Tuesday, August 4, 2009

Do You Use Risk Assessments in Auditing?

Audits are a critical component of quality systems, but are they guided by formal assessments of risk to your products? In this world of ICH Q9, can you offer even a semi-quantitative justification for your audit priorities? We have spoken to many people in the industry, and almost all mention a risk assessment being undertaken prior to an audit. But we have not found many people that formalize that risk assessment, or keep it updated from audit to audit. Even fewer communicate their scoring of risk to either their internal clients or the vendor that has been audited.

A new trend in auditing is to use a form of risk assessment both before and after the audit. A popular form is the Failure Modes and Effects Assessment, or FMEA (see, for example, http://www.sre.org/pubs/Mil-Std-1629A.pdf). In a traditional FMEA, risks of failure are identified in a detailed fashion, and scored in three categories related to the failure’s probability, detectability and severity. Scoring is done on a semi-quantitative or relative basis using an arbitrary scale such as 1-10. For an audit, you might use the same categories as they relate to a particular vendor's (or department's) ability to deliver a product or service, failure free. You could organize your FMEA according to the critical quality attributes of the product or service being delivered or according to a list of requirements from a guideline or the CFR's. Your FMEA should receive input from affected departments, and should be used for prioritization of audit items. You should have the FMEA in mind as you conduct your audit, and remember why various items received high prioritization. You may change ratings for probability or detectability based on what you observe. If instead, you confirm your evaluation, you should probe remediations that decrease your firm's primary concern. A remediation that addresses detectability, when the issue was probability, likely won’t mitigate the risk of failure.
When you return from your audit, rescore the FMEA with assessments based on your observations and data that you collected. Make sure that you share your analysis with the stakeholders. And monitor the performance of the vendor until the next audit; the data will help inform your next FMEA.

Do you already use FMEA's in audit preparation and reporting? Let us know your practices.