,

GxP audits: How important are they and how are they conducted?

In the highly regulated pharmaceutical industry, audits are more than just a control mechanism – they are an indispensable tool for ensuring the quality and compliance of processes. Audits play a key role in ensuring that companies adhere to the strict requirements of Good Manufacturing Practice (GMP) and other GxP standards. The aim is not only to identify errors, but also to continuously improve processes and eliminate weaknesses before they lead to errors or quality problems. The role of audits in quality management can therefore not be overestimated. They help to meet regulatory requirements and at the same time strengthen the trust of customers and authorities in the company.

Below you will find out what a GxP audit is, why it is so important for companies in regulated industries and how it can be carried out optimally.

What is a GxP audit?

An audit is a systematic, independent and documented review that serves to determine whether activities and results meet the planned requirements. So much for the theory.

In the GxP area, audits are particularly important in practice, as they ensure that all processes actually meet the strict requirements of GMP, GLP and GCP standards. These audits not only check compliance with regulations, but also whether processes are used for continuous improvement and risk reduction and actually make this contribution.

Why are audits in the GxP area so important?

Audits fulfill a central function in the so-called Pharmaceutical Quality System (PQS) and offer many advantages that are important for the entire industry:

  • Audits guarantee that companies comply with and implement the legal and regulatory requirements in such a way that the medicines produced are of truly impeccable quality and also safe.
  • Audits make it possible to identify potential errors in operations and production at an early stage so that measures can be taken to minimize risks. This prevents critical errors or weaknesses in the production process from leading to serious problems and questionable medicines from reaching the market and patients.
  • Audits offer the opportunity to evaluate existing processes and identify optimization potential. In this way, companies can increase their efficiency and improve quality at the same time.
  • Regular audits strengthen the trust of customers, partners and regulatory authorities. A well-documented and executed audit shows that the company is able to critically scrutinize itself in order to reliably deliver high-quality products to the market.

The audit process: step by step

An audit in the GxP area follows a structured procedure that enables the auditor to thoroughly examine the processes in the company. Typically, an audit consists of six main phases:

  1. Planning: Audit preparation is crucial for success. The parties involved must ensure that all relevant people and documents are available. Thorough planning ensures a smooth process.
  2. The initial meeting: In this step, the auditors and the representatives of the company to be audited meet at the start of the audit. The audit plan or the audit agenda is discussed again. Questions are also clarified here and expectations are defined if they have not already been clearly understood before the audit.
  3. Conducting the audit: The auditor checks the company’s premises, machines, documents and processes. Interviews with employees also take place during this phase in order to assess the practical implementation of the processes.
  4. The final meeting: At the end of the audit, the results are summarized. This is where we discuss what worked well and where there is room for improvement.
  5. The audit report: The auditor prepares a detailed report documenting the results of the audit. This report also contains recommendations to help the company eliminate weaknesses and further improve processes.
  6. Follow-up of the audit results: After the audit, follow-up is essential to ensure that the recommended measures have been implemented. This includes documenting the corrections and, if necessary, rechecks to ensure the sustainability of the improvements.

Preparing the audited company for a GxP audit: how to succeed

Thorough preparation is the key to a successful audit. Companies should ensure that their documents are complete and up-to-date and that their employees are aware of the requirements of the audit. Employee training plays a central role here, as a well-prepared team helps to ensure that the audit runs smoothly and possible deficiencies can be identified at an early stage.

Tips for audit preparation:

  • Review all important documents, including SOPs (standard operating procedures), batch documentation and qualification documents
  • If possible, carry out internal mock audits in advance to identify weaknesses in advance
  • Bring your team up to speed on regulatory requirements and audit expectations

Successful audit practice: the key to success

A successful audit requires careful preparation, a clear structure and detailed follow-up. Cooperation between the auditor and the audited company is of great importance in order to develop a common understanding of the requirements and expectations. This not only promotes compliance, but also the continuous improvement of processes. Companies that integrate regular audits into their business processes improve their quality assurance and reduce the risk of production errors or non-compliance with regulations.

Conclusion: Audits as the key to quality assurance

Audits are an indispensable part of quality management in the GxP sector. They not only help to ensure compliance with regulations, but also promote the quality and safety of products. Thorough preparation and the selection of experienced auditors are crucial to the success of an audit.

At Experts Institut, we not only offer training courses for auditors, but are also happy to support you in ensuring your compliance and continuously improving your processes. We can do “audits”. Contact us at info@expertsinstitut.de

Would you like to find out more?

Listen to our podcast episode “Audits in the pharmaceutical industry”, in which we examine the importance and challenges of audits in detail: https://podcasters.spotify.com/pod/show/experts-insights/episodes/Audits-in-der-Pharmaindustrie-e2of577

Read our blog: experts-institut.de/newsroom

Follow us on LinkedIn: Experts Institute LinkedIn

/by
,

GMP Guidance for Artificial Intelligence (AI), Machine Learning (ML) and Digital Transformation: How it Finally Begins to Enter the EU GMP Guide

The Now: Gaping Holes

When sifting through today’s status of the EU GMP Guide, it does not take an expert to see that there are gaping holes on topics of engineering, management of computerized systems, data integrity, digitalization and application of artificial intelligence.

Not that the guide has nothing to say to some of these areas. At least by means of implication the guide says lots of things between the lines. This very “in-between” is what gives pharmaceutical manufacturers quite a headache when facing governmental inspections.

The issue is that what it has to say does not cover what’s actually out there. And “by implication” is simply not a good advisor for the industry. It may be good enough for an inspector to set up interpretive requirements and for giving industry a hard time. But for a company it is simply not practicable when a text is elusive.

Although we have best practices like ISPE GAMP5 or other guidance somewhere out in the GxP universe, we would like to know from our most relevant guide-the EU GMP Guide-what is required. And this very guide has been doing a rather horrible job to provide the input industry needs (it seems not surprising that some EU countries struggle massively to keep life sciences and pharmaceuticals on their territory).

A New Hope

A new hope may be on the horizon as we have been expecting a revised version of Annex 11. There-so the concept paper tells us-we will receive a text that will address words such as artificial intelligence, clouds, and even digital transformation. One might wonder whether it is worth holding our breath for the release of the new Annex 11, as high hopes have been shown to greatly disappoint before. One might remember Annex 21 or interpretive documents from local supervizing authorities, that in the end have not been helpful for real life at all.

However, in this case it may be different. Can we guess some consequences from this next generation Annex 11?

GMP

GMP Data Integrity Finally Takes Center Stage

Although some would passionately disagree with me on this, the EU GMP guide has virtually lacked clarity on data integrity for decades. It was the US FDA who had to essentially teach us in Europe what Data Integrity is and why this is important. Without them we would still think that Good Documentation Practices and Validation of Spreadsheets is all it takes.

I love how every EU member state GMP inspector knows exactly what is necessary in terms of data integrity-only with next to no express textual basis for it in the EU GMP guide. I mean sure: evey company has by now heard of data integrity, letalone has received inspections that dealt with it. And yes, we were told after the fact that the GMP guide has “always meant” data integrity in various little phrases of the guide. But that seemed a bit of a crutch to assure the colleagues from US FDA that in Europe data integrity is something we “totally want and require!”

Point taken, it is true that in the Annex 11 we had such wording in some spots. And now the EU guide will finally take into consideration the fuller importance of data integrity-at least for computerized systems. One can tell that the EU grows more towards considering guidance from for example WHO or PIC/S.

The consequences will be that audit trails and audit trail review requirements will be clarified and likely deepend. More work. The bar for what is “basic” will be raised.

The same will happen for archiving, backups, and retrieval requirements for archived data. Companies will unlikely be able to keep playing the low-key game in the archiving area.

Management of Clouds will be a Topic

This will be upgraded, or actually decently considered in the new Annex 11. And here I must say that this is positive improvement. The GMP guide has been pretty much blind to this for quite some time now. It will be a reasonable change. It will be interesting to see how block-chain systems will be treated under the new Annex 11.

And I certainly will be interested to see how cloud hosts seriously validate and qualify their systems, software, and infrastructure. The hunsh is: this is going to cause trouble for some service providers. My recommendation to cloud providers who have pharma-clients: Get ready for it now, or You will be out of business before You know it.

If this enters Annex 11 it could mean:

– cloud services must qualify their infrastructure according to GMP.

– they must validate their software fully in line with GMP as well.

This essentially would require a quality-oriented quality management system (and no, ISO9001 would not suffice, not the slightest chance for anyone who wants to take this seriously).

GMP for Artificial Intelligence (AI) and Machine Learning (ML) will Hatch

We must be honest here: it might not be a whole lot of guidance what we will receive from the revised Annex 11:

The primary focus should be on the relevance, adequacy and integrity of the data used to test these models with, and on the results (metrics) from such testing, rather that on the process of selecting, training and optimizing the models.

https://www.ema.europa.eu/en/documents/regulatory-procedural-guideline/concept-paper-revision-annex-11-guidelines-good-manufacturing-practice-medicinal-products-computerised-systems_en.pdf

Though this quote from the concept paper is as elusive as sand running through one’s fingers, it does give us a tiny insight into what will be important to a regulator or a GMP-inspector: data (and their quality) used to feed AI models.

One of the biggest questions is: How in the world do we validate AI and ML? Will AI or ML need to be validated according to the typical V-model? In reality this seems almost impssible, since any software code change would required re-validation. And code changes might have to be expected, especially with machine learning. My assupmtion is that we will not receive much help here form the new Annex 11. Industry will be thrown back on non-governmental best practice guidance-as is often the case.

“No New Requirements”

It must be acknowledged that some of what we will find in the revised Annex 11 will likely be clarification and nailing down of requirements that were logical consequences from what is in the current version of the Annex. Yet, we will also find more work, new requirements.

For each company a careful gap assessment will be in order, and for those who have gotten away with mediocre management of electronic systems it will be time to act and invest in modernization.

Needless to say, that I am already looking forward to the next years at Experts Institut, when those projects will continue to fill our work schedules. It is a great challenge!

GMP Challenges for Small Pharmaceutical Businesses

I encourage representatives of small businesses – smaller pharmaceutical entities – to comment and to give feedback once the draft to the new Annex 11 is out. Often it is the larger pharmaceutical businesses that drive or influence what best practice is or what those texts may contain. A consequence can be that the requirements push smaller companies off the cliff of financial and infrastructural fesability. This does not need to be so. But small businesses must take a bit of a stand here. Take the chances You get, that is my recommendation. Digitalization and the use of AI and ML are unstoppable because neither society and nor the economy will not stop it. This is coming at the industry real fast. And it will likely make or break smaller business in the near future. So – get ahead with it!

Experts Institute can help!

Need help with GMP-Digitalization projects and AI-validation concepts? Contact us. Management consultancy GMP, GXP & Business Solutions | Experts Institut (experts-institut.com).

Read our full blog: https://experts-institut.de/newsroom/

And feel free to follow us on LinkedIn: https://de.linkedin.com/company/expertsinstitut

/by

Information security – a must for modern companies

In today’s digital world, information security is more than just a technical concern: it is a business-critical necessity. Companies must protect sensitive data and at the same time meet legal requirements. This article highlights the most important aspects of information security with a focus on the implementation of an ISMS according to ISO 27001 and the new EU NIS2 directive, which comes into force in 2024.

Why is information security important?

Information security ensures the confidentiality, integrity and availability of data and IT systems. It not only protects against cyber attacks, but also ensures the continuity of business processes. An effective information security management system (ISMS) helps companies to identify and minimize risks.

Implementation of an ISMS through ISO 27001

ISO 27001 is an internationally recognized standard that helps companies to develop and implement an ISMS. It offers a systematic approach to protecting information and minimizing risks.

Why is ISO 27001 important?

  • By complying with ISO 27001, companies can strengthen the trust of their customers and partners
  • Many industries require compliance with certain security standards, ISO 27001 helps to meet these requirements
  • The standard provides a clear framework for identifying and managing security risks

Steps for implementation

  1. A project team is set up to take responsibility for implementing the ISMS
  2. Clear roles and responsibilities are defined to ensure smooth implementation
  3. A delta audit and an inventory are carried out to identify vulnerabilities and the current security status
  4. All employees involved are sensitized and qualified through targeted training courses
  5. Departments receive weekly task packages that cover various chapters of ISO 27001
  6. A comprehensive, digitalized ISMS is created to ensure sustainable information security
  7. Internal auditors are trained to carry out regular audits in the company
  8. Regular internal audits ensure that all measures are properly complied with
  9. A gap analysis is used to identify weaknesses, which are then remedied with a concrete action plan
  10. The action plan is implemented by implementing the planned measures in a targeted manner
  11. The certification process is continuously monitored until successful completion of ISO 27001 certification

NIS2 and the connection to ISO 27001

The NIS2 Directive, which comes into force in October 2024, tightens information security requirements, especially for operators of critical infrastructure (KRITIS), and affects around 21,600 new companies in Europe. The aim of the directive is to strengthen protection against cyberattacks and resilience.

ISO 27001 and NIS2 both pursue the goal of information security, but differ in scope. While ISO 27001 provides a flexible framework for implementing an ISMS, NIS2 adds additional requirements specifically aimed at KRITIS operators and critical facilities. Companies that are ISO 27001 compliant have already met many of the NIS2 requirements.

NIS2 introduces the following obligations for companies:

  • Companies need to further enhance their security standards and conduct regular audits to ensure both cyber security and physical resilience
  • Security incidents must be reported within 24 hours as there are stricter reporting requirements
  • Violations may result in penalties in the form of fines of up to 10 million euros or 2% of global turnover

Conclusion: Why information security is essential for companies

The importance of information security in the modern business world cannot be overemphasized. With increasing connectivity and the steady rise of cyber threats, it is becoming imperative for companies to develop robust security strategies and comply with regulatory requirements such as the NIS2 directive. By implementing an effective information security management system in accordance with ISO 27001, companies can not only minimize their risk, but also strengthen the trust of their customers and partners. Given the new challenges that come with NIS2, it is crucial that companies act proactively to adapt to the increased information security requirements and avoid potential sanctions.

How we as Experts Institut can help

As Experts Institut, we offer comprehensive consulting services for the implementation and optimization of ISMS in accordance with ISO 27001. We also support companies in implementing the new requirements of the NIS2 directive. Our focus is on supporting customers in complying with IT compliance requirements and strengthening their information security.

Are you considering optimizing the security measures in your company? Get ahead and in touch with us – info@expertsinstitut.de

Read our entire blog: https://experts-institut.de/newsroom/

And feel free to follow us on LinkedIn: https://de.linkedin.com/company/expertsinstitut

/by

Neustadt

Experts Institut Beratungs GmbH
Kirchwiesenstrasse 5

D-67434 Neustadt a. d. Weinstraße

Phone: +49 (0)6321 969210
E-mail: info@expertsinstitut.de

Fax: +49 (0)6321 9692199

Bamberg

Experts Institut Beratungs GmbH
Untere Sandstraße 53

D-96047 Bamberg

Phone: +49 (0)951 51939330
E-mail: info@expertsinstitut.de

Freiburg

Experts Institut Beratungs GmbH
Habsburgerstrasse 101a

D-79104 Freiburg im Breisgau

Phone: +49 (0)6321 9692120
E-mail: info@expertsinstitut.de

St. Gilgen (Austria)

Experts Institut Beratungs GmbH
Helenenstrasse 16

A-5340 St. Gilgen, Austria

Tel.: +43 (0)6227 21068
E-mail: info@expertsinstitut.de

kununu