FDA/PQRI Conference
Evolving Product Quality
September 16 & 17, 2014
Bethesda North Marriott Hotel & Conference Center
Managing Risk Through
Manufacturing Audits
Paul D’Eramo
VP of Pharmaceutical Regulatory Compliance
Johnson & Johnson
September 16, 2014
1
J&J manages compliance risk across the enterprise and
provides a holistic view of J&J compliance profile
550+ Sites
275 Companies
60 countries
R&D
Manufacturing
Packaging
Quality Systems
Distribution
3 Sectors:
Pharmaceuticals
Consumer
Medical Devices &
Diagnostics
$71.3 billion
in sales
(2013)
34 Quality
Standards
128,100
employees
Our Challenge:
Identify, prioritize, and act on potential compliance concerns
Addressing the Challenge
Our multi-faceted approach is based upon risk management techniques* Independent
Audit Program, Proactive Compliance Scan, Measurement Program
Independent
Audit Program
Measurement
Program
Proactive
Compliance
Scan
Proactively Drives
“The Right Actions”
Independent
Audit Program
Proactive
Compliance
Scan
Measurement
Program
• Classic audit process augmented with
innovative closed loop technique
• Independent identification of issues
• Measurement of site Quality Culture
• Ability to Respond, Remediate and to
Sustain
• Foundational utility based upon
comprehensive measurements
• Facilitates identification and
prioritization of compliance risk
• Data captured at the site level
• Independent review and classification
• Aggregated to show sector and
enterprise trends
*Identify, Assess, Respond & Monitor Compliance Risk
Independent Audit Program
Conduct Audit
Audit Focus Areas
Management Responsibility / Organization, Laboratories, Facilities / Utilities / Equipment
Quality / Compliance Systems, Material Control, Production / Packaging Systems
Validation / Qualification, External Manufacturer / Supplier Mgmt, New Product Introduction
Classify Findings
CRITICAL
MAJOR
MINOR
Standard definitions based on risk, determined by independent review
outside the Audit group and applied consistently
Site Response
Includes both interim control and final mitigation plan
Classify Follow-up
Strategy
Based upon classification of findings and
site response acceptability; standard
definitions based on risk, determined by
independent review outside the Audit
group and applied consistently
A Measure of
Quality Culture
Monthly status report of all site
remediation measuring the site’s and
their management’s ability to:
• remediate immediate issues and
• implement sustainable processes
A = significant issues that are systemic
B = some critical and major observations
C = majority of observations are major
D = majority observations are minor
Independent Audit Program: Why does it work?
Independent Audit Program utilizes independence, skilled resources and
key measures to manage compliance risk
Independence:
•
•
•
•
Audits conducted by an independent group
Observations classified by an independent resource
Follow-up strategy determined by an independent
resource
The same criteria is used for internal findings as that
used for external events
Qualified Resources:
•
•
•
Trained auditors conduct audits
Subject matter experts with extensive compliance
expertise are independent resources
Resources with business and site knowledge work
closely with the sites engaging in remediation
Engagement:
•
Measures promote engagement :
• Metrics on observations provide insights for
the Site
• A measure of Site Quality provides insight for
management
This approach…
 Promotes consistent risk ranking
 Effectively identifies and prioritizes risk
to make best use of resources
 Considers both Site and Management
concerns
 Provides a measure of Site Quality
Culture
Proactive Compliance Scan
Proactive Compliance Risk Scan is a foundational utility to facilitate
identification and prioritization of compliance risk across the J&J landscape.
Site Compliance
Risk Profile
•
•
Site compliance and quality metric data are collected
An initial score is calculated based on a weighted risk ranking
Identify, Assess
•
Remediation
Approach
Assess/ Respond
•
The Site’s risk ranking score is plotted against a J&J Supply
Chain Risk Management tiered manufacturing site risk
ranking
A final risk ranking placement is determined and
communicated
Remediation and
Verification
Monitor
•
•
Proactive remediation is implemented
Remediation progress is tracked and in
select situations, verified to closure
Proactive Compliance Scan
Components of Site Compliance Risk Profile
External Profile
Legal Action
Field Action
Internal Profile
Corporate Governance
Profile
Leadership Changes
Process Capability
JJRC Audit Results
Internal Audit -Quality System
Contracted Services
Audit Follow-Up
Results
Internal Audit -Results
Product Lifecycle
Management
Regulatory Inspection
Quality System Metrics (CAPA, Complaints,
Adverse Events)
Turnover/RIF
Risk Ranking Score
Proactive Compliance Scan
Self-Directed
Corrective Action Plan
with Independent
Oversight
Self-Directed
Corrective Action Plan
with Independent
Oversight
Comprehensive
Corrective Action
Plan with
Independent
verification
Heightened
Monitoring
Heightened
Monitoring
Self-Directed
Corrective Action
Plan with
Independent
Oversight
No Action
No Action
Heightened
Monitoring
Supply Chain Risk Management Tier (Tier 3 to Tier 1)*
*A site prioritization approach for ensuring product supply continuity
Considers the site’s product concentration, type of products manufactured, single source supply and Public Health
Proactive Compliance Scan: Why does it work?
Proactive Compliance Scan utilizes independence, skilled resources and
comprehensive measures to manage compliance risk
Independence:
•
•
•
Scan is architected by an independent group
Risk ranking score is calculated by independent
resources
Independent oversight provides assurance of
completion
Qualified Resources:
•
•
Subject matter experts with extensive compliance
expertise are independent resources
Resources with business and site knowledge
supplement the process findings
Engagement:
•
•
Site actively participates in the process providing
many of the metrics
Results provide insight for management highlighting
potential areas for improvement
This approach…
 Considers a set of comprehensive
measures – both compliance and
quality metrics
 Promotes consistent risk ranking
 Effectively identifies and prioritizes risk
to make best use of resources
Measurement Program
Key site compliance indicators are independently reviewed and classified,
prioritized based upon risk and monitored to closure.
•
Identify
Assess
Respond
& Monitor
•
External: site recalls, health
authority inspections and
regulatory actions
Internal: audit findings, site
quality measure
Independent resource reviews both
external and internal data for
accuracy and assigns risk
classification
Independently monitored to closure:
• External: prioritized recalls,
inspections and regulatory actions
• Internal: prioritized audit findings
Identify, Assess, Respond & Monitor Compliance Risk
Measurement Program
• S1 - Defect will cause serious adverse health consequences
Recall Severity
• S2 - Defect may cause reversible adverse health consequences
• S3 - Defect not likely to cause adverse health consequences
• S4 - Not defective, will not cause adverse health consequences
Health Authority
Inspections
• A Health Authority inspection will be considered significant if any of the following apply: One
or more critical observations are noted; Two or more major observations are noted in the
same audit area; One or more repeat major observations from a previous inspection are
found.
• HA observations are classified in the same manner as the Independent Audit Program:
Critical, Major, Minor
Data
Data Analytics
Raw Numbers
Information
Structured Data through
comprehensive reporting
Intelligence
Provide meaning to information
through
Subject Matter Expertise
Utilizing data from both internal and external perspectives
presents a holistic view of risk
Measurement Program: Why does it work?
Measurement Program utilizes independence, skilled resources and
data analytics to manage compliance risk
Independence:
•
Risk classification is determined by independent
resources
Qualified Resources:
•
•
Subject matter experts with extensive compliance
expertise are independent resources
Resources with business and site knowledge work
closely with the sites engaging in remediation
Engagement:
•
•
Site actively participates in the process providing
the external compliance data
Real-time reporting provides insight for
management highlighting potential areas for
improvement
This approach…
 Promotes consistent risk ranking
 Effectively identifies and prioritizes risk
to make best use of resources
 Provides intelligence around raw data
for a holistic view of risk that betters
support the business
Pulling It All Together: Reporting
Comprehensive reporting up, down and across the J&J landscape
provides transparent awareness to all levels of management
Addressing the Challenge: A Proactive Approach
This multi-faceted approach to addressing our challenge…
drives JJRC’s early identification of risk …
leading to “The Right Actions”
A Measure
of Site
Quality
Independence
Key
Compliance
Indicators
Holistic
View of Site
Compliance
Profile
Critical Success
Factors
Qualified
Resources
Engagement
Early Identification
Reporting
“The Right Actions”
Questions?
1