrective actions during the investigation of out of specification results.

Retest period / expiration date

To evaluate adequacy of storage and testing of intermediates, excipients and starting materials.

I.8 Quality Risk Management as Part of Packaging and Labelling

Design of packages

To design the secondary package for the protection of primary packaged product (e.g., to ensure product authenticity, label legibility).

Selection of container closure system

To determine the critical parameters of the container closure system.

Label controls

I.9 Quality Risk Management as Part of Continuous Improvement

To identify, assess and (re-)evaluate critical parameters throughout the product lifecycle (e.g., as the product and processes move from research, to development and throughout manufacturing).

An illustrative model for continuous improvement: