Today’s rapidly evolving pharmaceutical regulatory environment makes effective and efficient laboratory controls more crucial than ever. For organizations to remain competitive, they must ensure that their systems are safe, current, and in compliance with 21 CFR Part 11. In order to ensure that your company’s quality systems remain at the forefront of regulatory compliance, this short checklist aims to provide a collection of thought-provoking questions that will help launch a robust audit trial review.
1. May the Head of Laboratory have admin rights, for example, to carry out the audit trail review?
Answer: Yes, provided as long as she/he does not operate and process or analyze herself/himself. It should be clearly defined in the SOPs.
2. File-based data retention: Deletion is possible outside the software. How is it possible to “build in” safety?
Answer: Yes, in systems that can store locally on the HD of the user, it is possible to set up two local user profiles. Then, for instance, the system stores data only on the profile the user cannot access.
3. What are metadata?
Answer: Data concerning data, such as the timestamp, actions relevant to the user.
4. Equipment often has a standard audit trail function. A lot of data is recorded (on/off), but only a small part of it is critical or relevant for a review. What is the best way to proceed when carrying out a review?
Answer: The IT department should configure the requirements of audit trials. The best way is to configure a report that only shows the most relevant data and leaves out all the non-critical elements (e.g., login/logout).
5. What is the way to proceed in the case of facilities in the production area, such as AP production, mixers, filling lines with variable parameters as concerns classification of data/systems, extent, and intervals of review?
Answer: It is best to classify systems and facilities according to ISA95. Then you will notice that at the bottom levels (field level, PLC, SCADA), no interactions of the user are permitted. Hence, no audit trail review is required. Basis is the risk analysis of the systems and data.
6. Whose job is it to carry out the audit trial review in the laboratory?
Answer: The FDA requires “Quality Unit” (QA) in the Draft Guideline. All other draft guidelines allow for peer review.
7. Must all electronic data be stored and archived in the case of a process in the sterile area, or is the batch record sufficient?
Answer: You must define what the raw data are. These have to be stored in addition to the batch record.
8. Would you consider changes of the parameters or formulations at production facilities as dynamic data? Do I have to consider them in every batch?
Answer: This data is governed by the change control and is not part of the data for a review.
9. Many of our production processes are documented by means of a batch record on paper. What should we do as concerns the review of the audit trail? Should we review the good documentation practice in the batch record by means of an audit trail review?
Answer: As long as you only document on paper the audit trail review is not relevant for you, but the 4-eyes principle for all critical steps. The following is stated in the FDA Guidelines: “Critical process steps have to be verified by a second individual.”
10. Is it necessary to perform an audit trail review (ATR) after each measurement or analysis carried out at the equipment in the laboratory? Who carries out the ATR—laboratory personnel (operator) or the Head of the Laboratory?
Answer: A SOP is required for the ATR for each system that describes the details. The review after completion of the analysis is important.
Now that you know this, hopefully you are in position to answer the Assignment(s)
- Does your organization have a SOP on Audit Trial Review?
- If yes, then it should clearly define what are “raw data,” “dynamic data,” and “static data.”
- If yes, what is the scope and limitations of the audit trial data review?
- Is the audit trial review system based on risk analysis?
- Does your company use the 4-eyes review procedure, which involves having a second person examine each crucial step?
- Is it possible for your audit trial review SOP to distinguish between non-critical data, such as login/logout features, critical data, like “deleted,” “modified,” and “changed,” and metadata, like time stamps?
- Does the Quality Assurance department have complete authority over audit trial reviews? Is the data from audit trials accessible to any other department?
- Note: A popular internal control mechanism known as the “four eyes principle” (also known as the “two-person rule”) mandates that any action taken by an individual within the company that involves a material risk profile be monitored (reviewed, double checked) by a second, competent, and independent person.