A risk-based approach to scheduling audits.

The manufacture and supply of pharmaceutical products can be a very complex operation. Companies may purchase a wide variety of materials, from active pharmaceutical ingredients to packaging materials, from "in company" suppliers or from third parties. They may also purchase or contract a number of services such as analysis, data management, audit, among others. It is very important that these materials and services are of the requisite quality in order that patient safety and company reputation are adequately protected. Such quality requirements are ongoing throughout the product life cycle. In recent years, assurance of quality has been derived via audit of the supplier or service provider and by using periodic audits, for example, annually or at least once every 5 years. In the past, companies may have used an audit only for what they considered to be "key" materials or services and used testing on receipt, for example, as their quality assurance measure for "less important" supplies. Such approaches changed as a result of pressure from both internal sources and regulators to the time-driven audit for all suppliers and service providers. Companies recognised that eventually they would be responsible for the quality of the supplied product or service and audit, although providing only a "snapshot in time" seemed a convenient way of demonstrating that they were meeting their obligations. Problems, however, still occur with the supplied product or service and will usually be more frequent from certain suppliers. Additionally, some third-party suppliers will no longer accept routine audits from individual companies, as the overall audit load can exceed one external audit per working day. Consequently a different model is needed for assessing supplier quality. This paper presents a risk-based approach to creating an audit plan and for scheduling the frequency and depth of such audits. The approach is based on the principles and process of the Quality Risk Management guideline (ICH Q9) of the International Conference on Harmonisation (ICH). It proposes that if regulatory conditions allow, it may be possible to remove the need to conduct audits on the sole basis of time elapsed since the last audit, or at least to increase the time interval between such audits without compromising either patient safety or company reputation. The proposal is equally applicable to both large and small companies. Small companies may find it particularly useful in cases where they use a supplier that may have a monopoly position or that serves many other pharmaceutical companies. In such circumstances the supplier may be reluctant or even refuse to accept audits from some individual companies because of their low purchasing levels. A similar approach could be proposed for regulatory authorities for the scheduling of regulatory inspections.