In this article, you will learn what risk-based auditing is, and how to apply a risk-based approach to auditing and remote supplier audits.
Risk-based auditing weighs the risk of failing to achieve the audit objectives against the opportunities created by choosing different audit methods and strategies. For example, if you are conducting the first internal audit of a new quality system, a desktop audit of procedures might be appropriate. If instead you are auditing a mature quality system whose procedures have barely changed in the past year, a desktop audit would be a waste of time, and the element (clause-by-clause) approach to auditing is unlikely to add much value either. An audit is a sample, not a census. Therefore, you should concentrate the sample on areas of importance, areas where previous nonconformities were identified, any new products or processes, and anything that changed significantly.
The risk-based auditing approach is the most significant change in ISO 19011:2018
One of the main differences between ISO 19011:2018 and the previous 2011 version is the addition of a “risk-based approach” to the principles of auditing. Specifically, clause 4(g) of the guidelines for auditing management systems states, “The risk-based approach should substantively influence the planning, conducting and reporting of audits to ensure that audits are focused on matters that are significant for the audit client, and for achieving the audit program objectives.” Many people are unsure what a risk-based approach means in practice, but the key is to start from the definition of risk. From a product perspective, risk is the “combination of the probability of occurrence of harm and the severity of that harm” (the ISO 14971 definition). From a process perspective, risk is the “effect of uncertainty on an expected result” (ISO 9001:2015, clause 3.09). Therefore, auditors should emphasize medical devices with the highest severity of harm and any devices with a high probability of hazards or hazardous situations occurring. When an auditor is focusing on a process rather than a specific medical device, the emphasis should be on processes that are not under control and on recent process changes.
Auditor selection should also be risk-based
If you are conducting a supplier audit as part of the initial qualification of a critical component supplier or contract manufacturer, you should consider a team audit with a multi-disciplinary team. This is a risk-based approach to supplier qualification: it puts subject matter experts in front of each process instead of auditors with only a general quality assurance background. It also obliges more of your personnel to introduce themselves to the new supplier, so the audit builds more reliable communication channels between the two companies. Conversely, if you are conducting a routine internal audit of an established production process, you might assign a new lead auditor, because you do not expect significant findings there. As the audit program manager, you should match the new lead auditor to a process that forces them to exercise every aspect of the process approach to auditing. Process validation, calibration, maintenance, and process monitoring, for instance, are areas that do not arise in administrative processes such as purchasing.
Risk-based auditing should influence your auditing schedule.
The frequency of auditing suppliers and internal process areas should reflect the associated risks. Therefore, when you create or update your audit schedule, consider the risk level of both the products and the processes being audited. Production processes with a moderate or high rate of nonconforming product may need to be audited more than once per year, while a supplier with an excellent track record of very high quality and on-time delivery may be audited in alternating years. If the previous audit of a supplier was remote, you may want to alternate to an on-site audit the next time.
The duration of your audits should not always be the same either. If one production process makes a single product in low volume and another makes multiple products in high volume, you should not schedule a two-hour internal audit for both processes every year. The low-volume process may need only a one-hour audit once per year, whereas the high-volume process may require a four-hour internal audit or multiple audits each year.
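The scheduling rules above (risk as severity combined with probability, more frequent audits where nonconformities or changes occur, alternating years for suppliers with a good record, audit length scaled to volume and product count, and alternating remote and on-site supplier audits) can be written down as a small planner so the schedule is reproducible rather than re-argued every year. The following is an added illustration, not code or a scoring scheme from the original article or from ISO 19011; the 1-to-5 severity and probability scales, the score thresholds, the hour budgets and the sample processes are all assumptions chosen for the example.

```python
"""Risk-based audit scheduler (illustrative; thresholds and scales are assumptions).

Each process or supplier gets a risk score = severity x probability, and the
planner derives audits per year, session length, audit mode and focus areas.
"""
import math
from dataclasses import dataclass

MAX_SESSION_HOURS = 4.0   # assumption: longer audits are split into several sessions


@dataclass
class AuditTarget:
    name: str
    severity: int                    # 1-5: worst-case harm if this process/supplier fails
    probability: int                 # 1-5: likelihood of failure, e.g. from the NC rate
    high_volume: bool = False
    product_count: int = 1
    changed_recently: bool = False   # new product, new process or major procedure change
    prior_nonconformities: int = 0   # findings at the previous audit
    is_supplier: bool = False
    last_audit_remote: bool = False  # only meaningful for suppliers


def risk_score(t: AuditTarget) -> int:
    """ISO 14971-style combination of probability and severity."""
    return t.severity * t.probability


def audits_per_year(t: AuditTarget) -> float:
    score = risk_score(t)
    if score >= 15 or t.prior_nonconformities >= 3:
        return 2.0                                   # audit more than once per year
    if score >= 6 or t.changed_recently or t.prior_nonconformities > 0:
        return 1.0
    # Low risk with a clean record: suppliers can drop to alternating years,
    # internal processes still get at least one audit per year.
    return 0.5 if t.is_supplier else 1.0


def audit_hours(t: AuditTarget) -> float:
    """Total audit time per cycle, scaled by volume and number of products."""
    hours = 2.0 if t.high_volume else 1.0
    hours += 0.5 * (t.product_count - 1)
    return hours


def audit_mode(t: AuditTarget) -> str:
    """Suppliers alternate remote/on-site so facility condition is still verified."""
    if not t.is_supplier:
        return "on-site"
    return "on-site" if t.last_audit_remote else "remote"


def focus_areas(t: AuditTarget) -> list:
    focus = []
    if t.severity >= 4:
        focus.append("high-severity harm")
    if t.prior_nonconformities > 0:
        focus.append(f"{t.prior_nonconformities} prior nonconformities")
    if t.changed_recently:
        focus.append("recent change")
    return focus


def plan_audit(t: AuditTarget) -> dict:
    total = audit_hours(t)
    sessions = max(1, math.ceil(total / MAX_SESSION_HOURS))
    return {
        "name": t.name,
        "risk_score": risk_score(t),
        "audits_per_year": audits_per_year(t),
        "sessions_per_audit": sessions,
        "hours_per_session": round(total / sessions, 1),
        "mode": audit_mode(t),
        "focus": focus_areas(t),
    }


def build_schedule(targets: list) -> list:
    """Plans every target, highest risk first."""
    return sorted((plan_audit(t) for t in targets),
                  key=lambda p: (-p["risk_score"], p["name"]))


if __name__ == "__main__":
    # Constructed sample targets; the figures are not from any real facility.
    sample = [
        AuditTarget("Low-volume packaging line", severity=3, probability=1),
        AuditTarget("High-volume molding line", severity=3, probability=3,
                    high_volume=True, product_count=7),
        AuditTarget("Contract manufacturer (qualified)", severity=4, probability=1,
                    is_supplier=True, last_audit_remote=True),
        AuditTarget("Sterilization", severity=5, probability=4, prior_nonconformities=1),
    ]
    for plan in build_schedule(sample):
        print(plan)
```

The two production lines from the paragraph above come out as one one-hour audit per year for the low-volume line and a five-hour budget split into two sessions for the high-volume line; the qualified supplier drops to alternating years and flips to an on-site audit because the last one was remote.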
Risk-based auditing applied to remote supplier auditing.
The risk-based approach was added to ISO 19011:2018 as the seventh principle of auditing and is the most significant change to that standard, but how does it apply to remote auditing? Alongside the opportunities created by remote supplier auditing, there are risks in auditing suppliers remotely. Most people worry about auditees hiding hazardous situations or unacceptable environmental conditions such as filth or disrepair. However, poor cleanliness and maintenance practices do not develop overnight, so a facility that was clean and well maintained at the last on-site visit can be expected to remain that way. The risk of auditees concealing objective evidence is therefore more a question of trust than a highly probable event, and one practical control is to alternate between remote and on-site audits so that the overall condition of the supplier's facility is still verified periodically.
The more probable risks of remote auditing concern the availability of records, especially for paper-based quality systems. Most people try to address this risk by scanning paper documents and records, but scanning has limited value: it is only efficient when done in large batches by an automated or semi-automated process, whereas auditors and inspectors typically focus on the most recent records and rarely sample 100% of them, so most of the scanning effort is wasted. Therefore, the best risk controls are:
- Ask a guide to send a digital picture of the record.
- Use a tripod-mounted HD webcam focused on a music stand or similar surface.
- Ask the auditee to read the document while you take notes.
In our experience, you will probably rely on all three risk controls, and doing so is unlikely to delay the audit. However, in response to the limited physical access to medical device facilities and personnel, certification bodies are sending out questionnaires to assess the risk of being unable to achieve audit objectives or to cover the required scope of surveillance and recertification audits. As the audit program manager, you can reduce these risks by working with supply chain managers to develop new supplier questionnaires that specifically ask about the supplier's capability to support remote audits. In particular, obtain facility maps that identify areas with inadequate cellular coverage, and have the supplier identify which records are available only in hardcopy format.