Establishing an initial audit schedule for Pharma Suppliers


Hello Everyone - could use some guidance on how to go about establishing an initial audit period for direct material suppliers. We have an SOP which outlines qualification requirements for new suppliers and a process for determining audit schedules for established suppliers, but it doesn't outline how to set up when to perform your first 'post-qualification' audit.

I'll explain the process, it's risk based and many of you probably understand risk based analysis immediately - it's new for me so I'm writing it out more for my benefit than yours. :)

For a new supplier we determine how to qualify, based on the severity of an adverse impact on a patient if there was a failure of the direct material(s) we obtain from them. So for example, if the failure of a material would lead to serious adverse health consequences, permanent disability or death, affects product quality parameters, etc., etc., it would be considered catastrophic, and have a severity score of ten. I wont go into each category, but they get less in severity, 8,6,4,2. The score determines the tool you use to qualify the supplier ((either a supplier questionnaire (SQ) or on-site audit)). So a low score may just require a SQ, a high score may require an on-site audit. And then the outcome of the SQ or audit evaluation determines if you will approve, conditionally approve, or not approve the supplier.

Then we have a section for managing suppliers, where the audit frequency is determined by taking into account the severity score of the direct material (from above), and multiplying it by probability of occurrence, probability of occurrence being the likelihood a supplier will have a particular failure. In our SOP, probability of occurrence is associated with a risk number, which is generated by evaluating historical aspects such as audit history, deviations, market complaints, supplier capability.

So for instance, if in a measured period of time we had a high number of material deviations related to issues found at the Supplier, we would call them a high risk supplier, with an appropriately matched score (say like 8 - issues occur frequently). This score is multiplied by the severity score we generated above, and the resulting number tells you the frequency you should be auditing (2, 3, 5 years or none required). Example, severity score of the material is 8, probability of occurrence is 8, you get 64. Per our PRN matrix a score of 64 requires an audit every 2 years.

Where I'm challenged is, how should I determine the time before the initial audit? After qualifying a new Supplier from an SQ or on-site audit, I dont have any historical data yet to assess (audit history, deviations, market complaints, supplier capability) as they are new, so I can't establish a cadence yet. But I want a trigger for when I need to perform the first audit. Is it simply a matter of saying all new suppliers will be evaluated after 6 months, a year, etc? Then after that period of time, you assess Supplier performance and generate your audit cadence based on the formulas above? Am I overthinking this?

Any tips or advice you pros would give, would be greatly appreciated. Thank you in advance for your time. :)


Jen Kirley

Quality and Auditing Expert
Hello AwwPhooey,

It is true that planning audits should be done based on risk and data. Critical status is also a major factor.

Further factors need time to determine, such as defect rate and/or x period of time with a supplier score below y based on criteria set out as a, b and c. I usually see this as a 3-month period with audit schedule evaluation taking place yearly.

I hope this helps.
Top Bottom