Downloaded from journal.pda.

org on June 7, 2014

A Risk-Based Auditing Process for Pharmaceutical

Manufacturers
Susan Vargo, Bob Dana, Vijaya Rangavajhula, et al.

PDA J Pharm Sci and Tech 2014, 68 104-112

Access the most recent version at doi:10.5731/pdajpst.2014.00954

Downloaded from journal.pda.org on June 7, 2014

COMMENTARY

A Risk-Based Auditing Process for Pharmaceutical

Manufacturers
SUSAN VARGO1, BOB DANA2, VIJAYA RANGAVAJHULA3, and STEPHAN RONNINGER4
1

Amgen, Inc., Longmont, CO, USA; 2PDA, Bethesda, MD, USA; 3Divison of Acquired Immunodeficiency Syndrome, National
Institutes of Health (NIH), Bethesda, MD, USA; 4Amgen (Europe) GmbH, Zug, Switzerland PDA, Inc. 2014

ABSTRACT: The purpose of this article is to share ideas on developing a risk-based model for the scheduling of audits
(both internal and external). Audits are a key element of a manufacturers quality system and provide an independent
means of evaluating the manufacturers or the supplier/vendors compliance status. Suggestions for risk-based
scheduling approaches are discussed in the article.
KEYWORDS: Audit, compliance, Quality systems, Risk assessment, Risk factors.
LAY ABSTRACT: Pharmaceutical manufacturers are required to establish and implement a quality system. The quality
system is an organizational structure defining responsibilities, procedures, processes, and resources that the manufacturer has established to ensure quality throughout the manufacturing process. Audits are a component of the
manufacturers quality system and provide a systematic and an independent means of evaluating the manufacturers
overall quality system and compliance status. Audits are performed at defined intervals for a specified duration. The
intention of the audit process is to focus on key areas within the quality system and may not cover all relevant areas
during each audit. In this article, the authors provide suggestions for risk-based scheduling approaches to aid
pharmaceutical manufacturers in identifying the key focus areas for an audit.

This article applies the risk-based model as described

in ICH Q9 (1) to the audit scheduling process. This
document was developed as part of PDAs Paradigm
Change in Manufacturing Operations (PCMO) project
as the second article in the series. The first article on
auditing and good practice quality guidelines and regulations (GxP) requirements has been published (2).
The content and views expressed are the result of a
consensus achieved by the task force members and are
not necessarily views of the organizations they represent.

has the larger goal of verifying the compliance status

of the company. Audits are essential to evaluate the
capability of the company or the supplier/vendor to
consistently produce a material or service of the required quality, adequacy of production and control
procedures, suitability of equipment and facilities, and
effectiveness of the quality management system in
assuring the overall state of control. Audits can focus
on efficiencies associated with manufacturing and testing; however, this type of audit is not within the
primary scope of this article.

Audits, whether they are internally or externally

driven, provide an opportunity for an independent
assessment of the quality system and compliance with
regulatory requirements; see also TR 54 on Quality
Risk Management (3). This type of independent oversight, including inspections by regulatory authorities,

The need for performing audits stems from regulatory

requirements, companies responsibilities, and companyspecific business processes. These needs may be the
same or complementary. In any case, the audit process is
under the control, management, responsibility, and authority of the company. These audits are an essential
element of the good practices (2), supporting and enabling regulatory compliance, and thus have to be governed by the companys pharmaceutical quality system
(PQS; also called quality management system, QMS).

*Corresponding Author: Susan Vargo, Amgen, Inc.,

4000 Nelson Road, M/S AC27C, Longmont, CO
80503, USA. svargo@amgen.com
doi: 10.5731/pdajpst.2014.00954

104

Additionally, a company will have established processes for risk acceptance decisions for its operations
PDA Journal of Pharmaceutical Science and Technology

Downloaded from journal.pda.org on June 7, 2014

(including audits), which need to be in compliance

with all applicable regulations. Therefore, the risk
management processes are also governed by the tasks
described in the PQS. The companys PQS and governance model are defined and decided upon by senior
management, having ultimate responsibility for all
matters of quality and compliance, including riskbased management for audits.
A risk-based management process for audits aids in
determining the audit schedule and the scope. The
output from the audits will challenge or support assumptions and claims of an organizations compliance
status. None of this alters the fact that any audit is
limited in that the audit can cover and assess a particular situation on a specific day. However, an audit can
minimize the uncertainty about the compliance status.
By consequence, there remains a residual risk of nonconformance when there is no audit or even if there is
a successful audit. The audit process will provide
evidence, but not proof, of compliance.
This document is applicable to stakeholders performing audits to assess GxP compliance. The elements
described focus on audits in the good manufacturing
practice/good distribution practice (GMP/GDP) area;
however, they can be applied to all GxP areasfor
example, good laboratory practice (GLP), good clinical practice (GCP), and good pharmacovigilance practice (GPvP).
1. General Risk Factors to Consider for a
Risk-Based Auditing Approach
As with all risk-based processes, the decisions, rationales, and relevant information concerning the audits
must be documented in an appropriate level of detail.
This allows for independent review and traceability,
which may need to be demonstrated during self-audits
or regulatory inspections or customer audits. Independent auditors/inspectors should be able to understand
and follow the process determining whether or not a
particular audit is scheduled and, if scheduled, the
scope and timing of the audit. By following this basic
principle, a company can demonstrate that its riskbased audit process conforms to its quality system and
complies with applicable regulations. There is, however, a possibility that inspectors from a regulatory
agency may not concur with the companys audit
process despite a clear rationale supported by scientific justification.
Vol. 68, No. 2, MarchApril 2014

Suggestions for risk factors to be evaluated in a prioritization matrix include compliance inputs (prior
regulatory inspection/company audit, overall compliance history), operational inputs, and facility inputs.
Each of these risk factors should be weighted based
upon the perceived impact on compliance.
As every manufacturing site is different, it is impossible to list all the different risk factors to be considered. However, this article does discuss some of the
more common risk assessment inputs used for audit
schedule development. The risks factors discussed in
the following sections (sections 1.1 to 1.5) should be
used as points to consider when assigning a fixed risk
rank to a site/operation. Assigning a fixed risk rank to
a site/operation will aid in the audit scheduling process.
1.1 Risk Factors for Operations Performed
The operations at the site can be assigned a fixed risk
rank based on the risk associated with the operations
performed. As an example, high-risk operations usually include sterile manufacturing, packaging and labeling, final product release testing, and excipient
testing. The function of excipient testing is included
under high-risk operations because these raw materials
are a part of the final product formulation and do not
undergo further purification. These operations tend to
have a higher degree of regulatory oversight and are
therefore assigned a higher risk level. Additionally,
supply chain oversight including distribution and
transport practices are regarded as a high risk in todays environment. Medium-risk operations would include drug substance manufacturing and solid oral
dosage form manufacturing of drug (medicinal) products, while warehousing (e.g., storage areas for product and raw materials) would be considered low-risk
operations if appropriately controlled.
1.2 Site/Facility Risk Inputs
When assessing the risk profile of a manufacturing site
for clinical or commercial products (both drug substance and drug product) or a supplier/vendor for
materials or a contract laboratory for release testing,
several factors about the facility/site and the equipment should be considered. These factors include facility design (e.g., the age of the facility and compliance with current expectations on design should be
considered) and maintenance, equipment maintenance
and calibration, and if there have been major changes
105

Downloaded from journal.pda.org on June 7, 2014

to the facility and/or equipment since the last audit. If

past audits or regulatory inspections have identified
problems with major systems (e.g., air handling systems/environmental controls or clean utilities), this
information should factor into the risk profile for the
site/facility.
1.3 Product/Process Risk Inputs
Specific information on both product(s) and processes
will be useful in developing the fixed risk rank for the
site/operation. As an example, a multi-product manufacturer producing products in multiple profile classes
(parenterals, tablets, capsules, patches) or products
that pose patient safety risks (high potency actives,
hormones, cephalosporins, allergens, etc.) should have
a higher risk rank than a manufacturer producing a
single profile class of product. Additionally, if these
compounds are being manufactured in the same manufacturing areas and/or using shared equipment with
the companys product, then this information should
be considered in the risk ranking of the site/operations.
Risk ranking criteria can be developed based on the
product class and formulation type. For example, manufacturing of an intravenous (IV) formulation of a
biologic (IV formulation of complex protein with an
adjuvant) is at a higher risk level than an oral tablet of
a well-defined small molecule (oral product).
1.4 Compliance Risk Inputs
The overall compliance elements of a site should be
assigned the highest risk score and given the greatest
weighting when determining the fixed risk rank.
Knowledge of compliance history, through recent regulatory inspections and company audits, should be
used as an input for assigning a risk ranking. Other
areas to consider when determining the overall risk
associated with the sites compliance elements may
include criticality rating of inspection/audit findings,
timeliness in addressing findings (adequacy of responses), and status of corrective actions. In general,
the sites experience with the health authorities is a
good indicator for compliance status. If available, any
information regarding product issuessuch as Field
Alert Reports (FARs) and Biological Product Deviation Reports (BPDRs) submitted to the U.S. Food and
Drug Administration or Notifications submitted to the
EU authoritiesrecalls, and product complaints
should be reviewed and considered elements of the
overall compliance risk.
106

Figure 1
The elements of a typical audit program.
Other areas that may indirectly affect the compliance
status of a site and should be considered in the assessment include new product introduction to the site,
major changes in key GxP personnel and ownership
(i.e., company buy-out or merger), and, if applicable,
knowledge about sister sites compliance status and
the companys contract manufacturing quality monitoring visit results, and the outcomes of the site internal audit program (if available). The dates of the last
regulatory inspection/audit and the dates of the anticipated next regulatory inspection could be considered,
too.
1.5 Business Inputs
Business concerns are not a part of the GMP realm;
however, certain business criticality issues should be
considered as part of your risk ranking process. These
could include the volume of product manufactured or
tested or stored, if the site is single-sourced, and if
there is a licensed/approved back-up site available.
2. Risk-Based Approaches: From Planning
to Completion
The elements of a typical audit program are depicted
in Figure 1. The audit process can be divided in six
steps: scheduling, planning, preparation, conducting
the audit, report generation/issuance/response acceptance, and follow-up/closure. Each step is discussed
below.
2.1 Scheduling
A risk-based approach to scheduling audits is a useful
tool to determine the audit frequency for both internal
PDA Journal of Pharmaceutical Science and Technology

Downloaded from journal.pda.org on June 7, 2014

Table I
Points to Consider When Scheduling a Supplier Audit
Audit Type
Suppliers of materials and services
(calibration and maintenance
services, clean gowns,
transportation providers)

Raw material/solvents

Criticality and
Complexity
Criticality of equipment
calibrated/maintained
by the supplier

Criticality of operation
performed by the
supplier
Criticality of material
to process
Sourcingregulatory
maturity of country
of manufacture
Single source?

and external audits as well as to determine the length

and the scope necessary for the audit. A tool, for
example, a ranking model (1) is useful in prioritizing
audits based on established criteria identifying relevant risk factors. A prioritization matrix consisting of
risk factors weighted proportionally to a risk level can
be developed to define the audit interval based on
lowest to highest risk.
In determining the risk factors that a company will use
to develop the audit schedule, tables similar to Tables
I and II (4) can be helpful. As an example, Table I
provides suggestions on criticality and risk as related
to an audit of a supplier (i.e., a service provider or a
raw material vendor).
A second example is provided in Table II (4). This
table provides suggestions for criticality and risk related to manufacturing (either for an internal audit or
a contractor audit).
Within the company, several disciplines might be involved in assessing the risk for each site. For internal
audits performed by corporate auditors or performed
by auditors from the site, compliance and quality
including the qualified person (QP) could participate
in assessing the risk for the frequency of auditing their
specific site. For external audits performed by corporate auditors or performed by auditors from the site,
Vol. 68, No. 2, MarchApril 2014

Potential Questions to Address Risk

Is this an autoclave or highperformance liquid chromatography
(HPLC) equipment used for every
batch (direct impact), or a water
bath thermometer (indirect impact)?
Are the gowning materials used in
aseptic filling or in the bioreactor
area?
Is this a solvent used in the last
process step?
Does the country of manufacture have
a mature regulatory system that
assesses manufacturing compliance?
Is the material only available from
this source versus widely available
from multiple sources?

contract manufacturing operations and quality (including the QP) could provide information as to the compliance status of the individual contractors. In addition, laboratory and/or operations staff members who
are in contact with contract manufacturers/laboratories
may have information to contribute to the overall risk
assessment of a contract manufacturer. Participation
of the QP in the scheduling process is useful because
of his or her product knowledge and involvement in
specific quality functions such the lot release decision.
Including the QP may be of particular importance in
multinational companies where the audit program may
be operated remotely from the QPs site of responsibility.
Once the assessment has been performed, a risk level
with a rating can be assigned to the audit as a means
of determining frequency. Risk levels can be high,
medium, and low. Typical intervals for the audit frequency, unless specifically required by regulations,
include 1218 months (high risk), 18 24 months (medium risk), and 24 36 months (low risk).
Under the risk-based paradigm, new information acquired during the year could be considered. Changing
suppliers, regulatory issues, product complaints, and
so on may lead to a modification of the audit schedule
during the year. Rationales for these changes can be
107

Downloaded from journal.pda.org on June 7, 2014

Table II
Points to Consider When Scheduling an Audit of a Drug Substance or Drug Product Manufacturing
Process
Audit Type
Drug substance (biotechnology &
small-molecule active
pharmaceutical ingredients)

Criticality and Complexity

Process steps

Process controls
Sourcingregulatory maturity of
country of manufacture
Single source?

Drug (medicinal)
productgeneral

Dosage form manufacturing

process
Process steps

Process controls

Ability to clean
Intended use

Sourcingregulatory maturity of
country of manufacture
Single source?

provided as brief comments to the approved audit

schedule.

Potential Questions to Address Risk

Are there multiple steps that involve
manual or highly technical
operations?
Are there controls in place to detect
or eliminate errors?
Does the country of manufacture have
a mature regulatory system that
assesses manufacturing compliance?
Is the material only available from
this source versus widely available
from multiple sources?
Aseptic processing versus nonsterile
solution dosage form?
Do operations involve powder
blending versus mixing a true
solution?
Is sterilization filtration or terminal
sterilization used in solution
processing?
Is this a high-potency or hard-tosolubilize product?
Does this product treat a lifethreatening illness versus a sun
screen product?
Does the country of manufacture have
a mature regulatory system that
assesses manufacturing compliance?
Is the material only available from
this source versus widely available
from multiple sources

2.2 Planning

edge of the auditee/auditors, the preliminary timeframe for the audit, the preliminary scope and objective of the audit, and the expected duration of the
audit.

The audit plan defines the audit scope, requirements

and schedule based on the risk assessment results.
Once the schedule has been developed and approved,
the planning phase can be initiated by corporate compliance or the site compliance unit. During planning,
the corporate compliance or site compliance unit
should identify, for each scheduled audit, the standards against which the audit is to be performed, the
lead auditor and audit team members, language knowl-

In the planning step, risk management elements could

be key drivers to determine the audit planning elements. As an example, the more traditional approach
for audit scope would be to focus on the product and
to evaluate all documentation and systems associated
with the manufacture of the product. This approach
can be time-consuming and require multiple auditors.
Using a risk-based approach, the audit scope could
focus on key system elements (including the quality

108

PDA Journal of Pharmaceutical Science and Technology

Downloaded from journal.pda.org on June 7, 2014

Table III
Risk Management Elements When Planning an Audit (5)
Element of Audit
Planning
Lead auditor

Audit team members

Preliminary timeframe

Traditional Approach

Risk-Based Approach

Certified auditor (1); certification by the

company or an independent
organization
Subject matter experts according to the
scope (25)
Fixed for drug products, active
pharmaceutical ingredients, etc.

Certified auditor (1); certification by the

company or an independent
organization
Subject matter experts according to the
scope (13)
Variable based on the level of
knowledge the auditing organization
has of the supplier
Cover the quality system topics that
affect the product and/or had been of
uncertainty/concern
Quality system
15 days; variable, according to the
result of the risk assessment of the
supplier, product type, etc.

Objective

Cover the product and all quality

system topics

Preliminary scope
Expected duration

Product
25 days

system) to evaluate the product being manufactured

and/or tested at the site. There are examples listed in
Table III that complement the Pharmaceutical Inspection Convention and Pharmaceutical Inspection Cooperation Scheme (PIC/S) recommendation A Recommended Model for Risk Based Inspection Planning
in the GMP Environment (5).
2.3 Preparation
During the preparation phase, the lead auditor is responsible for confirming, with the auditee, the specific
dates for the audit. The objective and scope of the
audit, based on the result of the risk assessment of the
auditee, could be finalized during the pre-audit negotiations with the auditee. The audit agenda could be
finalized and shared with the audit team and the auditee.
Preparation activities could include requests for preread material such as the quality manual; the site
master file (including organizational chart), if applicable; the validation master plan; and so on. The
auditors could request from the manufacturer/supplier
GMP certificates or, if considered necessary, prior
inspection reports and the respective corrective/preventive actions from health authorities, if available. It
is useful to understand the focus of the regulatory
inspection and to note where the inspectors did or did
not find compliance problems at the site. Information
Vol. 68, No. 2, MarchApril 2014

of this type can aid in targeting the scope of the audit

and allow for efficient use of audit time and resources
at the site. The outcome of regulatory inspections (if
confirmed to be of relevant scope) may be used to
defer the audit to a later date on the basis of reduced
risk. It is important that the companys audit program
evaluate all relevant areas, as part of the audit scope,
over a number of audit cycles independent of regulatory inspections. A regulatory inspection should not be
used as the sole replacement for the audit. A decision
to defer the audit to a later date should be documented
including a follow-up date in the decision.
2.4 Conducting the Audit
The audit itself could begin with an opening meeting
to restate the objective and scope of the audit (as
defined by the results of the risk assessment) and the
basic requirements on which the auditors will base
their audit. Additional document requests may be made
at this time, if applicable. The majority of time spent at
the audit will be devoted to reviewing operations, documentation, observing ongoing processes (e.g., manufacturing, testing), facility tours, and interviewing relevant
staff according to the risk assessment. This schedule
should be carefully developed based on the information
available.
As part of the audit, the audit team should assure that
the auditee has fulfilled all regulatory requirements
109

Downloaded from journal.pda.org on June 7, 2014

Table IV
Example of Ratings for Audit Observations
Rating
Critical

Major

Minor

Recommendation

Observation Description
Observation describing a situation that is likely
to result in a noncompliant product, quality
defect, or a situation that may result in an
immediate or latent health risk and includes
any observation that involves fraud,
misrepresentation or falsification of products
or data.
Critical observations in an audit will
compromise the success of inspection(s) by
authorities.
Observation that may result in the production
of a drug (substance or product) not
consistently meeting its marketing
authorization.
Major observations may compromise the
success of inspection(s) by authorities.
Remedial action must be initiated in the short
to medium term.
Observation that is neither critical nor major
but represents a departure from the GMP.
There is a low risk of inspection(s) by
authorities being compromised.
A recommendation does not represent a
violation of the principles of the PQS in
terms of QMS and/or GMP rules. It outlines
areas of suggested improvement.

committed to as part of a marketing application or in

response to a regulatory inspection. Compliance with
new regulations and regulatory guidance should be
assessed during the audit as well. The auditors should
confirm completion, implementation, and (if possible)
effectiveness of all corrective actions from the previous audit. Daily wrap-up meetings are recommended
with a final closing meeting on the last day of the
audit. During this meeting, the auditors will present
their major observations to the auditee and its management.
2.5 Report Generation, Issuance, and
Response Acceptance
The audit report is the formal work output after the
audit. It is the lead auditors responsibility to generate
and issue the audit report. The report would describe
110

Suggested Timeframe for Corrective

Measures
Immediate remedial action must be
initiated immediately, within 1
month.

No later than three months; in cases

where this is not practical, an action
plan to be available within one
month.

Remedial action must be initiated.

Up to 6 months; in cases where this
is not practical, an action plan to be
available within 1 month.
As appropriate

the scope and objective of the audit as well as present

the major findings supported by the individual observations made during the audit. Each finding could be
rated according to a risk ranking system. One approach is to rank the findings as critical, major, minor,
or recommendation (6, 7) (refer to Table IV).
It is useful to include explanatory text following each
finding to provide guidance to the auditee on what
would constitute an acceptable response. Follow-up
items for the next scheduled audit of this site should be
included in the report.
In addition, an overview of the audit and inspection
activities at a manufacturing site is useful to senior
management. This overview can be a summary of
observations and corrective/preventive actions from
the audit. This summary can then be ranked as good,
PDA Journal of Pharmaceutical Science and Technology

Downloaded from journal.pda.org on June 7, 2014

satisfactory, or unsatisfactory (8). The ranking is

used for decisions, for example, to initiate a specific
global action across the company (internal audit), to
continue business with a specific contract manufacturer or supplier (external audit), or to adjust the
frequency for the next audit of this site/company (internal or external audit).
It is the auditees responsibility to respond to the audit
findings/observations with an acceptable corrective
action plan identifying what action(s) will be taken or
not, who will be responsible for the corrective action(s), and the expected time/date for completion.
Multiple interpretations of regulatory requirements
have been seen in regulatory inspections as well as in
audits by companies. It may be beneficial to relate the
interpretation to patient risk and/or product quality,
and to consider best practice documents when responding to the audit in order to align with a harmonized interpretation and/or understanding of the requirements. The latter may be more applicable to an
external audit response.
The response to the audit should be issued in a timely
manner. The typical response time is within 1 month.
As part of the response acceptance process, the lead
auditor and the audit teamincluding subject matter
experts (SMEs)should assess both the completeness
of the response and timeliness of the corrective action
closure. The response should be judged in terms of the
criticality rating of the finding. One could anticipate
that a critical finding would require a global/systemic
response (e.g., a implementing a revised change control program), whereas a minor finding could have a
narrower response (e.g., a revision to standard operating procedures). Additionally, the completion dates
should be based on the criticality rating of the finding/
observation as well as the complexity of the corrective
action.
2.6 Completion, Follow-up, and Closure
Upon acceptance of the responses by the lead auditor
and the audit team, the follow-up and commitment due
date closure process begins. As soon as the corrective
actions are accepted and the compliance status is verified by the lead auditor, the completed audit should be
forwarded to other stakeholders as needed (e.g., in the
EU, the QP). This is a similar process to that of issuing
a GMP certificate of an authority.
Subsequent to the completion step is the audit closure
step. The auditee is responsible for providing updates
Vol. 68, No. 2, MarchApril 2014

and evidence for the audit closure to the lead auditor.

Both the auditee and the lead auditor or an assigned
person in the organization should track each commitment to assure that it is closed as agreed upon during
the response acceptance process and that it is closed
on time. Any change to the corrective/preventive actions (i.e., change in activities associated with the
accepted response, change in the commitment due
date) should be communicated to the lead auditor or
designee. A rationale and a risk assessment to support
the change should be presented as well. Evidence of
completion of the corrective action should be provided
to the lead auditor at the time of completion. Occasionally, the verification of the corrective action must
occur at the auditees site (e.g., a new piece of equipment). Once all corrective actions have been verified
as acceptable, the audit may be closed.
The overall conclusion of an audit (internal or external)
should be used as a basis for scheduling the subsequent
audit of the site according to the risk-based approach.
Based on the risk/ranking assigned and the urgency for
corrective action verification, the scheduled date for the
subsequent audit could be adjusted to occur sooner or
later within the next audit schedule. If the interval between site audits is extended, quality monitoring systems
should be used to alert a manufacturer to potential
changes in product quality or in the quality of materials
supplied by a vendor. Examples of quality monitoring
systems include raw material testing, in-process testing,
and final product release testing.
Finally, a quality metric(s) could be used to inform
senior management of the overall effectiveness of the
companys audit program. Elements measured could
include status of the audit schedule (on time, postponed, canceled, waived based on risk), significance
of the observations, status of individual audits (open,
closed), timeliness of audit report issuance (on time,
late), timeliness of auditee responses (on time, late),
and so forth. These indicators may or may not reflect
the quality of each audit, but could provide senior
management with adequate information to judge the
overall compliance status of the company.
3. Conclusion
Auditing is an excellent indicator of the overall effectiveness of the companys and the contractors quality
systems and product performance. The implementation of a risk-based audit management system at both
the local and global level (if applicable), including
111

Downloaded from journal.pda.org on June 7, 2014

regular updates to senior management, could influence

the outcome of regulatory inspections (i.e., no unexpected observations by the inspectors). However, if
there are unexpected observations, it is important to
review and assess the risks to understand how best to
improve the quality system elements, including the
audit program. Finally, implementing risk-based approaches to the companys audit program will help to
focus resources on key areas of importance, thereby
minimizing the risk to patients.
Acknowledgements
The authors thank Jim Lyda, PDA, for his input challenging the initial draft and as well as other members
of the PCMO Task Force: Amnon Eylath, Mark Frankcom, and Siegfried Schmitt. Additionally, the authors
would like to thank Catherine Bomer for her assistance in the preparation of this manuscript.
Conflict of Interest Declaration
The authors declare that they have no competing interests.
References
1. International Conference on Harmonization. ICH
Q9. Guideline on Quality Risk Management, November 2005.
2. Rnninger, S.; Schmitt, S.; Rangavajhula, V.;
Lyda, J.; Hough, E. Considerations on auditing

112

and GxP requirements along the product life cycle. PDA J. Pharm. Sci. Technol. 2012, 66(5),
396 402.
3. PDA Technical Report No. 54 (TR 54) Implementation of Quality Risk Management for Pharmaceutical and Biotechnology Manufacturing Operations, 2012.
4. Rnninger, S.; Holmes, M. A risk-based approach
for scheduling audits. PDA J. Pharm. Sci. Technol. 2009, 63(6), 575588.
5. PIC/S. A Recommended Model for Risk Based
Inspection Planning in the GMP Environment. PI
037-1, January 1, 2012.
6. Health Canada. Health Products and Food Branch,
Risk Classification of Post-Market Reporting
Compliance Observations, Guide-0063, November 21, 2005.
7. European Medicines Agency. Compilation of
Community Procedures on Inspections and Exchange of Information, EMA/INS/GMP/321252/
2012/Rev. 15, July 16, 2012.
8. Rnninger, S.; Berberich, J.; Fischer, G.;
Persson, I.; Wandt, C.; Wall, L. How can we
balance value, effort and risk in foreign GMP
inspections? A future perspective. GMP Review, 2012, 10, 14 18.

PDA Journal of Pharmaceutical Science and Technology

Downloaded from journal.pda.org on June 7, 2014

An Authorized User of the electronic PDA Journal of Pharmaceutical Science and

Technology (the PDA Journal) is a PDA Member in good standing. Authorized Users are
permitted to do the following:
Search and view the content of the PDA Journal
Download a single article for the individual use of an Authorized User
Assemble and distribute links that point to the PDA Journal
Print individual articles from the PDA Journal for the individual use of an Authorized User
Make a reasonable number of photocopies of a printed article for the individual use of an
Authorized User or for the use by or distribution to other Authorized Users
Authorized Users are not permitted to do the following:
Except as mentioned above, allow anyone other than an Authorized User to use or access the
PDA Journal
Display or otherwise make any information from the PDA Journal available to anyone other
than an Authorized User
Post articles from the PDA Journal on Web sites, either available on the Internet or an Intranet,
or in any form of online publications
Transmit electronically, via e-mail or any other file transfer protocols, any portion of the PDA
Journal
Create a searchable archive of any portion of the PDA Journal
Use robots or intelligent agents to access, search and/or systematically download any portion
of the PDA Journal
Sell, re-sell, rent, lease, license, sublicense, assign or otherwise transfer the use of the PDA
Journal or its content
Use or copy the PDA Journal for document delivery, fee-for-service use, or bulk reproduction or
distribution of materials in any form, or any substantially similar commercial purpose
Alter, modify, repackage or adapt any portion of the PDA Journal
Make any edits or derivative works with respect to any portion of the PDA Journal including any
text or graphics
Delete or remove in any form or format, including on a printed article or photocopy, any
copyright information or notice contained in the PDA Journal