You are on page 1of 11

Downloaded from journal.pda.

org on June 7, 2014

A Risk-Based Auditing Process for Pharmaceutical


Manufacturers
Susan Vargo, Bob Dana, Vijaya Rangavajhula, et al.

PDA J Pharm Sci and Tech 2014, 68 104-112


Access the most recent version at doi:10.5731/pdajpst.2014.00954
Downloaded from journal.pda.org on June 7, 2014

COMMENTARY

A Risk-Based Auditing Process for Pharmaceutical


Manufacturers
SUSAN VARGO1, BOB DANA2, VIJAYA RANGAVAJHULA3, and STEPHAN RÖNNINGER4
1
Amgen, Inc., Longmont, CO, USA; 2PDA, Bethesda, MD, USA; 3Divison of Acquired Immunodeficiency Syndrome, National
Institutes of Health (NIH), Bethesda, MD, USA; 4Amgen (Europe) GmbH, Zug, Switzerland ©PDA, Inc. 2014

ABSTRACT: The purpose of this article is to share ideas on developing a risk-based model for the scheduling of audits
(both internal and external). Audits are a key element of a manufacturer’s quality system and provide an independent
means of evaluating the manufacturer’s or the supplier/vendor’s compliance status. Suggestions for risk-based
scheduling approaches are discussed in the article.

KEYWORDS: Audit, compliance, Quality systems, Risk assessment, Risk factors.

LAY ABSTRACT: Pharmaceutical manufacturers are required to establish and implement a quality system. The quality
system is an organizational structure defining responsibilities, procedures, processes, and resources that the manu-
facturer has established to ensure quality throughout the manufacturing process. Audits are a component of the
manufacturer’s quality system and provide a systematic and an independent means of evaluating the manufacturer’s
overall quality system and compliance status. Audits are performed at defined intervals for a specified duration. The
intention of the audit process is to focus on key areas within the quality system and may not cover all relevant areas
during each audit. In this article, the authors provide suggestions for risk-based scheduling approaches to aid
pharmaceutical manufacturers in identifying the key focus areas for an audit.

This article applies the risk-based model as described has the larger goal of verifying the compliance status
in ICH Q9 (1) to the audit scheduling process. This of the company. Audits are essential to evaluate the
document was developed as part of PDA’s Paradigm capability of the company or the supplier/vendor to
Change in Manufacturing Operations (PCMO) project consistently produce a material or service of the re-
as the second article in the series. The first article on quired quality, adequacy of production and control
auditing and good practice quality guidelines and reg- procedures, suitability of equipment and facilities, and
ulations (GxP) requirements has been published (2). effectiveness of the quality management system in
The content and views expressed are the result of a assuring the overall state of control. Audits can focus
consensus achieved by the task force members and are on efficiencies associated with manufacturing and test-
not necessarily views of the organizations they repre- ing; however, this type of audit is not within the
sent. primary scope of this article.

Audits, whether they are internally or externally The need for performing audits stems from regulatory
driven, provide an opportunity for an independent requirements, companies’ responsibilities, and company-
assessment of the quality system and compliance with specific business processes. These needs may be the
regulatory requirements; see also TR 54 on Quality same or complementary. In any case, the audit process is
Risk Management (3). This type of independent over- under the control, management, responsibility, and au-
sight, including inspections by regulatory authorities, thority of the company. These audits are an essential
element of the good practices (2), supporting and en-
abling regulatory compliance, and thus have to be gov-
*Corresponding Author: Susan Vargo, Amgen, Inc., erned by the company’s pharmaceutical quality system
4000 Nelson Road, M/S AC27C, Longmont, CO (PQS; also called quality management system, QMS).
80503, USA. svargo@amgen.com
Additionally, a company will have established pro-
doi: 10.5731/pdajpst.2014.00954
cesses for risk acceptance decisions for its operations

104 PDA Journal of Pharmaceutical Science and Technology


Downloaded from journal.pda.org on June 7, 2014

(including audits), which need to be in compliance Suggestions for risk factors to be evaluated in a pri-
with all applicable regulations. Therefore, the risk oritization matrix include compliance inputs (prior
management processes are also governed by the tasks regulatory inspection/company audit, overall compli-
described in the PQS. The company’s PQS and gov- ance history), operational inputs, and facility inputs.
ernance model are defined and decided upon by senior Each of these risk factors should be weighted based
management, having ultimate responsibility for all upon the perceived impact on compliance.
matters of quality and compliance, including risk-
based management for audits. As every manufacturing site is different, it is impos-
sible to list all the different risk factors to be consid-
A risk-based management process for audits aids in ered. However, this article does discuss some of the
determining the audit schedule and the scope. The more common risk assessment inputs used for audit
output from the audits will challenge or support as- schedule development. The risks factors discussed in
sumptions and claims of an organization’s compliance the following sections (sections 1.1 to 1.5) should be
status. None of this alters the fact that any audit is used as points to consider when assigning a fixed risk
limited in that the audit can cover and assess a partic- rank to a site/operation. Assigning a fixed risk rank to
ular situation on a specific day. However, an audit can a site/operation will aid in the audit scheduling pro-
minimize the uncertainty about the compliance status. cess.
By consequence, there remains a residual risk of non-
conformance when there is no audit or even if there is 1.1 Risk Factors for Operations Performed
a successful audit. The audit process will provide
The operations at the site can be assigned a fixed risk
evidence, but not proof, of compliance.
rank based on the risk associated with the operations
performed. As an example, high-risk operations usu-
This document is applicable to stakeholders perform-
ally include sterile manufacturing, packaging and la-
ing audits to assess GxP compliance. The elements
beling, final product release testing, and excipient
described focus on audits in the good manufacturing
testing. The function of excipient testing is included
practice/good distribution practice (GMP/GDP) area;
under high-risk operations because these raw materials
however, they can be applied to all GxP areas—for
are a part of the final product formulation and do not
example, good laboratory practice (GLP), good clini-
undergo further purification. These operations tend to
cal practice (GCP), and good pharmacovigilance prac-
have a higher degree of regulatory oversight and are
tice (GPvP).
therefore assigned a higher risk level. Additionally,
supply chain oversight including distribution and
1. General Risk Factors to Consider for a
transport practices are regarded as a high risk in to-
Risk-Based Auditing Approach day’s environment. Medium-risk operations would in-
clude drug substance manufacturing and solid oral
As with all risk-based processes, the decisions, ratio- dosage form manufacturing of drug (medicinal) prod-
nales, and relevant information concerning the audits ucts, while warehousing (e.g., storage areas for prod-
must be documented in an appropriate level of detail. uct and raw materials) would be considered low-risk
This allows for independent review and traceability, operations if appropriately controlled.
which may need to be demonstrated during self-audits
or regulatory inspections or customer audits. Indepen- 1.2 Site/Facility Risk Inputs
dent auditors/inspectors should be able to understand
and follow the process determining whether or not a When assessing the risk profile of a manufacturing site
particular audit is scheduled and, if scheduled, the for clinical or commercial products (both drug sub-
scope and timing of the audit. By following this basic stance and drug product) or a supplier/vendor for
principle, a company can demonstrate that its risk- materials or a contract laboratory for release testing,
based audit process conforms to its quality system and several factors about the facility/site and the equip-
complies with applicable regulations. There is, how- ment should be considered. These factors include fa-
ever, a possibility that inspectors from a regulatory cility design (e.g., the age of the facility and compli-
agency may not concur with the company’s audit ance with current expectations on design should be
process despite a clear rationale supported by scien- considered) and maintenance, equipment maintenance
tific justification. and calibration, and if there have been major changes

Vol. 68, No. 2, March–April 2014 105


Downloaded from journal.pda.org on June 7, 2014

to the facility and/or equipment since the last audit. If


past audits or regulatory inspections have identified
problems with major systems (e.g., air handling sys-
tems/environmental controls or clean utilities), this
information should factor into the risk profile for the
site/facility.

1.3 Product/Process Risk Inputs

Specific information on both product(s) and processes


will be useful in developing the fixed risk rank for the
site/operation. As an example, a multi-product manu-
facturer producing products in multiple profile classes
Figure 1
(parenterals, tablets, capsules, patches) or products
that pose patient safety risks (high potency actives,
The elements of a typical audit program.
hormones, cephalosporins, allergens, etc.) should have
a higher risk rank than a manufacturer producing a Other areas that may indirectly affect the compliance
single profile class of product. Additionally, if these status of a site and should be considered in the assess-
compounds are being manufactured in the same man- ment include new product introduction to the site,
ufacturing areas and/or using shared equipment with major changes in key GxP personnel and ownership
the company’s product, then this information should (i.e., company buy-out or merger), and, if applicable,
be considered in the risk ranking of the site/operations. knowledge about “sister” sites’ compliance status and
the company’s contract manufacturing quality moni-
Risk ranking criteria can be developed based on the toring visit results, and the outcomes of the site inter-
product class and formulation type. For example, man- nal audit program (if available). The dates of the last
ufacturing of an intravenous (IV) formulation of a regulatory inspection/audit and the dates of the antic-
biologic (IV formulation of complex protein with an ipated next regulatory inspection could be considered,
adjuvant) is at a higher risk level than an oral tablet of too.
a well-defined small molecule (oral product).
1.5 Business Inputs
1.4 Compliance Risk Inputs
Business concerns are not a part of the GMP realm;
The overall compliance elements of a site should be however, certain business criticality issues should be
assigned the highest risk score and given the greatest considered as part of your risk ranking process. These
weighting when determining the fixed risk rank. could include the volume of product manufactured or
Knowledge of compliance history, through recent reg- tested or stored, if the site is single-sourced, and if
ulatory inspections and company audits, should be there is a licensed/approved back-up site available.
used as an input for assigning a risk ranking. Other
areas to consider when determining the overall risk 2. Risk-Based Approaches: From Planning
associated with the site’s compliance elements may to Completion
include criticality rating of inspection/audit findings,
timeliness in addressing findings (adequacy of re- The elements of a typical audit program are depicted
sponses), and status of corrective actions. In general, in Figure 1. The audit process can be divided in six
the site’s experience with the health authorities is a steps: scheduling, planning, preparation, conducting
good indicator for compliance status. If available, any the audit, report generation/issuance/response accep-
information regarding product issues—such as Field tance, and follow-up/closure. Each step is discussed
Alert Reports (FARs) and Biological Product Devia- below.
tion Reports (BPDRs) submitted to the U.S. Food and
Drug Administration or Notifications submitted to the 2.1 Scheduling
EU authorities—recalls, and product complaints
should be reviewed and considered elements of the A risk-based approach to scheduling audits is a useful
overall compliance risk. tool to determine the audit frequency for both internal

106 PDA Journal of Pharmaceutical Science and Technology


Downloaded from journal.pda.org on June 7, 2014

Table I
Points to Consider When Scheduling a Supplier Audit

Criticality and
Audit Type Complexity Potential Questions to Address Risk
Suppliers of materials and services Criticality of equipment Is this an autoclave or high-
(calibration and maintenance calibrated/maintained performance liquid chromatography
services, clean gowns, by the supplier (HPLC) equipment used for every
transportation providers) batch (direct impact), or a water
bath thermometer (indirect impact)?
Criticality of operation Are the gowning materials used in
performed by the aseptic filling or in the bioreactor
supplier area?
Raw material/solvents Criticality of material Is this a solvent used in the last
to process process step?
Sourcing—regulatory Does the country of manufacture have
maturity of country a mature regulatory system that
of manufacture assesses manufacturing compliance?
Single source? Is the material only available from
this source versus widely available
from multiple sources?

and external audits as well as to determine the length contract manufacturing operations and quality (includ-
and the scope necessary for the audit. A tool, for ing the QP) could provide information as to the com-
example, a ranking model (1) is useful in prioritizing pliance status of the individual contractors. In addi-
audits based on established criteria identifying rele- tion, laboratory and/or operations staff members who
vant risk factors. A prioritization matrix consisting of are in contact with contract manufacturers/laboratories
risk factors weighted proportionally to a risk level can may have information to contribute to the overall risk
be developed to define the audit interval based on assessment of a contract manufacturer. Participation
lowest to highest risk. of the QP in the scheduling process is useful because
of his or her product knowledge and involvement in
In determining the risk factors that a company will use specific quality functions such the lot release decision.
to develop the audit schedule, tables similar to Tables Including the QP may be of particular importance in
I and II (4) can be helpful. As an example, Table I
multinational companies where the audit program may
provides suggestions on criticality and risk as related
be operated remotely from the QP’s site of responsi-
to an audit of a supplier (i.e., a service provider or a
bility.
raw material vendor).

Once the assessment has been performed, a risk level


A second example is provided in Table II (4). This
with a rating can be assigned to the audit as a means
table provides suggestions for criticality and risk re-
lated to manufacturing (either for an internal audit or of determining frequency. Risk levels can be high,
a contractor audit). medium, and low. Typical intervals for the audit fre-
quency, unless specifically required by regulations,
Within the company, several disciplines might be in- include 12–18 months (high risk), 18 –24 months (me-
volved in assessing the risk for each site. For internal dium risk), and 24 –36 months (low risk).
audits performed by corporate auditors or performed
by auditors from the site, compliance and quality— Under the risk-based paradigm, new information ac-
including the qualified person (QP)— could participate quired during the year could be considered. Changing
in assessing the risk for the frequency of auditing their suppliers, regulatory issues, product complaints, and
specific site. For external audits performed by corpo- so on may lead to a modification of the audit schedule
rate auditors or performed by auditors from the site, during the year. Rationales for these changes can be

Vol. 68, No. 2, March–April 2014 107


Downloaded from journal.pda.org on June 7, 2014

Table II
Points to Consider When Scheduling an Audit of a Drug Substance or Drug Product Manufacturing
Process

Audit Type Criticality and Complexity Potential Questions to Address Risk


Drug substance (biotechnology & Process steps Are there multiple steps that involve
small-molecule active manual or highly technical
pharmaceutical ingredients) operations?
Process controls Are there controls in place to detect
or eliminate errors?
Sourcing—regulatory maturity of Does the country of manufacture have
country of manufacture a mature regulatory system that
assesses manufacturing compliance?
Single source? Is the material only available from
this source versus widely available
from multiple sources?
Drug (medicinal) Dosage form manufacturing Aseptic processing versus nonsterile
product—general process solution dosage form?
Process steps Do operations involve powder
blending versus mixing a true
solution?
Process controls Is sterilization filtration or terminal
sterilization used in solution
processing?
Ability to clean Is this a high-potency or hard-to-
solubilize product?
Intended use Does this product treat a life-
threatening illness versus a sun
screen product?
Sourcing—regulatory maturity of Does the country of manufacture have
country of manufacture a mature regulatory system that
assesses manufacturing compliance?
Single source? Is the material only available from
this source versus widely available
from multiple sources

provided as brief comments to the approved audit edge of the auditee/auditors, the preliminary time-
schedule. frame for the audit, the preliminary scope and objec-
tive of the audit, and the expected duration of the
2.2 Planning audit.

The audit plan defines the audit scope, requirements In the planning step, risk management elements could
and schedule based on the risk assessment results. be key drivers to determine the audit planning ele-
Once the schedule has been developed and approved, ments. As an example, the more traditional approach
the planning phase can be initiated by corporate com- for audit scope would be to focus on the product and
pliance or the site compliance unit. During planning, to evaluate all documentation and systems associated
the corporate compliance or site compliance unit with the manufacture of the product. This approach
should identify, for each scheduled audit, the stan- can be time-consuming and require multiple auditors.
dards against which the audit is to be performed, the Using a risk-based approach, the audit scope could
lead auditor and audit team members, language knowl- focus on key system elements (including the quality

108 PDA Journal of Pharmaceutical Science and Technology


Downloaded from journal.pda.org on June 7, 2014

Table III
Risk Management Elements When Planning an Audit (5)

Element of Audit
Planning Traditional Approach Risk-Based Approach
Lead auditor Certified auditor (1); certification by the Certified auditor (1); certification by the
company or an independent company or an independent
organization organization
Audit team members Subject matter experts according to the Subject matter experts according to the
scope (2–5) scope (1–3)
Preliminary timeframe Fixed for drug products, active Variable based on the level of
pharmaceutical ingredients, etc. knowledge the auditing organization
has of the supplier
Objective Cover the product and all quality Cover the quality system topics that
system topics affect the product and/or had been of
uncertainty/concern
Preliminary scope Product Quality system
Expected duration 2–5 days 1–5 days; variable, according to the
result of the risk assessment of the
supplier, product type, etc.

system) to evaluate the product being manufactured of this type can aid in targeting the scope of the audit
and/or tested at the site. There are examples listed in and allow for efficient use of audit time and resources
Table III that complement the Pharmaceutical Inspec- at the site. The outcome of regulatory inspections (if
tion Convention and Pharmaceutical Inspection Co- confirmed to be of relevant scope) may be used to
operation Scheme (PIC/S) recommendation “A Rec- defer the audit to a later date on the basis of reduced
ommended Model for Risk Based Inspection Planning risk. It is important that the company’s audit program
in the GMP Environment” (5). evaluate all relevant areas, as part of the audit scope,
over a number of audit cycles independent of regula-
2.3 Preparation tory inspections. A regulatory inspection should not be
used as the sole replacement for the audit. A decision
During the preparation phase, the lead auditor is re- to defer the audit to a later date should be documented
sponsible for confirming, with the auditee, the specific including a follow-up date in the decision.
dates for the audit. The objective and scope of the
audit, based on the result of the risk assessment of the 2.4 Conducting the Audit
auditee, could be finalized during the pre-audit nego-
tiations with the auditee. The audit agenda could be The audit itself could begin with an opening meeting
finalized and shared with the audit team and the audi- to restate the objective and scope of the audit (as
tee. defined by the results of the risk assessment) and the
basic requirements on which the auditors will base
Preparation activities could include requests for pre- their audit. Additional document requests may be made
read material such as the quality manual; the site at this time, if applicable. The majority of time spent at
master file (including organizational chart), if appli- the audit will be devoted to reviewing operations, docu-
cable; the validation master plan; and so on. The mentation, observing ongoing processes (e.g., manufac-
auditors could request from the manufacturer/supplier turing, testing), facility tours, and interviewing relevant
GMP certificates or, if considered necessary, prior staff according to the risk assessment. This schedule
inspection reports and the respective corrective/pre- should be carefully developed based on the information
ventive actions from health authorities, if available. It available.
is useful to understand the focus of the regulatory
inspection and to note where the inspectors did or did As part of the audit, the audit team should assure that
not find compliance problems at the site. Information the auditee has fulfilled all regulatory requirements

Vol. 68, No. 2, March–April 2014 109


Downloaded from journal.pda.org on June 7, 2014

Table IV
Example of Ratings for Audit Observations

Suggested Timeframe for Corrective


Rating Observation Description Measures
Critical Observation describing a situation that is likely Immediate remedial action must be
to result in a noncompliant product, quality initiated immediately, within 1
defect, or a situation that may result in an month.
immediate or latent health risk and includes
any observation that involves fraud,
misrepresentation or falsification of products
or data.
Critical observations in an audit will
compromise the success of inspection(s) by
authorities.
Major Observation that may result in the production No later than three months; in cases
of a drug (substance or product) not where this is not practical, an action
consistently meeting its marketing plan to be available within one
authorization. month.
Major observations may compromise the
success of inspection(s) by authorities.
Remedial action must be initiated in the short
to medium term.
Minor Observation that is neither critical nor major Remedial action must be initiated.
but represents a departure from the GMP. Up to 6 months; in cases where this
There is a low risk of inspection(s) by is not practical, an action plan to be
authorities being compromised. available within 1 month.
Recommendation A recommendation does not represent a As appropriate
violation of the principles of the PQS in
terms of QMS and/or GMP rules. It outlines
areas of suggested improvement.

committed to as part of a marketing application or in the scope and objective of the audit as well as present
response to a regulatory inspection. Compliance with the major findings supported by the individual obser-
new regulations and regulatory guidance should be vations made during the audit. Each finding could be
assessed during the audit as well. The auditors should rated according to a risk ranking system. One ap-
confirm completion, implementation, and (if possible) proach is to rank the findings as critical, major, minor,
effectiveness of all corrective actions from the previ- or recommendation (6, 7) (refer to Table IV).
ous audit. Daily wrap-up meetings are recommended
with a final closing meeting on the last day of the It is useful to include explanatory text following each
audit. During this meeting, the auditors will present finding to provide guidance to the auditee on what
their major observations to the auditee and its man- would constitute an acceptable response. Follow-up
agement. items for the next scheduled audit of this site should be
included in the report.
2.5 Report Generation, Issuance, and
Response Acceptance In addition, an overview of the audit and inspection
activities at a manufacturing site is useful to senior
The audit report is the formal work output after the management. This overview can be a summary of
audit. It is the lead auditor’s responsibility to generate observations and corrective/preventive actions from
and issue the audit report. The report would describe the audit. This summary can then be ranked as “good”,

110 PDA Journal of Pharmaceutical Science and Technology


Downloaded from journal.pda.org on June 7, 2014

“satisfactory”, or “unsatisfactory” (8). The ranking is and evidence for the audit closure to the lead auditor.
used for decisions, for example, to initiate a specific Both the auditee and the lead auditor or an assigned
global action across the company (internal audit), to person in the organization should track each commit-
continue business with a specific contract manufac- ment to assure that it is closed as agreed upon during
turer or supplier (external audit), or to adjust the the response acceptance process and that it is closed
frequency for the next audit of this site/company (in- on time. Any change to the corrective/preventive ac-
ternal or external audit). tions (i.e., change in activities associated with the
accepted response, change in the commitment due
It is the auditee’s responsibility to respond to the audit date) should be communicated to the lead auditor or
findings/observations with an acceptable corrective designee. A rationale and a risk assessment to support
action plan identifying what action(s) will be taken or the change should be presented as well. Evidence of
not, who will be responsible for the corrective ac- completion of the corrective action should be provided
tion(s), and the expected time/date for completion. to the lead auditor at the time of completion. Occa-
Multiple interpretations of regulatory requirements sionally, the verification of the corrective action must
have been seen in regulatory inspections as well as in occur at the auditee’s site (e.g., a new piece of equip-
audits by companies. It may be beneficial to relate the ment). Once all corrective actions have been verified
interpretation to patient risk and/or product quality, as acceptable, the audit may be closed.
and to consider best practice documents when re-
sponding to the audit in order to align with a harmo- The overall conclusion of an audit (internal or external)
nized interpretation and/or understanding of the re- should be used as a basis for scheduling the subsequent
quirements. The latter may be more applicable to an audit of the site according to the risk-based approach.
external audit response. Based on the risk/ranking assigned and the urgency for
corrective action verification, the scheduled date for the
The response to the audit should be issued in a timely
subsequent audit could be adjusted to occur sooner or
manner. The typical response time is within 1 month.
later within the next audit schedule. If the interval be-
As part of the response acceptance process, the lead
tween site audits is extended, quality monitoring systems
auditor and the audit team—including subject matter
should be used to alert a manufacturer to potential
experts (SMEs)—should assess both the completeness
changes in product quality or in the quality of materials
of the response and timeliness of the corrective action
supplied by a vendor. Examples of quality monitoring
closure. The response should be judged in terms of the
systems include raw material testing, in-process testing,
criticality rating of the finding. One could anticipate
and final product release testing.
that a critical finding would require a global/systemic
response (e.g., a implementing a revised change con-
Finally, a quality metric(s) could be used to inform
trol program), whereas a minor finding could have a
senior management of the overall effectiveness of the
narrower response (e.g., a revision to standard oper-
company’s audit program. Elements measured could
ating procedures). Additionally, the completion dates
include status of the audit schedule (on time, post-
should be based on the criticality rating of the finding/
poned, canceled, waived based on risk), significance
observation as well as the complexity of the corrective
of the observations, status of individual audits (open,
action.
closed), timeliness of audit report issuance (on time,
late), timeliness of auditee responses (on time, late),
2.6 Completion, Follow-up, and Closure
and so forth. These indicators may or may not reflect
Upon acceptance of the responses by the lead auditor the quality of each audit, but could provide senior
and the audit team, the follow-up and commitment due management with adequate information to judge the
date closure process begins. As soon as the corrective overall compliance status of the company.
actions are accepted and the compliance status is ver-
ified by the lead auditor, the completed audit should be 3. Conclusion
forwarded to other stakeholders as needed (e.g., in the
EU, the QP). This is a similar process to that of issuing Auditing is an excellent indicator of the overall effec-
a GMP certificate of an authority. tiveness of the company’s and the contractor’s quality
systems and product performance. The implementa-
Subsequent to the completion step is the audit closure tion of a risk-based audit management system at both
step. The auditee is responsible for providing updates the local and global level (if applicable), including

Vol. 68, No. 2, March–April 2014 111


Downloaded from journal.pda.org on June 7, 2014

regular updates to senior management, could influence and GxP requirements along the product life cy-
the outcome of regulatory inspections (i.e., no unex- cle. PDA J. Pharm. Sci. Technol. 2012, 66(5),
pected observations by the inspectors). However, if 396 – 402.
there are unexpected observations, it is important to
review and assess the risks to understand how best to 3. PDA Technical Report No. 54 (TR 54) Implemen-
improve the quality system elements, including the tation of Quality Risk Management for Pharma-
audit program. Finally, implementing risk-based ap- ceutical and Biotechnology Manufacturing Oper-
proaches to the company’s audit program will help to ations, 2012.
focus resources on key areas of importance, thereby
minimizing the risk to patients. 4. Rönninger, S.; Holmes, M. A risk-based approach
for scheduling audits. PDA J. Pharm. Sci. Tech-
Acknowledgements nol. 2009, 63(6), 575–588.

The authors thank Jim Lyda, PDA, for his input chal-
5. PIC/S. A Recommended Model for Risk Based
lenging the initial draft and as well as other members
Inspection Planning in the GMP Environment. PI
of the PCMO Task Force: Amnon Eylath, Mark Frank-
037-1, January 1, 2012.
com, and Siegfried Schmitt. Additionally, the authors
would like to thank Catherine Bomer for her assis-
6. Health Canada. Health Products and Food Branch,
tance in the preparation of this manuscript.
Risk Classification of Post-Market Reporting
Compliance Observations, Guide-0063, Novem-
Conflict of Interest Declaration
ber 21, 2005.
The authors declare that they have no competing in-
terests. 7. European Medicines Agency. Compilation of
Community Procedures on Inspections and Ex-
References change of Information, EMA/INS/GMP/321252/
2012/Rev. 15, July 16, 2012.
1. International Conference on Harmonization. ICH
Q9. Guideline on Quality Risk Management, No- 8. Rönninger, S.; Berberich, J.; Fischer, G.;
vember 2005. Persson, I.; Wandt, C.; Wall, L. How can we
balance value, effort and risk in foreign GMP
2. Rönninger, S.; Schmitt, S.; Rangavajhula, V.; inspections? A future perspective. GMP Re-
Lyda, J.; Hough, E. Considerations on auditing view, 2012, 10, 14 –18.

112 PDA Journal of Pharmaceutical Science and Technology


Downloaded from journal.pda.org on June 7, 2014

An Authorized User of the electronic PDA Journal of Pharmaceutical Science and


Technology (the PDA Journal) is a PDA Member in good standing. Authorized Users are
permitted to do the following:

·Search and view the content of the PDA Journal


·Download a single article for the individual use of an Authorized User
·Assemble and distribute links that point to the PDA Journal
·Print individual articles from the PDA Journal for the individual use of an Authorized User
·Make a reasonable number of photocopies of a printed article for the individual use of an
Authorized User or for the use by or distribution to other Authorized Users

Authorized Users are not permitted to do the following:


·Except as mentioned above, allow anyone other than an Authorized User to use or access the
PDA Journal
· Display or otherwise make any information from the PDA Journal available to anyone other
than an Authorized User
·Post articles from the PDA Journal on Web sites, either available on the Internet or an Intranet,
or in any form of online publications
·Transmit electronically, via e-mail or any other file transfer protocols, any portion of the PDA
Journal
·Create a searchable archive of any portion of the PDA Journal
·Use robots or intelligent agents to access, search and/or systematically download any portion
of the PDA Journal
·Sell, re-sell, rent, lease, license, sublicense, assign or otherwise transfer the use of the PDA
Journal or its content
·Use or copy the PDA Journal for document delivery, fee-for-service use, or bulk reproduction or
distribution of materials in any form, or any substantially similar commercial purpose
·Alter, modify, repackage or adapt any portion of the PDA Journal
·Make any edits or derivative works with respect to any portion of the PDA Journal including any
text or graphics
·Delete or remove in any form or format, including on a printed article or photocopy, any
copyright information or notice contained in the PDA Journal