Pharmaceuticals Audits and Self-Inspections
An audit is a “systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled.” Audits can be categorized in different ways (Table 14.1). This chapter focuses on first-party audits in a good manufacturing practices (GMP) organization.
Internal audits are performed according to a schedule to evaluate the quality system in order to determine if it is effectively implemented and maintained. In addition, they are performed to determine whether the organization’s processes and products meet established parameters and specifications.
The organization performs internal audits to ensure that its systems are compliant by proactively evaluating them and addressing any gaps in compliance. This evaluation process increases the chance that the organization will produce goods and services that meet quality requirements, and help ensure that consumers can trust that their medications and medical devices are safe and effective. Internal audits can give early warning of a problem before it can impact product quality. Ensuring that quality systems are under control also maximizes the likelihood that a third-party audit of the System, process, and product audits have different areas of focus that can be used for internal audits (and for second- or third-party audits, as well) (Table 14.2). The United States Food and Drug Administration (FDA) has identified six systems that they may review when conducting regulatory inspections: production, materials, laboratory controls, facilities and equipment, packaging and labeling, and quality. Process audits can address an aspect of a quality system, such as change control, product disposition, or validation. Product audits are usually narrower in scope than system or process audits and focus on a specific product or product family.
AUDIT PROCESS
Internal audits (also referred to as self-inspections) are conducted by GMP organizations to evaluate the effectiveness of their quality systems in complying with GMP. The generic steps involved in an audit are:
• Initiation (scope and frequency)
• Preparation (review of documentation, the program, and working documents)
• Execution (opening meeting, examination and evaluation, collecting evidence, observations, closing meeting with the auditee)
• Report (preparation, content, and distribution)
• Completion (report, submission, and retention)
GMP regulations and guidance documents from the US, Canada, European Union (EU), and Japan have similar requirements for an internal audit program:
• A written procedure to define the audit process
• A defined audit schedule covering all quality systems
• Qualified, independent, trained auditors
• Documentation of findings and corrective actions
• Management responsibility for timely implementation of effective corrective actions
Written Procedure
All of the steps necessary to conduct the audit should be defined in a written standard operating procedure (SOP). The written procedure should include how an auditor will be qualified. An auditor should be knowledgeable about the requirements against which he/she will be auditing (for example, GMP for pharmaceutical products) and the auditing process. The auditor should have experience in conducting audits.
The procedure should document which requirements are to be evaluated during the audit (for example, US GMP for finished pharmaceuticals, EU requirements for medicinal products for human use) and define how the audit schedule will be established. The frequency of audits and audit topics should be addressed in the written procedure.
The audit SOP includes requirements for the auditor to conduct an opening meeting with the auditee to explain the audit process and scope and to schedule the execution of the audit. The audit methodologies usually include observation of processes, facilities, and equipment, interviews with process participants, and review of procedures and records. At the closing meeting of the audit, the auditor addresses the draft observations with the auditees; in some cases, the auditee may provide missing information that indicates no gap in compliance exists, and the draft observation can be removed.
The procedure indicates that the auditor compiles the observations (gaps in compliance with requirements) in an audit report, which is provided to the auditee. The manager(s) responsible for the areas in which there are observations provide a response for each observation within a defined amount of time (for example, two weeks or one month after the completion of the audit). Finally, the procedure should include the methods used to monitor corrective actions to completion, and mechanisms to determine effectiveness of the corrective actions after they are implemented.
Audit Schedule
The audit schedule is often issued for a one-year period (for example, at the beginning of the calendar year) and indicates the areas and topics to be audited and when the audits will occur. Audits can be prioritized by evaluating the potential risk to product of various quality system elements, but the entire quality system should be evaluated on a periodic basis. The schedule is approved by management of the audit function. This document can be used to assign auditors to specific audits and to track the execution of audits as they are completed. When a regulatory agency conducts an inspection of an organization, this document can be used to provide evidence that the audits are being conducted as planned. Internal audit reports are not reviewed by FDA during the course of a routine inspection. FDA will only review internal audit reports in the following cases (FDA Access to Results of Quality Assurance Program Audits and Inspections):
• In directed or for-cause inspection and investigations of a sponsor or monitor of a clinical investigation
Department of Justice law enforcement activity, including administrative regulatory actions)
• During inspections made by inspection warrant where access to records is authorized by statute and when executing any judicial search warrant
Qualified, Independent Auditors
Auditors should be qualified to perform audits based on education, training, and experience. Education and training on GMP and the audit process can be obtained through courses and conferences provided by a variety of GMP consultants and organizations. An auditor’s knowledge about current GMP can be increased by reading industry periodicals, regulations, and guidance documents from applicable countries for the type of products being manufactured, inspection results (for example, as summarized in GMP Trends [http://www.gmptrends.com/] or documented in warning letters), and books on GMP topics.
Auditors can become certified through organizations such as the American Society for Quality (ASQ), which has certified quality auditor, certified biomedical auditor, and certified hazard analysis and critical control points (HACCP) auditor designations.
The best way for a new auditor to learn about auditing is to work with an experienced (lead) auditor. First, the new auditor needs to be trained on the organization’s procedure for internal audits. Once he or she is familiar with the organization’s procedures, the new auditor can observe audits in process. Once he or she is comfortable with the process, the new auditor can assist a lead auditor in performing audits and writing observations and audit reports. As a final step, the new auditor can conduct an audit with oversight by an experienced lead auditor. When the new auditor has proven to the lead auditor that they can conduct an audit and write clear, objective audit reports, he or she is ready to perform audits independently. It is important to document the new auditor’s education, training, and experience to demonstrate his or her qualifications to conduct audits.
Auditors must be independent of the areas that they audit. An auditor should be able to objectively assess compliance with requirements. Auditors are typically part of Quality Assurance, but it is not uncommon for individuals from a variety of departments to participate on audit teams.
Analyze Audit Results to Assess Conformance to Requirements
During the execution of the audit, the auditor needs to determine whether the procedures meet regulatory requirements, and whether actual practices follow the written procedures. Starting with regulatory requirements, the auditor confirms that written procedures exist to meet these requirements. Next, the auditor assesses whether actual practice is consistent with the company procedures by observing the execution of the procedures, interviewing process participants, and/or reviewing records. The auditor asks questions such as:
• Do procedures exist for each regulatory requirement?
• Is there evidence that each procedure is being followed as written?
• Are procedures and records clear and understandable?
• Are records legible?
• Are corrections to records clear and justified?
• Are deviations initiated when procedures are not followed?
• Is the change control process followed to evaluate potential impact of a change before it is implemented?
• Are training needs identified for each GMP employee for his or her assigned job?
• Is each GMP employee trained to perform a task before the task is performed?
• Do employees receive general GMP training periodically?
Documentation of Findings and Corrective Actions
Once the audit has been completed, a report is written by the auditor to serve as a record of the audit. The scope, purpose, and what was observed during the audit, both positive and negative (that is, gaps in compliance), should be documented. The observations of gaps in compliance should be written to clearly indicate which regulation, guidance, or procedural requirement was not met.
It is in the internal auditor’s and the company’s best interest for the internal auditor to maintain a positive relationship with coworkers. Even though a primary goal of auditing is to identify noncompliances, this process should be portrayed as an opportunity for continuous improvement. When an internal auditor conducts an audit, he or she can report on positive results observed (areas observed to be compliant) in addition to the gaps in compliance. It is important to write the observations to address the gaps with GMP and not to place blame on anyone for the gaps. Also, the auditor should not impose his or her solution to an observation; the people performing the process are the experts and owners of the process. The auditor may provide feedback about proposed corrective actions if requested by the auditee. In general, if the internal auditor (or audit team) treats the auditee with respect throughout the audit process, a positive relationship can be maintained.
Management Responsibility for Implementation of Corrective Actions
Manager(s) of the areas in which noncompliances were observed are responsible for providing responses to the observations. The responses should identify the corrective actions to be taken to close any gaps in compliance. Each corrective action should indicate specific action to be taken, who is responsible for implementing the action, and the date when the action will be implemented.
More than one corrective action may be needed to successfully address the observation. The timeliness of implementation of a corrective action should be based on the criticality of the observation. Noncompliant situations that have a high risk to product quality (for example, potential contamination of product) should be implemented immediately. Observations with a low risk to product quality can be implemented as soon as practical. At no time, however, should audit corrective actions languish; they should be given priority by management and implemented in a timely fashion.
After the responses are approved by audit management, responsible management ensures that the corrective actions are implemented by the date indicated in the corrective action plan. If for some reason the action can not be implemented as indicated in the response or by the date in the response, the area management should proactively contact audit management to communicate the change. If the scope of the corrective action or timeliness of implementation need to change, audit management should approve the change and document it in the audit records. If the noncompliance is critical to product quality, the necessary resources should be found to make it possible to meet the original corrective action plan.
Verification of Corrective Actions
The audit department tracks the corrective actions to ensure they are closed as indicated. The audit department may follow up on the dates when the actions were to be completed or check periodically (for example, monthly) to ensure that the actions were completed. The responsible managers provide objective evidence to the audit department to demonstrate that the corrective action was implemented. The objective evidence should be reviewed by the audit department to close the observation. Once the objective evidence is reviewed to confirm that the corrective action was implemented, the audit department can close the observation.
To ensure that the corrective actions effectively resolve the compliance gaps, the next time that an audit is conducted in the area where the observations were made, the auditor will review all previous observations within the scope of the current audit. During the current audit, the auditor reviews the previous non compliances to make sure that they have been adequately addressed and that the compliance gaps no longer exist.
Another method that could be used to follow up on adequacy of corrective actions is to review the compliance gap after a fixed period of time has elapsed. For example, if an SOP was revised to clarify a process so that it is performed correctly, the audit department could check six months after the SOP is implemented to ensure that no further processing errors have been made as a result of following the revised procedure.
In some cases, a noncompliant observation written for one specific compliance gap may be a symptom of a systemwide gap. For example, an observation was listed regarding mechanics not being required to attend annual GMP training. It is possible that other departments who should attend annual GMP training were overlooked, but they do not have this requirement in their training curricula. Finance employees typically do not perform GMP tasks, but if they use the GMP inventory computer system to track product costs, they, at a minimum, need to be trained on GMP procedures for this computer system. When determining the corrective actions to be included in an audit observation response, responsible management should evaluate the potential for any systemwide gaps.
If the responsible area does not implement the corrective actions as indicated in the audit response, the audit department should determine why they were not implemented. If there are resource issues, the audit department should work with management to obtain the necessary resources, and adjust the due date for implementation if the risk assessment permits a delay. As a last resort, if the area management does not cooperate with the audit process, the audit department can escalate the issue with upper management or issue a nonconformance for not following the audit procedure.
If a corrective action was implemented but was found not to be effective, the organization needs to find the true root cause and address it with an appropriate corrective action. A follow-up audit could be performed to review more closely the context of the noncompliance, or the responsible area could investigate the root cause of the noncompliance again using more-rigorous problem-solving tools. The second round of corrective actions should be tracked by the audit department, and effectiveness of these corrective actions should be checked after implementation.