Transcription

The ultimate specification for “Audit Trails”A simple guideline for the so called “Audit Trail Review”What is exactly a GMP Audit Trail – purpose, objective, types and implementation?What is an Audit Trail Review good for? Where is it really useful?In 2016 we were very often asked about “Audit Trails” and the so called “Audit TrailReview” in the context of another hot buzz-word “data integrity”.However it must be mentioned that “data integrity” or better defined as good dataand records management contains a wider scope of other topics and not only atechnical function like the Audit Trail.So this short article describes some basics and careful consideration about thisspecial topic (Audit Trails) and related concepts and interpretations, with making noclaim to be complete.The term or function “Audit Trail” is very often totally misunderstood or misinterpreted.It gets even worse if the definition or understanding of the “Audit Trail” is not clearwhen the question about the “Audit Trail Review” arises. This might then end in bizarreand meaningless discussions without any solution.Fact #1: There is no clear definition of the Audit Trail function in general. Otherindustries are also using Audit Trails or IT developers might have anotherunderstanding of this function. There the Audit Trail is just seen as a simple logmechanism, tracking who has changed what and when. The GMP Audit Trail alsorequires the reason of change (not a description, not a comment, the real reasonWHY it was changed). Logically the reason for change must be entered by theoperator manually for each executed data change.Fact #2: If we talk about the Audit Trail we see it as a general / umbrella term. One ofthe first questions must be if we call / define an Audit Trail for the initial entry by theuser or the first change of an initial entry. Again logically the first / initial entry by theuser must be confirmed (e.g. by pressing the OK button, Return key etc.).From a GMP perspective the initial entry must not be audit trailed, because it mustbe recorded and documented anyway (what we always did). And it would makeno sense to enter the reason for change, because it is not a change of the data(instruction type or record/report type). If it is not “audit trailed” (respectively notmandatory) an “Audit Trail Review” of the records does not really make sense. Or wemistrust the operator? Or we have no confidence on the process and data created– this might happen, if the process design is weak (retesting possible and nottraceable) and not restricted by proper user access and rights / groupsStatus: 13th January 2017 (Rev. 1)

management (segregation of duties). But then an “Audit Trail” might not be theappropriate solution for it and re-design of the process would be required.Fact #3: A lot of vendors defined any kind of existing log or trail functions as AuditTrail, without a pre-defined basis of specification or interpretationAll “Audit Trails” are identical?We prefer to call this type of “Audit Trail”, if you still like the general term, as theactivity log or trail [Activity Trail]. For example this Activity Trail records all initial entriesof the user (operator/analyst) which are part of the ordinary / normal work executionfor each work step in a sequence of actions, comparable to a normal checklist onpaper (protocol form, for each step one initial given). This Activity Trail might be veryuseful to replace each confirmation given by an initial on paper for each work step.This can also reduce the need giving tons of electronic signature for each stepexecuted, if for example a single-sign on mechanism is used (based on login by userand automated log-off function).Admin Admin?To make life easier, a second type of “Audit Trail” should be defined as Security Trail[Security Trail]. For that it must be clear, that the also very generally used term of theadministrator role must be more precisely defined. You might find statements, that anadministrator of a system can add/change users, assign users to user groups, etc. butalso can change system configuration settings, even able to change methods orrecipes (programs, calculations parameters) or even change network / serversettings. If so, this is too much power concentrated one on single role. It makes senseto separate these admin roles to the user administrator, application administrator,and/or network administrator or similar.Back to the Security Trail: According EMA GMP Annex 11 – 12.3 – “Creation, change,and cancellation of access authorisations should be recorded” anyway withappropriate request forms (incl. reason for change) similar to change records(preferable as electronic forms). But the Security Trail for the user management andadministration itself could be used for the recording / documented evidence thatthe change was executed. In addition it can be used to show during the periodicevaluation (ref. EMA GMP Annex 11 – chapter 11) that the user accounts, the groupassignments, etc. do comply. Another kind of Security Trail can show the login logsand attempts, which might be useful (for open systems) for intrusion detection andsecurity management. This can be reviewed during the periodic evaluation or ifneeded and critical during special security checks. We should not call this an “AuditTrail Review”, because such logs look totally different like GMP Audit Trails. Forexample, a hacker to an open system would not use a real user name – the IPaddress would be much more interesting, which can then be blocked.Status: 13th January 2017 (Rev. 1)

“Audit Trail” really needed?What is an “Audit Trail”? Is this a basic question? Or at least it is not a simple one.Let’s start with a deliberate provocation: Does a system really need to have an“Audit Trail” in general? Simple answer: NO. Although a standard sentence in anyURS for a computerized system is poorly formulated that the system should have anAudit Trail functionality. Is this really correct?Again, basically not, if data is at minimum following a defined and compliant statuscontrol like any other (paper-based) document or record (reviewed and approved).The audit trail function itself is a luxury and comfort function. It enables the user /operator / analyst to change data in real time, ideally within a predefined timeperiod and a predefined range. The audit trail function records automatically the oldand new values (status), date and time of change, person performing the changeand the reason for the change – this is indeed very comfortable. Basically this all canalso be handled by a “traditional” change control record and manual print-outs andscreen-shots attached to the change request – but this takes a lot of time, maycause errors and faults, and is far away from “real time” working (keyword: real-timerelease / operational excellence).But for now it is important to realize that the “Audit Trail” function is a great nice-tohave function. And the conclusion for that must be that it is very important how andin which context a GMP process owners allows the user / operator to make online /real-time changes of data. Before having computerized systems and more manualprocesses the process owner needed to define if changes were recorded into amachine / instrument logbook, if a change needed to be requested by the changecontrol process, if an event entry should be recorded in the batch / laboratoryrecords and/or if such an event would trigger a deviation record. All variants couldbe found nowadays.Beside of that we need to define first what exactly can be changed. The basic GMPdocumentation is defined into two types: instructions and records/reports. For surechanging pre-approved instructions must be seen as critical. We would also agreeon that changing critical quality attributes (CQA) of a product would be critical.Changing critical process parameters (CPPs) might be allowed, if a Design Spaceand a pre-defined, approved Control Strategy would be in place. Even changingsystem parameters or methods might be allowed, if again such a processes is predefined and approved. This is at the end also a question of following a retrospectiveor prospective QRM approach (Quality Risk Management), without going into detailshere.Status: 13th January 2017 (Rev. 1)

What should be audit trailed? Or which role must be trailed?Coming back quickly to the “administrator” group mentioned above: Let’s assumethere is a user group defined as “QC analysists” who exclusively performs QC testruns. Another group, let’s call them “application admin” is managing the analysismethods. Each method is version- and status controlled. That means that the QCanalyst can only use the last approved version for a sample run, cannot modify themethod before, during and after the test run, and the method must be approved bya QA role. No individual is assigned to both groups in parallel. Any change of themethod must be requested by a change request. Different versions of the methodcan be compared. Now the magic question: Do we need (mandatory) an audit trailfor the group QC analyst and secondly for the application admin group? With nodoubt an audit trail or maybe it is more an automated change log would make anyinvestigation easier, but it is not really mandatory in this case. There might be a lot ofBUT and IFs, but in most of the cases it should be analysed if an audit trail (and whichtype) is really needed. If processes and work flows are well designed, restrictive,secured, fit for purpose it might not really required to run all data objects under audittrails.Fact #4: Data objects / sets must be version-controlled. Data objects whichare configured to be tracked by an audit trail function should have suchversion control (V1.0 of data set) and/or status control (in review/approved).In more complex systems and data relations such version controls can coverpurely the vertical or even the horizontal tracking of each data object andrelated data references.Audit Trail Review – do the right thingLet’s start with a simple statement: The term “Audit Trail Review” is not mentioned inany guideline or regulation. EMA Annex 11 states that “audit trails should beregularly reviewed.”Fact #5: The “Audit Trail Review” contains two levels of verification: Verificationof the “Audit Trail” function and verification (review) of the Audit Trail records.Fact #6: The purpose and objective of the “Audit Trail Review” (of records) isto gain knowledge (ref. ICH Q10) of the product and process and the linking(relationship) between product (CQA) and process (CPP and systemparameters) and emphasizes product and process understanding.We might agree that this “Audit Trail Review” in the context of GMP must not beexecuted for the Security Trail (covered by periodic evaluation) and the Activity Trail(covered by the batch / lab. record review).Status: 13th January 2017 (Rev. 1)

The real GMP Data Audit TrailNow it is really time to have a look on the real GMP Data Audit Trail. Before thatproper GMP Data and Records Management requires a good understanding of theoverall GMP/CGMP regulations and modern Quality System, Product Developmentand Process Management (QbD) as defined for example in ICH Q8, Q9, Q10, andQ11.In very simple words there are two different Product / Process approaches, forexample according EMA Annex 15: Manufacturing processes may be developedusing a traditional approach or a continuous verification approach.We may call the traditional one the “Quality-by-Testing” (QbT) approach and thecontinuous verification approach “Quality-by-Design” (QbD). With the traditionalQbT methodology the critical process parameters are fixed and pretty static(examples can be found in ICH Q11). On the contrary the QbD approach is basedon a so called Design Space and Control Strategy, which may include a feed-backcontrol system (or also called PAT – process analytical technology).The real magic between Product and Process (knowledge) comes in when theQuality Attributes and Process Parameters are mapped to each other, refer to ICHQ11 - chapter 3.1.5. Linking Material Attributes and Process Parameters to DrugSubstance CQAs. Just to keep in mind, again the basic idea is have a greater outputof medicines with a better quality. So products must have a defined Quality TargetProduct Profile and associated CQAs and CPPs, which we must understand, for newand existing products.Linking Critical Quality Attributes (CQA) and Critical Process Parameters (CPP) is notan easy task and it is not a one to one or linear relationship. The QbD and/or PATapproach is based on a new quality paradigm from compliance to enhancedproduct and process understanding that will allow design of effective and efficientmanufacturing processes and "real time" quality assurance (variability).Coming back to the GMP Data Audit Trail and its “Audit Trail Review”: Let’s assumewe define the Quality Target Product Profile (QTPP) with the mode of administration,dosage form, dosage strength, pharmacokinetics, stability etc. the CQAs withidentity, assay, dissolution, impurities, microbial limits the CPPs for eachmanufacturing process step with temperature, volume, pressure, rate, time andspeed etc.We would agree for sure that CQAs cannot be changed – same applies to the QTPP,raw data created in the laboratory, and quality master data (e.g. batch, materialnumber etc.). So the GMP Data Audit Trail [Data Audit Trail] can only be applied tocritical process parameters (CPPs), irrespective if they are based on the QbT or QbDproduct/ process approach.Status: 13th January 2017 (Rev. 1)

Details of the QbD approach can be found in ICH Q11 with all definitions in detail. Itseems that although ICH Q11 is a great document it misses some deeper technicalcontemplations and considerations:A Critical Process Parameter is function of other technical variables of a processcontrol system or similar. Computerized systems in production and manufacturingmeasure data with sensors and control the process with actuators, normally definedin separate programs or recipes executed in a chronological order. NonethelessCPPs are finally also a function of “system parameters, configurations, or settings”.It might be good to have a look now on a practical example: In production anautoclave is part of the manufacturing process of a product (QTPP: sterile drug) witha CQA of a sterility assurance level (SAL) of 10 6 or greater. The CPPs are time (e.g. 15minutes), temperature (121 C) and pressure (2 bar). Which data should be audittrailed? What about the CPPs?The operator (user) won’t or should not be able to change the CPPs. So if he/shecan’t change the CPPs there is no need for a Data Audit Trail for these CPPs,because they are fixed and not variable or dynamic.That for was the CPPs for this particular process step - only. If we have now a view onthe work process the operator might first enter a batch and/or material number,needs to choose a program/recipe according the master batch instructions (e.g.choice list selection) and then loads the autoclave with the material.Let’s assume the operator enters the batch number (manually, via keyboard) andconfirms his data entry (Button OK). His first entry is now saved as electronic data,comparable when written on paper of the batch production record. It might be thathe or his colleague finds out that the wrong number (transposed digits) was entered.As we have defined that there is no need for a Data Audit Trail for the CPPs, it mightmake sense to have it here for the GMP meta-data (Batch #). If it would beimplemented, the wrong entry can be corrected in real-time directly by the operatoron the system (if we want that). If we have no Data Audit Trail function a deviationrecord must be issued.An interesting question for that case would be, how long the operator would be ableto change the wrong entry of the batch number – before he started the autoclave,during the operation of 15 minutes or when the autoclave have stopped the run?The correct answer will be that the lean, comfortable “Audit Trail” change (withoutdeviation / change record) can be executed until the start of the batch recordreview and the batch release by the QP. But do we really know systems with a timelimited or even batch-status triggered Audit Trail configuration? The real problem inthis case is that the entry must be done manually, which is simply an error-pronedesign (compared to an automated scanner/transport system).Status: 13th January 2017 (Rev. 1)

Interposed question: Would it make sense to review the data audit trail of theoperator for the entry of the data object: batch number? No, we cannot gainknowledge about the product or process But for sure there will be an Activity Trail function on the autoclave showing that theoperator has chosen the correct program and inserted the data in the rightchronological order. These activities reflect the instructions and are recorded – asusual – on the final report. Just remember our “good” old paper protocols; in the leftcolumn the instructions and on the right column the recorded results with date/initials.During any review and verification there must be documented evidence that theinstructions were followed, where such an Activity Trail can be very useful. Pleaseremember that the Activity Trail covers always the initial entries and not datachanges, so no reason for change is expected.Next insight: Even the best Audit Trail function cannot avoid that the operator isloading the autoclave with the wrong materials or in the wrong loading schema; oran analyst is retesting a sample several times. In fact this shows that data integrityand compliance requires different other topics to be considered and implemented,which will not be described in detail here.Facing systems and analyseAnnex 11 states that “consideration should be given, based on a risk assessment, tobuilding into the system the creation of a record of all GMP-relevant changes anddeletions ”If you stand in front of a system, machine, instrument etc. you may ask yourself whichdata is really GMP relevant and which one should be trailed (refer Annex 11: basedon a risk assessment)?In general and as a very basic rule: Production machines (e.g. PLC) cover CPPs QC Lab instruments and systems cover CQAs On ERP (MES) level: Management of master and transaction data Electronic QMS systems: Quality System data (CAPA, training etc.)Relevant are foremost the CPPs, which are normally fixed nowadays in a traditionalproduction model. Changes of the CQAs, if at all changeable, won’t be possible. OnERP or eQMS level corrections of quality, master and transaction data should bepossible (mistakes will happen).It might be surprising if that Data Audit Trail is limited to all online and real-timechangeable CPPs there won’t be a high number of these. And as such the so calledAudit Trail Review will also be limited to this number of Data Audit Trails.Can this be correct?Status: 13th January 2017 (Rev. 1)

Changes of system configurationFirst of all, yes it is correct for the CPPs, but as already mentioned these are alsofunction of the system settings / configuration / programs or defined methods. Sodata impacted, created, controlled, calculated and recorded by systems must alsobe version and status controlled, exactly like the created data. For systems theinterpretation must be that they have a proper release, change and configurationmanagement.For our autoclave example this means that the operator / user should not be able tochange the program and recipe; or in QC lab that an analyst should not be able tochange methods. At the autoclave the program can only be changed by anapplication administrator (programmer). The program was verified to be fit forpurpose during the process validation exercise. Basically the programmer has nointention to change to program by himself. Why should he do it? The only reasonwould be technical optimization and hopefully without any impact on theprocess/product. But in any case changes to a program or method is normallymanaged by the change control process in order to inform other process owners,experts and quality assurance. Magic question: Is it required to have a – real-time,pre-approved, lean – audit trail function for changes of the system programs by theprogrammer? No, because such changes must be analysed, executed, reviewedand approved by several roles and an audit trail would not be appropriate for that.Audit Trail TypesWe defined three “Audit Trail” types:1. Security Trail – log function – review during periodic evaluation (security)2. Activity Trail – log function – initial entries of user – review as normal / routingprocess of production or lab records (must be transparent and complete)3. Data Audit Trail – log function including forced user entry of reason for change– data review useful if CPPs were changed.a. Remark: Normally it would not be possible to change instructionswithout a deviation record.Data Audi Trail SpecificationHaving a detailed view on the Data Audit Trail:1. User enters data into the system2. User presses the OK button or Enter Key to confirm initial entry – data is saved(version 1)3. User realizes a wrong data entry or any other compliant need to change theinitial data entry4. User reopens the data object and corrects the data set5. User presses the OK button or Enter Key to confirm data change – data issaved (version 2)Status: 13th January 2017 (Rev. 1)

What must happen now? There are different options or even opinions (based oncriticality / severity):6. The system must request (mandatory) the entry of the reason for changea. For example: Pop-up window (active)b. Field label: Enter or Select Reason for Changec. Insert field: Free text or choice list (preferred)7. Optional: It might be that the operator must be forced to enter his user nameand password as verification signature8. Optional: It might be that a second operator (or shift coordinator) must enteralso his user name and password – double signatureThis is just an example for the Data Audit Trail process. There are also otherspecifications to be defined for a proper Data Audit Trail. In general a good audittrail specification covers more than 20 requirements, like for the following areas: Audit Trail function: General requirements for the function, e.g. date and timereference taken from network time services, logical function setup, impact ofchanges of master data (e.g. user name changes) etc.Audit Trail configuration: Requirements for the configuration settings of an audittrail like date format and time zone, configuration of which data objects shouldbe trailed and with which type of audit trails.Audit Trail listing and view: Requirements for displaying, sorting, selecting audittrails with user access rights.Audit Trail print-outs: Controlled print-outs, Report design, etc.Audit Trail Analysis: Automated analysis for “Audit Trail Review” (exception report)Specification of Audit Trail ReviewWhen we have specified the Audit Trail above there should also be a specificationfor the “Audit Trail Review”. It might be that some persons define the review as amanual and paper-based process. It should not be like that. The Audit Trail Reviewshould be automated (refer PIC/S PI 041 – exception report).That means that the audit trail review, if defined to be needed, should be done bythe system or even systems. Again the linking between CPPs and CQAs could bevery interesting – and these have an influence and impact over several differentsystems and process steps. I would be simply impossible to do such reviews manually.If you have further questions or comments, please feel free to contact us at:[email protected] visit us at: www.comes-services.comRevision 1: some minor correctionsStatus: 13th January 2017 (Rev. 1)

Fact #5: The "Audit Trail Review" contains two levels of verification: Verification of the "Audit Trail" function and verification (review) of the Audit Trail records. Fact #6: The purpose and objective of the "Audit Trail Review" (of records) is to gain knowledge (ref. ICH Q10) of the product and process and the linking