Auditing: Resources For Managing Vendor Oversight


In preparing to write this article for Controlled Environments, we looked at audits of vendors, such as software developers and suppliers of automated processes, and at distributor audits for supply chain integrity. A common thread in successful audits is the maintenance of sound audit practices, standards, and guidelines.

TO WHAT PURPOSE?
Auditing serves several purposes that are adapted to the application as necessary. Goals and results should be shared across the enterprise to help solve problems evident in all areas of pharmaceutical manufacturing and distribution. Regardless of what is being examined or audited — a system, facility, or software process — the resources available, such as the data, people, auditors, or experts, can be similar and many can be used in nearly all situations.

Audits are conducted to meet FDA guidelines to ensure that manufacturers maintain appropriate due diligence and inspection of processes, environments, vendors, suppliers, and others whose products, work, and expertise go into the manufacture of regulated products.

For example, in 1996, the FDA challenged the industry to establish a standard way to assess the structural integrity of acquired computer software and to lower overall costs to the industry. In 1997, a task force was formed to assess the integrity of and develop a guideline for auditing acquired commercial off-the-shelf (COTS) software. Under the umbrella of the Parenteral Drug Association’s (PDA’s) Computer Validation Interest Group, the PDA, along with the FDA, members of the user community from the pharmaceutical and medical device industries, and the software developers themselves, came together to create and publish a guideline for auditing acquired computer software and services.

The objectives of this task group were focused on the specific application of software in the manufacturing process. These objectives were also very similar to those that any group of professionals from any sector of the industry, meeting to establish standards, might have. They include:

  • To define and demonstrate (through simulation and field testing) a process for supplier audits and qualification in a way that promotes standardization and simplification
  • To meet regulatory expectations for the structural integrity of acquired software and computer products in general (regardless of where in the manufacturing process they were applied)
  • To satisfy customer needs for information as supporting procurement, systems engineering, and computer validation
  • To lower costs to both the pharmaceutical companies and suppliers.1

With regard to the latter point, costs of audits within the industry have increased dramatically and pharmaceutical companies may incur costs (internal and external) upwards of $750,000 per year to perform, manage, and archive audits. Examples exist that show reductions in cost greater than 50% through the use of a central repository. Such a repository for technology process audits was created by the PDA and is now known as the Audit Resource Center (ARC).

DEVELOPING THE AUDIT PROCESS
In the process of developing the published audit process, the task force performed research, used experience from supplier audits, and drafted a common practice to meet the needs of the industry. The needs assessment came from the users’ agreement that auditing practices used throughout the industry were cumbersome, duplicative, and inconsistent.2

The task force of industry professionals continued working after the publication of the report by the PDA (Technical Report 32 or TR-32) to monitor, maintain, and upgrade the process. Today, this group is known within the PDA as the Audit Guidance Advisory Board (AGAB). The AGAB now guides the development of technical reports for auditing and reviews the relevance of the documents, recruits committees of technical experts, and revises, expands, and broadens the guidelines as needed. The first iteration of this new guideline was published in 2001 and was revised in 2004. The current document is under review and publication of a new broader guideline is expected in the coming year.

Anyone who manufactures products that are regulated by the FDA must conduct due diligence of their vendors, typically in the form of audits. In this environment, vendors who produce equipment that utilizes software and suppliers who develop the software itself have to be audited; a well-accepted process that is often used is TR-32.

November 2007