preparing for an audit - ul compliance to performance · pdf fileface compliance challenges...
TRANSCRIPT
Preparing for an Audit MANAGING US FDA INVESTIGATIONS
Based on a UL EduNeering eLearning course, authored by the experts at EduQuest (www.eduquest.net)
Page 2
Few business sectors are as closely regulated or scrutinized as the Pharmaceutical,
Biologics and Medical Device industries (Life Science). The growing complexity of
technologies and the continued globalization of markets and supply chains will only
intensify the attention of regulators, particularly in the area of product quality.
All Life Sciences facilities, regardless of location or product risk, will be inspected. The
majority will be inspected multiple times by inspectors with significantly different
approaches, areas of expertise and regulatory responsibilities. According to federal law,
FDA has the right to inspect all drug, biologic and medical device manufacturing facilities
and all equipment, materials, documentation, and packaging and labeling, at reasonable
times and in a reasonable manner.
FDA will conduct an inspection of a company for several reasons.
Pre-approval Inspection (PAI) - FDA conducts inspections prior to the approval of a New
Drug Application (NDA) or sometimes for an Abbreviated New Drug Application (ANDA).
In the case of medical devices, the PAI may precede the approval of a Premarket Approval
(PMA) or 510k Application. For biological products, the PAI will be conducted prior to the
FDA approval of the Biologic License Application (BLA).
General GMP - FDA requires that general GMP inspections be performed on a periodic
basis to ensure a company is operating in accordance with cGMP regulations.
For Cause - These inspections are performed as a result of complaints, recalls, or regulatory
actions and focus on specific areas of concern. For cause inspections tend to be very
intense and detailed.
Quality System Inspection Technique (QSIT) - Manufacturers of biomedical products,
especially medical equipment, are subject to routine inspections of their quality systems by
FDA. These inspections do not initially focus on specific problems within a facility. Instead,
the QSIT employed by FDA examines the quality control procedures as designed by facility
management and implemented over the whole of the manufacturing process.
Expecting an Unexpected Inspection
PART ONE: Preparing for an Audit – What You Need to Know
Preparation is essential for any audit or investigation, especially because of the escalating
complexity and overlap of global quality regulations. Life Science companies that
serve multiple national markets or rely on dispersed supply chains will commonly
face compliance challenges from regulatory agencies including the US Food and
Drug Administration, European Commission, international organizations such as the
International Committee on Harmonisation, the International Standards Organization and
national governments.
The FDA’s Quality System Regulations (21 CFR 820 for Medical Devices and 21 CFR 210-211
for Pharmaceuticals) are generally considered the most stringent and serve the basis for
many other countries’ regulations. As a result, they can have the greatest impact on a Life
Science company’s ability to market and sell its products. Notwithstanding that common
use, it is important to recognize that different countries impose additional regulatory
requirements.
Although the FDA often provides notice in advance of a planned audit, it is not required to
notify managers within the US. In Europe, FDA inspectors routinely give companies three to
four weeks notice that they intend to inspect a specific facility.
Trends in Regulatory Enforcement
Regulations do not remain static. Rather, they are continually redefined and readjusted by
issues as diverse as legislative pressures and technology advancements. Since 2010, three
important trends that have affected global regulatory compliance are the FDA’s foreign
inspection program, the heightened attention to adverse events and pharmacovigilance,
and quality in the supply chain. Importantly, the Food and Drug Administration Safety and
Innovation Act (FDASIA), which was signed into law in July 2012, enables FDA to identify
facilities involved in the manufacture of generic drugs and associated APIs. Unti that time,
FDA hadn't a formal list of facilities manufacturing APIs globally.
In the United States, the FDA has been under pressure by the US Congress to increase the
stringency of its approval process, especially for medical devices and inspection frequency,
both domestic and foreign. By the end of 2014, FDA had foreign offices in China, Europe,
India, Latin America, and in the Asia-Pacific.
Recent, highly-publicized product recalls and legislative attention has called product safety
and quality into question by regulators, legislative bodies and the public at large. The
result has been expanded regulations related to after-market adverse events. Companies
are being held to higher standards for pharmacovilance through defined reporting and
recordkeeping requirements. Manufacturers should expect the trend to continue and
intensify.
A related issue of growing concern to regulators is the manufacturer’s supply chain. The
vast majority of Medical Device and Pharmaceutical companies rely on supply chains that
cross national borders. The company’s suppliers may, in turn, use multiple subcontractors
Page 3
KEY TOPICS
PART ONE: What You Need to Know:
• Expecting an Unexpected Inspection
• Trends in Regulatory Enforcement
• What to Expect From an Auditor
• The Starting Point: Knowing What to Expect
PART TWO:What to Do ………………… Page 6
PART THREE:What YouShould Learn ……………… Page 12
Preparing for an Audit: PART ONE – What You Need to Know
that the brand manufacturer rarely knows or has direct control over. Despite that, the
brand company has ultimate responsibility for product quality and safety, making careful
oversight of suppliers and contractors imperative.
What to Expect From an Auditor
Audits have vastly different backgrounds and approaches. Understanding what to expect
from an auditor is an important step in undergoing a successful investigation. A former
FDA inspector with extensive experience conducting investigations and working with
counterparts in other regulatory agencies offers insight about the auditors assigned to
inspect Medical Device facilities.
An auditor will typically hold one or more advanced degrees (PhD or MSc level) and
five years of experience as a physician, pharmacist, scientist, microbiologist or chemist.
Increasingly, for Medical Device companies, an auditor may be a chemist/chemical engineer
or engineer. Above all, the vast majority of auditors will be highly professional and should
be treated as such.
FDA auditors in particular are trained in diverse areas. Some of those areas are expected
– drugs and devices, FDA law, Code of Conduct and ethics – but other areas of training
may not be. FDA auditors are trained in evidence gathering, techniques for obtaining
information, sample collection and sterilization and validation. Auditors may also have
specialized expertise in a broad range of subject areas including mechanics and electronics,
plastics, chemistry and biocompatibility, clinical evaluation, ionizing radiation, clinical
evaluation, software and process validation. In particular, many auditors have become
expert in validation.
It is critical that manufacturers assign people to the audits who are equally capable in
the auditor’s area of expertise. Remember that a manufacturer has the right to ask about
the educational and professional background of the auditor who is assigned to conduct
the audit. The auditor does not have to provide that information but it is worth asking. A
company armed with that basic information may be able to focus their preparation activities
on areas in which the auditor is likely to be most interested and knowledgeable.
Manufacturers can expect auditors to arrive at each inspection well-armed with information
about the history of the facility and the company’s other operations. An FDA auditor, for
example, will routinely review previous inspection reports to determine the focus of earlier
audits and findings of noncompliance. If the company has had a noncompliance issue in the
past, the auditor will concentrate on the Corrective Action Plan (CAPA) that it developed to
Page 4
Preparing for an Audit: PART ONE – What You Need to Know
address those issues. Critically, the auditor will want to determine the current status of the
company’s compliance with the CAPA.
Companies can expect the inspections to last from four to five days, with each subsystem
flowing into the next. Auditors may also examine material control, document/record/
change control, and facility and equipment control. Controls over suppliers and
subcontractors have become an area of heightened scrutiny. That scrutiny is expected
to intensify going forward and companies are encouraged to develop risk-management
strategies for their supply chains.
An overriding rule of thumb: inspectors will be professional and prepared. It is critical
that the company approach the audit with equal professionalism and preparation.
The Starting Point: Knowing What to Expect
A regulatory audit can be challenging, even for a well-operated facility with no history of
noncompliance. Preparation for an audit is essential, beginning with a base of knowledge
about prevailing regulations and trends, the audit components and the preparation of the
auditor. From this base, companies will be able to move forward in a systematic process that
includes things to do before the audit, key considerations during the audit, and important
activities to conduct after the audit.
Audits represent an inescapable reality for Life Science companies. Many companies
view them simply as a necessary evil. More forward-looking organizations recognize the
value audits can bring to their operations by focusing attention on areas of improvement,
identifying emerging issues, and introducing policies and procedures that proactively
address industry and regulatory trends. In a fast-changing world with growing competitive
and performance challenges, the way a company views an audit may well signal how it
achieves its larger business goals.
Page 5
Preparing for an Audit: PART ONE – What You Need to Know
An overriding rule of thumb: inspectors will be professional and prepared. It is critical that the company approach the audit with equal professionalism and preparation.
Page 6
What the Auditor Already Knows
When a regulatory auditor arrives at your door, he or she will be prepared. The auditor
will have reviewed the facility’s product specifications, its production processes and its
compliance history. Before the first “Hello,” the auditor will know the focus and findings
of the last auditor, any recalls of products from your plant or even a nonrelated facility
using the same suppliers, and any quality problems noted at your company’s other
facilities. You have to be just as well-prepared. Good preparation for a regulatory audit
involves practical actions that extend from the CEO’s office to the shop floor and loading
dock.
Step 1: Knowing the Rules
In most cases, audit preparation must be completed within a tight schedule. At
the same time, the facility must continue its operations with minimal disruption.
Meeting both objectives requires a systematic approach to a multifaceted endeavor.
Ensuring that none of these multiple tasks “fall through the cracks” begins with a clear
understanding of the scope and range of the upcoming audit.
All regulatory organizations define the range and scope of their audits. The FDA,
for example, requires that its auditors be given access to a broad cross-section of
materials and sites within the organization. It is important to understand what you
must show and what can remain confidential. To complicate things, sometimes both
types of information are contained in the same document. For example, a company’s
competency forms may include the salary paid to the employee. Auditors have the
right to see the competency form but salary information is privileged. Before you hand
an auditor a document or open an area of a facility, make sure you are not exposing
confidential or privileged information.
PART TWO: Preparing for an Audit – What You Should Do
Based on the audit scope, you may be able to identify areas of the facility likely to come
under scrutiny. It is important to remember that auditors typically have considerable
leeway in conducting their investigations. Some auditors will simply pop their heads
into an office as they walk past, stopping to ask the person behind the desk a quick
question. That small aside may not have been part of the auditor’s plan but the
possibility should be part of your preparation.
Step 2: Training Everyone
Training is a fundamental component of any preparation plan. Everyone in the
organization requires training about what the audit means, why it is important, what
the auditor may be looking for and how to respond. Some of the most important points
to make during training include:
• Which regulatory agency is conducting the audit and what is the scope of the audit? Employees should be advised about the regulatory authority, the applicable
regulations and the type of audit (routine, surveillance, for cause or for approval of a
new product).
• What are the consequences to the company from a report of noncompliance? You
should explain why the audit is important and what the consequences are to the
company from noncompliant activities. An audit involves everyone in the company
and depends on the actions and compliance of everyone.
• How does an audit work? Training should outline the audit process, particularly
when a significant number of employees have never experienced one. A virtual
walking tour can help to clarify the actual procedures. It can be helpful to describe
the most likely procedures: document review, interviews, process inspections and
equipment examinations. Employees should know what to expect and the
variations that might occur. We know of some auditors who prefer to use a central
office, bringing in documents to review and individuals to interview. Other auditors
choose to move around the facility, stopping in at offices to speak with personnel
and asking to see where documents are stored. The more information employees
have about the auditor’s background, areas of expertise and past approach, the
better prepared they will be to handle the inevitable pressure of an audit.
• What types of information must be made available to the auditor? Everyone in the
organization needs to understand what the auditor is entitled to see. The company
must make clear that it is not attempting to “hide” information or activities from the
auditor; rather, it is arming employees with the information they need to respond
appropriately to the auditor’s requests.
Page 7
KEY TOPICS
PART TWO: What You Should Do
• What the Auditor Already Knows
• Step 1: Knowing the Rules
• Step 2: Training Everyone
• Step 3: An Internal Audit
• Step 4: Starting Off on the Right Foot
PART THREE:What YouShould Learn ………………Page 12
Preparing for an Audit: PART TWO – What You Should Do
• Do employees have to answer the auditor’s questions? In most cases, yes, but
employees are not required to provide additional information. Many employees
are justifiably proud of their work and, when asked a specific question, may want
to explain far more than is necessary. It is important to remind employees that they
should answer questions without providing extended, unrequested explanations that
might trigger new questions in the auditor’s mind.
• Are employees required to do anything different, such as wear different clothing?
For example, you may want to stress the professionalism of the auditor and the
company’s expectation that personnel look and act equally professional. Similarly,
it important to stress regular housekeeping. An open package of snacks on a
desk, an office with stacks of papers on the file cabinet, a pair of dirty boots by the
door – all can give the impression of carelessness or sloppiness. Housekeeping is
important! An auditor might conclude that the same attitude and conditions extend
to the production line. Managers in areas likely to be under scrutiny should also be
reminded to check drawers and cupboards. Auditors have been known to open both,
often to the chagrin of the department manager.
• What is the company doing to prepare for the audit? Employee training should
include an explanation of what will occur before the regulatory audit, particularly if
the company plans to conduct a thorough internal audit. The company may also
consider “refresher” training before the scheduled audit, both to remind employees
of key points and to update them about relevant issues uncovered during the
internal audit and actions the company has taken to resolve those issues.
A subject that has proved uncomfortable for many is training for corporate officers. Often,
the decision is made to retain an outside organization to train senior executives and
board members as a way of ensuring the most objective, straightforward presentation
possible. Corporate officers need to understand the parameters of the audit, any past
compliance violations or issues, and the auditor’s area of expertise. Like every other
member of the organizations, corporate officers should be reminded of their roles in
creating a good impression of the company through their interactions with the auditor.
Page 8
Preparing for an Audit: PART TWO – What You Should Do
Page 9
Step 3: An Internal Audit
An internal audit can be invaluable in identifying and resolving potential noncompliance
issues before the regulatory inspector arrives. An effective internal audit adheres to several
key principles. First, an internal audit is not synonymous with a “mock audit” designed
to serve as practice for a regulatory audit. Second, SOPs must comply with the entire
relevant regulation, not merely one small piece of it. Third, even though the regulatory
audit may be part of the company’s quality management system or adherence to good
manufacturing practices, audits frequently include assessments of compliance with other
requirements.
There are a number of factors that will determine the accuracy and value of an internal
audit. First and foremost, the company’s standard operating procedures (SOPs) must
include how an internal audit will be conducted. Armed with a robust internal audit,
a company should not have major surprises during an audit by the FDA or another
regulatory agency. Such an audit will have components that include the following:
• Effective SOPs: Standard operating procedures must be checked in content and in
execution. Often overlooked is the physical location of SOPs and the access employees
have to them. Consider, for example, an SOP that is located too far away from the
employee’s work site to offer easy reference. Similarly, consider an auditor’s reaction if
an employee simply didn’t know where a particular SOP was stored or if it were simply
missing. No matter how well crafted, an SOP will fail compliance if it cannot be readily
accessed.
A related issue can emerge when “the way it’s done” is not the way the SOP is
written. Most often, the difference between the two is a cause for renewed training
of employees in SOP compliance. Companies may want to consider another
possibility, however. In some cases, employees with the greatest experience with
a particular process have found a better way to accomplish the task. Companies
may want to consider an alternative to compliance with the SOP. In some cases,
firms have discovered that changing the SOP makes more sense than changing the
employee-developed procedures to comply with a less effective SOP.
• Review of Regulations: Compliance requires adherence to a complete regulation,
not merely one section of a regulation. With limited resources, however, companies
have often focused on specific portions of a regulation and developed SOPs to address
those sections. As a result, important pieces of the regulation may be overlooked and
critical requirements can be missed. The oversight might be expected to occur mainly at
smaller, less-experienced companies, but well-established global companies have also
demonstrated incomplete compliance with regulations.
• Auditor Expertise: An internal audit will necessarily include multiple elements and
should be conducted by trained auditors with experience in the areas they audit.
A global Pharmaceutical or biologic company may require specialized expertise in
Preparing for an Audit: PART TWO – What You Should Do
An open package of snacks on a desk, an office with stacks of papers on the file cabinet, a pair of dirty boots by the door – all can give the impression of carelessness or sloppiness.
Page 10
chemistry, microbiology, engineering, software and water treatment. A Medical
Device company might require additional expertise in mechanical engineering
or materials engineering. Calibration and validation of equipment is critically
important and particularly difficult when it has been crafted for an individual
process or application. Perhaps most important, an internal audit is best performed
by someone inside the company – someone who can “find the dead bodies”
because of an intimate familiarity with the organization.
• Resolving Problems: A good audit will identify potential and existing problems.
Failing to resolve those problems will risk compliance. Auditors have little patience for
companies that know about problems but do nothing to address them. In particular,
companies that have been notified of noncompliance and submitted a corrective
action plan must be able to demonstrate completion of any corrective action required
by a previous audit.
• Review Documentation: A routine requirement of an internal audit is a thorough
review of any required registrations, licenses and certifications. Areas of special
interest to auditors are documentation confirming that the company is operating
within the scope of any quality management system (QMS) certification. Even
in routine surveillance audits, the auditor will want to confirm that any change
in the company’s products or processes have not violated the QMS certification.
Documentation related to recalls, product complaints or adverse events will be closely
examined and, if a recall has occurred, the auditor will scrutinize records about how
the company is responding. Electronic signatures and software validation should be
documented to 21 CFR Part 11 and/or 21 CFR 820.70(i) standards.
• Supplier Relationships: Recent recalls involving medications and devices have put a
company’s supply chain squarely in the spotlight. Because of the growing regulatory
focus on the supply chain, companies must ensure that supplier evaluations and
quality surveillance records are up-to-date. Similarly, QMS certificates and supply
agreements must be current. Companies should advise major suppliers in the area
about the scheduled audit, since an auditor may decide that the supplier should
be included in the audit. Finally, check your Authorized Representative agreement,
if applicable, and make sure it is current. Auditors will question any document that
appears to be improperly maintained or updated.
• Audit Information Package: Collect important documents in an audit information
package that can be presented to the auditor early in the audit process.
• Check the Quarantine Area: Make sure to check the quarantine area because you can
expect the auditor to check it. Make sure there is as little as possible in the quarantine
area.
Preparing for an Audit: PART TWO – What You Should Do
Page 11
Step 4: Welcoming the Auditor
In-depth preparation can still fall victim to small details on the day of the audit. Creating a
positive impression can be hammered if the auditor is left waiting in a reception area for
an hour, ignored by managers who were never advised of the audit, or unable to obtain
an outside phone or Internet connection. There are simple procedures to prevent these
avoidable and potentially damaging situations.
Auditors and investigators should be treated like all facility guests — they must follow the
appropriate procedures for signing in on the guest register and must be accompanied by
company personnel at all times. When the Investigator arrives at a company’s facility, the
receptionist, or the first person to greet the Investigator, should ask for the Investigator’s
name and identification, and immediately contact the employee designated to accompany
the Investigator. After the designated employee is contacted, the Investigator should be
asked to wait in the reception area or lobby until that employee arrives.
The designated employee should be a knowledgeable person in the company, such as
an individual from operations, regulatory affairs, the quality department, or the legal
department. This person is responsible for escorting the FDA Investigator throughout the
inspection and should be designated long before the Investigator arrives.
Early on, book a meeting room or rooms for the duration of the audit and ensure that
phone and Internet connections are available. (A word of caution: make sure the Internet
connection does not link to the company’s internal file system, leaving corporate
information open and available for scrutiny.) Assign an audit leader, preferably with
expertise similar to that of the auditor, to work directly with the auditor. Agree on who
will be at the initial meeting and brief the most senior person in attendance. Arrange for
one or two assistants to be available throughout the audit to run errands, find materials
or fulfill requests by the auditor. Have on hand the files and documents most likely to
be needed, such as quality manuals and registration documents. Create a suggested
agenda for the audit; the auditor might have a different opinion, but the proposed
schedule will serve as a guide for discussion. Make sure the security and reception staff
are expecting the auditor and have made the necessary arrangements for entry.
Give the auditor the prepared audit information package with the proposed agenda on top.
If you have a very short, high-quality video of the company, offer to show it to provide the
auditor with an overview of the company and how your facility fits into the big corporate
picture. Be aware that the auditor may not want to see the video. Certainly, if it is too long or
contains too much puffery about the company, the auditor is likely to stop the viewing.
Most often, the initial meeting will be followed by a facility tour, which can be fairly lengthy
depending on the auditor. The tour can also open the company up to some risk if the
auditor stops to ask random employees questions.
Preparing for an Audit: PART TWO – What You Should Do
An internal audit can be invaluable in identifying and resolving potential noncompliance issues before the regulatory inspector arrives.
Page 12
The Audit as Opportunity
The regulatory audit will demonstrate the effectiveness of your preparation. It can also
open the door to better operations, cost-control and compliance. Companies that insist
on seeing regulatory audits as necessary evils to be endured and promptly forgotten
will miss out on those opportunities to improve their competitiveness and performance
going forward.
During the Audit
Audit leaders will have to balance transparency with unnecessary exposure. At any
point throughout the audit, staff members may be asked questions by the auditor,
which can have a dramatic effect on the auditor’s opinions about the company. Many of
these points will have been addressed through training conducted before the audit, but
they deserve greater specificity here. These points may be reinforced through targeted
“reminder” training conducted shortly before the audit:
• Be open – but not too open. No staff member should attempt to hide anything from
an auditor but neither should they offer answers to questions that have not been
asked. The balancing act between “too much” and “not enough” can be especially
difficult on the shop floor. Many employees are justifiably proud of the work they do
and the benefits their work provides to patients around the world. Their enthusiasm
can sometimes produce unhelpful, long-winded explanations. Without thinking, an
employee may describe how the rank-and-file employees developed an alternative
process because of earlier quality issues – not something the auditor may need to
hear. At the other end of the spectrum are the one-syllable “Yes” and “No” answers,
which are also unacceptable. Staff is required to answer the auditor’s questions
but they are not required to offer unsolicited information. Training should remind
employees (and corporate officers) to think before they answer.
PART THREE: Preparing for an Audit – What You Should Learn
• Don’t “Fill the Silence.”: An auditor’s temporary silence is not an invitation for staff
to fill the space. The silence may be because the auditor is formulating the next
question. It may be because he or she is processing information already obtained.
Regardless, it is not your staff’s job to fill the silence with unrequested information.
Staff should simply remain quiet until the auditor asks another question.
• Know the Answer: Employees can often feel unnecessary pressure to know all the
answers. If you or anyone else in the organization doesn’t know the answer to an
auditor’s question, say so and offer to find someone who does know the answer. In
addition, the audit leader should not be afraid to help out a colleague who might be
unsure of the answer. Most important, everyone has to be reminded not to answer
until he or she understands the question.
• Follow the Auditor’s Lead: Most often, an auditor will expect to work in a meeting
room, requesting specific materials and asking specific individuals to come in for
interviews. Some auditors will do the opposite, watching an employee on the shop
floor perform a task, unexpectedly asking questions of individuals in the hallways,
and asking to see where documents are kept. If the auditor wants to stay in an office
or meeting room, make sure you assign one or two people to find any requested
information or an individual for an interview. Before anyone photocopies or
photographs material, be sure the document contains no privileged information. If
the auditor wants to see part of the facility, don’t be afraid to alert the manager of
that area that the auditor is on the way over.
• Remain Professional: An auditor is not a friend or a confidant. All employees
(including senior managers and officers) should remember that the auditor is an
experienced professional on-site to do a job. Good manners should prevail: don’t
lie, volunteer information, guess what the auditor wants, “interpret” the auditor’s
questions or comments for other people or conduct side conversations. There is no
value in a groan and complaint that “… I told them to fix that and it hasn’t been done.”
• Take Notes: Company personnel should have an accurate and complete knowledge
of what the Investigator has done in an inspection. The best way to accomplish
this is to take good notes during the inspection. Taking notes will allow personnel
to maintain a record of all comments and suggestions made by the Investigator
throughout the inspection. Personnel can also maintain a record of all areas of the
facility the Investigator visited, and to whom he or she spoke.
Page 13
KEY TOPICS
PART THREE: What You Should Learn
• The Audit as Opportunity
• During the Audit
• Nonconformity Risks
• Using Audit Information
• Post Audit Pitfalls
• Moving Beyond the Audit
Preparing for an Audit: PART THREE – What You Should Learn
Nonconformity Risks
An audit effectively gives regulators an open door to your plant’s operations, people and
compliance program. It’s important that everyone in the organization understand how
serious the audit is, what can go wrong, and what the consequences can be. One or more
“major” nonconformities (NCs) can result in withdrawal of an essential certificate or it can
trigger a shipment hold that can cost a company millions of dollars a week. Several “minor”
NCs in the same area can produce the same result and similar NCs at one of the company’s
other plants can trigger compliance questions throughout the enterprise.
A quick review of FDA Warning Letters to Life Science companies clarify the most
common problems noted by the agency:
• Corrective and Preventive Actions (CAPA): During the audit, expect to be asked
for the current status of any corrective action plan – and expect a severe
response if the CAPA produced after the last audit has not been completed or
properly documented.
• Internal Audits: The FDA places particular emphasis on the status of an internal audit
and, as with the CAPA, on the status of rectifying issues identified in the audit.
• Quality Records: Recordkeeping and document storage are basic regulatory
requirements and can trigger warning letters. Ensure that records are complete,
accurate, current and properly stored. Documents that are misfiled, whether in
cabinets or on computer disks, will produce a NC or Warning Letter. Effective
document management is especially important when they relate to adverse events.
• Data Integrity: FDA expects the lab, the production floor, and QA personnel to be
in a “state of control.” FDA expects companies to have valid data, and this spans the
labs, the clinical trials, and of course, the manufacturing process. The FDA requires
companies to validate any application that’s part of the overall quality system.
Not all NCs are major, but even “minor” NCs can become big problems. Is the NC isolated
or is it repeated throughout the organization? Has one of the company’s other facilities
demonstrated the same type of NC? Was the same type of NC noted in a previous audit?
If so, the minor can be expected to grow into a major. There are a number of behaviors
or evidence that will signal potential problems to the auditor, including the use of pencil
or white-out fluid on quality records, undated or unauthorized hand amendments to
documents such as work instructions, and different versions of the same document in use
at the same time. Auditors may find evaluations of design and process changes before
implementation inadequate because the check boxes are not marked on the document.
Data that are pre-entered on test records and check sheets, such as identical dates and
signatures, are favorite hot buttons for auditors. Other problems are illegible signatures
Page 14
Preparing for an Audit: PART THREE – What You Should Learn
Page 15
without accompanying printed names, uncompleted forms, nonexistent validation for Excel
spreadsheets, the use of expired adhesives and inadequate batch record reviews.
SOPs are the basis of compliance, yet many companies fail to enforce SOP-related policies.
Auditors are notorious for following up on an overheard conversation or an explanation
of a specific procedure by asking, “You mentioned SOPs. Where is the one you spoke of?” If
the individual doesn’t know where the SOP is, or it is not where it is supposed to be, or it is
located so far away from the individual performing the related task as to be inaccessible, an
auditor will see a problem, even if the employee knows the SOP and is compliant with those
procedures. SOPs have to be properly written and followed. They also have to be accessible.
Using Audit Information
The auditor will gain as much information as possible about your facility. You should use
the time gaining as much information as you can about the regulatory agency’s current
thinking, common pitfalls and effective responses. At the end of each day, ask the
investigator about any problem areas and, if at all possible, resolve the problem. If that
means working through the night, do it. There is no substitute for telling the auditor the
next day, “That problem you mentioned the other day, we’ve worked hard to address it
quickly. This is what we did to rectify the problem. I’d like to make sure we addressed the
issue in the right way.” Schedule a strategy meeting with your staff at the end of each
day to go over problem areas and correct as many of those issues as possible during the
audit. In addition, keep senior management informed at the end of each day about any
problem areas and corrective actions. No corporate officer wants to be caught unaware
of problem areas by an auditor.
During the audit, keep your own notes – and include issues you identify during the audit
that have been overlooked by the auditor. You should go back and rectify those issues
quickly, even though they do not appear in the auditor’s report. As the audit proceeds,
you may disagree with a specific comment or observation noted by the auditor. You can
challenge those observations but don’t forget that at the end of the day, what goes into
the audit report is the auditor’s decision. Be firm, but polite in stating your disagreement
and be prepared to locate any objective evidence to support your position. It is perfectly
acceptable to call the Human Resources Department, for example, and explain that you
and the auditor are on the way up to look at specific information. The advance notice will
calm the nerves in HR. It will also enable those individuals to collect whatever materials
you request or to make sure that an individual is available to discuss the subject. The
auditor may continue to disagree with you but a reasoned, respectful case may make the
difference between a recorded instance of nonconformity and a simple observation.
Closing the audit provides a framework for a company to work directly with the auditor
on any observations or nonconforming issues. Listen carefully to the auditor’s report
SOPs are the basis of compliance, yet many companies fail to enforce SOP-related policies.
Preparing for an Audit: PART THREE – What You Should Learn
Page 16
and hold any questions or comments until the auditor has finished speaking. There
will probably be no surprises in the auditor’s report. You may already have resolved
some issues as you learned of them during the audit and, most likely, you will already
be planning a corrective action plan for each remaining issue. When you are assured
that you have all relevant information about the auditor’s findings, agree to meet the
corrective action plan deadline, close the meeting and escort the auditor from the
facility.
Following the auditor’s departure, you should conduct a debriefing of the audit with
the senior management group, identify action items and the individuals who will be
responsible for completing each item, and set a timetable for follow-up meetings with
the same group to review intermediate progress and the company’s final response.
Add the nonconformities to the CAPA program and ensure that they are dealt with
appropriately. You should also follow up on the nonconformities you noticed during
the audit that were not included in the auditor’s report and maintain careful oversight
on progress in meeting the established timeline. Your response letter should be
carefully crafted to fully answer the issues raised by the auditor. Limit responses to the
nonconformity issues raised and avoid sending extraneous materials or information. If
a corrective action is complete by the time your response is finalized, provide objective
evidence of its completion, such as a revised SOP, completed forms or training records.
Craft the letter in language that is acceptable to the auditing body. If translations are
required, ensure that the translation is accurate and appropriate.
Three points warrant specific mention. First, the FDA will want to see that any training
required by your corrective action plan is effective. It is important for you to conduct the
appropriate training and audit it for effectiveness. Second, the FDA wants companies
to address the root causes of nonconformities. Make sure that your corrective action
plan addresses the root cause of the issue, not simply the individual violation. Third, an
auditor may extend his or her observations about nonconformity across a multi-site
corporate enterprise. Nonconformity at one facility may suggest a systemic compliance
issue, so you should check whether the same or similar issue has surfaced at other
corporate facilities. If it has, you should learn the corrective actions taken by that facility
and the response of regulators to the resolutions.
Preparing for an Audit: PART THREE – What You Should Learn
Page 17
The Close-Out Meeting
The audit is completed and the corrective action plan has been submitted. What could go
wrong? Recent FDA Warning Letters point to risk areas for companies that submit corrective
action plans subsequent to regulatory audits. The risks are not limited to small companies
with limited resources. Large, multinational companies have also been on the receiving end
of an FDA Warning Letter for noncompliance. Two FDA warning letters shine light on what
can go wrong after an audit:
Case 1: A medical device company had opened a corrective action report in 2013 to address
a large number of complaint investigations that had been open for greater than 90
days. The CAPA identified numerous action items with specified target due dates.
When the FDA investigation ocurred in 2014, the particular CAPA was still open and
FDA did not see any documentation that all action items had been completed or
deemed to be effective.
Case 2: During an FDA investigation of pharmaceutical company, an investigator observed
cobwebs between an Oxygen Analyzer and an adjacent wall in facility, and the
company admitted it had not been using the analyzer as part of its testing, which
contradicted the company's batch production records. In the company's response it
stated that the company had created a Policy and Procedure Manual, which includes
Batch Production and Control Records and an Equipment Calibration Schedule. FDA
noted, however, that the response did not discuss any "retrospective reconciliation"
of prior batch production records.
To ensure that proper action is taken following the audit, the appropriate personnel should
attend the close-out meeting so that qualified personnel can properly respond to 483
observations, if appropriate. In the same vein, senior management should participate in the
meeting to be informed and to impress upon the FDA, management’s concern for quality
and compliance.
The close-out meeting provides all parties an opportunity to explain any observations, or
correct any misunderstandings. During this meeting the auditor will discuss with company
management any conditions or practices, which in his or her judgment, are objectionable.
A list of “Inspectional Observations,” also called an FDA 483, may be used by company
management to correct issues of noncompliance.
Preparing for an Audit: PART THREE – What You Should Learn
The close-out meeting provides all parties an opportunity to explain any observations, or correct any misunderstandings.
Page 18
Moving Beyond the Audit
Audits are short-term events; regulatory compliance is the basis of product quality, patient
safety and corporate competitiveness. Companies cannot refuse an audit but they can
choose to use it as a highly cost-effective learning process for improved compliance and
operational efficiency.
Preparation for a mandatory regulatory audit can provide a Chief Compliance Officer
with resources and tools that might otherwise be postponed or restricted because of
harsh economic conditions. Consequently, an effective program of audit preparation and
response can provide added value through improved long-term compliance and risk
mitigation.
Preparing for an Audit: PART THREE – What You Should Learn
Page 19
About UL EduNeering
UL EduNeering is a business line within UL Life & Health’s Business Unit. UL is a premier global
independent safety science company that has championed progress for 120 years. Its more
than 10,000 professionals are guided by the UL mission to promote safe working and living
environments for all people.
UL EduNeering develops technology-driven solutions to help organizations mitigate risks,
improve business performance and establish qualifi cation and training programs through
aproprietary, cloud-based platform, ComplianceWire®.
For more than 30 years, UL has served corporate and government customers in the Life
Science, Health Care, Energy and Industrial sectors. Our global quality and compliance
management approach integrates ComplianceWire, training content and advisory services,
enabling clients to align learning strategies with their quality and compliance objectives. Since
1999, under a unique partnership with the FDA’s Offi ce of Regulatory Aff airs (ORA),
UL has provided the online training, documentation tracking and 21 CFR Part 11-validated
platform for ORA-U, the FDA’s virtual university. Additionally, UL maintains exclusive
partnerships with leading regulatory and industry trade organizations, including AdvaMed,
the Drug Information Association, the Personal Care Products Council and the Duke Clinical
Research Institute.
Preparing for an Audit: PART THREE – What You Should Learn
uleduneering.com
202 Carnegie Center Suite 301 Princeton, NJ 08540 609.627.5300
UL and the UL logo are trademarks of UL LLC © 2013.
WP/10/080515/LS