Beruflich Dokumente
Kultur Dokumente
2
With the onset of the Medical Device Single Audit Program (MDSAP), ISO 13485
compliance is becoming more critical than ever before.
Since ISO 13485 will be used as an auditing standard for MDSAP, your company
may also need to adhere to these standards during a regulatory audit.
Pilgrim is here to help you every step of the way. As you work through your gap
analysis phase, you’ll need to closely examine many processes, especially your
quality management processes.
In this e-book, we’ll focus on specific quality management processes and take
a closer look at how you can build risk-based thinking into each of them.
Learn More 43
4
Risk-based
Quality Audits
Why Risk-based Auditing?
If you’re responsible for planning and carrying out your company’s internal
audits, you know how much planning and effort it takes to monitor your
quality system for GMP and ISO compliance.
As your quality system has matured, you’ve probably noticed that certain
sites, departments, or processes require more of your attention, while
others are consistently in compliance and don’t need as much assistance.
If this is the case in your organization, it’s time for you to consider a risk-
based approach to your internal quality system audits.
6
The Value of a Risk-based Approach
A risk-based approach to internal audits allows you to assess the importance and
performance of each area to be audited and to use your results to devote your auditing time
and resources to these critical business areas.
Based on this risk assessment, you may also decide that certain areas of your business don’t
need as much oversight. The value in a risk-based approach frequently comes in the form of
higher product quality, since trouble areas will receive the time and attention they need to
improve.
Risk-based quality audits also improve your productivity. You will spend more time discovering
and solving problems rather than auditing areas that are already performing well.
7
Get Started with Risk-based Auditing
Let’s take a look at how you can incorporate risk into your internal
ISO and GMP audit processes.
8
Step 1: Assess Organizational Risk
When you’re assessing risk, consider the departments and processes you
normally audit.
As you work through these areas, you may choose to quantify each area’s risk
level.
Or you can use standard risk analysis tools such as Hazard Analysis, Fault Tree
Analysis, or Failure Mode Effects Criticality Analysis (FMEA).
9
Step 1: Assess Organizational Risk
There are many areas to consider when assessing risk including:
10
Step 1: Assess Organizational Risk
Once you’ve considered these areas (and other risk areas specific to your
business), you can combine their individual risk scores to create an overall risk
score for each department or process.
This can help you quickly understand your high-risk areas so you can create
your audit plan accordingly.
This assessment forms the basis for your risk-based audit plan, so it should be
documented in a list or spreadsheet as you work through it.
11
Step 2: Incorporate Risk into Your Audit Plan
As you’ve ranked each department’s risk, you’ve probably begun to form a
mental picture of your audit plan. Now it’s time to take a closer look at each area
and its corresponding risk score.
A key part of your planning will be your audit schedule. Higher risk areas will
need to be audited more frequently (at least annually, but possibly more often).
For low-risk areas, it is important to remember that an annual audit is not always
required. In either case, you need to define how often you will audit each
department based on the risk assessment, document a schedule, and stick to it.
12
Step 2: Incorporate Risk into Your Audit Plan
There are other pieces of your audit plan that are also affected by risk. These
can include the audit duration and the size and skill of your audit team.
You may need to plan for longer, more detailed audits of high-risk areas. Areas
involving more complex products or processes may require auditors with
special skills or knowledge.
13
Step 3: Conduct Risk-based Audits
Risk-based auditing doesn’t stop with your audit plan. Once you’ve determined
an area to audit, you can incorporate a risk-based approach into each audit you
conduct.
14
Step 3: Conduct Risk-based Audits
If you’ve audited an area before, you should review the data you already have
from previous audits and work from there. Some items to review include:
Understanding these areas will help you hone in on potential areas of concern.
This will help you focus your questions properly and get the most value from
your time spent auditing.
15
Step 4: Risk-based Follow Up
Once you’ve completed the audit, you will assign recommendations and/or
findings.
Using a risk-based approach to follow up,
you will assign a risk level to each finding to
clarify which findings need a quick
response or escalation. This allows you to
address critical findings more quickly, rather
than just following up to findings in the
order they were discovered.
16
Step 5: Monitor Changes in Risk
Your initial risk assessment was a snapshot of your quality, performance, and
compliance risks. Changes to products, processes, or defect history will
cause this snapshot to evolve over time. That’s where automated quality
management software can help keep you aware of emerging risks.
17
Implementing Your Risk-based Audit
Program
The idea of implementing a risk-based GMP audit program, or any
type of risk-based process, can be intimidating. But keep in mind
that you don’t need to change your entire audit process all at once.
18
The Basics
of Risk-based
Incoming
Inspection
An Introduction to Risk-based Inspection
You’re probably conducting incoming inspections today but if you aren’t taking a
risk-based approach, chances are you’re performing inspections you don’t need
to do and possibly overlooking the items which need to be inspected most.
20
Three Components of Risk-based Inspection
1 2 3
Sampling Plan & Skip Lot Switching Rules
AQL Schedule Performance-based
Manage Inspection Control Inspection Change
Quantity Frequency
21
Sampling Plan and AQL
Sampling plans help to define your sample size or
the number of items to be inspected for each lot of
incoming material.
24
Switching Rules
Switching rules are a third component of risk-based incoming inspection. These
rules take ongoing inspection results into consideration and tell you how your
sample size and skip lot schedule should change as a result.
For sampling systems like ANSI/ASQ Z1.4, switching rules govern changes
between the following states:
ü Normal – The baseline for sample size and number of lots to be inspected
ü Reduced – Fewer lots are inspected and fewer samples are taken for each
lot. This state is reached based on good results in previous incoming
inspections.
ü Tightened – More lots are inspected and more samples are taken for each
lot. This state is reached based on poor results in previous incoming
inspections.
25
Stick with the Standards
Switching rules are also based on a statistical plan that modifies the inspection
schedule while maintaining confidence that incoming quality will remain high.
For this reason, you will need to stick with an industry-standard plan rather than
creating your own skip lot schedule.
26
Challenges in Risk-based Inspection
A major obstacle to risk-based inspection is that sampling systems are difficult
to track. Industry standard sampling tables are detailed and complex.
This makes it difficult to determine sample size, skip lot frequency, and
switching schedules for an organization’s many suppliers and raw materials.
27
Challenges in Risk-based Inspection
Fortunately, electronic Inspection Management solutions can completely
automate risk-based inspection processes.
You can have all of the benefits of risk-based inspection without the
administrative (or statistical) headaches.
28
Sampling Systems and Compliance
In the Life Sciences, compliance has to be at the forefront of
every incoming quality decision. Don’t forget to consider the
compliance aspects of your sampling choices.
29
Risk-based
CAPA
and
Efficiency
A more efficient CAPA process
CAPA systems provide a wealth of information regarding the
quality of a product or process. However, few companies fully
leverage the power of this tool to realize its positive impact to the
bottom line.
31
A more efficient CAPA process
Over time, the system becomes laden with records of varying
degrees of severity, which are often vetted by issuance order
rather than priority.
32
“ By quantifying risk, companies can more quickly
realize a return on investment for their preliminary
data gathering and work during the CAPA process.
“
Konyika Nealy
VP of Quality Assurance & Validation
Pilgrim Quality Solutions
33
What’s the Risk?
First, while it must be noted that there is no standard
definition for risk that can be applied across
organizations, the common goal is to mitigate risk, and
for those that cannot be eliminated, to reduce them to
a level as low as reasonably practicable.
34
Building a Risk-based CAPA Matrix
Risk assessment (or impact assessment) is required for any CAPA
process and involves the identification, analysis, and prioritization of
risks, and the subsequent application of effort to minimize, monitor,
and control the probability and/or impact of a negative outcome.
35
Building a Risk-based CAPA Matrix
Next, plot a 2 x 2 matrix (probability versus severity) to focus on the
high-risk and high-impact category.
This risk matrix becomes a tool that allows you to determine the
corresponding actions to events based on those criteria, including
no action if it falls within the acceptable risk category.
Further, for events that required action based on its risk rank as
defined by the matrix, an effectiveness review becomes more
analytical since a new severity (in light of mitigation strategy
employed) and frequency can be measured to produce a follow-
up ranking.
36
Risk-based CAPA Drives Innovation
In Life Sciences, where patient safety is foremost, quality-related
risks must be addressed swiftly and systematically.
37
Employee
Training
and
Risk
Training Requirements and Risk
How does your organization currently define training
requirements? If you’re not considering risk as you define them,
you will need to add this consideration into your process.
39
Determining Training Requirements
When determining the training requirements for these process
steps, you will benefit from analyzing:
40
Risk at Various Levels
Does your business associate the risk for both role-
level training and for job-specific requirements?
41
Getting it Documented
Finally, how will your organization capture this information and link
it to objective evidence required for the competency of each role
and/or requirement?
If you don’t have a plan for this, now is the time to act. Risk-based
quality processes and training requirements are key updates in
ISO 13485:2016.
42
Learn
More
Risk-based Quality Processes
Quality Management Software can speed your company’s path to ISO 13485:2016
compliance. Pilgrim SmartSolve® contains in-the-box best practices for:
ü Audit Management – Captures auditee risk as a part of the audit planning process.
ü CAPA Management – Provides a guided processes to implement risk-based corrective
actions quickly.
ü Change Management – Allows specific cross-functional teams and business process
workflows to be dynamically managed based on the significance of each proposed
change.
ü Document Management – Controls standard operating procedures and other
documentation throughout their lifecycle.
ü Inspection Management – Automates sampling plans and inspection frequency for
incoming inspection.
ü Training Management – Manages certifications for both role-related and job-related
training requirements.
44
ISO 13485:2016 Resources
Although risk-based quality processes are a key part of ISO 13485:2016
compliance, there are more changes within the standard that need your
attention. And Pilgrim is here to help you every step of the way.
Here are additional resources to help you on your path to ISO 13485:2016
compliance:
ü On-Demand Webinar: ISO 13485:2016 : Will Your Transition be a Marathon or
a Sprint?
ü Key Takeaways on ISO 13485:2016
ü ISO 13485:2016: Are you prepared for the transition?
ü cGMP and ISO 13485: Aligning Device Quality Worldwide
ü ISO 13485:2016 Compliance: Resources to Help You Get Started
45
About Pilgrim Quality Solutions
Pilgrim Quality Solutions is the leader in quality compliance management
software and services for Life Sciences.
For more than 20 years, our solutions have automated thousands of processes
across global company sites to manage the quality and compliance of life’s
most important products.
With Pilgrim Quality Solutions as your partner, you are prepared to succeed. For
more information, visit www.pilgrimquality.com.
46
Contact Us
Pilgrim Quality Solutions
(813) 915-1663
www.pilgrimquality.com
Prepare to Succeed
48