I am a microbiologist with over 15 years’ experience in the pharmaceutical industry supporting the manufacture of liquids, creams, ointments and tablets. I have a strong interest sterile manufacturing, leading and developing others. Recently I have been working closely with data security. I have an arty streak, an affinity for computers and ride bicycles…a lot.
Good Manufacturing Practice in Australia uses recommendations presented in the PIC/s Guide to GMP (PE009-13). The section on Quality Management states, “there is a procedure for self-inspection and/or quality audit, which regularly appraises the effectiveness and applicability of the Pharmaceutical Quality System”. Chapter 9 deals entirely with Self Inspection and lists 3 points – not entirely helpful.
To ensure that every process does what it is meant to and does not deviate from the established (and hopefully validated) procedures, you need to audit and audit consistently.
What follows is advice for conducting your self-inspection (internal audit) based on my own experience when auditing. This advice may help you to meet your GMP internal audit responsibilities and prepare you for an audit by a third party such as a regulatory authority.
1. Develop an audit schedule
You should have a Quality Management System in place (aka PQS). Part of your QMS will detail your internal audit process. Before you can audit, you must determine what are the most at risk processes. Once you have determined your critical processes, develop a schedule. Audit your high-risk processes every 6-12 months. Audit your low risk processes on a 2-3 year rotation. Note that these are my opinions and your site will have different needs – you must determine those.
Once you have a schedule, get it signed off by your Quality Assurance manager and stick to it.
Deviations need to be justified to a 3rd party auditor. Save yourself the work.
2. Who Is Best to Audit the Process?
Your internal auditor should be someone unfamiliar with the process. For example, a microbiologist could audit a chemistry laboratory or a production process. Someone from the cleaning department would not audit the cleaning department.
An added advantage is your staff interact with other departments. This could break down silos and encourage collaboration.
3. Document Your Audit Process
Regarding the actual audit. You must record who the auditor was, who was interviewed and what your observations were. This is especially useful for future audits. You or another auditor may see something you missed previously. You can also double check that Corrective and Preventative Actions previously determined had their intended effect. If you have the option, you might want to request a different interviewee if you observe the same staff member was interviewed for the last three years regarding the same process. Conversely, if you have become too familiar with the audited process, choose another auditor if possible.
Actions arising from an audit (eg corrective and preventative action) must be documented and scheduled for fixing.
4. Familiarise Yourself With Your Internal Documents and Regulatory Requirements
In an ideal world, all processes will be validated and regulatory compliant. Often this is not the case. A process may have been grandfathered or “it has always been done this way”. By knowing the regulations, you can identify gaps and propose solutions to close the gaps, thus improving your processes.
I recommend you print the relevant documents and familiarise yourself with the processes you plan to audit. Take them to your audit as a reference only. By knowing the procedure beforehand, you do not have to continually refer to the procedure. This can help you look more professional and should improve the communication between you and those you interview. By being familiar with your internal procedures, you can ask about things in them that may not be clear. Procedures should always be clear and not open to interpretation. If a documented procedure has areas of grey, you have the opportunity to determine if the user has made the correct interpretation, or if your interpretation differs to theirs. There should be no grey areas. If there are, update your documentation.
Don’t get too familiar with the process however. An air of mystery is needed, as you are more likely to spot something that is out of place.
5. Have a process for how you will conduct the audit
Your official documentation will tell you what to audit and how to audit. It most likely will not advise you on style. Regardless, follow your controlled documentation regarding the audit process.
6. When auditing, ask questions, listen and observe
People have different interview techniques and I encourage you to develop your own.
I like to examine the process documentation before I audit and ask for an overview of the process and then narrow my focus when (if) the interviewee is not clear or shows evasive body language. I also like to have a list of questions to ask. I’ll ask to see the process. After observing the entire process, if there were additions or subtractions from the procedure, I’ll ask about them.
The most important thing in any information exchange is to ask and then listen. In regular communication, you will try not to interrupt to show the individual speaking has your full attention. It is unlikely each step of a process will require much talking, so you will have the opportunity to seek clarification at frequent intervals if you feel the need. Ideally, be encouraging and do not ask questions until the end. You could ask for another walk through of the process indicating you may ask questions this time. This gives you the opportunity to see if the process is repeatable.
7. Keep things informal and friendly
The main point of your internal audit is to make sure your processes stand up to a regulatory audit. This needs the contribution of everyone in your company. Though the audit process is formalised, your style does not have. Treat the audit as an opportunity to exchange information. Encourage those you audit to identify where they can see process improvements. If you are unfamiliar with who you are auditing, try to get to know them. By building a rapport you build trsut, they will be more likely to share their concerns. By improving your procedures now, their robustness will enable them to stand up to an external audit more readily. This saves you work.
8. Summarise your audit
After you complete your audit, thank those you have audited and provide a short summary of what you have seen, good and bad. This could be at the site of the audit or if a larger audit of multiple processes, in a meeting room. Advise those audited you’ll send out a written summary in a day or two. Make sure you do this, and you do it on time. This enhances your integrity. Don’t include anything you did not discuss during the audit. You will destroy any integrity and trust you have built.
Your summary is an important part of your documentation and allows an area supervisor, a QA Manager or a third party auditor a clear overview of the state of your processes. In a regulatory audit, a clear state of affairs may mean the process is passed over by the auditor.
9. When issues are identified, suggest corrective action
If you identify any issues, propose solutions in the form of Corrective and Preventative Actions (CAPA). Ideally, use the expertise of those you audit to formulate these – they are your subject matter experts (SME’s).
Your SME’s will know the best way to fix problems to reduce the likelihood of the same issues in the future. By getting their buy in you are less likely to meet opposition when proposing CAPA. If those you interview make suggestions for improvements during the audit, make sure you record the benefits. To maintain trust and integrity with those you audit, do not make proposals you have not discussed with them first. Nobody likes suprises.
For proposed action, you need to set dates for completion. Ideally, you will have a tracking system for CAPA. Whether a paper based or computerised system, proposed dates need approval/signoff by your Quality and Area Managers.
As part of tracking CAPA, you have to follow up. If CAPA is approved, then it should be assigned to someone who can complete it by the agreed upon due date.
Non-approved CAPA requires justification. For completed CAPA, did it do what it was supposed to do? If not, why not. When preparing for an audit, what CAPA was proposed or performed in the past. Was it completed? Check with those you audit. Do they think it worked? Would they have done something different?
Stick to the dates. Failure to do so will require justification in a regulatory audit. Save yourself time and stick to the dates!
By following these 10 recommendations, you could improve how you conduct internal audits.
Do you have other suggestions or a different list? Post them in the comments or message me. By sharing information, we all benefit.