With the rapid evolution of technology, more and more companies in regulated industries have transitioned to maintaining records and submitting information electronically. This was the impetus for the U.S. Food and Drug Administration’s (FDA) 21 CFR Part 11 regulation, which states that electronic records and electronic signatures are equivalent to their paper record and handwritten signature counterparts. Compliance with the regulation requires that a digital signature be assigned to a specific individual, include a signature type (i.e., review, approval, author), and be traceable from the document back to the signer.
To ensure the transparency, trustworthiness, and reliability of records, regulatory oversight of a company’s data and records management includes examining timestamped audit trails. GxP Lifeline recently met with Seyed Khorashahi, executive vice president of medical devices and CTO at Regulatory Compliance Associates (RCA) Inc. — a worldwide consulting firm that assists pharmaceutical, biologic, sterile compounding, biotechnology, and medical device companies with resolving compliance and regulatory challenges. Khorashahi shares some valuable insight on the anatomy of an audit trail and advises companies on how to comply with this critical component of Part 11.
Bottom line, an audit trail is the who, what, when, and why of a company’s data. It’s a log containing metadata that essentially allows you to reconstruct all user actions and events involving data, including who made a change, what was changed, when it was changed, and why.
Part 11 includes the predicate rules, which apply to record retention throughout the product’s life cycle — from cradle to grave. An audit trail is in place to ensure the ongoing completeness, accuracy, integrity, and security of data and records. It’s also necessary to provide transparency of the actions people take with the data. This all needs to be available to auditors during an inspection.
Manufacturing regulated products calls for companies to keep a close watch on data — especially when it can have an impact on product quality and patient safety. This can be tricky in the day-to-day gathering, storage, tracking, usage, etc. of data.
Good Documentation Practices (GDP) mandate that you document everything in regulated product development to provide evidence that staff are following procedures. An important component of an audit trail is that data needs to be timestamped. Therefore, data needs to be in electronic form. Companies still using paper records need to scan all the documents in order to file and track them electronically.
When scanning materials, clarity is critical. Text-only documents can be simple enough, but images are more difficult. You need the ability to capture everything to ensure it’s a true copy that is acceptable under GxP regulations. Beyond that, scanning stacks of documents is prone to its own set of challenges. Not only is it extremely time-consuming, but all scanned documents also need to be reviewed to make sure there are no errors or missing pages. Then the same Part 11 signature guidelines need to apply.
Another challenge is that the systems companies use for managing quality processes and data are configurable. This means they might not have a way to limit access to specific users, control user actions, and avoid intentional or inadvertent deletion of data, which puts data integrity at risk. Also, if they’re using an open system (connected to the network), it becomes a cybersecurity concern because open systems have a wider cyberattack surface. Hackers continuously employ various human and computer-generated measures to gain access to a company’s data. It’s important to note that when data has been breached, it’s no longer compliant with data integrity requirements.
There are also situations where employees undermine audit trails by sharing login credentials. This has actually been noted in warning letters. Community system access may be a common workaround to keep production going when key personnel are away. However, going back to the who, what, when, and why concept, when an entire department uses the same username and password, there is no way to accurately trace actions to specific individuals or verify electronic signatures.
As I mentioned earlier, at the end of the day, data stewardship is all about keeping track of who, what, when, and why. Companies are collecting and handling more data these days. This means there is a lot more information to keep an eye on. Data has a certain life cycle based on the type of product. You need to make sure you have a validated system and processes in place to ensure it remains intact, secure, and readily accessible for audits.
I recommend using a risk-based approach with audit trails. Your quality management system (QMS) and processes should enable you to identify and resolve the risks to data integrity and compliance with Part 11. Here are a few items to consider when doing a risk assessment:
Digitization is the direction things are going. You need to be able to effectively control and rely on your data. And legacy and hybrid systems won’t always be compatible with the evolving regulatory landscape. Companies in regulated environments need to make sure their data and metadata are compliant with data integrity requirements, transparent, and accessible in a readable format for the extent of the data’s life cycle.