As we progress into spring 2023 and the audit season gets into full swing and following our successful Qualistery webinar on the topic, we wanted to highlight and talk about auditing and supplier qualification in some more detail, as this is one of the core services that we offer.
There are many different types of Audits for different situations, and each has its own approach and requirements, which we will delve into in more detail below. There are also overall program requirements, such as having a mechanism for feeding new qualification audits into the program and a periodic risk assessment of all suppliers to ensure we are selecting the correct qualification or audit process.
So… First things first, what is an audit?
An audit in the pharmaceutical industry is where we complete an independent and systematic examination of the company we wish to qualify and where we establish if the activities performed by that supplier or contractor are in alignment with all current industry standard regulations.
There are many different types of audits. Our industry usually employs a combined approach to look at the Quality Management System and the product and processes to ensure our material or product is manufactured according to set requirements. For a new supplier or contractor, an initial risk assessment should be completed to determine the appropriate level of qualification and mitigation actions required. This should be governed by the change control and NPI processes within your organisation. This will ensure that the supplier/contractor is onboarded and qualified using a systematic approach while at the same time protecting the product and, ultimately, the patient.
What type of audit should we complete?
For the initial qualification of new API suppliers or new contract manufacturing sites, the criticality will usually necessitate an in-person audit of the site to properly assess the facilities, organisation structure and processes at the site being evaluated.
For the lowest risk suppliers – A desktop audit where a data pack is reviewed with a short follow-up meeting might be appropriate, for example, for a manufacturing aid or simple excipient like talc. A remote audit might be suitable for a chemical excipient or unprinted packaging supplier, and this could be necessitated if the supplier does not allow in-person full-day audits. Then a single-person in-person audit would be appropriate for higher-risk suppliers like API, printed packaging, functional excipients, or outsourced services (so examples here might be. capsule shells, sterilisation, micronisation, etc.). Finally, for critical risk suppliers like entirely outsourced end-to-end manufacturing processes or upstream/downstream biologic processes, then a multi-day team audit would be appropriate in this situation, and this will need to include the QP (or person responsible for release if outside the EU) and possibly the RP if holding and distribution are being completed.
Who should complete the audit?
Your organisation must ensure that any auditor you use is qualified to assess the potential supplier. Also, they should have experience in the manufacturing process and regulatory standards that the supplier or service provider will be evaluated against. For example, a junior QA team member would only audit an aseptic process if they have a sterile manufacturing background. There should be appropriate experience, a lead auditor qualification or robust internal training, and one or more accompanied audits with a previously qualified individual or team. Finally, most of the regulatory standards require that the assessment of the auditor and their CV is retained on file, either with the audit report or the change control used to introduce the supplier. This is particularly important if an outsourced contractor or sister company auditor is used where it may be difficult later or in a regulatory inspection to justify why that person was acceptable to use.
What about Virtual Audits and when are these appropriate?
These are sometimes referred to as remote or distance audits, and they came to the fore during the Pandemic in 2020. While they can be appropriate in many situations where risk is deemed low such as for routine surveillance of established suppliers, they may not suit all situations. For example, if you are contracting out a critical process or setting up a new warehouse that will be acting as the main site of physical import and storage for GMP importation then certainly for a first audit, it would be expected that this would be multi-day and onsite.
If you do consider that the risk level allows for a remote audit, then you should ensure that you set this up for success. You need to ensure that a remote data room is set up to allow you to see all the documentation as and when you are ready to view it while at the same time protecting the auditee company’s intellectual property rights and confidentiality.
Technology will be the key to successful remote audits; you will need to have the filesharing capabilities set up well in advance and tested, and the auditee site should reassure you that they will have the camera and internet bandwidth to allow for virtual tours of the facility. Do not be afraid to insist on this as these companies would have had to have this in place for their health authority inspections during the pandemic years so there is no reason why they cannot accommodate this now.
Sometimes lean organisations just do not have the capacity to handle all their audit requirements and will leverage outside organisations and contractors to help facilitate some or most of their audit programs. Selecting the right partners is critical, and we can help you with this. Orion GXP Consulting has a panel of highly competent GMP, GDP and GCP lead auditors including QPs and RPs with decades of experience in this field.
We would be happy to review your program and either assist you in streamlining or help with audits to keep your qualification program on track.
Get in touch today by emailing info@oriongxp.com; or by calling us IRL – 07198 10101 or UK 0203 475 0375.