Configuring Software for Compliance with 21 CFR Part 11 Audit Trail Requirements

November 1, 2003
John Dickson
Pharmaceutical Technology Europe

Volume 15, Issue 11

Until specific audit trail requirements are available from the US Food and Drug Administration, manufacturers must define their own parameters for software system compliance and decide for themselves how to meet those requirements.

The US Food and Drug Administration's (FDA's) 21 CFR Part 11 (often abbreviated to 'the Rule') specifies audit trail requirements in general terms. The Rule remains in force, despite the fact that it is currently under review and the draft guidance that FDA had issued to assist organizations with interpretation has been withdrawn. In the absence of specific guidance, audit trail is, nevertheless, essential both for regulatory compliance and to prevent the loss of valuable business information.

The Part 11 section that covers audit trails (11.10e) reads: "Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying."

The best strategy for audit trail configuration is not always clear. In addition, the functionality for audit trails available in commercial software, commercial packages or legacy applications may be less than ideal. There are a number of questions regarding audit trails that require consideration when formulating a compliance strategy:

  • Is it necessary to audit all information and if not, precisely what information must be audited?

  • Maintenance of an audit trail for record creation can generate large amounts of information. What is the best way to approach this?

  • What is the difference between version control audits and simple audits? When should each type be used?

Generally, applications that use commercial database management systems (DBMS) can be configured to support compliance without too much difficulty. Functionality within applications that manipulates electronic records without using DBMS are much more variable; some are full-featured, others much less so.

What to audit

Good clinical, laboratory, manufacturing and pharmaceutical practice (GxP) regulations may specify records that must be audited, but this is not always the case. It is possible to audit all records, although this incurs high storage and processing overheads, and useful information may be difficult to retrieve from redundant data. Therefore, it is important to review records, particularly when they are high-volume, and ask: "Is there a regulatory or business need to audit trail these records?"

Figure 1: An audit configuration in LIMS.

A cautious approach is recommended, wherein the default is to audit all records - unless it is clear that there is no business or regulatory requirement.

Audit strategies

There are two fundamentally differing strategies to achieving a compliant audit trail, version control and audit trail control. The distinction is not made clear, or indeed mentioned, in either Part 11 or its preamble; however, it is a distinction that is made by predicate rules and is familiar to those working with paper documents in a GxP environment.

Version control. The distinction between the two strategies can be made clear by examples from paper-based systems. A paper-based example of version control is updating a standard operating procedure (SOP). Here, the 21 CFR Part 58 predicate rule states: "A historical file of standard operating procedures, and all revisions thereof, including the dates of such revisions, shall be maintained." (Part 58.81) Therefore, when an SOP is updated, an entire copy of the superseded version must be retained.

Audit trail control. For audit trail control of an analytical record, the same document states: "Any change in entries shall be made so as not to obscure the original entry, shall indicate the reason for such change, and shall be dated and signed or identified at the time of the change." (Part 58.130) Therefore, in contrast to modifying an SOP, it is not necessary to retain an entire copy of the unmodified record and reissue a completely new amended copy when modifying a paper analytical record; it is acceptable to amend and annotate the existing paper copy.

Advantages and disadvantages. Both of these approaches can be mimicked by electronic systems. A change to a record can force an entirely new version to be issued (version control) or the change can be applied to the existing version and the 'value before change' recorded in an audit record (audit trail control). Either approach allows historical records to be retrieved. With audit trail control, historical records may be reconstructed by 'rolling back' the audit changes and restoring the 'before change' values up to the point of interest. Version control's principal advantage is that all historical records exist in their entirety and no reconstruction is necessary. Both approaches also allow details of record changes to be retrieved. With version control, detailed 'before' and 'after' change information can be reconstructed by comparing the record versions before and after the change. With audit trail control, the detailed changes are explicitly recorded and no reconstruction is necessary. The major disadvantage of using version control is that vastly more information must be retained, and retained for the lifetime of the records.

In the absence of detailed FDA guidance, it is highly likely that, theoretically, either version control or audit trail control alone will be sufficient to comply with Part 11. However, to comply with a predicate rule, version control may be mandatory.

It should be noted that the two approaches are not mutually exclusive: both can be used. This is analogous to a situation where a new version of a document is reissued, and although a copy of the previous version is retained, a change history section is included in the new version to summarize what changes were applied.

Full-featured applications will also provide a prompted or silent audit. A prompted audit requires the operator to enter a reason for the action, whereas a silent audit does not. Silent audits are, therefore, a good electronic analogue of the typical good manufacturing practice (GMP) paper record modification when an alteration is justified by a handwritten annotation. However, prompted audits can be laborious and tedious to use, particularly when a single logical amendment results in the alteration of many physical records and the operator is forced to repeatedly enter the same reason.

Auditing record creation and deletion

Audit trail discussions mainly focus on record modification, but Part 11 mandates audit of record creation and deletion. Most DBMS can be configured to audit trail all record creation events. Doing this, however, can almost double both transaction processing time and storage requirements. To view this as mandatory under Part 11 is to misinterpret the regulation. It is only necessary to separately audit record creation when the record does not itself contain creation audit trail information.

When the electronic record format includes the identity of the creator and a compliant creation time-stamp, all the record creation audit infor- mation is captured within the record itself. Comment 73 in the Part 11 preamble makes clear that this strategy is acceptable: "The agency advises that audit trail information may be contained as part of the electronic record itself or as a separate record. FDA does not intend to require one method over the other."

Some applications prevent physical record deletion and use an alternative strategy of marking records as deleted without physically deleting them. In such cases, it may not be necessary to configure deletion audit events. However, in contrast to record creation, record deletion is rare and the cost of taking the cautious approach (auditing all deletions) is likely to be low.

Taking laboratory information management system (LIMS) audit trail functionality as an example, most commercial LIMS automate the creation of audits when operators modify information against a sample, test, result or other entity. Advanced LIMS allow any field from any table to be audited and conditions can be set to dictate what, and what not, to audit (Figure 1). Some modern LIMS allow more complex conditions that govern the creation of audits; for example, audits may activate on only finished product samples rather than in-process quality control (QC) samples, or audits may only occur on changes made by certain operators.

Guidelines

Further to defining detailed configuration for all record formats, it is useful to write an overall audit strategy document for each GxP application that defines and justifies what different approaches are used. Examples of guiding principles that can be included in such a strategy document are as follows:

  • Static information (reference information that is routinely used during a long period) should be version controlled.

  • Dynamic information should be audit trail controlled.

  • Dynamic information comprises one-off transaction records that document actions and events - for example, methods and specifications are static, whereas test results are dynamic.

  • Predicate rules may mandate version control.

  • All electronic signature records must be audited.

  • Regulatory information must either be version controlled or audit trailed. For non-regulatory information, an audit trail may be used if it is judged to provide useful information.

  • When version control is used, an audit trail may still be useful as it provides an easy way to compare version differences. Silent audit should be used.

  • Creation of records is seldom necessary because the purpose of the audit trail is to record modifications. This is compliant under Part 11 provided that the identity of the user creating the record and the time-stamp are recorded within the record. By definition, there is no 'previous' information to be held in the audit record data structure.

  • In many cases, a single prompted audit applied to a summary record can be used to comment several changes to subsidiary or dependent records. Silent audit may be used to record subsidiary record changes.

Conclusion

The availability of all necessary audit trail features must be of primary importance when selecting and upgrading software applications under Part 11. Even if an application allows all the possible configurations described in this article, achieving a compliant audit trail strategy remains a complex task. Determining and implementing the best approach requires detailed consideration and documentation, combined with a good understanding of the application, the business and the regulations.