Annex 11 requires that audit trails are regularly reviewed to ensure data integrity. There are a significant amount of inconsistent interpretations about the requirement to regularly review audit trails. Some of the interpretations are that a periodic review of audit trails should be performed to ensure data integrity. Under a periodic review approach some companies have implemented a monthly, quarterly, bi-annual and yearly review of audit trails. The challenge is how relevant it is to perform a periodic review after an extended period of time when the data was generated. What is the value? What are we supposed to be looking for? What constitutes a data integrity issue? Which data is critical? Should we take a risk based approach?
This article will provide answers to these challenging questions and solutions about how to perform regularly audit trail reviews.
Aligning with the requirement to regularly perform audit trails reviews can be very challenging for some companies. This requirement is based on the assumption that all system provide audit trails that are “user friendly”, adequate and easy to review for data integrity. One of the biggest challenges is that some systems specifically in the Quality Control laboratories don’t generate audit trails that facilitate a review regularly. Another challenge is whether to perform periodic review or to assess the audit trails prior to signing or approving the data. Can we implement the same approach for all areas with GMP impact or can we take a risk based approach. Which approaches are more value added and not just a paper work exercise?
Unfortunately Annex 11 and other data integrity philosophies fail to provide adequate guidance and direction about how to regularly review audit trails. There is always the challenge on how to deal with all the assumptions related to this requirement and this also includes resources to regularly review audit trails. In order to review audit trails regularly qualified resources are needed to perform this work. The resource impact needs to be clearly understood based on the population of impacted systems, the volume of the reviews and the defined frequency. All the potential challenges need to be well understood and addressed prior to committing to perform audit trails reviews, otherwise the effort will be meaningless and simply a paper exercise.
AUDIT TRAIL ASSESSMENTS
In order to align with the requirement to regularly review audit trails an assessment needs to be performed for all impacted systems. The audit trail assessment is the first and the most critical steps to implement audit trail reviews. An inventory of all impacted systems need to be created. This inventory will identify all impacted systems that need to be included in the audit trail assessment. The intent of the assessment is to identify whether each individual system provide audit trails that are adequate and that can be used for performing these reviews.
System level risk assessments need to be performed to identify whether the system is high, medium or low risk. The system risk needs to be used to prioritize the audit trail assessment and implementation of periodic reviews. For example a quality control system to measure critical quality attributes is probably high risk and should be a priority. A risk based approach will be discussed in more detail later in this article.
Each functional area that have GxP computer systems need to perform the audit trail assessment to determine the following:
- Who has access to view the audit trails?
- Can the audit trail be printed from the application?
- Can the reviewer select a data range?
- Can the reviewer select a specific activity of interest during the audit trail review?
- Will it feasible to include the audit trail with the data results?
- Will it be feasible for QC systems to include the audit trail with the assay results?
- Are user’s action time and date stamped?
- Does the audit trail records creation, modification and deletion of records?
The answer to each question will be potentially being different for each system assessed. Based on the results of this assessment remediation activities may be required to address any gaps or improvements need for audit trails.
To document the results of the audit trail assessment a summary report should be created to summarize the findings.
A remediation plan should be created to describe the corrective actions that will be taken for each system.
Once all remediation activities are closed procedures need to be created or revised to include the steps for performing audit trails periodic review.
RISK BASED APPROACH
A risk based approach to audit trail reviews is critical for an implementation that provide a meaningful process without having a negative impact on cost and resources. The fact is that without taking a risk based approach audit trail reviews can have a negative impact on cost and resources. Audit trail reviews for GxP systems are a time consuming activity that requires resources to execute and manage the information an actions related to the review.
In order to take a risk based approach to audit trail reviews the system risk level need to be identified. Prioritizing the audit trail assessment based on the level of risk is critical to prioritize the assessments and implementation. Systems involved in the testing of Critical Quality Attributes are high risk and should be the highest priority during the assessments and implementation.
The system risk level should be used to establish the frequency and scope of the audit trails periodic reviews. For high risk systems such as those used in Quality Control the audit trails should be reviewed with the test results to ensure the integrity of the test data. The scope of this review should include assessing the accuracy and integrity of the data using the audit trail. In this situation the audit trail will be reviewed for the following:
- Changes to test parameters
- Changes to data processing parameters
- Data deletion
- Data modifications
- Analyst actions
- Data manipulation
- Excessive integration of chromatography peaks
- Security breaches related to data
QC procedures need to define the controls related to data integrity; this will ensure consistency during the audit trail review.
For medium and low risk systems the approach will be less intensive that for high risk. For these systems it can be possible to review periodically the audit trails. The periodic review period should be established based on the level of system risk. Medium risk systems should be reviewed more frequently than low risk systems. For example a document management system is probably medium risk that should be on a periodic review schedule of every six months or a yearly schedule. Low risk system can be reviewed on a yearly or bi-annual basis.
The scope of the audit trail reviews for medium and low risk systems should include the following:
- Data changes
- Data deletions
- Unauthorized access or transactions
To implement audit trail reviews is critical to take a risk based approach. A one size fits all approach can have a significant impact on cost and resources.
In summary a risk based approach is critical for the implementation of audit trail periodic reviews.
Once the audit trail assessment are performed, system risk identified and all corrective actions are closed the audit trail reviews can be implemented. Prior to implementation the impact to resource need to be well understood based on the expected volume of work. Once this impact is understood hiring and reassigning of resource need to be completed prior to formal implementation.
Procedure may need to be created or revised to include the approach of audit trails reviews for each system based on the results of the assessment and system risk.
The last step is training all impacted resources on the applicable procedures with an emphasis of data integrity.
Annex 11 requires that audit trails are reviewed regularly to ensure data integrity. The frequency and scope of the audit trail reviews is not defined in annex 11. Audit trails periodic reviews have impact on resources and cost. To minimize the cost and resource impact and risk based approach should be taken for the implementation of audit trails review. The approach should be based on the system risk level which will facilitate defining scope and frequency of the reviews.
An audit trail review when properly implemented can increase the integrity of data generated by GxP systems.
Implementing and validating global enterprise systems can be very challenging and costly. The lack of global standards and procedures can have a negative impact in the implementation of global enterprise systems. To ensure an adequate ROI governance and oversight must be established to enable full utilization of global enterprise systems.