The Cove Business Standards Discussion Forums
Periodic Audit Trail Review - Scope, Content & Frequency
UL - Underwriters Laboratories - Health Sciences
Periodic Audit Trail Review - Scope, Content & Frequency
Periodic Audit Trail Review - Scope, Content & Frequency
Periodic Audit Trail Review - Scope, Content & Frequency
Periodic Audit Trail Review - Scope, Content & Frequency
Periodic Audit Trail Review - Scope, Content & Frequency
Periodic Audit Trail Review - Scope, Content & Frequency
Periodic Audit Trail Review - Scope, Content & Frequency
Periodic Audit Trail Review - Scope, Content & Frequency
Periodic Audit Trail Review - Scope, Content & Frequency
Go Back   The Elsmar Cove Business Systems and Standards Discussion Forums > > >
Forum Username

Elsmar Cove Forum Visitor Notice(s)

Wooden Line

Periodic Audit Trail Review - Scope, Content & Frequency


Monitor the Elsmar Forum
Sponsor Links




Courtesy Quick Links


Links Elsmar Cove visitors will find useful in the quest for knowledge and support:

Jennifer Kirley's
Conway Business Services


Howard's
International Quality Services


Marcelo Antunes'
SQR Consulting, and
Medical Devices Expert Forum


Bob Doering
Bob Doering's Blogs and,
Correct SPC - Precision Machining


Ajit Basrur
Claritas Consulting, LLC



International Standards Bodies - World Wide Standards Bodies

AIAG - Automotive Industry Action Group

ASQ - American Society for Quality

International Organization for Standardization - ISO Standards and Information

NIST's Engineering Statistics Handbook

IRCA - International Register of Certified Auditors

SAE - Society of Automotive Engineers

Quality Digest

IEST - Institute of Environmental Sciences and Technology


Some Related Topic Tags
21 cfr part 11 - electronic records and signatures, audit plans and audit frequency, audit scope, audits and auditing, gamp (good automated manufacturing practice)
Reply
 
Thread Tools Search this Thread Rate Thread Content Display Modes
  Post Number #1  
Old 28th June 2017, 09:32 PM
v9991

 
 
Total Posts: 952
Question Periodic Audit Trail Review - Scope, Content & Frequency

'audit trail review' is required to reflect the state of 'control' and usually carried out at broadly two levels.
1. at the end and specific to the unit-operation / analysis (batch or unit operation or analysis for specific equipment)...there is broad clarity on the audit trail review criteria (contents) for specific to the batch


2. my query is about the second one, "predefined/pre determined frequency - WHEN - HOW/WHAT"

note :-
I was looking for any templates (could only find certain guidances...enclosed); there will be more iterations if we start building from these references., hence looking for some template/advanced starting point.
Attached Files: 1. Scan for viruses before opening, 2. Please report any 'bad' files by Reporting this post, 3. Use at your Own Risk.
File Type: pdf 21 CFR Part 11_ How and Why to Comply _ MDDI Medical Device and Diagnostic Industry News Product.pdf (625.3 KB, 96 views)
File Type: doc ELDII Checklist 050912 FINAL (1).doc (309.5 KB, 148 views)
File Type: pdf GAMP-annex-july-mvp .pdf (279.3 KB, 104 views)
File Type: pdf IVT Network - Audit Trails Reviews for Data Integrity - 2017-01-25.pdf (47.8 KB, 165 views)

Sponsored Links
  Post Number #2  
Old 29th June 2017, 11:38 AM
yodon

 
 
Total Posts: 1,121
Re: Periodic Audit Trail Review - Scope, Content & Frequency

Sorry, I got lost... from what document are you quoting (regarding frequency)?

Audit trail information should be part of the computer system validation. Unless the software (or configuration) changes, the audit trail data will be consistently generated so after validation, checking doesn't make much sense. In fact, the GAMP annex you attached states:

Audit trails should be regarded primarily as a tool to be used for investigation, as and when required, rather than for continuous routine review. Routine review of all audit trail content is not required, and is not consistent with a risk-based approach. The cost and effort is not justified by any likely benefit.

I guess it wouldn't hurt to do a routine check to ensure, for example, that the environment hasn't changed (especially true for SaaS applications / cloud-based / delivered applications) but otherwise, I don't see value.
  Post Number #3  
Old 29th June 2017, 12:30 PM
v9991

 
 
Total Posts: 952
Re: Periodic Audit Trail Review - Scope, Content & Frequency

Quote:
In Reply to Parent Post by yodon View Post

Sorry, I got lost... from what document are you quoting (regarding frequency)?
here we go...
GUIDANCE ON GOOD DATA AND RECORD MANAGEMENT
PRACTICES
[QUOTE]
Systems typically include many metadata fields and audit trails. It is expected that during validation of the system the organization will
establish
– based upon a documented and justified risk assessment – the frequency, roles and responsibilities, and approach to review of
the various types of meaningful metadata, such as audit trials. For example, under some circumstances, an organization may justify
periodic review of audit trails that track system maintenance activities, whereas audit trails that track changes to critical GxP data with
direct impact on patient safety or product quality would be expected to be reviewed each and every time the associated data set is being
[/QUOTE]
Quote:

reviewed and approved
– and prior to decision-making.


Data Integrity and Compliance With CGMP
7. How often should audit trails be reviewed?.................................................................................6
Quote:
226 each record and before final approval of the record. Audit trails subject to regular review 227 should include, but are not limited to, the following: the change history of finished 228 product test results, changes to sample run sequences, changes to sample identification, 229 and changes to critical process parameters. 230
231
FDA recommends routine scheduled audit trail review based on the complexity of the 232 system and its intended use.

 
MHRA GMP Data Integrity Definitions and Guidance for Industry March 2015
Quote:
Audit trail review should be part of the routine data review / approval process, usually performed by the operational area which has generated the data (e.g. laboratory). There should be evidence available to confirm that review of the relevant audit trails have taken place. When designing a system for review of audit trails, this may be limited to those with GMP relevance (e.g. relating to data creation, processing, modification and deletion etc). Audit trails may be reviewed as a list of relevant data, or by a validated ‘exception reporting’ process. QA should also review a sample of relevant audit trails, raw data and metadata as part of self inspection to ensure on-going compliance with the data governance policy / procedures.


coming to the real part....I agree with the emphasis on the "intent/value" of the exercise. (frequency is mere part of the it_)

Let me try...
a. details specific/relevant to the decision ought to be reviewed before releasing the cgxp data. (activity driven, viz., before completing an unit operation viz., drying, its appropriate to have reviewed relevant data/records from the system, viz., excursions, recipe, etc)

b. others such as changes (periodic and routine (not the daily ones)) need to be reconciled.
Quote:

For example, under some circumstances, an organization may justify
periodic review of audit trails that track system maintenance activities,

Last edited by v9991; 29th June 2017 at 01:48 PM.
  Post Number #4  
Old 29th June 2017, 10:15 PM
Ajit Basrur's Avatar
Ajit Basrur

 
 
Total Posts: 6,205
Re: Periodic Audit Trail Review - Scope, Content & Frequency

It is already there in one of the FDA documents that you have attached ....

FDA recommends that audit trails that capture changes to critical data be reviewed with each record and before final approval of the record.

Audit trails subject to regular review should include, but are not limited to, the following: the change history of finished product test results, changes to sample run sequences, changes to sample identification, and changes to critical process parameters.

FDA recommends routine scheduled audit trail review based on the complexity of the system and its intended use.
  Post Number #5  
Old 30th June 2017, 08:35 AM
v9991

 
 
Total Posts: 952
Re: Periodic Audit Trail Review - Scope, Content & Frequency

Quote:
In Reply to Parent Post by Ajit Basrur View Post

It is already there in one of the FDA documents that you have attached ....[/B]


v9991
Quote:
2. my query is about the second one, "predefined/pre determined frequency - WHEN - HOW/WHAT"

note :-
I was looking for any templates (could only find certain guidances...enclosed); there will be more iterations if we start building from these references., hence looking for some template/advanced starting point.
  Post Number #6  
Old 30th June 2017, 09:01 AM
Ajit Basrur's Avatar
Ajit Basrur

 
 
Total Posts: 6,205
Re: Periodic Audit Trail Review - Scope, Content & Frequency

I do not have a checklist but preparing one just by listing the requirements from EU GMP Annex 11 and FDA 21 CFR Part 11 would be a great start.

Also refer THIS to get more questions.
Thanks to Ajit Basrur for your informative Post and/or Attachment!
  Post Number #7  
Old 1st July 2017, 01:06 AM
v9991

 
 
Total Posts: 952
Apple Re: Periodic Audit Trail Review - Scope, Content & Frequency

we ended up covering following in periodic review checklist for audit trails.

* Data
review of 'reasons' captured for each activity.

* System
any standby/backup system triggered
review of time syn in the lab.
any system/policy updates.

* user ids and privileges changes if any.
No. of instances where user id is locked or pwd reset .
No. of ids activated / deactivated.
any change in the admin/qa pwds.

* backup & archival
compliance as per the changes
status of any data 'restored'
backup status of the log for audit trail.

of course, there will be other application/lab specific requirements.
  Post Number #8  
Old 3rd June 2018, 03:57 AM
v9991

 
 
Total Posts: 952
Look! Re: Periodic Audit Trail Review - Scope, Content & Frequency

https://www.agilent.com/cs/library/f...dit_Wright.pdf
Data Integrity (DI) questions:
• Is electronic data available?
• Is electronic data reviewed?
• Is meta data (audit trails) reviewed regularly?
• Are there clear segregation of duties?
• Has the system been validated for its intended use?

Internal Data Review External (Auditor)
Data Review
• Analysis performed as per the monograph.
• Sequence information correct.
• Chromatography is typical.
• SST acceptance criteria achieved.
• NO “conditioning” or “test” injections using the sample (use a standard or control sample if specified by your procedures and monograph).
• Correct integration (pay attention to MANUAL integration).
• Chromatography appropriately scaled.
• Individual results duplicate and meet specification.
• Check the sequence and individual injection audit trail - any atypical / suspect activity?
• Data processing: - Do the audit trail comments provide traceability? - Can the reprocessing be justified?
• Check electronic results within the CDS match results reported on hard copy chromatography or in LIMS / SAP systems. • Administration control.
• Individual user profiles and passwords.
• Clear segregation of duties within user profiles.
• Restricted privileges for user (cant delete / over-write / move).
• Audit trail functionality switched ON.
• Date / time functionality locked by IT.
• Lab Demo – User log-on (multiple), date / time locked, cant delete data.
• Data recall – Electronic sequence / data file recall in lab using staff member. Data recall needs to be fast and efficient.
• Data review – Chromatography scaling, integration and electronic results.
• Audit trail review – looking for suspicious activity, justification of processing.
• Training – assess staff competency with CDS in lab. Make sure staff are trained to interact with the auditor. Have a CDS superuser present during the lab inspection.
• Query search –assurance that batch hasn’t been analysed multiple times as part of an investigation.

https://www.fda.gov/downloads/AboutF.../UCM561491.pdf
Current expectations and guidance, including data integrity and compliance with CGMP

Regular Review Scheduled Review
• Overwriting
• Aborting runs
• Testing into compliance
• Deleting
• Backdating
• Altering data
• (not an all-inclusive list) •


https://www.linkedin.com/pulse/how-y...a-nagesh-nama/
Regular Review Scheduled Review
the change history of finished product test results,
changes to sample run sequences,
changes to sample identification, and
changes to critical process parameters
• Look for unusual login activity
• Monitor record deletion (if such an activity is not permissible)
• Monitor changes to critical system configuration records
• Monitor user role changes
• Monitor abnormal, disallowed or unusual record state changes
• Monitor system logs for critical application errors and correlate them with user activity
• And much more….

http://www.cbinet.com/sites/default/files/files/Longden_Heather_pres.pdf
 Audit trails tell us WHO did WHAT, WHEN automatically
 Audit trails tell us WHY as defined by the user
 They have two primary purposes:
– Give a history to the data, to help decide if it can be trusted
– They should deter wrongdoing (think of CCTV)
o Without review, they are not a deterrent


Audit trail record…at least the following information
Name of the person who made – the change to the data; – Description of the change; – Time and date of the change; – Justification for the change;

• the change history of finished product test results,
• changes to sample run sequences,

• changes to sample identification,
• changes to critical process parameters. ( not “processing” parameters)
– routine scheduled audit trail review based on the complexity of the system and its intended use • include discrete event logs, history files, database queries or reports
• require specific training in evaluating the configuration settings and reviewing electronic data and metadata, such as audit trails, for individual computerized systems
• correct use of Admin functionalities
• determine if any retesting or additional testing of new functionality is required
• Deleting Data only by designated administrators and WHY
•
•  Creating projects only by designated administrators
•  Regular archiving of projects / altering access or status of projects
•  Altering System Policies  User creation patterns
•  Password resetting activity
•  Alteration of systems
•  Changes to roles



https://valimation.com/blog/2017/7/1/how-are-you-fulfilling-the-fdas-audit-trail-expectations-for-data-integrity

• Look for unusual login activity
• Monitor record deletion (if such an activity is not permissible)
• Monitor changes to critical system configuration records
• Monitor user role changes
• Monitor abnormal, disallowed or unusual record state changes
• Monitor system logs for critical application errors and correlate them with user activity
• And much more...

http://microsep.co.za/wp-content/upl...ata-Review.pdf

SYSTEM AUDIT TRAIL
• Deleting data only by designated administrators and WHY
•  Creating projects only by designated administrators
•  Regular archiving of projects / altering access or status of projects
•  Altering System Policies
•  User creation patterns
•  Password resetting activity
•  Unauthorised access to system
•  Alteration of systems
•  Changes to roles
•  Access to system at non working time
•  Restore of Projects and Project Integrity
•  Check on performance of IQ (Warning, Error)
•  Archive and Removal of Audit Trail
 Unsuccesful Attempt to Confirm Identity

PERIODIC AUDIT TRAIL
It’s like an internal audit on the compliance of the system – Find concerns BEFORE the audit –
Find ways to improve the efficiency of systems and processes –
Documented evidence of actively searching for data integrity issues –
Eg Review System Audit Trail for correct use of Admin functionalities

 Review major and minor changes to determine if any retesting or additional testing of new functionality is required
– Has it significantly expanded or changed use
– Is the system still in control and in a validated state?

http://www.who.int/medicines/areas/q...4_16092015.pdf
Management reviews and regular reporting of quality metrics
• tracking and trending the occurrence of invalid and aberrant data may reveal unforeseen variability in processes and procedures previously believed to be robust, opportunities to enhance analytical procedures and their validation, validation of processes, training of personnel or sourcing of raw materials and components; Working document QAS/15.624 page 13
• regular review of audit trails may reveal incorrect processing of data and help prevent incorrect results from being reported and identify the need for additional training of personnel;
• routine inspections of computerized systems may reveal gaps in security controls that inadvertently allow personnel to access and potentially alter time/date stamps. These findings help raise awareness to management of need to allocate resources to improve computerized systems validation controls;
• monitoring of contract acceptors and tracking and trending of associated quality metrics for these sites help to better identify risks that may indicate the need for more active engagement and allocation of additional resources by the contract giver to ensure quality standards are met.
Read pg.18 onwards


Data Integrity ALCOA+
A Attributable Who acquired the data or performed an action
L Legible Can you read and understand the data entries?
C Contemporaneous Was it documented at the time of the activity
O Original Is is the first recorded observation (or a verified true copy)?
A Accurate Is it scientifically valid with no errors?
+
Complete All data including any repeat or reanalysis performed
Consistent All elements of the analysis are dated/time stamped and in the expected sequence
Enduring Recorded in a permanent, maintainable form for the useful life
Available For review, audit or inspection over the lifetime of the record


http://www.formpipe.com/Global/Life%...ity%202017.pdf
Common Data Integrity Issues
Common passwords :- Analysts share passwords, unable to identify who created or changed a record
User privileges :- System configuration does not adequately define or segregate user levels Users have access to unauthorised functions
Computer System Operational Controls :- Inadequate controls over data Unauthorised access to modify or delete files No automatic saving of files, records not accurate or complete
Processing methods :- Integration parameters not controlled, chromatograms may be re-integrated without correct change process
Audit trails :- Functionality turned off, no complete record of the data life cycle – who modified a file and why

Conflict of interest :- Business process owners granted enhanced security access e.g. system administrator “Unofficial” documentation Recording data first on a scrap of paper then transferring to the official document (e.g. the laboratory notebook)
Failure to review “original data” :-Data and metadata not reviewed together to ensure context is maintained Errors or omissions may be undetected
Inadequate data retention arrangements :- Failure to avoid inadvertent or deliberate alteration or loss throughout the retention period



http://www.pharmacy.tcd.ie/assets/pd...-BBuhlmann.pdf

Data Integrity Continuum
System Error (ignore)
Individual Mistake (Sloppiness)
Individual Malfeasance (sleaziness)
Institutional Malfeasance (fraud )



Data Review
 Good Documentation Practices Legible, Contemporaneous, Permanent, Attributable, Traceable, Time/Date Stamped
 System Audit Trail Tracks actions of System Administrator Reviewed periodically based on risk Defined in Administrators SOPs
 Data Audit Trail Tracks actions of users, reviewers, and approvers Is reviewed when the data is reviewed Defined in User Operational SOPs


https://www.agilent.com/cs/library/f...dit_Wright.pdf



http://media.firabcn.es/content/S109.../coso_anna.pdf

1. Results discarded without explanation
2. 2. Overwriting electronic raw data files for on-going sequences
3. 3. EM plates without evidence of contact (finger prints)
4. 4. Operators with several profiles in a system
5. 5. Dates of # print outs without appropriate correlation

1. Which profiles and privileges are defined?
2. Who could change the data?
3. Is the e-data reviewed, or only paper data?
4. How do you manage your automated IPC controls?
5. Where do you keep your back-ups?




Important Questions and Answers concerning the Audit Trail Review

https://www.gmp-compliance.org/gmp-n...t-trail-review

https://www.gmp-compliance.org/gmp-n...-review-part-2



https://blog.montrium.com/experts/un...ic-gxp-systems
The audit trail must be:
Automated The audit trail entries must be automatically captured by the computer system whenever an electronic record is created, modified or deleted.
Secure Audit trail data must be stored in a secure manner and must not be editable by any user.
Contemporaneous Each audit trail entry must be time stamped according to a controlled clock which cannot be altered. The time should either be based on central server time or a local time, so long as it is clear in which time zone the entry was performed.
Traceable Each audit trail entry must be attributable to the individual responsible for the direct data input. Updates made to data records must not obscure previous values and where required by regulation the reason for changing the data must also be recorded.
Archived The audit trail must be retained as long as the electronic record is required to be stored.
Available The audit trail must be available for agency review and copying.


Audit trail content and reason it is required:
Identification of the User making the entry This is needed to ensure traceability. This could be a user’s unique ID, however there should be a way of correlating this ID to the person.
Date and Time Stamp This is a critical element in documenting a sequence of events and vital to establishing an electronic record’s trustworthiness and reliability. It can also be effective deterrent to records falsification.
Link to Record This is needed to ensure traceability. This could be the record’s unique ID.
Original Value This is needed in order to be able to have a complete history and to be able reconstruct the sequence of events
New Value
Reason for Change This is only required if stipulated by the regulations pertaining to the audit trailed record. (See below)

http://3dsbiovia.com/blog/?p=2477


http://www.formpipe.com/Global/Life%...ity%202017.pdf







DATA INTEGRITY CHECKLIST
https://www.pharmout.net/downloads/D...-Checklist.pdf

https://www.europeanpaymentscouncil....0-Approved.pdf

https://assets.thermofisher.com/TFS-...wp72664-en.pdf


http://www.salute.gov.it/imgs/C_17_E...Intervista.pdf

http://www.salute.gov.it/imgs/C_17_E...Intervista.pdf

http://www.pharmtech.com/data-integr...atory?pageID=2


http://www.waters.com/webassets/cms/...20005904en.pdf


http://rx-360.org/wp-content/uploads...D-APPROVAL.pdf

https://assets.thermofisher.com/TFS-...wp72664-en.pdf

http://www.waters.com/webassets/cms/...20005904en.pdf

http://rx-360.org/wp-content/uploads...D-APPROVAL.pdf
Attached Files: 1. Scan for viruses before opening, 2. Please report any 'bad' files by Reporting this post, 3. Use at your Own Risk.
File Type: docx data integrity - audit trail review.docx (812.4 KB, 20 views)
Thanks to v9991 for your informative Post and/or Attachment!
Reply

Lower Navigation Bar
Go Back   The Elsmar Cove Business Systems and Standards Discussion Forums > > >

Bookmarks



Visitors Currently Viewing this Thread: 1 (0 Registered Visitors (Members) and 1 Unregistered Guest Visitors)
 
Thread Tools Search this Thread
Search this Thread:

Advanced Forum Search
Display Modes Rate Thread Content
Rate Thread Content:

Forum Posting Settings
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Emoticons are On
[IMG] code is On
HTML code is Off


Similar Discussion Threads
Discussion Thread Title Thread Starter Forum Replies Last Post or Poll Vote
SOP for Audit Trail Comments v9991 Qualification and Validation (including 21 CFR Part 11) 5 28th April 2014 08:41 AM
Product Audit Planning / Frequency /Scope - Is anyone aware of preferred methods? Boro Col General Auditing Discussions 11 6th August 2009 08:59 AM
Ideal Internal Audit Frequency and Scope - ISO 9001 rahimahm Internal Auditing 6 26th February 2009 04:31 AM
Review complete, no changes needed - When a Procedure is due for a periodic review? kennypa Document Control Systems, Procedures, Forms and Templates 10 8th February 2006 01:24 PM
QP-5.6.0 - Management Review should be both periodic and continual TownDawg Management Review Meetings and related Processes 14 11th February 2005 12:15 AM



The time now is 11:08 AM. All times are GMT -4.
Your time zone can be changed in your UserCP --> Options.



Misc. Internal Links


NOTE: This forum uses "Cookies"