Best practices for internal and supplier auditing

September 26, 2014
David L. Chesney, Vice President and
Practice Lead, Strategic Compliance Services
PAREXEL Consulting, Waltham, MA USA
dave.chesney@parexel.com
+1-781-434-4092
Omics Group 3rd International Summit on GMP, GCP and Quality Control
Valencia Convention Center
Valencia, Spain
CONFIDENTIAL ©2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS RESERVED.
AGENDA
• Review regulatory audit requirements – EU, US
• Internal auditing – EU and US requirements
• Supplier auditing – EU and US requirements
• Auditing organization and operations
• Objective setting
• Risk basis
• Decision on audit outcomes
• Special considerations for supplier auditing
Internal and Supplier auditing – EU and US requirements
REGULATORY REQUIREMENTS
• Requirements for the conduct of audits (internal and supplier
audits) vary from one authority to another
• All authorities clearly “expect” internal and supplier audits to be
conducted, though not all specifically and literally require such
audits
• Despite the lack of uniformity and clarity of the regulatory
requirements, sound quality management principles and
conventional industry practices combine to establish auditing
programs as a “current good practice” for the industry,
worldwide.
• This presentation will compare the US and EU requirements to
illustrate how different regulatory authorities deal with the topic.
Companies should be aware of other countries’ requirements that
may impact their operations conducted in those countries.
GMP REQUIREMENTS FOR INTERNAL AUDITING: US
• The US Drug GMP, 21 CFR 211, does not specifically require
internal auditing; however, some other similar US GxP regulations
do
• The US Medical Device QSR (the “device GMP” regulation), 21
CFR 820, does specifically require internal audits:
21 CFR 820.22: “Quality audit. Each manufacturer shall establish procedures for
quality audits and conduct such audits to assure that the quality system is in
compliance with the established quality system requirements and to determine the
effectiveness of the quality system….(continues)…”
• The US Human Cells, Tissues, and Cellular and Tissue Based
Products regulation, 21 CFR 1270, does specifically require
internal audits:
21 CFR 1271.160(c): “Audits. You must periodically perform for management review a
quality audit, as defined in 1271.3(gg), of activities related to core CGTP requirements.”
GMP REQUIREMENTS FOR INTERNAL AUDITING: EU
• Eudralex, Vol. 4, Part 1, Chapter 1, Quality Management, Section 1.1,
Quality Assurance, Subparagraph ix:
• “The system of Quality Assurance appropriate for the manufacture
of medicinal products should ensure that:
(ix) there is a procedure for Self-Inspection and/or quality audit, which regularly
appraises the effectiveness and applicability of the Quality Assurance system.”
• Eudralex, Vol. 4, Part 1, Chapter 9, Self Inspection, is devoted
entirely to this requirement: “Self inspections should be conducted
in order to monitor the implementation and compliance with Good
Manufacturing Practice principles and to propose necessary
corrective measures.”
GMP REQUIREMENTS FOR SUPPLIER AUDITING
• United States
• Auditing of suppliers is not a literal GMP requirement but is clearly an FDA “expectation”
• 21 CFR 211.22(a): “…The quality control unit shall be responsible for approving or rejecting
drug products manufactured, processed, packed, or held under contract by another company.”
• 21 CFR 211.84(d)(3): “…Containers and closures shall be tested for conformity with all
appropriate written specifications. In lieu of such testing by the manufacturer, a certificate of
testing may be accepted from the supplier, provided that at least a visual identification is
conducted on such containers/closures by the manufacturer and provided that the
manufacturer establishes the reliability of the supplier's test results through appropriate
validation of the supplier's test results at appropriate intervals.”
KEY GMP PROVISION OF FDASIA
• The FDA Safety and Innovation Act (FDASIA) was signed into law
July 9, 2012. It is a complex bill with 11 Titles. Title VII deals with
the drug supply chain.
• FDASIA Title VII, Section 711, specifies that GMP includes the
implementation of quality oversight and controls over the
manufacture of drugs, including the safety of raw materials,
materials used in drug manufacturing, and finished drug products;
the bill states as follows:
• Section 501 (21 U.S.C. 351) is amended by adding at the end the following flush text:
"For purposes of paragraph (a)(2)(B), the term 'current good manufacturing practice'
includes the implementation of oversight and controls over the manufacture of drugs to
ensure quality, including managing the risk of and establishing the safety of raw
materials, materials used in the manufacturing of drugs, and finished drug products.".
GUIDANCE ISSUED TO DATE
ICH Q10 ON SUPPLIER AUDITS
• Section 2.7: “The pharmaceutical quality system, including the
management responsibilities described in this section, extends to
the control and review of any outsourced activities and quality of
purchased materials. The pharmaceutical company is ultimately
responsible to ensure processes are in place to assure the control
of outsourced activities and quality of purchased materials. These
processes should incorporate quality risk management and
include…”
• Prequalification of suppliers
• Defining roles and responsibilities via a written agreement
• Monitoring and review of supplier performance
• Monitoring of incoming shipments to ensure they are from approved sources
Audit Group Organization and Operations
AUDIT ORGANIZATION STRUCTURE
• Commonly, the audit group reports to the Head of Quality, at the
Corporate level in large companies or sometimes at a site level in
smaller companies
• Some companies want more independence and separation from the
rest of the organization. Some trends we are seeing in the United
States include:
• Establishment of a “Compliance” organization within the Quality Unit, reporting directly to
the most senior VP in the Quality Unit
• Auditing groups that report to the “Chief Compliance Officer” (mainly in the US)
• Consolidation of auditing functions in a single group: GMP, GCP, GLP, GDP,
Pharmacovigilance (drug safety) and sometimes other related functions
AUDIT PROGRAM OBJECTIVES
• Must decide what the purpose(s) of each audit will be:
• GMP compliance – EU, US, or worldwide standard?
• Compliance with Marketing Authorization, NDA, BLA, etc.
• Compliance with company policies and procedures
• Matching of health regulatory agency procedures to duplicate regulatory inspections
• Rehearsal of site staff to be part of regulatory agency inspections
• Supplier audits: Compliance with the contract terms
ROLE OF THE AUDITOR
• Must decide the preferred role for the auditor: “Policeman” or
“Consultant”?
• Policeman: Auditor remains completely objective, points out gaps,
offers no assistance in solutions to those gaps
• Consultant: Auditor points out gaps, offers suggestions for
corrective action, but responsibility for final design and execution
of CAPA remains with the audited organization.
• Special case: During supplier auditing, the Auditor should be a
“Policeman” regarding the CMO’s compliance with contract
obligations
AUDITOR TRAINING AND QUALIFICATIONS
• Auditors should always be trained in:
• Technical operations – equipment, facilities, processes, quality systems
• Regulatory requirements for the countries served by the sites they will audit
• Detection of data integrity problems
• Auditing methods and practice
• Company policies, contractual requirements and expectations
• In addition, Auditors benefit by training in:
• Investigative interviewing techniques
• Legal aspects – Drug law, regulatory agency authority as stated in law
• Regulatory agency methods and practices for inspections
• Interpersonal skills
INDEPENDENCE OF AUDITORS
• Regulatory requirements do not require that auditors be entirely
separate from the areas audited. In fact, the idea of “self
inspection” assumes that an internal process is beneficial.
• Auditors should be empowered to issue findings without fear of
consequences, conflict of interest or undue influence from the
audited facilities or departments.
• Therefore, companies generally utilize personnel from the Quality
organization, or sometimes a fully separate Audit group or
Compliance organization to conduct internal audits. Others may
rely on external consultants to provide objectivity.
• In sensitive matters where there is concern about litigation, many
companies arrange for auditors to be retained under
attorney-client privilege through in-house or external legal counsel. This
may vary from one country to another.
AUDIT TEAMS
• Few Auditors will be highly skilled in all areas of GMP; assistance
may be very helpful
• Process experts
• Engineers
• Chemists
• Microbiologists
• Other specialists
• Use of audit teams can enhance expertise
• Include subject matter experts where appropriate to assist auditors
with technical aspects of the audit
• Auditor takes the lead in audit conduct and report preparation, with
input from the subject matter expert
AUDIT SCHEDULING
• Resources do not permit auditing everyone and everything, so
choices must be made
• Risk based auditing is now the normal procedure for most
companies
• Risk considerations should be based on potential for direct product
quality impact; higher impact = more frequent and more in depth
auditing
• These include, but are not limited to:
• Audit history of the site/department/system to be audited
• Regulatory agency audit history
• Patient risk impact: API, aseptic filling, final testing, stability testing, proper labeling,
sterility aspects, cold chain, etc. are all key risk areas
• Lower risk operations include excipient manufacture, packaging suppliers, other material
suppliers or service providers who have less direct impact on product quality
AUDIT RESOURCE CONSERVATION
• On site time is frequently limited: Supplier contracts may limit time
on site; internal audits may try to minimize disruption of activities;
travel is expensive and resources are limited.
• To maximize utilization of resources, consider:
• Review key documents in advance from home office; arrive at site with questions to
resolve; do not use on site time for document review except as necessary
• Spend on site time observing the facility, operations, equipment, and interviewing
personnel
• When necessary, use audit teams of two or three auditors, with each taking different
areas; enables more time to be spent on each area while limiting overall on site time
• Consider adding a non-auditor subject matter expert to assist the auditor in highly
technical or complex processes
AUDIT PLANNING
• Require a written audit plan and agenda before the audit
• Obtain information from internal stakeholders (especially for
supplier audits): What problems have been seen, what areas do
stakeholders want addressed during the audit, what suggestions
do they have?
• Be flexible during the audit; if other serious concerns are noted, it
may be necessary to deviate from the plan, with good cause
REGULATORY INSPECTION PREPARATION
• If the purpose is to prepare for a regulatory inspection, the audit
plan should be based on available regulatory agency inspection
methods that can be obtained from the internet
• For the FDA, see
http://www.fda.gov/ICECI/ComplianceManuals/ComplianceProgramManual/default.htm
• For the EU, see http://tinyurl.com/5sb8axw
• The Auditors should be trained and experienced in regulatory
inspection methods (or be former regulatory inspectors) and
should stay “in the role” of the regulator as much as possible
• Provide feedback on the performance of company inspection
management and people’s answers to questions in addition to GMP
observations
FDA COMPLIANCE PROGRAM GUIDANCE MANUAL
• What it is: A series of programmatic “SOPs” that describe the process
for conducting different types of inspections and sampling programs,
and deciding what course of action to take when violations are found
• Where to find it:
http://www.fda.gov/ICECI/ComplianceManuals/ComplianceProgramManual/default.htm
• How to use it: Key to preparing for FDA inspections. In all CPGMs,
see especially “Part III – Inspectional” and “Part V –
Regulatory/Administrative Strategy” sections
• Key Programs (there are several others also):
• CPGM 7356.002, Drug Manufacturing Inspections
• CPGM 7346.832, Pre-Approval Inspections
• CPGM 7348.810, Sponsors, Monitors and CROs
• CPGM 7348.811, Clinical Investigators (site level inspections)
AUDIT REPORTS
• Audit reports should be objective, and provide factual support for
observations
• The most significant findings include:
• Anything that points out a health hazard to the patient such as non-sterility,
overformulation, underformulation, label mixup, stability problems, cross contamination,
etc.
• Observations that impact product currently on the market or in distribution channels
• Things that happen repeatedly rather than just once
• The more current the observation, the more significant it is; something that happened
once, three years ago, is usually insignificant; something that represents a current trend
usually is more significant
• Audit reports should be provided in draft to the audited unit before
they are finalized: Facts correct? Interpretations understood? Any
disputes resolved?
EVALUATION OF AUDIT REPORTS
• Observations should be categorized based on risk. For example:
• Critical: An observed condition or practice that could (or did) directly affect the identity,
strength, purity, or other quality characteristics designed to ensure the required levels of
safety and effectiveness of the product or which alone could lead to action by a Regulatory
Authority.
• Major: An observed condition or issue that could indirectly affect the identity, strength,
purity, or other quality characteristics designed to ensure the required levels of safety and
effectiveness of the product or which may be cited on a list of observations during a
regulatory inspection. Note: A pattern of major observations in the same system,
observations in multiple systems, or repeat observations from previous regulatory
inspections could lead to action by a Regulatory Authority.
• Minor: An observed condition or issue that deviates from requirements but for which no
potential direct or indirect impact to the product is evident.
• Comment: A condition or issue that does not rise to the level of an observation as
described above. Note: Comments may include: an observed condition or issue that is not
clearly a deviation from requirements, recommendations for improvement,
recommendations for further consideration in light of an audit’s time constraints, or simply a
statement of findings.
EVALUATION OF AUDIT REPORTS
• In addition, the overall outcome of the audit should be classified
based on risk. For example:
• Acceptable: Observations are minor and/or major but are generally
correctable.
• Conditionally Acceptable: Observations are major and may not be
promptly correctable and/or observations are minor, but have the
potential to become major if not attended to promptly. Any critical
observations must be immediately controllable through prompt
action such as discontinuance of operations.
• Unacceptable: Observations are critical and uncorrectable or on a
follow-up audit, previous observations were major/critical and were
not corrected, or there is evidence of deliberate wrongdoing.
IMPLICATIONS OF FAILURE TO REACT TO AUDIT
FINDINGS
• The audit is done for a purpose, and the outcome and any
resulting action must be documented.
• Regulatory risk is higher when audit findings point to potential
violations, because the company is on notice, through the audit,
of the issues and therefore compelled to react to them
responsibly.
• Audit systems should include independent evaluation and
classification of audit findings (acceptable, conditionally
acceptable, not acceptable) and actions that are taken consistent
with the severity level of the findings.
• Interim controls may be prescribed as a condition of continued
operation when findings indicate the need.
CONFIDENTIALITY OF AUDIT REPORTS
• Most regulators refrain from review of internal audit reports except
under unusual extenuating circumstances
• EU regulators sometimes access audit reports for suppliers, with
an emphasis on API facilities and fill and finish facilities, though
this is not uniform among the EU authorities
• FDA has a Compliance Policy Guide, 130.300, which states FDA’s
position on access to quality system audit reports (see next slide)
FDA POLICY, CPG 130.300
• During routine inspections and investigations conducted at any regulated
entity that has a written quality assurance program, FDA will not review or
copy reports and records that result from audits and inspections of the
written quality assurance program.
• FDA may seek written certification that such audits and inspections have
been implemented, performed, and documented and that any required
corrective action has been taken. District personnel should consult with
the appropriate headquarters office prior to seeking written certification.
• The policy provides a few exceptions, but they occur only rarely. FDA will
not generally review internal audit reports during inspections.
Special Considerations For Supplier Auditing
AGREEMENTS WITH SUPPLIERS
• EU – Technical Agreements, Eudralex Volume 4, Part 1, Chapter 1
• US – DRAFT Guidance for “Contract Manufacturing Arrangements
for Drugs: Quality Agreements” May, 2013 (see earlier slide)
• Key to both documents is to have roles and responsibilities clearly
described
• Agreements should provide for access for audit purposes, routine
audits and “for cause” audits when problems arise
• Agreements should be part of the contract so they can be enforced
by the contract giver
PRIORITIZE LOCATIONS TO BE AUDITED
• Highest priority: (NOTE: Risk assessment can change priorities)
• API, especially sterile or bioburden-controlled API sites
• Fill and finish sites, especially aseptic filling/lyophilization or terminal sterilization
• Laboratories that do final release testing or stability testing
• Labeling operations
• Next priority:
• Side chain synthesis
• Intermediate process steps
• Laboratories performing lower risk or specialized testing
• Cold chain and GDP
• Lower priority:
• Glassware suppliers
• Packaging suppliers
• Distribution warehouses
SUPPLIER AUDITS
• Supplier audit systems should integrate all known information
about supplier quality, not limited to audit results, for example:
• Material supply history – any rejections and reasons for rejections, such as incoming
inspection findings, laboratory analytical findings, foreign material detected during
production, etc.
• Recalls
• Regulatory agency warnings made public
• Internal concerns arising from batch record review
• Business performance of the supplier – on time delivery, right product, price
competitiveness, etc.
• Integrated systems can provide a single reference point on supplier acceptability for use
by Procurement personnel
SUMMARY
• Internal audits are not required by US GMP but are almost
universally employed by US companies
• Self assessments are required in the EU
• Technical agreements and supplier audits have been required in the
EU for years, “expected” in the US but now required in the US also
• Dedicated, specially trained audit teams are widespread in the
industry
• Auditors must be objective and independent, but can give
recommendations and advice so long as responsibility remains
with the audited department or company
• Worldwide supply chain management requirements have increased
and can be expected to be a high priority area for regulators
THANK YOU
Thank you for your attention!
Questions and answers