For drug and device manufacturers in the United States, electronic records created through computerized systems must be maintained in accordance with FDA’s 21 CFR Part 11 and EudraLex Volume 4 Annex 11 for EU jurisdictions.
Audit trails are an important requirement contained in each, and both US and EU regulations offer manufacturers the criteria needed to develop specifications for verifying system conformity.
Specifically for audit trails, however, many questions arise surrounding the matters not explicitly covered in the regulations. If you have found yourself in need of guidance around audit trail requirements, this quick guide may offer some helpful clarification.
There are several components to a complete audit trail entry. These include the following:
In many cases, this reference link will be the unique ID of the corresponding record. This is needed to ensure the trail can be traced back to the record directly.
Along with a link to the record, each audit trail entry must be traceable to the individual responsible for creating, changing, or deleting the record.
All values applied to a record throughout time must be present in the audit trail. This ensures a complete history is being preserved and can be reviewed.
A log for noting the reasons behind a change are required in some instances and should be managed via a controlled change process. However, controlled changes made during the drafting or review comments collection of a document record typically do not need to be audit trailed.
A clear and accurate date and time stamp is one of the most important components for maintaining trustworthy and reliable electronic records.
Audit trails are primarily used to ensure the integrity of electronic records. Regulations and supporting documents provide important information on the features audit trail systems must have to maintain a state of compliance. All audit trails must be:
Audit trails must be maintained in such a way to ensure they're always available to regulators in a format that can be copied and reviewed.
Audit trail entries cannot be manually updated by users. The computer system must capture entries automatically when an electronic record is created, changed, or deleted.
All audit trails must be kept as long as their corresponding electronic records are required to be stored.
Each entry must be attributable to the person who directly entered the record. If updates to records are made, they may not change or hide previous audit trail data or record values. The reason for the change must also be noted where required.
Each entry must be time stamped using a controlled clock system which cannot be changed.
Audit trail data must be securely stored and not accessible to users for editing.
Both the FDA and EMA recommend companies take a risk-based approach when determining where to apply audit trails. We've highlighted the key parts of each agency's requirements below.
In a 2003 guidance document, FDA offer more clarity into the requirements presented in 21 CFR Part 11 regarding audit trails. Taking all predicate requirements into consideration, the Agency states, "Persons must still comply with all applicable predicate rule requirements related to documentation of, for example, date (e.g., § 58.130(e)), time, or sequencing of events, as well as any requirements for ensuring that changes to records do not obscure previous entries.”
In reference to the 21 CFR Part 11 final rule, FDA went on to say, “in general, the kinds of operator actions that need to be covered by an audit trail are those important enough to memorialize in the electronic record itself.” These are actions which would typically be recorded in corresponding paper records according to existing recordkeeping requirements."
More broadly, the Agency recommends considering the need to comply with predicate rule requirements, justified and documented risk assessments to determine the potential effect on product quality, product safety, and record integrity when deciding whether to apply audit trails.
In reference to audit trails, the Eudralex Annex 11 regulations state, “consideration should be given, based on a risk assessment, to building into the system the creation of a record of all GMP-relevant changes and deletions (a system generated "audit trail").”
In this case, guidelines are more generalized, recommending companies consider relevant regulations and follow a risk-based approach to determine which data should be audit trailed, however the justification behind those decisions should be clearly documented.
Interested in learning more about maintaining data integrity throughout your organization?