In April 2016 the FDA released the draft version of “Data Integrity and Compliance with cGMP, Guidance for Industry.” Among the topics covered in the guidance was ‘audit trails’. The answers to these two questions “How often should audit trails be reviewed?” and “Who should review audit trails?” may represent a significant update to the FDA’s interpretation and enforcement of predicate rules regarding the use of audit trails.
First, the guidance clarifies the 21 CFR Part 11 definition of “audit trail” as “a secure, computer-generated, time-stamped electronic record that allows for reconstruction of the course of events relating to the creation, modification, or deletion of an electronic record.” And “Electronic audit trails include those that track creation, modification, or deletion of data (such as processing parameters and results) and those that track actions at the record or system level (such as attempts to access the system or rename or delete a file). And, just as Good Documentation Practices dictate practices regarding written changes to a hardcopy document, 21 CFR Part 11 requires the electronic equivalent of GDP. (see 11.10(e)).
To better understand the FDAs position on audit trails for electronic records, let’s look at how the guidance addresses the question, “When does electronic data become a cGMP (cGxP) record?” Its answer, “When generated to satisfy a cGMP requirement, all data become a cGMP record.” Data must be recorded at the time of generation in order to be compliant. Storing cGMP data electronically in temporary memory, in a manner that allows for manipulation, before creating a permanent record is not acceptable. cGMP-compliant record-keeping practices prevent data from being lost or obscured (see examples 21 CFR 211.160(a), 211.194, and 212.110(b)). Electronic record-keeping systems, which include audit trails, can fulfill these cGMP requirements.
With regard to audit trail reviews, the guidance states that audit trails that capture changes to critical data are considered to be part of the associated laboratory or production records. And it states that quality unit personnel responsible for cGMP should review the audit trails that capture changes to critical data associated with the record along with their review the electronic record before final approval of the record. (see 211.22(a), §§, 211.101(c), 211.192, 211.194(a)(8), and 212.20(d)). The guidance also recommends a routine audit trail review scheduled commensurate to cGMP risk. Personnel reviewing audit trails should be trained to detect data integrity issues (see 211.25 and 212.10.).
Once published, the final guidance document will provide current FDA thinking and expectations on Data Integrity. What is your action plan to evaluate how your company’s systems stack up to this new FDA guidance?