In preparing to write this article for Controlled Environments, we looked at audits of vendors, like software developers and automated processes, and to distributor audits for supply chain integrity. A common thread in successful audits is the maintenance of sound audit practices, standards, and guidelines.
TO WHAT PURPOSE?
Auditing serves several purposes that are adapted to the application as necessary. Goals and results should be shared across the enterprise to help solve problems evident in all areas of pharmaceutical manufacturing and distribution. Regardless of what is being examined or audited — a system, facility, or software process — the resources available, such as the data, people, auditors,or experts, can be similar and many can be used in nearly all situations.
Audits are conducted to meet FDA guidelines to insure that manufacturers maintain appropriate due diligence and inspection of processes, environments, vendors, suppliers, and others whose products, work, and expertise goes into the manufacture of regulated products.
For example, in 1996, the FDA challenged the industry to establish a standard way to assess the structural integrity of acquired computer software and to lower overall costs to the industry. In 1997, a task force was formed to assess the integrity of and develop a guideline for auditing acquired commercial off the shelf (COTS) software. Under the umbrella of the Parenteral Drug Association’s PDA’s Computer Validation Interest Group, the PDA along with the FDA,members of the user community from the pharmaceutical and medical device industries, and the software developers themselves came together to create and publisha guideline for auditing the acquired computer software and services.
The objectives of this task group were focused on the specific application of software in the manufacturing process. These objectives were also very similar to those that any group consisting of professionals from any sector of the industrymeeting to establish standards might have. They include:
- To define and demonstrate (through simulation and field testing) a process for supplier audits and qualification in a way that promotes standardization and simplification
- To meet regulatory expectations for the structural integrity of acquired software and computer products in general (regardless of where in the manufacturing process they were applied)
- To satisfy customer needs for information as supporting procurement, systems engineering, and computer validation
- To lower costs to both the pharmaceutical companies and suppliers.1
With regard to the latter point, costs of audits within the industry have increased dramatically and pharmaceutical companies may incur costs (internal and external) upwards of $750,000 per year to perform, manage, and archive audits. Examples exist that show reductions in cost greater than 50% through the use of a central repository. Such a repository for technology process audits was created by the PDA and is now known as the Audit Resource Center (ARC).
DEVELOPING THE AUDIT PROCESS
In the process of developing the published audit process, the task force performed research, used experience from supplier audits, and drafted a common practice to meet the needs of the industry. The needs assessment came from the users’ agreement that auditing practices used throughout the industry were cumbersome, duplicative,and inconsistent.2
The task force of industry professionals continued working after the publication of the report by the PDA (Technical Report 32 or TR-32) to monitor, maintain, and upgrade the process. Today, this group is known with the PDA as the Audit Guidance Advisory Board (AGAB). The AGAB now guides the development of technical reports for auditing and reviews the relevance of the documents, recruits committees of technical experts, and revises, expands, and broadens the guidelines as needed. The first iteration of this new guideline was published in 2001 and was revised in 2004. The current document is under review and publication of a new broader guideline is expected in the coming year.
Anyone who manufactures products that are regulated by the FDA must conduct due diligence of their vendors, typically in the form of audits. In this environment, those vendors who produce equipment that utilizes software or suppliers who develop software itself have to be audited; a well-accepted process that isoften used is TR-32.
Quality audit procedures are all driven by observation. Observations are made either by an external auditor or by the company’s technical expert who insures that inspection of the proper elements is done to current standards or by internal quality teams whose responsibility it is to report to managementon the status of the environment whether static, dynamic, or resting.
Other guidelines and standards exist to support professionals in their auditing, examination, and inspection of manufacturing processes and technology such as cleanrooms, controlled environments, and product pedigree in the chain of custody. Standards are developed by organizations that include members who work in the industry and governing bodies such as the U.S. FDA and the EuropeanMedicines Agency (EMEA).
The need for diligence is not unique to manufacturing of pharmaceuticals and devices. Companies also face challenges in distribution, both internal and throughout the external supply chain typically consisting of pharmaceutical wholesalers. Early in this decade, a significant increase in the incidence of counterfeit and diverted drug products and devices got the attention of industry stakeholders and led to a series of very significant changes. These changes included the publication of “Recommended Guidelines for Pharmaceutical Distribution System Integrity” by the Healthcare Distribution Management Association (HDMA) and the National Association of Boards of Pharmacy (NABP) Model Rules for distributors, which calls for strengthening of the Prescription Drug Marketing Act (pedigree) and related state laws, as well as changes in the business model between manufacturers and distributors (fees for serviceagreements).
Today, the changes in the supply chain landscape continue. While no audit standard has been formally adopted, NABP created an inspection process that may be used by state boards of pharmacy for inspecting distributors (Verified Accredited Wholesale Distributor or VAWD) and the HDMA’s Recommended Guidelinesserve as a metric for at least one private audit firm.
GAMP 4, Good Automated Manufacturing Practices, is used as an audit guide for many manufacturing processes such as controlled environments where computer products and software are not the primary processes being examined. GAMP 4 has also been enhanced, refined, and restructured like the TR-32 to reflect current regulatory expectations and good practice.
Professionals from the Americas and Europe contributed to the production of GAMP 4 which is intended for suppliers and users in pharmaceutical manufacturing and related healthcare industries. This guide draws together key principles and practices and describes how they can be applied to determine the scope and extent of validation for different types of automated systems.
Benefits of this standard to industry users and suppliers echo those of the TR-32 and others include:
- Cost benefits, aiding the production of systems that are fit for purpose, meet user and business requirements, and have acceptable operation and maintenance costs
- Increased understanding of the subject and introduction of a common language and terminology
- Reductions in cost and time taken to achieve compliance systems
- Clarification of the division of responsibility between user and supplier
While GAMP addresses a broad range of issues related to validation of systems, another document that can assist cleanroom operators in maintaining 21 CFR Part 11 compliance is the joint PDA/ISPE publication “Complying with 21 CFR Part 11, Electronic Records and Electronic Signatures,” a companion document to GAMP 4.3
International standards and the groups that develop, maintain, archive, and promote them are the background for auditing within the regulated environment. Consideration must be given to adjunct drivers in the industry that help us conduct not only audits but daily performance, inspection, and maintenance of various processes.
ICH, or the International Conference on Harmonization, along with ISO 9001 standards, govern certain critical elements of the manufacturing process and how they are conducted. The American Society for Quality has been instrumental in supporting the industry and professionals who perform the operation, maintenance, inspection, and management of any systems within the industry.
ISO, the International Standards Organization, is a network of the national standards institutes of 155 countries, on the basis of one member per country, with a Central Secretariat in Geneva, Switzerland, that coordinates the system.
Between 1947 and the present day, ISO published more than 16,000 International Standards. ISO’s work program ranges from standards for traditional activities, such as agriculture and construction, through mechanical engineering to medical devices and the newest information on technology developments, such as the digital coding of audio-visual signals for multimedia applications.4
ISO is accepted in many industries and now has entered the pharmaceutical industry in manufacturing as well as software developers that service the industry.
Audits have historically been executed by compliance personnel in pharmaceutical companies who possessed a basic knowledge of software or other processes. These knowledgeable individuals used methods and checklists common to auditing physical processes and checking paper trails. Much of this was based on written regulation for good manufacturing and clinical practices, but was not alwayssuited for technology processes.
Audits conducted by independent auditors to a standard are valued by industry as a way to “certify” that a vendor or company has followed the proper procedures and their work or products have been through a third partyreview and is credible.
Training, qualification, and certification have become the basis for developing personnel and teams that can execute audits with the latest standards from governing organizations and professional associations like PDA, ISPE, ASQ, and others.
The PDA and ASQ both train professionals and qualify or certify them to conduct quality examinations for their companies, for clients independently, and audit the manufacturing and technical processes discussed here. This training is essential to furthering the standards employed and to the industry acceptance and adherence to standards and regulations from governing bodies like the FDA.
The rationale for developing industry standards is to systemize this process and to qualify auditors based on the standard developed by a sanctioning body, such as the PDA or others.
The PDA Training and Research Institute (TRI) exists for those who want to advance their careers in Quality Assurance, Quality Control, Manufacturing, Training, Regulatory Affairs, Validation, Engineering, or Information Technology; the PDA TRI has courses designed to fit many specialized needs. It is approved by the Accreditation Council for Pharmacy Education (ACPE) as a provider of continuing pharmacy education.5 The American Society for Quality has developed several training and certification courses relevant to this discussion. Someexcerpted from the ASQ Web site are:
- Biomedical Auditor – CBA
- Quality Auditor – CQA
- Quality Engineer – CQE
- Quality Technician – CQT
- Software Quality Engineer – CSQE6
Other organizations that train or qualify auditors, maintain credentials, or set standards for these professionals are listed below with their Web sites:
- International Register of Certified Auditors or IRCA http://www.irca.org/home.html
- International Personnel Certification Association http://www.ipc.com
- RABQSA http://www.rabqsa.com/
- European Commission on Enterprise and Industry (Pharmaceuticals)
Third party participation in the audit process creates some distinct advantages. A third party resource can be a credible source for information, participation by technical experts, overview from sanctioning bodies, and resource extensionfor valuable and scarce internal resources.
One such resource to auditing is a central repository for audits and reports on audits that can be shared across the enterprise and throughout the industry by both a customer and their vendor in an effort to strengthen a vendor relationship, reduce time and cost associated with the auditing process, and provide quality controlfor documentation.
Many organizations may have processes and even specific software for managing audit data and reports. Like internal audit systems and those personnel managing them, they may be subject to the individual needs of groups within the companyor department and not meet a standard or include standard practices.
The same bodies that develop and maintain standards also devise ways to help maintain the integrity of the reports and information that is produced by an audit in an effort to make it acceptable to multiple stakeholders with theorganization or across the industry.
One such entity was created by the PDA’s task group and is the ARC that is managed under the supervision of the Audit Guidance Advisory Board. This entity provides audit reports to industry and partners with suppliers of software products to facilitate audits and track the global supply of available auditsand qualified auditors who conduct them.
One of the goals of examining audit resources in this article is to provide an overview of processes and procedures for auditing in the regulated environment and also to show the breadth and depth of the standards to which those involvedin the discipline are and should be held.
We often look into the detail of that which we are endeavoring to examine to find gems of data that we need to complete reports and manage a process or state of the system. Many times we need to start at a meta-level to understandthe system and make observations about that before examining the details.
This article is intended not to be an exhaustive journey through the history, development, or practice of technical auditing within the regulated pharmaceutical industry, but to shine some light on the resources available within particular sectors and perhaps provide a perspective or broader picture on a critical issue that consumes many hours for all of the professionals who spend careers dedicated to the pursuit of quality.
- Auditing of Suppliers Providing Computer Products and Services for Regulated Pharmaceutical Operations. Technical Report No. 32, Release 2.0, Vol. 58, No. 5, September/October 2004.
- Carney, David; Greenawalt, Harvey; Grigonis, George; Oberndorf, Patricia. Case Study: Computer Supplier Evaluation Practices of the Parenteral Drug Association (PDA) Carnegie Mellon Software Engineering Institute, May 2003.
- GAMP 4, Good Automated Manufacturing Practice (GAMP) Guide for Validation of Automated Systems. Thomson TECHSTREET. 01 Aug 2007 www.techstreet.com.
- Overview of the ISO System. 12 Sep 2006. International Standards Organization. 31 Jul 2007. www.iso.org.
- About PDA Training and Research Institute. Parenteral Drug Association.
28 Jul 2007
- Auditing and ISO Solutions, Quality in Manufacturing. American Society for Quality. 04 Aug 2007. www.asq.org.
Chris Ward is the Director of the Audit Resource Center for SynTe-gra and is responsible for business development and management of the ARC database of software process audits. He is a member of the American Chemical Society and has served as President of the Board of Directors, Vice President and Chair of various committees for the Asthma and Allergy Foundation of America. He can be reached at SynTegra LLC, 12800 Middlebrook Road, Suite 220, Germantown, MD 20874; email@example.com.
Thomas E. Menighan, RPh, MBA, is the President of SynTegra, LLC, and leads development and delivery of a full suite of operational and regulatory compliance services for pharmaceutical and biotechnology companies from product discovery to distribution. He is a past President of the American Pharmacists Association (2001–2002) and is currently a partner in Pharmacy Associates, Inc. He can be reached at firstname.lastname@example.org.