Bernard Jee, Product Manager, Pilgrim Quality Solutions, an IQVIA company
Time is running out – one month and counting. Manufacturers must meet the requirements of ISO 13485:2016 by February 28, 2019 to maintain their certification.
If you’re responsible for planning and carrying out your company’s internal audits, you know how much planning and effort it takes to monitor your quality system for GMP and ISO compliance. As your quality system has matured, you’ve probably noticed that certain sites, departments, or processes require more of your attention.
If this is the case in your organization, by now your organization should already have implemented a risk-based approach to your internal quality system audits in anticipation of next month’s ISO 13485 compliance deadline. If not, here’s why and how to get with the program.
The Value of a Risk-Based Approach
A risk-based approach to internal audits allows you to assess the importance and performance of each area to be audited and to use your results to devote your auditing time and resources to these critical business areas. Based on this risk assessment, you may also decide that certain areas of your business don’t need as much oversight.
The value in a risk-based approach frequently comes in the form of higher product quality, since trouble areas will receive the time and attention they need to improve. Risk-based quality audits also improve your productivity. You will spend more time discovering and solving problems rather than auditing areas that are already performing well.
So, how can you can incorporate risk into your GMP and ISO internal audit processes?
Step 1: Assess Organizational Risk
When you’re assessing risk, consider the departments and processes you normally audit. As you work through these areas, you may choose to quantify each area’s risk level. Or you can use standard risk analysis tools such as Hazard Analysis, Fault Tree Analysis, or Failure Mode Effects Criticality Analysis (FMEA). There are many areas to consider when assessing risk including:
- Risk to Product Quality and/or Patient Safety — Rank each department or process according to its criticality in terms of producing a safe, high-quality product.
- Performance Risk — Review the history of nonconformances, CAPAs, recalls, or adverse events for each area to be audited. Areas with a higher number of these incidents should be given a higher risk score.
- Compliance Risk — Look at past recommendations and perform a gap analysis on existing regulatory requirements across all countries where you have market approval. This score can also factor in how well the area has corrected previous audit observations.
Once you’ve considered these areas (and other risk areas specific to your business), you can combine their individual risk scores to create an overall risk score for each department or process. This can help you quickly understand your high-risk areas so you can create your audit plan accordingly. This assessment forms the basis for your risk-based audit plan, so it should be documented in a list or spreadsheet as you work through it.
Step 2: Incorporate Risk into your Audit Plan
As you’ve ranked each department’s risk, you’ve probably begun to form a mental picture of your audit plan. Now it’s time to take a closer look at each area and its corresponding risk score. A key part of your planning will be your audit schedule. Higher risk areas will need to be audited more frequently (at least annually, but possibly more often). For low-risk areas, it is important to remember that an annual audit is not always required. In either case, you need to define how often you will audit each department based on the risk assessment, document a schedule, and stick to it.
There are other pieces of your audit plan that are also affected by risk. These can include the audit duration and the size and skill of your audit team. You may need to plan for longer, more detailed audits of high-risk areas. Areas involving more complex products or processes may require auditors with special skills or knowledge.
Step 3: Conduct Risk-based Audits
Risk-based auditing doesn’t stop with your audit plan. Once you’ve determined an area to audit, you can incorporate a risk-based approach into each audit you conduct. The first step is to review each department’s existing procedures. These documents provide you with a jumping off point for understanding which processes a department views as high-risk, so you can focus your questions in these areas.
If you’ve audited an area before, you should review the data you already have from previous audits and work from there. Some items to review include:
- Observations from previous audits
- Previous corrective action plans and their effectiveness
- Areas that were not inspected during previous audits
- Defects, adverse events, or recalls related to this department
- Changes to processes or personnel since the last audit
Understanding these areas will help you hone in on potential areas of concern. This will help you focus your questions properly and get the most value from your time spent auditing.
Step 4: Risk-based Follow Up
Once you’ve completed the audit, you will assign recommendations and/or findings. Using a risk-based approach to follow up, you will assign a risk level to each finding to clarify which findings need a quick response or escalation. This allows you to address critical findings more quickly, rather than just following up to findings in the order they were discovered. This, of course, feeds your CAPA process. High-risk findings can trigger a CAPA process, while low-risk can be resolved quickly and closed with the audit.
Your initial risk assessment was a snapshot of your quality, performance, and compliance risks. Changes to products, processes, or defect history will cause this snapshot to evolve over time. That’s where automated quality management software can help keep you aware of emerging risks.
Step 5: Monitor Changes in Risk
Quality management systems, like SmartSolve® from Pilgrim Quality Solutions, an IQVIA company, will help you monitor and control defects, CAPAs, customer complaints, changes, and other processes that will affect your overall risk. You will be able to quickly understand the performance of your various sites and processes, and modify your audit plan and other quality processes accordingly.
Implementing your Risk-Based Audit Program
The idea of implementing a risk-based GMP audit program, or any type of risk-based process, can be intimidating. But keep in mind that you don’t need to change your entire audit process all at once. Take it one site, department, or process at a time; document your plan; and you will keep your audit program moving in the right direction.
Embedding Risk Within Quality Management Processes
Focus on specific quality management processes and take a closer look at how you can build risk-based thinking into each of them.