Assessments and Auditing

Now we need to understand how to apply these ideas as a strategy, to go beyond particular problems that are brought to our attention, to address all the components of sampling. In this chapter, we propose an approach to sampling that uses the previous theoretical information in a practical way. The strategy has three parts audit, assessment, and action. 

Safety Lifecycle activities including audits, assessments, and verifications. 

Participating and supporting internal and external audits, assessments, and self-assessments of SNL/NM Industrial Hygiene Program. 

Results of the verification are documented in such a way that the documentation can be used directly for internal reviews and external audits, assessments and inspections, see for example Figure 4. 

The term is not used in ISO 26262, but does not mean any contradiction Those ideas and terms are illustrated in ISO 26262 in a different or similar context. For example coexistence of software of different criticality (different ASIL) doesn t see a risk if functions are similar but if these functions can influence each other negatively. Furthermore, it is important to mention that ISO 26262 uses and defines the terms validate, verify, analyze, audit, assessment and review in context of functional safety for road vehicles differentiy. These examples also show that requirements, terms or definitions within ISO 26262, depending from which activity or context they are used, can lead to different interpretations or meanings. 

The safety analyses typically include a review of crash history to see if a crash problem exists. However, some states are incorporating new safety tools and methods to include road safety audits/assessments and the application of safety models found in the new Highway Safety Manual. 

The RIMP process was Initiated and is being conducted In a manner that assures the relevant SRS specific Issues are being addressed. Through the rigorous application of comprehensive RIMP evaluation criteria, potential safety Issues were dispositioned. The completeness of the RIMP process ensured that restart sensitive Issues were identified in a timely manner. The overall success of this program Is due. In part, to the contribution made by the Issue Management Committee. As supported by the various audits, assessments and surveillances, the RIMP process has proven to be very thorough. 

Do audits assess that quality and safety activities comply with planned activities, that the quality and safety system are effective and that defined procedures and methods are being followed ... 

The following references will help you develop techniques for applying pollution prevention audits. Use the examples in Chapter 2 as a basis to tailor audit questions and to focus on areas of opportunities. Finally, Chapter 8 will help you in developing the tools needed to assess the financial attractiveness of the pollution prevention opportunities you identify. 

These lists tell us something about the nature of quality records, especially by what is not included. Absent from the lists are policies, procedures, instructions, plans, specifications, and any other prescriptive documents. The records all have one thing in common they describe the results of some activity - the results of inspections, tests, reviews, audits, assessments, calculations, etc. However, these lists are dominated by records relating to product quality rather than to the operations of the quality system. In addition to audit records, the following records may need to be maintained to demonstrate the effectiveness of the quality system ... 

The aforementioned reviews and assessments were assimilated to characterize the effect of dielectric, rotational, and mechanical hazards on motor performance and operational readiness. Functional indicators were identified that can be monitored to assess motor component deterioration caused by aging or other accidental stressors. The study also includes a preliminary discussion of current standards and guides, maintenance programs, and research activities pertaining to nuclear power plant safety-related electric motors. Included are motor manufacturer recommendations, responses from repair facilities to a questionnaire, in-service inspection data, expert knowledge, USNRC-IE audit reports, and standards and guides published by the Institute of Electrical and Electronics Engineers (IEEE). 

Because of the complexity of computer hardware and software and because of the intricacy of a risk assessment, the FDA has to all intents and purposes adopted an indirect regulatory posture. Regulated companies are informally urged to conduct independent audits of Part 11 compliance, utilizing in-house or consultant expertise. The agency can then review the details of the audit report and the credentials for experience, expertise, and independence of the auditor. Follow-up investigation of speciflc points can then be laser-focused on specific areas of concern. 

ISO has two important functions in analytical chemistry. The first is to publish descriptions of accepted methods. These are effectively industry standard methods for particular protocols. The second is in laboratory accreditation. For a laboratory to be ISO accredited, compliance with international QA standards must be confirmed by an initial assessment and subsequently from repeated audits by an independent assessor. Since ISO has no legal or regulatory powers, the standards are voluntary. It is unlikely, however, that a forensic analysis which did not conform to an ISO standard would be upheld in court, for example. Most commercial laboratories need to be accredited to remain competitive and to deal with regulatory authorities. Most university labs are not accredited, mainly due to the time and costs involved, and also to the nonroutine nature of much university research. However, university accreditation may become a requirement in the near future, especially for publicly funded research in the UK. The details of laboratory accreditation are discussed by Christie et al. (1999) and Dobb (2004). 

CRAs achieve these tasks through frequent visits to the clinical trial site. During these visits, the monitor will verify source data, audit regulatory documents for accuracy and completion, perform drug accountability assessments, and communicate any concerns, problems, or new information with the study staff. 

Identifying and analyzing fire hazards and scenarios is the next step in a fire risk assessment. The hazard identification should be structured, systematic, audit-able, and address all fire hazards, including nonprocess fires. The result of the hazard identification is a list of potential fire hazards that may occur at the facility, for example, jet, pool, flash, BLEVE, electrical, or Class A fires. This list should also include the location where each fire could occur. Hazard identification techniques used to identify potential hazards are shown in Table 6-1. 

This table may also be incorporated into the PSM program assess-ment/audit protocol and used during periodic PSM program evaluations.9)... 

The ISO has also produced a set of quality standards specifically for environmental management. This is the ISO 14000 series. The areas addressed by ISO 14000 are Environmental Management Systems, Environmental Performance Evaluations, Environmental Auditing, Life Cycle Assessment, and Environmental Labeling. 

Planning documents preparation —Laboratory procurement —Field and sampling equipment procurement —Preparation for mobilization —Field sampling —Field and laboratory audits —Sampling and laboratory oversight —Data evaluation —Data quality assessment... 

Cl Assessment and response actions C2 Reports to management 4.6.3 Systems and performance audits... 

Another annoying feature of most audit assessment tools is that they provide information about the vulnerabilities found, and not the ones that do not exist in the information system. It is therefore difficult to practice anticorrelation and degrade the severity of events that are not security risks for the information system. To obtain this effect, we currently manually maintain a set of simple rules indicating which vulnerability sets cannot be found in our corporate network. For example, we exclude all IIS vulnerabilities from events coming from hosting zones, as we do not offer this platform in our services. Note that we do not consider here the case where the vulnerability assessment tool fails to discover the vulnerability. Audit information is considered trusted. 

The International Standards Organization (ISO) definition of audit is Systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which agreed criteria are fulfilled. The bottom-line goal of the software developer audit process is to allow you to assess the developer s quality assurance (QA) system. 

External audits of raw material suppliers and contracted services should be handled in much the same way as the internal QAP. Audit protocols should be customized and tailored to the specific organization to be audited. For example, an assessment of a contract laboratory service should be conducted under the auspices of the internal audit team and follow similar procedures in terms of identifying deficiencies, installing corrective and preventative measures, and reports issuing. It is an advantage to employ the same personnel for both the internal and external audits. This approach assures a standardized and uniform audit procedure across the board. 

A great failure routinely exhibited by many internal audit programs is the lack of an internal rating system. The results of every audit should receive a rating, and each audit should be measured against the previous audit(s) in an effort to determine whether or not the firm is making the necessary improvements. Evidence of continued digression or lack of any improvement audit to audit would serve as a very useful quality indicator and real-time alert mechanism for QA to use as part of its product quality assessment and future release decisions. 

Cameron I, Curran S, Newton P, Petty D, Wattis J. Use of donepezil for the treatment of mild-moderate Alzheimer s disease an audit of the assessment and treatment of patients in routine clinical practice. Int J Geriatr Psychiatry 2000 15(10) 887-91. 

OQ protocols should define any ordering between individual tests. Specific tests may be reconunended by Supplier Audit, GxP Assessments, and Design Reviews. The RTM should be updated with OQ cross-references. The RTM should specifically identify where GxP functionality identified by the GxP Assessment is tested. 

Conduct a compliance gap analysis on the GxP-relevant components and fnnctions of the system with reference to the past operational experience. Assess the completeness of documentation, outstanding internal audit observations, and ontstanding regulatory commitments. 

An audit report will be produced for each supplier, documenting the positive and negative observations made during the assessment of the response to the postal audit questionnaire and/or the site audit. All corrective actions must be followed up, possibly requiring further site visits, in order to ensure that nonconformance issues have been appropriately addressed in a timely manner to minimize the impact on project success. 

Electronic records requiring particular regulatory control should be identified based on critical process control points and associated critical parameters that directly impact product quality or product safety. A defined process should be used to conduct this analysis, and it should be one that builds on or is complementary to any assessment conducted as part of product registration. Consistency is key. There may be additional records identified by predicate rules but care must be taken not to extend beyond these records. A risk assessment should be conducted to determine appropriate electroific record management controls such as audit trail and archiving. Electronic records will need to be archived for retention periods specified in predicate rules. Other data related to process performance rather than product quality or product safety requires only basic data maintenance and may be retained for much shorter periods before being purged. 

When we learn of a sampling problem, we often focus on an obvious culprit. The particular issue may be a procedure, a collection device, or handling, for example. With this approach, we do not look beyond what we know to be wrong. We are content to solve the visible problem at hand. Since we don t see the whole picture, we are oblivious to other sampling issues that may arise in the future. We thus recommend that the first step be a sampling audit, allowing us to look at all the sampling components. An audit provides a firm basis for a detailed assessment and, if necessary, action. 

---