Article | July 23, 2015

CYA 101: 4 Tips to Help You Cover Your Audit

Source: Seapine Software

By Michael Sieve, Life Sciences Solutions Engineer, Seapine Software

Audits are a part of doing business for most life sciences companies, but that doesn’t make them any less stressful. If an audit goes badly, it’s a black eye for your company. You could be looking at long product delays, warning letters, consent decrees, recalls, or even a plant shutdown. That’s enough to make anyone sweat as they sit across the table from an auditor.

If you sit down for an FDA audit and you aren’t 100 percent confident that everything about your product can be backed up and proven, the auditor is going to pick up on it. What’s more, your unease may make him decide to take a closer look at your documentation than he originally planned.

What’s the secret to walking into an audit with confidence? It takes proper planning and the right tools. Here are a few tips to help you be better prepared, so you no longer have to fear the auditor.

1. Know the Rules

Ignorance of the law is no excuse, as the venerable maxim says. You need at least one person on your team who knows, inside and out, the regulatory standards for your industry. This compliance expert should be tuned in to industry news to stay abreast of changes to the regulatory standards that affect your business.

You also need to train your team to strictly comply with regulatory standards. Keep records of compliance training for each employee, so you can prove that everyone on the team knows the rules and complies with them. Whenever a regulatory change occurs, revise and update employee training.

Annual training is a best practice, and often a regulatory requirement. Keep your team sharp by holding yearly training sessions, even if the regulations haven’t changed.

2. Record Everything

A favorite maxim of FDA auditors is, “If it isn’t documented, it didn’t happen.” Be sure to maintain complete, end-to-end records of everything related to your product, from design control to production. This includes, but is not limited to:

  • The design history file (DHF)
  • Device master records (DMR)
  • Verification and validation activities
  • Production, serialization, and shipping records
  • All steps and activities within the development process

Industry experts recommend keeping product data in a secure, searchable, traceable electronic repository — not in stacks of binders. Printed documentation isn’t searchable and can prevent you from finding requested information in an audit.

Your product lifecycle management solution should track, link, and verify each activity within the development process in a manner that complies with FDA ruling 21 CFR Part 11. If you can access this data instantly and validate any step in your entire development process, you’ll be able to answer the auditor’s queries in seconds, no matter what rabbit hole he chooses to go down.

A word of caution: If you don’t have something the auditor requests, be upfront about it — don’t dodge the question or try to delay. The truth is going to come out sooner or later. If it comes out sooner, at least you won’t annoy the auditor. An auditor’s goodwill is a priceless commodity.

3. Audit Yourself

Another best practice is to make internal audits and mock audits a regularly scheduled part of your process, to expose weaknesses before an actual audit.

In an internal audit, your compliance manager scrutinizes your product to the same degree an FDA auditor would. An internal audit can help you find potential violations in advance, giving you the opportunity to fix the issue before a real audit occurs.

A side benefit of internal audits is that they help you identify team members you want to include in your next audit. Having credible, confident employees there to answer an auditor’s questions gives the auditor more confidence in your product and process.

You also may want to hire a third party to do a mock audit before your product release. Mock audits deliver a completely objective analysis of how you would do in a real audit, and give you a good look at what to expect during a formal audit.

Third-party mock auditors often have vast experience and deep industry knowledge. Some of them are former FDA auditors. They can help you improve your team’s processes in ways beyond merely passing your audit.

By going over every pertinent detail that might cause concern during an audit, you’ll gain a more complete understanding of what you need to fix to pass the actual audit. This not only helps you practice for a real audit, but it ensures that your processes and documentation are bulletproof. 

4. Be Able to Provide Proof Instantly

If you have to dig through stacks of binders every time the auditor asks for proof that you do what you say, the audit isn’t going to go well. While you search those binders, the auditor will spend more time poking holes in your original documentation and coming up with additional items to request. The key is to quickly provide the proof the auditor needs to feel confident in your team, your processes, and your company.

For example, when a major life science company’s new medical device was audited, the process took three months. Each query from the auditor resulted in the manufacturer searching through piles of printed documents and reports. When the manufacturer couldn’t find the documentation to prove compliance, the company was issued a warning letter. The FDA later imposed a $1.7 million fine.

It took 278 days for the manufacturer to make the necessary changes and provide the traceability and validation the FDA required. The company suffered $1 million per day in lost revenue in addition to the fine. Ultimately, the FDA ruled that the company didn’t meet the standards for Current Good Manufacturing Processes (cGMP) and the product had to be pulled from the market.

A software solution would have allowed the company to find any documented information the auditors asked for. Additionally, having such a solution in place would have demonstrated the company’s commitment to quality, accuracy, and thoroughness. Don’t make the same $280-million mistake.

Another word of caution: Don’t cobble together a homegrown system to manage your product development lifecycle. If your system is built in-house, auditors will want to know how secure it is, and may question its reliability. Verification and validation testing on the system will be required if it’s part of your quality system.

Finding fault with your homegrown system is another way auditors might find you noncompliant. Make sure to implement a proven system for electronic data and document control to maintain data integrity.

Conclusion

The key to walking into an audit with confidence is to have all of your project data linked, traceable, and available upon request. If you thoroughly address the four key areas outlined above, you can relax and know you’ve covered your audit.

About The Author

Michael Sieve is a life sciences solutions engineer with Seapine Software. He has consulted with more than 100 clients to help improve their requirements, testing, and issues management processes. Michael has over 10 years experience in compliance industries.