GMP-Auditing ISO-Certified Suppliers: Many Faces - Same Conclusion?
Before You read on, please let me clarify: What I am writing here is an appeal to correct what I believe to be a defective situation in the ISO accreditation system. Yet I highly respect the effort which ISO is putting into their norms and system concepts. I am also well aware that GMP / GxP historically owes quite a bit to ISO-quality management principles. And it is also understood that my impressions and experiences may not at all be representative for the industry. So cut me some slack - I mean well.
Multiple Situations - Same Conclusion?
Situation #1: Receiving Worrying Pointers about ISO-based Accreditations.
I am sitting with a friend somewhere in the US. We are having a private conversation about his and about my job. He is not in the pharmaceutical industry like I am, but he works helping health care institutions to optimize their quality processes. He is acquainted with a variety of non-GMP quality management standards.
As we talk about some of these quality management accreditations - many of which are ISO management standards in many contexts - I share my concerns about some certifications being issued with possibly not enough independence or decency of the accrediting auditors.
I say: "Isn′t it that a company could simply look for someone else if their accrediting auditor does not give them their certificate?" He smiles at me: "That′s exactly what happens."
This is not the first time that a person confirms to me what my hunch has been telling me for 10+ years now. Even reports of economic favors have come to my ears now accrediting an ISO-related standard to a company. Of course I can′t verify that, but it still worries me.
Situation #2: A Company Holding Various ISO-Based Accreditations.
I perform a training for a drug raw material supplier (pharmaceutical excipients). During the training a participant shares about a situation with an ISO quality system accreditor: "Well, at least he gave us his input when he mock-audited us... then later he performed our accreditation audit". I am rather buffled: "So You are saying Your ISO-accreditor made money with You as a consultant? And then(!) the same person performed the accreditation audit with You?" He answers my question: "Yes." Some time after this I receive verification of a seasoned ISO-experienced consultant: "That would definitely be not legit!" that′s what I had thought anyway, but it was good to receive confirmation.
Situation #3: An ISO9001 Accredited Company - (General) QM-System.
A client asks me to audit an ISO 9001 accredited company. The company has held the accrediation for more than a decade. My audit scope is not ISO, but pharmaceutical GMP, so I go in with rather basic expectations. As I ask for a complaint management process - one of the most clearly required ISO 9001 workflows - the Quality Manager tells me: "We don′t have that." I am surprised: "Well, would this not be a finding or a deficiency even in Your ISO accreditation audit...? How did You get this certificate?!" This time I get no answer at all.
Situation #4: ISO22000 - Food Safety / HACCP.
An ISO22000 (food safety) certified company prides itself with the regular review of their flagship quality sub-system: the HACCP for the food products they procude i.e. sell. It is a rather large company site. The company′s quality representative says: "We do this HACCP-review even with involvement of Senior Management, every 6 months!" I can tell that he is very proud of this. I take a look into the actual HACCP-document - the actual risk-analysis - the very core document : About 20% of all spaces are not populated, not actually done. ...what is going on...? "How can You hold this certificate with the HACCP not even completed....?! And how can this still not be completed if You even review this every 6 months...?!" No answer.
Situation #5: ISO22716 - Cosmetic GMP.
An ISO9001 and ISO22716 accredited company - cosmetic GMP. As we discuss the topic of training of personnel it turns out that the company does not have anything in writing about training: No training concept in writing! Nothing at all. I am as so many times very surprised and ask: "How could Your accreditor give You this certificate? You′ve had this now for several years!" We discuss this for the hygiene concept. Same result No written concept in place. We discuss it for cleaning of equipment: No written concept in place... And yet: ISO 22716 was accredited.
Now would You...
...believe me if I said: I can continue this list with situations from ISO13485 companies, from ISO17025 accredited firms, ISO15387 establishments, material suppliers, software developers... It seems like it is always the same.
The (my) conclusion that comes from all these scenarios: Where an ISO-quality standard is accredited, I (and this may just be me) can simply not know what it actually stands for, at times not even if the very ISO-contents are adequately implemented. That - for me - is a tough lesson to learn - from a "class" which has been in session for me for more than 10 years now. ISO is not GMP. - I know that. But ISO should at least be ISO. And I am simply not sure if that is the case.
The standards themselves for the most part - I find really excellent! But there is a rather big gap when it comes to the reality in the actual companies. Document Management, Hygiene Concept, Qualification / Validation of Company Equipment, HACCP-Documentation ... all those things are clear enough requirements in their associated ISO standards. And more often than not, even these things are just not there. And still it is apprently ok that the certificates are issued, and with them a bill of course. And still others place trust in these accreditation papers! And this trust - in my experience - is often just not fully founded.
This may sound like a curt verdict, but given that many of these companies serve as pharmaceutical suppliers impacting patient safety and wellbeing, I think it is more than adequate to speak openly about this. I have been in the position and responsible to release drug product batches to the market, including steril products, and others. It is rather aggravating when You realize that the GMP-industry hangs (and has to hang) heavy quality-weigths in very thin wires when it comes to reliance on their suppliers′ quality accreditations. No wonder that supplier audits are so desired by drug regulatory authorities.
The Conclusion for the GMP-Auditor
Given experiences like these, it should not come as a surprise to GMP-Auditors that auditing an ISO-certified supplier according to its own ISO-standard will get You next to no gain in understanding if the company is suitable or not. There seems always to be some excuse why things that formally should really be implemented - ISO-elements - are simply not. And so there is really almost no direct connect of key quality system parts to those elements You would hope for from a GMP-perspective.
So better apply GMP as an audit standard and evaluate how much is lacking, rather than trying to make ends meet with what is there at the supplier and somehow make it work with only the ISO-system more or less in place.
But how can You justify before the supplier, that You want to see a GMP-like Quality Management and not(!) only an ISO-QMS-backbone? I will try and show this in the next blog post.
Field Application Specialist | Advanced Therapies | Cell and Gene Therapies | iPSCs Enthusiast
4 年Good read! You raise quite compelling arguments, from valuable personal experience, on doubting certifications without the corresponding documentation to back it. I think this statement is succinct: "Alles, was nicht dokumentiert ist, ist formal nicht durchgeführt worden" - Not documented, not done! - whether under GMP or ISO and pharmaceutical companies should really do due diligence in qualifying their suppliers. Looking forward to your next article.