THIRD PARTY GMP AUDITS: WHICH REPORTS CAN BE USED - WHICH CAN'T?

Granulation & Tableting - Live Online Training

Recommendation

17-19 September 2024

Granulation & Tableting - Live Online Training

   

GMP/GDP – On Demand Online Training

You can book the desired online training from our extensive database at any time. Click below for more information.

   

Stay informed with the GMP Newsletters from ECA

The ECA offers various free of charge GMP newsletters  for which you can subscribe to according to your needs.

More and more organisations offer third party audit reports of GMP audits at API manufacturing sites. Their acceptance is not at all clear, though. Therefore, what is essential to pay attention to?

The major questions to be answered are: Who has commissioned the audit? Was it the API manufacturer himself or another pharmaceutical company?

Although the European Medicines Agency (EMA) has given an unequivocal statement on the question1, there are still API manufacturers who commission an audit themselves. Reports of audits which have been initiated by the API manufacturer or one of his distributors are not valid - i.e. not recognised by the inspection authorities, though.

You should get a written confirmation that the audit was ordered by one or several manufacturers of medicinal products who purchase one of the products from the API manufacturer in question. The audit cannot be independent when the API manufacturer is the ordering party. Also, the performance of an audit by an accredited body has no influence on it. In pharmaceutical law, accreditation has no significance at all. Accepted Third Party Audits are based on a comprehensive regulations framework. These Audit Schemes are particularly important when used by several companies (Shared Audits). Examples are the APIC programme based on the APIC Guide2 as well as the Rx-360 programme3 based on the Rx-360 standards4.

Acceptance - accreditation and "conflict of interest": What do you have to pay attention to?

Basically, a manufacturer of medicinal products himself can perform an audit or he can entrust a third party for that (so called Third Party Audit). The manufacturer often commissions consultants (i.e. PCA Consulting5 or other organisations) who are experienced in performing audits. These 1:1 audits (a contract audit for only one client) are less complex and don't have to rely on a comprehensive scheme. Nevertheless, a few elements should be considered as the external auditor will work for the pharmaceutical company as if he / she was an own employee. It is important to choose an auditor who knows the processes used in the company to be audited. For example: when you need an audit for a biopharmaceutical API respectively for its manufacturer, the auditor should have the necessary experience with biopharmaceutical processes. The auditor should confirm that he / she wasn't doing any consulting in the area to be audited within the last three years - otherwise that would mean that he / she has to audit his / her own work. This documented confirmation is not considered too often. As already mentioned above, accreditation standards from the ISO environment don't play any role - it is the qualification of the GMP auditor which is a lot more important. Require a CV from the auditor (studies, professional experience and auditor trainings) and qualify him / her. In any event, avoid so called "Conflicts of Interest": that means that neither the auditor nor the contractor are allowed to work for the API manufacturer.

Cross Contamination Control - Live Online Training

Recommendation

1/2 October 2024

Cross Contamination Control - Live Online Training

Subsequent purchase of audit reports

The numbers of audit reports for purchase keep on increasing. Generally, there is no objection to the purchase of an audit report. However, the same rules as for the initiation of an audit apply. This means that the audit must have been ordered by a pharmaceutical company which purchases products from the API manufacturer concerned. This also requires a written confirmation. Make sure that the audited products are the products which are relevant for you suppliers qualification. Auditing another product is not very helpful.

Can I buy reports of pure system-audits? Or does the audit have to be product-specific?

An audit report made without product-specific details doesn't reveal much information. In the end, you want to make sure that the quality of the APIs you purchase is fine. That is the reason why you need audit reports containing detailed information about the product-specific processes and procedures. This is the only method for the Qualified person to decide whether a supplier is qualified sufficiently or not.

An audit report represents only a part of supplier qualification

Audit reports are the main focus of interest. But don't forget - they are just a part of the supplier qualification. Audit reports contain a description of the GMP situation on the day the audit took place. The real evaluation of these results must be done by the quality assurance or the responsible QP. In addition to the audit report, further pieces of information must be considered - like for example experience with the supplier and the evaluation of the goods delivered. How valuable is an audit report with a satisfying evaluation when deviations to the specifications within the sampling process have been observed on a regular basis? It is also important to consider further information. This includes available inspection reports from the FDA (generally accessible thanks to Freedom of Information Act) or the EDQM database containing the list of CEPs of API manufacturers which have been withdrawn because of GMP deficiencies. All these elements should be taken into account with a risk analysis in order to qualify a supplier - or not.

Frequently forgotten: the importance of CAPAs

As soon as deviations are reported in an audit report, a follow-up with the CA PA measures to be taken should be engaged. The follow-up of measures is an essential part of the supplier qualification. That's why Quality Assurance / the QP should follow and keep track of the handling of deviations.

"One-day audits"

The evaluation of a supplier requires sufficient time. One-day audits are basically possible but they are subject to very tight limits. It must be ensured that the size of the facility to be audited is not too large. Larger facilities cannot be audited in less than two days (mostly even more). Also a risk analysis of the API should be taken into account in the time dedicated to the audit. Past experience with critical audits and similar variations in quality should result in more attention than can be given within a one-day audit.

Minimum standards for audit reports and the qualification of auditors

So far, there were no official standards for audit reports. The EMA recently refined its requirements with regard to audit reports of API manufacturers and the auditor qualification in one of their Q&A documents to the GMP Guide. This collection of frequently asked questions compiled by the Inspectors Working Group was recently supplemented by three questions and answers:

  • "During inspections, why do inspectors sometimes ask to see reports of audits of active substance manufacturers carried out by the medicinal product manufacturer?"
  • "What expectations do inspectors have for the content of reports of audits of active substance manufacturers carried out by the medicinal product manufacturer?"
  • "How should active substance auditors be qualified?" The answer to the question of the minimum standards of active substance audit report is unusually detailed. The following examples:
  • The duration of the audit needs to be justified, especially if less time for the actual audit was applied than originally intended for the scope of the audit.
  • The areas not covered by the audit also need to be described.
  • Specific high risk areas of the company (e.g. cleaning/ cleaning validation, potential cross-contamination, sources for unknown impurities, confusion/mixing of material or product etc.) need to be identified and described by the auditors.
  • Areas where access was denied need to be mentioned.
  • Corrective actions (CA PAs) are to be judged with regard to their meaningfulness; the same applies to the plausibility of time limits for the processing of CA PAs.
  • A period of time for a follow-up audit is to be proposed.
Container-/Closure-Integrity Testing - Live Online Training

Recommendation

Thursday, 24 October 2024 9 .00 - 17.15 h

Container-/Closure-Integrity Testing - Live Online Training

The EMA also clearly and explicitly defined its requirements in relation to the qualification of auditors, whether they come from the pharmaceutical manufacturers themselves or from a third-party organisation. Auditors have to

  • have a scientific or technical experience corresponding to the area to be audited,
  • have completed training and assessment corresponding to the audit activities. The training has to include the GMP rules for substances in accordance with GMP Guide part II, as well as general audit techniques. The training and personal assessment is to be fully documented.

With these guidelines for the quality standards of an API audit report and the auditor qualification the EMA sets benchmarks the numerous other third party audit organisations will have to consider in the future to be able to compete on the market. On the other hand, GMP inspectors now have a concrete criteria catalogue at hand that can be used to clearly check the quality of audit reports and the qualification of the auditors.

Author:
Dr Gerhard Becker
CONCEPT HEIDELBERG

Related GMP News

25/04/2024
APIC: Best Practices Guide for dealing with Suppliers
24/04/2024
FDA Warning Letter: Missing Ongoing Stability Studies for APIs
17/04/2024
ECHA: Next steps for "PFAS"
27/03/2024
APIC Quality Agreement Guideline: Update published
19/03/2024
EMA/CMDh: Appendix 1 for Nitrosamines Updated Again
13/03/2024
EDQM: Top Ten Deficiencies for CEPs

Go back

To-Top
To-Bottom