4/5 February 2020
Prague, Czech Republic
We are often consulted about the acceptance of GMP audits of API manufacturers. The point is that more and more organisations offer such audits. What is essential to pay attention to?
1) The major question to answer is: Who has commissioned the audit? Was it the API manufacturer himself or another pharmaceutical company?
Although the EMA has given an unequivocal statement on the question, there still exist API manufacturers who commission an audit themselves. Audit reports which have been initiated by the API manufacturer or one of his distributors are not valid i.e. not recognised by the inspection authorities.
You should have a confirmation that the audit was ordered by one or several manufacturers of medicinal products who purchase one of the products from the API manufacturer in question. The audit cannot be independent when the API manufacturer is the ordering party. You should absolutely get a written confirmation. Also the performance of an audit by an accredited body has no influence on it. In pharmaceutical law, accreditation has no significance at all. Third Party Audits accepted are based on a comprehensive regulations framework. These Audit Schemes are particularly important when used by several companies (Shared Audits). Examples are the APIC programme based on the APIC Guide as well as the Rx-360 programme based on the Rx-360 standards.
2) Acceptance - accreditation and "conflict of interest": What do you have to pay attention to?
Basically, a manufacturer of medicinal products himself can perform an audit or he can entrust a third party for that (so called Third Party Audits). The manufacturer often commissions consultants (i.e. PCA Consulting or other organisations) who have much experience with the performance of audits. These 1:1 audits (contract audit for only one client) are less complex and don't have to rely on a comprehensive scheme. Nevertheless, you should consider a few elements as the external auditor will work for the pharmaceutical company as if he / she was an own employee. It is important to choose an auditor who knows the processes used in the company to be audited. For example: when you need an audit for a biopharmaceutical API i.e. for its manufacturer, the auditor should have the necessary experience with biopharmaceutical processes. The auditor ought to confirm that he / she hasn't been in charge of an audit in the area within the last three years auditing - otherwise that would mean that he / she has to audit his / her own job. As already mentioned above, accreditation standards like ISO ones don't play any role - it is the qualification of the GMP auditor which is utmost important. Require a CV from the auditor (studies, professional experience and auditor trainings) and qualify him / her. In any event, avoid so called "Conflicts of Interest": when the auditor and the contractor are not allowed to work for the API manufacturer.
3) Subsequent purchase of audit reports.
The numbers of audit reports for purchase keeps on increasing. Generally, there is no objection to the purchase of an audit report. However, the same rules as for the initiation of an audit apply. This means that the audit must have been ordered by a pharmaceutical company which purchases products from the API manufacturer concerned. This also requires a written confirmation. Make sure that the audited products are the products which are relevant for you suppliers qualification. Auditing another product is not very helpful.
4) Can I buy reports of purely system-audits? Or only product-specific ones?
An audit report made without product-specific details doesn't reveal much information. In the end, you want to make sure that the quality of the APIs you purchase is fine. That is the reason why you need audit reports containing detailed information about the product-specific processes and procedures. This is the only method for the Qualified person to decide whether a supplier is qualified or not.
5) An audit report represents only a part of supplier qualification.
Audit reports are the main focus of interest. But they are just a part of the supplier qualification. Audit reports contain a description of the GMP situation on the day the audit takes place. The real evaluation of these results must be done by the quality assurance or the responsible QP. In addition to the audit report, further pieces of information must be considered like for example experience with the suppliers and the evaluation of the goods delivered. How valuable is an audit report with satisfying evaluation when deviations to the specifications within the sample process have been observed on a regular basis? Further information must be considered like for example available inspection reports from the FDA (generally accessible thanks to Freedom of Information Act) or the EDQM database containing the list of CEPs of API manufacturers which have been withdrawn because of GMP deficiencies. All these elements should be taken into account with a risk analysis in order to qualify a supplier - or not.
6) One often forgets the importance of CAPAs.
As soon as deviations are reported in an audit report, a follow-up with the CAPA measures to be taken should be engaged. The follow-up of measures is an essential part of the supplier qualification that's why the quality assurance / the QP should follow and keep track of the handling of deviations.
7) "One-day audits"
The evaluation of a supplier requires sufficient time. One-day audits are basically possible but they are subject to very tight limits. It must be ensured that the size of the facility to be audited is not too large. Larger facilities cannot be audited in less than 2 days (mostly even more). Also a risk analysis of the API should be taken into account in the time dedicated to the audit. Indeed, experience made in the past with critical audits and similar variations in quality should be the proof that more attention should be given to audits than can be given within a one-day audit.
The European QP Association also published a checklist for audits at API manufacturers.