Ten GMP Self Inspection or Internal Audit Considerations

Posted as a LinkedIn article on 2019-07-18


I am a microbiologist with over 15 years’ experience in the pharmaceutical industry supporting the manufacture of liquids, creams, ointments and tablets. I have a strong interest in sterile manufacturing, leading and developing others. Recently I have been working closely with data security. I have an arty streak, an affinity for computers and ride bicycles…a lot.


Good Manufacturing Practice in Australia uses recommendations presented in the PIC/s Guide to GMP (PE009-13). The section on Quality Management states, “there is a procedure for self-inspection and/or quality audit, which regularly appraises the effectiveness and applicability of the Pharmaceutical Quality System”. Chapter 9 deals entirely with Self Inspection and lists 3 points – not entirely helpful.

To ensure that every process does what it is meant to and does not deviate from the established (and hopefully validated) procedures, you need to audit and audit consistently.

What follows is advice for conducting your self-inspection (internal audit) based on my own experience when auditing. This advice may help you to meet your GMP internal audit responsibilities and prepare you for an audit by a third party such as a regulatory authority.

1.   Develop an audit schedule

You should have a Quality Management System in place (aka PQS). Part of your QMS will detail your internal audit process. Before you can audit, you must determine which processes are most at risk. Once you have determined your critical processes, develop a schedule. Audit your high-risk processes every 6-12 months. Audit your low-risk processes on a 2-3 year rotation. Note that these are my opinions and your site will have different needs – you must determine those.

Once you have a schedule, get it signed off by your Quality Assurance manager and stick to it.

Deviations from the schedule need to be justified to a third-party auditor. Save yourself the work.

2.   Who Is Best to Audit the Process?

Your internal auditor should be someone unfamiliar with the process. For example, a microbiologist could audit a chemistry laboratory or a production process. Someone from the cleaning department would not audit the cleaning department.

An added advantage is your staff interact with other departments. This could break down silos and encourage collaboration.

3.   Document Your Audit Process

For the actual audit, you must record who the auditor was, who was interviewed and what your observations were. This is especially useful for future audits. You or another auditor may see something you missed previously. You can also double check that Corrective and Preventative Actions previously determined had their intended effect. If you have the option, you might want to request a different interviewee if you observe the same staff member was interviewed for the last three years regarding the same process. Conversely, if you have become too familiar with the audited process, choose another auditor if possible.

Actions arising from an audit (e.g. corrective and preventative action) must be documented and scheduled for completion.

4.   Familiarise Yourself With Your Internal Documents and Regulatory Requirements

In an ideal world, all processes will be validated and regulatory compliant. Often this is not the case. A process may have been grandfathered or “it has always been done this way”. By knowing the regulations, you can identify gaps and propose solutions to close the gaps, thus improving your processes.

I recommend you print the relevant documents and familiarise yourself with the processes you plan to audit. Take them to your audit as a reference only. By knowing the procedure beforehand, you do not have to continually refer to it. This can help you look more professional and should improve the communication between you and those you interview. By being familiar with your internal procedures, you can ask about things in them that may not be clear. Procedures should always be clear and not open to interpretation. If a documented procedure has grey areas, you have the opportunity to determine whether the user has made the correct interpretation, or whether your interpretation differs from theirs. There should be no grey areas. If there are, update your documentation.

Don’t get too familiar with the process however. An air of mystery is needed, as you are more likely to spot something that is out of place.

5.   Have a process for how you will conduct the audit

Your official documentation will tell you what to audit and how to audit. It most likely will not advise you on style. Regardless, follow your controlled documentation regarding the audit process.

6.   When auditing, ask questions, listen and observe

People have different interview techniques and I encourage you to develop your own.

I like to examine the process documentation before I audit and ask for an overview of the process and then narrow my focus when (if) the interviewee is not clear or shows evasive body language. I also like to have a list of questions to ask. I’ll ask to see the process. After observing the entire process, if there were additions or subtractions from the procedure, I’ll ask about them.

The most important thing in any information exchange is to ask and then listen. In regular communication, you will try not to interrupt to show the individual speaking has your full attention. It is unlikely each step of a process will require much talking, so you will have the opportunity to seek clarification at frequent intervals if you feel the need. Ideally, be encouraging and do not ask questions until the end. You could ask for another walk through of the process indicating you may ask questions this time. This gives you the opportunity to see if the process is repeatable.

7.   Keep things informal and friendly

The main point of your internal audit is to make sure your processes stand up to a regulatory audit. This needs the contribution of everyone in your company. Though the audit process is formalised, your style does not have to be. Treat the audit as an opportunity to exchange information. Encourage those you audit to identify where they can see process improvements. If you are unfamiliar with who you are auditing, try to get to know them. By building rapport you build trust, and they will be more likely to share their concerns. By improving your procedures now, their robustness will enable them to stand up to an external audit more readily. This saves you work.

8.   Summarise your audit

After you complete your audit, thank those you have audited and provide a short summary of what you have seen, good and bad. This could be at the site of the audit or, for a larger audit of multiple processes, in a meeting room. Advise those audited you’ll send out a written summary in a day or two. Make sure you do this, and you do it on time. This enhances your integrity. Don’t include anything you did not discuss during the audit; you will destroy any integrity and trust you have built.

Your summary is an important part of your documentation and allows an area supervisor, a QA Manager or a third party auditor a clear overview of the state of your processes. In a regulatory audit, a clear state of affairs may mean the process is passed over by the auditor.

9.   When issues are identified, suggest corrective action

If you identify any issues, propose solutions in the form of Corrective and Preventative Actions (CAPA). Ideally, use the expertise of those you audit to formulate these – they are your subject matter experts (SMEs).

Your SMEs will know the best way to fix problems to reduce the likelihood of the same issues in the future. By getting their buy-in you are less likely to meet opposition when proposing CAPA. If those you interview make suggestions for improvements during the audit, make sure you record the benefits. To maintain trust and integrity with those you audit, do not make proposals you have not discussed with them first. Nobody likes surprises.

For proposed action, you need to set dates for completion. Ideally, you will have a tracking system for CAPA. Whether a paper-based or computerised system, proposed dates need approval/sign-off by your Quality and Area Managers.

10.   Follow up

As part of tracking CAPA, you have to follow up. If CAPA is approved, then it should be assigned to someone who can complete it by the agreed upon due date.

Non-approved CAPA requires justification. For completed CAPA, did it do what it was supposed to do? If not, why not? When preparing for an audit, review what CAPA was proposed or performed in the past. Was it completed? Check with those you audit. Do they think it worked? Would they have done something different?

Stick to the dates. Failure to do so will require justification in a regulatory audit. Save yourself time and stick to the dates!


By following these 10 recommendations, you could improve how you conduct internal audits.

Do you have other suggestions or a different list? Post them in the comments or message me. By sharing information, we all benefit.


Australian Therapeutic Goods Administration PIC/S specific webpage

PIC/s Guide to GMP (PE009-13)

What are the guidelines for autoclave re-Validation?

The Question posed on LinkedIn:

Dear Experts, What are the guidelines that clarify the frequency and number of cycles required for re-validation of equipment? For example, during re-qualification of the autoclave, should each cycle be repeated 3 times (empty, minimum and maximum loads)? Or is it based on risk assessment by choosing the maximum loads only? (On initial qualification each cycle was performed 3 times consecutively.) Also, for depyrogenation tunnels, should the runs be repeated 3 times? Thank you


Question regarding classification of passthroughs and laminar flow hoods

The Question posed on LinkedIn:

Can we provide the grades of pass box and LAFs in a non-critical area with respect to material movement? For example, if a pass box is installed between grade C and grade D environments, can it be designated as grade B? Similarly, can a LAF installed in a grade C area be designated as grade C? If yes, what would be the viable and non-viable limits to be applied?



10 Ways to Protect Your Digital and Physical Security

The following is an article I placed on LinkedIn.

Before I began working in IT security, my only thoughts on security were to install an anti-virus, never share your password, lock your doors and not travel to dangerous parts of the world. These days, I have a more nuanced understanding of how to protect your physical and digital property.
Today your data is everywhere online. You can potentially lose your savings, access to various accounts and even your identity. With or without access to your online data, thieves can access your property and make off with your stuff.
In no particular order, here are my top 10 tips to protect your digital and physical self.

1. Restrict access

Without physical access to your property, it cannot be stolen. Physical access to a computer system makes theft easier. Hard drives can be removed and inserted into other systems. Routers can be reset. USB drives can be used to auto-load malicious payloads.
Use standard user accounts for general use and save administrator accounts for system administration such as software installation or configuration. Systems that are not secure or are breached allow access to your data. Blocking ports on your devices that are not needed reduces your attack surface. Don’t give your grandkiddies access to your computer unless they have their own restricted access account. I periodically remind my parent of this.
When creating an account or installing a new device, change the default password immediately.

2. Use complex unique passwords

Use one key for your screen door, another for your front door, another for your server rack and another for your study. This may be inconvenient. Losing your property is more so.
For data, make sure your passwords are unique for each resource you access. Password managers are handy here. NEVER use passwords such as “12345” or “guessme”. NEVER recycle passwords by adding numbers or letters to the end of an existing password when prompted to update one. If using a password manager, give it a long and complex master password.
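The two rules above (unique per resource, no recycling by appending characters to an old password) can be enforced mechanically before a new password is accepted. The following is an added example, not code from the original article: a small checker that flags passwords that are too short, on a constructed list of common passwords, a trivial variant of a previous password, or already in use for another account. The minimum length, the common-password list and the sample vault are all assumptions chosen for illustration.

```python
import re
from typing import Dict, List

MIN_LENGTH = 14  # assumed policy value, not from the article
# Constructed short list; a real deployment would use a large breached-password list.
COMMON_PASSWORDS = {"12345", "123456", "password", "guessme", "qwerty", "letmein"}


def _core(password: str) -> str:
    """Lowercase a password and drop any trailing digits or symbols.

    'Summer2018!' and 'Summer2019!' both reduce to 'summer', which is how the
    "add a number to the end" recycling habit is detected.
    """
    return re.sub(r"[\d\W_]+$", "", password.lower())


def trivial_variant(candidate: str, previous: str) -> bool:
    """True if candidate is just a previous password with characters bolted on."""
    core = _core(previous)
    # Very short cores would match almost anything, so require some substance.
    return len(core) >= 4 and core in candidate.lower()


def check_password(candidate: str, history: List[str],
                   vault: Dict[str, str], account: str) -> List[str]:
    """Return a list of policy problems with `candidate` for `account`.

    history: previous passwords for this account.
    vault:   mapping of account name -> current password (e.g. from a manager).
    An empty list means the candidate passes every check.
    """
    issues = []
    if len(candidate) < MIN_LENGTH:
        issues.append("too short")
    if candidate.lower() in COMMON_PASSWORDS:
        issues.append("common password")
    if any(trivial_variant(candidate, prev) for prev in history):
        issues.append("variant of a previous password")
    for other, password in vault.items():
        if other != account and password == candidate:
            issues.append(f"already used for {other}")
    return issues


if __name__ == "__main__":
    # Constructed sample vault and history.
    vault = {"email": "correct-horse-battery-staple", "bank": "Summer2018!"}
    for candidate in ("Summer2019!", "guessme", "correct-horse-battery-staple",
                      "vG7!plum-river-42-lantern"):
        print(candidate, "->", check_password(candidate, ["Summer2018!"], vault, "bank") or "ok")
```

Used inside a password manager or a change-password form, the check runs entirely on the client; no candidate password needs to leave the machine.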

3. Backup, backup, backup

For property, maintaining an inventory database is useful. This ensures that, in the event of theft or fire, you can substantiate (to the police, to your insurer) what has been lost and source replacements.
For data, if it is important, back it up. Ideally keep a local backup for convenience and an off-site backup for disaster. In the past this involved burning data to tape, CD or DVD and storing copies off site. Today, many cloud providers allow you to back up data in real time off site. If you have gone to the trouble of backing up, you should test your backups periodically. There is no point losing data only to find your backups are corrupt. I back up my main PC to my server. I also back up online. I don’t care about the data on my laptop.
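Testing a backup means checking that what was copied still matches what was recorded, not just that the files exist. The block below is an added example, not code from the original article: it records a SHA-256 manifest of a source tree and later compares the backup copy against it, reporting files that are missing, corrupted or unexpected. The directory layout and file contents in `demo()` are constructed in a temporary directory purely for illustration.

```python
"""Verify a backup against a stored checksum manifest (added example)."""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def verify_backup(expected: Dict[str, str], backup_root: Path) -> List[str]:
    """Compare a manifest recorded at backup time with what the copy holds now.

    Returns sorted, human-readable problems; an empty list means the backup
    would restore exactly the data that was recorded.
    """
    actual = build_manifest(backup_root)
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"corrupt: {rel}")
    for rel in actual:
        if rel not in expected:
            problems.append(f"unexpected: {rel}")
    return sorted(problems)


def demo() -> List[str]:
    """Constructed scenario: back up a tree, then damage the copy and re-check it."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        backup = Path(tmp) / "backup"
        (source / "docs").mkdir(parents=True)
        (source / "docs" / "notes.txt").write_text("lab notebook, page 1\n")
        (source / "photo.bin").write_bytes(bytes(range(256)) * 4)
        (source / "config.ini").write_text("[main]\nbackup=on\n")
        manifest = build_manifest(source)  # store this alongside the backup
        shutil.copytree(source, backup)
        assert verify_backup(manifest, backup) == []  # a fresh copy is intact
        # Simulate silent corruption, a lost file and a stray file in the copy.
        (backup / "photo.bin").write_bytes(b"\x00" * 1024)
        (backup / "config.ini").unlink()
        (backup / "stray.tmp").write_text("not part of the backup set\n")
        return verify_backup(manifest, backup)


if __name__ == "__main__":
    for problem in demo():
        print(problem)
```

In practice the manifest is written next to the backup (or kept with the local copy) and `verify_backup` is run on a schedule against the off-site copy, so a corrupted or incomplete backup is noticed long before a restore is needed.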

4. Hide keys to your identity

Access passes, addresses or rego numbers on keys identify where those keys can be used in the event of loss. Don’t store your keys in obvious locations when not using them. When keys were stolen from my partner’s car, what they accessed could not be identified. They were not keys for anything local.
You should never wear your work passes on the way to work. A malicious actor could view your name and place of work while you commute and then send a targeted email as part of a social engineering or phishing campaign. You may even be called directly or your contact details found via social engineering.
Never store passwords in human-readable form. Do not place them under your keyboard, stick them to your monitor or insert them behind the photo of a loved one.

5. Don’t give away information for free

See point 4 regarding passes and other personally identifiable information.
Don’t discuss private information in public. Conversations on public transport, in a café, while walking and talking on your phone etc. are not private. Useful information about you and your movements and associations can be gleaned from these conversations.
If you value your data, keep it to yourself. Most services perceived as free are not. Your data is the payment. Examples include Facebook, Google searches, email receipts sent to your phone, competitions requiring email entry etc.
When using portable computers, use a privacy shield to reduce the ease of shoulder surfing.
Information you should never share includes social media posts about where you are. If a criminal knows where you live and knows or finds you on social media, a post about your current overseas or out of town holiday is an invite to rob you. Your fitness app profile could be used to find your social media profile and from there, your address and movements. If you must post about your holiday, do it when you get home.

6. Use Multiple layers of security

Two or more layers of security are good here. Lock your external doors. Place a lock on your study/computer room door. If your router is in a rack or another room, lock that too. Some companies use what are known as mantraps: only one person can pass through the entrance (or even exit) of a restricted area at any one time.
For data, make sure your passwords are unique. Ideally use standard user accounts for general use and save administrator accounts for system administration such as software installation or configuration. Consider multiple forms of authentication, such as a password combined with a second factor (something you have, or a physical attribute such as a fingerprint).

7. Never open email attachments (or click on links)

Most of your security comes down to your actions, and opening an email attachment without fully verifying that the sender actually sent it is very unsafe. Email can be used to verify that your account exists, seek information from you such as passwords, download and install ransomware, download and install CPU hijackers (cryptominers) and more. Clicking on links could take you to websites that use known or unpatched flaws on your computer to compromise it and your data. Linked sites can also be used to elicit private information such as account numbers and passwords.
Even with the latest and greatest security program, there is a risk malicious programs or system compromise can occur. Security software relies on known malicious programs and known attack techniques. Criminals are constantly honing and improving their attacks.

8. Encrypt

In the event that access to your data was obtained, encryption can prevent it being used. Only you (assuming you used solid passwords and a modern encryption protocol) will be able to access your data. If local or online data compromise occurs, encrypted data is useless to thieves.
Lost or stolen laptop? Stolen computer? Lost phone? These are all useless (other than possibly resale value) to a criminal. Without encryption, data compromise is inevitable. With encryption, despite what you see on CSI, it will take more than 1000 years to gain access to your encrypted data.

9. Monitor your property

For your property, keeping an eye on it helps you to track it and prevent theft. This could extend to security cameras. Automatic notification emails or texts can be set up on systems where motion is detected.
Systems such as intrusion detection and prevention systems can be used to monitor hacking attempts. Many online services send emails when an unrecognised IP address accesses an account of yours. Examining user access logs and system logs allows you to determine out-of-place activity.
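The "unrecognised address" and "out-of-place activity" checks that online services run can be reproduced on your own server logs. The block below is an added example, not code from the original article: it parses constructed sshd-style log lines and reports successful logins from addresses outside a known set, logins outside usual hours, and addresses with repeated failed attempts. The sample lines, the allowlist, the failure threshold and the hours window are all assumptions for illustration.

```python
"""Review sshd-style authentication log lines for out-of-place activity (added example)."""
import re
from collections import Counter
from typing import List, Optional, Set, Tuple

# Constructed sample lines in the usual syslog/sshd layout; not real logs.
SAMPLE_LOG = """\
Jul 18 08:01:12 homeserver sshd[2101]: Accepted publickey for alice from 192.168.1.20 port 51022 ssh2
Jul 18 08:03:40 homeserver sshd[2140]: Failed password for alice from 203.0.113.77 port 40100 ssh2
Jul 18 08:03:42 homeserver sshd[2140]: Failed password for alice from 203.0.113.77 port 40100 ssh2
Jul 18 08:03:45 homeserver sshd[2140]: Failed password for admin from 203.0.113.77 port 40101 ssh2
Jul 18 08:03:47 homeserver sshd[2141]: Failed password for root from 203.0.113.77 port 40102 ssh2
Jul 18 08:03:49 homeserver sshd[2141]: Failed password for invalid user test from 203.0.113.77 port 40103 ssh2
Jul 18 08:10:05 homeserver sshd[2190]: Accepted password for alice from 198.51.100.9 port 53311 ssh2
Jul 18 22:15:33 homeserver sshd[2455]: Accepted publickey for alice from 192.168.1.20 port 51600 ssh2
"""

KNOWN_ADDRESSES = {"192.168.1.20", "192.168.1.21"}  # assumed: addresses you log in from
FAILURE_THRESHOLD = 5                                # assumed: failures per address before alerting
USUAL_HOURS = (7, 19)                                # assumed: logins expected between 07:00 and 19:00

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line: str) -> Optional[dict]:
    """Extract timestamp, outcome, user and source address; None for other lines."""
    match = LINE_RE.match(line)
    return match.groupdict() if match else None


def review(log_text: str, known: Set[str] = KNOWN_ADDRESSES,
           threshold: int = FAILURE_THRESHOLD,
           hours: Tuple[int, int] = USUAL_HOURS) -> List[str]:
    """Return findings worth a human's attention, in the order they were detected."""
    findings = []
    failures = Counter()
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        hour = int(event["ts"][-8:-6])
        where = f"{event['user']} from {event['ip']} at {event['ts']}"
        if event["result"] == "Accepted":
            if event["ip"] not in known:
                findings.append(f"login from unrecognised address: {where}")
            if not hours[0] <= hour < hours[1]:
                findings.append(f"login outside usual hours: {where}")
        else:
            failures[event["ip"]] += 1
    for ip, count in failures.items():
        if count >= threshold:
            findings.append(f"repeated failed logins: {count} attempts from {ip}")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

On a real system the same function would be fed the contents of the authentication log (for example via `journalctl` or the auth log file on your distribution) from a scheduled job, and its findings emailed or texted to you, mirroring the notifications the online services mentioned above send.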

10. Provide a false impression

You can use pseudonyms when using the Internet. If you run servers, use a honeypot to mislead attackers. Use a device that emulates TV glow when you are travelling. Use timers for lights. Arrange for a neighbour to empty your letterbox to give the impression someone is home when you are not.

Do you agree with this list? Do you have anything to add or your own security ideas? Share them in the comments section or message me directly.

Ability to manage the release of the software/device exactly with the support mechanisms

The Question posed on LinkedIn:

I have been working with an academic team of global R & D partners on TECH DOC, Product Support, Training, and Learning/Development solutions. One item on the hot list is the ability to manage the release of the software/device exactly with the support mechanisms such as the KB, the release notes, and the manual/quick start guide. Across several sectors, this issue seems to exist. How do I save the most time, yet not overwork the team, and remain as precise as possible without creating confusion for the internal teams/external teams? Any product manager, project managers, or other TECH DOC specialists care to share how to provide precision across the different LOBs in a global environment where time zones matter?


Developing My Writing While Helping Others

I am a microbiologist with over 15 years’ experience in the pharmaceutical realm. I have a strong interest in regulatory compliance and developing others. Recently I have been working closely with data security. I have an arty streak, have been a workplace trainer and have an affinity for computers.

Lately I’ve been thinking of ways to share my knowledge with others outside of my cycling and science blogs and have decided to write 12 LinkedIn posts over 12 months. I will limit the post size to between 500 and 1000 words (1-2 A4 pages).

Microbiological Trending of Environmental Monitoring Data

Microbiological trending of environmental monitoring data serves multiple purposes:

  • Trending helps to define and hone your limits
  • Trending helps to determine if control of your processes has been lost (or is heading that way)
  • Trending helps to identify the effectiveness of CAPA and process ‘improvements’


Does anyone use Evernote as an ELN (electronic laboratory notebook)?

The Question posed on LinkedIn:

Does anyone use Evernote as an ELN (electronic laboratory notebook)?

Evernote seems to be a powerful, extensible cloud-based application. I am curious if anyone in the group uses it in their lab, and how they use it, for what purpose and how well it works for their needs?

My reply to this was:

I’d not advise it. Besides a vendor audit to ensure availability of the system and backups you’d need to ensure Evernote data cannot be obscured or changed, make sure time, date and user stamps are in place and the data integrity is maintained for the duration of the retention period.


Using MS Excel or MS Access for Tracking

The Question posed on LinkedIn:

“Quality Assurance of Excel-Tables or Access-Databases used for tracking Change Control Procedures , Deviations, or Complaint handling

While larger companies nowadays use validated systems such as Trackwise, SAP modules and the like for following-up on their CCPs, deviations, CAPAs etc., in GMP inspections of smaller companies I usually encounter some sort of electronic Access- or Excel-based lists that are used (typically by QA) for this purpose, i.e. entering cases, assigning event ID’s, and supervising the progress of investigations / implementation measures until approval / close-out.

These lists are quite critical, especially when many events have to be dealt with, a.o. because of the risk that certain events might get ‘forgotten’.

Nevertheless, I see quite often that little is done to ensure that entries in these lists are correct and up to date. Another issue is controlled handling of hardcopies of these lists which often, not astonishingly, are outdated as soon as they come out of the printer.
Any ideas on what makes it challenging to deal with these lists? What are proven good practices worthwhile to share?”

My reply to this was:

Just like Word, Excel has a revision tracking feature.

There are ways to log changes to table data in Access, but none are particularly robust.

It all boils down to using the right tool for the job. Is Excel or Access a suitably regulatory compliant solution or do you need to use something else?

The last line of my comment sums things up nicely.

TGA Inspection Trends

My reply to a post on LinkedIn.

Current TGA Inspection trends: This presentation will focus on the common types of deficiencies found by the TGA’s GMP Inspectors as well as some data on the number of inspections performed both locally and overseas and compliance rating outcomes for the inspections performed.

Comment 1 stated “…there are patterns that seem to repeat year after year. Poor QMS, inadequate investigations, lack of training.”

My reply to this was:

“The PIC/S guide to GMP stresses the need for a robust QMS and repeats over and over again the need for documentation, solid investigations and adequate training and retraining. It is a wonder why citations regarding a lack of these keep being given.”