Risk management is a topic that has long been a part of the Medical Device industry from product design through post-marketing surveillance, yet it has only become fashionable for Pharmaceuticals and Biotech within the last 10 years. The International Conference on Harmonization (ICH) published chapter Q9: Quality Risk Management in November 2005 (www.ich.org/fileadmin/Public_Web_Site/ICH_Products/Guidelines/Quality/Q9/Step4/Q9_Guideline.pdf). Within the year following the initial ICH publication, the FDA issued a related guidance document titled “Q9: Quality Risk Management” (http://www.fda.gov/downloads/Drugs/…/Guidances/ucm073511.pdf).

From that point forward, Risk Management has been a hot topic within our industry along with Design Space, Validation, Electronic Records and Signatures, Supply Chain Management, Track and Trace, and Serialization. During the last decade, the topic of risk management has continued to garner considerable discussion at industry conferences and within journals, publications, and even blog posts.

In the beginning, risk management was primarily about risk analyses of products or processes with safety, compliance, and end user requirements in mind. Models of risk analysis tools were borrowed from other industries, such as the automotive industry, for use in Pharma. Gradually, the risk analysis process expanded to non-conformance investigations, change control, CAPAs, training, and procedural documentation. New tools and methods for analyzing risk evolved. These days the scope of Risk Management has expanded to include Business Continuity and Disaster Recovery planning and includes other business areas such as Finance, HR and Safety.

But what really is risk management?Risk Management

Following the FDAs guidance document, risk management is a method of identifying, evaluating, and quantifying (or qualifying) the inherent risk to product quality that is a natural part the drug manufacturing and customer use. The FDA states that risk management follows two overall principles:

  1. The foundation of risk analysis lies in scientific information that links directly to patient protection/safety, and
  2. The amount of effort, documentation and formality of the risk analysis much equal the level of risk.

So, in a nutshell, that means when you are assessing the risk associated with a product, equipment, non-conformance, design, etc., the analysis must be data based, factual, and scientific. Further, you must always keep in mind that the goal of the analysis is to ensure harm to the patient is eliminated or mitigated.

In addition, if your analysis determines the risk is high, you’d better put considerable effort (i.e., content and volume) into your documentation. Does it pass the “weight test”? Did senior management in the responsible areas, including QA, review and approve it?

Both the FDA guidance and the ICH publication offer a very easy-to-follow flow chart that outlines the overall process of risk management. The important thing to remember is that risk analysis (FMEA, HAACP, HAZOP, FTA, etc.) is NOT the same thing as risk management. Analysis is part of the overall part of the management process; just as control, communication, and review are.

For those of you who are just getting started on the risk management process, familiarize yourself with the industry guidance documentation available via the imbedded links I have provided. For an example of risk analysis methods, check out the available Risk Analysis tool in our Downloads.

I really appreciate that you are reading my post! Here at TCG, I regularly write about topics, issues, and trends within the pharmaceutical, medical device, and biotech industry. As always, I’m interested in your feedback and opinions about my posts. Constructive comments are always welcome! You can also reach me directly at abarefoot@catalystcompliancegroup.com.