CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS
RESERVED. BEST PRACTICES FOR INTERNAL AND SUPPLIER AUDITING
September 26, 2014 David L. Chesney, Vice President and Practice
Lead, Strategic Compliance Services PAREXEL Consulting, Waltham, MA
USA [email protected] +1-781-434-4092
[email protected] Omics Group 3 rd International Summit on
GMP, GCP and Quality Control Valencia Convention Center Valencia,
Spain
Slide 2
CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS
RESERVED. / AGENDA Review regulatory audit requirements EU, US
Internal auditing EU and US requirements Supplier auditing EU and
US requirements Auditing organization and operations Objective
setting Risk basis Decision on audit outcomes Special
considerations for supplier auditing
Slide 3
CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS
RESERVED. Internal and Supplier auditing EU and US requirements
3
Slide 4
CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS
RESERVED. / REGULATORY REQUIREMENTS Requirements for the conduct of
audits (internal and supplier audits) vary from one authority to
another All authorities clearly expect internal and supplier audits
to be conducted, though not all specifically and literally require
such audits Despite the lack of uniformity and clarity of the
regulatory requirements, sound quality management principles and
conventional industry practices combine to establish auditing
programs as a current good practice for the industry, world wide.
This presentation will compare the US and EU requirements to
illustrate how different regulatory authorities deal with the
topic. Companies should be aware of other countries requirements
that may impact their operations conducted in those countries.
4
Slide 5
CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS
RESERVED. / GMP REQUIREMENTS FOR INTERNAL AUDITING: US The US Drug
GMP, 21 CFR 211, does not specifically require internal auditing;
however, some other similar US GxP regulations do The US Medical
Device QSR (the device GMP regulation), 21 CFR 820, does
specifically require internal audits: 21 CFR 820.22: Quality audit.
Each manufacturer shall establish procedures for quality audits and
conduct such audits to assure that the quality system is in
compliance with the established quality system requirements and to
determine the effectiveness of the quality system.(continues) The
US Human Cells, Tissues, and Cellular and Tissue Based Products
regulation, 21 CFR 1270, does specifically require internal audits:
21 CFR 1271.160(c): Audits. You must periodically perform for
management review a quality audit, as defined in 1271.3(gg), of
activities related to core CGTP requirements. 5
Slide 6
CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS
RESERVED. / GMP REQUIREMENTS FOR INTERNAL AUDITING: EU Eudralex,
Vol. 4, Part 1, Chapter 1, Quality Management, Section 1.1, Quality
Assurance, Subparagraph ix: The system of Quality Assurance
appropriate for the manufacture of medicinal products should ensure
that: (ix)there is a procedure for Self-Inspection and/or quality
audit, which regularly appraises the effectiveness and
applicability of the Quality Assurance system. Eudralex, Vol. 4,
Part 1, Chapter 9, Self Inspection, is devoted entirely to this
requirement: Self inspections should be conducted in order to
monitor the implementation and compliance with Good Manufacturing
Practice principles and to propose necessary corrective measures.
6
Slide 7
CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS
RESERVED. / GMP REQUIREMENTS FOR SUPPLIER AUDITING United States
Auditing of suppliers is not a literal GMP requirement but is
clearly an FDA expectation 21 CFR 211.22(a): The quality control
unit shall be responsible for approving or rejecting drug products
manufactured, processed, packed, or held under contract by another
company. 21 CFR 211.84(d)(3): Containers and closures shall be
tested for conformity with all appropriate written specifications.
In lieu of such testing by the manufacturer, a certificate of
testing may be accepted from the supplier, provided that at least a
visual identification is conducted on such containers/closures by
the manufacturer and provided that the manufacturer establishes the
reliability of the supplier's test results through appropriate
validation of the supplier's test results at appropriate intervals.
7
Slide 8
CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS
RESERVED. / KEY GMP PROVISION OF FDASIA The FDA Safety and
Innovation Act (FDASIA) was signed into law July 9, 2012. It is a
complex bill with 11 Titles. Title VII deals with the drug supply
chain. FDASIA Title VII, Section 711, specifies that GMP includes
the implementation of quality oversight and controls over the
manufacture of drugs, including the safety of raw materials,
materials used in drug manufacturing, and finished drug products;
the bill states as follows: Section 501 (21 U.S.C. 351) is amended
by adding at the end the following flush text: "For purposes of
paragraph (a)(2)(B), the term 'current good manufacturing practice'
includes the implementation of oversight and controls over the
manufacture of drugs to ensure quality, including managing the risk
of and establishing the safety of raw materials, materials used in
the manufacturing of drugs, and finished drug products.". 8
Slide 9
CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS
RESERVED. / GUIDANCE ISSUED TO DATE 9
Slide 10
CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS
RESERVED. / ICH Q10 ON SUPPLIER AUDITS Section 2.7: The
pharmaceutical quality system, including the management
responsibilities described in this section, extends to the control
and review of any outsourced activities and quality of purchased
materials. The pharmaceutical company is ultimately responsible to
ensure processes are in place to assure the control of outsourced
activities and quality of purchased materials. These processes
should incorporate quality risk management and include
Prequalification of suppliers Defining roles and responsibilities
via a written agreement Monitoring and review of supplier
performance Monitoring of incoming shipments to ensure they are
from approved sources 10
Slide 11
CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS
RESERVED. Audit Group Organization and Operations 11
Slide 12
CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS
RESERVED. / AUDIT ORGANIZATION STRUCTURE Commonly, the audit group
reports to the Head of Quality, at the Corporate level in large
companies or sometimes at a site level in smaller companies Some
companies want more independence and separation from the rest of
the organization. Some trends we are seeing in the United States
include: Establishment of a Compliance organization within the
Quality Unit, reporting directly to the most senior VP in the
Quality Unit Auditing groups that report to the Chief Compliance
Officer (mainly in the US) Consolidation of auditing functions in a
single group: GMP, GCP, GLP, GDP, Pharmacovigilance (drug safety)
and sometimes other related functions 12
Slide 13
CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS
RESERVED. / AUDIT PROGRAM OBJECTIVES Must decide what the
purpose(s) of each audit will be: GMP compliance EU, US, or world
wide standard? Compliance with Marketing Authorization, NDA, BLA,
etc. Compliance with company policies and procedures Matching of
health regulatory agency procedures to duplicate regulatory
inspections Rehearsal of site staff to be part of regulatory agency
inspections Supplier audits: Compliance with the contract terms
13
Slide 14
CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS
RESERVED. / ROLE OF THE AUDITOR Must decide the preferred role for
the auditor: Policeman or Consultant? Policeman: Auditor remains
completely objective, points out gaps, offers no assistance in
solutions to those gaps Consultant: Auditor points out gaps, offers
suggestions for corrective action, but responsibility for final
design and execution of CAPA remains with the audited organization.
Special case: During supplier auditing, the Auditor should be a
Policeman regarding the CMOs compliance with contract obligations
14
Slide 15
CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS
RESERVED. / AUDITOR TRAINING AND QUALIFICATIONS Auditors should
always be trained in: Technical operations equipment, facilities,
processes, quality systems Regulatory requirements for the
countries served by the sites they will audit Detection of data
integrity problems Auditing methods and practice Company policies,
contractual requirements and expectations In addition, Auditors
benefit by training in: Investigative interviewing techniques Legal
aspects Drug law, regulatory agency authority as stated in law
Regulatory agency methods and practices for inspections
Interpersonal skills 15
Slide 16
CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS
RESERVED. / INDEPENDENCE OF AUDITORS Regulatory requirements do not
require that auditors be entirely separate from the areas audited.
In fact, the idea of self inspection assumes that an internal
process is beneficial. Auditors should be empowered to issue
findings without fear of consequences, conflict of interest or
undue influence from the audited facilities or departments.
Therefore, companies generally utilize personnel from the Quality
organization, or sometimes a fully separate Audit group or
Compliance organization to conduct internal audits. Others may rely
on external consultants to provide objectivity. In sensitive
matters where there is concern about litigation, many companies
arrange for auditors to be retained under attorney client privilege
through in-house or external legal counsel. This may vary from one
country to another. 16
Slide 17
CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS
RESERVED. / AUDIT TEAMS Few Auditors will be highly skilled in all
areas of GMP; assistance may be very helpful Process experts
Engineers Chemists Microbiologists Other specialists Use of audit
teams can enhance expertise Include subject matter experts where
appropriate to assist auditors with technical aspects of the audit
Auditor takes the lead in audit conduct and report preparation,
with input from the subject matter expert 17
Slide 18
CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS
RESERVED. / AUDIT SCHEDULING Resources do not permit auditing
everyone and everything, so choices must be made Risk based
auditing is now the normal procedure for most companies Risk
considerations should be based on potential for direct product
quality impact; higher impact = more frequent and more in depth
auditing These include, but are not limited to: Audit history of
the site/department/system to be audited Regulatory agency audit
history Patient risk impact: API, aseptic filling, final testing,
stability testing, proper labeling, sterility aspects, cold chain,
etc. are all key risk areas Lower risk operations include excipient
manufacture, packaging suppliers, other material suppliers or
service providers who have less direct impact on product quality
18
Slide 19
CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS
RESERVED. / AUDIT RESOURCE CONSERVATION On site time is frequently
limited: Supplier contracts may limit time on site; internal audits
may try to minimize disruption of activities; travel is expensive
and resources are limited. To maximize utilization of resources,
consider: Review key documents in advance from home office; arrive
at site with questions to resolve; do not use on site time for
document review except as necessary Spend on site time observing
the facility, operations, equipment, and interviewing personnel
When necessary, use audit teams of two or three auditors, with each
taking different areas; enables more time to be spent on each area
while limiting overall on site time Consider adding a non-auditor
subject matter expert to assist the auditor in highly technical or
complex processes 19
Slide 20
CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS
RESERVED. / AUDIT PLANNING Require a written audit plan and agenda
before the audit Obtain information from internal stakeholders
(especially for supplier audits): What problems have been seen,
what areas do stakeholders want addressed during the audit, what
suggestions do they have? Be flexible during the audit; if other
serious concerns are noted, it may be necessary to deviate from the
plan, with good cause 20
Slide 21
CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS
RESERVED. / REGULATORY INSPECTION PREPARATION If the purpose is to
prepare for a regulatory inspection, the audit plan should be based
on available regulatory agency inspection methods that can be
obtained from the internet For the FDA, see
http://www.fda.gov/ICECI/ComplianceManuals/ComplianceProgramMan
ual/default.htm
http://www.fda.gov/ICECI/ComplianceManuals/ComplianceProgramMan
ual/default.htm For the EU, see
http://tinyurl.com/5sb8axwhttp://tinyurl.com/5sb8axw The Auditors
should be trained and experienced in regulatory inspection methods
(or be former regulatory inspectors) and should stay in the role of
the regulator as much as possible Provide feedback on the
performance of company inspection management and peoples answers to
questions in addition to GMP observations 21
Slide 22
CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS
RESERVED. / FDA COMPLIANCE PROGRAM GUIDANCE MANUAL What it is: A
series of programmatic SOPs that describe the process for
conducting different types of inspections and sampling programs,
and deciding what course of action to take when violations are
found Where to find it:
http://www.fda.gov/ICECI/ComplianceManuals/ComplianceProgramMa
nual/default.htm
http://www.fda.gov/ICECI/ComplianceManuals/ComplianceProgramMa
nual/default.htm How to use it: Key to preparing for FDA
inspections. In all CPGMs, see especially Part III Inspectional and
Part V Regulatory/Administrative Strategy sections Key Programs
(there are several others also): CPGM 7356.002, Drug Manufacturing
Inspections CPGM 7346.832, Pre-Approval Inspections CPGM 7348.810,
Sponsors, Monitors and CROs CPGM 7348.811, Clinical Investigators
(site level inspections) 22
Slide 23
CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS
RESERVED. / AUDIT REPORTS Audit reports should be objective, and
provide factual support for observations The most significant
findings include: Anything that points out a health hazard to the
patient such as non-sterility, overformulation, underformulation,
label mixup, stability problems, cross contamination, etc.
Observations that impact product currently on the market or in
distribution channels Things that happen repeatedly rather than
just once The more current the observation, the more significant it
is; something that happened once, three years ago, is usually
insignificant; something that represents a current trend usually is
more significant Audit reports should be provided in draft to the
audited unit before they are finalized: Facts correct?
Interpretations understood? Any disputes resolved? 23
Slide 24
CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS
RESERVED. / EVALUATION OF AUDIT REPORTS Observations should be
categorized based on risk. For example: Critical: An observed
condition or practice that could (or did) directly affect the
identity, strength, purity, or other quality characteristics
designed to ensure the required levels of safety and effectiveness
of the product or which alone could lead to action by a Regulatory
Authority. Major: An observed condition or issue that could
indirectly affect the identity, strength, purity, or other quality
characteristics designed to ensure the required levels of safety
and effectiveness of the product or which may be cited on a list of
observations during a regulatory inspection. Note: A pattern of
major observations in the same system, observations in multiple
systems, or repeat observations from previous regulatory
inspections could lead to action by a Regulatory Authority. Minor:
An observed condition or issue that deviates from requirements but
for which no potential direct or indirect impact to the product is
evident. Comment: A condition or issue that does not rise to the
level of an observation as described above. Note: Comments may
include: an observed condition or issue that is not clearly a
deviation from requirements, recommendations for improvement,
recommendations for further consideration in light of an audits
time constraints, or simply a statement of findings. 24
Slide 25
CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS
RESERVED. / EVALUATION OF AUDIT REPORTS In addition, the overall
outcome of the audit should be classified based on risk. For
example: Acceptable: Observations are minor and/or major but are
generally correctable. Conditionally Acceptable: Observations are
major and may not be promptly correctable and/or observations are
minor, but have the potential to become major if not attended to
promptly. Any critical observations must be immediately
controllable through prompt action such as discontinuance of
operations. Unacceptable: Observations are critical and
uncorrectable or on a follow-up audit, previous observations were
major/critical and were not corrected, or there is evidence of
deliberate wrongdoing. 25
Slide 26
CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS
RESERVED. / IMPLICATIONS OF FAILURE TO REACT TO AUDIT FINDINGS The
audit is done for a purpose, and the outcome and any resulting
action must be documented. Regulatory risk is higher when audit
findings point to potential violations, because the company is on
notice, through the audit, of the issues and therefore compelled to
react to them responsibly. Audit systems should include independent
evaluation and classification of audit findings (acceptable,
conditionally acceptable, not acceptable) and actions that are
taken consistent with the severity level of the findings. Interim
controls may be prescribed as a condition of continued operation
when findings indicate the need. 26
Slide 27
CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS
RESERVED. / CONFIDENTIALITY OF AUDIT REPORTS Most regulators
refrain from review of internal audit reports except under unusual
extenuating circumstances EU regulators sometimes access audit
reports for suppliers, with an emphasis on API facilities and fill
and finish facilities, though this is not uniform among the EU
authorities FDA has a Compliance Policy Guide, 130.300, which
states FDAs position on access to quality system audit reports (see
next slide) 27
Slide 28
CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS
RESERVED. / FDA POLICY, CPG 130.300 During routine inspections and
investigations conducted at any regulated entity that has a written
quality assurance program, FDA will not review or copy reports and
records that result from audits and inspections of the written
quality assurance program. FDA may seek written certification that
such audits and inspections have been implemented, performed, and
documented and that any required corrective action has been taken.
District personnel should consult with the appropriate headquarters
office prior to seeking written certification. The policy provides
a few exceptions, but they occur only rarely. FDA will not
generally review internal audit reports during inspections. 28
Slide 29
CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS
RESERVED. Special Considerations For Supplier Auditing 29
Slide 30
CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS
RESERVED. / AGREEMENTS WITH SUPPLIERS EU Technical Agreements,
Eudralex Volume 4, Part 1, Chapter 1 US DRAFT Guidance for Contract
Manufacturing Arrangements for Drugs: Quality Agreements May, 2013
(see earlier slide) Key to both documents is to have roles and
responsibilities clearly described Agreements should provide for
access for audit purposes, routine audits and for cause audits when
problems arise Agreements should be part of the contract so they
can be enforced by the contract giver
Slide 31
CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS
RESERVED. / PRIORITIZE LOCATIONS TO BE AUDITED Highest priority:
(NOTE: Risk assessment can change priorities) API, especially
sterile or bioburden-controlled API sites Fill and finish sites,
especially aseptic filling/lyophilization or terminal sterilization
Laboratories that do final release testing or stability testing
Labeling operations Next priority: Side chain synthesis
Intermediate process steps Laboratories performing lower risk or
specialized testing Cold chain and GDP Lower priority: Glassware
suppliers Packaging suppliers Distribution warehouses 31
Slide 32
CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS
RESERVED. / SUPPLIER AUDITS Supplier audit systems should integrate
all known information about supplier quality, not limited to audit
results, for example: Material supply history any rejections and
reasons for rejections, such as incoming inspection findings,
laboratory analytical findings, foreign material detected during
production, etc. Recalls Regulatory agency warnings made public
Internal concerns arising from batch record review Business
performance of the supplier on time delivery, right product, price
competitiveness, etc. Integrated systems can provide a single
reference point on supplier acceptability for use by Procurement
personnel 32
Slide 33
CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS
RESERVED. / SUMMARY Internal audits are not required by US GMP but
are almost universally employed by US companies Self assessments
are required in the EU Technical agreements and supplier audits
have been required in the EU for years, expected in the US but now
required in the US also Dedicated, specially trained audit teams
are widespread in the industry Auditors must be objective and
independent, but can give recommendations and advice so long as
responsibility remains with the audited department or company
Worldwide supply chain management requirements have increased and
can be expected to be a high priority area for regulators 33
Slide 34
CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP. ALL RIGHTS
RESERVED. / THANK YOU CONFIDENTIAL 2014 PAREXEL INTERNATIONAL CORP.
ALL RIGHTS RESERVED. / 34 Gracias por su atencin! Preguntas y
repuestas