Effective and efficient laboratory controls are now more important than ever in the quickly changing regulatory pharmaceutical landscape of today. Organizations must make sure that their systems are secure, up to date,and compliant with 21 CFR Part 11 in order to keep a competitive edge. The purpose of this brief checklist is to offer a set of stimulating questions that will assist in initiating a strong Audit Trial Review and guarantee that your company’s quality systems continue to be at the forefront of regulatory compliance.
1. May we define entries in our CDS such as standard concentrations, densities, dilution factors, hence parameters used for the quantification of content and purity as static data? Or are these entries also part of the dynamic data, such as the (re)integration of peaks?
Answer: In my opinion, this is also dynamic data the user can influence or change.
2. Is it possible to shorten the audit trail review by taking the status of the analytical sequence and controlling the recorded parameters (such as concentration of the standards) at the end of the analysis and by stating that all changes and corrections carried out in the meantime are part of the analysis and evaluation and must consequently not be commented?
Answer: In my view, this is acceptable as long as a control is carried out and confirmed by a second person.
3. It was mentioned in the seminar that the audit trail review is part of the periodic review. What other points are included in the periodic review?
Answer:
- Roles and Responsibilities
- Service Agreements
- Validation/Qualification and Project Deliverables:
- System Control Procedures
- Audit Trail management
- Incidents, Problems
- Changes, Upgrades
- Security, User Access, User Administration
- User Guides
- Backup, BCP, Performance, Reliability Monitoring
- System Access Training
- Archived Data
4. If I have implemented a role concept, for example, and trained all staff members thoroughly as concerns the topic DI, won’t it then be sufficient to carry out a review of the audit trail on a random basis and to carry out the review prior to the batch release only in the case of irregularities such as OOS results?
Answer: It is acceptable to carry out a review on the basis of the system’s “exception” reports. These exception reports always must be checked anyway. It is not acceptable to carry out a review only on a random basis (but ultimately, this is defined by the risk analysis).
5. Which measures may be taken if the audit trail (as well as the actual data) can be deleted or changed at the level of Windows?
Answer: In the case of systems that can store locally on the HD of the user, it is possible to set up two local user profiles. Then, for instance, the system stores data only on the profile the user cannot access.
Now that you know this, hopefully you are in position to answer the Assignment(s)
- Does your organization have a SOP on Audit Trial Review?
- If yes, then it should clearly define what are “raw data,” “dynamic data,” and “static data.”
- If yes, what is the scope and limitations of the audit trial data review?
- Is the audit trial review system based on risk analysis?
- Do your organization implement a 4-eyes review process for all the critical steps (review by a second individual)?
- Do your audit trial Review SOP can segregate metadata such as time-stamps, critical data such as “deleted,” “modified,” “changed,” and non-critical data such as login/logout features?
- Audit trial review is under the full control of the Quality Assurance department? Do any other departments have access to audit trial data?
- Note: The Four Eyes Principle (also the two-person rule) is a widely used internal control mechanism that requires that any activity by an individual within the organization that involves a material risk profile must be controlled (reviewed, double checked) by a second individual that is independent and competent.