
Risk-Based Inspection (RBI) is an inspection approach where regulators prioritize systems, products, and sites based on patient risk and compliance history. Instead of treating every area equally, RBI goes deeper where failures can most affect product quality and patient safety—and “self-inspection” is one of the strongest predictors of whether a site stays in control between regulatory visits.
Schedule M & WHO TRS 986 (8.1–8.4): Self-inspection fundamentals
Across Schedule M and WHO TRS 986, points 8.1–8.4 set the foundation for an effective self-inspection (internal audit) program:
8.1 Purpose and system
The company must run self-inspections to verify GMP compliance and identify gaps for improvement. RBI expects the program to be part of the Pharmaceutical Quality System (not an occasional activity) and to cover all GMP elements (premises, utilities, validation, QC, documentation, warehouses, packaging, etc.).
8.2 Independence and competence
Self-inspection should be conducted by trained, competent personnel, preferably independent of the area being audited. Under RBI, inspectors test whether auditors understand risk (e.g., contamination control, data integrity, mix-up risks) and whether audits are objective—no “friendly audits”.
8.3 Frequency and planning (risk-based)
A written schedule must define frequency and scope. RBI expects frequency to be risk-based: higher-risk areas (sterile, potent products, data-critical labs, aseptic filling, critical utilities) are audited more often, and audits are also triggered by signals (deviations, complaints, OOS trends, major changes, recalls).
8.4 Reporting and follow-up trigger
Self-inspection outcomes must be documented in reports, with observations classified (critical/major/minor or equivalent) and routed into CAPA. Even though CAPA follow-up is emphasized later (e.g., 8.6), RBI still checks at 8.4 whether reports are clear, timely, approved, and linked to action owners and due dates.
What RBI inspectors typically verify (evidence)
- Annual/rolling audit plan with risk rationale and completed audits vs plan
- Auditor qualifications, training, and independence
- Sample self-inspection reports showing strong observations, root-cause thinking, and data integrity scrutiny
- CAPA linkage, overdue controls, effectiveness checks, and trend review of repeat findings
- Management involvement: review, escalation of critical risks, and resourcing decisions
Common RBI red flags: “checklist-only” audits, repeated findings with weak CAPA, and audit scope that ignores high-risk processes.




