Audits are a vital quality-management tool in the biopharmaceutical industry. Whether the activity is verifying supplier or partner qualifications, contributing to corrective and preventative actions (CAPAs), or fulfilling regulatory requirements, proactive auditing is key to successful operations. Over the past couple of years, virtual audits — also known as remote or distance audits — have enabled biopharmaceutical companies to maintain compliance and quality-assurance (QA) demands despite COVID-19–related travel restrictions and social-distancing protocols. Now that the world is opening up again, the benefits of virtual audits have not been forgotten, and despite their difficulties, they are likely to remain an important tool in the industry’s toolbox.
Now that regulators, subject-matter experts (SMEs), and other stakeholders can observe and review facilities on site, we might wonder what purpose virtual audits serve and what benefits still could be leveraged. Pandemic-related restrictions to travel and facility access taught us how to find alternative ways of obtaining information. The public-health emergency also gave us an opportunity, borne out of necessity, to test and refine the processes required to perform virtual audits effectively. That period of experimentation demonstrated how useful virtual auditing can be when getting on site and into a manufacturing suite is infeasible because of safety or quality concerns that might be associated with specific products such as cytotoxic or highly potent medicines. It is also incumbent on industry professionals, as citizens of the world, to limit unnecessary travel. When used appropriately, virtual auditing could be one way of fulfilling that responsibility.
But many people are asking about how to incorporate virtual audits into standard auditing plans now that the world is accessible again. Developing an effective auditing strategy can help biopharmaceutical companies integrate virtual auditing successfully. Such a strategy should begin with risk-based evaluation of a facility’s or supplier’s suitability for virtual review, including its readiness to host and facilitate a meaningful audit experience. Based on the risk associated with the auditee on an audit plan, a company must decide whether a virtual review could work, when it would be most appropriate (e.g., during qualification or a surveillance audit), and what additional risks would be incurred relative to those for an onsite visit. The audit strategy also needs to specify whether a virtual audit will replace an onsite one when both options are available or will serve as an adjunct to reduce rather than replace the need for onsite audits.
Once such elements have been agreed upon, a company should develop a complete and comprehensive audit plan, ensuring that corporate procedures are revised to cover virtual processes. Planning should include development of a remote agenda system as well as options and supports for information and communications technologies (ICTs). Those elements might be in place already if a company used virtual auditing during the pandemic, but they should be reviewed and revised to ensure that they remain relevant to virtual audits, which, in a hybrid strategy, will be performed alongside onsite audits.
When COVID-19 compelled biopharmaceutical companies to take the virtual pathway, key considerations included document access, security, and confidentiality. Companies also sought out the best approaches for providing comprehensive facility tours from a distance. Those concerns have not changed. An effective model for virtual-audit workflows remains important to ensuring regulatory compliance for such elements and will coincide with the workflow for onsite audits.
Why Virtual Audits Are Here To Stay
Even before the emergence of SARS-CoV-2, virtual audits offered a way to reduce the time and expenses needed for site-based audits while suitably checking and challenging manufacturing systems and procedures. Many facilities had adopted remote internal or external audits to manage reviews involving high-potency products, aseptic cores, and other elements that might pose risks to inspectors and/or pharmaceutical products. The pandemic forced companies to test the processes and systems supporting virtual audits when those became the only review option available. Consequently, the biopharmaceutical industry has refined virtual-audit systems such that they are viable and compliant alternatives when onsite inspections offer no additional benefits for review. The industry must take what has been learned and use it wisely to develop audit plans that increase flexibility and reduce reliance on stakeholder travel.
Embracing the Benefits: For some situations, such as cases involving high-risk contract manufacturing organizations (CMOs) and suppliers, nothing will replace having an auditor on site to observe operations on the factory floor. However, when virtual audits have been deemed appropriate, they offer several benefits over their site-based counterparts.
In terms of timing and attendance, virtual audits offer considerably more flexibility than do onsite audits. Auditors and auditees are required to perform far less juggling of schedules than would be needed to get multiple people in the same physical space simultaneously. Issues such as travel delays no longer threaten to derail audits, and differences in time zones become much less prohibitive.
Elimination of travel and related lodging and meals significantly decreases both direct expenses and resource use. Travel reduction also decreases a company’s carbon footprint, creating environmental benefits. In terms of operational efficiency, spending less time on site-based audits can enable auditors to perform more reviews within the same period. Virtual audits also reduce the number of visitors admitted to a facility, thus diminishing disruptions to operations and, in some cases, contamination risks.
Overcoming Obstacles: To take full advantage of such benefits, biopharmaceutical companies tried during the pandemic to address possible problems with remote auditing. For instance, the pandemic increased many organizations’ adoption of remotely operable ICTs, which in turn highlighted the need for robust, reliable information security and protection of confidentiality. Along with adequate wireless-network protocols and/or broadband access, such capabilities simplify a virtual auditing process.
Companies that have yet to implement such measures — e.g., because they still rely on paper documentation systems, use old infrastructure, or lack high-speed Internet access — still should be encouraged to implement them even though onsite audits are again possible. When working with small suppliers and underresourced companies, biopharmaceutical companies might consider providing training on new ICT platforms
and/or access to low-cost, cloud-based services.
Auditors also will need reliable ICT and a suitable work environment that minimizes interruptions, noise, and other distractions when they are performing remote audit reviews. As with suppliers and onsite personnel, auditors might need to be trained to work with new systems and platforms that are used to facilitate an audit.
Another difficulty arises in providing auditors with sufficient objective evidence. After all, audits are intended to gather such evidence for use in evaluating the adequacy of system controls and to ensure a facility’s or supplier’s compliance with policies and operational procedures set forth by customer companies and regulatory agencies. Biopharmaceutical companies should determine the best ways to relay evidence to auditors while maintaining the security and confidentiality of privileged information. Companies should consider
• whether the audit can include real-time images of the facility
• whether interviews and feedback can be recorded
• how to ensure that the auditor receives an objective and thorough view of the facility, including its equipment, operations, and controls
• how to provide remote access to relevant information without compromising confidentiality
• what type of file sharing is appropriate, and what levels of access must be established
• whether a given cloud-storage plan will be sufficient for secure document transfer
• which documents can be viewed online using a camera, and which ones need to be printed and delivered by a courier.
Answering such questions is a key part of planning an effective virtual audit.
Preparation — the Key to Audit Success
Assess Risk: Although preparation for a virtual audit is, in essence, the same as that for an onsite review, particular attention is needed in specific areas. The first step is to determine whether a remote audit is indeed appropriate for a given situation. If necessary, companies can perform risk assessments — e.g., to evaluate a supplier’s impact on product and quality history and then, based on that study, to prioritize supplier audits and decide the best way to perform a virtual audit if one is deemed to be appropriate.
Update Procedures: Another important step — one that should precede audit scheduling — is to review and, if necessary, revise corporate standards, site policies, and company procedures to include information about performing remote audits correctly. Accurate, updated, consistent documentation helps both auditors and auditees optimize the efficiency and efficacy of a remote review.
Adjust the Agenda: Documentation provided to an auditee should include an agenda. For a remote review, specific information should be added to address technology considerations. Begin with your standard site-based agenda, then adapt each item to explain how it will be delivered remotely and which technology will facilitate that transition. For example, video conference calls can replace opening and closing meetings. Video calls also can be used in place of in-person discussions with SMEs. Documents can be uploaded to a secure, cloud-based file-share program to facilitate document review. And onsite facility tours can be replaced with video conferencing, perhaps featuring mixed-reality glasses and a 360-degree camera.
Note that a virtual-audit agenda must be more detailed than one for an onsite review. Include the method and time to completion of each deliverable, schedule meeting times with specific people, and include time for breaks and document review.
Indicate Approved ICT Tools: Procedures should specify acceptable ICT options. Choose robust solutions that facilitate audit objectives. Additional but unnecessary bells and whistles are not worth the frustration and lost productivity created by difficult implementation or a steep learning curve.
A company that performs or is subject to an audit should balance accessibility and security. Data protection and cybersecurity are serious considerations, especially when pharmaceutical intellectual property (IP) is concerned. However, security measures that complicate access to necessary resources are counterproductive.
Specify preferred backups in case of technological troubles. If a company prefers to work with the Zoom video-conferencing tool, for example, which software will be used if that platform is unusable for some reason? Which file-sharing application is preferred, and which option will serve as backup?
It is important that everyone involved in implementing, operating, and maintaining a conferencing platform understands both its functionality and limitations. Companies should consider
• whether images will be provided in real time or recorded beforehand
• whether interviews and meetings can be recorded and/or transcribed
• what security features are available and how their efficacy can be verified
• what security vulnerabilities are known and how dedicated the platform vendor is to security
• how well the platform can share objective views of facilities, equipment, operations, and controls
• how relevant information will be accessed and what options are available for access control
• what features are available to share documents in a cloud-based system
• what tools are available to guide inspectors through a document in real time.
Similar concerns emerge when verifying the accuracy of provided audit data. How will verification be performed? What technologies can be used to support that effort? Know that planning and documented procedures for the verification step must be set forth in more detail than is required for site-based audits.
In making such decisions, companies also will need to consider and mitigate technological difficulties for their partners, suppliers, and auditors. Companies should seek out platforms with staying power from vendors that have a demonstrably reliable system of product support.
Sharing and Securing Data: Apart from ensuring the ability to share, review, and verify data remotely, companies must consider the regulatory and security implications of doing so. As we have navigated toward a “hybrid” workplace since the onset of the pandemic, cybersecurity processes and requirements have been embedded in our daily work. Standard cloud-based document-sharing solutions such as the Microsoft Teams and Box platforms usually can meet basic security requirements. Teams software also enables meeting recording and transcription. Such capabilities can be useful when streamlining a virtual-audit process, yet they raise additional complications surrounding cybersecurity best practices and compliance with laws such as the EU General Data Protection Regulation (GDPR). Companies should ask
• whether a given video-conferencing platform provides for end-to-end encryption
• whether a GDPR assessment of the ICT platform has been performed
• whether all participants have provided consent to be recorded
• where and how secure recordings will be stored, accessed, and exchanged
• what process will be used for deleting recordings that are no longer required
• whether platform servers are located inside or outside the European Union (or the regulatory jurisdictions you work with), and what security measures are in place
• how easily third parties could gain access to information that is managed through the ICT platform.
Conducting Facility Tours: Once a company is satisfied that a virtual audit is feasible and appropriate, many tools can be used to provide a comprehensive facility tour. For example, Google Maps software can give a street view of a manufacturing site, and drones enable auditors to view around and inside the facility. Live streaming using mobile technologies such as a 360-degree camera can provide more-detailed views. Auditors might even be able to review video or recordings from in situ cameras on the manufacturing floor.
Photographs and facility blueprints can offer additional facility details. Emerging technology can be leveraged to combine approaches for an even more realistic experience. Consider three-dimensional mapping, augmented reality (AR) systems that overlay computer-aided design (CAD) drawings onto video recorded by mobile 360-degree cameras, and virtual reality (VR) demonstrations of activities that simulate operations in a safe remote environment. Artificial intelligence (AI) also is expanding the boundaries of possibility for virtual audits (1, 2).
Moving Toward a Virtual Future
Even though pandemic lockdowns and travel restrictions have eased, the reduced cost, time, and environmental impact of virtual audits make them a viable option for biopharmaceutical-industry operations. Drug companies can improve the success of such audits by developing well-considered plans and virtual-auditing strategies.
1 Chapman J. How AI Tools Will Transform Quality Management in the Life Sciences. Pharm. Online 16 April 2018; https://www.pharmaceuticalonline.com/doc/how-ai-tools-will-transform-quality-management-in-the-life-sciences-0001.
2 Krishnamurthy K. AI Is Transforming Industrial Inspection. Innovate UK Blog Archives 14 February 2019; https://webarchive.nationalarchives.gov.uk/ukgwa/20210728193125/https://innovateuk.blog.gov.uk/2019/02/14/ai-is-transforming-industrial-inspection.
Kate Coleman is a senior director/principal consultant and head of Quality Management and Compliance for the United Kingdom and Ireland, as well as the solution lead for Business and Portfolio M&A at PharmaLex Ireland; firstname.lastname@example.org.