Computerized systems are used throughout the life sciences industry to support various regulated activities, which in turn generate many types of electronic records. These electronic records must be maintained according to regulatory requirements contained within FDA’s 21 CFR Part 11 for US jurisdictions and Eudralex Volume 4 Annex 11 for EU jurisdictions. Therefore, we must ensure the GxP system which maintains the electronic record(s) is capable of meeting these regulatory requirements.
What to look for in Audit Trail?
- Is the audit trail activated? SOP?
- Record of reviews? (most companies trust the electronic systems audit trail and generates electronic paper version of it without a full review)
- How to prevent or detect any deletion or modification
of audit trail data? Training of staff?
- Filter of audit trail
Can you prove data manipulation did not occur?
Persons must still comply with all applicable predicate rule requirements related to documentation of, for example, date (e.g. 58.130(e)), time, or sequencing of events, as well as any requirements for ensuring that changes to records do not obscure previous entries.
Consideration should be given, based on a risk assessment, to building into the system the creation of a record of all GMP-relevant changes and deletions (a system generated “audit trail”).
Audit trail content:
|Audit trail content and reason it is required:|
|Identification of the User making the entry||This is needed to ensure traceability. This could be a user’s unique ID, however there should be a way of correlating this ID to the person.|
|Date and Time Stamp||This is a critical element in documenting a sequence of events and vital to establishing an electronic record’s trustworthiness and reliability. It can also be effective deterrent to records falsification.|
|Link to Record||This is needed to ensure traceability. This could be the record’s unique ID.|
This is needed in order to be able to have a complete history and to be able reconstruct the sequence of events
|Reason for Change||This is only required if stipulated by the regulations pertaining to the audit trailed record. (See below)|
FDA / Regulators findings and complaints during Inspection of Audit Trail Data:
- Audit User sometimes is hard to describe (e.g. user123 instead use full names of each user IDs thus requirement additional mapping)
- Field IDs or Variables names are used instead of SAS labels or Field Labels (map field names with respective field text (e.g. AETERM displayed instead use Reported Term for the Adverse Event)
- Default values should be easily explained or meaningful (see annotated CRF)
- Limited access to audit trail files (many systems with different reporting tools or extraction tool. Data is not fully integrated. Too many files and cannot be easily integrated).
- No audit trail review process. Be prepared to update SOPs or current working practices to add review time of audit trails. It is expected that at least, every 90 days, qualified staff performed a review of the audit trail for their trials. Proper documentation, filing and signature should be in place.
- Avoid using Excel or CSV files. Auditors are now asking for SAS datasets of the audit trails. Auditors are getting trained to generate their own output based on pre-defined set of parameters to allow auditors to summarize data and produce graphs.
- Formatting issues when exporting into Excel, for example. Numbers and dates fields change it to text fields.
What data must be “audit trailed”?
When it comes to determining on which data the audit trail must be applied, the regulatory agencies (i.e. FDA and EMA) recommend following a risk based approach.
Following a “risk based approach”
In 2003, the FDA issued recommendations for compliance with 21 CFR Part 11 in the “Guidance for Industry – Part 11, Electronic Records; Electronic Signatures — Scope and Application” (see reference: Ref. ). This guidance narrowed the scope of 21 CFR Part 11 and identified portions of the regulations where the agency would apply enforcement discretion, including audit trails. The agency recommends considering the following when deciding whether to apply audit trails:
- Need to comply with predicate rule requirements
- Justified and documented risk assessment to determine the potential effect on product quality
- product safety
- record integrity
With respect to predicate rule requirements, the agency states, “Persons must still comply with all applicable predicate rule requirements related to documentation of, for example, date (e.g., § 58.130(e)), time, or sequencing of events, as well as any requirements for ensuring that changes to records do not obscure previous entries.” In the docket concerning the 21 CFR Part 11 Final Rule, the FDA states, “in general, the kinds of operator actions that need to be covered by an audit trail are those important enough to memorialize in the electronic record itself.” These are actions which would typically be recorded in corresponding paper records according to existing recordkeeping requirements.
The European regulatory agency also recommends following a risk based approach. The Eudralex Annex 11 regulations state, “consideration should be given, based on a risk assessment, to building into the system the creation of a record of all GMP-relevant changes and deletions (a system generated “audit trail”).”
When does the Audit Trail begin?
The question of when to begin capturing audit trail information comes up quite often, as audit trail initiation requirements differ for data and document records.
For data records:
If the data is recorded directly to electronic storage by a person, the audit trail begins the instant the data hits the durable media. It should be noted, that the audit trail does not need to capture every keystroke that is made before the data is committed to permanent storage. This can be illustrated in the following example involving a system that manages information related to the manufacturing of active pharmaceutical ingredients. If during the process, an operator makes an error while typing the lot number of an ingredient, the audit trail does not need record every time the operator may have pressed the backspace key or the subsequent keystrokes to correct the typing error prior to pressing the ‘‘return key’’ (where pressing the return key would cause the information to be saved to a disk file). However, any subsequent ‘‘saved’’ corrections made after the data is committed to permanent storage, must be part of the audit trail.
For document records:
If the document is subject to review and approval, the audit trail begins upon approval and issuing the document. A document record undergoing routine modifications, must be version controlled and be managed via a controlled change process. However, the interim changes which are performed in a controlled manner, i.e. during drafting or review comments collection do not need to be audit trailed. Once the new version of a document record is issued, it will supersede all previous versions.
Questions from Auditors: Got Answers?
When was data locked? Can you find this information easily on your audit trail files?
When was the database/system released for the trial? Again, how easily can you run a query and find this information?
When did data entry by investigator (site personnel) commence?
When was access given to site staff?
Part of this article was taking, with permission, from Montrium – Understanding Audit Trail Requirements in Electronic GXP Systems
Fair Use Notice: Images/logos/graphics on this page contains some copyrighted material whose use has not been authorized by the copyright owners. We believe that this not-for-profit, educational, and/or criticism or commentary use on the Web constitutes a fair use of the copyrighted material (as provided for in section 107 of the US Copyright Law).