ICH Guideline Q9(R1) On QRM, Part 1: Formality & Risk-Based Decisions

By Stacey Largent and Virginia Andreotti-Jones, ValSource Inc.

The long-awaited revision to ICH’s harmonized tripartite guidance on Quality Risk Management (QRM), Q9(R1), was adopted on January 18 of this year.¹ While the primary principles and concepts of QRM in this new version remain consistent with the original 2005 document, the longer, revised guidance has four new subsections. Risk management methodology (Section 5) has been expanded to include three new topics:

1. Formality (Section 5.1)
2. Risk-based decision-making (Section 5.2)
3. Subjectivity (Section 5.3)

The final added subsection, QRM in addressing product availability risks, is included in Section 6 on integration of QRM into industry and regulatory operations.

This is the first in a two-part series to address what the additions to ICH Q9 mean for QRM in practice. In this article, the changes and implications associated with the inclusion of formality and risk-based decision-making in the updated guidance will be examined. A second article will discuss subjectivity and addressing product availability risks through integration of QRM.

Formality In QRM

When ICH Q9 was released in 2005, one of the main principles of QRM was “The level of effort, formality and documentation of the quality risk management process should be commensurate with the level of risk”; however, the words “formal” and “formality” were only used four times.

In the R1 version, formality takes center stage with a staggering 850% increase to 34 mentions of “formal” or “formality.” This change matters to QRM practitioners because ICH intended to fulfill the request of industry to better understand what formality is and how to determine the appropriate level of formality in QRM activities. By creating the new section, “Formality in Quality Risk Management,” ICH has clarified what is expected and how to generally interpret the previously mentioned QRM principle.

ICH Q9(R1) describes the concept of formality within QRM as a spectrum (not binary) and the factors that may influence the level of formality for a given QRM activity. Refer to Table 1 below to understand the different elements that influence formality.

Table 1. Factors Influencing the Level of Formality to Apply within Quality Risk Management per ICH Q9(R1)

The guidance also discusses how varying degrees of formality can be applied by considering the attributes of higher and lower levels of formality. Refer to Table 2 below for a discussion of the characteristics associated with varying degrees of formality. A “mix and match” approach across these attributes can be used to achieve the appropriate level of formality.

Table 2. Examples of Characteristics Representative of Varying Degrees of Formality in Quality Risk Management

The majority of the new formality concepts included in this guideline (e.g., formality spectrum, number of QRM elements applied, use of stand-alone reports, cross-functional teams, tool usage) are in direct alignment with the findings of a joint group of regulators and industry representatives that were united in their efforts to further explore the concept of formality within QRM. The results were captured in a 2020 article titled Understanding the Concept of Formality in Quality Risk Management.² The alignment on this topic is not surprising as Dr. Kevin O’Donnell of the HPRA was the lead for the ICH Q9(R1) working group.

What Does This Mean To Firms?

In the nearly 18 years following the initial release of ICH Q9, there have been some negative consequences due to lack of understanding of formality within QRM. This likely included use of overly complex or formal activities for simple risk questions and problem statements, as well as a lack of appropriate scientific rigor for more complex activities.

With detailed additional guidance about formality in ICH Q9(R1), there is promise of increasing maturity in QRM through:

• Having the appropriate and right number of cross-functional subject matter experts involved, resulting in more efficient resourcing and freeing up senior management to manage higher levels of risk.
• Applying fit-for-use methodology and tool selection in conjunction with supporting scientific data, creating more effective and efficient risk assessments and risk control decisions, and aligning with the principle for formality to be commensurate with the level of risk, curtailing the application of a one-size-fits-all solution.

With increased flexibility about how formality may be applied, ICH Q9 still stresses the importance of robust QRM as a key objective (less formal does not mean less robust!) and specifies that lack of resources is not an appropriate rationale for using a lower degree of formality.

Risk-Based Decision-Making

In ICH Q9(R1), risk-based decision-making is focused on the decisions made during and about the quality risk management process. This new section provides guidance and structure to reduce subjectivity in decision-making and provides a framework for how risk should guide decisions.

As with Section 5.1, the revised guidance describes risk-based decision-making as a process that occurs on a spectrum of formality. Like determining the formality of the QRM approach, the importance, uncertainty, and complexity of a process or circumstance must be considered when determining the appropriate process for making risk-based decisions. Table 3 below summarizes these concepts as they apply to risk-based decisions.

Table 3. Factors Influencing the Level of Formality to Apply for Risk-Based Decision-Making per ICH Q9(R1)

What Does This Mean To Firms?

These principles of risk-based decision-making should be integrated into a firm’s QRM programs. For organizations with an existing QRM structure, it is likely that elements of the risk-based decision-making spectrum exist in the current program. The decision process may be explicitly stated, or it may be implied by the existing requirements of the process. For organizations in the process of building a QRM program, this is an opportunity to lay out the decision-making process clearly from the start. Consider these steps:

• Review the current or planned processes and identify decision points.
• For each decision point, consider the importance, uncertainty, and complexity of that decision and the formality of the QRM application.
• From there, determine the formality needed for that decision point.
• Based on the formality of the risk decision, build instructions into procedures and content into training materials to reach the desired level of risk-based decision-making.

The examples in Table 4 below illustrate the application of risk-based decision-making in two scenarios.

Table 4. Example for Determining the Level of Formality to Apply for Risk-Based Decision-Making

Conclusion

The new guidance provided in ICH Q9(R1) is a welcome addition that provides direction and clarity to several topics in QRM, including the role of formality in QRM and risk-based decision-making. Defining and implementing these practices within an organization’s QRM program improves the overall maturity of these processes and, ultimately, the QRM culture.

While the new sections provide a wealth of helpful information, there may still be areas where more detail (e.g., in the form of case studies) can be beneficial to the industry, and collaboration among our industry colleagues would serve to support implementation.

Watch for Part 2 of this article series to learn more about the ICH Q9 updates on risk-based thinking and the role of QRM in addressing product availability risks.

References

1. ICH Q9 Quality Risk Management (R1), final version, January 18, 2023; https://database.ich.org/sites/default/files/ICH_Q9%28R1%29_Guideline_Step4_2023_0126_0.pdf
2. O’Donnell K, Tobin D, Butler S, Haddad G, Kelleher D. Understanding the concept of formality in quality risk management. J. Valid. Technol, 2020 Jun; 26(3).

About The Authors:

Virginia Andreotti-Jones is a consultant with ValSource, focused on providing innovative approaches to quality risk management (QRM). Throughout her career, she has played a role in quality risk management, quality event investigations, and quality systems, using her expertise in the development and deployment of customized solutions for QRM, program development, and integration of QRM into quality systems. Additional QRM expertise includes human error reduction (human performance), QC equipment qualification, change control, and project management. Andreotti-Jones currently serves on the board of the Pacific Northwest Chapter of PDA. She holds a B.S. in chemistry from Gonzaga University and can be reached at vandreottijones@valsource.com.

Stacey Largent is a senior consultant at ValSource, Inc. She specializes in quality risk management (QRM), aseptic processing, sterility assurance, and supporting the needs of vaccine/biopharmaceutical product development and manufacturing. With more than 20 years in the pharmaceutical and medical device industry, she spent over 16 years at Merck and most recently served as head of its global QRM Center of Excellence. Largent also has experience in evaluating new technologies, tech transfer, leading complex investigations, and method development. She holds a B.S. in biomedical engineering from Drexel University and an M.Eng. in biological chemical engineering from Lehigh University. She can be reached at slargent@valsource.com.