Monday, June 10, 2019

Getting The Most From Your GMP Supplier Audit

Guest Blogger: Greg Weilersbacher
Founder & President, Eastlake Quality Consulting

All companies outsource. It’s a humbling fact that you simply can’t do it all yourself. This often has to do with resource allocation; your company may allocate dollars to build and sustain some activities in-house while choosing to contract higher-cost operations to qualified suppliers who already have the expertise and equipment. 

You may outsource the manufacturing of tablets, sterile injectables, or topical dosage forms, or the GMP release and stability testing of your product. Once the production and testing are complete, the product may need to be stored under controlled temperature and humidity conditions and then distributed to locations around the globe. The Contract Development and Management Organizations (CDMOs) who execute these critical operations are of paramount importance to your company’s success. Choosing the right suppliers will also help to minimize stress-induced headaches throughout your organization. Here are the top five ways to get the most out of a supplier audit.

1.  Come to the Audit Prepared
This seems obvious. However, more often than not, quality auditors step into the supplier’s lobby without doing their homework. Ask yourself the following questions: Why am I auditing this supplier? Is this supplier new to my company or one that we have used before? If used previously, have I read over the audit observations as well as the supplier’s responses and do I understand them? Which audit observations do I suspect would be the most challenging for the supplier to address and which are most important to my company’s requirements for this product? Have I reviewed previously executed production batch records and testing data and are there issues that need to be resolved? Are there deviations and CAPAs to follow up on?

Your understanding of the supplier’s work proposal is of great value in refining the scope of the audit. Ask yourself: Which of our products may be manufactured and tested here and which strengths (e.g., potency) will be produced? Which equipment is likely to be used? For tablet production, the equipment train could include balances, blenders, roller compactor, spray dryer, solvent-rated oven, comils, tablet press and tooling, gravity feeder, coating systems, de-duster, weight sorter, metal detector, tablet counter, etc. This list of equipment will assist you in requesting equipment records during the audit.

2.  Stay On Point
Proper audit planning will help to keep the audit organized and adhere to the audit timeline. In advance of the audit, provide the audit host with a list of the technical, lab, and manufacturing staff you wish to speak with and the records you need to review. A well-organized host will have this available for your review. Stick to your audit agenda. This is critical. The best way to derail your progress is to spend precious time chasing down minor issues while glaring problems get little to no attention. Continually refer back to the audit agenda and remember to keep the content of your audit report in mind while executing the audit.

3.  Know Your Technical Expertise and Limitations
Many auditors have led previous lives in the laboratory or in manufacturing, while others started their careers in quality assurance and may have little technical background with regard to equipment, manufacturing processes, GMP utilities, and laboratory testing. Know your limitations and, if necessary, compensate for them by hiring an expert consultant to assist you during the audit.

A common problem area that is at best glossed over and at worst completely ignored during an audit is the CDMO’s compliance with GMP utilities requirements. All too often, this is due to the auditor’s lack of understanding of the operation, inputs and outputs, validation parameters, and periodic testing and maintenance requirements for utilities such as HVAC, clean or pure steam, purified water and WFI systems, autoclaves, clean compressed air, nitrogen and other gases used for operating equipment or used during processing activities in manufacturing. Typically, these areas are also less well understood by the CDMO’s employees and as a result noncompliance abounds.

Some GMP utilities may be connected to the facility’s building management system, while others may be stand-alone equipment. In either case, the CDMO should have records of alarms (e.g., out of specification or out of range conditions), an acknowledgement of each alarm by designated staff members, and documentation of corrective actions. The last item is key. This is where the execution of quality systems tends to fail. Make a point to request documentation of corrective actions for each utility alarm. 

Additionally, purified and WFI water systems along with gases, such as clean compressed air and nitrogen, require periodic sampling/testing at each point-of-use. Verify that sampling and testing were performed on the timelines (monthly, quarterly, or annual) directed by the CDMO’s procedures. These timelines are typically not well adhered to. A clear understanding of all the operations of the supplier’s GMP utility management process will keep your thoughts clear during the audit and help identify areas that are in need of improvement.

4.  The Auditor’s Job is to Identify the Good and the Bad (Not to Win the Debate)
An important goal of a supplier audit is to identify the supplier’s strengths and weaknesses and come away from the audit with a compliance assessment that your company can use to make important decisions. It is of no value to your company if the goal of the auditor is to show the supplier how much he or she knows by debating the fine points of compliance. GMP auditors with decades of experience generally avoid this competitive exchange as it is unproductive. Rather, it is more important to spend the necessary time identifying compliance issues, making them known to the audit host in a professional manner, and taking detailed notes that assist in writing the audit report. Your company’s senior managers need to know the supplier’s good and not-so-good points; detailing all of these provides the greatest value.

5.  Interview the CDMO's Lab Staff, Manufacturing Operators, and Shipping/Receiving Personnel
A CDMO’s quality systems are generally written by managers and directors who have many years of industry experience. It is of utmost importance that staff members who execute these systems understand them if your company’s product is to be manufactured, tested, stored, and distributed in a compliant manner. Request to speak with manufacturing staff members who work on the production floor and are likely to work on your product. Ask them about the process they would follow to conduct line clearance, charge powders to a blender, operate a spray dryer, use a comil, set up a tablet press, inspect tablets, use metal detectors, etc. Compare the information they provide to the CDMO’s SOPs to determine if the staff understands their jobs. Listen for phrases such as “I usually do it this way…” or “it’s different every time but I typically set up the equipment like this…” These phrases reveal a lack of control and adherence to procedures.

The Take Away
The audit itself lays the foundation for a relationship with the supplier and the take-away message should address the following questions: Will the supplier work to resolve the issues I’ve identified? Am I confident that the supplier will immediately notify and involve my company’s representatives when deviations occur during production or testing? Do the supplier’s quality systems and records meet my company’s requirements and those of regulatory agencies? How confident am I that the supplier will produce and/or test a quality product that my company can stand behind? Is the supplier simply a pair of hands or are they committed to be my partner in this product’s success? The answers will provide you with a comfort level in making the decision to move forward with the CDMO or to look to their competition.


A version of this article was first published in Outsourced Pharma.

About the Author
Greg Weilersbacher is the Founder and President of Eastlake Quality Consulting, a GMP consulting firm based in the Southern California area. Over the last 25 years, he has held director and vice president positions leading Quality Assurance, Quality Control, Analytical Chemistry, Materials Management, GMP Facilities, and Product Manufacturing in biotech and pharmaceutical companies. His unique experiences and technical background have led to the manufacture and release of hundreds of solid oral, sterile, and biologic investigational products to clinics in the U.S. and abroad. Email Greg at

Monday, March 11, 2019

When Sites, eSystems, and Inspections Meet

Q: Do study site personnel need to be able to answer questions about sponsor-provided computer systems during an inspection?

A: Yes, and there’s a simple thing that sponsors and CROs can do to prepare their sites.

This excerpt was lifted from an online, interactive course entitled “Developing a Part 11 Compliance Plan in Clinical Research.” While the course mainly targeted sponsors and CROs, who have the heaviest regulatory burden in this area, sites also have Part 11 and validation concerns, as demonstrated by this question.

Presenter Lisa Olson, a CSV/Part 11 expert with Polaris Compliance Consultants, briefly described her recommendation, which is both simple and effective. (And since that is total catnip to a compliance blogger, I interviewed her after her presentation to develop the following piece.)

So here it is. Here’s what she said...

Clinical research sites rely heavily on technology to store and manage study data, so regulators are focusing on computer systems and electronic data more than ever before. Many of the systems – such as Electronic Data Collection (EDCs), Interactive Response Technology (IRTs), and e-diaries – are selected and largely controlled by sponsors, CROs, and/or third-party vendors. That doesn’t mean, however, that site staff won’t be expected to answer questions about these systems during a regulatory inspection. Quite the contrary: site personnel are responsible for the integrity of the data these systems house. They need to be able to demonstrate the knowledge required to meet their regulatory obligations.

No one is expecting site staff to be computer specialists; the expertise on these systems resides within the sponsor/CRO/vendor organizations. But the better a site can satisfy a basic, frontline inquiry into the systems it uses, the less likely it is that an inspector will pursue additional lines of questions.

So how can sponsors and CROs help?

They can provide a set of short summaries (one page per system) that answer the questions regulators are likely to ask site staff members. Filed in the Investigator Site File (ISF), ready for use, these summaries will be valuable resources.

The Basics

First, sponsors/CROs should supply identifying information: the name of the system, the vendor, the version of the system currently being used, and a few sentences that describe what the system does.

User Access and Control

To ensure both data integrity and compliance with Part 11 e-record/e-signature regulation, it’s essential that access to a system be controlled and data entry/updates be traceable to a specific person. To that end, the one-pager should describe how unique logins are assigned and how users are restricted to activities appropriate to their roles in the study. A monitor requires read-only access to an EDC system. A study coordinator needs to be able to enter and change EDC data. A Principal Investigator must be able to sign electronic Case Report Forms (CRFs). The role determines the access. Staff should also be able to briefly describe how an audit trail captures metadata that show what data were entered/altered, by whom, and when. (And someone, though not everyone, needs to be able to demonstrate how the audit trail can be used to piece together the “story of the data.” That, however, is too much to ask from our one-pager.)

Validation 101

It would be unusual for site personnel to have detailed knowledge of Computer System Validation (CSV) activities. Nevertheless, the one-pager could include a single line that confirms that the system was validated and by whom. A contact number could be included in case a regulator asks for more information or wants to see validation documents.

Where’s The Data?

Regulators will often ask where system data are stored. The answer to that question can be a simple sentence: The data are hosted by the EDC vendor at such-and-such location, or stored at the CRO, or sit on a local server within the site’s IT department.

Finally, the last line of our one-pager could be a simple statement prepared by the sponsor, CRO, or vendor, confirming that the data are protected wherever they are being stored. The data center is secure and environmentally controlled; the data are backed up to protect against loss; the system is accessed via the web through an encrypted channel -- whatever protections apply.


Regulators are increasingly focused on the integrity of study-related data, and that means added scrutiny of electronic systems and records. More inspections are being conducted mid-study so regulators can evaluate and ask about live systems in current operation. It’s very difficult for sites to field these questions without help from the organizations who make the decisions and have the expertise.

It’s okay to tell an inspector, “I don’t know.” (And it’s always preferable to admit that than to improvise an answer.) But say it too many times, and it casts doubt on a site’s ability to produce and maintain reliable study data. That’s in no one’s interest.

It shouldn’t be overly burdensome to develop a one-page summary sheet for each system so site personnel can address an inspector’s questions on the spot. The Investigator Meetings or Site Initiation Visits would be a good opportunity for sites to raise this point with their sponsors/CROs.

Lisa Olson will be giving an encore presentation of “Developing a Part 11 Compliance Plan in Clinical Research,” on March 24th. She describes all the elements that regulators and clients will be expecting, and since sponsors and CROs can’t implement everything all at once, Lisa prioritizes the activities necessary for developing your plan. You can register for the online course, sponsored by the Life Science Training Institute, here. Use the promotion code olson to receive a 10% discount.

Sunday, December 9, 2018

FDA Puts Santa on the Naughty List!



December 1, 2018

Mr. Kris Kringle, Owner
Santa’s Workshop, LLC
1225 Santa Claus Way
North Pole, Arctic Circle

Dear Mr. Kringle:

The U.S. FDA inspected your manufacturing facility, Santa’s Workshop, LLC at
1225 Santa Claus Way, North Pole, Arctic Circle, from April 2 to April 20, 2018.

This warning letter summarizes significant violations of CGMP regulations for finished product. See 21 CFR, parts 210 and 211. During our inspection, our investigators observed specific violations including, but not limited to, the following.

CGMP Violations

1.    Your firm failed to ensure that each person engaged in the manufacture, processing, packing, or holding of product has the education, training, and experience, or any combination thereof, to enable that person to perform his or her assigned functions (21 CFR 211.25(a) and 211.28).

Many members of your Enterprise Labor Force (ELF) unit lacked sufficient prior experience for designing and assembling (b)(4). At the time of our inspection, no ELF members had received training on CGMPs, and most were unaware of their responsibilities in the areas of cleanliness and proper attire. Hands and faces were often coated with chocolate, and bells on hats and shoes prevented protective apparel from attaining a proper fit. More generally, factory staff demonstrated an undisciplined, almost gleeful disregard for quality procedures. On three separate occasions, at critical stages of the manufacturing process, floor workers erupted into spontaneous song and dance.

Your written response of May 18, 2018 is inadequate because it does not address these training and experience deficiencies. While endearing, the ability to “sit on a shelf” or “live in a hollow tree” does not constitute acceptable manufacturing experience. Candy coating does not qualify as protective covering. And sticking one’s hands in a nearby snowdrift is not a recognized sanitation procedure. “Pure as the driven snow” is not a thing. Especially with all those reindeer knocking about.

2.    Your firm failed to maintain a system by which the distribution of each lot of product can be readily determined to facilitate its recall if necessary (21 CFR 211.150(b)).

Product distribution records were incomplete and, in the event of a recall, would be insufficient to identify all product recipients.

Your written response of May 18, 2018 is inadequate. Santa’s Own Procedures (SOPs) are insufficient to capture the information required to conduct a thorough recall.  Mr. Kringle may well know which customers are naughty and which are nice -- who’s good, who’s bad, who’s sleeping, and who’s awake, but this information is not written down and, in the opinion of our investigators, would be of limited value if it were.

3.    Your firm failed to store product at an appropriate temperature to ensure the identity, strength, quality, and purity of the products are not affected (21 CFR 211.142(b)).

Entire sections of the facility lacked effective air conditioning, resulting in destruction of all (b)(4) warehoused in two large storage rooms. A third inadequately cooled room was not in use, and except for some miscellaneous items – a couple hunks of coal, a corncob pipe, and a large, oddly sad puddle of water – the room was all but empty.

Your written response of May 18, 2018 was inadequate. FDA isn’t really sure what to do with “that old silk hat we found” in your response package.

4.    Products failing to meet established standards or specifications and any other relevant quality control criteria shall be rejected. Reprocessing may be performed (21 CFR 211.165(f)).

While not strictly a violation of 21 CFR 211.165(f), the rejection and quarantining procedures your firm follows for products that fail to meet established criteria are concerning. While it’s appropriate to reject a (b)(4) that swims, a (b)(4) with square wheels, a (b)(4) that shoots jelly, and a (b)(4) that rides an ostrich, exile to a remote island ruled by a flying lion is, in a word, extreme. Your firm also rejected and exiled a (b)(4)-in-a-box for what was almost certainly an easily remediated labeling problem; reprocessing would have been a more appropriate course of action. Also, we just have to know. Seriously. WHAT WAS WRONG WITH THE DOLLY???

5.    Your firm failed to establish adequate acceptance criteria for sampling and testing necessary to assure that batches of product meet appropriate specifications as a condition of their approval and release (21 CFR 211.165(d)).

Sampling procedures consisted of pulling each finished batch of (b)(4) out of a hot oven, taking a few nibbles, and declaring it “Jingle-icious.” Testers would frequently adulterate samples by submersing and saturating them with milk. These procedures are totally without scientific rigor. Furthermore, sampling was not restricted to members of the Quality Control Unit, but was extended to the entire plant floor. At times, sampling frequency was so high that there was very little, if any, of (b)(4) left to distribute. (On a personal note, our investigators would like to express their appreciation for the opportunity to participate in the testing activity. All the batches they sampled exceeded the strictest statistical quality control criteria, excepting the fruitcake, which could have benefited from additional stability testing and an earlier expiry date.)


Violations in this letter are not intended as an all-inclusive list. Typically the manufacturer is responsible for investigating violations, determining their root causes, and preventing their recurrence. However, in this case we’re going to make an exception. Though your methods and procedures are unconventional and frequently out of compliance with regulations, they are not wholly without merit. Our investigators have never experienced such a high level of workplace morale -- some calling it “downright merry” -- and believe it warrants further observation. Investigators have suggested a series of mutually consultative visits to your workshop. Music, dance, batch samples, reindeer games, and the occasional adulterated eggnog are highly encouraged.

Holly Bush
Division Director/OPQO Division I
North Pole District Office

Monday, October 15, 2018

The One-Hour Study Site Audit

In an effort to tease out the priorities of a clinical study site audit, I asked six of our most experienced GCP auditors the following question:

If you only had one hour to conduct a study site audit,
what would you look at?

[Obligatory warnings:  Do not try this at home. This is just a simulation. Caveat lectorem. Dinosaurs in the mirror are bigger than they appear. Et cetera.]

Of course it’s not possible to conduct any kind of meaningful audit in so short a time, but it’s an interesting thought exercise because it gets to the heart of study site risk.

Monday, August 13, 2018

What Surprises GCP Auditors?

Last month, I scheduled one-on-one discussions with our most experienced GCP auditors to ask each of them the same question: What surprises you most about the audits you conduct?

I guess you could say that I was the one who was surprised. I’m not sure exactly what I was expecting to hear, but I thought my teammates were going to talk about things that were new. Instead, I heard a lot more about things that have been around for a long time. To a person, my colleagues said they were surprised to be observing some of the same audit findings they were observing 30 years ago...which *is* surprising when you consider most of them were mere children at the time. ;-) It seems we have some stubbornly persistent quality and compliance issues in the biopharma industry that neither decades of experience nor technology have seemed to remedy. And the problems are not just persistent; they’re interrelated.

Tuesday, July 10, 2018

Hackin' the GDPR

Trying to comply with the GDPR got you down?
Maybe our parody will cheer you up.

(Sung to the tune of Lennon-McCartney's "Back in the U.S.S.R.")

Monday, May 14, 2018

eSource Terminology Untangled

True or False:

(1) eSource in clinical trials means eliminating the possibility for transcription errors.

(2) Data collected in Electronic Data Capture (EDC) systems is eSource.

Strictly speaking, both statements are false. If that surprises you, it’s probably because many casual uses of the term “eSource” actually differ from the formal definition laid out by FDA. If the participants in any discussion share the same interpretation of “eSource”, or if it’s clear from context how “eSource” is being used, then no harm, no foul. (Contemporary translation: “Meh.”) BUT…and you know where we’re going with this…when a term can be interpreted in multiple ways, there’s always a possibility for miscommunication and cross talk.