LOGFILE No. 15/2011 - November 2011


Which Risk Assessment fits best?

Authors: S. Roenninger, M. Hertlein

This article addresses the following questions:

  • Which methods of risk management are referenced in ICH Q9?
  • Are there methods that are equally suitable for use across all areas of application?
  • How can these be used in practice?



Before you begin worrying about the individual methods used in risk management, you need to be clear that there is no "one size fits all" method for all application areas. For example, some methods deal primarily with risk identification, e.g. Fault Tree Analysis (FTA), while others concentrate more on the evaluation of errors and the determination of risk-minimizing measures, e.g. Failure Mode Effects Analysis (FMEA). Finally, there is Hazard Analysis and Critical Control Points (HACCP), which requires a high degree of knowledge. Thus an FMEA could support the definition of critical control points, which are then assessed by HACCP in order to prioritize measures.

A large number of publications and papers are available that provide information about and descriptions of the various methods of risk management. The methods referred to in this chapter are taken from ICH Q9 Quality Risk Management. This guideline contains the most comprehensive list of tools to be used in the pharmaceutical development and operation business. It is also one of the most recent guidelines in this field, and therefore reflects current thinking. It should be noted that this is not the state of the art for each and every company, site or regulatory agency. These methods provide opportunities and a guide, not a recommendation or a MUST. ICH Q9 is about a structured approach to using risk management. Furthermore, greater emphasis is placed on the informal method which, although not explicitly listed in Q9, is of great importance due to its flexible and simple applicability. Informal in this sense means structured thinking about the hazards to be assessed and prioritized. The level of documentation and formality is lower than would be required for a formal assessment using a specific tool (e.g. HACCP or FMEA).

In this use of risk management, the principle "less is more" also applies. The variety of methods used for assessing and controlling risks could be limited to facilitate comparisons between similar processes and the use of synergies, as well as to ensure that the skills required to use the methods remain within reasonable limits.

Annex 1 of ICH Q9 lists potential methods for the execution of different steps in the risk management process. It is important to note that some methods (e.g. process mapping) do not serve the whole risk management process, but provide options for fulfilling necessary prerequisites in terms of process and product knowledge, understanding, and transparency. All further methods build on this.

Methods of risk management according to ICH Q9, Annex 1:

  1. Basic risk management facilitation methods
  2. Failure Mode Effects Analysis (FMEA)
  3. Failure Mode Effects and Criticality Analysis (FMECA)
  4. Fault Tree Analysis (FTA)
  5. Hazard Analysis and Critical Control Points (HACCP)
  6. Hazard Operability Analysis (HAZOP)
  7. Preliminary Hazard Analysis (PHA)
  8. Risk ranking and filtering
  9. Supporting statistical tools

Application areas for selected methods can be assigned based on experience. This can only serve as a guide and not as a judgment of right or wrong.

The methods described below can only be usefully and effectively applied once the following has taken place:

  • Process Mapping
  • Informal Use of Risk Management
  • Fault Tree Analysis (FTA)
  • Failure Mode Effects Analysis (FMEA)
  • Hazard Analysis and Critical Control Points (HACCP)

These processes are described in more detail in the following chapters.

Rational decision making has always incorporated a degree of risk management. This risk management thinking can be implemented most simply and universally as an informal approach. In these circumstances, hazards and their effects/risks are assessed and the results can be documented together with a conclusion. The pharmaceutical industry and regulators have lagged behind other industries in using structured ("formal") risk assessment techniques. This shift to structured risk assessment is the big change for industry and regulators. An overview of the application emphasis of the most important formal risk management methods is necessary. Depending on the characteristics of each method, the weak points of individual methods can be compensated for by supplementary/supporting activities. The focus is selected according to the risk management process from ICH Q9 (Figure 10.D-1).

Figure 10.D-1 Application examples of some risk management methods


This overview provides an initial indication of where the individual methods have been shown to be beneficial. It means that risk communication can be supported by all methods, e.g. through suitable organizational measures and processing of information. The only difference is that certain methods (e.g. HACCP) also include this risk communication in their theoretical approach.

However, a long and detailed list of hazards and risk controls is not always beneficial. To demonstrate knowledge and understanding in an inspection, a summary is often most helpful.

Such a summary may contain the following elements:

  • Well defined scope
  • Technique / tools used
  • Appropriate people / functions involved
  • Identify "Potential high risks"
  • Short description of all risks beyond the threshold
  • Decisions made (e.g. actions, rationale, accepted residual risks)
  • Responsibilities for follow-up activities

In addition, statistical methods as described in ISO standards offer an important instrument for the assessment of product and process quality. They are helpful to identify, analyze and evaluate risks. They also facilitate visualization of the result of a risk management study. For detailed descriptions of the individual methods, refer to the relevant literature on the subject.

The following chapters describe specific methods in more detail to facilitate their later use. Please note that these methods can be used as described in the literature or adapted to the specific problem. They should not be used merely to show that a risk method has been applied. They should be used as needed to answer a question and to bring the company a step forward in fulfilling legal obligations and guaranteeing better quality.


Since there is no single method suitable for all application areas, in practice, risk management will always be composed of several methods. In order to keep the training effort to a minimum and to maximize the use of synergies, companies should still limit the number of different methods used (max. 3-4). A company should also examine whether risk management methods are already in use in other departments (e.g. safety, health & environmental protection or finance). The ICH Q9 Quality Risk Management guideline provides an overview of the most commonly applied methods and how they can be adapted to the pharmaceutical industry if needed to solve problems and to prioritize actions.

About the Authors

Dr.-Ing. Stephan Roenninger, F. Hoffmann-La Roche Ltd, Switzerland
Co-author of GMP MANUAL chapter 10 Considerations on Risk Management

Mario Hertlein, Boehringer Ingelheim Pharma GmbH & Co. KG, Germany
Co-Author of GMP MANUAL chapter 10 Considerations on Risk Management
