When a pharmaceutical company engages a Contract Development and Manufacturing Organization (CDMO) to provide services, the most fundamental assumption is that the CDMO adheres to Good Manufacturing Practices (GMP). What entitles the CDMO to make that promise? The short answer is, it conducts regular audits of its own staff and business processes.
The internal audit is part of the total quality management system. It is much better for a CDMO to discover quality issues on its own than to have those problems uncovered by a client or regulatory audit.
What exactly is an audit? It’s really a set of procedures used to observe the way business is conducted and check it against known standards — internal standard operating procedures (SOPs), regulatory standards, or the terms of a quality agreement between the CDMO and the client.
Usually, it begins with a lot of documentation: batch records, supply chain records, laboratory testing records, deviation investigations, change management, and the like. Every element of GMP has a standard operating procedure. The fundamental question in an audit is: Are the people responsible for this process following the procedures?
These are our procedures. Generally, they are not given to us by the FDA (although they may be given to us by the client, under a specific quality agreement). If a CDMO can’t follow its own procedures, that’s a significant problem — and management has no one to blame but itself.
Your Minimum Expectations
While audit results are fully documented, it is customary for those documents to be held within the company and not shared externally, either with clients or the regulatory agencies, who acknowledge this information to be proprietary. What is shared in some instances is the audit schedule, showing what areas we audit and when, and the status of those audits. And if an audit finding has an impact on a specific client or its product, that client will be informed, generally within 1 to 2 business days. That’s a minimum expectation the client should have of its CDMO.
An important thing to look for in a CDMO is a stable quality management process — one that is being applied consistently and not being improvised. You may not see the audit reports, but if the team is continually re-auditing the same business processes, you are entitled to wonder whether it is dealing effectively with the root causes of recurring issues. And you are entitled to ask.
With any business partner, including a CDMO, innovation is virtually always beneficial. If a service provider is frequently adding new services and new lines of business, odds are that it also is creating innovative ways to improve service and manage quality. On the other hand, clients and prospective clients are entitled to ask for evidence that the new service is as fully documented and audited as the company’s more mature offerings, and that the launch of new service lines has not diluted the attention paid to quality management across all services. These are fair questions.
All elements of the business are subject to audit — the new and cutting edge services, as well as the more mundane back-office processes. Best practice is to have a schedule that allows the quality management leadership team to assess all aspects of the business over 12 or 24 months. Singota, for example, generally runs on an annual audit schedule; the first quarter is given over to data collection and risk assessment, and the actual audits are conducted over the next three quarters.
However, it is critical to allow audit findings to focus priorities on any issues that might be discovered, and not to let the audit team be hemmed in by arbitrary schedules.
Internal and External Audits
Some of our most important data will come from client audits. The results from those are incorporated into our risk assessment and internal audit scheduling. They may focus our attention on areas we may not have seen in our own deviation and nonconformance systems.
Internal audits are diligent but non-adversarial. When the FDA does an external regulatory audit, it has no obligation to let the audited company know ahead of time. The auditors can simply show up unannounced. For our internal audits, we let the managers know in advance. Generally, the audit is intended to be a positive experience, an opportunity for constructive learning. We deal with issues if we find them; we also provide positive reinforcement when the team is performing effectively.
A prospective client should look for evidence that the CDMO has deep knowledge of GMP and quality management. That starts at the top, at the director level; there should be someone among the senior leadership with extensive pharmaceutical-specific experience in quality and regulatory oversight, and that function should be adequately staffed.
But attention to quality management has to be pervasive. Everyone in the company is responsible for adhering to standard operating procedures for good documentation practices. The corporate culture must reinforce every employee’s responsibility to alert a supervisor if something doesn’t look right.
Most CDMOs are relatively small, and must carefully assess the risks to determine how to focus the resources when deciding what to audit and when. Nevertheless, any pharmaceutical company evaluating a CDMO as a prospective partner should look for assurance that the company is auditing effectively and putting steps in place to ensure that any issues discovered don’t recur. That’s the basic purpose of internal audits: To provide that peace of mind.