This may take You a couple of minutes to read, but You may find it worth Your while.
Just recently – during a (c)GMP-auditor training on how best to audit non-GMP suppliers, a participant asked me: „Can I not trust that when a material supplier has an ISO-xxx accreditation, that the material is always correctly labeled and that a mixup is adequately prevented? Or that the results of a certificate for analysis for a raw material batch are reliable? Or can I not assume that a company that holds an ISO9001 accreditation has their quality system fully documented? Are these basic things not part of what we can rely on when a supplier or vendor has an ISO-accredited quality system?“
These and other questions I received reflect some of the many silent assumptions that are made when a drug manufacturing company qualifies their suppliers and external service providers. But are these expectations realistic? Are they warranted by such ISO-standard based certifications? As a matter of fact: No. Many aspects which in a pharmaceutical quality sytem (GMP) are considered absolutely basic are not naturally paralleled in other standards such as for example an ISO9001 quality system or in an ISO13485 certified company. Not even if some words or terms in these standards sound exactly like vocabulary from the EU GMP Guide or from US cGMP such as 21 CFR. The claims which some non-GMP quality systems make or in fact do not make – those must be really understood when sourcing, qualifying and / or auditing GMP-relevant suppliers. Because otherwise heavy reliance is put on the very fact that an ISO-standard accreditation is simply there, assuming those certifications ascertain effective GMP-like management of product or service quality and – as a consequence – not really looking into all the potential issues during qualification and auditing.
And there is much confusion among GMP-auditors when it comes to the question: „How in the world should I GMP-audit a company that does not run a pharmaceutical quality system? What can I even ask for in the audit? What can I demand? So GMP-auditors most of the time find themselves between a rock and a hard place, thinking: „Well, real deal GMP I cannot require from the supplier, because they don´t claim to do GMP in the first place“, and: „…but still: the way things are done here at this supplier really are not sufficient at all when it comes to quality assurance! – Wow unto me – what should I do?“ This carries potential for wreaking major havoc on drug companies and more importanly on patients(!).
So let´s clarify some things when it comes to GMP-auditing of ISO-certified suppliers and service providers:
Pointer #1: Understand the Otherness of some ISO-Quality Systems.
- Understand that there are no natural parallels between for example a basic ISO9001 quality system and a Pharmaceutical Quality System. These standards are not a lean version of GMP. They are not GMP. Whatever You decide to look at during the audit, decide it not based on silent assupmtions of what the non-GMP standard „should probably be capable of“. During an audit: Do not look for any GMP-aspects within the ISO-system contents of the company – because it will just not be there. The typical ISO-systems do not claim actual pharmaceutical GMP, and even if they are oriented towards it – they are far away from its reality. And most non-GMP companies will not affirm either that they commit to GMP.
Pointer #2: The GMP-Standard Defines Your Expectations, Not the ISO-Standard.
- Make Your demands based on the GMP-Guide – no matter if the supplier is formally not bound to it. You(!) are bound to it though – and thus becomes(!) Your supplier bound to it. You do not have to accept statements like „We do not do this because our quality standard does not require this.“ What is required is determined by Your(!) standard, not by the supplier´s. If You as an auditor stoop down to a general willingness of accepting „what an ISO-company can do is what I must be content with“, then You will automatically let go of a significant degree of quality assurance – and especially as a GMP-auditor that is exactly what You are not supposed to do. And just for added clarity: A company can be ISO accredited, and still have had deviations from the ISO-norm in the accreditation audit. The certification system allows for this. And another clarification: Even in ISO-standards that are supposed to reflect certain GMP-aspects, for example ISO17025 – the accreditation typically stands for the fact that someone audited the clauses of the ISO norm, but that does not mean that these clauses are up to par with actual GMP, and it does not mean the the auditor tested for any suitability or robustness of even 1 of all those processes from the ISO-standard. So the burden of verifying what is really going on is on You as the GMP-auditor.
Pointer #3: GMP-like Key Personnel or a cGMP Quality Unit are Not a Given!
- Understand the Role and Standing of the Supplier´s Quality Management Unit! Going back to the example of ISO 9001: There is no GMP-like key personnel und no quality unit required in this stanadard. Two basic modes of Quality Management Departments are: (A) The QM does the administration for the Quality System, but is not or only little operatively involved in day by day quality decisions or workflows. In a situation like that the QM department may only be represented by 1 single person at site, not more, even if the site employs a three digit number of employees. At times there is even noone from QM on site at all, but only comes in for customer or ISO audits. Mode (B): The quality department is actively involved in quality-relevant processes, for example release of product. This is obvously better. Yet it is important for You to understand as a GMP-auditor: a fully independent Quality Unit with immediate quality oversight is really only necessary where Your own regulators require this likewise in Your own GMP quality system. And not every international regulator requires this (FDA expects it, EMA would not be as firm on this). However this means: Do not assume a Quality Department to be there, and do most certainly not assume a quality organization that employs an Quality Unit independent from physical operative groups and departments. You will need to assess during the audit whether this is a gap and a risk for a given supplier situation or not.
Pointer #4: You will likely have to Press on for Written Procedures and Records.
- Procedures and Records: You ask if the supplier keeps records for his operations. If he says yes, what he really means is that he keeps in line with an ISO standard phrase such as „documented information“. But this does not mean at all that the company has written or detailed procedures for all relevant operations or that records are availalble or filled out for any of those procedures and work steps. What „documented information“ really is, that highly depends on what a company deems relevant for being documented and what the company got away with during their ISO audit. In a non-GMP-company that is usually significantly less than what the GMP-auditor would expect or assume. So in the audit, You will only know for sure if a process is actually documented if You personally take a real look and see for Yourself. Do not even be content with text sections in an ISO quality manual saying that the company employs documentation of some sort. If You as the GMP-auditor need a certain process to be regulated in a written procedure, then You will have to ask for it specifically! And never simply believe if someone says „Yes we have that“ without really checking what „Yes we have that“ really means.
Pointer #5: There may be no Documentation of any Quality Risk Management.
- Risk Management is an important element to the ISO9001 systematic – although it is not necessarily quality risk management. Risk Management for ISO9001 includes not only identifying risks but also „chances“ / „opportunities“ – so the focus of risk management is not even remotely as quality oriented as it is in pharmaceutical GMP. It just does not compare at all. And even worse: The ISO9001 standard literally says that this does not necessarily need to be documented(!). For a GMP-audit this degree of freedom is fully unacceptable. You must(!) have documented proof that risks to quality – not to just anything – to QUALITY(!) – are adequately identified and controlled. Simply claiming this or trying to sell „all the rest“ of the quality system as „Risk Management“ is not enough. And as a GMP-auditor You walk on shaky ground if You accept this. The risk management effort must be traceable to documented decisions and measures. Otherwise knowledge and control of risk is not credible. You can debate about the degree and depth of such documents. But the presence of something(!) is not negotiable.
Pointer #6: Validation Can and Should be Demanded.
- Know that Validation Activities are a Legitimate Thing to ask for at an ISO-Accredited Supplier! Here a GMP-auditor should be aware that validation activities are in a sense optional in ISO9001. It will highly depend on what the supplier does and for whom. If a company produces a material for a pharmaceutical customer and if it is relevant for the customer that for example the production process is validated, then the company must do it. So here again: If the customer requires it, the supplier must do it! And it does not matter whether it concerns production, cleaning or analytical procedures. The supplier must ensure „controlled conditions“ in what he does – that is what ISO9001 asks for.
Pointer #7: Data Integrity is a Significant and Realistic Concern for Supplier Audits.
- Data Management and Data Integrity: This is very thinly stretched in non-GMP quality systems. Be aware: Data Management is not a quality management aspect that is typically on a supplier´s quality radar. Oftentimes even raw data are not kept (no saving of electronic data, no printers installed with analytical devices, etc.). These are significant gaps that cannot simply be accepted because a supplier says „we do not need this“ or „our ISO-auditor never wanted this“. That is no argument. ISO – particularly ISO 9001 is all about adjusting to customer reuqirements! And You are a customer with GMP-requirements. You can – and should – require adequate data governance. And missing raw data is a textbook example of a fundamental lack of such governance and state of control.
Pointer #8: Hygiene Concepts must be Carefully Reviewed for Justification and Reason!
- Hygiene Concepts with Cleaning, Sanitization and Hygiene Measures are oftentimes implemented. A Master-Document may be lacking though. The largest issue is that the hygiene measures including monitoring of particulates and microbes may not be thought through and thus largely ineffective. Rationales for sampling points and even for warning and acceptance limits often are completely missing. The company does something but has no idea why. And if a company does not know why they work according to given procedures, monitoring and acceptance limits, then this is not in control. Knowing the „Why“ is kind of the whole point in a Hygiene Concept. Sometimes the auditee will point to other ISO norms as „typical“ or „commonly applied“, but this will still not explain why the company works based on those norms and limits. They need to know why they do what they do, and if not they will have to accept requirements coming from You representing the customer.
Would there be more Pointers? Certainly. But these eight will give You a good first point of reference. It can be quite difficult to see through the fog of non-GMP quality management standards. But it pays off to deal with it.
The biggest challenge in all this is for You as a GMP-auditor: Accepting alternative ways of doing quality management, yet at the same time not forsaking the „must-haves“ coming from the GMP-stnadard to which You are accountable.
Es informiert Sie,

Dr. Dietmar Gross,
Apotheker &
Consultant