BEST PRACTICES FOR INTERNAL AND SUPPLIER AUDITING September 26, 2014 David L. Chesney, Vice President and Practice Lead, Strategic Compliance Services PAREXEL Consulting, Waltham, MA USA dave.chesney@parexel.com +1-781-434-4092 Omics Group 3rd International Summit on GMP, GCP and Quality Control Valencia Convention Center Valencia, Spain CONFIDENTIAL ©2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED. AGENDA • Review regulatory audit requirements – EU, US • Internal auditing – EU and US requirements • Supplier auditing – EU and US requirements • Auditing organization and operations • Objective setting • Risk basis • Decision on audit outcomes • Special considerations for supplier auditing CONFIDENTIAL ©2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED. / Internal and Supplier auditing – EU and US requirements 3 CONFIDENTIAL ©2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED. REGULATORY REQUIREMENTS • Requirements for the conduct of audits (internal and supplier audits) vary from one authority to another • All authorities clearly “expect” internal and supplier audits to be conducted, though not all specifically and literally require such audits • Despite the lack of uniformity and clarity of the regulatory requirements, sound quality management principles and conventional industry practices combine to establish auditing programs as a “current good practice” for the industry, world wide. • This presentation will compare the US and EU requirements to illustrate how different regulatory authorities deal with the topic. Companies should be aware of other countries’ requirements that may impact their operations conducted in those countries. CONFIDENTIAL ©2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED. / 4 GMP REQUIREMENTS FOR INTERNAL AUDITING: US • The US Drug GMP, 21 CFR 211, does not specifically require internal auditing; however, some other similar US GxP regulations do • The US Medical Device QSR (the “device GMP” regulation), 21 CFR 820, does specifically require internal audits: 21 CFR 820.22: “Quality audit. Each manufacturer shall establish procedures for quality audits and conduct such audits to assure that the quality system is in compliance with the established quality system requirements and to determine the effectiveness of the quality system….(continues)…” • The US Human Cells, Tissues, and Cellular and Tissue Based Products regulation, 21 CFR 1270, does specifically require internal audits: 21 CFR 1271.160(c): “Audits. You must periodically perform for management review a quality audit, as defined in 1271.3(gg), of activities related to core CGTP requirements.” CONFIDENTIAL ©2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED. / 5 GMP REQUIREMENTS FOR INTERNAL AUDITING: EU • Eudralex, Vol. 4, Part 1, Chapter 1, Quality Management, Section 1.1, Quality Assurance, Subparagraph ix: • “The system of Quality Assurance appropriate for the manufacture of medicinal products should ensure that: (ix) there is a procedure for Self-Inspection and/or quality audit, which regularly appraises the effectiveness and applicability of the Quality Assurance system.” • Eudralex, Vol. 4, Part 1, Chapter 9, Self Inspection, is devoted entirely to this requirement: “Self inspections should be conducted in order to monitor the implementation and compliance with Good Manufacturing Practice principles and to propose necessary corrective measures.” CONFIDENTIAL ©2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED. / 6 GMP REQUIREMENTS FOR SUPPLIER AUDITING • United States • Auditing of suppliers is not a literal GMP requirement but is clearly an FDA “expectation” • 21 CFR 211.22(a): “…The quality control unit shall be responsible for approving or rejecting drug products manufactured, processed, packed, or held under contract by another company.” • 21 CFR 211.84(d)(3): “…Containers and closures shall be tested for conformity with all appropriate written specifications. In lieu of such testing by the manufacturer, a certificate of testing may be accepted from the supplier, provided that at least a visual identification is conducted on such containers/closures by the manufacturer and provided that the manufacturer establishes the reliability of the supplier's test results through appropriate validation of the supplier's test results at appropriate intervals.” CONFIDENTIAL ©2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED. / 7 KEY GMP PROVISION OF FDASIA • The FDA Safety and Innovation Act (FDASIA) was signed into law July 9, 2012. It is a complex bill with 11 Titles. Title VII deals with the drug supply chain. • FDASIA Title VII, Section 711, specifies that GMP includes the implementation of quality oversight and controls over the manufacture of drugs, including the safety of raw materials, materials used in drug manufacturing, and finished drug products; the bill states as follows: • Section 501 (21 U.S.C. 351) is amended by adding at the end the following flush text: "For purposes of paragraph (a)(2)(B), the term 'current good manufacturing practice' includes the implementation of oversight and controls over the manufacture of drugs to ensure quality, including managing the risk of and establishing the safety of raw materials, materials used in the manufacturing of drugs, and finished drug products.". CONFIDENTIAL ©2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED. / 8 GUIDANCE ISSUED TO DATE CONFIDENTIAL ©2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED. / 9 ICH Q10 ON SUPPLIER AUDITS • Section 2.7: “The pharmaceutical quality system, including the management responsibilities described in this section, extends to the control and review of any outsourced activities and quality of purchased materials. The pharmaceutical company is ultimately responsible to ensure processes are in place to assure the control of outsourced activities and quality of purchased materials. These processes should incorporate quality risk management and include…” • Prequalification of suppliers • Defining roles and responsibilities via a written agreement • Monitoring and review of supplier performance • Monitoring of incoming shipments to ensure they are from approved sources CONFIDENTIAL ©2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED. / 10 Audit Group Organization and Operations 11 CONFIDENTIAL ©2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED. AUDIT ORGANIZATION STRUCTURE • Commonly, the audit group reports to the Head of Quality, at the Corporate level in large companies or sometimes at a site level in smaller companies • Some companies want more independence and separation from the rest of the organization. Some trends we are seeing in the United States include: • Establishment of a “Compliance” organization within the Quality Unit, reporting directly to the most senior VP in the Quality Unit • Auditing groups that report to the “Chief Compliance Officer” (mainly in the US) • Consolidation of auditing functions in a single group: GMP, GCP, GLP, GDP, Pharmacovigilance (drug safety) and sometimes other related functions CONFIDENTIAL ©2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED. / 12 AUDIT PROGRAM OBJECTIVES • Must decide what the purpose(s) of each audit will be: • GMP compliance – EU, US, or world wide standard? • Compliance with Marketing Authorization, NDA, BLA, etc. • Compliance with company policies and procedures • Matching of health regulatory agency procedures to duplicate regulatory inspections • Rehearsal of site staff to be part of regulatory agency inspections • Supplier audits: Compliance with the contract terms CONFIDENTIAL ©2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED. / 13 ROLE OF THE AUDITOR • Must decide the preferred role for the auditor: “Policeman” or “Consultant”? • Policeman: Auditor remains completely objective, points out gaps, offers no assistance in solutions to those gaps • Consultant: Auditor points out gaps, offers suggestions for corrective action, but responsibility for final design and execution of CAPA remains with the audited organization. • Special case: During supplier auditing, the Auditor should be a “Policeman” regarding the CMO’s compliance with contract obligations CONFIDENTIAL ©2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED. / 14 AUDITOR TRAINING AND QUALIFICATIONS • Auditors should always be trained in: • Technical operations – equipment, facilities, processes, quality systems • Regulatory requirements for the countries served by the sites they will audit • Detection of data integrity problems • Auditing methods and practice • Company policies, contractual requirements and expectations • In addition, Auditors benefit by training in: • Investigative interviewing techniques • Legal aspects – Drug law, regulatory agency authority as stated in law • Regulatory agency methods and practices for inspections • Interpersonal skills CONFIDENTIAL ©2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED. / 15 INDEPENDENCE OF AUDITORS • Regulatory requirements do not require that auditors be entirely separate from the areas audited. In fact, the idea of “self inspection” assumes that an internal process is beneficial. • Auditors should be empowered to issue findings without fear of consequences, conflict of interest or undue influence from the audited facilities or departments. • Therefore, companies generally utilize personnel from the Quality organization, or sometimes a fully separate Audit group or Compliance organization to conduct internal audits. Others may rely on external consultants to provide objectivity. • In sensitive matters where there is concern about litigation, many companies arrange for auditors to be retained under attorney client privilege through in-house or external legal counsel. This may vary from one country to another. CONFIDENTIAL ©2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED. / 16 AUDIT TEAMS • Few Auditors will be highly skilled in all areas of GMP; assistance may be very helpful • Process experts • Engineers • Chemists • Microbiologists • Other specialists • Use of audit teams can enhance expertise • Include subject matter experts where appropriate to assist auditors with technical aspects of the audit • Auditor takes the lead in audit conduct and report preparation, with input from the subject matter expert CONFIDENTIAL ©2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED. / 17 AUDIT SCHEDULING • Resources do not permit auditing everyone and everything, so choices must be made • Risk based auditing is now the normal procedure for most companies • Risk considerations should be based on potential for direct product quality impact; higher impact = more frequent and more in depth auditing • These include, but are not limited to: • Audit history of the site/department/system to be audited • Regulatory agency audit history • Patient risk impact: API, aseptic filling, final testing, stability testing, proper labeling, sterility aspects, cold chain, etc. are all key risk areas • Lower risk operations include excipient manufacture, packaging suppliers, other material suppliers or service providers who have less direct impact on product quality CONFIDENTIAL ©2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED. / 18 AUDIT RESOURCE CONSERVATION • On site time is frequently limited: Supplier contracts may limit time on site; internal audits may try to minimize disruption of activities; travel is expensive and resources are limited. • To maximize utilization of resources, consider: • Review key documents in advance from home office; arrive at site with questions to resolve; do not use on site time for document review except as necessary • Spend on site time observing the facility, operations, equipment, and interviewing personnel • When necessary, use audit teams of two or three auditors, with each taking different areas; enables more time to be spent on each area while limiting overall on site time • Consider adding a non-auditor subject matter expert to assist the auditor in highly technical or complex processes CONFIDENTIAL ©2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED. / 19 AUDIT PLANNING • Require a written audit plan and agenda before the audit • Obtain information from internal stakeholders (especially for supplier audits): What problems have been seen, what areas do stakeholders want addressed during the audit, what suggestions do they have? • Be flexible during the audit; if other serious concerns are noted, it may be necessary to deviate from the plan, with good cause CONFIDENTIAL ©2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED. / 20 REGULATORY INSPECTION PREPARATION • If the purpose is to prepare for a regulatory inspection, the audit plan should be based on available regulatory agency inspection methods that can be obtained from the internet • For the FDA, see http://www.fda.gov/ICECI/ComplianceManuals/ComplianceProgramMan ual/default.htm • For the EU, see http://tinyurl.com/5sb8axw • The Auditors should be trained and experienced in regulatory inspection methods (or be former regulatory inspectors) and should stay “in the role” of the regulator as much as possible • Provide feedback on the performance of company inspection management and people’s answers to questions in addition to GMP observations CONFIDENTIAL ©2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED. / 21 FDA COMPLIANCE PROGRAM GUIDANCE MANUAL • What it is: A series of programmatic “SOPs” that describe the process for conducting different types of inspections and sampling programs, and deciding what course of action to take when violations are found • Where to find it: http://www.fda.gov/ICECI/ComplianceManuals/ComplianceProgramMa nual/default.htm • How to use it: Key to preparing for FDA inspections. In all CPGMs, see especially “Part III – Inspectional” and “Part V – Regulatory/Administrative Strategy” sections • Key Programs (there are several others also): • CPGM 7356.002, Drug Manufacturing Inspections • CPGM 7346.832, Pre-Approval Inspections • CPGM 7348.810, Sponsors, Monitors and CROs • CPGM 7348.811, Clinical Investigators (site level inspections) CONFIDENTIAL ©2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED. / 22 AUDIT REPORTS • Audit reports should be objective, and provide factual support for observations • The most significant findings include: • Anything that points out a health hazard to the patient such as non-sterility, overformulation, underformulation, label mixup, stability problems, cross contamination, etc. • Observations that impact product currently on the market or in distribution channels • Things that happen repeatedly rather than just once • The more current the observation, the more significant it is; something that happened once, three years ago, is usually insignificant; something that represents a current trend usually is more significant • Audit reports should be provided in draft to the audited unit before they are finalized: Facts correct? Interpretations understood? Any disputes resolved? CONFIDENTIAL ©2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED. / 23 EVALUATION OF AUDIT REPORTS • Observations should be categorized based on risk. For example: • Critical: An observed condition or practice that could (or did) directly affect the identity, strength, purity, or other quality characteristics designed to ensure the required levels of safety and effectiveness of the product or which alone could lead to action by a Regulatory Authority. • Major: An observed condition or issue that could indirectly affect the identity, strength, purity, or other quality characteristics designed to ensure the required levels of safety and effectiveness of the product or which may be cited on a list of observations during a regulatory inspection. Note: A pattern of major observations in the same system, observations in multiple systems, or repeat observations from previous regulatory inspections could lead to action by a Regulatory Authority. • Minor: An observed condition or issue that deviates from requirements but for which no potential direct or indirect impact to the product is evident. • Comment: A condition or issue that does not rise to the level of an observation as described above. Note: Comments may include: an observed condition or issue that is not clearly a deviation from requirements, recommendations for improvement, recommendations for further consideration in light of an audit’s time constraints, or simply a statement of findings. CONFIDENTIAL ©2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED. / 24 EVALUATION OF AUDIT REPORTS • In addition, the overall outcome of the audit should be classified based on risk. For example: • Acceptable: Observations are minor and/or major but are generally correctable. • Conditionally Acceptable: Observations are major and may not be promptly correctable and/or observations are minor, but have the potential to become major if not attended to promptly. Any critical observations must be immediately controllable through prompt action such as discontinuance of operations. • Unacceptable: Observations are critical and uncorrectable or on a follow-up audit, previous observations were major/critical and were not corrected, or there is evidence of deliberate wrongdoing. CONFIDENTIAL ©2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED. / 25 IMPLICATIONS OF FAILURE TO REACT TO AUDIT FINDINGS • The audit is done for a purpose, and the outcome and any resulting action must be documented. • Regulatory risk is higher when audit findings point to potential violations, because the company is on notice, through the audit, of the issues and therefore compelled to react to them responsibly. • Audit systems should include independent evaluation and classification of audit findings (acceptable, conditionally acceptable, not acceptable) and actions that are taken consistent with the severity level of the findings. • Interim controls may be prescribed as a condition of continued operation when findings indicate the need. CONFIDENTIAL ©2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED. / 26 CONFIDENTIALITY OF AUDIT REPORTS • Most regulators refrain from review of internal audit reports except under unusual extenuating circumstances • EU regulators sometimes access audit reports for suppliers, with an emphasis on API facilities and fill and finish facilities, though this is not uniform among the EU authorities • FDA has a Compliance Policy Guide, 130.300, which states FDA’s position on access to quality system audit reports (see next slide) CONFIDENTIAL ©2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED. / 27 FDA POLICY, CPG 130.300 • During routine inspections and investigations conducted at any regulated entity that has a written quality assurance program, FDA will not review or copy reports and records that result from audits and inspections of the written quality assurance program. • FDA may seek written certification that such audits and inspections have been implemented, performed, and documented and that any required corrective action has been taken. District personnel should consult with the appropriate headquarters office prior to seeking written certification. • The policy provides a few exceptions, but they occur only rarely. FDA will not generally review internal audit reports during inspections. CONFIDENTIAL ©2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED. / 28 Special Considerations For Supplier Auditing 29 CONFIDENTIAL ©2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED. AGREEMENTS WITH SUPPLIERS • EU – Technical Agreements, Eudralex Volume 4, Part 1, Chapter 1 • US – DRAFT Guidance for “Contract Manufacturing Arrangements for Drugs: Quality Agreements” May, 2013 (see earlier slide) • Key to both documents is to have roles and responsibilities clearly described • Agreements should provide for access for audit purposes, routine audits and “for cause” audits when problems arise • Agreements should be part of the contract so they can be enforced by the contract giver CONFIDENTIAL ©2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED. / PRIORITIZE LOCATIONS TO BE AUDITED • Highest priority: (NOTE: Risk assessment can change priorities) • API, especially sterile or bioburden-controlled API sites • Fill and finish sites, especially aseptic filling/lyophilization or terminal sterilization • Laboratories that do final release testing or stability testing • Labeling operations • Next priority: • Side chain synthesis • Intermediate process steps • Laboratories performing lower risk or specialized testing • Cold chain and GDP • Lower priority: • Glassware suppliers • Packaging suppliers • Distribution warehouses CONFIDENTIAL ©2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED. / 31 SUPPLIER AUDITS • Supplier audit systems should integrate all known information about supplier quality, not limited to audit results, for example: • Material supply history – any rejections and reasons for rejections, such as incoming inspection findings, laboratory analytical findings, foreign material detected during production, etc. • Recalls • Regulatory agency warnings made public • Internal concerns arising from batch record review • Business performance of the supplier – on time delivery, right product, price competitiveness, etc. • Integrated systems can provide a single reference point on supplier acceptability for use by Procurement personnel CONFIDENTIAL ©2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED. / 32 SUMMARY • Internal audits are not required by US GMP but are almost universally employed by US companies • Self assessments are required in the EU • Technical agreements and supplier audits have been required in the EU for years, “expected” in the US but now required in the US also • Dedicated, specially trained audit teams are widespread in the industry • Auditors must be objective and independent, but can give recommendations and advice so long as responsibility remains with the audited department or company • Worldwide supply chain management requirements have increased and can be expected to be a high priority area for regulators CONFIDENTIAL ©2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED. / 33 THANK YOU ¡Gracias por su atención! Preguntas y repuestas CONFIDENTIAL ©2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED. / 34