Professional Documents
Culture Documents
COMMENTARY
ABSTRACT: The purpose of this article is to share ideas on developing a risk-based model for the scheduling of audits
(both internal and external). Audits are a key element of a manufacturer’s quality system and provide an independent
means of evaluating the manufacturer’s or the supplier/vendor’s compliance status. Suggestions for risk-based
scheduling approaches are discussed in the article.
LAY ABSTRACT: Pharmaceutical manufacturers are required to establish and implement a quality system. The quality
system is an organizational structure defining responsibilities, procedures, processes, and resources that the manu-
facturer has established to ensure quality throughout the manufacturing process. Audits are a component of the
manufacturer’s quality system and provide a systematic and an independent means of evaluating the manufacturer’s
overall quality system and compliance status. Audits are performed at defined intervals for a specified duration. The
intention of the audit process is to focus on key areas within the quality system and may not cover all relevant areas
during each audit. In this article, the authors provide suggestions for risk-based scheduling approaches to aid
pharmaceutical manufacturers in identifying the key focus areas for an audit.
This article applies the risk-based model as described has the larger goal of verifying the compliance status
in ICH Q9 (1) to the audit scheduling process. This of the company. Audits are essential to evaluate the
document was developed as part of PDA’s Paradigm capability of the company or the supplier/vendor to
Change in Manufacturing Operations (PCMO) project consistently produce a material or service of the re-
as the second article in the series. The first article on quired quality, adequacy of production and control
auditing and good practice quality guidelines and reg- procedures, suitability of equipment and facilities, and
ulations (GxP) requirements has been published (2). effectiveness of the quality management system in
The content and views expressed are the result of a assuring the overall state of control. Audits can focus
consensus achieved by the task force members and are on efficiencies associated with manufacturing and test-
not necessarily views of the organizations they repre- ing; however, this type of audit is not within the
sent. primary scope of this article.
Audits, whether they are internally or externally The need for performing audits stems from regulatory
driven, provide an opportunity for an independent requirements, companies’ responsibilities, and company-
assessment of the quality system and compliance with specific business processes. These needs may be the
regulatory requirements; see also TR 54 on Quality same or complementary. In any case, the audit process is
Risk Management (3). This type of independent over- under the control, management, responsibility, and au-
sight, including inspections by regulatory authorities, thority of the company. These audits are an essential
element of the good practices (2), supporting and en-
abling regulatory compliance, and thus have to be gov-
*Corresponding Author: Susan Vargo, Amgen, Inc., erned by the company’s pharmaceutical quality system
4000 Nelson Road, M/S AC27C, Longmont, CO (PQS; also called quality management system, QMS).
80503, USA. svargo@amgen.com
Additionally, a company will have established pro-
doi: 10.5731/pdajpst.2014.00954
cesses for risk acceptance decisions for its operations
(including audits), which need to be in compliance Suggestions for risk factors to be evaluated in a pri-
with all applicable regulations. Therefore, the risk oritization matrix include compliance inputs (prior
management processes are also governed by the tasks regulatory inspection/company audit, overall compli-
described in the PQS. The company’s PQS and gov- ance history), operational inputs, and facility inputs.
ernance model are defined and decided upon by senior Each of these risk factors should be weighted based
management, having ultimate responsibility for all upon the perceived impact on compliance.
matters of quality and compliance, including risk-
based management for audits. As every manufacturing site is different, it is impos-
sible to list all the different risk factors to be consid-
A risk-based management process for audits aids in ered. However, this article does discuss some of the
determining the audit schedule and the scope. The more common risk assessment inputs used for audit
output from the audits will challenge or support as- schedule development. The risks factors discussed in
sumptions and claims of an organization’s compliance the following sections (sections 1.1 to 1.5) should be
status. None of this alters the fact that any audit is used as points to consider when assigning a fixed risk
limited in that the audit can cover and assess a partic- rank to a site/operation. Assigning a fixed risk rank to
ular situation on a specific day. However, an audit can a site/operation will aid in the audit scheduling pro-
minimize the uncertainty about the compliance status. cess.
By consequence, there remains a residual risk of non-
conformance when there is no audit or even if there is 1.1 Risk Factors for Operations Performed
a successful audit. The audit process will provide
The operations at the site can be assigned a fixed risk
evidence, but not proof, of compliance.
rank based on the risk associated with the operations
performed. As an example, high-risk operations usu-
This document is applicable to stakeholders perform-
ally include sterile manufacturing, packaging and la-
ing audits to assess GxP compliance. The elements
beling, final product release testing, and excipient
described focus on audits in the good manufacturing
testing. The function of excipient testing is included
practice/good distribution practice (GMP/GDP) area;
under high-risk operations because these raw materials
however, they can be applied to all GxP areas—for
are a part of the final product formulation and do not
example, good laboratory practice (GLP), good clini-
undergo further purification. These operations tend to
cal practice (GCP), and good pharmacovigilance prac-
have a higher degree of regulatory oversight and are
tice (GPvP).
therefore assigned a higher risk level. Additionally,
supply chain oversight including distribution and
1. General Risk Factors to Consider for a
transport practices are regarded as a high risk in to-
Risk-Based Auditing Approach day’s environment. Medium-risk operations would in-
clude drug substance manufacturing and solid oral
As with all risk-based processes, the decisions, ratio- dosage form manufacturing of drug (medicinal) prod-
nales, and relevant information concerning the audits ucts, while warehousing (e.g., storage areas for prod-
must be documented in an appropriate level of detail. uct and raw materials) would be considered low-risk
This allows for independent review and traceability, operations if appropriately controlled.
which may need to be demonstrated during self-audits
or regulatory inspections or customer audits. Indepen- 1.2 Site/Facility Risk Inputs
dent auditors/inspectors should be able to understand
and follow the process determining whether or not a When assessing the risk profile of a manufacturing site
particular audit is scheduled and, if scheduled, the for clinical or commercial products (both drug sub-
scope and timing of the audit. By following this basic stance and drug product) or a supplier/vendor for
principle, a company can demonstrate that its risk- materials or a contract laboratory for release testing,
based audit process conforms to its quality system and several factors about the facility/site and the equip-
complies with applicable regulations. There is, how- ment should be considered. These factors include fa-
ever, a possibility that inspectors from a regulatory cility design (e.g., the age of the facility and compli-
agency may not concur with the company’s audit ance with current expectations on design should be
process despite a clear rationale supported by scien- considered) and maintenance, equipment maintenance
tific justification. and calibration, and if there have been major changes
Table I
Points to Consider When Scheduling a Supplier Audit
Criticality and
Audit Type Complexity Potential Questions to Address Risk
Suppliers of materials and services Criticality of equipment Is this an autoclave or high-
(calibration and maintenance calibrated/maintained performance liquid chromatography
services, clean gowns, by the supplier (HPLC) equipment used for every
transportation providers) batch (direct impact), or a water
bath thermometer (indirect impact)?
Criticality of operation Are the gowning materials used in
performed by the aseptic filling or in the bioreactor
supplier area?
Raw material/solvents Criticality of material Is this a solvent used in the last
to process process step?
Sourcing—regulatory Does the country of manufacture have
maturity of country a mature regulatory system that
of manufacture assesses manufacturing compliance?
Single source? Is the material only available from
this source versus widely available
from multiple sources?
and external audits as well as to determine the length contract manufacturing operations and quality (includ-
and the scope necessary for the audit. A tool, for ing the QP) could provide information as to the com-
example, a ranking model (1) is useful in prioritizing pliance status of the individual contractors. In addi-
audits based on established criteria identifying rele- tion, laboratory and/or operations staff members who
vant risk factors. A prioritization matrix consisting of are in contact with contract manufacturers/laboratories
risk factors weighted proportionally to a risk level can may have information to contribute to the overall risk
be developed to define the audit interval based on assessment of a contract manufacturer. Participation
lowest to highest risk. of the QP in the scheduling process is useful because
of his or her product knowledge and involvement in
In determining the risk factors that a company will use specific quality functions such the lot release decision.
to develop the audit schedule, tables similar to Tables Including the QP may be of particular importance in
I and II (4) can be helpful. As an example, Table I
multinational companies where the audit program may
provides suggestions on criticality and risk as related
be operated remotely from the QP’s site of responsi-
to an audit of a supplier (i.e., a service provider or a
bility.
raw material vendor).
Table II
Points to Consider When Scheduling an Audit of a Drug Substance or Drug Product Manufacturing
Process
provided as brief comments to the approved audit edge of the auditee/auditors, the preliminary time-
schedule. frame for the audit, the preliminary scope and objec-
tive of the audit, and the expected duration of the
2.2 Planning audit.
The audit plan defines the audit scope, requirements In the planning step, risk management elements could
and schedule based on the risk assessment results. be key drivers to determine the audit planning ele-
Once the schedule has been developed and approved, ments. As an example, the more traditional approach
the planning phase can be initiated by corporate com- for audit scope would be to focus on the product and
pliance or the site compliance unit. During planning, to evaluate all documentation and systems associated
the corporate compliance or site compliance unit with the manufacture of the product. This approach
should identify, for each scheduled audit, the stan- can be time-consuming and require multiple auditors.
dards against which the audit is to be performed, the Using a risk-based approach, the audit scope could
lead auditor and audit team members, language knowl- focus on key system elements (including the quality
Table III
Risk Management Elements When Planning an Audit (5)
Element of Audit
Planning Traditional Approach Risk-Based Approach
Lead auditor Certified auditor (1); certification by the Certified auditor (1); certification by the
company or an independent company or an independent
organization organization
Audit team members Subject matter experts according to the Subject matter experts according to the
scope (2–5) scope (1–3)
Preliminary timeframe Fixed for drug products, active Variable based on the level of
pharmaceutical ingredients, etc. knowledge the auditing organization
has of the supplier
Objective Cover the product and all quality Cover the quality system topics that
system topics affect the product and/or had been of
uncertainty/concern
Preliminary scope Product Quality system
Expected duration 2–5 days 1–5 days; variable, according to the
result of the risk assessment of the
supplier, product type, etc.
system) to evaluate the product being manufactured of this type can aid in targeting the scope of the audit
and/or tested at the site. There are examples listed in and allow for efficient use of audit time and resources
Table III that complement the Pharmaceutical Inspec- at the site. The outcome of regulatory inspections (if
tion Convention and Pharmaceutical Inspection Co- confirmed to be of relevant scope) may be used to
operation Scheme (PIC/S) recommendation “A Rec- defer the audit to a later date on the basis of reduced
ommended Model for Risk Based Inspection Planning risk. It is important that the company’s audit program
in the GMP Environment” (5). evaluate all relevant areas, as part of the audit scope,
over a number of audit cycles independent of regula-
2.3 Preparation tory inspections. A regulatory inspection should not be
used as the sole replacement for the audit. A decision
During the preparation phase, the lead auditor is re- to defer the audit to a later date should be documented
sponsible for confirming, with the auditee, the specific including a follow-up date in the decision.
dates for the audit. The objective and scope of the
audit, based on the result of the risk assessment of the 2.4 Conducting the Audit
auditee, could be finalized during the pre-audit nego-
tiations with the auditee. The audit agenda could be The audit itself could begin with an opening meeting
finalized and shared with the audit team and the audi- to restate the objective and scope of the audit (as
tee. defined by the results of the risk assessment) and the
basic requirements on which the auditors will base
Preparation activities could include requests for pre- their audit. Additional document requests may be made
read material such as the quality manual; the site at this time, if applicable. The majority of time spent at
master file (including organizational chart), if appli- the audit will be devoted to reviewing operations, docu-
cable; the validation master plan; and so on. The mentation, observing ongoing processes (e.g., manufac-
auditors could request from the manufacturer/supplier turing, testing), facility tours, and interviewing relevant
GMP certificates or, if considered necessary, prior staff according to the risk assessment. This schedule
inspection reports and the respective corrective/pre- should be carefully developed based on the information
ventive actions from health authorities, if available. It available.
is useful to understand the focus of the regulatory
inspection and to note where the inspectors did or did As part of the audit, the audit team should assure that
not find compliance problems at the site. Information the auditee has fulfilled all regulatory requirements
Table IV
Example of Ratings for Audit Observations
committed to as part of a marketing application or in the scope and objective of the audit as well as present
response to a regulatory inspection. Compliance with the major findings supported by the individual obser-
new regulations and regulatory guidance should be vations made during the audit. Each finding could be
assessed during the audit as well. The auditors should rated according to a risk ranking system. One ap-
confirm completion, implementation, and (if possible) proach is to rank the findings as critical, major, minor,
effectiveness of all corrective actions from the previ- or recommendation (6, 7) (refer to Table IV).
ous audit. Daily wrap-up meetings are recommended
with a final closing meeting on the last day of the It is useful to include explanatory text following each
audit. During this meeting, the auditors will present finding to provide guidance to the auditee on what
their major observations to the auditee and its man- would constitute an acceptable response. Follow-up
agement. items for the next scheduled audit of this site should be
included in the report.
2.5 Report Generation, Issuance, and
Response Acceptance In addition, an overview of the audit and inspection
activities at a manufacturing site is useful to senior
The audit report is the formal work output after the management. This overview can be a summary of
audit. It is the lead auditor’s responsibility to generate observations and corrective/preventive actions from
and issue the audit report. The report would describe the audit. This summary can then be ranked as “good”,
“satisfactory”, or “unsatisfactory” (8). The ranking is and evidence for the audit closure to the lead auditor.
used for decisions, for example, to initiate a specific Both the auditee and the lead auditor or an assigned
global action across the company (internal audit), to person in the organization should track each commit-
continue business with a specific contract manufac- ment to assure that it is closed as agreed upon during
turer or supplier (external audit), or to adjust the the response acceptance process and that it is closed
frequency for the next audit of this site/company (in- on time. Any change to the corrective/preventive ac-
ternal or external audit). tions (i.e., change in activities associated with the
accepted response, change in the commitment due
It is the auditee’s responsibility to respond to the audit date) should be communicated to the lead auditor or
findings/observations with an acceptable corrective designee. A rationale and a risk assessment to support
action plan identifying what action(s) will be taken or the change should be presented as well. Evidence of
not, who will be responsible for the corrective ac- completion of the corrective action should be provided
tion(s), and the expected time/date for completion. to the lead auditor at the time of completion. Occa-
Multiple interpretations of regulatory requirements sionally, the verification of the corrective action must
have been seen in regulatory inspections as well as in occur at the auditee’s site (e.g., a new piece of equip-
audits by companies. It may be beneficial to relate the ment). Once all corrective actions have been verified
interpretation to patient risk and/or product quality, as acceptable, the audit may be closed.
and to consider best practice documents when re-
sponding to the audit in order to align with a harmo- The overall conclusion of an audit (internal or external)
nized interpretation and/or understanding of the re- should be used as a basis for scheduling the subsequent
quirements. The latter may be more applicable to an audit of the site according to the risk-based approach.
external audit response. Based on the risk/ranking assigned and the urgency for
corrective action verification, the scheduled date for the
The response to the audit should be issued in a timely
subsequent audit could be adjusted to occur sooner or
manner. The typical response time is within 1 month.
later within the next audit schedule. If the interval be-
As part of the response acceptance process, the lead
tween site audits is extended, quality monitoring systems
auditor and the audit team—including subject matter
should be used to alert a manufacturer to potential
experts (SMEs)—should assess both the completeness
changes in product quality or in the quality of materials
of the response and timeliness of the corrective action
supplied by a vendor. Examples of quality monitoring
closure. The response should be judged in terms of the
systems include raw material testing, in-process testing,
criticality rating of the finding. One could anticipate
and final product release testing.
that a critical finding would require a global/systemic
response (e.g., a implementing a revised change con-
Finally, a quality metric(s) could be used to inform
trol program), whereas a minor finding could have a
senior management of the overall effectiveness of the
narrower response (e.g., a revision to standard oper-
company’s audit program. Elements measured could
ating procedures). Additionally, the completion dates
include status of the audit schedule (on time, post-
should be based on the criticality rating of the finding/
poned, canceled, waived based on risk), significance
observation as well as the complexity of the corrective
of the observations, status of individual audits (open,
action.
closed), timeliness of audit report issuance (on time,
late), timeliness of auditee responses (on time, late),
2.6 Completion, Follow-up, and Closure
and so forth. These indicators may or may not reflect
Upon acceptance of the responses by the lead auditor the quality of each audit, but could provide senior
and the audit team, the follow-up and commitment due management with adequate information to judge the
date closure process begins. As soon as the corrective overall compliance status of the company.
actions are accepted and the compliance status is ver-
ified by the lead auditor, the completed audit should be 3. Conclusion
forwarded to other stakeholders as needed (e.g., in the
EU, the QP). This is a similar process to that of issuing Auditing is an excellent indicator of the overall effec-
a GMP certificate of an authority. tiveness of the company’s and the contractor’s quality
systems and product performance. The implementa-
Subsequent to the completion step is the audit closure tion of a risk-based audit management system at both
step. The auditee is responsible for providing updates the local and global level (if applicable), including
regular updates to senior management, could influence and GxP requirements along the product life cy-
the outcome of regulatory inspections (i.e., no unex- cle. PDA J. Pharm. Sci. Technol. 2012, 66(5),
pected observations by the inspectors). However, if 396 – 402.
there are unexpected observations, it is important to
review and assess the risks to understand how best to 3. PDA Technical Report No. 54 (TR 54) Implemen-
improve the quality system elements, including the tation of Quality Risk Management for Pharma-
audit program. Finally, implementing risk-based ap- ceutical and Biotechnology Manufacturing Oper-
proaches to the company’s audit program will help to ations, 2012.
focus resources on key areas of importance, thereby
minimizing the risk to patients. 4. Rönninger, S.; Holmes, M. A risk-based approach
for scheduling audits. PDA J. Pharm. Sci. Tech-
Acknowledgements nol. 2009, 63(6), 575–588.
The authors thank Jim Lyda, PDA, for his input chal-
5. PIC/S. A Recommended Model for Risk Based
lenging the initial draft and as well as other members
Inspection Planning in the GMP Environment. PI
of the PCMO Task Force: Amnon Eylath, Mark Frank-
037-1, January 1, 2012.
com, and Siegfried Schmitt. Additionally, the authors
would like to thank Catherine Bomer for her assis-
6. Health Canada. Health Products and Food Branch,
tance in the preparation of this manuscript.
Risk Classification of Post-Market Reporting
Compliance Observations, Guide-0063, Novem-
Conflict of Interest Declaration
ber 21, 2005.
The authors declare that they have no competing in-
terests. 7. European Medicines Agency. Compilation of
Community Procedures on Inspections and Ex-
References change of Information, EMA/INS/GMP/321252/
2012/Rev. 15, July 16, 2012.
1. International Conference on Harmonization. ICH
Q9. Guideline on Quality Risk Management, No- 8. Rönninger, S.; Berberich, J.; Fischer, G.;
vember 2005. Persson, I.; Wandt, C.; Wall, L. How can we
balance value, effort and risk in foreign GMP
2. Rönninger, S.; Schmitt, S.; Rangavajhula, V.; inspections? A future perspective. GMP Re-
Lyda, J.; Hough, E. Considerations on auditing view, 2012, 10, 14 –18.