General European OMCL Network (GEON)

QUALITY MANAGEMENT DOCUMENT

PA/PH/OMCL (20) 21 R1

RISK-BASED AUDITING APPROACH

Full document title Risk-based Auditing Approach

and reference PA/PH/OMCL (20) 21 R1
Document type Recommendation Document

Legislative basis Council Directive 2001/83/EC and 2001/82/EC, as amended

Date of first adoption 10 June 2020

Date of original entry 10 August 2020

into force
Date of entry into /
force of revised
document
Previous titles/other /
references / last valid
version
Custodian The present document was elaborated by the OMCL Network /
Organisation EDQM of the Council of Europe
Concerned Network GEON

N.B. This OMCL Quality Management System document is applicable to members of the European
OMCL Network only. Other laboratories might use the document on a voluntary basis. However,
please note that the EDQM cannot treat any questions related to the application of the documents
submitted by laboratories other than the OMCLs of the Network.
 PA/PH/OMCL (20) 21 R1 – Risk-based Auditing Approach

1. INTRODUCTION
The overall common objective of the European Regulatory Network is to ensure the health and well-
being of patients and protect public health through medicinal products of high quality that are safe
and effective. OMCLs contribute to this objective by testing the quality of medicines on the market
(legal or illegal) and by producing reliable test results as a basis for adequate decision-making by the
competent authority. However, risks to patients or to public health can often only be estimated within
a specific context. This Guidance therefore focuses on the risks to the validity of reported test results.

Application of a risk-based approach in auditing is primarily aimed at the identification of risk factors.
This includes the careful selection of methodologies that are representative of the laboratory’s scope
to ensure confidence in the conformity of the laboratory with the requirements of ISO/IEC 17025,
OMCL Guidelines and the Ph. Eur. This risk-based identification and selection should follow a
structured approach for planning and conducting audits. It should also be applicable to all laboratories
and include additional ad hoc elements, e.g. randomly selected and/or new topics under the scope.

2. OBJECTIVE AND SCOPE

The purpose of this Guidance is to define criteria for the identification of risk factors during technical
audits and the risk-based selection of methods or techniques in cases where the full scope cannot be
assessed with the available audit capacity. A risk-based reduction of the technical scope is aimed at
ensuring confidence in the laboratory’s ability to meet the requirements while balancing the elements
of the scope and the audit time frame available (for criteria and examples refer to section 6).
Moreover, adequate identification of the risk factors that contribute to the validity of results is key to
ensuring that the laboratory is in control of its various elements.

This Guidance can support the audit team in the preparation of the MJA schedule, whenever the
concept of risk-based auditing becomes necessary. The Guidance does not have a prescriptive
character.
Application of a risk-based approach in audits is focused on identifying risk-based methodologies to
attain the necessary confidence of the conformity of the lab with the requirements of ISO/IEC 17025,
OMCL Guidelines and Ph. Eur. requirements.

Reduction of the scope of the technical audit should not be applied in cases where the full scope can
be covered within the normal time frame (usually two days of assessment). However, in the event of
a large scope involving different lab units and/or a wide instrument park, the considerations presented
in this Guidance should be taken into account during the preparation of the audit schedule.

Regarding the quality system, all clauses of ISO/IEC 17025 shall be covered in an audit; therefore the
quality system is out of the scope of this document.

3. DEFINITIONS/GLOSSARY
Audit scope: extent and boundaries of an audit.
Audit criteria: reference against which conformity is determined, e.g. applicable standard, policies,
procedures, regulatory requirements, performance criterial including objective.
Risk-based approach: an audit approach that considers risk and opportunities. The risk-based
approach should substantively influence the planning, conducting and reporting of audits in order to
ensure that audits are focused on matters that are significant for OMCL function.

4. METHODOLOGY FOR RISK-BASED AUDITING APPROACH

All relevant risk factors that apply to a specific OMCL shall be covered during an audit. As long as the
laboratory follows a structured approach and employs a high level of standardisation across different
fields of expertise or organisational units (if applicable), a spot check with positive outcome for each
risk factor should be sufficient to assure compliance. On the other hand, if the audit team uncovers
indications that an approach is not standardised, the sample should be expanded.

For the audit of the quality system, all clauses of ISO/IEC 17025 shall be covered in an audit.

p. 2/8
 PA/PH/OMCL (20) 21 R1 – Risk-based Auditing Approach

For the technical audit, this Guidance identifies several typical risk factors that shall be addressed
during an audit. The list of risk factors provided in section 6 should not be considered exhaustive, and
not all risk factors are applicable to all OMCLs.

5. METHOD-SPECIFIC RISK FACTORS: GROUPING OF TEST METHODS

Several of these risk factors are related to specific analytical techniques. Therefore, test methods may
be grouped in order to select an item out of every cluster, while other risk factors are independent of
the analytical technique.

Some examples are provided for clarification:

1. An OMCL uses two LCs, i.e. LC1/DAD and LC2/MS. Providing that both are under the same QMS,
once qualification is successfully verified for LC1, it would not be re-checked for LC2. Both
detectors will be audited in full.
2. Several chromogenic assays of coagulation factors may be covered by auditing only one
method, given that they follow a common approach in validation, assay layout, equipment and
staff involved.

These method clusters are identified in Table 1.

Table 1-Method Clusters

Main Cluster Risk factors that require selection of more

method/technique than one sample out of the cluster
Chromatography GC • all types of detectors in use (incl. MS)
• all different separation modes
TLC • all types of detection methods (e.g. chemical,
visual, etc.)
HPLC/UPLC • all types of detectors in use (incl. MS)
• all different separation modes (reversed phase,
normal phase, ion exchange, SEC, etc.)

Electrophoresis SDS-PAGE
Blotting
Physical Dissolution test • different dosage forms/apparatus
Gravimetry • different precision requirements
Volumetry • excl. volumetric titration (see below)
Visual determination Appearance • incl. semi-quantitative determination of
coloration/opalescence
Optical microscopy

Spectrometry Atomic (AAS/AES/ICP) • different modes of atomisation

Fluorimetry

IR/NIR/Raman • different types of sample

preparation/measurement modes
MS • all types of ionisation modes/analysers in use
UV/Visible

Titration Visual endpoint • all types of titration

Potentiometric • all types of titration
Simple identification of
ions with visual
determination

p. 3/8
 PA/PH/OMCL (20) 21 R1 – Risk-based Auditing Approach

Main Cluster Risk factors that require selection of more

method/technique than one sample out of the cluster
Immunochemical Immunoassay (ELISA) • self-prepared plates
methods • validation of anti-HIV & HBsAg in pool plasma

Coagulation Chromogenic
Clotting time
Vaccine potency Virus titration • all detection techniques in use (visual, staining,
antibody staining, NAT, etc.)

6. GENERAL (METHOD-INDEPENDENT) RISK FACTORS FOR THE VALIDITY OF TEST

RESULTS
Other risk factors mentioned in this Guidance are independent from the analytical techniques.
Therefore, effective communication between the technical auditors is essential in order to cover all
relevant items in an audit without overlap/duplication.

Risk factors that contribute to the validity of reported test results are depicted in the fishbone diagram
below and further discussed in Table 2, including the points to be checked during the audit. The list
below is not comprehensive and, unless indicated, is not given in priority order.

Fig. 1 Fishbone diagram of general risk factors:

The management of these and some additional risk factors are addressed by OMCL Quality
Management Guidelines or Recommendation Documents.

p. 4/8
 PA/PH/OMCL (20) 21 R1 – Risk-based Auditing Approach

Table 2. Risk factors that contribute to the validity of reported test results and points to be checked during the audit.

General Risk Factors References Check

Equipment GL Qualification of Equipment • All types of equipment shall be audited

& Annexes • Check specific requirements (as audit criteria) defined by Ph. Eur. or GLs, as applicable
• For widely used equipment (pipettes, balances, refrigerators, etc.), spot-check if they are
consistently managed across the OMCL. If not, expand sample

Reference Substances GL Handling and Use of Non- • Reference substances obtained from marketing authorisation holders (MAH)
Compendial Reference • Reference substances obtained by purchasing from commercial sources
Standards in the OMCL • Use of reference substances outside the intended scope (e.g. storage and re-use of
Network aliquots)
• Secondary in-house reference substances established by the OMCL

Reagents GL Management of Reagents • Purchased reagents in their original container

• Purchased reagents which have been transferred into another container
• In-house prepared reagents
• Water manufactured by the OMCL using qualified equipment
• Volumetric solutions

Validation GL Validation/Verification of • Prioritise according to complexity of validation requirements:

Analytical Procedures - impurity quantitative > assay > impurity limit > identification
- full validation (in-house) > partial validation (e.g. active substance method for finished
product, 2nd manufacturer's method) > verification of fully validated method
• Check if verification/SST requirements are systematically checked and fulfilled
• Check changes in the method and validation status of the method

GL Evaluation of Measurement • In-house developed methods

Uncertainty • Ad hoc methods (e.g. screening, analysis of unknown products, trace analysis)
• Methods with unknown or incomplete information regarding uncertainty
• Confirming out-of-specification results
• Identification of uncertainty sources

Computerised systems GL Computerised Systems & • Management of installation and updates of (commercial) equipment software
Annexes • Self-developed Excel spreadsheets
• Complex systems (LIMS validation)

p. 5/8
 PA/PH/OMCL (20) 21 R1 – Risk-based Auditing Approach

General Risk Factors References Check

Environmental conditions Recommendation Document Method-specific audit items, as applicable:

Management of Environmental • Temperature: storage and environmental conditions (samples, reagents and reference
Conditions substances)
• Specific temperature requirements (e.g. drying, ash, microbiological incubation)
• Vibrations: weighing, LAL
• Cross contamination & hygiene in general: NAT & microbiology (incl. particle count and
differential pressure in clean rooms)
• Light & humidity: animal house

Sample Management GL Management of Samples Prioritisation acc. to risk factors from matrix/required sample preparation:
• unknown > complex (e.g. ointments, herbals) > solution
• product-specific storage conditions

Competence requirements Qualification and • Recently introduced new staff

Requalification of Analysts • Recently introduced methods (incl. training)
General Requirements for • Systematic approach to infrequently performed techniques
Infrequently performed • Method-specific risk factors from specific/complex handling requirements
techniques • Re-qualification programme

Ensuring validity of results ISO/IEC 17025 7.7 (no • PTS participation (see last management review) and failure management
additional OMCL requirements) • Laboratory comparisons other than PTS (collaborative studies)
• Use of Control charts
• Blind samples
Triggers for method selection:
• No PTS participation or poor PTS performance
• Not covered by NAB accreditation
• Not covered by previous MJA
• Other approaches

p. 6/8
 PA/PH/OMCL (20) 21 R1 – Risk-based Auditing Approach

General Risk Factors References Check

Evaluation and reporting of GL Evaluation and reporting of • Traceability of technical records (including calculations, transcription and checks).
results results • Decision rules in case of conformity assessment
GL Management of documents • OOS Verification/investigation/decisions and effectiveness of actions
and records • Test reports
ISO/IEC 17025 clause (clause • Interpretations and decisions based on test results (assessment, OCABR certificates, etc.)
7.8)

p. 7/8
 PA/PH/OMCL (20) 21 R1 – Risk-based Auditing Approach

7. RESPONSIBILITIES
The audit team is responsible for the risk-based selection of audit items.
However, the audited laboratory should contribute by providing the necessary information to support a
meaningful method selection during the preparation phase, when applicable.
Risk-based selection of the methods will be defined before the audit, and any change discussed/agreed with
the audited lab.

8. REFERENCES
1) ISO 19011:2018 for auditing management systems, clauses 4.g), 6.3.2.1., 6.3.2.2.h)
2) ISO/IEC 17025:2017 General requirements for the competence of testing and calibration laboratories
3) OMCL Quality Management Guidelines and Recommendation Documents

p. 8/8