Effective Internal GMP Auditing Strategies
Massachusetts Biotechnology Council
October 3, 2008
David L. Chesney
Vice President, Strategic Compliance Services
PAREXEL Consulting
Lowell, MA
[email protected]
©2008, PAREXEL Consulting
 Regulatory requirements, policies and “expectations”
 “FDA cannot enforce an expectation – only a regulation” –
(anonymous FDA attorney)
 Elements of an effective internal audit program
 What to look for and some interview techniques
 Q&A
©2008, PAREXEL Consulting
Regulatory Requirements – FDA - Drugs
 For biologic and non-biologic drugs subject to 21 CFR 211,
there is no specific requirement for internal audits
 21 CFR 211 contains no specific requirement for vendor
audits either, however, 211.84(d)(2) states in part: “…a
report of analysis may be accepted from the supplier of a
component, provided that at least one specific identity test
is conducted on such component by the manufacturer, and
provided that the manufacturer establishes the reliability of
the supplier's analyses through appropriate validation of
the supplier's test results at appropriate intervals”
 Vendor audits of contract laboratories are one way of
complying with the underlined section
©2008, PAREXEL Consulting
Regulatory Requirements – FDA - Devices
 For biologic and non-biologic devices subject to the Quality
System Regulation, 21 CFR 820.22 requires that you
perform quality audits of your own quality system (internal
 21 CFR 820.50, Purchasing Controls, requires in part:
“Evaluate and select potential suppliers, contractors, and
consultants on the basis of their ability to meet specified
requirements, including quality requirements. The
evaluation shall be documented.”
 While there may be ways other than audits to meet this
requirement, auditing is the conventional means and is
©2008, PAREXEL Consulting
Regulatory Requirements – FDA - GLP
 The GLP regulations, 21 CFR Part 58.35(b), require in part
that the Quality Assurance Unit shall…
 “(3) Inspect each nonclinical laboratory study at intervals adequate
to assure the integrity of the study and maintain written and
properly signed records of each periodic inspection
showing…(specified items)... Any problems found during the
course of an inspection which are likely to affect study integrity
shall be brought to the attention of the study director and
management immediately.
 “(4) Periodically submit to management and the study director
written status reports on each study, noting any problems and the
corrective actions taken.”
©2008, PAREXEL Consulting
Regulatory Requirements – EMEA - Drugs
 If your drug product (biologic or non-biologic) is licensed in
Europe, you are subject to the Eudralex, Volume 4, Part 2,
Chapter 9 requirement for “Self Inspection”
 This section is detailed, but leads off with the statement
that: “Self inspections should be conducted in order to
monitor the implementation and compliance with Good
Manufacturing Practice principles and to propose
necessary corrective measures.”
©2008, PAREXEL Consulting
Current FDA Guidance
 The FDA’s “Guidance for Industry: Quality Systems
Approach to Pharmaceutical cGMP Regulations”, Part D
(Evaluation Activities), #2 (Conduct Internal Audits)
establishes as an FDA recommendation that “A quality
systems approach calls for audits to be conducted at
planned intervals to evaluate effective implementation and
maintenance of the quality system and to determine if
processes and products meet established parameters and
 Bear in mind that FDA Guidelines are not binding
requirements, but are considered advisable steps and thus
establish what many in the industry refer to as
©2008, PAREXEL Consulting
FDA Policy on Access to Internal Audit Reports
 FDA Compliance Policy Guide Section 130.300 states the
current FDA policy for access to internal audit reports by
agency personnel during inspections and at other times.
 Basically, FDA takes the position that they have access to
such reports but will choose not to access them except
under certain narrowly described circumstances – see file
©2008, PAREXEL Consulting
Internal Audits
Elements of an Effective Program
©2008, PAREXEL Consulting
- 10 -
Key Elements of an Effective Internal Audit Program
 System based – either use the same “six system” approach used by
FDA for GMP inspections, or tailor to your own quality system structure
and hierarchy (if other than GMP, use the systems employed for the
GxP area audited)
 Planned – audits follow an established and documented methodology,
with written audit plans and uniform report formats.
 Tip: Avoid checklist reports – narratives are preferable; checklists are
helpful for audit planning but should be augmented by narrative if used as
the report
 Prioritized – audits give first and most in-depth attention to areas that
present the highest risk to product quality, for example:
 Aseptic processing; terminal sterilization; formulation; labeling; others that
directly impact safety, purity, potency, efficacy
©2008, PAREXEL Consulting
- 11 -
Key Elements of an Effective Internal Audit Program
 Scheduled – audits are scheduled based on risk, and at a frequency
adequate to provide current awareness of the state of control of
processes and systems
 Employ qualified auditors – audits are performed by personnel who
understand the intricacies of the processes, equipment, products and
systems they are auditing, and who also posses effective auditing skills
 Keep audit staff up to date with current changes to regulations
through support of professional development activities –
conferences, association membership, etc.
 Supported by management – Auditors have the support, attention and
respect of department mangers and upper management of the
company; they are seen as key members of the team working to a
common objective, not the “police” engaged in a “gotcha” exercise
©2008, PAREXEL Consulting
- 12 -
Key Elements of an Effective Internal Audit Program
 Balanced – Audits not only point out areas needing
attention and correction, but also praise what is working
 Evaluated and Categorized – Individual findings are rated
on a scale such as “Critical / Major / Minor” and the overall
report is also rated on its total impact, for example, “In
Compliance / Conditional / Unacceptable”; specific criteria
define each of these or similar strata
 Responsibility for Correction – is that of the auditee, not
the auditor
 Corrective actions are verified – Not only “Was it done?”
but “Did it work out as planned?”
©2008, PAREXEL Consulting
- 13 -
Audit Process
 Generate annual audit schedule
 Inform system owners of planned audit dates
 Assign workload to auditors
 Generate audit plans, share with system owners, adjust as
 Conduct audit; provide immediate feedback on findings;
collaborate to resolve any dispute or disagreement
 Prepare draft report, share with auditee
©2008, PAREXEL Consulting
- 14 -
Audit Process
 Finalize and classify report (findings and overall report)
 Receive and evaluate corrective action plan, communicate
with auditee to resolve any differences of opinion
 Auditee executes corrective action plan
 Verify correction was implemented and was effective
 At time of next scheduled routine audit, or, if indicated by the
findings , on a directed basis
 Obtain feedback on auditor performance and audit
effectiveness, adjust as necessary to improve program
©2008, PAREXEL Consulting
- 15 -
How to Report Findings
 Be specific
 Quantify findings where possible
 Put in context – time, operations, frequency of occurrence
 Avoid vague language subject to misinterpretation
©2008, PAREXEL Consulting
- 16 -
How to Report Findings
 Poorly worded observation: “Not all batch records had
data entered where required”
 Better wording:
“25 batches of product X were made in the
time period January 1, 2008 to the present. I reviewed 10
of the 25 batch records and found missing data entries in
nine of the 10 records reviewed. The nine records had
from one to six missing entries each. Examples of missing
data entries were (1) failure to record time of buffer
preparation (four examples); (2) failure of the CIP operator
to note the time the cycle was begun (four examples); and
lack of verification signatures for process steps designated
as critical (eight examples).”
©2008, PAREXEL Consulting
- 17 -
How to Report Findings
 Avoid Vague Observations:
 “Bearded operator observed in the aseptic processing area
wearing nothing but a head covering” (really??!)
 “Poor housekeeping practices noted in the buffer prep area.”
 Better wording for Observations:
 “A bearded operator observed in the aseptic processing area was
not wearing a facial hair restraint as required by SOP XXX”
 “Poor housekeeping practices noted in the buffer prep area, as
evidenced by (list two or three examples).”
 Tell the reader what you saw that led you to conclude that practices
were “poor” so that the reader can reach the same conclusion.
©2008, PAREXEL Consulting
- 18 -
Classification of Findings - Examples
 Critical: The observation  Has already resulted in, or has a high potential to result in, the
production or release of a product that fails to meet a specification
or quality standard; or
 The observation involves deliberate falsification of records
 Major: The observation –
 Represents a repeating pattern of violation of a GMP requirement, or
 Demonstrates a failure to correct a past internal audit observation or
regulatory inspection finding, or
 Represents a condition or practice that could have been prevented
by following existing company SOPs
©2008, PAREXEL Consulting
- 19 -
Classification of Findings - Examples
 Minor – The observation –
 Represents a technical violation of GMP with no immediate
potential for adverse product impact, or
 Represents a condition or practice that does not violate GMP
presently, but which if not corrected, may deteriorate and cause a
 Comment – The observation –
 Represents a condition or practice that is compliant, but which
could be made more efficient or effective, or
 Is a company “best practice”, represents significant improvement
or other commendable issue worthy of note
©2008, PAREXEL Consulting
- 20 -
Classification of Audit Report (Total)
 Acceptable: No critical findings; major findings corrected
during audit or correctable within 30 days without
disruption to normal operations; minor findings few in
number with acceptable corrective actions proposed
 Conditional:
No critical findings; major findings
correctable, but interim steps needed to put in place
temporary controls in order to allow operations to continue
(such as additional monitoring or sampling, temporary
repairs to facilities or equipment, other interim controls)
 Unacceptable: Critical findings, or large number of major
findings which must be corrected before operations can
safely proceed; significant regulatory risk exists if
correction is not promptly achieved.
©2008, PAREXEL Consulting
- 21 -
Management Review
 Internal audit findings should be visible to the highest level
of management
 If the company has a formal management review of the
quality system at prescribed intervals, internal audit
findings should be one of the metrics reviewed
©2008, PAREXEL Consulting
- 22 -
Reporting Relationship
 Internal audit groups should not report to heads of units
they are charged with auditing, if at all feasible, because
this can create a conflict of interest
 For large companies, a Corporate Audit function reporting
as high up the corporate structure as possible is advisable
 If the audit group reports to a site head of QA, consider
bringing in a consultant once a year to perform an audit of
the overall quality system, including the effectiveness of
the audit group
©2008, PAREXEL Consulting
- 23 -
Dashboard Approach for Comparing Multiple Sites
Legend: Green = Acceptable; Yellow = Conditionally Acceptable; Red = Unacceptable
©2008, PAREXEL Consulting
& Equpt
Internal Audits
What to look for;
Interview Techniques
©2008, PAREXEL Consulting
- 25 -
Key Things to Look For
 Regulatory Compliance
 Use the relevant FDA Compliance Programs to help identify areas for
coverage – see next slide
 Stay current on GMP!
 Compliance to internal policies and procedures
 Problems and Pitfalls
 Follow up items from past audits
 Become familiar with common FDA-483 observations for your
industry sector, keep up with warning letters
 Use powers of observation
 Use effective interview techniques
©2008, PAREXEL Consulting
- 26 -
FDA Compliance Programs
 Consult the FDA Compliance Program pertinent to the area
you are auditing for suggestions on what to look for
 Some Compliance Program numbers for key areas:
 7356.002, Drug Manufacturing Inspections (CDER)
 7345.848, Inspection of Biological Drug Products (CBER)
 7346.832, Preapproval Inspections (CDER)
 Others – search on FDA web site; link:
©2008, PAREXEL Consulting
- 27 -
General Guidance
 Observe conditions and practices. Do not make it a “paper
audit” only.
 Look for repeating patterns, not just isolated examples.
Follow up on corrective actions following past audits.
 Stick to current practice.
Avoid citing past problems that
have been corrected and have not reoccurred. Something
that was not done well, months ago, may not be
representative of how that activity is done today. Verify
before citing as a current problem.
 Be helpful and positive, not overly critical.
You are
supposed to find the problems, but for a good purpose – to
get them addressed. (Like an annual physical exam.)
©2008, PAREXEL Consulting
- 28 -
Key Things to Look For - GMP
 Take a general tour and be observant: Are operations
adequately supervised? Who is running things on the
floor? Is area access properly restricted?
 Check documents in production and lab areas to make
sure they are not being filled out in advance of activities
they document.
 Check for extraneous documentation – post-it notes,
scratch pads, white boards, etc., being used as primary
documents – these become your raw data if used!
 Be inquisitive – talk to people who actually do tasks you
are auditing, not just managers and subject matter experts.
©2008, PAREXEL Consulting
- 29 -
Key Things to Look For - GMP
 Look for the unusual, the out of place, the atypical:
 Idle (maybe dirty) equipment in an active production area
 A bucket under a pipe – is it there to catch a leak?
 Operator’s manual open to the troubleshooting page – what went
wrong today?
 Note on top of a stack of documents – “John, please go back and fill
in all the blank spaces”
 Duct tape! – Used to correct a multitude of sins.
 Look into trash cans. Do you see discarded raw data? Why is it
 Ask for trend charts on key quality metrics. Ask what is being done
about adverse trends.
©2008, PAREXEL Consulting
- 30 -
Key Things to Look For - GMP
 Ask for a listing of SOPs sorted by last date of review
(usually the effective date). Are there a lot of old (over 2 or
3 years) SOPs for important activities? Are these current?
 Read the key SOPs.
Could you execute the procedural
steps? Is the SOP clear? Watch out for:
 Vague terms: “As necessary”; “When appropriate”
 Internal conflicts and inconsistencies
 Lack of definition of responsibilities
 Inconsistency of SOP with associated forms, other related SOPs
©2008, PAREXEL Consulting
- 31 -
Key Things to Look For - GMP
 Review batch records, lab notebooks and other similar
records – do entries make sense? For example –
 Documents show two products in same equipment at same time
 Numbers do not make common sense – always exactly in the
middle of operating range, for example
 Entries do not agree with source documents, or source documents
not present and cannot be located
 Site never seems to have a deviation of any kind
 Documents look “too perfect” – especially in the lab
©2008, PAREXEL Consulting
- 32 -
Key Things to Look For - GMP
 Check reject and quarantine areas in warehouse.
Investigate reasons for rejects.
 Read deviation and failure investigations.
Do they do a
good job of identifying root cause issues? Do they all
seem to be an effort to justify what went wrong rather than
understand it and get it fixed? Are remediation steps
reasonable in light of root cause?
 If labeling operations take place, check lines for proper
clearance and check label storage areas. Are proper
electronic or manual controls in place to prevent mixups
and perform label count reconciliation?
©2008, PAREXEL Consulting
- 33 -
Effective Interview Techniques
 Ask the same question different ways at different times, or
ask different people the same question; compare the
answers you get.
 Use open ended questions – “That’s interesting…tell me
some more about that” – “What else?”
 Use a linked series of questions, for example:
 Leading question: “What is your procedure for shutting down a
production line due to an unacceptable condition or practice?”
(assumes there is one)
 Followed by another leading question: “When was the last time
that happened?” (assumes it did)
 Followed by open ended: “Tell me some more about that.”
©2008, PAREXEL Consulting
- 34 -
Closeout and Follow Up
 Oral review of findings prior to finalization
 Obtain input from auditee
 Consider whether to modify findings based on input
 Send draft report to auditee for comments before
 Base scope and priority of follow up on risk assessment of
 Remember to comment on the good things as well
©2008, PAREXEL Consulting
- 35 -
©2008, PAREXEL Consulting

Effective Auditing Strategies