Leveraging Third-Party Audits in Pharma/Biotech Industries

May 19, 2015
Finding ways to reduce complexities, eliminate redundancies and streamline operations while staying compliant

Those of us in the competitive and highly regulated pharmaceutical, biotechnology and medical device industries understand the need to balance operational efficiency with regulatory compliance. We must find ways to reduce complexities, eliminate redundancies and streamline operations while staying compliant with an array of regulations, guidance documents and regulatory expectations (some explicit, others less so). Making changes to our processes requires overcoming challenges arising from these often competing interests.

When publishing guidance documents, the FDA includes language implying that industry can use an alternative approach if it satisfies the requirements of the applicable statutes and regulations. Using this language as a stick by which to measure well-intentioned process optimization proposals, this article will explore considerations for creating desired efficiencies while maintaining compliant processes.

To help illuminate the topic, let’s look at a common process optimization example of streamlining a supplier audit program.

OPTIMIZING THE SUPPLIER AUDITS PROGRAM
Onsite audits are an important and well established tool for assessing suppliers. Still, there are ways to optimize supplier audit programs.

At this point, one may have already sliced and diced a list of suppliers by establishing risk-based categorizations of the types of services and/or goods they provide. While retaining other supplier oversight mechanisms, companies often eliminate onsite audit requirements for suppliers with no potential impact to its products. The impact includes reduced onsite auditing frequencies for the suppliers with a lower potential for product impact.

Nonetheless, the list of annual required audits remains daunting. Many have dwelled for the millionth time on the fact that they are not the only one auditing each supplier? The dozens of times each year that other entities audit a supplier can make you wonder: Is there a way to leverage those activities to reduce onsite auditing requirements?

A process optimization idea is born. Fewer onsite audits mean:
• Spending less time on scheduling and audit preparation
• Reduced execution and reporting activities
• Decreased travel time and costs
• Fewer findings to track to resolution
• Simplified metrics and management reporting

PURCHASE AN AUDIT REPORT
Various industry proposals for leveraging common audit reports have been circulating for years. Typically, a third party audits a supplier, prepares a report and sells it to companies that want to avoid conducting their own audit.

There may be a place for common audit reports, particularly with regard to low-risk suppliers. Before taking such an approach, though, consider the following factors:

• The report may not adequately address the scope needed, but one likely won't realize that until after it has been purchased. Only the buyer knows the importance of the services and/or goods that the supplier is providing; the auditor might not have placed sufficient emphasis on what is critical to you.

• Even if it does satisfy the scope required, the report may grow stale. The supplier may experience impactful regulatory inspections and/or changes to procedures, personnel, facilities, equipment, etc. Will a window into the past suffice?

• Perhaps a proprietary process is involved, and the third party would not have had access to audit those processes. And if the third party did have access, it would not be prudent to share those details with other companies.

Assessment: Purchasing common audit reports can fulfill some of one’s needs. Let's call this option a "Maybe."

LEVERAGE QUALITY SYSTEM CERTIFICATIONS?
Leveraging your suppliers' quality system certifications to certain standards such as ISO 13485 (applicable for medical devices) may be an option. To gain and maintain that certification, quality system experts must audit the suppliers routinely.

Whether your organization makes medical devices, pharmaceuticals or biologics, many may potentially benefit from this approach. However, be sure to consider the following questions:

• Who issued the certificate? There are vast differences in the weight that certificate-issuing organizations carry. For the harmonized European version (EN ISO 13485), the certificate should be issued by a group with rigorous standards called an authorized notified body. Organizations with similarly rigorous qualification requirements exist to audit and issue quality system certificates to ISO 13485 for other regions, such as Canada (recognized registrars).

• Is the certificate relevant? If, in addition to medical devices, the supplier's scope includes pharmaceutical and/or biotechnology(and one is only interested in these two areas) and if the quality systems are independent of each other, then the medical device ISO 13485 quality system certificate may not be relevant enough. If there are common quality system elements, then the certification may provide some level of assurance that your needs are being met. The FDA combination products regulation — 21CFR Part 4 — is intended for the development of a combination product quality system. That regulation gives a view into why a pharmaceutical or biotechnology company might find it acceptable to leverage at least part of the elements present within a medical device quality system for a supplier audit program.

• Which certificate should be accepted? One complication is that a supplier can have both a notified body and a registrar, each of which issues a certificate to ISO 13485. Furthermore, the notified body and registrar can be different organizations. Or, the supplier can have more than one notified body or registrar, each of which may issue their own certification for the scope of activities that they are covering.

The question of which certificate to accept is even harder to answer if the supplier is not manufacturing a medical device or component for you (in which case, you can at least pinpoint which organization has oversight of the type of device or component that you will be procuring). Just picking one is not the best strategy, so its important to discuss this with the supplier to understand which certificate will best cover services and/or goods.

• Is the certificate alone enough? No. The quality system certificate must encompass the scope of services and/or goods. The only way to really know if a quality system certificate is meaningful and can be leveraged is to review the underlying audit reports associated with the certificate.

• Which audit reports should one review? Some notified bodies or registrars may break up the areas they are evaluating into small pieces and do multiple audits each year before gaining the full picture of the quality system's performance. In those instances, multiple reports may need to be reviewed before the scope relevant to you has been covered.

• What if the supplier won't release their audit reports? This can happen. Citing client confidentiality or proprietary technology reasons, your supplier may not be willing to share their most recent notified body or registrar reports. And they may or may not be willing to share redacted reports.

Assessment: Leveraging quality system certificates and associated audit reports must be a thoroughly vetted process to understand exactly what scope they cover and thus how to best use them as part of a supplier audit management process. This may be an acceptable strategy to reduce the frequency of onsite audits. Conversely, with all of the considerations mentioned here, one may conclude it is easier and less time-consuming to perform onsite audits yourself.

Let's call this option another "Maybe," but note that it will require careful implementation.

LEVERAGE REGULATOR AUDITS, INSPECTIONS?
If suppliers are willing to share regulator audit/inspection reports (e.g., FDA Establishment Inspection Reports), that option might be worth exploring. Considerations with this approach include:

• What is the scope of the report? The same concerns apply here as with the previously discussed reports. For you to leverage it, the report must cover the scope of your services and/or goods.Each time a regulator audits or inspects a supplier, it is just a snapshot and unlikely to be inclusive of the full scope of a supplier's activities.

• Was the audit relevant? How can you leverage a regulator's report if it was focused on a different government's regulations? While efforts have been ongoing to harmonize as many of the regulations as possible, there are still differences, and it will require an understanding of what you are trying to leverage. If the regulations mapping methodology described within the aforementioned 21 CFR Part 4 is extended through a comparison of the other global regulations performed, then one can make a legitimate argument for leveraging those reports.

Assessment: This scenario is not very different from leveraging quality system certificates. But it is advised to restrict which regulator reports one is willing to leverage; otherwise, it may require a good deal of work unless someone is already mapping the various global regulations. This option, then, is yet one more "Maybe."

CONSIDER REGULATOR PERCEPTION
What would regulators think about industry leveraging third-party audit reports? It is important to first put into perspective that, like anyone in this industry, regulators are under a tremendous burden to fulfill their audit obligations within mandated timeframes. And they, too, have been evaluating options to leverage the work of third parties.

One pilot program for the regulators is already underway. The International Medical Devices Regulators Forum (which includes, but is not limited to regulators from the United States, Canada, Brazil and Australia) is leveraging third-party audits using the Medical Device Single Audit Program (MDSAP). An extensive framework surrounding the MDSAP governs the qualifications for authorizing a third party to perform the audits and defines the required audit report content (among the establishment of many other criteria).

Suppose this program reduces for regulators the number of required audits for medical devices while maintaining the integrity of the regulators' respective missions. In that case, you can bet that pharma and biotech regulators will also want to participate in such programs. If the regulators have seen the benefit of leveraging third-party audit reports and have begun implementing those processes, they would likely have no issues with industry taking a similar approach (as long as appropriate controls are employed in doing so).

A FINAL NOTE
The example provided in this article relates to the process optimization of a supplier audit program. However, with regard to other process optimization activities that might be considered, it’s hoped that the principles discussed here could be applied to help strike the balance of creating efficiencies while also maintaining regulatory compliance.

ABOUT THE AUTHOR 
Daniel Fishman is a Senior Consultant at Complya Consulting. He has over 23 years of industry experience and global regulatory compliance/quality systems consulting that spans the broad range of the medical device, pharmaceutical and biotechnology industries. Daniel has served in internal leadership positions as a change agent with a proven track record of developing operationally efficient, compliant and implementable solutions, which he tailors to meet the needs of clients ranging from startups to multinational firms. He received his BA in biochemistry from Brandeis University. Daniel can be reached [email protected].

www.complya.com

About the Author

Daniel Fishman | Senior Consultant