Every company I work with has a problem with their auditing program. Some believe they are overdoing it and others feel they are not doing enough. In a sense, they are both right. In actual fact, they are all overdoing it in certain areas and underdoing in others.
Back when I started in Industry, and I am afraid to tell you exactly when, auditing programs were written in stone in SOPs. The frequency, duration and number of people were defined and rigorously enforced. Audits were conducted each the same way and lists of findings were assembled and sent to the auditee. If lucky, the findings were responded to and CAPAs developed. The report was closed out and filed. After the prescribed period of time, the process was repeated. Often the same findings were seen at the next audit. So either the CAPA was not done or it was ineffective. Not exactly an efficient, effective process, but it satisfied the regulators.
Today a program like that is just not acceptable. Why? Have the regulations changed? Have our expectations changed? Has the world changed? The answer to each is yes.
Over the last 20-30 years we have seen a lot change. We have seen drug tampering (Tylenol and cyanide), counterfeit drugs in the market place (you get those emails for those drugs at unbelievable prices) and incidents like the Heparin / Baxter problem. Both industry and regulators have taken note and reacted. In the US and EU, regulators have recognized the problems and issued new regulations and guidances. The Falsified Medicines Directive (FMD), Food and Drug Administration Security and Innovation Act (FDAsia) and the Drug Supply Chain Security Act (DSCSA) have been issued and are in the process of implementation. So how does that fit into the auditing program? It is because the auditing program is a tool that will enable you to meet the spirit of what these regulations are driving at.
We perform both internal audits of our own operations as well as audits of third parties. These third parties include our CMOs, our suppliers of raw materials, excipients, actives as well as services such as testing labs, engineering functions and distribution to name a few. The functions of an audit are many fold including a component of the assessment of whether we care to do business with an entity (the Vendor Qualification Program) as well as as a routine assessment of whether we want to continue to use them (continuous verification) and an assessment after some element has failed (for cause).
Each of these is approached differently, depending on the nature of why we are auditing.
- Vendor assessment – usually, you have never worked with the vendor before, or at least recently, so this is an exploratory audit to assure they are operating to an appropriate standard that is compatible with our expectations. Because of this, the goal is to assess all their systems.
- Continuous verification – you have experience with this type of vendor. You know what they do well and perhaps have identified areas where improvement might be needed. You are often following up from previous audits or experience with their services (described in the annual product review). So it is often more directed than the qualification stage of vendor assessment.
- For cause – something has definitely gone wrong. So this is a very directed audit towards the areas of potential deficiency. The outcome may be to continue to use or to terminate the relationship.
Which brings us to how to conduct an audit to add value. ICH Q9 is a wonderful guidance that if used intelligently can aid you in developing a truly risk-based auditing program: that is to balance the “too much” versus the “too little”. I highly recommend integrating this guidance into your auditing program. Remember if you do not document your risk decisions, you will be found lacking by the regulators.
I use the old moniker of
say what you do,
do what you say,
prove it and
Put another way it is really documents, execution, records and continuous improvement.
These following steps may aid you in defining the audit program.
- Never schedule your auditors more than 67% of their time and that includes prep time and report writing time. The extra 1/3 is important for the unexpected such as the for cause audits, the new suppliers, the new emergency programs and also the deep dives you provide as a service to your internal customers.
- Determine the risk factor for the particular vendor. That includes not just the service provided but the track record of each. This will determine the frequency, duration and manpower needed. And this needs to be kept current because situations change.
- You have limited time at the vendor so use it well. Prepare the outline of what you want to accomplish (the type of audit), what you know, what questions need answering. If possible do work before you arrive. That could be sending out a focused questionnaire to relatively simple elements (you can confirm when you arrive). Even present to them a proposed agenda, so they are prepared and have no excuse when you arrive.
- So what do I focus on when I arrive. A typical process flow approach is my choice. For actives suppliers or CMOs, I walk the process with my questions and get my answers in situ. Armed with my preparation work, I walk through the facility and quite prepared to stop even for a significant length of time to explore more if I sense an issue. For testing labs walk the samples. This is the execution component
- I look at paper work later and I focus on the various quality systems of interest. I do not read SOPs or policies but rather focus on the records part. I look at deviations and investigations, CAPAs, change controls and lot dispositions. The threads I find lead me into the various other systems. I find these systems are the pulse of the organization and tell you a lot about the company.
- If necessary, I go to SOPs and policies. That is the documentation part to confirm that what they say corresponds to what they do.
- I also look at operations and people to detect signs of continuous improvement which is often picked up, not in documents, but in conversation.
- I usually look to see evidence of a modern approach to quality as evidenced by an active involvement of management.
- In the close out I gather the observations which I have ranked using the EU standard of critical, major and minor. In the discussion I might even make some suggestions of how improvement might be made. But it is the company’s decision on the how to address really.
- After you get home, make sure to follow up with requests for CAPAs after the agreed upon time frame.
BTW, one of my first stops is the bath room. Not because of a medical problem but to see how it is kept. Companies that have a good QMS have clear bathrooms. For those with QMS problems, the bathroom can be a telltale.