Computerized systems are used throughout the life sciences industry to support various regulated activities, which in turn generate many types of electronic records. These electronic records must be maintained according to regulatory requirements contained within FDA’s 21 CFR Part 11 for US jurisdictions and Eudralex Volume 4 Annex 11 for EU jurisdictions. Therefore, we must ensure the GxP system which maintains the electronic record(s) is capable of meeting these regulatory requirements.
When it comes to audit trails, several requirements are clearly described within the regulations, thus allowing us to develop specifications against which the system can be verified for conformity. Nevertheless, we often come across questions regarding audit trails which are not explicitly covered within the regulations. We’ll be discussing these common questions and concerns within this blog.
What audit trail features must the system have?
The main purpose of the audit trail is to provide assurance with regards to the integrity of the electronic record. Various agency regulations, as well as guidance documents (see Reference section below) provide us with a list of features that a computerized system audit trail must have in order to be considered compliant.
|
The audit trail must be: |
|
|
Automated |
The audit trail entries must be automatically captured by the computer system whenever an electronic record is created, modified or deleted. |
|
Secure |
Audit trail data must be stored in a secure manner and must not be editable by any user. |
|
Contemporaneous |
Each audit trail entry must be time-stamped according to a controlled clock which cannot be altered. The time should either be based on central server time or local time, so long as it is clear in which time zone the entry was performed. |
|
Traceable |
Each audit trail entry must be attributable to the individual responsible for the direct data input. Updates made to data records must not obscure previous values and where required by regulation the reason for changing the data must also be recorded. |
|
Archived |
The audit trail must be retained as long as the electronic record is required to be stored. |
|
Available |
The audit trail must be available for agency review and copying. |
Audit Trail Content
For each audit trail entry, the following information should be recorded.
|
Audit trail content and reason it is required: |
|
|
Identification of the User making the entry |
This is needed to ensure traceability. This could be a user’s unique ID, however, there should be a way of correlating this ID to the person. |
|
Date and Time Stamp |
This is a critical element in documenting a sequence of events and vital to establishing an electronic record’s trustworthiness and reliability. It can also be an effective deterrent to records falsification. |
|
Link to Record |
This is needed to ensure traceability. This could be the record’s unique ID. |
|
Original Value |
This is needed in order to be able to have a complete history and to be able to reconstruct the sequence of events |
|
New Value |
|
|
Reason for Change |
This is only required if stipulated by the regulations pertaining to the audit trail record. (See below) |
What data must be “audit trailed”?
When it comes to determining which data the audit trail must be applied, the regulatory agencies (i.e. FDA and EMA) recommend following a risk-based approach.
Following a “risk-based approach”
In 2003, the FDA issued recommendations for compliance with 21 CFR Part 11 in the “Guidance for Industry - Part 11, Electronic Records; Electronic Signatures — Scope and Application” (see reference: Ref. [04]). This guidance narrowed the scope of 21 CFR Part 11 and identified portions of the regulations where the agency would apply enforcement discretion, including audit trails. The agency recommends considering the following when deciding whether to apply audit trails:
- Need to comply with predicate rule requirements
- Justified and documented risk assessment to determine the potential effect on product quality
- product safety
- record integrity
With respect to predicate rule requirements, the agency states, “Persons must still comply with all applicable predicate rule requirements related to documentation of, for example, date (e.g., § 58.130(e)), time, or sequencing of events, as well as any requirements for ensuring that changes to records do not obscure previous entries.” In the docket concerning the 21 CFR Part 11 Final Rule, the FDA states, “in general, the kinds of operator actions that need to be covered by an audit trail are those important enough to memorialize in the electronic record itself.” These are actions which would typically be recorded in corresponding paper records according to existing record-keeping requirements.
The European regulatory agency also recommends following a risk-based approach. The Eudralex Annex 11 regulations state, “consideration should be given, based on a risk assessment, to building into the system the creation of a record of all GMP-relevant changes and deletions (a system-generated "audit trail").”
By considering the regulations and following a risk-based approach, the regulated user(s) of the application are able to determine which data should be audit trailed. The justification for this decision should be clearly documented.
When does the Audit Trail begin?
The question of when to begin capturing audit trail information comes up quite often, as audit trail initiation requirements differ for data and document records.
For data records:
If the data is recorded directly to electronic storage by a person, the audit trail begins the instant the data hits the durable media. It should be noted, that the audit trail does not need to capture every keystroke that is made before the data is committed to permanent storage. This can be illustrated in the following example involving a system that manages information related to the manufacturing of active pharmaceutical ingredients.
If during the process, an operator makes an error while typing the lot number of an ingredient, the audit trail does not need record every time the operator may have pressed the backspace key or the subsequent keystrokes to correct the typing error prior to pressing the ‘‘return key’’ (where pressing the return key would cause the information to be saved to a disk file). However, any subsequent ‘‘saved’’ corrections made after the data is committed to permanent storage, must be part of the audit trail.
For document records:
If the document is subject to review and approval, the audit trail begins upon approval and issuing the document. A document record undergoing routine modifications, must be version controlled and be managed via a controlled change process. However, the interim changes which are performed in a controlled manner, i.e. during drafting or review comments collection do not need to be audit trailed. Once the new version of a document record is issued, it will supersede all previous versions.
Which clock should be used to generate the time stamp?
Given the global nature of many of today’s life science organizations, it is common to see IT systems spanning multiple time zones. This poses an additional challenge when dealing with time stamps, as it can lead to ambiguity with regards to the chronological sequencing of events, if not properly defined and managed.
In the preamble to the final rule for part 11, entitled “21 CFR Part 11 Electronic Records; Electronic Signatures,” (see reference: Ref. [02]) the FDA stated: “[R]egarding systems that may span different time zones, the agency advises that the signer’s local time is the one to be recorded.” This position, however, has since been reconsidered and the guidance presented the Draft Guidance for Industry 21 CFR Part 11; Electronic Records; Electronic Signatures Time Stamps (see reference: Ref. [03]) reflects the agencies current thinking.
The FDA recommends that time stamps be implemented with a clear understanding of what time zone reference is being used in order to eliminate confusion with respect to the timing of a particular event or action that could be attributed to different time zones. “Systems documentation should explain time zone references as well as zone acronyms or other naming conventions.” It is recommended that the time zone reference appears in human readable forms of the time stamp to help ensure the authenticity and integrity of the electronic record and associated audit trail.
How should the date and time be expressed?
The required precision to which we capture date and time stamps is not explicitly stated in any regulations. However, within the Draft Guidance for Industry 21 CFR Part 11; Electronic Records; Electronic Signatures Time Stamps (see reference: Ref. [03]), the FDA recommends the audit trail and signature time stamps be precise to the hour and minute.
Certain processes might warrant a more precise time stamp, therefore, the unit of time that is used should always be meaningful in terms of documenting human actions being performed. Date expressions should always indicate the year, month and numerical day of the month. The way in which the date and time are expressed should also be clearly defined within the system documentation.
Discover how to navigate audit trail requirements in electronic GxP systems in our free guide on achieving compliance with 21 CFR Part 11 and Annex 11.
Regulatory References
- S. Food and Drug Administration, Code of Federal Regulations, Title 21 Part 11, Electronic Records; Electronic Signatures.
- Industry Coalition on 21 CFR Part 11 – Key Points on Audit Trail Requirements of the Regulation Version 1
- Federal Register / Vol. 62, No. 54 / Rules and Regulations [Docket No. 92N–0251] - 21 CFR Part 11 Electronic Records; Electronic Signatures; Final Rule, 1997
- Guidance for Industry 21 CFR Part 11; Electronic Records; Electronic Signatures Time Stamps (Draft Guidance), 2002
- Guidance for Industry Part 11, Electronic Records; Electronic Signatures — Scope and Application, 2003
- PIC / S PI 011-3 - Good Practices for Computerised Systems in Regulated “GxP” Environments
