Quality Risk Management: Defining Responsibilities

Showing results for 
Search instead for 
Did you mean: 

Quality Risk Management: Defining Responsibilities

Team TFS
Team TFS

Editor's note: This is the second in a series of four blog posts on quality risk management. Follow for these and more upcoming regulatory updates in 2023.


With great power ...


I think everyone can relate to remembering a younger-you, fantasizing about gaining a new freedom once a particular milestone was crossed. Maybe it was getting a driver's license, eating unlimited amounts of cereal, or being able to stay up long enough to see a late-night television program.


Quality Risk Management.jpgJust as quickly as we cross the milestone, we realize that freedom comes with a new set of responsibilities. I think that realization can be particularly heavy when you become a decision-maker in industry and realize that your policy decisions will guide products to market for real people.


Striving for change and retaining the ability to evolve products and procedures ensures that the quality threshold continues to rise.


Change is coming


The first installment of this blog, Know the Risks, noted that the release of the drafted ICH Q9 quality risk management guideline was pending early/mid 2023. The revision (Q9(R1))1 was released on January 18 and is now available for implementation. An introductory training presentation and additional guidance support information to facilitate updating quality systems was posted for use on the ICH website.2 


As we saw in last year’s announcement from the FDA3 that was prompted from the shortages seen during the pandemic, the industry has been asked to re-evaluate their quality risk management plans utilized for the manufacture of products.  The FDA guidance on risk management for shortages4 is still undergoing draft status and is accepting comments, but in true FDA fashion may remain as a draft for a few years.


So, in this blog post we will look at the changes to the ICH Q9 quality risk management guideline by first discussing responsibilities. The most notable differences in the responsibilities section between the original guidance5 from 2015 and the revision1 from 2023 is the addition of language surrounding subjectivity, with an additional guidance responsibility for decision-makers being added distinctly as, “assure that subjectivity in quality risk management activities is managed and minimized, to facilitate scientifically robust risk-based decision-making.”


Assurance to manage and minimize subjectivity is further discussed as avoiding the introduction of bias with an emphasis to recognize that tools utilized may potentially add bias within the additional sections in chapter 5 of the new guidance.


Tools in risk assessment


A risk matrix can be a common risk management tool and is created with a combination of scores to determine if process steps or product feature use is a high-risk activity. As an example, the below risk score is presented for some selected actions in chromatography with a score assigned for the frequency of the action, a score of its risk relative to product quality, and a score of the likelihood of it being found in review.


Figure 1- Example Risk Matrix. Color for 1-3 score on Use Frequency, Relative Impact, and Inability to Track Use of green (low), yellow (medium), red (high), with Composite Score (sum) scales as 1-3 (low), 4-6 (medium), 7-9 (high).Figure 1- Example Risk Matrix. Color for 1-3 score on Use Frequency, Relative Impact, and Inability to Track Use of green (low), yellow (medium), red (high), with Composite Score (sum) scales as 1-3 (low), 4-6 (medium), 7-9 (high).


Giving this example a quick look at the composite score for manual integration, this would indicate that manual integration should have a further risk plan associated with it. That risk plan could be composed of privilege management, creating a document outlining manual integration use, or implementation of a multistep process of review prior to acceptance for use.


Upon closer inspection, this example is clearly subject to bias. One bias source is that this score could be completely different depending on the person scoring or the context of their use.  As another, the composite scores could shift in severity if the scoring criteria was more than just a 1-3 scale.


These are just some simple examples of bias introduced into this basic risk assessment matrix.


High-risk activity: privileges


In this blog post, I will focus on the privileged access management tools for Thermo Scientific™ Chromeleon™ 7.3.2 Chromatography Data System (CDS).


In the case of highest scored risk actions, it is often the simplest route to simply restrict the ability. However, disallowing a privilege for “integration” just to restrict “manual integration” is too generic to be considered usable. Given the variety of different ways actions can be carried out and the grouping of them into a given set of privileges, a privilege system needs to be granular and flexible to be considered useful.  


Chromeleon CDS 7.3.2 features a more granular privilege system than ever before with easy-to-understand restriction implications. Beyond Create, Modify, Copy, and Delete, a custom privilege set can be made as a Ruleset from much more granular selections.


Chromeleon Privilege Description.png

Options exist for custom privileges for processing actions. These include:

  • Peak Detection (2D and MS)
  • Peak and Component Table
  • Calibration Settings
  • Composite Scoring
  • Chromatogram Subtraction
  • MS Settings


Within the ruleset groups, individual privileges can be assigned. 


For example, within peak and component tables, the ability to edit processing method assigned peak names, retention times, or the ability to add/remove named peaks altogether can be individually restricted.


Video - Rulesets and granular privileges for methods.


In addition to access control, Chromeleon CDS also offers a configurable way to require more information from users who may have access and utilize a higher risk privilege. For these actions, administrators can require a user-provided comment and/or authenticate against performing the action.


Video – For a general guide on requiring authentication and/or comment for restricted actions


Check out issue one of the Quality Risk Management blog

Subscribe to the blog so you don’t miss the third installment on Risk Management in Q3 and subsequent posts in the series.


Additional resources



For questions related to best practices for setting up your privilege system, Thermo Fisher Scientific also offers a complete service offering as well as support plans.  Services and support plans include technical support, product updates, additional resources and training.


Take-home message


I have found there is always a give and take when it comes to utilizing access control and requiring comments to minimize overall risk.  Users obviously require a flexible system to allow for different needs while administrators desire simplicity so that the task of coming up with an access control matrix isn’t a month of meetings deciphering every privilege meaning, and who requires that privilege frequently enough to allow the risk of them having it.


Changing the initial privilege sets also brings up additional challenges if it occurs frequently or without an impact assessment.

Do you review your privilege management settings periodically?  Do you have impact assessments along with audit record review as justification steps?  I’d love to connect or to learn more about your quality pain points when it comes to these decisions and hear about what actions in software you wish were better separated.




1 ICH resources page. https://database.ich.org/sites/default/files/ICH_Q9%28R1%29_Guideline_Step4_2023_0126_0.pdf. Accessed March 22, 2023.

2 ICH news page. https://www.ich.org/news/ich-q9r1-introductory-training-presentation-now-available-ich-website. Accessed March 22, 2023

3 Food and Drug Administration Press Announcements. https://www.fda.gov/news-events/press-announcements/fda-urges-drug-manufacturers-develop-risk-manage.... Accessed March 22, 2023

4 Food and Drug Administration Guidance Documents. https://www.fda.gov/regulatory-information/search-fda-guidance-documents/risk-management-plans-mitig.... Accessed March 22, 2023

5 ICH resources page. https://www.ema.europa.eu/en/documents/scientific-guideline/international-conference-harmonisation-t.... Accessed March 22, 2023.