Focussing on Quality - Critical aspects for auditing IT suppliers and service providers
Partner or potential risk? Especially in the globally manufacturing pharmaceutical industry, this question is not a trivial one. Digitalisation measures can help in providing more transparency in quality management. However, recurring drug recalls and shortages prove that they also come with new challenges. An important step towards mitigating risk is to give audits of critical IT technologies just as high a priority as the "classic" supplier audit.
Risk factor digitalisation
Regulatory authorities intend the supplier audit to be part of efficient supplier management. A physical audit of contract manufacturers, laboratories and API manufacturers/suppliers is therefore required¹. However, it follows from the risk-based approach dictated by the EU GMP Guidelines² that there is also a certain obligation to audit other critical suppliers. Furthermore, a risk-based approach to business risks should also include a close look at critical suppliers.
The question of who or what is to be considered "critical" is closely connected to today's progressive digitalisation: an increasing number of processes in pharmaceutical manufacturing and marketing are being controlled and monitored by IT, thus increasing their influence on the criticality regarding product quality, patient safety and business operations. Although a computerised system must always be validated before use, it is advisable for critical systems to audit their suppliers beforehand in order to gain a better understanding of their operations and quality assurance³. This becomes even more important if there is a high dependency on suppliers such as cloud solution providers, on whom more and more pharmaceutical companies rely even for systems closely connected to product quality like MES or LIMS.
Establishing a competence interface
Supplier qualification deals with suppliers of materials as a rule. So how do you include IT or CSV audits⁴ into your QMS⁵? And what is the best way to carry out such audits? After all, the typical auditors in a company tend to be manufacturing, QC and QA experts, while IT and CSV experts often do not have the typical "auditor skills".
Added to this are technological challenges. Especially with cloud-based applications, for example, the service level agreements are an essential factor in continuous service delivery. However, it is precisely these SLAs that are formulated in a very technical way due to usage and are therefore incomprehensible to many non-IT experts.
Effectively combining specialist expertise
For an "IT audit" - for example to audit a software manufacturer - you need an IT expert who not only has auditing experience, but also expertise in pharmaceutical QM systems and often CSV. This expert must also be able to understand and interpret the SLAs in order to verify their correct implementation, which in turn requires forensic auditor skills. If such experts are not available in-house, external resources can be used. Alternatively, a "classic" auditor is accompanied by an IT expert / SME⁶. In any case, the audit must include the requirements of the IT system as well as the planned or existing use and its influence on product and patient safety in order to consider the right aspects adequately during the audit.
Integrating IT audits into supplier qualification
The implementation of the audit into the existing supplier qualification⁷ is either done via conventional categorization processes with risk-based assignment of a one-time or recurring audit request or is triggered directly once from a software implementation project. The audit is then scheduled according to time requirements or general procedures in the (annual) audit calendar. The following requirements for the audited software operation ("auditee") must be taken into account:
- Systematic QMS: Although the software must be validated according to GMP, or rather GAMP, at delivery and before use, the supplier cannot per se be expected to be GMP certified⁸. However, there should be a QMS that is as systematic as possible, which must, for example, meet the requirements of GAMP. Ultimately, the QMS must meet the quality requirements of the client - which in turn are defined by detailed quality/service level agreements.
- Software life cycle: The complete software life cycle must be regulated in the QMS and must be adhered to. This usually includes controlled development, testing, design freeze or configuration mastery and final release as well as release and change management.
- Competence development: Similarly, the audit can be used to better evaluate the quality awareness and training of employees with regard to GMP relevance. The auditor or the team of auditors must be able to evaluate the functionality of the QMS both when using classical and agile methods. Experience and specific empathy of the auditor are essential.
Especially the actual implementation and compliance with the requirements can only be determined by an audit. The criticality of detected deficiencies must then be determined in a risk-based manner in relation to the use of the audited software. This may even result in new requirements for the software or further tests for the validation phase. If possible gaps and deficiencies cannot be technically solved or controlled, the company's own procedural measures may minimize potential risks in later operation.
Harmonize risk assessments of IT and supplier audits
But what do you do if a software provider cannot be audited - a particular cloud provider or market leader, for example? Typically, whitepapers or association audits are available from such vendors; alternatively, remote access to the QMS may be granted. In both cases, at least a "paper audit" can be carried out in which the existing documents are checked against the company's own requirements. Potential gaps must then again be controlled by internal measures such as validation tests or procedural controls. This does not change the objective: Ultimately, both classic supplier and IT audits must contribute to generating a low quality risk and thus low patient risk.
Dr. Georg Sindelar
... is Head of Pharma QMS Consulting at msg industry advisors ag. His main focus lies on GMP Compliance, Auditing and the optimisation of Quality Management Systems.
1 EU GMP Guide, Annex 16.
2 EU GMP Guide p1 Ch.5.27
3 GAMP5 Guide 5.3, 6.1.4 et seq.
4 CSV: Computer System Validation
5 QMS: Quality Management System
6 SME: Subject Matter Expert
7 GAMP5 126.96.36.199.
8 Simply put, the state only awards these to pharmaceutical and active ingredient manufacturers.