You are on page 1of 34

BEST PRACTICES

FOR INTERNAL AND


SUPPLIER AUDITING
September 26, 2014
David L. Chesney, Vice President and
Practice Lead, Strategic Compliance Services
PAREXEL Consulting, Waltham, MA USA
dave.chesney@parexel.com
+1-781-434-4092

Omics Group 3rd International Summit


on
GMP, GCP and Quality Control
Valencia Convention Center
Valencia, Spain

CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED.

AGENDA
Review regulatory audit requirements EU, US
Internal auditing EU and US requirements
Supplier auditing EU and US requirements

Auditing organization and operations


Objective setting
Risk basis
Decision on audit outcomes

Special considerations for supplier auditing

CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED.

Internal and Supplier


auditing EU and US
requirements

CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED.

REGULATORY REQUIREMENTS
Requirements for the conduct of audits (internal and supplier
audits) vary from one authority to another
All authorities clearly expect internal and supplier audits to be
conducted, though not all specifically and literally require such
audits
Despite the lack of uniformity and clarity of the regulatory
requirements, sound quality management principles and
conventional industry practices combine to establish auditing
programs as a current good practice for the industry, world
wide.
This presentation will compare the US and EU requirements to
illustrate how different regulatory authorities deal with the topic.
Companies should be aware of other countries requirements that
may impact their operations conducted in those countries.

CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED.

GMP REQUIREMENTS FOR INTERNAL AUDITING: US


The US Drug GMP, 21 CFR 211, does not specifically require
internal auditing; however, some other similar US GxP regulations
do
The US Medical Device QSR (the device GMP regulation), 21
CFR 820, does specifically require internal audits:
21 CFR 820.22: Quality audit. Each manufacturer shall establish procedures for
quality audits and conduct such audits to assure that the quality system is in
compliance with the established quality system requirements and to determine the
effectiveness of the quality system.(continues)

The US Human Cells, Tissues, and Cellular and Tissue Based


Products regulation, 21 CFR 1270, does specifically require
internal audits:
21 CFR 1271.160(c): Audits. You must periodically perform for management review a
quality audit, as defined in 1271.3(gg), of activities related to core CGTP requirements.

CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED.

GMP REQUIREMENTS FOR INTERNAL AUDITING: EU


Eudralex, Vol. 4, Part 1, Chapter 1, Quality Management, Section
1.1, Quality Assurance, Subparagraph ix:
The system of Quality Assurance appropriate for the manufacture
of medicinal products should ensure that:
(ix) there is a procedure for Self-Inspection and/or quality audit, which regularly
appraises the effectiveness and applicability of the Quality Assurance system.

Eudralex, Vol. 4, Part 1, Chapter 9, Self Inspection, is devoted


entirely to this requirement: Self inspections should be
conducted in order to monitor the implementation and compliance
with Good Manufacturing Practice principles and to propose
necessary corrective measures.

CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED.

GMP REQUIREMENTS FOR SUPPLIER AUDITING


United States
Auditing of suppliers is not a literal GMP requirement but is clearly an FDA expectation
21 CFR 211.22(a): The quality control unit shall be responsible for approving or rejecting
drug products manufactured, processed, packed, or held under contract by another company.
21 CFR 211.84(d)(3): Containers and closures shall be tested for conformity with all
appropriate written specifications. In lieu of such testing by the manufacturer, a certificate of
testing may be accepted from the supplier, provided that at least a visual identification is
conducted on such containers/closures by the manufacturer and provided that the
manufacturer establishes the reliability of the supplier's test results through appropriate
validation of the supplier's test results at appropriate intervals.

CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED.

KEY GMP PROVISION OF FDASIA


The FDA Safety and Innovation Act (FDASIA) was signed into law
July 9, 2012. It is a complex bill with 11 Titles. Title VII deals with
the drug supply chain.
FDASIA Title VII, Section 711, specifies that GMP includes the
implementation of quality oversight and controls over the
manufacture of drugs, including the safety of raw materials,
materials used in drug manufacturing, and finished drug
products; the bill states as follows:
Section 501 (21 U.S.C. 351) is amended by adding at the end the following flush text:
"For purposes of paragraph (a)(2)(B), the term 'current good manufacturing practice'
includes the implementation of oversight and controls over the manufacture of drugs to
ensure quality, including managing the risk of and establishing the safety of raw materials,
materials used in the manufacturing of drugs, and finished drug products.".

CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED.

GUIDANCE ISSUED TO DATE

CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED.

ICH Q10 ON SUPPLIER AUDITS


Section 2.7: The pharmaceutical quality system, including the
management responsibilities described in this section, extends to
the control and review of any outsourced activities and quality of
purchased materials. The pharmaceutical company is ultimately
responsible to ensure processes are in place to assure the control
of outsourced activities and quality of purchased materials. These
processes should incorporate quality risk management and
include
Prequalification of suppliers
Defining roles and responsibilities via a written agreement
Monitoring and review of supplier performance
Monitoring of incoming shipments to ensure they are from approved sources

CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED.

10

Audit Group
Organization and
Operations

11

CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED.

AUDIT ORGANIZATION STRUCTURE


Commonly, the audit group reports to the Head of Quality, at the
Corporate level in large companies or sometimes at a site level in
smaller companies
Some companies want more independence and separation from the
rest of the organization. Some trends we are seeing in the United
States include:
Establishment of a Compliance organization within the Quality Unit, reporting directly to
the most senior VP in the Quality Unit
Auditing groups that report to the Chief Compliance Officer (mainly in the US)
Consolidation of auditing functions in a single group: GMP, GCP, GLP, GDP,
Pharmacovigilance (drug safety) and sometimes other related functions

CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED.

12

AUDIT PROGRAM OBJECTIVES


Must decide what the purpose(s) of each audit will be:
GMP compliance EU, US, or world wide standard?
Compliance with Marketing Authorization, NDA, BLA, etc.
Compliance with company policies and procedures
Matching of health regulatory agency procedures to duplicate regulatory inspections
Rehearsal of site staff to be part of regulatory agency inspections
Supplier audits: Compliance with the contract terms

CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED.

13

ROLE OF THE AUDITOR


Must decide the preferred role for the auditor: Policeman or
Consultant?
Policeman: Auditor remains completely objective, points out gaps,
offers no assistance in solutions to those gaps
Consultant: Auditor points out gaps, offers suggestions for
corrective action, but responsibility for final design and execution
of CAPA remains with the audited organization.
Special case: During supplier auditing, the Auditor should be a
Policeman regarding the CMOs compliance with contract
obligations

CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED.

14

AUDITOR TRAINING AND QUALIFICATIONS


Auditors should always be trained in:
Technical operations equipment, facilities, processes, quality systems
Regulatory requirements for the countries served by the sites they will audit
Detection of data integrity problems
Auditing methods and practice
Company policies, contractual requirements and expectations

In addition, Auditors benefit by training in:


Investigative interviewing techniques
Legal aspects Drug law, regulatory agency authority as stated in law
Regulatory agency methods and practices for inspections
Interpersonal skills

CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED.

15

INDEPENDENCE OF AUDITORS
Regulatory requirements do not require that auditors be entirely
separate from the areas audited. In fact, the idea of self
inspection assumes that an internal process is beneficial.
Auditors should be empowered to issue findings without fear of
consequences, conflict of interest or undue influence from the
audited facilities or departments.
Therefore, companies generally utilize personnel from the Quality
organization, or sometimes a fully separate Audit group or
Compliance organization to conduct internal audits. Others may
rely on external consultants to provide objectivity.
In sensitive matters where there is concern about litigation, many
companies arrange for auditors to be retained under attorney
client privilege through in-house or external legal counsel. This
may vary from one country to another.

CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED.

16

AUDIT TEAMS
Few Auditors will be highly skilled in all areas of GMP; assistance
may be very helpful
Process experts
Engineers
Chemists
Microbiologists
Other specialists

Use of audit teams can enhance expertise


Include subject matter experts where appropriate to assist auditors
with technical aspects of the audit
Auditor takes the lead in audit conduct and report preparation, with
input from the subject matter expert

CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED.

17

AUDIT SCHEDULING
Resources do not permit auditing everyone and everything, so
choices must be made
Risk based auditing is now the normal procedure for most
companies
Risk considerations should be based on potential for direct product
quality impact; higher impact = more frequent and more in depth
auditing
These include, but are not limited to:
Audit history of the site/department/system to be audited
Regulatory agency audit history
Patient risk impact: API, aseptic filling, final testing, stability testing, proper labeling,
sterility aspects, cold chain, etc. are all key risk areas
Lower risk operations include excipient manufacture, packaging suppliers, other material
suppliers or service providers who have less direct impact on product quality

CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED.

18

AUDIT RESOURCE CONSERVATION


On site time is frequently limited: Supplier contracts may limit time
on site; internal audits may try to minimize disruption of activities;
travel is expensive and resources are limited.
To maximize utilization of resources, consider:
Review key documents in advance from home office; arrive at site with questions to
resolve; do not use on site time for document review except as necessary
Spend on site time observing the facility, operations, equipment, and interviewing
personnel
When necessary, use audit teams of two or three auditors, with each taking different
areas; enables more time to be spent on each area while limiting overall on site time
Consider adding a non-auditor subject matter expert to assist the auditor in highly
technical or complex processes

CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED.

19

AUDIT PLANNING
Require a written audit plan and agenda before the audit
Obtain information from internal stakeholders (especially for
supplier audits): What problems have been seen, what areas do
stakeholders want addressed during the audit, what suggestions
do they have?
Be flexible during the audit; if other serious concerns are noted, it
may be necessary to deviate from the plan, with good cause

CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED.

20

REGULATORY INSPECTION PREPARATION


If the purpose is to prepare for a regulatory inspection, the audit
plan should be based on available regulatory agency inspection
methods that can be obtained from the internet
For the FDA, see
http://www.fda.gov/ICECI/ComplianceManuals/ComplianceProgramManua
l/default.htm
For the EU, see http://tinyurl.com/5sb8axw
The Auditors should be trained and experienced in regulatory
inspection methods (or be former regulatory inspectors) and
should stay in the role of the regulator as much as possible
Provide feedback on the performance of company inspection
management and peoples answers to questions in addition to GMP
observations

CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED.

21

FDA COMPLIANCE PROGRAM GUIDANCE MANUAL


What it is: A series of programmatic SOPs that describe the process
for conducting different types of inspections and sampling programs,
and deciding what course of action to take when violations are found
Where to find it:
http://www.fda.gov/ICECI/ComplianceManuals/ComplianceProgramManu
al/default.htm
How to use it: Key to preparing for FDA inspections. In all CPGMs,
see especially Part III Inspectional and Part V
Regulatory/Administrative Strategy sections
Key Programs (there are several others also):
CPGM 7356.002, Drug Manufacturing Inspections
CPGM 7346.832, Pre-Approval Inspections
CPGM 7348.810, Sponsors, Monitors and CROs
CPGM 7348.811, Clinical Investigators (site level inspections)
CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED.

22

AUDIT REPORTS
Audit reports should be objective, and provide factual support for
observations
The most significant findings include:
Anything that points out a health hazard to the patient such as non-sterility,
overformulation, underformulation, label mixup, stability problems, cross contamination,
etc.
Observations that impact product currently on the market or in distribution channels
Things that happen repeatedly rather than just once
The more current the observation, the more significant it is; something that happened
once, three years ago, is usually insignificant; something that represents a current trend
usually is more significant

Audit reports should be provided in draft to the audited unit before


they are finalized: Facts correct? Interpretations understood? Any
disputes resolved?

CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED.

23

EVALUATION OF AUDIT REPORTS


Observations should be categorized based on risk. For example:
Critical: An observed condition or practice that could (or did) directly affect the identity,
strength, purity, or other quality characteristics designed to ensure the required levels of
safety and effectiveness of the product or which alone could lead to action by a Regulatory
Authority.
Major: An observed condition or issue that could indirectly affect the identity, strength,
purity, or other quality characteristics designed to ensure the required levels of safety and
effectiveness of the product or which may be cited on a list of observations during a
regulatory inspection. Note: A pattern of major observations in the same system,
observations in multiple systems, or repeat observations from previous regulatory
inspections could lead to action by a Regulatory Authority.
Minor: An observed condition or issue that deviates from requirements but for which no
potential direct or indirect impact to the product is evident.
Comment: A condition or issue that does not rise to the level of an observation as
described above. Note: Comments may include: an observed condition or issue that is not
clearly a deviation from requirements, recommendations for improvement,
recommendations for further consideration in light of an audits time constraints, or simply a
statement of findings.

CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED.

24

EVALUATION OF AUDIT REPORTS


In addition, the overall outcome of the audit should be classified
based on risk. For example:
Acceptable: Observations are minor and/or major but are generally
correctable.
Conditionally Acceptable: Observations are major and may not be
promptly correctable and/or observations are minor, but have the
potential to become major if not attended to promptly. Any critical
observations must be immediately controllable through prompt
action such as discontinuance of operations.
Unacceptable: Observations are critical and uncorrectable or on a
follow-up audit, previous observations were major/critical and were
not corrected, or there is evidence of deliberate wrongdoing.

CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED.

25

IMPLICATIONS OF FAILURE TO REACT TO AUDIT


FINDINGS
The audit is done for a purpose, and the outcome and any
resulting action must be documented.
Regulatory risk is higher when audit findings point to potential
violations, because the company is on notice, through the audit,
of the issues and therefore compelled to react to them
responsibly.
Audit systems should include independent evaluation and
classification of audit findings (acceptable, conditionally
acceptable, not acceptable) and actions that are taken consistent
with the severity level of the findings.
Interim controls may be prescribed as a condition of continued
operation when findings indicate the need.

CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED.

26

CONFIDENTIALITY OF AUDIT REPORTS


Most regulators refrain from review of internal audit reports
except under unusual extenuating circumstances
EU regulators sometimes access audit reports for suppliers, with
an emphasis on API facilities and fill and finish facilities, though
this is not uniform among the EU authorities
FDA has a Compliance Policy Guide, 130.300, which states FDAs
position on access to quality system audit reports (see next slide)

CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED.

27

FDA POLICY, CPG 130.300


During routine inspections and investigations conducted at any regulated
entity that has a written quality assurance program, FDA will not review or
copy reports and records that result from audits and inspections of the
written quality assurance program.
FDA may seek written certification that such audits and inspections have
been implemented, performed, and documented and that any required
corrective action has been taken. District personnel should consult with
the appropriate headquarters office prior to seeking written certification.
The policy provides a few exceptions, but they occur only rarely. FDA will
not generally review internal audit reports during inspections.

CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED.

28

Special
Considerations
For Supplier
Auditing

29

CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED.

AGREEMENTS WITH SUPPLIERS


EU Technical Agreements, Eudralex Volume 4, Part 1, Chapter 1
US DRAFT Guidance for Contract Manufacturing Arrangements
for Drugs: Quality Agreements May, 2013 (see earlier slide)
Key to both documents is to have roles and responsibilities clearly
described
Agreements should provide for access for audit purposes, routine
audits and for cause audits when problems arise
Agreements should be part of the contract so they can be enforced
by the contract giver

CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED.

PRIORITIZE LOCATIONS TO BE AUDITED


Highest priority: (NOTE: Risk assessment can change priorities)
API, especially sterile or bioburden-controlled API sites
Fill and finish sites, especially aseptic filling/lyophilization or terminal sterilization
Laboratories that do final release testing or stability testing
Labeling operations

Next priority:
Side chain synthesis
Intermediate process steps
Laboratories performing lower risk or specialized testing
Cold chain and GDP

Lower priority:
Glassware suppliers
Packaging suppliers
Distribution warehouses
CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED.

31

SUPPLIER AUDITS
Supplier audit systems should integrate all known information
about supplier quality, not limited to audit results, for example:
Material supply history any rejections and reasons for rejections, such as incoming
inspection findings, laboratory analytical findings, foreign material detected during
production, etc.
Recalls
Regulatory agency warnings made public
Internal concerns arising from batch record review
Business performance of the supplier on time delivery, right product, price
competitiveness, etc.
Integrated systems can provide a single reference point on supplier acceptability for use
by Procurement personnel

CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED.

32

SUMMARY
Internal audits are not required by US GMP but are almost
universally employed by US companies
Self assessments are required in the EU
Technical agreements and supplier audits have been required in the
EU for years, expected in the US but now required in the US also
Dedicated, specially trained audit teams are widespread in the
industry
Auditors must be objective and independent, but can give
recommendations and advice so long as responsibility remains
with the audited department or company
Worldwide supply chain management requirements have increased
and can be expected to be a high priority area for regulators

CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED.

33

THANK YOU
Gracias por su atencin!
Preguntas y repuestas

CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED.

34

You might also like