/ Animal and Plant Health Inspection Service
Biotechnology Regulatory Services / Document Control #:
1001C
Version:
2.0
APHIS BQMS PROGRAM: AUDIT GUIDELINES / Effective Date: 093010

This document provides general guidelines and expectations for an audit of a Biotechnology Quality Management System (BQMS). These guidelines are organized according to major requirements within the APHIS BQMS Audit Standard. Suggested guidelines are provided for auditors for the on-site audit process. These questions are only intended to be general guidelines, and may not be the actual question used during the on-site audit process. The table provides points for each major requirement that both the auditor and participant should be aware of. These points are intended to serve as suggestions for the audit-flow, evidence that may be sought by the auditor—and likewise, evidence that may be provided by the participant. Finally, the table presents interrelationships between the listed requirements with other requirements of the APHIS BQMS Audit Standard.

Overall suggestions to the auditor:

  • Be flexible.
  • Be respectful of confidential business information and adhere to the participant’s non-disclosure agreements and APHIS Confidential Business Information training.
  • Ask open-ended questions to encourage the participant to describe the process/procedure in question.
  • Seek evidence through the interview process.
  • Many documentation requirements may be assessed via desk audit and can reduce time and expenses if properly conducted.
  • Seasonal gaps in evidence (i.e. records) may occur due to implementation start date of a participant’s BQMS.
  • A BQMS focuses at the management of introducing regulated GE organisms and assesses conformance to the requirements within the APHIS BQMS Audit Standard. APHIS conducts field inspections to assess compliance with 7 CFR part 340.
  • When in doubt, seek guidance from the APHIS BQMS Program technical advisor.

Overall suggestions to the participant:

  • Be flexible.
  • Typical audit questions are intended to determine whether required procedures and processes are in place and the organization is following them (i.e. you are doing what you say you are doing).
  • Be prepared to provide records that demonstrate procedures/processes were followed.
  • The participant must realize that a skilled auditor will be able to audit one process and address conformance with other requirements in the Audit Standard.
  • The purpose of the audit is to determine how well your BQMS is established and implemented. It is NOT a search for non-conformance.
  • Non-conformance does not necessarily equal non-compliance with 7 CFR part 340.

Requirement of the BQMS Audit Standard / Suggested Guidelines / Auditor/Participant Awareness Points / Example interrelationship(s) with BQMS requirements
7.1.1 Site selection planning /
  • How do you ensure that those associated with regulated field trials are trained?
  • How do you ensure access to land for monitoring of volunteers after harvest?
  • How do you obtain knowledge of historical land use and topography of the selected field trial sites?
  • How do you address analysis of critical habitat for threatened and endangered species?
  • How does your organization address supplemental permit conditions?
/
  • Be aware the web sites may be used to link federal regulations as external document(s)
  • Site selection is conducted prior to APHIS approval of a permit or acknowledgement of a notification. The regulated field trial can not be conducted until such approval is obtained
  • Special provisions may be mandated by APHIS. (i.e. supplemental permit conditions). These will be stated in a permit. However, it is not the duty of the auditor to address these unique permit-specific requirements unless they fall into the scope of the organization’s BQMS. A more appropriate focus should be on how the organization addresses supplemental permit conditions.
/
  • 4.2.3 Control of documents: the current procedure pertaining to site selection must be made available at point of use
  • 4.2.4 Control of records: records pertaining to site selection must be readily accessible
  • 6.2.2 Competence, awareness and training: relevant internal personnel and external associates must be trained to the site selection procedure in their delegated responsibilities

7.2.1 Storage /
  • How do you store and identify your regulated GE organisms?
  • Describe how you segregate your regulated GE organisms.
  • What types of containers are used for storage?
  • How is access controlled to storage areas?
/
  • Auditor may obtain evidence of storage from a tour or pictures
  • Relevant personnel must be trained on the storage procedure
  • Signage & verbiage will vary between organizations for security purposes
  • Auditor will inquire access to regulated GE organisms
/
  • 4.2.3 Control of documents: the current procedure pertaining to storage must be made available at point of use
  • 4.2.4 Control of records: records pertaining to storage must be readily accessible
  • 6.2.2 Competence, awareness and training: relevant internal personnel and external associates must be trained to the storage procedure in their delegated responsibilities
  • 6.3 Infrastructure: proper infrastructure must be provided, established and maintained for proper storage

7.2.2 Transport, movement and import of regulated GE organisms /
  • How are regulated GE organisms moved interstate?
  • How are regulated GE organisms moved to and from field(s)?
  • If applicable, how does your electronic shipping/receiving system work?
  • What kind of documentation is included with shipments?
  • How long are shipping records kept?
  • How is packaging material disposed of or returned to use?
  • How do you communicate with recipients of shipments?
/
  • Relevant personnel must be trained on the shipping and receiving procedure
  • Organization must ensure that the most up to date shipping and receiving procedure is available to relevant personnel
  • An explanation of the shipping and receiving procedure is appropriate
  • An auditor may want to inquire about the organization’s import process
/
  • 4.2.3 Control of documents: the current procedure pertaining to transport, movement and import must be made available at point of use
  • 4.2.4 Control of records: records pertaining to transport, movement and import must be readily accessible
  • 6.2.2 Competence, awareness and training: relevant internal personnel and external associates must be trained to the transport, movement and import procedure in their delegated responsibilities
  • 6.3 Infrastructure: proper infrastructure must be provided, established and maintained for proper transport, movement and import

7.2.3 Environmental release planning and monitoring /
  • After BRS approval, what happens next?
  • Explain how field release sites are documented.
  • How do you manage reproductive growth control?
  • Show record of relevant planting equipment clean out?
  • Show records of relevant harvest equipment clean out?
  • Show records of monitoring of volunteers
  • How does your organization address supplemental permit conditions?
/
  • Auditor will ask about roles and responsibilities
  • Auditor will be sampling records as evidence of process control
  • Auditor and participant should decide on species to be audited
  • Audit should focus on management of field activities
  • Auditor and participant should be aware that field sites are inspected by APHIS personnel and is not within the scope of the audit
/
  • 4.2.3 Control of documents: the current procedure pertaining to environmental release planning and monitoring must be made available at point of use
  • 4.2.4 Control of records: records pertaining to environmental release planning and monitoring must be readily accessible
  • 5.4Responsibility and authority: in regard to environmental release planning and monitoring must be defined
  • 5.6 Communication: training must be conducted and communicated to relevant internal personnel and external associates
  • 6.2.2 Competence, awareness and training: relevant internal personnel and external associates must be trained to the environmental release planning and monitoring procedure in their delegated responsibilities
  • 7.2.3g Monitoring of volunteers links to 7.1.1 c provision for rights of access to land

7.2.4 Post-harvest handling and transfer /
  • What happens after harvest?
  • What happens if regulated GE organisms are misidentified?
  • How do you record post harvest equipment clean out?
  • What is the process for identifying/labeling harvested regulated GE organisms?
/
  • If applicable, the auditor may want to seek evidence regarding hand-off to another business division
  • Audit of process may result in a logical transition from 7.2.3, 7.2.4 and 7.2.5
  • Audit process will focus on maintaining identity and segregation of harvested regulated GE organisms
/
  • 4.2.3 Control of documents: the current procedure pertaining to post-harvest handling and transfer must be made available at point of use
  • 4.2.4 Control of records: records pertaining to post-harvest handling and transfer must be readily accessible
  • 6.2.2 Competence, awareness and training: relevant internal personnel and external associates must be trained tot post-harvest handling and transfer procedure in their delegated responsibilities
  • 6.3 Infrastructure: proper infrastructure must be provided, established and maintained for post harvest
  • 7.2.2 Transport, movement and import of regulated GE organisms: by packaging, verification and movement after harvest
  • 7.2.3 Environmental release monitoring and planning: monitoring of environmental release sites per notification / permit conditions must occur post harvest
  • 7.2.5 Devitalization and final disposition: proper measures to devitalize and/or dispose and/or store regulated GE organisms must occur post harvest

7.2.5 Devitalization and final disposition /
  • What is your devitalization process in the field?
  • What happens to regulated GE organisms that is harvested and stored?
  • What happens after seed cleaning or conditioning?
  • How do you record the method of devitalization?
  • How is the regulated GE organism used if it is not devitalized or disposed of, if applicable?
/
  • Auditor should be aware that an organization must consult with APHIS before using any regulated GE organisms for an alternative use
  • Records of final disposition should be reviewed
  • Identity and control of regulated GE organisms should be properly addressed
/
  • 4.2.3 Control of documents: the current procedure pertaining to devitalization and final disposition must be made available at point of use
  • 4.2.4 Control of records: records pertaining to devitalization and final disposition must be readily accessible
  • 6.2.2 Competence, awareness and training: relevant internal personnel and external associates must be trained to devitalization and final disposition in their delegated responsibilities
  • 6.3 Infrastructure: proper infrastructure must be provided, established and maintained for devitalization and final disposition

7.2.6 Regulatory compliance reporting and resolution /
  • How does your self reporting process work?
  • What are the roles and responsibilities in terms of reporting compliance incidents?
  • How is a potential compliance incident tracked from report to closing?
  • How do you communicate potential compliance incidents internally and externally?
  • What kind of training is provided to ensure that relevant personnel are aware of potential compliance incident reporting requirements?
/
  • An auditor may seek a flow chart as evidence of the documented process
  • Roles and responsibilities of who is in charge of field trial must clearly be established
  • The auditor may want to seek guidance from the technical advisor in this section
/
  • 4.2.3 Control of documents: the current procedure pertaining to regulatory compliance reporting and resolution must be made available at point of use
  • 4.2.4 Control of records: records pertaining to regulatory compliance reporting and resolution must be readily accessible
  • 5.4 Responsibility and authority: in regard to regulatory compliance reporting and resolution roles must be defined
  • 6.2.2 Competence, awareness and training: relevant internal personnel and external associates must be trained to compliance reporting and resolution in their delegated responsibilities
  • 6.3 Infrastructure: proper infrastructure must be provided, established and maintained for compliance reporting and resolution

7.3 Management of external associates /
  • How do you manage external associates?
  • In regard to your external associates, who is trained?
/
  • The auditor should assess how the organization provides the most current version of procedures/work instructions/forms for external associates
  • External associates must clearly be defined
/
  • 4.2.3 Control of documents: the current relevant procedures must be made available at point of use for external associates
  • 4.2.4 Control of records: relevant records must be readily accessible
  • 5.4 Responsibility and authority: roles must be defined
  • 5.6.1 External communication: management of external associate requires proper communication.
  • 6.2.2 Competence, awareness and training: relevant internal personnel and external associates must be trained to compliance reporting and resolution in their delegated responsibilities

4.2.1 (b) Quality policy and objectives /
  • What are your organization’s quality objectives?
  • How do you measure your quality objectives?
/
  • Objectives should not be an established regulation and/or BQMS Standard requirement
  • Be aware of organizations that have global or higher-level objectives. (i.e. ISO 9001)
  • A participant may have an established QMS and should demonstrate how BQMS fits within their existing system
/
  • 5.1 Management commitment: commitment is demonstrated through the development and implementation of the quality objectives
  • 5.7 Management review: quality objectives are reviewed and revised during the management review for continued suitability with regard to data
  • 8.2.1 Internal audit: quality objectives are reviewed for evidence of effectiveness during the internal audit
  • 8.3 Analysis of data: the measurement of quality objectives generate data that is analyzedfor suitability and effectiveness
  • 8.4.1 Continual improvement: quality objectives are the foundation of continual improvement

4.2.2 Quality manual /
  • How is your quality policy communicated within your organization?
/
  • The quality manual will be thoroughly reviewed during the desk audit. Questions may be addressed at both the desk and on-site audit.
  • The quality manual may reference the procedures
  • The quality manual is the foundation of document control
  • An auditor will confirm that the objectives, policy and scope are components of the quality manual
  • Organizational chart will be reviewed during both the desk audit and on-site audit for suitability
  • Top management may be defined within an organization’s existing global or higher-level QMS. The auditor will need to be aware of this relationship to BQMS
  • Top management identified in the organizational chart should be appropriate for the scope of the BQMS
/
  • 4.2.3 Control of documents: control notation must be updated if any revisions are made to the quality manual and associated documents
  • 5.1 Management commitment: commitment is demonstrated through the development and implementation of the quality manual
  • 5.6.2 Internal communication – internal personnel has access to and understands the quality manual
  • 5.7 Management review – quality manual is reviewed and revised during the management review for continued suitability

4.2.3 & 4.2.4
Document and record
control /
  • How does your electronic document control system work? (if applicable)
  • How are your procedures distributed and controlled?
  • What is your records retention policy?
  • How do you control obsolete records/documents?
/
  • Auditors may be asked to review an electronic document system
  • Organizations must be able to provide appropriate access to their respective document/record control system(s)
  • Auditor will want to ensure that appropriate documents are available to external associates
  • Seasonal segments of an organization’s BQMS implementation may occur
/
  • 5.6 Communication: ensures that internal personnel and external associates have access to current and relevant documents/records

5.1 Management commitment /
  • Who is considered top management in your organization BQMS?
/
  • Auditor should be able to determine management commitment throughout the entire audit process
/
  • 4.2.2 Quality manual: management commitment will be stated in the quality manual
  • 5.4 Responsibility and authority: management defines and communicates the roles and responsibilities of relevant personnel

5.3 Quality planning /
  • How does internal communication work with changes are made to your BQMS or procedures?
  • How does relevant information flow through your organization?
/
  • Changes that are made in terms of quality planning need to be communicated both internally and externally throughout the organization
  • An organizational or process interrelationship chart may be a way that an organization shows their information flow
/
  • 4.2.3 Control of documents: quality planning could lead to the revision of documents
  • 5.4 Responsibility and authority: the primary function of top management is quality planning
  • 5.6 Communication: results of quality planning needs to be communicated
  • 5.7 Management review: the primary function of quality planning is demonstrated in the management review meeting

5.6.1 External communication /
  • How do you communicate with external associates?
  • Who is responsible for communication with external associates?
/
  • External associates must be well defined
  • Appropriate and relevant documents must be made available to external associates
/
  • 4.2.3 Control of documents: external associates must have access to current relevant documents
  • 4.2.4 Control of records: external associates may temporarily store and must have access to current relevant records
  • 5.4 Responsibility and authority: responsibility delegated to external associates must be communicated
  • 6.2.2 Competence, awareness and training: external associates must be trained in relevant aspectsto their delegated responsibilities
  • 7.2 Critical control points and procedures (all, where applicable): relevant aspects of critical control points and procedures must be communicated to internal personnel and external associates

5.6.2 Internal communication /
  • How do you communicate with internal associates?
/
  • Internal personnel or departments must be well defined
  • Appropriate and relevant documents must be made available to internal associates
/
  • 4.2.3 Control of documents: internal personnel must have access to current relevant documents
  • 4.2.4 Control of records: internal personnel must store and have access to current records
  • 5.4 Responsibility and authority: responsibility delegated to internal personnel must be communicated
  • 6.2.2 Competence, awareness and training: internal personnel must be trained in relevant aspectsto their delegated responsibilities
  • 7.2 Critical control points and procedures (all, where applicable): relevant aspects of critical control points and procedures must be communicated to internal personnel and external associates

5.7 Management review /
  • When will your management review be conducted?
  • What is your management review frequency?
/
  • The audit will focus on the inputs and outputs of the management review meeting
/
  • 8.2.1 Internal audit: internal audit will be reviewed during the management review
  • 8.4.1 Continual improvement: continual improvementwill be reviewed during the management review
  • 8.4.2 Corrective action: corrective action(s)will be reviewed during the management review
  • 8.5 Preventive action: preventive action will be reviewed during the management review

6.2.2 Competence, awareness and training /
  • How do you measure the effectiveness of your training program?
  • How do you ensure that those associated with regulated field trials are trained?
  • How is competency addressed?
  • Do you train external associates?
  • How is training delivered?
/
  • Auditor can request to view the training program and any other appropriate information
  • Auditor should seek improvements to the training program
  • The organization may have a variety of methods and media for training relevant personnel
  • Audit should seek measurement of effectiveness of the organization’s training program
  • Relevant external associates must be trained
  • Evidence of competency may include job descriptions and/or job posting information
/
  • 5.6 Communication: training must be conducted and communicated to relevant internal personnel and external associates
  • 8 Monitoring, Analysis and Improvement: training program(s) are monitored, analyzed and improved effectiveness and suitability

6.3 Infrastructure /
  • How would you describe your organization’s infrastructure?
  • How are resources provided to achieve conformance?
/
  • Evidence of infrastructure can be obtained through a tour of facilities, pictures, etc
/
  • 7.2 Critical control points and procedures: proper infrastructure must be provided, established and maintained for the implementation of critical control points and procedures

8.2.1 Internal audit /
  • Who is involved in resolving corrective actions for your BQMS?
  • What is your corrective action process for your BQMS?
  • Who can initiate a corrective action?
  • What is your internal audit frequency plan?
/
  • The internal audit process and outputs will be reviewed
  • Roles and responsibilities must clearly be defined in terms of the internal audit
  • Because of implementation start date the auditor may or may not be able to review the results of a full internal audit
/
  • 4.2.3 Control of documents: the current procedures must be made available for internal audit
  • 4.2.4 Control of records: relevant records must be readily accessible pertaining to the internal audit
  • 5.4 Responsibility and authority: roles must be defined for the internal audit
  • 5.7 Management review: a report pertaining to the internal audit must be given at the management review meeting
  • 8.4.2 Corrective action: corrective action(s) may be initiated during the internal audit
  • 8.5 Preventive action: preventive action(s) may be initiated during the internal audit

8.2.2 Monitoring of process /
  • How do you monitor your BQMS processes?
/
  • This encompasses the organization’s overall approach to entire their BQMS
  • Evidence of process monitoring is collected throughout the audit
/
  • 8.2.1 Internal audit: processes are monitored/measured during the coarse of the internal audit
  • 8.4.2 Corrective action: corrective action(s) may be initiated at any time and/or during the internal audit
  • 8.5 Preventive action: preventive action(s) may be initiated at any time and /or during the internal audit

8.3 Analysis of data /
  • What data are you going to analyze?
  • How are going to use this information?
  • If applicable, what will be the frequency of surveys?
/
  • Data collected from the quality objectives will be addressed in this section
  • The outcome of data analysis will be reviewed in the management review meeting
  • Data from internal and external audits are applicable
/
  • 4.2.1 General: data produced from measurable quality objectives should be analyzed
  • 5.7 Management review: data collected may be presented at management review

8.4 Improvement /
  • How has the implementation of your BQMS improved your organization?
  • Tell us about specific improvements that were made to your management system.
  • Tell us about your corrective action procedure and how it is used?
  • How are you determining effectiveness of the corrective actions?
/
  • Organizations typically have challenges tracking improvements (i.e. giving themselves credit for continual improvement)
  • Review root cause analysis
  • Corrective action(s) should be appropriate for the scope and potential impact of a non-conformance
/
  • 5.7 Management review: corrective action and continual improvement will be used as input into management review meeting
  • 8.2.1 Internal audit: corrective action may be a result of an internal audit

8.5 Preventive action /
  • Can you explain the difference between your corrective and preventive action procedures?
/
  • The auditor may be able to view current preventive actions as evidence
/
  • 5.7 Management review: preventive action will be used as input into management review meeting
  • 8.2.1 Internal audit: preventive action may be a result of an internal audit

Page 1 of 12