Why Didn’t the Internal GMP Audit Group Identify that Before the Health Authorities?

The FDA inspection observations continue to identify the shortcomings in many of the same areas over the last five or more years. That begs the question why. Does the FDA rapidly shift its focus in that short a time period? Are they applying novel interpretations that the industry has not anticipated? Alternatively, is the internal GMP audit group focusing on the wrong areas? Or is management downplaying the internal audit findings saying something along the lines of “The FDA has reviewed that program and not found any faults, so no, we’re not making any changes – particularly the costly ones.” Let’s take a look at the various options.


In my opinion, the FDA has been largely consistent in their inspection focus. We’ve seen periods where high purity water systems were the focus, then process and cleaning validation, then packaging multiple drug product lots into a single packaging lot, and for the last few years, it’s been data governance and data integrity. Usually, the industry gets the message and proactively remediates their own processes, or the FDA decides that the focus needs to be shifted. I don’t generally see the FDA modifying their interpretation or application of existing regulations. One change we have seen in the past couple of years is many new inspectors who will need to come up the learning curve which will take time. Even the data integrity flurry we’ve all been aware of for the past few years has been developing for the last almost 20 years, and anyone who has monitored warning letters and 483s has seen this. In my opinion, the Able Laboratories 483 from 2005 was a watershed moment that should have prompted a shift in procedures and practices. While there have been some changes in emphasis over the decades, the past ten years or so has seen no inherently novel interpretation of existing regulations.

Let’s look at an example that has been an FDA focus for years. The topic of ‘investigations’, 21 CFR 211.192, and their shortcomings have been on the top of the list for years. In the device area, it’s been there for over 10 years. And while I haven’t tabulated the drug data going back that far, it’s been at the top of the drug inspection list for at least four years (you can read more here 2016 Inspection Observations and 2016 Warning Letters). So, what are the problems here? Shortcomings repeatedly cited include:

  • Failure to identify root cause or probable root cause
  • Failure to extend the investigation to other lots that may reasonably be associated with the deviation
  • Conclusions are not supported by the data provided and
  • No corrective or preventive actions are identified and implemented.

I doubt that any of us would consider these shortcomings to be novel or over-reaching.


Another reason we might be seeing the same problems in 483s is that the internal audit groups may not be identifying them as problems. The corporate audit groups should always evaluate FDA warning letters, 483s and other enforcement actions to determine the areas of focus for the agency and the practices that are deemed problematic or deficient. The audit group(s) should participate in ongoing training — either internal or at external training opportunities. It is also unrealistic to expect that someone with limited GMP experience can be an excellent auditor, and reaching that level of expertise takes experience and time. Rotating junior staff through an audit program for two to three years may not serve the company well. Further, it is valuable for auditors to have experience at firms outside their own to ensure they have an appreciation for the many ways to ensure compliance with requirements.

Consider an inspection by a new FDA investigator who has only participated in one or two inspections. They generally fail to identify the critical deficiencies at a firm, and focus on items such as “failure to follow procedures.” They have not yet developed the skill to be able to ‘connect the dots’ or even to know which ‘dots’ need to be connected. I also wonder if, after a while, even good corporate auditors don’t tend to become victims of something akin to the “Stockholm syndrome” used in reference to kidnap victims who begin to identify and sympathize with those who are holding them.

An evaluation by a knowledgeable internal audit group should be more rigorous than a regulatory authority, particularly because they have a detailed understanding of the firm’s quality processes and procedures and should have a sense of where the problems may reside. Rigorous audits by experienced auditors can go a long way to prevent ‘surprises’ when health authorities conduct their audits.

I’ve recently become aware of a pharma company that holds its corporate GMP auditors responsible for preventing inspection surprises. When a surprise occurs during a health authority inspection, the internal audit group gets to explain why that happened. This seems to be a practice worth considering. Or at the very least, when inspection observations are identified by health authorities, it should be determined whether these were previously identified by the internal audit groups, and, if so, why the remediation was not sufficient to prevent the inspection observation from being cited by the health authorities.


Warning letters continue to remind us that “your executive management remains responsible for fully resolving all deficiencies and ensuring ongoing CGMP compliance.” Critical and repeated major observations or those which occur at multiple sites during corporate audits should be considered at Management Review. Management should ensure that the audited areas respond to the audit report in a timely manner, maybe 30-45 days, and that the responses are adequate. Often in smaller firms, it sometimes seems that internal audit reports are simply ignored. In other instances, it’s sometimes determined that “the agency has evaluated that during the last inspection and found no problem, so no, we’re not going to remediate that.” While it’s appropriate to make an executive level decision not to remediate an issue, using as the justification that this has never been cited by the health authorities is done at risk.  Agency inspections, just like internal audits, provide a snapshot in time driven by a variety of purposes and needs. Just because an observation was not made at an inspection does not guarantee that the area is without problems and won’t be cited in the future. This is particularly true of pre-approval inspections (PAI) where the purpose is different from that of a routine periodic GMP inspection.

Similarly, management should hold the internal audit group responsible for providing in-depth focus on areas that may negatively impact product quality and patient safety. Management should empower their GMP audit groups to perform rigorous evaluations. They should ensure that auditors are the ‘right’ people with the appropriate skills, on-going education, and management support. Finally, management should ensure auditors are supplemented by a comprehensive GMP Intelligence program that keeps auditors and the firm up to date on enforcement actions and trends.


The same observations continue to be identified over the years, but this is likely not due to changing FDA interpretations or application of regulations and guidance. While this does happen on occasion, it is not a significant reason that we continue to see the same observations year over year.

I suggest that the real problem may be a lack of effective partnership between executive management and the GMP audit groups. Audit groups should be highly valued within the firm and should be composed of individuals with significant expertise in the interpretation and application of GMP requirements and expectations. These individuals should be critical thinkers who not only know how to “connect the dots” but more importantly which “dots” need to be connected. The audit program should be managed to ensure focus in the areas where health authorities focus their inspection and enforcement activities. A comprehensive GMP Intelligence program that identifies GMP enforcement actions and trends supports this. Audit reports should address areas important to product quality and patient safety and not simply “failure to follow procedures” without being driven by impact to patient safety and product quality.

Upper management should ensure that audited area management responds to the report in a timely and thorough manner. Management should review the audit program and ensure that critical observation and repeated or multiple-site major observations are addressed appropriately. Better to have a critical deficiency identified during an internal audit than wait for a regulator to find that same deficiency. Also, when a regulatory authority inspection uncovers a serious issue not previously identified, it’s worth considering why that happened and what can be done in the future to prevent the recurrence. It may not be a simple solution, but it’s worth looking for the reason(s) and considering potential solutions. Success requires an effective partnership between a strong GMP audit team and management.