Managing Risk Through Manufacturing Audits

Paul D’Eramo

VP of Pharmaceutical Regulatory Compliance

Johnson & Johnson

September 16, 2014

1

FDA/PQRI Conference Evolving Product Quality September 16 & 17, 2014 Bethesda North Marriott Hotel & Conference Center

J&J manages compliance risk across the enterprise and

provides a holistic view of J&J compliance profile

550+ Sites 275 Companies

60 countries

3 Sectors: Pharmaceuticals

Consumer Medical Devices &

Diagnostics R&D

Manufacturing Packaging

Quality Systems Distribution

34 Quality Standards

$71.3 billion in sales

(2013)

128,100 employees

Our Challenge:

Identify, prioritize, and act on potential compliance concerns

Independent Audit Program

• Classic audit process augmented with innovative closed loop technique

• Independent identification of issues

• Measurement of site Quality Culture

• Ability to Respond, Remediate and to Sustain

Proactive Compliance

Scan

• Foundational utility based upon comprehensive measurements

• Facilitates identification and prioritization of compliance risk

Measurement Program

• Data captured at the site level

• Independent review and classification

• Aggregated to show sector and enterprise trends

Addressing the Challenge

Our multi-faceted approach is based upon risk management techniques* Independent Audit Program, Proactive Compliance Scan, Measurement Program

Independent Audit Program

Proactive Compliance

Scan

Measurement Program

“The Right Actions” *Identify, Assess, Respond & Monitor Compliance Risk

Proactively Drives

Independent Audit Program

Conduct Audit

Audit Focus Areas Management Responsibility / Organization, Laboratories, Facilities / Utilities / Equipment Quality / Compliance Systems, Material Control, Production / Packaging Systems Validation / Qualification, External Manufacturer / Supplier Mgmt, New Product Introduction

Classify Findings CRITICAL

MAJOR

MINOR

Standard definitions based on risk, determined by independent review outside the Audit group and applied consistently

Site Response

Classify Follow-up Strategy

A Measure of Quality Culture

Includes both interim control and final mitigation plan

A = significant issues that are systemic

B = some critical and major observations

C = majority of observations are major

D = majority observations are minor

Based upon classification of findings and site response acceptability; standard definitions based on risk, determined by independent review outside the Audit group and applied consistently

Monthly status report of all site remediation measuring the site’s and their management’s ability to: • remediate immediate issues and • implement sustainable processes

Independent Audit Program: Why does it work?

Independent Audit Program utilizes independence, skilled resources and

key measures to manage compliance risk

Independence: • Audits conducted by an independent group • Observations classified by an independent resource • Follow-up strategy determined by an independent

resource • The same criteria is used for internal findings as that

used for external events

Qualified Resources: • Trained auditors conduct audits • Subject matter experts with extensive compliance

expertise are independent resources • Resources with business and site knowledge work

closely with the sites engaging in remediation

Engagement: • Measures promote engagement :

• Metrics on observations provide insights for the Site

• A measure of Site Quality provides insight for management

This approach… Promotes consistent risk ranking Effectively identifies and prioritizes risk

to make best use of resources Considers both Site and Management

concerns Provides a measure of Site Quality

Culture

Proactive Compliance Scan

Site Compliance Risk Profile Identify, Assess

Remediation Approach

Assess/ Respond

Remediation and Verification

Monitor

Proactive Compliance Risk Scan is a foundational utility to facilitate

identification and prioritization of compliance risk across the J&J landscape.

• Site compliance and quality metric data are collected • An initial score is calculated based on a weighted risk ranking

• The Site’s risk ranking score is plotted against a J&J Supply Chain Risk Management tiered manufacturing site risk ranking

• A final risk ranking placement is determined and communicated

• Proactive remediation is implemented • Remediation progress is tracked and in

select situations, verified to closure

Proactive Compliance Scan

Legal Action

External Profile

Field Action

Regulatory Inspection

Product Lifecycle

Management

Internal Audit --

Quality System

Quality System Metrics (CAPA, Complaints,

Adverse Events)

Internal Profile

Process Capability

Contracted Services

Leadership Changes

Corporate Governance Profile

JJRC Audit Results

Audit Follow-Up

Results

Turnover/RIF

Internal Audit --

Results

Components of Site Compliance Risk Profile

Ris

k R

an

kin

g S

co

re

Supply Chain Risk Management Tier (Tier 3 to Tier 1)*

Proactive Compliance Scan

*A site prioritization approach for ensuring product supply continuity Considers the site’s product concentration, type of products manufactured, single source supply and Public Health

Self-Directed

Corrective Action Plan with Independent

Oversight

Self-Directed

Corrective Action Plan with Independent

Oversight

Comprehensive

Corrective Action Plan with

Independent verification

Heightened Monitoring

Heightened Monitoring

Self-Directed

Corrective Action Plan with

Independent Oversight

No Action

No Action

Heightened Monitoring

Proactive Compliance Scan: Why does it work?

Proactive Compliance Scan utilizes independence, skilled resources and

comprehensive measures to manage compliance risk

Independence: • Scan is architected by an independent group • Risk ranking score is calculated by independent

resources • Independent oversight provides assurance of

completion

Qualified Resources: • Subject matter experts with extensive compliance

expertise are independent resources • Resources with business and site knowledge

supplement the process findings

Engagement: • Site actively participates in the process providing

many of the metrics • Results provide insight for management highlighting

potential areas for improvement

This approach… Considers a set of comprehensive

measures – both compliance and quality metrics

Promotes consistent risk ranking Effectively identifies and prioritizes risk

to make best use of resources

Measurement Program

Key site compliance indicators are independently reviewed and classified,

prioritized based upon risk and monitored to closure.

Identify

Assess

Respond & Monitor

• External: site recalls, health authority inspections and regulatory actions

• Internal: audit findings, site quality measure

Independent resource reviews both external and internal data for

accuracy and assigns risk classification

Independently monitored to closure: • External: prioritized recalls,

inspections and regulatory actions • Internal: prioritized audit findings

Identify, Assess, Respond & Monitor Compliance Risk

Measurement Program

Recall Severity • S1 - Defect will cause serious adverse health consequences

• S2 - Defect may cause reversible adverse health consequences

• S3 - Defect not likely to cause adverse health consequences

• S4 - Not defective, will not cause adverse health consequences

Health Authority Inspections

Data Analytics

• A Health Authority inspection will be considered significant if any of the following apply: One

or more critical observations are noted; Two or more major observations are noted in the

same audit area; One or more repeat major observations from a previous inspection are

found.

• HA observations are classified in the same manner as the Independent Audit Program:

Critical, Major, Minor

Data Information Intelligence

Structured Data through comprehensive reporting

Provide meaning to information through

Subject Matter Expertise Raw Numbers

Utilizing data from both internal and external perspectives

presents a holistic view of risk

Measurement Program: Why does it work?

Independence: • Risk classification is determined by independent

resources

Qualified Resources: • Subject matter experts with extensive compliance

expertise are independent resources • Resources with business and site knowledge work

closely with the sites engaging in remediation

Engagement: • Site actively participates in the process providing

the external compliance data • Real-time reporting provides insight for

management highlighting potential areas for improvement

This approach… Promotes consistent risk ranking Effectively identifies and prioritizes risk

to make best use of resources Provides intelligence around raw data

for a holistic view of risk that betters support the business

Measurement Program utilizes independence, skilled resources and

data analytics to manage compliance risk

Pulling It All Together: Reporting

Comprehensive reporting up, down and across the J&J landscape

provides transparent awareness to all levels of management

Addressing the Challenge: A Proactive Approach

This multi-faceted approach to addressing our challenge… drives JJRC’s early identification of risk …

leading to “The Right Actions”

A Measure of Site Quality

Holistic View of Site Compliance

Profile

Key Compliance Indicators

“The Right Actions”

Early Identification

Independence

Qualified Resources

Engagement

Reporting

Critical Success Factors

Questions?

1