How to become EXCiPACT certified supplier

 

Introduction

According to this scheme, a pharmaceutical excipient supplier is certified upon completion of a satisfactory audit and a positive certification decision from a qualified 3rd party audit organization. The 3rd party audit organization in turn shall have been assessed and judged as competent by an accreditation body and EXCiPACT. In order to receive a valid certificate, the pharmaceutical excipient supplier… more

The certification process

Choice of certification body

It is essential that the supplier is assessed against the current version of the standard and that the standard is available throughout the certification process. The current standard of the scheme is available… more 

Agreement with 3rd Party Audit Organization

A contract shall exist between the supplier and the 3rd party audit organization. It is within the responsibility of the supplier to ensure that adequate and accurate information is given to the 3rd party audit organization to enable the 3rd party audit organization to select (an) auditor(s) with the required skills to undertake the audit. The 3rd party audit organization shall require completion of an official application form, signed by a duly authorized representative of the supplier.

Audit program, duration and costs

There shall be a two-stage initial audit (pre-audit, full audit, Corrective and Preventive Action (CAPA), Certification). At least annual surveillance audits and triennial re-certification – a frequency likely to be higher than any pharmaceutical company could manage, even for high risk excipients. The duration of audits shall be adjusted according to… more

Conditions required to grant Certification

The Audit Report lists observations and rates findings as life threatening, critical, major or minor. 3rd Party Technical Experts review audit report and findings, recommend certification if there are no life threatening, critical, no major without CAPA, and no minors that indicate failure of quality system element. The audit team of the 3rd party audit organization shall analyze… more

Changes, scope extension

Once certification has been granted, any changes that may affect the fulfillment of the requirements for the certification shall immediately be communicated to the 3rd party audit organization. This may be changes in the… more  .

Ongoing Surveillance Audits

The certificate expires three years after the date of issuance. In the intermediate period, surveillance audits shall be conducted at least once a year. These audits shall address all scheme… more 

Recertification every 3 years

Before the date of expiration of the certificate, a recertification audit shall be conducted. The purpose of this audit is to confirm the continued conformity and effectiveness of the quality management system as a whole. The fulfillment of all requirements is evaluated. The audit also includes… more

Communication with certification bodies

In the event that the supplier becomes aware of legal proceedings with respect to product safety or legality, or in the event of a product recall,… more

 

 

 

 

 

 

Introduction

According to this scheme, a pharmaceutical excipient supplier is certified upon completion of a satisfactory audit and a positive certification decision from a qualified 3rd party audit organization. The 3rd party audit organization in turn shall have been assessed and judged as competent by an accreditation body and EXCiPACT. In order to receive a valid certificate, the pharmaceutical excipient supplier shall select a 3rd party audit organization which is approved and licensed by EXCiPACT. The EXCiPACT scheme (Annex to ISO 17021:2006 Conformity assessment – Requirements for bodies providing certification of excipient management systems) stipulates detailed requirements that a 3rd party audit organization shall meet in order to gain approval. In addition, the auditors employed by the 3rd party audit organization shall meet the EXCiPACT Auditor competency standards (Annex to ISO 19011:2002). As a minimum, the 3rd party audit organization shall be accredited in accordance with the requirements and regulations of the EXCiPACT certification standard, ISO/IEC 17021 and ISO 19011. The process for certification of a pharmaceutical excipient supplier is outlined in this document.

EXCiPACT GMP and GDP standards are annexes to ISO 9001:2008 and it is particularly effective to have a simultaneous audit against ISO 9001 and the selected EXCiPACT standards.

Back to top

The certification process

Choice of certification body

It is essential that the supplier is assessed against the current version of the standard and that the standard is available throughout the certification process. The current standard of the scheme is available here.The supplier identifies if GMP and or GDP parts are needed. The standard should be read and understood and a preliminary self-assessment shall be conducted by the supplier against the requirements and guidance of the standard. Any areas of nonconformities shall be addressed by the supplier. Once the self-assessment has been completed and nonconformities addressed, the supplier selects a 3rd party audit organization (ideally the one that already provides them with ISO 9001 certification). EXCiPACTTM cannot advise on the selection of a specific 3rd party audit organization, but the supplier can find EXCiPACT approved certification bodies here.

Back to top

Agreement with 3rd Party Audit Organization

A contract shall exist between the supplier and the 3rd party audit organization. It is within the responsibility of the supplier to ensure that adequate and accurate information is given to the 3rd party audit organization to enable the 3rd party audit organization to select (an) auditor(s) with the required skills to undertake the audit. The 3rd party audit organization shall require completion of an official application form, signed by a duly authorized representative of the supplier.

Audit program, duration and costs

There shall be a two-stage initial audit (pre-audit, full audit, Corrective and Preventive Action (CAPA), Certification). At least annual surveillance audits and triennial re-certification – a frequency likely to be higher than any pharmaceutical company could manage, even for high risk excipients. The duration of audits shall be adjusted according to the scope and complexity of the GMP / GDP system and excipients produced (for orientation refer to clause 9 in the Annex to ISO 17021:2006 Conformity assessment – Requirements for bodies providing certification of excipient management systems). Costs (financial and time) are comparable to an overall ISO 9001 certification. There is also a certification fee payable to EXCiPACT through the 3rd party audit organisation which is currently €5,500 for a three year period.

If the supplier is applying for certification according to ISO 9001 he could simply extend the audit to the EXCiPACT certification. For the initial audit, the supplier shall agree a mutually convenient date or dates, with due consideration given to the amount of work required to meet the requirements of the scheme. The supplier shall provide the 3rd party audit organization with appropriate information to allow them to review the application and to assess the duration and the costs of the audit. There is a requirement on the supplier to plan carefully for the audit, to have appropriate documentation for the auditor to assess and to have appropriate staff available at all times during the on-site audit. The initial certification is carried out at the premises of the supplier and is conducted in two stages. In the first stage the documentation of the quality management system is evaluated. An important objective of this audit is to assess the preparedness of the supplier for the audit. Any areas of concern that could be classified as nonconformity shall be resolved before the stage 2 audit. In the stage 2 audit the implementation and effectiveness of the quality management system is evaluated.

Alternatively, suppliers who do not hold ISO 9001 certification will be able to obtain an equivalent certificate through the forthcoming US national standard (ANSI-NSF 363), which also uses the EXCiPACTTM GMP standard. All suppliers will, therefore, have the choice of which certification route to follow. In either case, the requirements will be the same.

Back to top

Conditions required to grant Certification

The Audit Report lists observations and rates findings as life threatening, critical, major or minor. 3rd Party Technical Experts review audit report and findings, recommend certification if there are no life threatening, critical, no major without CAPA, and no minors that indicate failure of quality system element. The audit team of the 3rd party audit organization shall analyze and review the findings of the stage 1 and stage 2 audit and report on the assessment. Nonconformities are pointed out and, where applicable, the effectiveness of the corrections and corrective action taken or planned by the supplier. On the basis of this audit report and any other relevant information (e.g. comments of the supplier on the audit report), the 3rd party audit organization shall make a certification decision. A certificate shall only be granted if all nonconformities are resolved. In case of minor nonconformities the 3rd party audit organization may grant certification if the supplier has a plan for correction and corrective action. The certificate shall be issued by the 3rd party audit organization typically within 30 calendar days after the 3rd party audit organization has reviewed, accepted and verified the effectiveness of the corrections and corrective actions and the plans of the corrections and corrective actions for the revealed nonconformities. The Audit Report – available to the pharmaceutical customer from the excipient supplier – may be redacted to show that confidential information has been hidden – but the substance of report will not be altered.

If any life-threatening nonconformities are identified then the 3rd party audit organization will recommend the supplier contact their customers and the relevant authorities immediately to alert them of the potential risks to patient safety and to keep them promptly informed with further communications. Should no evidence of such communications be seen then the 3rd party audit organization will notify EXCiPACT and EXCiPACT will also notify the supplier that immediate action is required, otherwise EXCiPACT will have to advise the relevant authorities of the risk to patient safety.

The users of the certificates are advised to verify that the scope of the certificate is clearly stated and this information is consistent with their own requirements. Whilst the certificate is issued to the supplier, it remains the property of the 3rd party audit organization which controls its ownership, use and display.

The supplier has the right to appeal the certification decision made by the 3rd party audit organization in accordance with the documented appeal handling process of the 3rd party audit organization. EXCiPACT will publish a list of the certifications granted, suspended and withdrawn on their homepage.

Back to top

Changes, scope extension

Once certification has been granted, any changes that may affect the fulfillment of the requirements for the certification shall immediately be communicated to the 3rd party audit organization. This may be changes in the products or manufacturing processes that may require extension of the scope of the certification, in the management and ownership of the supplier, the location etc. The 3rd party audit organization will then conduct a site visit to examine the consequences and determine any audit activities necessary. The 3rd party audit organization decides whether or not an extension may be granted. If an extension is granted the current certificate will be superseded by a new certificate using the same expiry dates as detailed in the original certificate.

Back to top

Ongoing Surveillance Audits

The certificate expires three years after the date of issuance. In the intermediate period, surveillance audits shall be conducted at least once a year. These audits shall address all scheme requirements including evaluation of internal audits and management review, review of actions taken on nonconformities identified in the previous audit, treatment of complaints, effectiveness of the quality management system, progress on continual improvement, operational control, review of changes and use of marks and references to certification. In case nonconformity is identified by the audit team, the 3rd party audit organization shall take a decision continuation, suspension or withdrawal of the certificate depending on the corrections and corrective actions of the supplier.

Back to top

Recertification every 3 years

Before the date of expiration of the certificate, a recertification audit shall be conducted. The purpose of this audit is to confirm the continued conformity and effectiveness of the quality management system as a whole. The fulfillment of all requirements is evaluated. The audit also includes a review of the system over the whole period of certification, including previous surveillance audit reports. Identified nonconformities are dealt with as described in the surveillance audits. The 3rd party audit organization makes a decision on renewing of the certification on the basis of the recertification audit, the review of the system over the whole period and complaints received from users of the certification.

Back to top

Communication with certification bodies

In the event that the supplier becomes aware of legal proceedings with respect to product safety or legality, or in the event of a product recall, the supplier shall immediately make the 3rd party audit organization aware of the situation. The 3rd party audit organization in turn shall take appropriate steps to assess the situation and any implications for the certification, and shall take any appropriate action.

Back to top