Guidance 079 – Use of a Risk-Based Approach To Establish External Quality Assurance Audit Frequency Pharmaceuticals quality assurance & validation procedures GMPSOP

Title: Use of a Risk-Based Approach to Establish External Quality Assurance Audit Frequency
Guidance Number: 079
Prepared by:	Date:	Supersedes:
Checked by:	Date:	Date Issued:
Approved by:	Date:	Review Date:

Use of a Risk-Based Approach to Establish External Quality Assurance Audit Frequency

Purpose

The purpose of this document is to provide guidance for GMP Quality Audits stakeholder’s responsibility to utilize a risk-based approach for determining External Quality Assurance Audit (EQAA) prioritization and frequencies.

Background

The Site Quality Team shall be responsible for the following audit related activities:

Review and issue Supplier Audit prioritization and schedules
Conduct Supplier Audit.

Process

1. Collect and organize relevant information.

The following represents suggested data to gather prior to performing the assessment:

Listing of material suppliers, materials sourced and where used
Prior audit records
Performance data related to material (lots rejected/finished product issues related to material
Correspondences with supplier related to changes in operation or process Regulatory inspection records for material supplier, if available.

2. Identify the Risk Question The Quality Risk Management (QRM) process is guided by the establishment of a risk question that identifies the scope, sought outcome and areas of focus (risk factors) for the assessment. If applicable the question can also capture constraints such as limited personnel to participate in the audit program. In the case of the EQAAs, the following are examples of a potential risk question related to development of a risk based supplier audit schedule:

How should supplier audits be prioritized and scheduled as a function of their risks to product safety, quality and, market share (business)?
What are the patients, product quality, and business risks associated with materials/components/services used in the production of medicinal products in relation to their supplier’s audits, and how could these audits be prioritized and scheduled to minimize such risks?”

3. Assess Method to be Used

There are several simple to intermediate QRM tools that could be applied to this assessment; for this example we are using Risk Ranking and Filtering (RRF). In using this simple tool we will limit the assessment to a review of the severity and probability associated with each hazard.

4. Determine the Potential Risk Factors and related Hazards

In order to determine the potential risk factors and related hazards, one might need to answer:

What are the risk factors (e.g. patient safety, regulatory compliance, and business) from which each scenario must be viewed to ensure that all potential or related hazards are identified?
What are the sources of potential harm related to each risk factor?
Could the material sourced have a potential impact on patient safety?
Could the material sourced have a potential impact on product quality and conformance to registered specifications?
Could the supply of the material have an adverse impact on the business?

What are the related hazards?

For the purpose of prioritizing the EQAA schedule, each material supplier represents a potential risk to the finished product(s) in which the material(s) sourced are used, therefore, all material suppliers can be viewed as hazards for the purpose of this assessment.

5. Define the Risk Assessment Scales for Probability and Severity In order to perform an assessment of the risk posed by each hazard (material supplier) the probability and severity characteristic of each hazard must be defined. Severity and probability scales must first be defined by determining the range of possibilities and differentiations for each as indicated below:

Severity Severity is the measure of the consequence (impact) that a defect or failure borne of the material supplier (hazard) may have on your operation/products.

Assessing the severity requires an understanding of how the material supplier might impact the risk factor. For example, when looking at material suppliers and their potential impact on finished product quality, an API supplier may be assigned a higher severity scale than a tertiary packaging supplier since the API may impact potency or dissolution of the finished product, whereas a shipper has no impact on product performance.

Probability Probability is a measure of the likelihood for a “harm” to occur. The probability as it relates to materials’ suppliers could be based the following questions:

What is the historical performance of an individual material supplier (hazard)? Since the last audit, what has the material supplier’s performance been?
How many material suppliers’ lots have failed to meet specifications upon receipt or have been linked to nonconforming finished product (Product Quality)?
How often have there been supply issues where material that meets specifications was not available to meet the production scheduledemands (Business)
What is the material supplier’s regulatory inspection history and last audit outcome?

6. Define the Risk Evaluation Matrix and Determine the Action Thresholds Prior to completing the risk assessment using the scales established for severity and, probability an evaluation matrix must be constructed to aid in evaluation of the total risk scores (severity x probability) derived for each hazard.

The matrix is constructed by populating the y-axis with the number range from the probability scale in ascending order (bottom to top). The x-axis is populated with the severity scale, again, in ascending order (left to right). The cells of the resulting matrix are then populated by multiplying the intersecting values from the y-and x-axes. The resulting matrix should contain all possible total risk scores.

The next step is to establish the thresholds. For the purposes of establishing a risk based supplier audit schedule, each action threshold will represent a different audit frequency. Delineation of the thresholds should be based on perception of risk and an organizational acceptance of the represented risks. For instance, the threshold containing the range of lowest risk scores will correlate with the lowest audit frequency.

An example of a risk evaluation matrix and corresponding action thresholds is shown in Figure 1 below. In this example the values in the green boxes (risk scores 1-4) represent low risk, and could be audited every 5 years. The values in yellow (risk scores 5-14) represent medium risk and could be audited every 3 years. And the values in red (risk 15-25) are high risks to be audited annually.

7. Assess Probability and Severity Scale for Each Supplier Construct the EQAA assessment table and determine the severity and probability score for each material supplier (hazard) based on the available data gathered in Step 1. For example, the supplier of LDPE bottles, Ajax, has a probability score of 3, taking into account that this supplier has been inspected by the sponsoring site, there have been as many as 7observations and the observations have not been responded to and/or responses have not been accepted by the sponsoring site as indicated by Table 5. In addition, the LDPE bottles are used as primary packaging components which correlates with a severity score of 5 as indicated in Table 3. Table 6 summarizes examples of the executed assessment for the Ajax supplier.

To continue with the risk assessment, all material suppliers shown in the Site Supplier List will be assessed as previously indicated. Table 6 summarizes examples in how the Suppliers EQAA Prioritization and Frequencies can be reported.

8. Control the Risks

The EQAA prioritization and frequencies matrix and schedule are constructed based on the risk score and related risk category (high, medium or low) that each supplier was assigned during the assessment. In the example shown in Table 7, the audit frequency serves as the risk reduction/mitigation mechanism. The risk posed by a high risk supplier is mitigated through more frequent audits compared to the lower frequency for a low risk supplier. Audit frequencies and risk categories are a function of the site operation and exclusively defined by them.

Risk Acceptance is achieved through approval of the audit EQAA prioritization and frequencies matrix and scheduled by the Site Quality Team.

9. Communicate and Document

Communication and documentation of the risks associated with suppliers is achieved upon finalization and distribution of the audit EQAA prioritization and frequencies matrix and schedule to the key stakeholders (Site Quality Team, Procurement, audit staff, etc).

10. Review the Risks

Risk Review is a continual process comprised of performance monitoring and the result of periodic supplier audits. If through an audit or routine performance monitoring of a supplier the need exists to re-categorize the supplier, the EQAA prioritization and frequencies matrix and schedule would be revised to accurately reflect the current degree of risk associated with a supplier.