ICH Q9 quality risk management: an introduction


    ICH Q9 is a vital regulatory guideline to consider for your pharmaceutical organization.

    The International Conference on Harmonization (ICH) is a global initiative that brings together regulatory authorities and pharmaceutical industry actors to develop guidelines and standards for the harmonization of pharmaceutical development practices.

    A key ICH guideline is ICH Q9, which focuses on pharmaceutical quality risk management. 

    Here's everything you need to know about ICH Q9, and how adopting it can strengthen your pharma company's risk management activities.


    Table of Contents

    1. Introduction to ICH Q9: quality risk management
    2. Fundamentals of quality risk management
      1. Quality risk management process
      2. Initiating a quality risk management process
      3. Roles & responsibilities in quality risk management
      4. Risk assessment and risk control tools
    3. Key concepts in ICH Q9
      1. Risk assessment
        1. Risk identification
        2. Risk analysis
        3. Risk evaluation
      2. Risk control
        1. Risk reduction
        2. Risk acceptance
      3. Risk communication
        1. Sharing information
        2. Improving decision-making
      4. Risk review
        1. Monitoring outcomes
        2. Updating the risk management plan
        3. Continuous improvement
    4. ICH Q9 quality risk management in practice
      1. Applications of quality risk management in pharmaceutical manufacturing
        1. Process & design control
        2. Supplier & material management
        3. Facility & equipment management
        4. Laboratory controls & training
        5. Change management
      2. Integration of quality risk management into quality systems
        1. Documentation & record management
        2. Quality assurance & quality control
        3. Training & education
        4. Auditing & inspections
    5. Importance of ICH Q9 in the pharmaceutical industry
    6. Automated, digitized pharmaceutical quality risk management



    Introduction to ICH Q9: quality risk management


    ICH Q9 maps out a systematic approach to quality risk management (QRM) throughout the lifecycle of your pharmaceutical product.

    The primary objective of ICH Q9 is to enhance drug, and therefore patient, safety by ensuring proactive risk assessment, control and communication.

    ICH Q9 is often tackled as part of a tripartite of pharmaceutical quality best practice, alongside ICH Q8 (pharmaceutical development) and ICH Q10 (pharmaceutical quality management). In fact, ICH has used the model of a three-legged stool to illustrate this synergy.


    RELATED READING: What is an ICH Q10 pharmaceutical quality system?


    While requirements like cGMP, enshrined in guidelines like FDA 21 CFR Parts 210 and 211, are non-negotiable for modern pharmaceutical companies, ICH Q9 is an optional requirement. 

    You don't need it to get your drug out the doors and to market. But that doesn't mean it should be dismissed as a supplementary nice-to-have.

    Applied properly, ICH Q9 is a powerful framework for managing pharmaceutical risk and insulating your business from the threat of adulteration, recalls, reputational damage and shutdown.

    And when combined with ICH Q8 and Q10, it forms a comprehensive model to make your pharmaceutical company as mature, quality-centric and strong as it can be.


    Sign up for our ICH Q9 webinar



    Fundamentals of quality risk management


    Where medical device companies can rely on ISO 14971 and food companies have HACCP models to structure their risk management activity, ICH Q9 was developed because of a perceived gap in formal risk management guidelines for the pharma world.

    Since ICH Q9 focuses so strongly on risk, it's worth exploring the core fundamental building blocks of pharmaceutical risk management which run through the guidelines.


    Quality risk management process


    ICH Q9 lays down 2 guiding principles running through the pharmaceutical quality risk management process:


    1) The evaluation of the risk to quality should be based on scientific knowledge and ultimately link to the protection of the patient

    2) The level of effort, formality and documentation of the process should be commensurate with the level of risk


    Scientific, patient-based risk evaluation should be built upon control of your product, processes and facility, with a robust quality system providing relevant controls that assess then mitigate potential risks to patient safety.

    And the appropriate, 'commensurate' risk-based oversight should be demonstrated in your marketing authorization applications, any post-approval change reviews, and, of course, GMP inspections by your relevant authority.

    ICH Q9 introduces the technique of pharmaceutical quality risk management as a standardized tool that:


    1. Improves decision-making and identification of patient needs/benefits

    2. Provides a scientific, data-driven and objective model for risk control

    3. Supports prioritization of risk and tactical allocation of resources

    4. Allows quality and transparency to be integrated into risk management

    5. Benefits the entire product lifecycle



    Initiating a quality risk management process


    ICH Q9 compliance, then, hinges on getting an effective QRM process established and operational for each risk you identify.


    ICH Q9 quality risk management


    Your risk management system needs to cover 4 main areas:


    1. System risk (facilities & people)

    This includes elements like interfaces, operators risk, your manufacturing environment, and components such as equipment, IT and design elements 


    2. System risk (organizational)

    Your operational ingredients like your quality systems, controls, measurements, documentation and general regulatory compliance


    3. Process risk

    Risks connected to your actual processes, like your process operations and quality parameters


    4. Product risk

    The safety and efficacy of your product: the 'end goal' of the entire ICH Qx framework. Measured with specifications and data like product quality parameters


    In a nutshell, a quality risk management process should be initiated on a risk-by-risk basis, beginning with identification of the risk or problem and assumptions about its potential impact, then moving onto assembly of relevant data and information about the risk.

    Potential harms, hazards and human health impacts should be pinpointed, then a leader allocated with sufficient resources to fulfil any identified deliverables within your chosen timeframe.

    ICH provides a handy decision tree to help you determine if and when a risk management process should be kicked off.

    As you can see, absence of pre-existing decision-making rules or guidance should trigger a risk assessment:


    ICH Q9 risk management decision tree


    Roles & responsibilities in quality risk management


    Perhaps unsurprisingly, your ICH Q9 quality risk management process should be treated as a collaborative, business-wide initiative supported by everyone.

    Naturally, a trained and knowledgeable quality and risk professional should be the primary decision-maker, with both the competence and authority to make risk management decisions.

    Senior management, as in modern ISO standards, also have a key role to play, and ICH Q9 and Q10 reference management responsibility.

    Your top management should ensure that your risk management processes operate effectively and continuously, and that a 'team approach' is properly coordinated business-wide.

    Which brings us to the team approach itself. Depending on the nature of the risk in question, an interdisciplinary team should operate across:

    • Quality (obviously!)
    • Development
    • Engineering
    • Legal/regulatory affairs
    • Production
    • Sales and marketing
    • Medical/clinical
    • Any other individuals knowledgeable of/relevant to the QRM process



    How to use ICH Q9 risk management principles



    Risk assessment and risk control tools


    How exactly should quality risk management be executed and completed?

    ICH Q9's Annex I maps out a number of 'methods and tools' you can apply, depending on the context of your business and the risk in question.

    These formal tools won't always be required for every single QRM process, but there may be some circumstances where they become highly useful.

    The main risk management tools include:

    • Failure Mode Effects Analysis (FMEA)
      Breaking down large complex processes into manageable steps

    • Failure Mode, Effects and Criticality Analysis (FMECA)
      FMEA & links severity, probability & detectability to criticality

    • Fault Tree Analysis (FTA)
      Tree of failure modes combinations with logical operators
    • Hazard Analysis and Critical Control Points (HACCP)
      Systematic, proactive, and preventive method on criticality - originally developed for the food industry

    • Hazard Operability Analysis (HAZOP)
      Brainstorming technique

    • Preliminary Hazard Analysis (PHA)
      Possibilities that the risk event happens

    • Risk ranking and filtering
      Compare and prioritize risks with factors for each risk

    Underpinning these tools are the nitty-gritty statistical tools you can apply, such as control charts, Pareto charts or process capability analysis. Needless to say, these all require access to reliable, trusted pharmaceutical quality data to function.



    Key concepts in ICH Q9


    Now we've established the overall aim of ICH Q9 and its execution, let's dig into the risk management concepts running through the guidelines.


    Risk assessment

    Clearly, being able to effectively assess the risks connected to your systems, processes and products is vital for ICH Q9 compliance.

    The label of risk assessment is often used interchangeably (and wrongly) with risk management and analysis. 

    In fact, risk assessment is a three-step process that sits within your broader risk management process.

    Let's look at the three steps.


    Risk identification


    Risk identification is the use of information and data within your organization to pinpoint potential risks.

    Historical data, theoretical 'what if?' analysis, stakeholder suggestions and industry knowledge are all valuable sources for your risk identification activity.

    In short, ask yourself the question, 'what could go wrong in our pharmaceutical operation?'

    Note everything you can think of.

    Risk analysis


    Now the risks have been 'found', it's time to analyze their likelihood of actually occurring in reality.

    Risk analysis requires reliable, trusted and easily accessible data to which the statistical models noted above can be applied.


    Risk evaluation


    The classic risk assessment model of combining severity with likelihood comes into action here: "how likely is the risk to happen, and how bad would it be if it did happen?"

    You should also consider the detectability of the risk, and your ability to measure it going into the future.

    The more likely and severe the risk, the more controls required to prevent it actualizing.


    ICH Q9 risk matrix



    Risk control


    Now the risks have been 'assessed', they should be 'controlled' appropriately.

    Some key questions emerge here which need to be effectively answered by your risk control activity:

    • Is the risk above an acceptable level?
    • What can be done to reduce or eliminate the risk?
    • What is the appropriate balance between benefits, risks and resources?
    • Are new risks introduced as a result of the identified risks being controlled?


    At the core of risk control is the reduction of risk likelihood and/or severity, until your residual risk score reaches an acceptable level where the risk can be tolerated and continuously controlled as it is.

    Let's dive into each of these two areas.


    Risk reduction


    Risk reduction is the application of risk controls, such as corrective and preventive actions (CAPAs), to either mitigate, avoid or (ideally) eliminate the risk.

    Your residual risk score (i.e. the likelihood and severity of the risk after controls are added) should be assessed and monitored throughout the reduction process, until you get to...


    Risk acceptance


    Every residual risk needs to be accepted in some form, and each risk should be reviewed and 'accepted' on a case-by-case basis.

    For major risks, senior management should be directly informed and involved, so they can consent to any final residual risk and accept it.

    What do we mean by an 'acceptable' risk? To answer that question, we should revisit the two principles of quality risk management touched on above:


    1) The risk should be controlled in such a way that meets your legal and internal obligations to stakeholders, and especially your patients

    2) The risk control and residual score should take current scientific techniques and knowledge into account



    Risk communication


    Effective communication should be at the core of your quality risk management process. Remember that 'accepting' risks isn't hiding them from senior management or sweeping them under the carpet - risk control and acceptance requires collaborative, informed sign-off from all involved.

    Sharing information


    You should practice constant, bi-directional sharing of information  about risks and their management between your risk decision-makers and other interested internal parties.

    This communication should happen wherever it's logically required in the ICH Q9 quality risk management process, with outputs and results properly documented afterwards.

    The channels through which communication happens should also be formally documented in your SOPs: these could be management reviews, scheduled risk review sessions, after internal audits, and so on.


    Improving decision-making


    The end goal of your risk communication strategy should be the optimization of internal decision-making.

    With constant, transparent sharing of risk information among relevant parties, effective decisions can be made by those most intimately connected to each risk and its adjoining processes.


    Risk review


    Finally, we arrive at the final piece of the risk puzzle: reviewing risks into the future for constant, proactive risk management.

    A robust ICH Q9 risk review strategy should include three key activities and outcomes, as follows:


    Monitoring outcomes


    It's not always possible to immediately gauge the effectiveness of your risk controls. That's why long-term monitoring of risk outcomes shouldn't be ignored.

    The output and results of your past quality risk management processes should be periodically revisited to ensure your controls are functioning as intended.

    New knowledge and experience might be applied 6, 12 or 18 months down the line from your original risk activity, and ICH Q9 encourages application of new insights to strengthen your risk controls.

    In short, give your business a formalized mechanism for revisiting and monitoring risk events, reconsidering past decisions where required.


    Updating the risk management plan


    Your ICH Q9 risk management plan should never be a static set of rinse-and-repeat controls.

    Your plan should continually evolve as new risks emerge, old risk scores alter, new knowledge and expertise is acquired, and your internal context alters.

    Your end goal here should be...


    Continuous improvement


    Like ISO 9001, ICH Q9 pushes for continuous improvement of your business through the lens of continually optimized risk processes.

    One way to do this is to consider and reconsider the tactical tools driving your risk activity. Remember the 'tools' listed above? Periodically revisit your risk toolset, from your statistical analysis to your HAZOP processes, and alter or onboard new tools and techniques as required.


    ICH Q9 quality risk management in practice


    Now we've seen the key concepts and activities underpinning ICH Q9 quality risk management, let's explore how to apply them practically.


    Applications of quality risk management in pharmaceutical manufacturing


    All of the risk management milestones listed above, from risk analysis to communication, need to be embedded into the lifecycle of your drug and the end-to-end framework of your pharmaceutical manufacturing practice.

    Fortunately, ICH Q9's Annex II is full of practical guidance in this regard.


    Process design and control


    Your manufacturing processes should be both built and executed with risk management in mind: the so-called 'quality by design' (QbD) approach.

    In-process sampling & testing is a key component of this approach, and you should carefully consider and evaluate both the frequency and extent of your in-process control testing.

    You'll need to justify reduced testing  activity in any areas of proven control, and evaluate and justify the use of  Process Analytical Technologies (PAT) in conjunction with parametric and real-time release.

    Production planning is also essential here, including both sequential and concurrent production processes.

    The critical quality attributes (CQAs) of your product and the critical process parameters (CPPs) of your manufacturing processes need to be carefully considered together, with risk controls baked into your processes as follows:


    ICH Q9 manufacturing risks


    We saw above how accurate, reliable data is essential for ICH Q9 quality risk management.

    Map out how information and data flows across and within your manufacturing process, paying attention to risks within and how you'll control them.

    An example could look like this:


    ICH Q9 data flow risk



    • How your manufacturing processes work
    • The analytical methods you'll apply, and when
    • The equipment you're using
    • The cleaning methods you're employing (or not!)


    Then let that information guide the application of your sampling, monitoring and re-validation activities. 


    Supplier & material management


    Your ICH Q9 quality risk management activity is only as strong as its weakest link.

    Suppliers and contract manufacturers should be assessed and evaluated before they ever impact your business, with risk-based auditing and quality agreements (QAgs) underpinning your relationships.

    Similarly, your starting materials need to be carefully assessed, with potential risks from aging and synthesis of materials factored into your risk planning.

    Pay close attention to your storage, logistical and distribution conditions, with temperature, humidity and container design managed appropriately.

    And more broadly, think about wider availability risks to your infrastructure and supply chain, including anything that might disrupt your ability to deliver drugs to patients: capacity, customs clearance, interim storage conditions, and so on.


    Download the essential guide to life science supplier management



    Facility & equipment management


    All of the risk activities we covered above should be specifically applied to your utilities, facilities and equipment.

    Risk likelihood and severity should guide the structure and make-up of your physical facilities, as follows:


    ICH Q9 facility risk management


    Facility and 'zone' operation should be conducted with core risk considerations in mind, including:

    • Flow of material and personnel
    • Contamination minimization
    • Pest control
    • Prevention of mix-ups
    • Open vs. closed equipment
    • Clean rooms vs. isolator technologies
    • Dedicated or segregated facilities/equipment


    Your equipment and infrastructure should mirror your risk profile, from container materials to HVAC and ventilation.


    Laboratory controls and testing


    Laboratory controls and stability testing should have clear, documented processes for executing:

    • Out-of-specification result response (to identify root causes and corrective actions)

    • Retest/expiration date setting (to evaluate adequacy of storage and testing  of intermediates, excipients and starting materials, and of use and stress test results)


    Change management


    Your QRM strategy should have a clear mechanism for managing change, in line with the 'continuous improvement' risk objective we touched on above.

    Manufacturing changes based on  knowledge and information accumulated in pharmaceutical development and during manufacturing should be both planned and managed properly, with their impact on both product quality and availability evaluated.


    Integration of quality risk management into quality systems


    Quality risk management shouldn't only be bolted onto your manufacturing process. ICH Q9 encourages you to make quality risk management a seamless component of your broader pharmaceutical quality system.

    With this in mind, you should consider tackling ICH Q9 and Q10 together, to give your business a robust and risk-based quality framework.


    Documentation & record management


    Your document stack should integrate ICH Q9 expectations into your SOPs, guidelines and so on.

    That means thorough documentation of your risk management activity, justifying your actions and conclusions.

    Of course, documents and records introduce their own form of risk.


    ICH Q9 documentation


    Loss of data and information can be as serious an operational risk as a manufacturing fault, so consider working towards ALCOA+ as a way to guarantee the integrity of your documented information.

    ALCOA+ documentation requirements


    Quality assurance & quality control


    Obviously, robust quality assurance and control are an important way to minimize operational risk and maximize the safety of your pharmaceutical product. 

    An effective, documented quality management system should therefore be established.


    ICH Q9 QMS


    You'll need an effective quality assurance and control mechanism for identifying, evaluating, and communicating  the potential risk and quality impact of:

    • Defects
    • Complaints
    • Trends
    • Deviations
    • Investigations
    • OOS results

    And so on.

    As we've seen already, effective and planned risk communications should be built into your QMS too.

    The worst case should be considered and planned for too, with appropriate actions planned to address any significant product defects, such as (Heaven forbid) a recall.

    ICH Q9 quality risk management maturity


    Consider your quality maturity at all times, pushing for continuous improvement on top of your control and assurance activity!



    The 8 essential elements of a pharmaceutical quality system



    Training & education


    Your staff should be properly trained, competent and educated to perform their roles effectively.

    Risks connected to training include:

    • Appropriateness and impact of staff training sessions
    • Ongoing effectiveness of previous training/retraining
    • General training, experience qualifications and physical abilities of each member of staff
    • Most importantly, the ability of all staff to perform an operation reliably and  with no adverse impact on the quality of your product


    Consider an electronic training approach to give yourself total visibility of training status and make this requirement much easier.




    RELATED READING: Training management software datasheet



    Auditing & inspections


    This is a double-edged sword.

    Your business needs to be ready for third-party regulatory inspection and audits, so that the risk of audit failure (shutdown, recalls, warning letters) is managed and acceptable.

    To do so, you'll need a robust internal auditing program in place.

    The frequency, scope and target of your internal audits should be directed according to:

    • Existing legal requirements and standards
    • Overall compliance status and history of your company
    • The strength of your ICH Q9 quality risk management activities
    • Complexity of your site, manufacturing process,  product, and its therapeutic significance
    • Results of previous audits/inspections, including findings
    • Number and significance of quality defects
    • Major changes to buildings, equipment, processes, key personnel, and so on
    • Experience with manufacturing of a product  (e.g. frequency, volume, number of batches)
    • Test results of official control laboratories


    We looked at the data for Form 483 submissions in 2022 and found the top 10 most common reasons for drug companies to receive one from the FDA:


    21 CFR 211 cGMP 483 observations


    Home in on these common cGMP mistakes, alongside specific risks you've identified, and use your audits to uncover and fix potential issues.


    RELATED READING: A step-by-step guide to internal audits



    Importance of ICH Q9 in the pharmaceutical industry


    ICH Q9 is a powerful and comprehensive framework for pharmaceutical companies to grab hold of their risks and control them in a mature, collaborative framework.

    As we saw at the beginning of this guide, ICH Q9 isn't a mandatory requirement.

    But you should consider adopting its requirements anyway. The benefits of robust ICH Q9 quality risk management are comprehensive:


    1. Enhances patient safety

      The primary objective of ICH Q9 is to improve patient safety by identifying and mitigating risks associated with pharmaceutical products. By implementing effective risk management processes, companies can minimize the chances of adverse events or product failures that could harm your patients

    2. Ensures product quality

      ICH Q9 emphasizes the importance of understanding the impact of risks on your product quality. By identifying and managing potential risks early in the product development lifecycle, your organization can embed repeatable product quality and reduce the likelihood of quality defects and variations

    3. Facilitates regulatory compliance

      ICH Q9, as its 'i' suggests,  provides a framework that aligns with regulatory expectations worldwide. By following the ICH Q9 quality risk management guidelines, your pharmaceutical company can demonstrate commitment to risk-based thinking and robust quality risk management, which is crucial for obtaining regulatory approvals and maintaining compliance with other standards and regulations

    4. Improves decision-making

      The risk management principles outlined in ICH Q9 empower your business to make informed decisions based on a thorough understanding of potential risks and their potential impact. This helps prioritization of resources, effective allocation of budgets, and risk-based focus on areas of concern the greatest potential impact on product quality and patient safety.

    5. Promotes continuous improvement

      ICH Q9 emphasizes the importance of an ongoing risk management process throughout the product lifecycle. By continuously assessing and managing risks in line with ICH Q9 best practice, your business can continually identify opportunities for improvement, process optimization and overall enhancement of process efficiency and effectiveness


    Automated, digitized pharmaceutical quality risk management


    An eQMS like Qualio gives your pharmaceutical organization a digital framework for best-in-class ICH Q9 quality risk management, from managing documents and training to onboarding suppliers and executing quality events like CAPAs and OOS responses.