PQRI Case Study (8): Internal GMP Audit Program

Published on: 
Pharmaceutical Technology, Pharmaceutical Technology-12-02-2011, Volume 35, Issue 12

The last in a series of eight case studies from the Product Quality Research Institute focuses on internal GMP audits.

An integral part of an effective quality system in a cGMP-compliant pharmaceutical manufacturing operation is a formal self-assessment process. This is commonly accomplished by performing periodic internal audits of site operations (e.g., quality, manufacturing, engineering, logistics) and associated systems with potential cGMP impact.

The overall administration of the internal audit program is the responsibility of the quality control unit. The quality control unit is responsible to assess site operations and associated systems in order to identify the focus, frequency and resources to support the internal audits as well as to determine the effectiveness of the conducted audits. Audits are typically conducted according to a predetermined schedule and on a regular basis.

This case study on internal GMP audits is the last of eight in a series put together by the Product Quality Research Institute Manufacturing Technical Committee (PQRI-MTC) risk-management working group. The series is meant to advance the understanding and application of the International Conference on Harmonization (ICH) Q9 Quality Risk Management guideline by providing actual examples of risk-management assessments used by the bio/pharmaceutical industry. The introductory article and first case study, on defining design space, appeared in the July 2011 issue of Pharmaceutical Technology (1). Subsequent case studies in the series (8 in total) can be viewed online at PharmTech.com/pqristudies.

In the current case study, the manufacturing site is a diverse drug-product facility. Ideally, the site would be able to perform internal audits of all site operations and systems within a given calendar year. Given the breadth and scope of operations and available support resources, it will be difficult to conduct an internal audit to all operations and systems within that timeframe. One potential approach to administer an effective internal audit system is to maintain a listing of site operations that are subject to internal audit and determine audit frequency based upon the criticality of the operation. The site maintains a list of current operations and also periodically reviews and understands the performance of these operations and associated systems. As a result, facility management recognizes that there are certain internal systems that could benefit from additional focus and enhancement. Site management wants to ensure that resources are applied to those operations having the highest potential for GMP impact and proposes use of quality risk management (QRM) as a tool to effectively apply resources and schedule and conduct internal audits at their site.

The risk question and assessment method

The risk question developed for the subject case study was: What is the optimal internal audit schedule to ensure that those operations and associated systems with the greatest potential impact on product quality and, therefore, potentially the patient, are audited on a more frequent interval than those determined to be less critical?

An internal audit is a diverse activity with more qualitative characteristics than quantitative ones. Therefore, the selected risk-assessment tool will produce a qualitative description of risk (e.g., high, medium, or low). An additional objective of the selected tool is to assist in the organization of data as the assessment moves to the next stage of the process. The developed list of site operations and associated systems ensures identification of the potential risks. As a result, a complex risk-assessment tool is not required. A simple tool that allows for qualitative analysis and evaluation is sufficient.


The risk methodology selected for the subject case study was: risk ranking and filtering.

Risk identification and analysis

As partially shown in Table I, the site has prepared a master list identifying all operations and associated systems which have potential impact on product quality.

Table 1: Risk-evaluation score.

The risk-analysis stage of the QRM process estimates the potential harm(s) associated with each potential risks. The analysis may be qualitative or quantitative in nature, or a combination of the two. The risk score in the current case study will be determined by combining the probability or likelihood of a problem in a given site operation and the outcome, or potential undesired consequences, if a problem were found in the operation. A numerical value of 1, 2, or 3 is assigned to correspond with a low, medium, or high risk-analysis determination, respectively. The risk-evaluation score is calculated as follows:

(Probability Score × Outcome Score) = Risk Evaluation Score

The probability and outcome scores and subsequent risk-evaluation scores for the selected operations are presented in Table I. If desired, for this application, the risk ranking and filtering tool may be modified to include consideration of the length of time since the last audit was performed. To include this element in the risk-evaluation process, the formula for determining the risk-evaluation score is modified to include the time since the last audit as follows:

(Probability Score x Outcome Score) + (Years since last audit) = Risk Evaluation Score

As a result of the executed QRM evaluation, the site is now able to better prioritize resource utilization to focus auditing efforts on those areas with the highest risk scores.

Risk control and documentation

In the current case study, risk is reduced by identifying site operations above a specific threshold score from the risk ranking, and scheduling internal audits for those operations. Inherent risk will be accepted for those site operations which are below that threshold. For those operations, an internal audit will be deferred until audits have been completed for those operations with a higher risk ranking.

Communication of the utilized QRM process should include all key stakeholders of the affected departments throughout the department to ensure organizational buy-in and support. The output of QRM process, the audit schedule, and associated risk analysis justifying the approach, should be documented and endorsed by the site quality unit and effectively communicated to stakeholders.

Risk review

In the case study presented, it may be convenient to review the risk-assessment process and assumptions as the annual schedule is developed. During this activity, the site will confirm that included operations/systems are still in use, remove those that are not and add any new operations/systems to the process. Examples of changes that may potentially impact risk of site operational systems include: changes to control systems, changes to equipment and processes, changes in suppliers/contractors, and organizational restructuring.

Ted Frank is with Merck & Co; Stephen Brooks, Kristin Murray,* and Steve Reich are with Pfizer; Ed Sanchez is with Johnson & Johnson; Brian Hasselbalch is with the FDA Center for Drug Evaluation and Research; Kwame Obeng is with Bristol Myers Squibb; and Richard Creekmore is with AstraZeneca.

*To whom all correspondence should be addressed, at kristin.murray@pfizer.com