Securing Excellence: Navigating the Terrain of Data Integrity and Audit Trails

Introduction:

An audit trail is a timeline documenting all system activities—showing who, what, when, and why. It reveals a comprehensive view of actions like creating, modifying, and deleting electronic records, aiding in issue identification and incident investigation.

Computerized system audit trails serve as comprehensive records, detailing the Who, What, When, Where, and Why of each data transaction, facilitating the reconstruction of system-related events.
[Figure: The 5W's and Computerized System Audit Trails]
The ALCOA++ principles can be aligned with audit trail requirements, as depicted in the figure below, to uphold and safeguard data security and data protection.
[Figure: Relationship between ALCOA++ and Audit Trail]

Analogy: Traditional and Electronic Systems

In regulatory compliance, data audit trails in electronic systems, unlike traditional paper-based methods, distinctly document operator actions in creating, modifying, or deleting GMP records. In a paper system, corrections involve manual entries with initials, date, and reasons. Electronic systems employ data audit trails, recording original and new values, user details, timestamps, and reasons, ensuring traceability. In paper-based manufacturing, modifications to batch records are manually traced, and master records are managed separately. In electronic manufacturing, the audit trail captures normal operations, tracks status changes, and records the deletion of records at the retention period's end, offering a comprehensive digital equivalent.

Regulatory Requirement
[Figure: Regulatory Requirement for Audit Trail and Data Integrity]

21 CFR part 11 Subpart B Sect 11.10:

  • Requirement: Use secure, computer-generated, time-stamped audit trails to record date and time of operator entries/actions.
  • Condition: Record changes without obscuring previous information.
  • Retention: Keep audit trail documentation for at least the duration required for the electronic records.
  • Accessibility: Must be available for agency review and copying.

[Figure: 21 CFR part 11 Audit Trail Requirements]

EudraLex Volume 4 Annex 11: Computerized Systems, Audit Trails:

  • Recommendation: Consider creating an audit trail based on a risk assessment.
  • Content: Record all GMP-relevant changes and deletions, with documented reasons.
  • Access: Audit trails should be available, convertible to an intelligible form, and subject to regular reviews.

MHRA 'GXP' Data Integrity Guidance and Definitions:

  • Definition: Audit trail is metadata with details on actions related to GXP record creation, modification, or deletion.
  • Function: Facilitates secure recording of life-cycle events without obscuring the original record.
  • Reconstruction: Enables reconstruction of the history of events, providing "who, what, when, and why" details regardless of the record's medium.

Optimizing Audit Trail Review for Data Integrity

Audit trail reviews are integral to data reliability. Operational areas, like manufacturing or laboratories, should incorporate them into routine data approval processes. Quality units may perform additional reviews per GxP requirements.

  • Who Conducts Audit Trail Reviews?

Personnel overseeing record reviews under CGMP should assess audit trails capturing data changes. The FDA advocates a quality system approach for overseeing and reviewing CGMP records.

  • How Often Should Audit Trails be Reviewed?

Adhere to CGMP regulations specifying the data review frequency. If not defined, determine audit trail review frequency using process knowledge and risk assessments. Consider data criticality, control mechanisms, and product quality impact.

  • Relevance of Audit Trail Data:

Organizations should assess the relevance of retained audit trail data for robust data review. Not every system activity needs to be included; the focus should be on GXP-relevant elements.

  • Routine Data Review and Audit Trails:

In routine data reviews, conduct documented audit trail assessments based on risk. Design systems to review GXP-relevant trails, using methods like exception reporting for abnormal data or actions requiring attention.

  • Ensuring Audit Trail Integrity:

Verify audit trail functionality during system validation, ensuring compliance with ALCOA++ principles.

Regulated users must understand and assess different audit trails during qualification for GMP/GDP relevance.

Assessments for audit trail reviews may include identifying changes, focusing on anomalies, and addressing systems with open modification capabilities.

  • Critical vs. Non-Critical Audit Trails:

Independently review critical audit trails related to operations before completion, ensuring data acceptability. Originating departments should conduct this, verified by the quality unit.

Non-critical audit trail reviews may occur during system reviews at a predefined frequency, verified by the quality unit when necessary.

  • Audit Trail Security and Company Procedures:

Ensure audit trail functionalities remain enabled and locked at all times.

Implement company procedures outlining data requirements in audit trails and their review, aligning with risk management principles.

Audit Trail Key Components:

  1. Is audit trail functionality enabled and associated with the system?
  2. Has the audit trail been tested to ensure proper functioning?
  3. Which roles, including elevated privileges, are associated with the system?
  4. Is there a clear segregation of duties between administrators and users?
  5. What procedures govern system control, operation, maintenance, calibration, and administration?
  6. How are changes within the system managed and documented?
  7. Are there additional systems/processes linked to data import/export?
  8. In what format is the audit trail data available, and is it easily interpretable?
  9. How is audit trail data exported and made available for review?
  10. What is the size of the audit trail dataset for the specified review type and period?
  11. Is sampling and filtering necessary for a meaningful and effective review?

Audit Trail Review Focus:

  1. Verify 'who, what, when, where, and why' for all entries.
  2. Scrutinize Administrator and elevated access actions.
  3. Review configuration changes, ensuring alignment with Change Control or Quality System Elements.
  4. Confirm activities align with governing procedures when not covered by Change Control.
  5. Validate authorization of admin and other users for system interactions.
  6. Ensure no unexplained gaps exist in audit trail data.
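
One way to turn the review-focus checks above into an exception report (an added example, not part of the original article). The record layout, the per-record `seq` counter, the role and action names, and the sample entries are all assumptions constructed for illustration:

```python
from datetime import datetime

REQUIRED = ("who", "what", "when", "where", "why")  # the 5 W's
ELEVATED_ROLES = {"admin"}                          # assumed role name
CONFIG_ACTIONS = {"config_change"}                  # assumed action name

# Constructed sample export; 'seq' is an assumed per-record counter.
SAMPLE_TRAIL = [
    {"seq": 1, "who": "jdoe", "role": "operator", "what": "create",
     "when": "2024-03-01T08:00:00", "where": "HPLC-01", "why": "new batch record", "change_ref": None},
    {"seq": 2, "who": "jdoe", "role": "operator", "what": "modify",
     "when": "2024-03-01T08:05:00", "where": "HPLC-01", "why": "", "change_ref": None},
    {"seq": 3, "who": "root1", "role": "admin", "what": "config_change",
     "when": "2024-03-01T09:00:00", "where": "HPLC-01", "why": "method update", "change_ref": None},
    {"seq": 5, "who": "asmith", "role": "operator", "what": "modify",
     "when": "2024-03-01T08:30:00", "where": "HPLC-01", "why": "typo fix", "change_ref": None},
]

def review(trail):
    """Return (seq, finding) exceptions for a reviewer to follow up."""
    findings = []
    prev_seq, prev_time = None, None
    for rec in sorted(trail, key=lambda r: r["seq"]):
        seq = rec["seq"]
        missing = [f for f in REQUIRED if not rec.get(f)]
        if missing:  # focus item 1: who/what/when/where/why present
            findings.append((seq, "missing " + ",".join(missing)))
        if rec.get("role") in ELEVATED_ROLES:  # item 2: elevated access
            findings.append((seq, "elevated-access action"))
        if rec.get("what") in CONFIG_ACTIONS and not rec.get("change_ref"):  # item 3
            findings.append((seq, "config change without change control reference"))
        if prev_seq is not None and seq != prev_seq + 1:  # item 6: gaps
            findings.append((seq, f"gap after seq {prev_seq}"))
        when = datetime.fromisoformat(rec["when"]) if rec.get("when") else None
        if when and prev_time and when < prev_time:  # clock set back or reordered entry
            findings.append((seq, "timestamp earlier than previous entry"))
        prev_seq = seq
        prev_time = when or prev_time
    return findings

if __name__ == "__main__":
    for seq, finding in review(SAMPLE_TRAIL):
        print(seq, finding)
```

Each finding is a prompt for the reviewer rather than a verdict: an elevated-access entry, for example, still needs to be matched against an authorization or change record.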

Types of Audit Trails and Considerations:

[Figure: System Audit Trails vs Data Audit Trails]

1. System Audit Trail:

  • Involves settings or logs affecting system control.
  • Captures activities like Administrator actions, log-ins, non-standard access, data deletions, configuration changes, backup failures, and remote access events.
  • Review frequency should align with system complexity, configurability, and relative risk.

2. Data Audit Trail:

  • Applies directly to electronic records/results, focusing on critical data.
  • Captures changes with potential impacts on product and patient safety.
  • 'At Release' Audit Trail Review is conducted prior to record approval or release.
  • Determined by: potential impact on product safety and efficacy, probability of data integrity issues, and likelihood of detecting data integrity issues.

[Figure: Good, Ugly and Bad Audit Trail]

Considerations for Audit Trail Reviews:

1. Data Scope:

  • Include manufacturing and control activities.
  • Encompass system and configuration data affecting process control.

2. System Audit Trail Review:

  • Regularly examine interactions like Administrator activities, log-ins, non-standard access, data deletions, configuration changes, backup failures, and remote access events.
  • Review frequency tailored to system complexity, configurability, and risk.

3. Data Audit Trail Review:

  • Directly applied to electronic records/results.
  • Emphasize critical data changes impacting product and patient safety.
  • Conduct 'At Release' Audit Trail Review before record approval.

4. Determinants for Data Audit Trail Review:

  • Assess the potential impact on product safety and efficacy.
  • Consider the probability of data integrity issues.
  • Evaluate the likelihood of detecting data integrity issues.

Benefits of Implementing Audit Trail Recording:

1. Ensuring Data Integrity and Accuracy:

  • Detailed record of system actions maintains authenticity and integrity.
  • Tracks changes, responsible individuals, and reasons for alterations.

2. Facilitating Traceability and Accountability:

  • Clear history of document handling and system usage.
  • Identifies errors, pinpoints issues, and holds individuals accountable.

3. Supporting Regulatory Compliance:

  • 21 CFR Part 11 mandates audit trails for compliance.
  • Provides evidence of system and data integrity for regulatory inspections.

4. Reducing Risks of Tampering, Fraud, and Unauthorized Access:

  • Detects and prevents tampering, fraud, and unauthorized access.
  • Identifies suspicious activities and changes, ensuring data security.

5. Improving Inspection Readiness:

  • Provides inspectors with a comprehensive record of electronic record actions.
  • Facilitates quick and easy review during audits and inspections.

6. Enhancing Operational Efficiency:

  • Offers visibility into dates and times of every activity completion.
  • Identifies inefficiencies and areas for improvement in processes.

In conclusion, audit trails play a pivotal role in safeguarding data integrity and ensuring regulatory compliance. These digital footprints meticulously record every system action, providing a transparent account of changes, fostering accountability, and serving as a vital tool during regulatory inspections. Implementing robust audit trails is not just a regulatory requirement; it's a strategic step towards maintaining data reliability and upholding the highest


More articles by Anand Sharma
