Audit trail requirements on GxP computerized systems


According to Wikipedia, an audit trail is a chronological record providing documentary evidence of the sequence of activities that have affected at any time a specific operation, procedure, event, or device. The first uses of audit trails date back to ancient civilizations, when rudimentary methods emerged to manage goods, soldiers and financial transactions.

Audit trails to ensure data integrity came into the spotlight when US regulation 21CFR Part 11 was issued in 1997. Part 11 requires the use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records (sec. 11.10 e).

Since the late 90s, many other regulatory authorities have included and further refined their expectations for audit trails on GxP electronic records. Besides being a regulatory requirement, audit trails are an effective means to investigate deviations and to detect unauthorized use of, or unauthorized changes to, a system. They can also provide a wealth of information to reviewers of GxP batch records and lab reports.

By about the 4th century BC, the ancient Egyptians and Babylonians had auditing systems for checking movement in and out of storehouses.

Regulatory basis

The main regulations defining audit trail requirements are Part 11 and Eudralex annex 11.

21 CFR Part 11 paragraph 10 (e) – Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.

Eudralex Volume 4 Chapter 4 paragraph 4.9 – Any alteration made to the entry on a document should be signed and dated; the alteration should permit the reading of the original information. Where appropriate, the reason for the alteration should be recorded.

Eudralex Volume 4 annex 11 paragraph 9 – Consideration should be given, based on a risk assessment, to building into the system the creation of a record of all GMP-relevant changes and deletions (a system generated “audit trail”). For change or deletion of GMP-relevant data the reason should be documented. Audit trails need to be available and convertible to a generally intelligible form and regularly reviewed.

We highly recommend checking out the PIC/S Guidance “Good practices for data management and integrity in regulated GMP/GDP environments”. PIC/S documents are often used by inspectors as a reference, and this particular guide certainly reflects how inspectors will look at audit trails in your company.

Audit trail must-haves

An audit trail on a GxP computerized system should meet at least the following requirements to be in compliance with the GxP regulations.

  1. The audit trail must function in an independent way, not requiring any specific user action to function.
  2. It must be impossible for an operational system user to disable the audit trail.
  3. Audit trail entries must include the following information:
    • WHEN / Timestamp, this is date and time
    • WHO / Identification of the person that undertook the action; logging user IDs without traceability to full names is insufficient
    • WHAT / Action description e.g., create, modify as well as old and new value (if applicable)
    • WHY / Reason for the action (if applicable)
  4. Audit trail entries ARE electronic records, so they should meet the electronic record requirements. ALCOA principles apply to audit trail entries:
    • Attributable, must record who initiated the action creating the audit trail entry
    • Legible, should be retained and be legible for at least the retention period of the electronic records to which the entries apply
    • Contemporaneous, must be logged in real-time
    • Original, must be clear where the primary location is that entries are stored
    • Accurate, it should be impossible to modify, delete or in any other way corrupt or obscure audit trail entries
  5. It must be possible to print the audit trail and to make an electronic copy of it.
  6. The audit trail functionality must be validated.
  7. Audit trails must be regularly reviewed, based on quality risk management.
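
The sketch below shows one way items 1, 3 and 4 can be enforced at the database layer. It is an added example, not code from the original post or from any GxP product. It assumes SQLite, hypothetical table and column names, and an application that supplies `changed_by` and `reason` on each write (SQLite has no session user); it covers create and modify only.

```python
import sqlite3

# Schema is an assumption for illustration; table and column names are hypothetical.
SCHEMA = """
CREATE TABLE users (user_id TEXT PRIMARY KEY, full_name TEXT NOT NULL);
CREATE TABLE batch_param (               -- the GxP electronic record
  id INTEGER PRIMARY KEY, name TEXT, value TEXT,
  changed_by TEXT NOT NULL REFERENCES users(user_id), reason TEXT);
CREATE TABLE audit_trail (
  seq INTEGER PRIMARY KEY AUTOINCREMENT,
  at_utc TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ','now')),  -- WHEN
  user_id TEXT NOT NULL, full_name TEXT NOT NULL,                        -- WHO
  action TEXT NOT NULL, record_id INTEGER NOT NULL,                      -- WHAT
  old_value TEXT, new_value TEXT,
  reason TEXT);                                                          -- WHY
-- Triggers write the entries, so logging needs no user action (item 1).
CREATE TRIGGER log_create AFTER INSERT ON batch_param BEGIN
  INSERT INTO audit_trail (user_id, full_name, action, record_id, new_value, reason)
  SELECT NEW.changed_by, full_name, 'create', NEW.id, NEW.value, NEW.reason
  FROM users WHERE user_id = NEW.changed_by;
END;
CREATE TRIGGER log_modify AFTER UPDATE OF value ON batch_param BEGIN
  SELECT RAISE(ABORT, 'reason required for change')
  WHERE NEW.reason IS NULL OR trim(NEW.reason) = '';
  INSERT INTO audit_trail (user_id, full_name, action, record_id, old_value, new_value, reason)
  SELECT NEW.changed_by, full_name, 'modify', NEW.id, OLD.value, NEW.value, NEW.reason
  FROM users WHERE user_id = NEW.changed_by;
  UPDATE batch_param SET reason = NULL WHERE id = NEW.id;  -- no stale reason reuse
END;
-- Entries are append-only: changing or deleting them aborts the statement.
CREATE TRIGGER trail_no_update BEFORE UPDATE ON audit_trail
BEGIN SELECT RAISE(ABORT, 'audit trail is append-only'); END;
CREATE TRIGGER trail_no_delete BEFORE DELETE ON audit_trail
BEGIN SELECT RAISE(ABORT, 'audit trail is append-only'); END;
"""

def demo():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO users VALUES ('jdoe', 'Jane Doe')")  # constructed sample data
    db.execute("INSERT INTO batch_param VALUES (1, 'mix_temp_C', '37.0', 'jdoe', NULL)")
    db.execute("UPDATE batch_param SET value = '37.5', reason = 'probe recalibrated' WHERE id = 1")
    blocked = []
    for stmt in ("UPDATE batch_param SET value = '40.0' WHERE id = 1",  # no reason given
                 "UPDATE audit_trail SET old_value = '37.5'", "DELETE FROM audit_trail"):
        try:
            db.execute(stmt)
        except sqlite3.DatabaseError as exc:
            blocked.append(str(exc))
    trail = db.execute("SELECT full_name, action, old_value, new_value, reason "
                       "FROM audit_trail ORDER BY seq").fetchall()
    return trail, blocked
```

Triggers alone do not satisfy item 2: the account used by operational users must also lack the rights to drop or alter the triggers and the audit table, which SQLite cannot express and a server DBMS handles through its privilege model.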

Truth be told, there are still applications marketed for GxP operations which do not comply with the audit trail requirements. It is possible to create a paper-based record, an audit trail “outside” of the application, to obtain some level of compliance with the GxP regulations. But such an approach should only be used for legacy systems, and only with a sound plan (i.e. a CAPA) in place for improving or replacing the non-compliant application.

Audit trails should not be confused with a change control system, where changes may need to be appropriately controlled and approved before execution. The two serve different purposes and need processes that are similar in some ways but not at all the same.

Since the last revision of Eudralex annex 11 was issued in 2011, many companies are still struggling to find the right balance for audit trail review. Audit trail review should be part of routine activities as much as possible. For example, batch review could include review of audit trail entries regarding critical parameters or user interactions during the production process. A true risk-based approach is needed to review audit trails in an effective and efficient way.

We hope this blog post helped remind you of the most critical requirements on GxP audit trails. If you need further assistance or if you would like an assessment of audit trail practices in your company, don’t hesitate to contact us.

Joachim Nuyttens
At Trevalco I'm responsible for HR and Quality. The main goal of my job is to create an organization in which we foster personal development and build towards direct motives that inspire performance: play, purpose and potential. Because at the end of the day we want happy employees delivering great services to our customers.
