
Quality Risk Management
The Real Problem in Pharmaceutical Quality Risk Management: Method or Perspective?
The problem in Risk Management is not the method, but the perspective.
If we look at regulatory guidance, Risk Management is one of the most structured elements of the pharmaceutical quality system. ICH Q9 describes a clear process, built on scientific principles and intended to support decision-making throughout the entire product lifecycle.
When this framework is applied in day-to-day activities, however, the perception changes. Analyses are performed correctly, the right tools are used, and the documentation meets expectations. The critical aspect is not how the analysis is formally built, but how much it actually influences decisions.
In many cases, conclusions tend to confirm an existing setup rather than challenge it.

Figure 1 - Quality Risk Management process according to ICH Q9 (source: QRM process diagram from ICH Q9)
Within this gap between theoretical structure and practical application, a less visible but central aspect emerges. The system is rarely observed from a neutral starting point. Instead, it is interpreted through what is already known: procedures, implemented controls, and established operational practices. As a result, the risk evaluation is already conditioned from the beginning.
During the analysis phase, the system should be considered in terms of how it can behave, not how it has already been protected. Only afterwards should controls be evaluated for their effectiveness in reducing risk. This distinction allows a clear separation between intrinsic vulnerability and the effect of mitigation measures.
In real assessments, this separation rarely holds.
This changes the meaning of the analysis itself. What should be a description of system behavior gradually becomes an indirect representation of its perceived robustness.
The same effect appears in preliminary analyses, such as Preliminary Hazard Analyses (PHA), which are used to identify risk scenarios in early phases. At this stage, existing measures are often used immediately to qualify the scenario. Procedures, periodic tests, and documented checks are included from the beginning, limiting the possibility of assessing the risk independently.
At that point, the analysis no longer starts from how the system might fail, but from the conditions expected to prevent failure.
The focus shifts from understanding what can go wrong to explaining why, under current conditions, it should work. This is reflected directly in PHA structures, where risk scenarios and control measures are reported together.

Figure 2 - PHA extract: risk scenario described together with existing control measures
The same issue becomes visible, in a different way, in more structured analyses such as FMEA and FMECA. In scenarios involving data loss, system unavailability, or traceability issues, procedures and controls often enter the evaluation from the very beginning. Probability is implicitly reduced before the system has been considered in its most exposed state.
As a result, probability no longer represents how the system can fail, but how it behaves once mitigations are already in place.

Figure 3 - FMECA extract: risk evaluation influenced by already considered mitigation actions
In this situation, risk is not evaluated based on system behavior alone, but with mitigation measures already embedded in the assessment. Probability reflects a controlled system, rather than how it could actually fail.
In more operational analyses, such as FMEA applied to control systems, a different pattern emerges. When evaluating system controls such as access management, audit trails, backup processes, or training, the outcomes tend to align with what has already been implemented.
Controls exist, they are documented, and they have been verified. As a result, the system appears fully compliant.
Under these conditions, it becomes difficult to meaningfully differentiate between areas. When outcomes are uniform, the ability to identify what is truly critical is reduced. Prioritization progressively loses its meaning.

Figure 4 - FMEA extract: control evaluation with uniform outcomes and limited differentiation of risk
Across all these situations, the issue is not methodological. The process is applied correctly, the tools are used appropriately, and the information is available.
What is missing is a shift in perspective at the beginning of the analysis.
Performing Risk Management requires temporarily setting aside what is already known about the system: not ignoring it, but preventing it from shaping the construction of risk too early. The system needs to be observed as if controls did not yet exist, and only afterwards should their effect be assessed.
Separating system behavior from controls requires a deliberate effort, because in practice the two are almost always evaluated together.
ICH Q9 itself acknowledges that risk perception can vary among stakeholders, and that subjectivity cannot be completely eliminated, but must be understood and managed.
This means that the way the system is observed becomes part of the analysis itself.
When this distinction is handled more consciously, the outcome changes. Severity reflects real impact on patient, product, and data. Probability describes how the system behaves, not how it is controlled. Detectability becomes a true measure of the ability to identify issues.
When the separation between system and controls is maintained, the analysis itself changes form. Evaluations that previously appeared linear begin to diverge. Some scenarios become more relevant than expected. It becomes clearer where the system is truly exposed and where it is simply well controlled.
At that point, decisions also begin to shift. Not because the numbers change, but because what those numbers represent is different. This aspect is particularly evident in computerized systems, where separating system behavior from the controls defined during Computer System Validation is often challenging.
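To make the two-step separation concrete, here is an added example (not from the article or from S.T.B. Valitech): a small FMECA-style register in which severity, probability and detectability are first scored on the system as if no controls existed, and controls are credited only in a second step. The scenario names, control effects and all scores are constructed and hypothetical; the point is that the residual scores come out nearly uniform while the inherent scores diverge and show where the system is exposed versus merely well controlled.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Control:
    name: str
    p_reduction: int = 0    # points taken off probability (1-5 scale)
    d_improvement: int = 0  # points taken off detectability (5 = hardest to detect)

@dataclass
class Scenario:
    name: str
    severity: int       # impact on patient, product, data (1-5)
    probability: int    # how the system behaves with no controls credited (1-5)
    detectability: int  # ability to notice the failure with no controls credited (1-5)
    controls: list = field(default_factory=list)  # kept apart from the scores above

def inherent_rpn(s: Scenario) -> int:
    """Step 1: the system observed as if controls did not yet exist."""
    return s.severity * s.probability * s.detectability

def residual_rpn(s: Scenario) -> int:
    """Step 2: controls credited afterwards; severity is never reduced by a control."""
    p = max(1, s.probability - sum(c.p_reduction for c in s.controls))
    d = max(1, s.detectability - sum(c.d_improvement for c in s.controls))
    return s.severity * p * d

def control_dependency(s: Scenario) -> int:
    """How much of the risk reduction rests on controls rather than on the system."""
    return inherent_rpn(s) - residual_rpn(s)

def ranking(scenarios, score) -> list:
    """Scenario names ordered from highest to lowest under the given score."""
    return [s.name for s in sorted(scenarios, key=score, reverse=True)]

# Constructed sample register: hypothetical scores, not taken from any real assessment.
BACKUP = Control("backup and restore test", p_reduction=2)
MONITORING = Control("storage monitoring", d_improvement=2)
AT_REVIEW = Control("audit trail review", d_improvement=2)
TRAINING = Control("user training", p_reduction=1)
ACCESS = Control("access management", p_reduction=1)
REGISTER = [
    Scenario("data loss", 5, 4, 4, [BACKUP, MONITORING]),
    Scenario("traceability gap", 4, 3, 5, [AT_REVIEW, TRAINING]),
    Scenario("unauthorized access", 4, 3, 4, [ACCESS, AT_REVIEW]),
    Scenario("system unavailability", 3, 3, 2, []),
]

def report() -> dict:
    """Both views side by side: residual scores look uniform, inherent ones diverge."""
    return {s.name: (inherent_rpn(s), residual_rpn(s), control_dependency(s)) for s in REGISTER}
```

Ranking the register by residual RPN puts every scenario within a few points of the others, while ranking by inherent RPN separates data loss (80) from system unavailability (18) and shows that data loss is the scenario whose acceptability rests almost entirely on its controls.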
Article by Andrea Bussi - CSV Business Unit Manager, S.T.B. Valitech S.r.l.
References
- ICH Q9(R1) - Quality Risk Management (EMA/CHMP/ICH/24235/2006, 2023)
- FDA - Guidance for Industry Q9(R1) Quality Risk Management (May 2023)