Nicola Brady simplifies the key elements of the computerised system audit trail and how important they are for the preservation of data integrity.
Who, What, When, Where and Why?
The first questions we learn as children, or when we are learning a new language, are ‘Who, What, When, Where and Why’, and there is a very good reason for this. These simple questions, often referred to as the 5 Ws, are an extremely powerful tool in information gathering.
As adults, no matter our walk of life, these questions are still invaluable in helping us understand the world around us, both personally and professionally. The 5 Ws are used by everyone from police detectives to journalists to life science professionals to get the complete story, provide context, and ultimately support problem solving and issue resolution.
In essence, the 5 Ws are fundamental to data collection, and as such the concept is as relevant in the world of computerised systems as it is in the human world.
The 5 Ws and Computerised System Audit Trails
The audit trail of a computerised system is a record or snapshot of the Who, What, When, Where and Why associated with every data transaction. It essentially allows for the reconstruction of any event associated with that computerised system. In highly-regulated industries, including Life Science or any industry where data integrity is held in high esteem, the audit trail is a fundamental tool in assuring that the integrity of data is maintained.
GAMP 5 Guide: Compliant GxP Computerized Systems details the key components of the audit trail:
- Who? Identification of the user or system responsible for the data transaction. This provides attributability and traceability.
- What? Original Value – New Value for the audit trail entry. This is necessary in order to have a complete history for the data and to be able to reconstruct the sequence of events if required.
- Why? Reason for Change. This allows for clear visibility and justification for any creation, modification, deletion, or manipulation of the data.
- When? Date and Time Stamp for when the data record was generated. This is a critical element in documenting a chronological sequence of events and vital to establishing an electronic record’s trustworthiness and reliability.
- Where? Link to Record associated with the audit trail entry. This provides traceability and context for what the data transaction related to.
When a computerised system audit trail consistently, accurately, and completely captures these key components it goes a long way to satisfying the core principles of data integrity.
What do the Regulators want?
In the life science industry, the regulators expect audit trails to be in place for GxP computerised systems.
- 21 CFR Part 11 Subpart B Sect 11.10 Controls for Closed Systems: “Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information”.
- EudraLex Volume 4 Annex 11: Computerised Systems: “Consideration should be given, based on a risk assessment, to building into the system the creation of a record of all GMP-relevant changes and deletions (a system generated ‘audit trail’). For change or deletion of GMP-relevant data the reason should be documented”.
But it is not enough to have them in place if they are never interrogated and reviewed to confirm that they are operating as intended and that the data integrity associated with the system is preserved.
The regulators expect companies within the life science industry to regularly review the audit trails associated with their GxP computerised systems. The type of review and the frequency with which it is performed should be risk-based, taking into account the criticality of the system and its potential impact on product or patient safety, the complexity of the system, and the criticality and vulnerability of the data associated with the system. Application of risk-based principles will ensure an effective and meaningful review.
The importance of the Audit Trail Review
An audit trail review can be considered a review of a computerised system audit trail to confirm that it is functioning correctly and to assure that data integrity is preserved.
There are two types of audit trail review.
(1) Data Review – Audit trails that capture changes to critical data with the potential to impact product and patient safety may need to be reviewed with each record prior to approval or release of that record, e.g. changes to critical processing parameters. This form of data review is often referred to as ‘At Release’ Audit Trail Review.
(2) System Audit Trail Review – Audit trails that capture system interactions should be reviewed periodically, e.g. administrator activities, log-in attempts, non-standard access. The frequency applied for this type of audit trail review should consider the complexity, configurability and relative risk associated with the system and its data.
Irrespective of the type of audit trail review being performed, the following should be considered:
- Is there audit trail functionality associated with the system and is it enabled for use?
- Has the audit trail been tested to confirm it is functioning as intended?
- What roles are associated with the system and which roles have elevated user privileges e.g. system administrator?
- Is there clear segregation of duties between the system administrator and system users?
- What procedures govern the control, operation, maintenance, calibration and administration of the system, e.g. where the permitted activities are detailed?
- How are changes associated with the system managed and documented?
- Are there supplemental systems / processes associated with the system where data may be imported / exported?
- What format is the audit trail data available in? Will it be possible to interrogate / interpret the data? How is the audit trail data exported / made available for review?
- What is the size of the audit trail data set for the review type and review period in question? Sampling and filtering of the dataset and exclusion of certain data may be necessary to perform a meaningful and effective review.
When conducting the audit trail review the focus should be on the following:
- Confirm the ‘who, what, when, where and why’ are appropriately captured for all audit trail entries
- Review Administrator actions and actions by any roles with elevated access
- Review all configuration changes with confirmation that changes are attributable to a Change Control or other Quality System Elements
- Where not covered by change control or other quality element, confirm activities are in line with expected practices as detailed in governing procedures
- Review and confirm admin users and any other users interacting with the system are authorised for those activities
- Confirm there are no unexplained gaps in audit trail data
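The review focus points above can be partly automated over an exported audit trail. The following is an added example, not code from the article or from any vendor system: the field names (`seq`, `who`, `role`, `action`, `old`, `new`, `when`, `record`, `reason`, `change_ref`) are a hypothetical export schema, and treating a skipped sequence number or a backwards timestamp as a "gap" is an assumption.

```python
from datetime import datetime

# Hypothetical export schema: which field carries each of the 5 Ws.
FIVE_WS = {"who": "who", "what": "action", "when": "when",
           "where": "record", "why": "reason"}

def review_audit_trail(entries, authorised, elevated_roles=("admin",)):
    """Return (seq, finding) tuples for the reviewer to follow up."""
    findings, prev_seq, prev_time = [], None, None
    for e in sorted(entries, key=lambda e: e["seq"]):
        seq = e["seq"]
        # Every entry must capture all of the 5 Ws.
        for w, field in FIVE_WS.items():
            if not e.get(field):
                findings.append((seq, f"missing {w}"))
        # A modification must keep the original value beside the new one.
        if e.get("action") == "modify" and None in (e.get("old"), e.get("new")):
            findings.append((seq, "modify without old/new value"))
        # Users must be authorised for the role they acted under.
        if e.get("who") and e.get("role") not in authorised.get(e["who"], ()):
            findings.append((seq, "user not authorised for role"))
        # Elevated-role configuration changes need a change control reference.
        if (e.get("role") in elevated_roles and e.get("action") == "config_change"
                and not e.get("change_ref")):
            findings.append((seq, "config change without change control"))
        # Gaps: skipped sequence numbers or timestamps running backwards.
        if prev_seq is not None and seq != prev_seq + 1:
            findings.append((seq, f"gap after seq {prev_seq}"))
        when = datetime.fromisoformat(e["when"]) if e.get("when") else None
        if when and prev_time and when < prev_time:
            findings.append((seq, "timestamp earlier than previous entry"))
        prev_seq, prev_time = seq, when or prev_time
    return findings

# Constructed sample data, not taken from any real system.
AUTHORISED = {"jdoe": ("operator",), "asmith": ("admin",)}
SAMPLE = [
    {"seq": 1, "who": "jdoe", "role": "operator", "action": "modify",
     "old": "37.0", "new": "37.5", "when": "2024-03-01T09:00:00",
     "record": "BATCH-001/temp", "reason": "Transcription error"},
    {"seq": 2, "who": "asmith", "role": "admin", "action": "config_change",
     "old": "on", "new": "off", "when": "2024-03-01T09:05:00",
     "record": "SYS/audit_trail", "reason": "Maintenance"},
    {"seq": 4, "who": "jdoe", "role": "admin", "action": "modify",
     "old": "5", "new": "7", "when": "2024-03-01T08:59:00",
     "record": "BATCH-001/ph", "reason": ""},
]
if __name__ == "__main__":
    print(*review_audit_trail(SAMPLE, AUTHORISED), sep="\n")
```

Each finding is a prompt for human follow-up against the governing procedures, not a verdict; the script only narrows a large data set to the entries that need a reviewer's attention.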
The completion of the audit trail review should be formally documented and reported, and any findings reviewed and remediated. The regulators will want to see the fruits of your labour to assure themselves that you are in control of your data integrity.
By implementing a comprehensive, risk-based review process for the audit trail that encompasses at-release data review and periodic system audit trail review, you not only satisfy the simple 5W questions and assure the integrity of the data associated with your systems and their associated processes, you also satisfy the regulatory requirements set forth above.