In the pharmaceutical and medical device industries, regulatory agencies require internal and supplier audits to ensure compliance with Good Manufacturing Practices and ISO standards.
The audits are conducted to identify potential problems that may impact product quality, efficacy, or safety and provide a mechanism for corrective actions to minimize public health risks. In this blog post, we will discuss seven critical areas to focus on during internal or supplier audits.
Regulatory agencies in the pharmaceutical and medical device industry require both internal and supplier audits to ensure that products are safe and effective for public use. The audit requirements are listed in the Good Manufacturing Practices (GMP), Good Distribution Practices (GDP), ISO 13485:2016, or other relevant standards.
Conducting audits helps to identify potential issues that may affect the quality, efficacy, or safety of the products. By identifying and addressing these issues, audits help minimize public health risks. Companies are responsible for maintaining these standards during the period between audits.
In October of 2020, he sat down to discuss PAIs in an episode of The FDA Group's podcast, The Life Science Rundown. Watch the full episode below and read on for a clear and simple deep dive into PAIs.
Listen and subscribe to The Life Science Rundown →
Many FDA-regulated manufacturers falsely assume that by outsourcing duties to suppliers, these third parties take on the responsibilities for maintaining regulatory compliance. This is a fundamental misunderstanding of the expectations laid out in 21 CFR Part 820 for medical device companies and FDA’s Q10 Pharmaceutical Quality System guidance for the pharmaceutical industry.
Although a viable supplier business model demands high-quality products and services, the regulatory burden ultimately rests on the company receiving their products or service. Monitoring and managing quality is extremely important when outsourcing anything that could potentially impact the product. This includes both the typical outsourced services like component suppliers and contract manufacturers, as well as consulting services, more generally.
To eliminate confusion around the expectations placed on manufacturers, we’ve summarized the key regulations governing supplier management for drug and device companies below.
This guidance extends quality systems responsibilities for drug makers to their outsourcing activities. One particularly important clause states that contract givers “should be responsible for assessing the suitability and competence of the contract acceptor to carry out the work required.” It also establishes that all responsibilities for quality-related activities between the two parties “should be specified in a written agreement.”
Beyond this, drug manufacturers must ensure that any product introduced into interstate commerce is neither adulterated nor misbranded due to the actions of a contracted facility but rather due to the labeled drug manufacturer. This point is particularly crucial for “virtual” companies that rely entirely on outsourced manufacturing.
All companies, virtual or otherwise, are ultimately responsible for the products they place into interstate commerce. A risk-based approach to supplier quality management is recommended to ensure this expectation can be met.
This should include, at minimum, the following actions:
📄 Download our free white paper — The Complete Guide to FDA-Regulated Supplier Qualification and Quality Management — for a more in-depth guide to proper supplier qualification.
All medical device companies marketing products in the United States must have a Quality Management System that satisfies the requirements of Part 820. Specific to suppliers, this regulation establishes Purchasing Controls (Section 820.50), which require manufacturers to develop and maintain procedures that ensure all purchased or otherwise received products and services adhere to a specific set of requirements.
Evaluation of suppliers, contractors, and consultants. Each manufacturer shall establish and maintain the requirements, including quality requirements, that must be met by suppliers, contractors, and consultants. Each manufacturer shall:
1. Evaluate and select poten-tial suppliers, contractors, and consultants on the basis of their ability to meet specified requirements, including quality requirements. The evaluation shall be documented.
2. Define the type and extent of control to be exercised over the product, services, suppliers, contractors, and consultants, based on the evaluation results.
3. Establish and maintain records of acceptable suppliers, contractors, and consultants.
Purchasing data. Each manufacturer shall establish and maintain data that clearly describe or reference the specified requirements, including quality requirements, for purchased or otherwise received product and services. Purchasing documents shall include, where possible, an agreement that the suppliers, contractors, and consultants agree to notify the manufacturer of changes in the product or service so that manufacturers may determine whether the changes may affect the quality of a finished device. Purchasing data shall be approved in accordance with § 820.40.
The use of the term “establish” is particularly important to interpret properly. According to FDA in 21 CFR Part 820.3, “establishing” means to define, document, and implement. In the context of Purchasing Controls, thorough documentation (written or electronic) is absolutely essential.
Manufacturers conduct internal audits to evaluate their own processes and guarantee compliance with GMP and other regulatory standards. These audits are an essential component of the manufacturer's quality management system, and they offer an opportunity to detect potential issues and implement corrective actions to prevent recurrence while striving for continuous improvement.
Supplier audits provide an objective evaluation of supplier processes and compliance with regulatory requirements. These audits are essential for identifying potential issues related to purchased products or services that could impact internal production. In other words, supplier audits are crucial for ensuring the quality of purchased products or services and compliance with regulations.
FDA-regulated firms conduct various types of vendor/supplier audits to ensure compliance with regulatory standards and to maintain the quality and safety of their products. Often, these types of audits will be combined based on the needs at hand.
The types of audits conducted can include, but are certainly not limited to:
Quality System Audits: These audits assess the supplier's quality management system to ensure it meets the standards required by the FDA. This includes reviewing processes for design control, production, product testing, and quality assurance. Pre-Approval Inspections (PAI): For pharmaceutical companies, PAI audits are conducted on suppliers of active pharmaceutical ingredients (APIs) or critical components before the FDA approves a new drug application. Good Manufacturing Practice (GMP) Audits: These audits focus on the supplier's compliance with GMP regulations, which are critical in ensuring that products are consistently produced and controlled according to quality standards. Good Laboratory Practice (GLP) Audits: These audits are relevant for suppliers who conduct nonclinical laboratory studies. The audit ensures compliance with GLP regulations, which are designed to ensure the quality and integrity of safety data. Good Clinical Practice (GCP) Audits: For suppliers involved in clinical trials, GCP audits assess compliance with regulations that ensure the integrity of clinical trial data and the protection of trial participants. Supply Chain Security Audits: These audits assess the security of the supplier's supply chain, including transportation and storage, to prevent contamination, adulteration, or other compromises to product integrity. Data Integrity Audits: These audits focus on the accuracy and reliability of the supplier's data, including record-keeping practices, data storage, and data processing systems. Risk-Based Audits: These are tailored audits based on the risk profile of the supplier and the criticality of the materials or services they provide. They may cover a combination of the above areas depending on the specific risks identified. |
An FDA-regulated manufacturer should perform supplier audits at several key points and under various circumstances to ensure compliance and maintain the quality and safety of their products.
Here are some scenarios when supplier audits are typically conducted (again, this list is not exhaustive):
Before Onboarding a New Supplier: Before entering into a business relationship, an initial audit is crucial to assess the supplier's ability to meet regulatory and quality requirements. This is a critical part of supplier qualification. Periodic Scheduled Audits: Regularly scheduled audits, often annually or biennially, are conducted to ensure ongoing compliance and to identify any changes in the supplier's processes or quality systems. When Significant Changes Occur: If there are significant changes in the supplier's operations, management, production processes, or materials, a new audit may be necessary to evaluate the impact of these changes on quality and compliance. Post-Issue Resolution: If a supplier was previously found to have issues or non-compliance, a follow-up audit is often conducted after corrective actions have been implemented to ensure that the issues have been adequately addressed. Risk-Based Frequency: High-risk suppliers, or those providing critical components, may require more frequent audits. The frequency can be determined based on a risk assessment considering factors like the supplier's past performance, the supplied materials' criticality, and the manufacturing process's complexity. Regulatory Requirement Changes: If there are changes in FDA regulations or industry standards that affect the supplied materials or components, an audit may be necessary to ensure the supplier's processes and products comply with the new requirements. Random or Unannounced Audits: Some manufacturers conduct random or unannounced audits to get a more accurate picture of the supplier's typical operations and compliance status. Market or Consumer Complaints: If there are market complaints or adverse events related to the quality or safety of the products, an audit may be conducted to investigate if the issue is related to the supplier's materials or processes. As Part of Continuous Improvement: Audits can also be part of a continuous improvement program to enhance quality, efficiency, and compliance in the supply chain. When Industry Trends or Issues Arise: If there are emerging trends or widespread issues in the industry that could affect the supplier, an audit might be conducted to ensure that these broader challenges are being effectively managed. |
When conducting a supplier audit for an FDA-regulated manufacturer, there are several key areas to focus on to ensure compliance with regulatory standards and to maintain product quality and safety.
Here are some of the critical areas, however, the specific components of any specific audit are situation-specific.
Quality Management System (QMS): Evaluate the supplier's QMS to ensure it aligns with industry standards and regulatory requirements. This includes reviewing their documentation, procedures, and records. Good Manufacturing Practices (GMP): Assess the supplier's adherence to GMP regulations. This includes evaluating cleanliness, equipment maintenance, personnel training, and process controls. Regulatory Compliance: Verify that the supplier complies with all relevant FDA regulations and any other applicable regulatory requirements. Product Quality and Specifications: Ensure the products or materials supplied meet the agreed-upon specifications and quality standards. Process Control and Validation: Evaluate the supplier's process control measures and validation procedures to ensure consistency and reliability in production. Supplier Qualification and Performance: Review the supplier's qualification process and historical performance, including their ability to meet delivery timelines and quality standards. Change Control: Assess the supplier's change control procedures to ensure that any changes in materials, processes, or equipment are properly documented, evaluated, and communicated. Corrective and Preventive Actions (CAPA): Review the supplier's CAPA system to ensure that they effectively identify, document, and resolve quality issues. Data Integrity and Record Keeping: Evaluate the integrity and accuracy of the supplier's data and their record-keeping practices. Supply Chain and Material Traceability: Assess the traceability of materials throughout the supply chain to ensure transparency and the ability to track and recall products if necessary. Environmental Control: Evaluate the supplier's environmental controls, including temperature, humidity, and contamination controls, especially for sensitive materials. Employee Training and Competence: Review the training programs and competence of the supplier's personnel, particularly those involved in critical processes. Facility and Equipment: Inspect the supplier's facilities and equipment to ensure they are suitable, well-maintained, and capable of producing quality products. Risk Management: Assess the supplier's risk management practices and how they identify, evaluate, and mitigate potential risks. Sub-Supplier Management: If applicable, evaluate how the supplier manages their own sub-suppliers to ensure quality and compliance throughout the supply chain. Customer Complaints and Feedback: Review how the supplier handles customer complaints and feedback and how they implement improvements based on this feedback. Audit and Inspection History: Review the supplier's history of audits and inspections, including any findings and how they were addressed. |
In addition to these standard focus areas, supplier audits can provide valuable insight into other areas that paint a much more complete picture of their operation and standing.
For example, an exceptionally skilled auditor may evaluate the supplier's capacity for scalability ahead of increased production needs. This is crucial for manufacturers with growing demands or plans for expansion.
Cybersecurity is another major (and quickly growing) area of concern, especially if a supplier handles sensitive data or is integrated into digital aspects of the manufacturing process.
Supply chain resilience is another emerging area of focus. This includes their ability to manage disruptions, maintain inventory levels, and have contingency plans for emergencies or unexpected demand changes.
Quality leaders responsible for auditing suppliers, particularly in FDA-regulated industries, face various challenges. These challenges can impact the audits' effectiveness and the supply chain's overall quality.
Modern pharma/device supply chains can be incredibly complex, involving multiple tiers of suppliers spread across different countries. This complexity makes it challenging to maintain visibility and control over quality standards throughout the supply chain.
A few best practices:
|
Effectively assessing and prioritizing risks among various suppliers to focus resources on the most critical areas can be complex.
A few best practices:
|
Conducting audits across different countries involves dealing with varying regulations, languages, and cultural practices. These differences can pose significant challenges in terms of communication, understanding local regulations, and ensuring consistent standards.
A few best practices:
|
Quality leaders often face resource constraints, including limited time, budget, and personnel. This can make it difficult to conduct thorough audits, especially for a large number of suppliers or for suppliers located in distant regions.
A few best practices:
|
Sometimes suppliers may be resistant to audits or may not fully cooperate. This can be due to various reasons, including perceived intrusion, fear of revealing proprietary information, or concerns about potential disruptions to their operations.
A few best practices:
|
Ensuring the integrity and transparency of data provided by suppliers can be challenging. There may be instances of incomplete, inaccurate, or manipulated data, which can hinder the audit process.
A few best practices:
|
Suppliers can vary greatly in terms of their quality maturity, technological capabilities, and understanding of regulatory requirements. Tailoring audit approaches to suit different levels of supplier maturity can be challenging.
A few best practices:
|
Establishing a robust supplier audit program involves several key steps. These steps are designed to ensure that the program is comprehensive, effective, and aligned with the company's quality and compliance objectives. Here are the basic steps:
Define what you want to achieve with the supplier audit program. This could include:
Then decide which suppliers will be audited, the frequency of audits, and the specific areas or processes that will be evaluated.
Action items:
|
Develop clear criteria for the audit based on regulatory requirements, industry standards, and your company's quality expectations. Then develop detailed checklists or guidelines that outline what will be assessed during the audits.
Action items:
|
Work with an experienced firm to access qualified auditors with the necessary expertise, experience, and certifications. Ensure they have a good understanding of the industry and regulatory requirements. Offer training to auditors on your company's procedures, the specific audit criteria, and any relevant regulatory updates. Some auditors will offer their own general audit criteria as well.
Auditors should thoroughly understand your facility’s technical operations (equipment, facilities, processes and quality systems) before moving forward.
Contact us to access the indsutry's best auditors. Here's a look at our proven process for auditing projects:
Action items:
|
Prioritize audits based on risk assessments. High-risk suppliers or critical supply chain components should be audited more frequently. Communicate with suppliers to schedule audits at mutually convenient times. Provide them with information on the scope and expectations of the audit.
Action items:
|
Auditors should conduct thorough evaluations based on the predefined criteria and checklists. This may include reviewing documents, inspecting facilities, and interviewing staff. Collect evidence to support findings. This could include records, logs, photographs, or samples.
Since an auditor’s time on-site is often limited, make the most of the visit by utilizing your resources efficiently.
After the audit, compile the findings into comprehensive audit reports. Reports should clearly outline any non-compliances, areas for improvement, and best practices observed. Share the audit reports with the suppliers. Provide them with clear feedback and discuss any areas of concern.
Action items:
|
Work with suppliers to develop corrective action plans for any non-compliances or issues identified. Regularly follow up with suppliers to monitor the implementation of corrective actions. Offer support and guidance as needed. We regularly assist with planning and executing these remediation projects. Contact us to discuss remediation support.
Action items:
|
Analyze audit results over time to identify trends, common issues, or areas for overall supply chain improvement. Regularly review and update the audit program based on feedback, changes in regulations, or shifts in company strategy.
Action items:
|
Keep detailed records of all audits, including reports, corrective action plans, and follow-up communications. Ensure that sensitive information gathered during audits is kept confidential and secure.
Action items:
|
Our certified, experienced auditors plan, schedule, and execute vendor/supplier quality management audits to identify areas of conformance and nonconformance with applicable global regulations. Following assessment, our experts provide a detailed report including all observations, deficiencies, and a risk-based corrective action plan for improvement.
With an enhancement plan in place, our quality professionals will work closely with you to provide recommendations, resolve compliance issues, track corrective actions, and communicate the status of resolutions with company management.
This comprehensive approach to vendor/supplier quality management strengthens your vendor/supplier relationships while ensuring your products are of the highest quality through a quality system that is compliant and efficient.
Our vendor/supplier auditing services include:
Contact us to start the conversation.
Watch our free webinar to learn more about conducting a thorough gap analysis as well as a step-by-step process for resourcing and implementing remediation afterward.