Creating Value Solutions Through Assessment and Risk Reduction

GxP Lifeline Feature Article


Auditing is a more formalized assessment process. Whether we are assessing vendors like software developers whose products are used in the automated processes for manufacturing of pharmaceuticals or medical devices or the less technologically driven processes like pharmaceutical distribution channels for supply chain integrity; the process of inspection can help create useful data to support development of technology for specific uses. These audits also stimulate the utilization of technology to protect the supply chain from manufacturer to patient. Here we are talking about the use of similar processes and tools whether it is a system, facility or process audit.

...costs of audits within the industry have increased and pharmaceutical companies may incur costs (internal and external) upwards of $750,000 a year to perform, manage and archive audits. Examples exist that show reductions in cost greater than 50% through the use of a central repository. Such a repository was created by the PDA and is now known as the Audit Resource Center, or ARC.

One common thread throughout different audit processes is the maintenance of sound audit practices, standards and guidelines. This has been illustrated through regulatory action and oversight. Regulations, Standards and Guidelines, as published by the Food and Drug Administration (FDA), Drug Enforcement Agency (DEA), state regulatory bodies like Boards of Pharmacy, the Healthcare Distribution Management Association (HDMA), National Association of Boards of Pharmacy (NABP) and other associations and regulatory agencies affect the way audits are conducted and what standards or guidelines are used to measure compliance or performance.

Audits are conducted to meet FDA guidelines to insure manufacturers conduct appropriate due diligence by inspecting processes, environments, vendors, suppliers and others whose products, work and expertise are used in the manufacture and distribution of regulated products.

Auditing Standards
In 1996 the FDA challenged the industry to establish a standard way to assess the structural integrity of acquired computer software in order to improve the process and to and to lower overall costs to the industry.

In 1997, a task force was formed to develop a guideline for auditing acquired Commercial Off the Shelf (COTS) software. Organized by the Parenteral Drug Association (PDA), stakeholders formed a Computer Validation Interest Group. The group included representatives from FDA, the user community from the pharmaceutical and medical device industries and the software developers themselves. The group created guidelines for auditing the acquired computer software and services. The guidelines and audit process were published by PDA as Technical Report 32, Auditing of Suppliers Providing Computer Products and Services for Regulated Pharmaceutical Operations, or "TR-32."The objectives of this Task Group were focused on the specific application of software in the manufacturing process. Objectives were similar to those that any standards setting group might have. They include:

  • To define and demonstrate (through simulation and field testing) a process for supplier audits and qualification in a way that promotes standardization and simplification.
  • To meet regulatory expectations for structural integrity of acquired software and computer products in general (regardless of where in the manufacturing process they were applied)
  • To satisfy customer needs for information as supporting procurement, systems engineering and computer validation and
  • To lower costs to both the pharmaceutical companies and suppliers1

With regard to the latter point, costs of audits within the industry have increased and pharmaceutical companies may incur costs (internal and external) upwards of $750,000 a year to perform, manage and archive audits. Examples exist that show reductions in cost greater than 50% through the use of a central repository. Such a repository was created by the PDA and is now known as the Audit Resource Center, or ARC.

In the process of developing the published audit process, the task force performed research, used experience from supplier audits and drafted a common practice to meet the needs of the industry. The needs assessment came from the user's agreement that auditing practices used throughout the industry were cumbersome, duplicative and inconsistent.2

The task force of industry professionals continued working after the publication of TR-32 to monitor, maintain and upgrade the process. Today this group operates within PDA and is known as the Audit Guidance Advisory Board. The AGAB now guides the updating of TR-32, including assuring continued relevance of audit processes and guidelines, recruitment of committees of technical experts and the expansion of applications for which the audit process can be applied. The current document is under review and publication of a new broader guideline is expected in the coming year.

Anyone who manufactures products that are regulated by the FDA must conduct due diligence of their vendors, typically in the form of audits. In this environment, those vendors who produce equipment that utilizes software or those suppliers who develop software have to be audited utilizing a well accepted process such as the TR-32.

Quality audit procedures are all driven by observation. Observations are made either by an external auditor or by the company's technical expert. These individuals insure that inspection of the proper elements is done to current standards or by internal quality teams whose responsibility it is to report to management on the status of the environment whether static, dynamic or resting.

GAMP 5 or Good Automated Manufacturing Practices is used as an audit guide for many manufacturing processes like controlled environments where computer products and software are not the primary process being examined. GAMP 5 has also been enhanced, refined and restructured like the TR-32 to reflect current regulatory expectations and good practice.

Professionals from the Americas and Europe contributed to the production of GAMP 5 which is intended for suppliers and users in pharmaceutical manufacturing and related healthcare industries. This guide draws together key principles and practices and describes how they can be applied to determine the scope and extent of validation for different types of automated systems.

Benefits of this standard to industry users and suppliers echo those of the TR-32 and others and may include:

  • Cost benefits, aiding the production of systems that are fit for purpose, meet user and business requirements and have acceptable operation and maintenance costs
  • Increased understanding of the subject and introduction of a common language and terminology
  • Reductions in cost and time taken to achieve compliance systems
  • Clarification of the division of responsibility between user and supplier

While GAMP addresses a broad range of issues related to validation of systems, another document that can assist us in maintaining 21 CFR Part 11compliance is the joint PDA/ISPE publication, "Complying with 21 CFR Part 11, Electronic Records and Electronic Signatures," a companion document to GAMP 5.3 As far as these authors are aware, unlike TR-32, no repository exists for audits conducted using either of these audit guidelines.

Audits have historically been executed by compliance personnel in pharmaceutical companies who possessed a basic knowledge of software or other processes. These knowledgeable individuals used methods and checklists common to auditing physical processes and checking paper trails. Much of this was based on written regulation for good manufacturing and clinical practices, but was not always suited for technology processes.

Audits conducted by independent auditors to a standard are valued by industry as a way to "certify" that a vendor or company has followed the proper procedures and their work or products has been through a third party review and is credible.

Training, qualification and certification have become the basis for developing personnel and teams that can execute audits with the latest standards from governing organizations and professional associations like PDA, International Society for Pharmaceutical Engineers (ISPE), American Society for Quality (ASQ) and others.

The PDA and ASQ both train professionals and qualify or certify them to conduct quality examinations for their companies, for clients independently and audit the manufacturing and technical processes discussed here. This training is essential to furthering the standards employed and to the industry acceptance and adherence to standards and regulation from the governing bodies like the FDA.

The rationale for developing industry standards is to systemize this process and to qualify auditors based on the standard developed by a sanctioning body such as PDA or others. One group that assists in this training is the PDA Training and Research Institute. The TRI is approved by the Accreditation Council for Pharmacy Education (ACPE) as a provider of continuing pharmacy education.4

Third party participation in the audit process creates some distinct advantages. A third party resource can be a credible source for information, participation by technical experts, overview from sanctioning bodies and resource extension for valuable and scarce internal resources.

The need for diligence is not unique to manufacturing of pharmaceuticals and devices. Companies also face challenges in distribution, both internal and through the external supply chain typically consisting of pharmaceutical wholesalers. Early in this decade, a significant increase in the incidence of counterfeit and diverted drug products and devices got the attention of industry stakeholders and led to a series of very significant changes.

The increase in US counterfeits increased the need for oversight in the US supply chain in the last six years. Specifically the distribution of branded pharmaceuticals is now more tightly controlled than ever. Yet, even with better control, the US market is not immune from counterfeits and certainly not from diversion. Questions continue to be asked by stakeholders regarding whether distributors maintain products under the appropriate chain of control throughout the distribution channel.

The stakeholders' concerns were addressed by the Healthcare Distribution Management Association (HDMA) and the National Association of Boards of Pharmacy (NABP) which published "Recommended Guidelines for Pharmaceutical Distribution System Integrity" and the "Model Rules for Distributors," respectively. These published guidelines call for wholesale operations that maintain vigilance in purchasing as well as in receiving, storing and shipping pharmaceuticals. More recently, and as a result of pressure on the supply chain to eliminate entry points for counterfeits, manufacturers demanded discontinuation of secondary source buying and wholesale distributors responded with fee for service agreements.5

Auditing of the distributors of pharmaceutical products and their processes is as important as any audit of suppliers to those manufacturers. Perhaps because significant payments are now made by manufacturers to wholesalers, today's operational audits evaluate not only the security and integrity of the supply chain for pharmaceutical products to the public, but also compliance with FFS agreement terms and conditions. Under provisions in the PDMA (Prescription Drug Marketing Act), distributors who are not authorized by the manufacturer to handle and sell their products must provide an "identifying statement" to purchasers. This is intended to ensure that the chain of control or possession of products is easily identified and oversight is clear. The "pedigree statement" documents each prior sale, purchase or trade of the prescription medicine. Current state definitions and requirements for pedigree vary. Several states have begun ambitious programs to mandate pedigree for all pharmaceutical products distributed within that state. Some states exempt distributors who maintain the normal supply chain of Manufacturer to Authorized Distributor to Pharmacy. Florida requires more active pedigree management, while laws in California are pending.6

Types of audits that focus on the distribution of pharmaceutical products include:

  • Operational audits
  • Assessment of distributor compliance with industry regulations, standards & guidelines
  • Assessment of data completeness and validity
  • Assessment of compliance with fee for service agreement terms and conditions.
  • Chargeback audits
  • Evaluation of distributor and manufacturer processes
  • Assessment of data completeness and validity
  • Assessment of the financial transactions between and among the manufacturer, their ultimate customer and the distributor

Today the changes in the supply chain landscape continue. While no audit standard has been formally adopted, NABP has created an inspection process that may be used by state boards of pharmacy for inspecting distributors. This program is known as the Verified Accredited Wholesale Distributor, or VAWD program. Indiana requires all distributors that ship into the state to be VAWD inspected. While the VAWD program measures regulatory compliance, the HDMA Recommended Guidelines serve as a credible measuring tool for compliance with guidelines and standards.

Look For ROI to Create Efficiencies
Return on investment (ROI) is an important consideration when manufacturers consider the conduct of audits. The commitment and resources required are significant even if audits are mandated or strongly recommended by an oversight agency or body. Measurements of return are sometimes not easily quantifiable, but may be measured in dollars, time, safety or other factors, including the impact of negative events on the brand. With increasingly limited resources, the need for efficiency is greater now than at any time.

Though auditing serves several purposes which can be adapted to the application as necessary, results can and should be shared across the enterprise to help maintain diligence and vigilance. Many times divergent agendas within an organization as well as for external stakeholders can make the process much more difficult and resource allocation more demanding than necessary. One way to reduce this potential duplication is to utilize resources that provide efficiencies. One such resource to auditing is a central repository like the TR-32 Audit Resource Center maintained by PDA for audits that can be shared across the enterprise and throughout the industry. Manufacturer customers of COTS and their vendors benefit from strengthened relationships, reduced time and cost associated with the auditing process and improved quality and consistency in documentation.

Many organizations may have processes and even specific software for managing audit data and reports. Like internal audit systems and those personnel managing them, these processes may be subject to the individual needs of groups within the company or department and thus may not meet a standard or include standard practices.

The same bodies that develop and maintain standards also devise ways to help maintain the integrity of the data, reports and information that is produced by an audit in an effort to make it consistently acceptable to multiple stakeholders with the organization or across the industry.

One tool created by the PDA's task group, is the Audit Resource Center, (ARC) that is managed under the supervision of the AGAB. The ARC provides audit reports to industry and partners with suppliers of software products to facilitate audits and track the global supply of available audits and qualified auditors who conduct them. The ARC provides a repository of audit reports of computer products and services by serving as trusted custodian of audit reports, archived in a secure environment in an effort to help foster some efficiency.

As we delve into the assessment process and the tools we use to accomplish our individual goals or goals for our teams, we often look too closely at the details of the systems that we are auditing in an attempt to mine for any data we need to complete our audit reports or manage the state of the system. Anytime we set out to inspect a dynamic process, we often have to remind ourselves to step back, look at the big picture and remember the larger goals we started with to create a greater understanding of the system or process we are assessing to make sure we come out with true and useful observations and not just a set of results to complete a report.

References1 Auditing of Suppliers Providing Computer Products and Services for Regulated Pharmaceutical Operations. Technical Report No. 32, Release 2.0, Vol. 58, No. 5, September/October 20042 Carney, David; Greenawalt, Harvey; Grigonis, George; Oberndorf, Patricia. Case Study: Computer Supplier Evaluation Practices of the Parenteral Drug Association (PDA) Carnegie Mellon Software Engineering Institute, May 20033 GAMP 5, Good Automated Manufacturing Practice (GAMP) Guide for Validation of Automated Systems. SciTech Engineering Website: Commissioning and Qualification Team Brief; Mar. 5, 2008. Reference CQ-TB-C5V0014 About PDA Training and Research Institute. Parenteral Drug Association. 28 Jul 20075 NABP website; www.nabp.net6 HDMA Guidelines;

Chris Ward is the Director of the Audit Resource Center for SynTegra. Mr. Ward is responsible for business development and management of the ARC database of software process audits. He began his career in sales and has broadened his experience with work in human resources, sales training, management development and more recently, marketing. Mr. Ward spent much of his career with Rhone-Poulenc Rorer Pharmaceuticals then was recruited by the world's largest biotech company, Amgen and as a product manager on the Nephrology Franchise worked on the launch of Aranesp.He has experience in small business management as an Associate Director of Business Development for a start up CRO. He then went into full time non-profit work as Director of Business Development at MdBio, a division of the Tech Council of Maryland.Mr. Ward has a Bachelors of Business Administration, with a concentration in Marketing. He received a certificate in Marketing from the University of Chicago and has graduate work in Health Policy at The Johns Hopkins University. He is a member of the American Chemical Society and is past Chair (2005 - 2006) of the Board of Directors of the Asthma and Allergy Foundation of America.

Thomas E. Menighan RPh, MBA, is the President of SynTegra, LLC, a subsidiary of Health Pathways, Inc., Mr. Menighan leads development and delivery of a full suite of operational and regulatory compliance services for pharmaceutical and biotechnology companies from product discovery to distribution. He was the former CEO of SymRx, Inc., a pharmaceutical information technology company that developed and was sold in 2002. Mr. Menighan is a past President of the American Pharmacists Association (2001-2002) where in the early 1990s he also served as a senior staff member. Mr. Menighan was VP of Operations for the PharMark Corporation, a Drug Utilization Review systems provider. In 1978, he opened a Medicine Shoppe in Huntington, WV and was a 20 year owner. He is currently a partner in Pharmacy Associates, Inc., a multi-state home-care company he founded in 1982 that serves patients in over 28 states. He is a graduate of WVU School of Pharmacy, currently serves on their Health Sciences Center National Advisory Board and holds an MBA from Averett College.

Learn more about audit related topics:

MasterControl Video:Benefits to Senior Management