Configuring Software for Compliance with 21 CFR Part 11 Audit Trail Requirements (1)

The US Food and Drug Administration’s (FDA’s) 21 CFR Part 11 (often abbreviated to ‘the Rule’) specifies audit trail requirements in general terms. The Rule remains in force, despite the fact that it is currently under review and the draft guidance that FDA had issued to assist organizations with interpretation has been withdrawn. Even in the absence of specific guidance, an audit trail is essential both for regulatory compliance and to prevent the loss of valuable business information.
The Part 11 section that covers audit trails (11.10e) reads: “Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.”
The best strategy for audit trail configuration is not always clear. In addition, the functionality for audit trails available in commercial software, commercial packages or legacy applications may be less than ideal. There are a number of questions regarding audit trails that require consideration when formulating a compliance strategy:

  • Is it necessary to audit all information and if not, precisely what information must be audited?
  • Maintenance of an audit trail for record creation can generate large amounts of information. What is the best way to approach this?
  • What is the difference between version control audits and simple audits? When should each type be used?
Generally, applications that use commercial database management systems (DBMS) can be configured to support compliance without too much difficulty. Functionality within applications that manipulates electronic records without using a DBMS is much more variable; some applications are full-featured, others much less so.

What to audit

Good clinical, laboratory, manufacturing and pharmaceutical practice (GxP) regulations may specify records that must be audited, but this is not always the case. It is possible to audit all records, although this incurs high storage and processing overheads, and useful information may be difficult to retrieve from redundant data. Therefore, it is important to review records, particularly when they are high-volume, and ask: “Is there a regulatory or business need to audit trail these records?”
A cautious approach is recommended, wherein the default is to audit all records - unless it is clear that there is no business or regulatory requirement.

Audit strategies

There are two fundamentally different strategies for achieving a compliant audit trail: version control and audit trail control. The distinction is not made clear, or indeed mentioned, in either Part 11 or its preamble; however, it is a distinction that is made by predicate rules and is familiar to those working with paper documents in a GxP environment.
Version control. The distinction between the two strategies can be made clear by examples from paper-based systems. A paper-based example of version control is updating a standard operating procedure (SOP). Here, the 21 CFR Part 58 predicate rule states: “A historical file of standard operating procedures, and all revisions thereof, including the dates of such revisions, shall be maintained.” (Part 58.81) Therefore, when an SOP is updated, an entire copy of the superseded version must be retained.
Audit trail control. For audit trail control of an analytical record, the same document states: “Any change in entries shall be made so as not to obscure the original entry, shall indicate the reason for such change, and shall be dated and signed or identified at the time of the change.” (Part 58.130) Therefore, in contrast to modifying an SOP, it is not necessary to retain an entire copy of the unmodified record and reissue a completely new amended copy when modifying a paper analytical record; it is acceptable to amend and annotate the existing paper copy.
Advantages and disadvantages. Both of these approaches can be mimicked by electronic systems. A change to a record can force an entirely new version to be issued (version control) or the change can be applied to the existing version and the ‘value before change’ recorded in an audit record (audit trail control). Either approach allows historical records to be retrieved. With audit trail control, historical records may be reconstructed by ‘rolling back’ the audit changes and restoring the ‘before change’ values up to the point of interest. Version control’s principal advantage is that all historical records exist in their entirety and no reconstruction is necessary. Both approaches also allow details of record changes to be retrieved. With version control, detailed ‘before’ and ‘after’ change information can be reconstructed by comparing the record versions before and after the change. With audit trail control, the detailed changes are explicitly recorded and no reconstruction is necessary. The major disadvantage of using version control is that vastly more information must be retained, and retained for the lifetime of the records.
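
Audit trail control and the roll-back reconstruction described above, as an added example (not from the original article or from any vendor product): SQLite triggers record the ‘value before change’, operator and reason on each amendment and refuse edits to the audit table. The table, column and function names and the sample data are constructed for illustration, and only modifications are covered, not record creation or deletion.

```python
import sqlite3

# Constructed schema: 'result' holds the live record, 'audit' the before-change values.
SCHEMA = """
CREATE TABLE result (id INTEGER PRIMARY KEY, value TEXT, changed_by TEXT, reason TEXT);
CREATE TABLE audit (
    seq INTEGER PRIMARY KEY AUTOINCREMENT,
    at TEXT DEFAULT CURRENT_TIMESTAMP,      -- computer-generated time stamp (UTC)
    record_id INTEGER, old_value TEXT, changed_by TEXT, reason TEXT);
-- The database, not the application, writes the audit row on every change.
CREATE TRIGGER result_modify AFTER UPDATE OF value ON result BEGIN
    INSERT INTO audit (record_id, old_value, changed_by, reason)
    VALUES (OLD.id, OLD.value, NEW.changed_by, NEW.reason);
END;
-- Audit rows can be added but never rewritten or removed through SQL.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit BEGIN
    SELECT RAISE(ABORT, 'audit trail is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit BEGIN
    SELECT RAISE(ABORT, 'audit trail is append-only'); END;
"""

def change(db, record_id, new_value, operator, reason):
    """Amend the existing record in place; the trigger keeps the old value."""
    db.execute("UPDATE result SET value=?, changed_by=?, reason=? WHERE id=?",
               (new_value, operator, reason, record_id))

def value_as_of(db, record_id, seq):
    """Roll back: restore 'before' values of every change made after audit row seq."""
    value = db.execute("SELECT value FROM result WHERE id=?", (record_id,)).fetchone()[0]
    rows = db.execute("SELECT old_value FROM audit WHERE record_id=? AND seq>? "
                      "ORDER BY seq DESC", (record_id, seq))
    for (old_value,) in rows:
        value = old_value
    return value

def audit_is_append_only(db):
    """True if the database refuses to delete audit rows."""
    try:
        db.execute("DELETE FROM audit")
    except sqlite3.DatabaseError:
        return True
    return False

def demo():
    """Constructed sample: one pH result amended twice."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO result (id, value, changed_by) VALUES (1, '7.1', 'analyst1')")
    change(db, 1, "7.4", "analyst1", "transcription error")
    change(db, 1, "7.2", "reviewer2", "recalculated after recalibration")
    return db
```

The triggers stop changes made through SQL by the application; database privileges still have to prevent operators from dropping or disabling them.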
