We regularly receive questions related to GMP compliance issues. One of the most asked question addresses the topic accreditation of bodies that perform supplier audits. Some providers of supplier audits (APIs, excipients, packaging, etc.) refer to ISO accreditation. According to the term "accreditation", the independence status of auditors should be provided. The standard ISO 17020 is - among other things - referred to.
What about the actual legal basis in Europe? Here it becomes clear that ISO 17020 as well as other ISO standards about auditing and auditor qualification don't play any role. Even more: those who rely on accreditation may - in certain circumstances - trust the results of an audit which is null and void as evidence of GMP Compliance. For example: when accredited bodies are contracted by API manufacturers or API suppliers to carry out audits, those audits are no evidence of a performed supplier qualification. Audits have to be initiated by the pharmaceutical company which uses the APIs in question for its own production.
The GMP audit can - of course - be performed by own auditors of a pharmaceutical company or contracted external auditors (so-called Third Party Audits). The common performance of audits with other companies (shared audits like e.g. the API Compliance Institute) is also possible and acceptable. It is essential that the audits are not commissioned by the API manufacturer / supplier. Here arises a "Conflict of Interest". The EMA has already laid down its expectations regarding this issue. According to the Q&A of the EMA:
"However, it must also be satisfactorily demonstrated that there are no conflicts of interests. Conflicts of interests could arise for example from:
- A commercial relationship between the organisation performing the audit and the organisation being audited;
- A personal conflict on the part of the auditor where he / she has been employed by the organisation being audited in the recent past (i.e. within the last three years) or has a financial interest in it".
Such a "commercial relationship" does obviously exist when an API manufacturer commissions the auditor (whether accredited or not). Already in August 2011, the European Qualified Person Association had developed a check list with all the criteria to consider for a supplier qualification (whether performed by own auditors or contracted ones). In addition the EMA just recently completed the requirements on audit reports. Accreditation to a certain ISO standard is not mentioned here.