The Calcott Consulting Blog:

   Articles on audits:


The dilemma of getting consultants to write your SOPs for you. Should you or shouldn’t you?

August 13th, 2019 by

As a consultant, I am often brought in to assess systems, perform gap analyses or to audit. In many respects it is the same activity. I look at what is in place in the form of documents (SOPs and policies) and in processes in action in their operations. Some of these clients are large pharma or biopharma but a large number are relatively new and small operations with much of their activities outsourced to third parties.

Now let me stress, as a consultant, I am totally against getting consultants to write SOPs. It is not because I can not write an SOP. It is because a document that is written must be owned by the eventual company and to get ownership requires, in my mind, an active involvement in the production of the document and process. Ordinarily, I will supply key elements I would expect to see in a document or process. I will review the document to modify it to include elements forgotten or to restructure for clarity.

My approach is the same for both type of clients when I come in to assess. I use the classic moniker of “say what you do, do what you say, prove it, improve it” or putting it simply, documents, execution, records, improvements. So what do I see? In large companies, I often see well established elements with often strengths and weaknesses. So my tasks are relatively straightforward. But in small companies do I see the same? The simple answer is No.

What I see is groups of people working furiously to keep momentum going. This results in major gaps in systems. Many times, procedures are not in place and even if they are, they do not reflect the process in place. Particularly when procedures are in place they are written vaguely with no clarity as to process. When you interview people to gain clarity, you find their processes as verbally described are often quite robust. But it is just not described in any formal document. But since the company is small everybody knows everybody else and communication is very much ad hoc. While this may work initially, as the companies grow they lose that advantage.

So what we have to do is get them to think through the actual processes, write them down and immortalize them in policies and SOPs. This is easier said than done. They are so busy, they do not have the time to get it down on paper. On many occasions, to get them to a better state, I take on the task of writing it down, then getting them to check for accuracy and then shepherd the documents through the system. Ordinarily, I am not a supporter of getting a consultant to write an SOP for the company. Even if written very well, there is no ownership within the organization. But this is different. You are not inventing a new process to implement, it is writing down what is actually done. Or at least that is how I justify going against my own philosophy.

My goal is to put into place procedures describing what is actually done in the company, in a manner that if all the employees disappear overnight, to be replaced in the morning with new people, there is a good chance the processes would be executed similarly as before. In other word a robust sustainable process. This is the first step in building a rugged Quality Management System.

How well has the pharma industry implemented regulations?

February 25th, 2017 by

This has always been a question people ask.  As a consultant i see a slice of the industry that interacts and works with me, so I have my opinions.  However, a company that employs me may not represent the average company.  So a colleague of mine, Peiyi Ko, and I decided to conduct a survey asking these questions.  we used Survey Gizmo as the survey tool and LinkedIn Groups as the interface.  These 40 questions were posed and because of the interesting answers we got, we are publishing them in two parts.  This post has the first part published in Pharmaceuticalonline.  In this part, we examine the implementation of various guidances and regulations.  The second will feature how ell they have impacted the company Quality Management System.

The second part will be published in a couple of months.  Bookmark my website so you will see it when the next is posted.

Happy reading

Effective auditing – one size does not fit all

April 15th, 2015 by

Every company I work with has a problem with their auditing program.  Some believe they are overdoing it and others feel they are not doing enough.  In a sense, they are both right.  In actual fact, they are all overdoing it in certain areas and underdoing in others.

Back when I started in Industry, and I am afraid to tell you exactly when, auditing programs were written in stone in SOPs.  The frequency, duration and number of people were defined and rigorously enforced.  Audits were conducted each the same way and lists of findings were assembled and sent to the auditee.  If lucky, the findings were responded to and CAPAs developed.  The report was closed out and filed.  After the prescribed period of time, the process was repeated.  Often the same findings were seen at the next audit.  So either the CAPA was not done or it was ineffective.  Not exactly an efficient, effective process, but it satisfied the regulators.

Today a program like that is just not acceptable.  Why?  Have the regulations changed? Have our expectations changed?  Has the world changed?  The answer to each is yes.

Over the last 20-30 years we have seen a lot change.  We have seen drug tampering (Tylenol and cyanide), counterfeit drugs in the market place (you get those emails for those drugs at unbelievable prices) and incidents like the Heparin / Baxter problem.  Both industry and regulators have taken note and reacted.  In the US and EU, regulators have recognized the problems and issued new regulations and guidances.  The Falsified Medicines Directive (FMD), Food and Drug Administration Security and Innovation Act (FDAsia) and the Drug Supply Chain Security Act (DSCSA) have been issued and are in the process of implementation.  So how does that fit into the auditing program?  It is because the auditing program is a tool that will enable you to meet the spirit of what these regulations are driving at.

We perform both internal audits of our own operations as well as audits of third parties.  These third parties include our CMOs, our suppliers of raw materials, excipients, actives as well as services such as testing labs, engineering functions and distribution to name a few.  The functions of an audit are many fold including a component of the assessment of whether we care to do business with an entity (the Vendor Qualification Program) as well as as a routine assessment of whether we want to continue to use them (continuous verification) and an assessment after some element has failed (for cause).

Each of these is approached differently, depending on the nature of why we are auditing.

  1. Vendor assessment – usually, you have never worked with the vendor before, or at least recently, so this is an exploratory audit to assure they are operating to an appropriate standard that is compatible with our expectations.  Because of this, the goal is to assess all their systems.
  2. Continuous verification – you have experience with this type of vendor.  You know what they do well and perhaps have identified areas where improvement might be needed.  You are often following up from previous audits or experience with their services (described in the annual product review).  So it is often more directed than the qualification stage of vendor assessment.
  3. For cause – something has definitely gone wrong.  So this is a very directed audit towards the areas of potential deficiency.  The outcome may be to continue to use or to terminate the relationship.

Which brings us to how to conduct an audit to add value.  ICH Q9 is a wonderful guidance that if used intelligently can aid you in developing a truly risk-based auditing program: that is to balance the “too much” versus the “too little”.  I highly recommend integrating this guidance into your auditing program.  Remember if you do not document your risk decisions, you will be found lacking by the regulators.

I use the old moniker of

say what you do,

                    do what you say,

                                          prove it and

                                                           improve it.

Put another way it is really documentsexecutionrecords and continuous improvement.

These following steps may aid you in defining the audit program.

  1. Never schedule your auditors more than 67% of their time and that includes prep time and report writing time.  The extra 1/3 is important for the unexpected such as the for cause audits, the new suppliers, the new emergency programs and also the deep dives you provide as a service to your internal customers.
  2. Determine the risk factor for the particular vendor.  That includes not just the service provided but the track record of each.  This will determine the frequency, duration and manpower needed. And this needs to be kept current because situations change.
  3. You have limited time at the vendor so use it well.  Prepare the outline of what you want to accomplish (the type of audit), what you know, what questions need answering.  If possible do work before you arrive.  That could be sending out a focused questionnaire to relatively simple elements (you can confirm when you arrive).  Even present to them a proposed agenda, so they are prepared and have no excuse when you arrive.
  4. So what do I focus on when I arrive.  A typical process flow approach is my choice.  For actives suppliers or CMOs, I walk the process with my questions and get my answers in situ.  Armed with my preparation work, I walk through the facility and quite prepared to stop even for a significant length of time to explore more if I sense an issue.  For testing labs walk the samples.  This is the execution component
  5. I look at paper work later and I focus on the various quality systems of interest.  I do not read SOPs or policies but rather focus on the records part.  I look at deviations and investigations, CAPAs, change controls and lot dispositions.  The threads I find lead me into the various other systems.  I find these systems are the pulse of the organization and tell you a lot about the company.
  6. If necessary, I go to SOPs and policies.  That is the documentation part to confirm that what they say corresponds to what they do.
  7. I also look at operations and people to detect signs of continuous improvement which is often picked up, not in documents, but in conversation.
  8. I usually look to see evidence of a modern approach to quality as evidenced by an active involvement of management.
  9. In the close out I gather the observations which I have ranked using the EU standard of critical, major and minor.  In the discussion I might even make some suggestions of how improvement might be made.  But it is the company’s decision on the how to address really.
  10. After you get home, make sure to follow up with requests for CAPAs after the agreed upon time frame.

BTW, one of my first stops is the bath room.  Not because of a medical problem but  to see how it is kept.  Companies that have a good QMS have clear bathrooms.  For those with QMS problems, the bathroom can be a telltale.

Tools that make you work for them rather than working for you

October 5th, 2014 by

I am often called into companies to identify opportunities for improvement in processes, products and also the Quality Management System as well. These projects give an opportunity to learn how an organisation ticks, its strengths and its weaknesses. Often management initiates the process by giving me their list of systems that they believe are broken or at least not operating as efficiently as they would like. But not always.  They want these worked on but sometimes are reluctant to consider the systems they consider working well.  Or maybe these “working systems” are the ones without the loud squeaky wheel attached.  That is, the one flying under the radar and silently deficient.

I usually take these lists and negotiate with the company that I should look broader than those that they have identified.  That is not to create billable hours but rather because of efficiency. While they may have identified some of the deficient systems, they may not have all.  Also it may be that the ones they consider working well are in fact not working well at all or they may have a system with overkill in place.  Now, if there are some very good systems, you can learn a lot about an organisation if you can understand why some are good and others not.  What causes this?  it can be an uneven management or a pocket of progressive people who are 100% dedicated in the face of adversity.

The key is to bring me in once to identify all the opportunities rather than bring me in twice.  It costs more.  It adds months to the timeline if I have to do it twice.

So what do I usually find?  First, management often does have a good perspective of the “bad” systems.  Often they have identified the very painful ones – the ones in dire need of improvement.  But not always.  This has to be teased out by careful interview of process owners and stakeholders and users alike.  In the interview, it is critical that it is the system that is examined and not the person who runs it.  These people are trying their hardest (in most cases), its just the tools, resources and environment that prevents them from running a successful process.  In 90% of the time it’s not people but the environment they are working in that causes the problem.  Most of these organisations are working at 100 mph with compulsory overtime needed to just get the basics done.  There is no time for future thinking, the fires are burning out of control and there are just not enough firemen to keep the place from burning down to the ground.

What I also find are organisations that are reluctant to change.  The last time somebody took a risk and it failed, they were punished.  You can bet the next time they don’t risk going out on a limb.  When I talk with these folk, I often find processes that are unwieldy, overly complex.  It’s not uncommon to see SOPs of 40, 50, 60 pages long.  No wonder there is a deviation at every turn.  These deviations then flood the investigation system.  With a 30 day to complete the investigation and a backlog, what happens next.  Well, they wait to day 28 or 29 because they are working on other things and are caught between a rock and a hard place.  Got to get it completed or I miss my goal of 30 days.  Get it signed off and off my desk and get the CAPA in place.  And what is the CAPA?  It’s usually retrain operator or rewrite SOP.  These are easy to think up and everybody is familiar with these.

And do you really believe that these two CAPAs are going to work and prevent a recurrence?  Absolutely not.  I was auditing a company recently and over 80% of CAPAs were retrain operator or rewrite SOP and that was for a set of recurring issues that did not go away over a 4 year period.  Complacency had set in.  Are we really that bad at training and writing that it does not solve the problem?  Or is the CAPA not directed at the right thing?  I think we all know the answer.

So what is my job?  First to look at systems and get them into three categories.

  1. Ones that are clearly deficient – these need major surgery.  Or they may not even be in place.
  2. Ones that are overkill – look for ways to back off what is being done
  3. Ones that meet the need – they are adequate although they may not be world class or one that you can proudly say are a 10/10 system.  At this stage, if it works at the right level, leave it. It does not have to be perfect.

Category 1 and 2 need the major work. These systems are really tools in a tool box to allow us to operate our business and these tools have lost the vision of what they were intended.  Instead of serving us to help us get the work done, they take on a life of their own.  These tools now control us and make us jump through hoops.

However, as my father once said, “If you can identify a problem, you are 50% on the way to the solution” And that is when the fun begins with getting these overworked people together to look for opportunity to eliminate non-value added work which will free up resources to put on the other Towering Inferno areas.  And its contagious.  Solve a problem once and the next problem is much easier to solve.

It’s these moments I really cherish.  When I see surgery on an overly complex process that brings a breath of fresh air to the people involved, those are the moments I look forward to.  The look in the eyes of the staff is what this job is all about.  And its fun.

You thought the Indian companies were taking a hammering. Better look to the US Pharmacies

April 26th, 2014 by

In the first quarter of 2014, 3 Indian companies were issued warning letter (see my posting on the blog) whereas 7 pharmacies were hit.  Statistically significant?  Perhaps.

After the debacle of the New England Compounding Center about a year ago, the FDA has been on a rampage in the Pharmacy world.  I am no lawyer but the way I read it is the pharmacies are using a loophole in the law centered around the  issues of FDA jurisdiction.  FDA basically regulates interstate distribution of drugs, so make a drug in state X and “export” it to state Y – yep FDA has jurisdiction. So the manufacturers of drugs are under FDA rule.

Now, pharmacies are allowed to take these drugs and dispense prescriptions.  So when you go to your corner pharmacist, you can see them dispensing.  Counting out pills and putting them into bottles.  Hardly much risk here so long as they don’t muddle them up, get them cross contaminated  etc.  But they can also do further dispensing.  For instance, they can take a sterile vial or bottle of a drug and dispense it to another sterile container.  Now this is another matter.  What we are describing is aseptic processing.  As we all know that’s a risky business.  How many manufacturers fall foul of the regulations in industry?  The number of warning letters are numerous.

But it seems that FDA can not step in unless there is a demonstrated safety calamity.  But we don’t want to wait for that each and every time.  So what can the FDA do?  Their tack is to inspect these operations when they suspect that the Pharmacy has overstepped their authority.  It seems that in a majority of the 7 letter this quarter they have seen that the pharmacies have been dispensing these aseptically prepared drugs without prescriptions and compounding several drugs together.  Some of these drugs have different regimes of taking the drug.  Ergo, they are no longer dispensing, but manufacturing.

Now when they go in and inspect they cite for lack of GMP adherences and the story goes on.  Call me naive, but if I go to a pharmacy, I want an assurance that the drugs I am receiving are not adulterated.  I don’t care who regulates them but I want it done properly.  Clearly the Boards of Pharmacy have not been doing a good job (they are the ones who regulate at a state level rather than FDA).  What we have here is a standard clash between Federal and state control – we see it every day in other matters but in this case they are using our health as a pawn in the game.

 

Keep up the good work FDA.

He is the link to the 7 warning letters

Nora Apothecary Services ,  Lowlite Investments DBA Olympia PharmacyPallimed SolutionsWedgewood Village PharmacyTotal Pharmacy Services ,Avella of Deer ValleyVillage Fertility Pharmacy