1. Purpose
The purpose of this guideline is to define the concept of Quality and Compliance Auditing within the system of quality management and outline the roles and responsibilities for planning, performing, reporting and follow-up of audits.
2. Scope and Applicability
This Guideline is applicable to all pharmaceutical manufacturing sites, functions and departments undertaking work, or providing support services, required to meet Good Laboratory Practice (GLP), Good Clinical Practice (GCP), Good Manufacturing Practice (GMP) and/or International Organization for Standardization (ISO) standards.
3. Definitions
3.1 Audit
Note that audits may assess systems, processes, procedures, facilities, products, studies, reports, records and/or data for compliance with policies, standards, procedures, guidelines, regulations or regulatory submissions. Audits may assess both in-house and external activities. Audits may be planned, or undertaken on a ‘for-cause’ basis.
3.2 Critical Observation
“Deficiencies with Company Standards, and/or current regulatory expectations that provide immediate and significant risk to product quality, patient safety or data integrity, or a combination/repetition of major deficiencies that indicate a critical failure of systems.” Immediate corrective action and reporting to Management is required.
3.3 Major Observation
“Deficiencies with Company Standards and/or current regulatory expectations that provide potentially significant risk to product quality, patient safety or data integrity, or could potentially result in significant observations from a regulatory agency, or a combination/repetition of ‘other’ deficiencies that indicate a failure of system(s).”
3.4 Minor Observation
Observations of a less serious or isolated nature that are not deemed Critical or Major, but require correction, or suggestions given on how to improve systems or procedures that may be compliant, but would benefit from improvement (e.g. Good Practice seen elsewhere).
3.5 Outsourced
Work (e.g. services, products, studies, projects) sourced to an individual or organization outside the company.
3.6 QA/Compliance Group
The Quality and Compliance Group responsible for auditing.
4. Responsibilities
QA/Compliance Groups should, in conjunction with management:
Establish a program of audit which satisfies the relevant standards and covers all areas of their activities to a defined frequency. The audit program should ensure areas of highest risk are identified and covered.
Ensure that the program is undertaken to plan, with any changes to the plan being justified.
Assure any corrective/improvement actions identified during audits are implemented in a timely manner.
Ensure any audit trends are identified, communicated and acted upon.
Ensure any Critical Observations or Trends are reported to Management.
Management is to ensure that areas where systems/processes cross ‘functional boundaries’ are covered by audit, when appropriate. Written ‘Quality Agreements’ should be in place defining auditing roles and responsibilities for audits jointly undertaken, or performed on behalf of another group.
Management should establish a program of audit that provides high-level audit coverage of the business.
In all cases, the QA/Compliance groups and relevant management have responsibility to ensure adequate resources are available to ensure a comprehensive, effective program of auditing is set up, executed and followed up.
5. Guideline
5.1 General
Auditing is an essential part of any system of Quality Management, to assess compliance and identify areas for corrective actions and improvement. Within the system of Quality Management, audits may be undertaken by local, global and corporate QA/Compliance groups in a manner that aims to provide comprehensive coverage, without duplication of activities. The audit program must consider both internal items (e.g. systems, procedures, data) and external/outsourced items (e.g. obtained via contractors, vendors) under the span of responsibility of the organization.
5.2 SOP/Schedule
Each QA/Compliance Group must ensure that:
Written procedures are available describing: Audit Responsibilities, Audit Planning, Audit Performance, Audit Reporting, Classification of Audit Observations, Audit Follow up, Audit Close Out, Audit Report Retention, Trending of Audit Observations and reporting of Critical Observations to Management.
An agreed audit plan/schedule is issued/maintained, which provides audit coverage across the areas and activities for which it has responsibility in an appropriate timescale.
5.3 Auditors
Personnel undertaking audits must have the appropriate skills, training, experience and personal attributes for the type of audits they are to perform. Where appropriate, specialists should be appointed to the audit team. Auditors must have sufficient independence to be able to openly report adverse findings to management in order to satisfy internal and external corporate governance expectations. Auditors performing Quality and Compliance related audits would normally report into the QA/Compliance unit.
5.4 Audit Planning
For planned audits, the auditor should agree dates/venues/participants with the auditee. The audit purpose, scope and the standards to be audited against should be established and communicated in advance. Those involved should identify and undertake any necessary pre-work prior to the audit, including review of any previous audits and actions. Unplanned audits may also be undertaken (e.g. ‘for-cause’).
5.5 Audit Performance
When appropriate, management representatives should be invited to the opening and close out meetings. The purpose, scope, audit process and reporting/follow-up procedures should be made clear to all involved. Observations made during the audit should be discussed with personnel, preferably at the time they are observed, so that they are understood by all involved. At the end of the audit, a verbal summary must be given by the auditor. This should aim to balance positive feedback with any observations made.
5.6 Audit Reporting
Audits must be documented in formal reports, preferably to a standard style/format.
A clear statement of audit outcome must be included in the summary.
The report must be issued to an agreed circulation list, including management of the audited area, within a defined time period (commonly within 15 days), and should clearly include any observations that require written responses and the timescale for response (commonly within 15 days of receiving the report).
All audit reports should be issued as a confidential document and the list of recipients kept to a minimum. The statement “This document is the legal property of the company. Its use is confined to the company employees. Use or disclosure of the contents outside the company, without authority, is not permitted.”
(Accepted practice within the Pharmaceutical Industry has historically been that the content of internal audit reports would not normally be shared with external regulatory agency inspectors, although audit schedules/logs may be. However, some regulatory agencies are now asking to see actual audit reports as a means of ensuring any corrective actions identified are followed up adequately. Regulatory Agencies are also bound to confidentiality.)
Audit Observations must be classified into Critical, Major (Significant) or Other (Minor) categories. For example:
5.6.1 Critical Observations
“Deficiency with Company Standards, GXPs and/or current regulatory requirements or expectations that provides an immediate and significant risk to product quality, patient safety or data integrity. A Critical Observation can also be a combination/repetition of Major Observations that indicate a critical failure of systems.”
Immediate corrective action and reporting to Management is required. All critical observations should additionally be reported to senior management via the formal Compliance Issue reporting process and where appropriate elevated to the functional continuous assurance process.
5.6.2 Major (Significant) Observations
“Deficiency with Company Standards, GXPs, and/or current regulatory requirements or expectations that provides a potentially significant risk to product quality, patient safety or data integrity. A Major Observation can also be a combination/repetition of Minor Observations that indicate a failure of system(s) and can potentially result in a significant observation from a regulatory agency.” A response indicating responsibilities and timescales of corrective actions is required.
5.6.3 Other (Minor) Observations
“Observation of a less serious or isolated nature that is not deemed Critical or Major, but requires correction, or suggestions given on how to improve systems or procedures that may be compliant, but would benefit from improvement (e.g. Good Practices seen elsewhere).”
Where possible, references should be made to the regulations, guidelines or internal procedures to which observations relate.
5.7 Follow Up
Processes must be in place to ensure responses are reviewed for their adequacy/timeliness and their progress monitored. The audit should be kept ‘live’ until it is evident that corrective and preventative actions have been completed, or until a satisfactory response has been received from the auditee that corrective and preventative actions will be completed in an appropriate timescale. The audit may then be ‘closed’.
5.8 Report Retention
The security/distribution/retention procedures for audit documentation must be described in procedures. A separate log of audits undertaken is recommended.
5.9 Audit Program Review
The status of the audit program and the outcome of audits and follow up actions must be a regular item for the management meetings within an area. It is recommended that Key Performance Indicators are defined and monitored for audit performance. It may be appropriate to include corrective actions to critical and significant audit observations and/or trends within local Compliance Improvement Plans.