Focusing on quality

Critical success factors of IT supplier and service provider auditing

Partner or risk? This question is not at all trivial, especially for the pharmaceutical industry with its global production. Although digitalization measures can ensure greater transparency in quality management, the fact that drug recalls and bottlenecks are still fairly common only goes to show that even digitalization comes with new challenges. One important step in minimizing the risks is to make the auditing of critical IT technologies as high a priority as “traditional” supplier audits.

Consider the Risk Factor Involved in Digitalization

Regulatory bodies intended supplier audits to be part of efficient supplier management. Within that context, a physical audit is only obligatory for contract manufacturers, laboratories and active ingredient manufacturers/suppliers (1). Yet, according to the risk-based approach specified in the GMP guidelines (2) and §9.2 of the AMWHV [Ordinance/Decree for the Manufacture of Medicinal Products and Active Pharmaceutical Ingredients], there is a certain obligation to audit other critical suppliers as well. Furthermore, a risk-based approach would dictate that critical suppliers be closely examined to determine business risks.

Who exactly, or what exactly, happens to be considered “critical” is currently directly related to quickly-advancing digitalization: more and more processes in pharmaceutical production and market supply are steered and controlled by IT, thereby increasing IT’s influence on and, in turn, the criticality of IT for product quality, patient safety and business operations. Even though computerized systems have to be validated prior to use, when it comes to critical systems, it is still advisable to audit suppliers ahead of time in order to get a better idea of their service provision and quality assurance processes (3). This becomes even more important when there is a strong dependence on suppliers, such as, for example, providers of cloud solutions on which a growing number of pharmaceutical companies have come to rely, including for product quality-related systems such as MES and LIMS.

Create an Expertise Interface

Vendor qualifications, however, tend to focus on suppliers of materials. So how can IT or CSV-based audits (4) be integrated into these processes and into a company’s own QMS (5)? And what is the best way to perform these audits? After all, in-house auditors tend to be experts in manufacturing processes, QC and QA, whereas IT and CSV experts do not usually have typical “auditor skills”.

This is further complicated by technological challenges. With cloud-based applications, for example, service level agreements in particular form the framework that guarantees the quality of continuous service provision. However, given how these SLAs are used, they can be very technical and difficult for non-IT experts to understand.

Effectively Combine Specialized Expertise

Consequently, an “IT Audit” – such as a software manufacturer audit, for example – requires an IT expert who not only has auditor experience, but also expertise in pharmaceutical QM systems and often CSV as well. In addition, that expert must also understand and be able to interpret SLAs in order to verify the correct implementation thereof. That, in turn, requires forensic auditor skills. If a qualified expert cannot be found in-house, external resources are always an option (such as those used for all audits pursuant to §11 of the AMWHV). Alternatively, a “traditional” auditor can also be assisted by an IT expert / SME (6). At any rate, both the IT system specifications and the planned or current use of the system, and how that influences product and patient safety, must be known in order to properly review the right aspects during the audit, and to do so to the right extent and level of detail.

Integrate IT Audits into the Vendor Qualification

An audit can be integrated into the existing vendor qualification (7) either through traditional categorization processes, with risk-based allocation of a one-time or recurring audit requirement, or as a one-time event triggered as part of a software implementation project. The audit is then scheduled in the (annual) audit calendar based on the required time or following the general scheduling approach. Essential to this process are the following requirements for the software supplier being audited (“auditee”):

  • Systematic QMS: Although software is validated upon delivery and before use pursuant to GMP, or according to GAMP to be more accurate, GMP certification cannot be expected from suppliers per se (8). However, a QMS should be in place that is as systematic as possible and that satisfies, for example, the requirements of GAMP. In the end, the QMS must meet the customer’s quality requirements – which themselves are defined in detailed quality/service level agreements.
  • Software Lifecycle: The entire software lifecycle must be regulated and complied with in the QMS. This generally includes controlled development, testing, design freezes or configuration control and final release, as well as release and change management.
  • Expertise Development: Similarly, audits make it easier to evaluate employee quality awareness and training with regard to GMP relevance. When doing so, the auditor or audit team must be in a position to evaluate the functionality of the QMS, both when using traditional, as well as agile approaches. This requires auditors to have experience and a good feel for the subject matter.

The actual implementation and compliance with requirements, in particular, can only be determined through an audit. The criticality of detected defects must be ascertained in a risk-based manner in relation to how the audited software is used. Doing so can even result in new requirements for the software or additional tests for the validation phase. If potential gaps and defects cannot be resolved or controlled by technical means, it may be possible to use internal procedural measures to minimize potential risks that could occur later on during operation.

Harmonize IT and Supplier Audit Risk Assessments

Yet what should be done if a software provider cannot be audited – whether that be a specific cloud provider or a market leader? These types of manufacturers typically have white papers or association audit reports; alternatively, remote access to the QMS may be granted. Either way, a minimum of a paper audit can be performed, where the available materials are checked against a company’s own requirements. Potential gaps then have to be remedied through internal measures, such as validation tests or procedural controls. This, however, does not affect the overall objective: In the end, both traditional supplier audits and IT audits must contribute to minimizing the quality risk and thus the risk to the patient.

 

Sources

(1) §9 & §11 of the AMWHV [Ordinance/Decree for the Manufacture of Medicinal Products and Active Pharmaceutical Ingredients], EU GMP Guide, Annex 16.

(2) EU GMP Guide p1, Ch. 5.27; see also §11 (4) of the AMWHV.

(3) See also GAMP5 Guide 5.3, 6.1.4 ff.

(4) CSV: Computer System Validation

(5) QMS: Quality Management System

(6) SME: Subject Matter Expert

(7) See also GAMP5 Guide 6.2.5.3.

(8) In simple terms, the state only grants this certification to pharmaceutical and active ingredient manufacturers.

Dr. Georg Sindelar | Head of Pharma QMS Consulting

Dr. Georg Sindelar is Head of Pharma QMS Consulting at msg industry advisors ag. His consulting focuses on GMP compliance, auditing and quality management system optimization.
