Taking a Risk-Based Approach to Drug Inspections

A concise history of FDA’s risk-based Site Selection Model

Dirk Dusharme @ Quality Digest

February 19, 2019

As the United States struggles with rising healthcare costs, reducing the amount of money pharmaceutical companies spend dealing with regulation, while at the same time meeting drug safety requirements, would seem to be competing interests.

The goal of any honest pharmaceutical company is to make money producing a safe product that consumers need and getting it to market as quickly as possible. But the U.S. Food and Drug Administration’s (FDA) job is to make sure drugs are safe, and that means oversight (some would say excessive oversight), and oversight means costs and delays for manufacturers.

The FDA isn’t blind to this issue. In an October 2005 FDA/ISPE workshop, Dr. Janet Woodcock, director for the FDA Center for Drug Evaluation and Research (CDER) stated that a common goal of industry, consumers, and regulators was to have a “a maximally efficient, agile, flexible pharmaceutical manufacturing sector that reliably produces high-quality drugs without extensive regulatory oversight.”1

That’s about as plain as you can get when it comes to meeting the quality and safety goals for all stakeholders in drug quality. Drug makers want an efficient and agile development and manufacturing system because that allows them to get products to market faster; consumers (and regulators) want safe, high-quality drugs; and everyone wants this to happen with the least amount of government oversight possible. As to the latter: For manufacturers, excessive government oversight is expensive and can delay product release, the costs for which are passed on to consumers. For consumers, less oversight means quicker access to new or less-expensive drugs. And for regulators it’s about making better use of already limited manpower.

Taking a risk-based approach

Before 2005, the FDA’s method for pharma company site visits was pretty much a brute-force method of biennial inspections for all regulated companies. The problem with that system, if practiced today, is that there are more than 13,000 pharmaceutical manufacturing sites worldwide (this includes human and veterinary drugs), about one-third of which are located outside the United States.2 And that’s just for pharmaceutical manufacturing. Add to that all the medical device manufacturers and companies in the food industry, and there is no way the FDA can inspect all regulated sites on a regular and consistent basis. Given its limited manpower, then and now, this translates to less oversight and potentially less drug safety.

In part to address this issue, Woodcock introduced the concept of risk management in 2000 as a new approach to drug safety, and in August 2002 the FDA announced a new initiative, the Pharmaceutical Current Good Manufacturing Practices (CGMPs) for the 21st Century.3 The FDA wanted—needed actually—to modernize the regulation of pharmaceutical manufacturing and product quality, and as it put it, “bring a twenty-first century focus to this critical FDA responsibility.” Although safety was a key concern, the initiative also helped the FDA address the manpower shortage that prevented the agency from regularly inspecting all pharmaceutical companies, foreign and domestic, using the previous biennial inspection approach.

Since 2002, Woodcock has led the “Pharmaceutical Quality for the 21st Century Initiative,” the FDA’s highly successful effort to modernize drug manufacturing and its regulation. A key element of the initiative, which should be old-hat to most U.S. manufacturers, is to apply modern quality management techniques, including quality system approaches, to all aspects of pharmaceutical production and quality assurance.

One of the outcomes of the initiative was to implement, beginning in 2005, a risk-based approach to prioritizing human drug manufacturing sites for routine CGMP surveillance inspection.4 Keep in mind, it was about the early 2000s that risk-based approaches and risk-based thinking were being broadly talked about in many industries, and also showed up in the ISO 9001:2008 quality management system standard. So it made sense that the FDA would look at risk-based approaches as well.

Risk and the Site Selection Model

What came out of 2005 initiative was a site selection model (SSM) that replaced the agency’s previous approach—a biennial inspection for domestic sites—with a requirement that the FDA inspect domestic and foreign drug establishments “in accordance with a risk-based schedule” that considers establishments’ “known safety risks.” Thus, sites would get a routine inspection at a frequency that was based on risk, regardless of location. The hoped for outcome, according to the FDA, was “to promote parity in inspectional coverage and the effective and efficient use of FDA resources to address the most significant public health risks.”

The beauty of this risk-based approach is that it makes better use of the FDA’s already stretched human resources, focusing them on higher-risk companies rather than doing biennial inspections of companies regardless of whether their products present a risk or not. For companies, the benefit is that as long as their products are not high-risk products to begin with, and that they have not had any adverse events with their products, they can go many years without an FDA inspection. For consumers, the approach could hopefully lower drug costs and get critical products to market faster.

As you can see in the following list, the FDA’s approach takes a patient-centric view and attempts to identify and prioritize the factors that could lead to increased risk for patients. Based on the following, companies are prioritized for a site visit. The more risk, the more likely you will get a site visit. Certain companies are exempt from the SSM for various reasons, e.g., certain compounding sites, medical gas sites, excipients, and investigational drug manufacturing sites.

From the FDA’s Manual of Policies and Procedures, “Understanding CDER’s Risk-Based Site Selection Model,” the following are currently identified as risk factors for inclusion in the SSM:
• Site type. For instance, is this a manufacturer of drugs (higher risk) or a packager (lower risk)?
• Time since last surveillance inspection, or if the site was never previously inspected. The longer since your last inspection, the more likely you will be moved up the list.
• FDA compliance history. Is this site already on the FDA’s radar because of past violations, for instance?
• Foreign regulatory authority inspectional history. If this is a foreign company, has it been inspected by a recognized foreign authority?
• Patient exposure
• Hazard signals such as field alert reports (FARs), entries in FDA’s Adverse Event Reporting System (FAERS), a Biological Product Deviation Report (BPDR), MedWatch reports, recalls, and so forth. In other words, have flags been raised about a company’s products?
• Inherent product risk. These are risks associated with the product itself, which can be dosage form, how the drug is administered, therapeutic class, and more.

To ensure the list stays current, the risk factors are periodically reviewed and could be added to or changed in the future.

Still lacking some transparency

Of course, knowing the risk factors, companies might ask how the FDA weights these different factors to come up with the SSM prioritization. As Barbara Unger writes in her column, referring to FDA compliance history: “In the interest of transparency, it would be helpful to understand what is considered in this risk factor and whether it is based on empirical data or expert judgment. More important, and challenging, is the weighting applied to each of the identified risk factors as a site score is assigned.”

As of this writing, we don’t know. We are waiting on a response from the FDA on how it implements its prioritization. But although this is an interesting question, does it really matter? If the goal was to move away from a purely blind adherence to a frequency-based inspection model, which can no longer be met, and instead base inspections on consumer risk, this seems like the logical route to take, regardless of how factors are weighted.

And, as Unger also points out, the FDA is now doing what industry has done for quite a while. It’s “remarkably similar to processes that pharmaceutical firms use to determine inspection frequency for their suppliers, CMOs, and company-owned manufacturing sites, so it should come as no surprise to the regulated industry,” says Unger.


We all want safe drugs. But we also want them to be affordable. We also want access to life-saving or life-altering drugs as soon as possible. Manufacturers want that, too, of course. Balancing safety, cost, and accessibility of drugs within a highly-regulated environment is challenging. The FDA’s risk-based approach to quality makes sense on all fronts.

1.Roy, Michael J. Biotechnology Operations: Principles and Practices. CRC Press, 2011, p.166.
2. Dept. of Health and Human Services, U.S. Food and Drug Administration. “2017 Annual Report on Inspections of Establishments in FY 2016.”
3.Dept. of Health and Human Services, U.S Food and Drug Administration. “Pharmaceutical CGMPS for the 21st Century—A Risk-Based Approach, Final Report.”  September 2004.
4. Center for Drug Evaluation and Research, Office of Pharmaceutical Quality. “Understanding CDER’s Risk-Based Site Selection Model,” Manual of Policies and Procedures. MAPP 5014.1.  Sept. 26, 2018.

About The Author

Dirk Dusharme @ Quality Digest’s picture

Dirk Dusharme @ Quality Digest

Dirk Dusharme is Quality Digest’s editor in chief.