1
How do you handle a hostile auditee?
Members were unanimous: professionalism and patience are the tools that work. Several stressed the importance of not mirroring the auditee's anxiety and of clarifying early that the process is not personal. Open questions were favoured over confrontation.
What members said
Remain pleasant and professional. Be factual. Focus on the agenda and the audit. You don't need to leave the audit as best friends.
The key is to not mirror their anxieties, or jump to conclusions just based on their reaction; it could be that they're reflecting on previous bad experiences.
Take a breath, and ask them open questions to get them round to the way that you're thinking, focus on the facts.
Key takeaway
Stay factual, clarify that the audit is about the process not the person, and use open questions to guide the conversation. Do not mirror hostility.
2
When a sponsor takes a different approach than the guideline suggests, how do I evaluate whether that is justified by risk assessment?
Responses centred on the non-negotiable principles: patient safety, data integrity, and participant rights. Members referenced ICH Q9(R1) as the key benchmark, noting that risk management cannot be used to justify practices that would otherwise be unacceptable. The degree of concern depends on how far the sponsor deviates and how prescriptive the guideline is.
What members said
Their approach must address issues of patient safety, confidentiality, and data integrity.
As per ICH Q9(R1): quality risk management should not be used in a manner where decisions justify a practice that would otherwise be deemed unacceptable.
It depends on the different approach and how far from the guidelines they're deviating.
Key takeaway
Evaluate alternative approaches against patient safety and data integrity. ICH Q9(R1) is the reference point. Risk management is not a loophole for non-compliance.
Further reading
3
Vendor oversight audit expectations have increased. Has anyone justified their risk-based approach to regulators during inspections?
Experience was mixed. One member described an MHRA GMP inspection where the criticality assessment documentation was initially unsatisfactory, but draft improvements were accepted. The consensus: regulators will probe your rationale but accept it if well documented. Resource constraints were a recurring concern.
What members said
MHRA was not satisfied with documentation of criticality assessment, but they reviewed the drafts and were happy with the more robust criteria.
Regulators want to see how you document your risk approach in the audit program.
Key takeaway
Documentation is everything. Regulators accept risk-based approaches but the criticality assessment must be robust and written down.
4
Does anyone have categories for CAPA root cause analysis, rather than using issue categories?
Two frameworks dominated: the 6M method (Method, Materials, Manpower, Machine, Measurements, Mother Nature) and HSE Human Factors categories for breaking down human error. An important distinction was raised: classify the root cause, not the CAPA itself. Some organisations track CAPA trends (retraining, procedural updates) separately for management review.
What members said
We kept getting loads of human error root causes. We decided to break this down further using categories similar to the HSE's Human Factors: Slips, Lapses, Rule-based, Knowledge-based.
The CAPA is a response to a Root Cause. I normally classify the Root Cause, not the CAPA. Please, do not confuse RC with CAPA.
Key takeaway
The 6M framework and HSE Human Factors model are the most widely used. Classify root causes, not CAPAs. Track resolution trends separately for management review.
Further reading
5
How does your effectiveness checks process work? What are the important considerations?
Members highlighted the importance of pre-defining what you are measuring and for how long. Several trigger effectiveness checks based on deviation severity. The recurring challenge is measuring the "absence" of something over a practical time period.
What members said
PRE-DEFINED parameters: What are you measuring? What are the deliverables? How long are you measuring for? What do you do if it's not effective?
An Effectiveness Check must be created when Deviation severity is Critical, Major, or Minor with recurrence.
I generally don't include any, as too many CAPA include the "absence" of something, and how long do you want to measure that for?
Key takeaway
Define parameters, timeframes, and cadence before starting. Trigger checks based on deviation severity. The main challenge remains measuring the absence of recurrence over a meaningful period.
6
How easy is it to validate Adobe for electronic signatures in GxP? Do you need a licence for every signer?
Validating Adobe Sign for GxP use is substantial work. Members raised concerns about identity verification, noting that standard Adobe Sign relies solely on email. Some organisations use eIDAS integration or have opted for alternative providers who manage validation themselves.
What members said
One of the lessons from DocuSign is not to forget verifying configurations. The number of times I've seen those control settings not actually switched ON!
The general Adobe I'm not a fan of. It's purely linked to email, and there is no control whatsoever on identity apart from the email.
It's quite complicated. We chose an alternative provider who did the validation for us.
Key takeaway
Adobe Sign validation is complex. Identity verification is the weak point. Consider eIDAS integration or alternative providers. Always verify that configuration settings are active.
Further reading
7
What are the appropriate regulatory and quality standards for bioanalytical method validation (BMV) in GCP clinical studies?
ICH M10 was the dominant answer, cited by the majority of respondents. The EMA Reflection Paper and WHO's GCLP recommendation were also referenced. BMV sits in a grey area: it is not formally a GCP activity, but if the method supports a clinical trial, GCP principles and ICH M10 apply. Where BMV is conducted in a GLP lab, members cautioned against claiming GLP compliance for the validation itself.
What members said
If the method is going to be used for a GCP clinical trial study, then it should be done to GCP/following ICH M10.
The main references are the EMA Reflection Paper for laboratories that perform the analysis or evaluation of clinical trial samples, and ICH M10.
Key takeaway
ICH M10 is the primary standard, supplemented by the EMA Reflection Paper. BMV sits between GCP and GLP. QA oversight remains best practice. Do not claim GLP compliance for BMV conducted in GLP labs.
Further reading
8
For non-clinical/non-GLP research, what quality standards are applied? What are they called?
Most organisations call these "Good Research Practice" (GRP). Several have developed internal GRP guidelines that formalise what scientific teams were already doing. The EQIPD framework and UKRI Good Research Practice policy were the most cited external references. There is no single mandatory standard.
What members said
We previously developed "Good Research Practice" guidelines for non-GxP activities, which effectively spelled out what the scientific teams already did to safeguard their data.
They are normally called "Good Research Practices". Many frameworks are available, e.g. the one of RQA. I think that many companies apply EQIPD.
Key takeaway
"Good Research Practice" is the most common term. EQIPD, UKRI policy, and RQA guidance are the main reference points. Organisations typically create internal frameworks based on available guidance.
Further reading
9
In GLP multisite studies, how are QA managing the Study Director's comments on the audited Test-Site report?
The PI is responsible for addressing the Study Director's comments. Test site QA then verifies that comments have been incorporated or that there is a justified reason for not accepting them. Practice varies on whether QA proactively checks all SD comments or relies on the PI to escalate.
What members said
If the SD has comments on the phase report then the PI is responsible for addressing these and then test site QA would need to check for incorporation of SD comments.
Lead QA sits with the SD as Test Facility with overall responsibility for the compliance of the study.
Key takeaway
The PI owns the response to SD comments. Test site QA verifies incorporation. Whether QA checks all comments proactively or on escalation varies by organisation.
10
China is not an OECD member state or MAD signatory. Where can information be found on running GLP studies there?
This question received limited engagement. One member noted that regulatory authorities in MAD countries can inspect test facilities in non-MAD countries when sponsors claim no alternative is available. This remains a niche area where further member discussion would be valuable.
What members said
I know from Sciensano Belgian MA that they can inspect the TF/TS on purpose if the company claims that they have no option in MAD countries.
Key takeaway
Limited responses on this topic. Regulatory authorities may inspect non-MAD facilities directly. Further member input would be welcome for a future session.
Further reading
11
Has anyone used Copilot AI for document reviews as a first pass for GLP compliance checking?
Views were cautiously positive. Members see potential in AI-assisted first-pass reviews but emphasise that human oversight is non-negotiable. Hallucinations remain a known risk. The most practical current uses are checking internal QMS consistency and consulting regulations.
What members said
I think there can be a value in a first pass through AI with auditor oversight for the finer points of compliance.
I'm not sure it would save time, as there should be a human in the loop for any non-validated decision making process.
I use it more to check internal consistencies across QMS. I also use it a lot to consult regulations and SOPs, and I verify after.
Key takeaway
AI tools show promise for first-pass reviews and consistency checks, but human oversight is essential. The most pragmatic uses today are QMS consistency and regulation lookup, not replacing auditor judgement.
12
Do Quality SMEs have sufficient IT and data-related competencies to contribute to data governance frameworks alongside CSV?
The consensus is that most QA professionals do not yet have deep IT or data governance skills, but that is not necessarily their role. QA's strength is asking the right questions. In small organisations, QA often doubles as the CSV expert. In larger settings, a close QA/CSV partnership is the preferred model.
What members said
The most important thing that quality individuals do is ask questions. Understanding the GxP requirements and using that to ask appropriate questions of the technical SMEs is the best way for quality to contribute.
This may need to become a tandem of a QA professional closely collaborating with a CSV expert.
Key takeaway
QA's role is to ask the right questions, not to become IT experts. A close partnership between QA and CSV specialists is the most workable model.
13
Are auditors (PV, GCP, etc.) considered GxP personnel in pharma companies?
This was the most clear-cut response of the session. Every respondent agreed: auditors are GxP personnel. They follow GxP guidelines, work to GxP processes, and generate GxP records. There was no dissent.
What members said
Auditors have to follow GxP guidelines, so yes, auditors are classed as GxP personnel.
Audit reports, certificates, and subsequent CAPA are all GxP records, and auditors have a part to play in that.
Key takeaway
Unanimous: auditors are GxP personnel. They follow GxP processes, produce GxP records, and are integral to the QMS.