Those of us in the competitive and highly regulated pharmaceutical, biotechnology and medical device industries understand the need to balance operational efficiency with regulatory compliance. We must find ways to reduce complexities, eliminate redundancies and streamline operations while staying compliant with an array of regulations, guidance documents and regulatory expectations (some explicit, others less so). Making changes to our processes requires overcoming challenges arising from these often competing interests.
When publishing guidance documents, the FDA includes language implying that industry can use an alternative approach if it satisfies the requirements of the applicable statutes and regulations. Using this language as a stick by which to measure well-intentioned process optimization proposals, this article will explore considerations for creating desired efficiencies while maintaining compliant processes.
To help illuminate the topic, let’s look at a common process optimization example of streamlining a supplier audit program.
OPTIMIZING THE SUPPLIER AUDITS PROGRAM
Onsite audits are an important and well established tool for assessing suppliers. Still, there are ways to optimize supplier audit programs.
At this point, one may have already sliced and diced a list of suppliers by establishing risk-based categorizations of the types of services and/or goods they provide. While retaining other supplier oversight mechanisms, companies often eliminate onsite audit requirements for suppliers with no potential impact to its products. The impact includes reduced onsite auditing frequencies for the suppliers with a lower potential for product impact.
Nonetheless, the list of annual required audits remains daunting. Many have dwelled for the millionth time on the fact that they are not the only one auditing each supplier? The dozens of times each year that other entities audit a supplier can make you wonder: Is there a way to leverage those activities to reduce onsite auditing requirements?
A process optimization idea is born. Fewer onsite audits mean:
• Spending less time on scheduling and audit preparation
• Reduced execution and reporting activities
• Decreased travel time and costs
• Fewer findings to track to resolution
• Simplified metrics and management reporting
PURCHASE AN AUDIT REPORT
Various industry proposals for leveraging common audit reports have been circulating for years. Typically, a third party audits a supplier, prepares a report and sells it to companies that want to avoid conducting their own audit.
There may be a place for common audit reports, particularly with regard to low-risk suppliers. Before taking such an approach, though, consider the following factors:
• The report may not adequately address the scope needed, but one likely won't realize that until after it has been purchased. Only the buyer knows the importance of the services and/or goods that the supplier is providing; the auditor might not have placed sufficient emphasis on what is critical to you.
• Even if it does satisfy the scope required, the report may grow stale. The supplier may experience impactful regulatory inspections and/or changes to procedures, personnel, facilities, equipment, etc. Will a window into the past suffice?
• Perhaps a proprietary process is involved, and the third party would not have had access to audit those processes. And if the third party did have access, it would not be prudent to share those details with other companies.
Assessment: Purchasing common audit reports can fulfill some of one’s needs. Let's call this option a "Maybe."
LEVERAGE QUALITY SYSTEM CERTIFICATIONS?
Leveraging your suppliers' quality system certifications to certain standards such as ISO 13485 (applicable for medical devices) may be an option. To gain and maintain that certification, quality system experts must audit the suppliers routinely.
Whether your organization makes medical devices, pharmaceuticals or biologics, many may potentially benefit from this approach. However, be sure to consider the following questions:
• Who issued the certificate? There are vast differences in the weight that certificate-issuing organizations carry. For the harmonized European version (EN ISO 13485), the certificate should be issued by a group with rigorous standards called an authorized notified body. Organizations with similarly rigorous qualification requirements exist to audit and issue quality system certificates to ISO 13485 for other regions, such as Canada (recognized registrars).
• Is the certificate relevant? If, in addition to medical devices, the supplier's scope includes pharmaceutical and/or biotechnology(and one is only interested in these two areas) and if the quality systems are independent of each other, then the medical device ISO 13485 quality system certificate may not be relevant enough. If there are common quality system elements, then the certification may provide some level of assurance that your needs are being met. The FDA combination products regulation — 21CFR Part 4 — is intended for the development of a combination product quality system. That regulation gives a view into why a pharmaceutical or biotechnology company might find it acceptable to leverage at least part of the elements present within a medical device quality system for a supplier audit program.
• Which certificate should be accepted? One complication is that a supplier can have both a notified body and a registrar, each of which issues a certificate to ISO 13485. Furthermore, the notified body and registrar can be different organizations. Or, the supplier can have more than one notified body or registrar, each of which may issue their own certification for the scope of activities that they are covering.