The APIC Audit Programme Version 6
The APIC Audit Programme Version 6
The APIC Audit Programme Version 6
Table of contents
1 General
3 The Auditors
3.3 Contract
5 Cost Considerations
Annexes
The Document entitled “Guidance on the occasions when it is appropriate for Competent
Authorities to conduct inspections at the premises of manufacturers of active substances
used as starting materials” (1) and the EMA Website GMP Question and Answers on audits
of active substances manufacturers
(http://www.ema.europa.eu/ema/index.jsp?curl=pages/regulation/q_and_a/q_and_a_detail_0
00027.jsp&mid=WC0b01ac05800296ca) give further guidance on what the European
Authorities expect in terms of assessing the GMP status of active substance, intermediates,
starting materials (SM) and critical raw materials (RM) manufacturers.
Audits should be performed by qualified and trained staff, the audit should be properly
documented and the audit reports will be subject to inspection by the Competent Authorities
during inspections of the MAH for the Medicinal Products and API manufacturers.
Audits should be done periodically using a risk based approach to assess the continuing
cGMP Compliance status of the API, intermediates, critical RM and SM Manufacturers and,
as necessary, the Agent, Broker, Packer, Re-Packer, Distributor or Importer.
If a Third Party is involved during auditing then the MAH or API manufacturer as ”contract
giver” should follow Chapter 7 of the EU GMP Guide and evaluate the auditors/audit process
of the Third Party as the “contract acceptor” to ensure that the audit process complies with
their cGMP expectations. The MAH and API manufacturer should ensure there is no conflict
of interest between the audit process, the auditors and the Auditee. In view of the legal
background and the cGMP expectation of supplier evaluation by the authorities, the Qualified
Person(s) or responsible person(s) of the MAH and/or API manufacturer is responsible to
assure that the materials used in Human and Veterinary Medicinal Product Manufacture are
manufactured according to the EU GMP guidelines for APIs.
2
The Second Party Audit can also be applied to outsourced or contracted material
manufacturing and performed by qualified auditors of the MAH and/or API manufacturers
The audit report and findings should be reviewed by the Qualified Person(s) of the MAH or
the responsible person of the API manufacturer. In this case, the responsibilities for auditing
of the material Manufacturer should be defined in the Technical Contract.
Shared Third Party Audits are acceptable to the European Authorities as long as
the Qualified Person(s) and /or responsible persons in API manufacturing ensures
that the scope of the audit is applicable to each material used in API manufacturing
or Medicinal Product.
The customer of the Third Party Audit should decide for themselves whether there
are any conflict of interest issues with any Third Party Audit Option.
The approach taken by many Medicinal Product and API Manufacturers towards this legal
requirement is to perform one to one audits of their material manufacturers. However it is
recognized that audits are time-consuming and expensive for both the API and Medicinal
Product Manufacturer and there is potential for significant audit overload for the
Pharmaceutical and chemical Industry if this is the only option used.
The aim of the APIC Audit Programme is to provide a standardised Third Party Auditing
process to ensure that an effective assessment is performed of the cGMP status of critical
RM, SM, intermediates and APIs; These APIs are used as Starting Materials for Medicinal
Products and in so doing contribute to the assurance of the Quality, Safety and Efficacy of
the Medicinal Products.
The API Compliance Institute as a Business Unit of Concept Heidelberg has been contracted
by APIC to administer the APIC Audit Programme.
3
The audits within the framework of the APIC Audit Programme are conducted by APIC
Certified Auditors and standardised reports with classification of findings are issued.
Third Party Audits for APIs should be initiated by the Marketing Authorisation Holder for the
Medicinal product according to the European directive 2001/83/EC and its amendments
where it is defined that it is the responsibility of the MAH to assure that the API is
manufactured in accordance with the cGMPs in force.
Third Party Audits related to critical RM, SM and intermediates can be performed on request
against the applicable parts of ICH Q7.
In the case that several MAHs and/or API manufacturers wish to cooperate on an audit of the
same material Manufacturer or share an audit report the ‘Third party audit’ becomes a
‘Shared Third Party Audit’. Once the initial request to arrange the audit has been made to
The API Compliance Institute, other potential customers for the 3rd Party Audit could be
contacted using the standardised letter (Annex 4) and if they wish to share this audit, they
should contact the API Compliance Institute 4 weeks at latest before the audit takes place.
In the case that a Third Party Audit has recently been performed and the Manufacturer is
contacted by a QP or responsible person of another MAH and/or API manufacturer who is
interested in assessing whether this Third Party Audit Report satisfies his requirements, the
representative of the MAH and/or API manufacturer should be asked to contact the API
Compliance Institute. This scheme can also be applied to non EU MAH and/or API
manufacturers.
Important:
The ‘Compliance Triangle principle’ (see figure 1) will be followed at all steps of the audit
process to ensure that all parties involved - the ‘customer’, the ‘Auditee’, the auditors and the
API Compliance Institute as the coordinator of the audit are involved in the communication
processes.
Figure 1: Compliance Triangle Principle of the APIC Third Party Audit Programme
.
Auditors
ACI
QP(s) or responsible
Auditee person(s)
4
Request by the QP(s) or Responsible Person(s) of the Manufacturing Authorisation
Holder(s): Third Party Audit of API Starting Material used in Medicinal Products and
critical RM, SM, filed intermediates, excipients.
Request by the API Manufacturer/Distributor/Broker/Importer/Packer/Re-Packer: Self
Assessment Audit of GMP status
Participation in the APIC Audit Programme is on a voluntary basis and is not limited to
members of APIC or to a specific region of the world.
Major Deficiency:
A non critical deficiency which has produced or may produce a product, which does not
comply with its marketing authorization or which indicates a “major” deviation from cGMP,
or a combination of several “other” deficiencies, none of which on their own may be major,
but which may together represent a major deficiency and should be explained and
reported as such.
Other Deficiency:
A deficiency, which cannot be classified as either critical or major, but which indicates a
departure from cGMP.
(A deficiency may be “other” either because it is judged as “minor”, or because there is
insufficient information to classify it as a major or critical).
5
3 The Auditors
Attendance at a specific five-day training course sponsored by APIC (two and a half
days related to cGMPs in API manufacture and two and a half days for training in
effective auditing techniques) is a prerequisite for becoming an APIC Certified
Auditor. The participant will receive a certificate of attendance for each of the two
training courses.
The seminar fees will be charged directly to the Auditor or his company.
6
APIC Certified Auditor and the form is archived at the API Compliance Institute
together with the record of performance in the examination.
Auditors who have successfully passed the examinations and the assessment will
then become APIC Certified Auditors. The Certificate is valid for three years.
The API Compliance Institute keeps a register of all APIC Certified Auditors.
3.3 Contract
‘APIC Certified Auditors’ who agree to conduct audits in the framework of the APIC
Audit Programme have to sign a contract with the API Compliance Institute (see
Annex 1). This contract lays down the obligations of the Certified Auditor.
7
4 The Audit Process
The following section describes the steps that should be followed in the audit
process from the initial contact with the API Compliance Institute by the potential
customer until the distribution of the audit report. The timings mentioned below are
maximum time frames however the timeframes can be reduced to support urgent
requests
Signing of Audit Contract, 4 weeks
8
4.1.1 Preliminary Talks
A Third Party Audit should be initiated by one or more QP(s) and/or responsible
person(s) of MAH(s) and/or API manufacturer(s) (‘called ‘customer’).
Requests to initiate Third Party Audits should be made to the API Compliance
Institute in all cases.
Audit requests will follow the Compliance Triangle Principle (see Figure 2).
Figure 2: Compliance Triangle Principle of the APIC Third Party Audit Programme,
Preliminary Talks
.
Auditors
Marketing
Authorisation Holder
Auditors
ACI
(a) (b)
customer
Auditee
Before formal placement of an order by the customer, the API Compliance Institute
will have preliminary talks on the following topics, among others:
Provide details of the objectives and structure of the APIC Audit Programme so
that the customer can verify that the audit process is suitable with respect to
Chapter 7 of EU GMP Guide relating to Contract Services.
Scope of the audit
Steps of the audit process
Expected time inputs and expected costs
Timetable, if desired
Discuss potential involvement of other customers with the material Manufacturer
and initial customer requesting audit to encourage Shared Third Party Audit
Option.
Standardised letters (Annex 4) to encourage The Shared Third Party Audit
Options will be sent by the ACI to the customers and Auditee to explain the
Shared Third Party Audit Option and if they are in agreement, the relevant
Standardised Letters may then be sent to other customers who may be
interested in participating in the Shared Third Party Audit.
9
The following standardised approach will be followed.
Follow up audit
Initiating Phase
1
Selection of Auditors
2 Preparing the Audit
If the customer is interested in ordering an audit, the API Compliance Institute will
send the necessary documents, including the Audit Agreement (see Annex 2) to the
customer. The customer can define any specific points that should be covered in
the audit for example corrective actions from previous audits in the amendment to
the Agreement.
The Audit Agreement has to be signed by all parties involved, the customer, the
Auditee, the auditors and the API Compliance Institute. When more than one QP or
Responsible Person(s) of the MAH(s) and/or API manufacturer(s) are requesting
the audit, for reasons of confidentiality, contracts with each QP or responsible
person can be documented separately.
10
The services listed in the following sections on the individual steps of the audit take
place after the Audit Agreement has been signed by all parties and returned to the
API Compliance Institute.
Auditors
(d)
ACI
(d) (c)
Auditee customers
For gaining initial information about the Auditee and to effectively plan the audit a
pre-audit questionnaire (for further details see Appendix B of APIC Auditing Guide)
will be sent by the API Compliance Institute to the Auditee in advance.
The questionnaire will also be forwarded to the selected auditors for their
preparation. If, after evaluation of the questionnaire, the auditors will have any
doubt of a successful audit, the Auditee will be contacted by the API Compliance
Institute to discuss on how to proceed.
The Auditee will appoint a contact person (audit representative) responsible for the
handling of the audit.
11
4.1.3 Selection of Auditors
Auditors
ACI
(e) (e)
Auditee
(e) ACI informs the Auditee and the customers about the names of the chosen
APIC certified auditors. Both the Auditee and/or the customers can refuse one
or both auditors (e.g. due to competition reasons)
In general, for API auditing the API Compliance Institute will select two Certified
Auditors from the APIC register. A lead auditor will be nominated. The Auditee and
the customer(s) will be notified of the names of the auditors and their CVs will be
provided.
For auditing critical RM, SM and intermediates the number of auditors will depend
on the criticality defined in agreement with the customer.
The Auditee and the customer(s) are entitled to reject the proposed auditors.
Nevertheless they will be asked to explain the reasons for rejecting an auditor. In
these cases new auditors will be selected by the API Compliance Institute. On
request the Auditee and the customer will be informed on the types of audits the
auditor(s) has/ve conducted during the past two years.
The auditors will sign a statement in the Secrecy Agreement to confirm that they did
not work for the Auditee or customer (for example as a consultant or employee) for
at least 5 years prior to the audit and there is no financial interest or commercial
conflict with customer or Auditee.
12
4.1.4 Execution of the Audit
Figure 6: Steps (3) and (4): Preparing and executing the audit
Auditors
ACI
customers
Auditee
(f) Lead Auditor interacts directly with the Auditee in order to plan the audit in
detail. The customers will be informed by ACI.
As a guideline, the audit may be performed by two auditors for two days The ACI
will propose the duration of the Audit and number of auditors considering the scope
of the audit.
If the agreed audit time schedule and/or number of auditors changes during the
audit this must be communicated immediately to the customer(s) and ACI
explaining the reason for the change.
Before the audit the Auditee will receive an audit plan from the auditors, detailing
the major topics of the audit and a tentative schedule
During the audit the cGMP compliance of the Auditee will be evaluated by the
auditors on the basis of the applicable items of the ICH Q7 guideline (GMP for APIs,
part II of the EU GMP Guide) and other relevant guidances if applicable (for
example ISO, ICH Q9, 10, 11) using the APIC Auditing Aide Memoire and APIC
How To Do ICH Q7 Guidance document as references.
All observations relating to GMP deficiencies will be stated and classified (Refer to
section 1 for classification rating) during the final wrap up meeting with the Senior
Management of the Auditee.
13
4.1.5 Audit Report: Reviewing, Signing and Archiving
Auditors
(g)
(h)
ACI
customer
Auditee
(h)
(g) Lead Auditor sends the draft audit report to the Auditee for any missing data,
errors in data etc. and for defining corrective actions.
(h) After checking the draft audit report for accuracy, the Auditee responds to any
observations proposing corrective actions, amends these parts to the final draft
of the report and sends it back to the auditors and the ACI.
IMPORTANT: In the drafted report only ‘factual’ mistakes should be corrected.
At the latest, within a period of 3 working weeks after the audit, the lead auditor
sends a drafted audit report to the Auditee to check for accuracy and to define
corrective actions. The audit report will include a management summary, an
overview of which ICH topics were evaluated during the Audit, supported by the ICH
Q7 checklist and a detailed description and evidence of the deficiencies. The
Auditee should check the accuracy and respond to any observations, proposing
corrective actions, responsibilities and time frames within one month and amend
these parts to the final draft of the audit report that will be sent back to the auditors
and the ACI. The auditors will check within 2 weeks time wether the CAPAs are
reasonable and send the signed audit report to ACI.
ACI will forward the final version of the audit report to the audit initiators and the
auditee.
14
Figure 8: Step (6): Handover of the final audit report
Auditors
(i)
ACI
(j) (j)
customers
Auditee
(i) After having reviewed that proposed actions have been defined for any
deficiencies the auditors sign the final audit report that is sent to the ACI.
(j) The ACI sends copies of the signed audit report to the customer(s) and to the
Auditee and archives the original signed audit report.
On receipt of the audit report from the Auditee, the auditors will review and confirm
that a response with realistic timelines has been received for each observation, sign
the audit report and send it to the API Compliance Institute. The ACI will then issue
a copy of the final signed audit report to the customer(s) and to the Auditee.
The original audit reports are archived for 10 years, however, the original signed
audit report remains valid for maximum 3 years.
The customer(s) are responsible to review the signed audit report received and
decide if any deficiencies have been adequately addressed.
The evaluation of the impact of the audit deficiencies included in the audit report on
the GMP status of the API(s) used in the Manufacture of Medicinal Products is the
responsibility of the Customer.
In the case that the QP or Responsible Person of the MAH or Auditee is not
satisfied with the quality of the audit report/performance of the auditors, they should
contact ACI in writing explaining their concerns. ACI will review their concerns with
the auditors and QP or Responsible Person of the MAH and try to satisfy the
concerns. In the case that there continues to be a serious disagreement on any of
the deficiencies made in the audit report or in the performance of the auditors, the
ACI may also request independent review from the APIC Audit Programme
Representative/APIC Excom Member on the GMP Compliance issues raised. In this
case, the ACI should ensure there is no Conflict of Interest with the APIC Nominee
15
and the Auditee and the terms of the Confidentiality Agreement should be extended
to include this review. The ACI will report in writing to the QP or Responsible
Person of the MAH and the Auditee to give feedback on the formal review of their
disagreements and request agreement to close the audit report.
In the case that resolution of disagreements is not possible and the disagreements
are related to poor audit performance, the Audit Agreement will be revoked. Written
statements of the auditors, the auditee and the customer will be included into the
audit report.
IMPORTANT: The copyright of the audit report is jointly held by the customer(s),
Auditee and API Compliance Institute. If any of these parties wishes to pass on the
audit report to a subsequent Third Party, a request should be made to the API
Compliance Institute.
The API Compliance Institute will discuss the use of the Third Party Audit Report with
the subsequent customer to ensure the scope of the audit meets their requirements
before the audit report is shared.
With the agreement of the Auditee, a list of Third Party Audits completed within the
last 3 years may be published on the ACI Website.
IMPORTANT NOTE: It is an essential condition of the Audit Agreement that all Parties
agree in advance of the audit that the audit reports may be shown to Inspectors
during an audit of the customer as evidence for the qualification of the material
Following completion and issue of the Third Party Audit Report, the Auditee should
issue periodic updates on progress with proposed actions to the customer(s) based
on the timelines defined in the audit report.
The customers have the responsibility to check that the proposed actions of the
Auditee in response to the audit observations have been implemented in a timely
and effective manner.
The customers will also decide on the need and timing for a follow up audit
including auditing of the effectiveness of the corrective actions defined in original
audit report.
The auditee needs to inform ACI from important changes that impact the validity of
the current audit report
Within one month of completion of the audit report, the ACI will request feedback on
the effectiveness of the audit process and performance of the auditors from the
Auditee using the standard form (Appendix 5). Feedback on displayed knowledge
and understanding of the GMP requirements for APIs, audit performance, general
communication and inter-personal skills of the auditors will be requested.
16
This feedback will be used by ACI to improve the effectiveness of the audit
programme and to assess the performance of the auditors on an ongoing basis and
will be reviewed during the evaluation of auditor performance at the time of their Re-
Certification as APIC Auditors.
5 Costs Considerations
The number of customers will be considered for the cost calculation. This can
reduce the audit costs significantly.
In the case that a completed Third Party Audit Report is requested by subsequent
customers, re-imbursement costs will be given to the original customer(s) for the
Third Party Audit until all costs of the initial audit have been reimbursed. For more
details please contact the ACI.
17
6 Relationship between APIC and the API Compliance Institute
There is an Agreement between APIC and the API Compliance Institute that defines
the responsibilities of each party.
Table 1 lists the major obligations of the API Compliance Institute and APIC.
APIC will review, on a regular basis, together with the API Compliance Institute the
function of the "APIC Audit Programme" process and will agree any areas of
improvements.
APIC will not intervene in the responsibilities of the API Compliance Institute related
to this programme and will not request specific information related to audited
companies such as audit reports.
----------------------------------
18