ERP Audit Trail audit by FDA? Regular audit trail report template?

Wolf.K

Quite Involved in Discussions
#1
Hi folks,

I wonder if someone can give me hints on what an "audit trail report" of an ERP (Electronic Resource Planning) system should look like to fulfill the requirements of FDA Quality System audits of medical device manufacturers? We are a small start-up, have a QMS (13485:2016 certificate), and currently we are setting up ERP software. We are EU-based, but we are planning to enter the US market sooner or later. Our software has audit trail functionality, but none of us has any clue what we should look for (we are all scientists...). I have read several threads here in the forum and PDFs on the net, but I still feel clueless. So, do any of you have some kind of experience, maybe already having had FDA guys auditing your company? What should/could I do? I am not even sure if I am asking the correct question(s)! I think it is not only about data integrity, right?

Truly yours,
Wolf
 
Jean_B

Trusted Information Resource
#2
When you say 'data integrity', to be honest, it is. And to achieve that it also imposes requirements on related parts. (Note: audit trails for IT are not necessarily the same as the audit trails the FDA expects.)

The key term you should go from is 21 CFR Part 11 (restated, even though I suspect you already know this). The text itself is the usual condensed ruleset that you'll need either experience with or help to decode (consultant paradise). Even the guidance has this, but to a lesser extent.
This forum has bits and pieces of answers (though no complete guide as that is more paid work). This is because complying with it is complex and dependent on both the system in use, the application and non-technology bits like humans.

Also try looking at major providers' guides, FAQs and whitepapers to get a better feel. E.g.:
How the DocuSign Part 11 Module fits with 21 CFR Part 11 - New DocuSign Experience | DocuSign Support Center

Administratively keep to the general Good Documentation Practice rules when setting stuff up: know who did what when, and if it's special know why. If something needs to be replaced or added to, do the same and keep the original available.
Restrict authority to override such controls very specifically to a person who does not have a motive for changing the information (but don't forget that when only a single person has high-level rights there is a risk of gridlock should that person die or leave).
Now with UDIs on stage, think about traceability maintained in ERP, and what systems would be interfacing with it.
Be careful of the 'as long as I have a paper record' I don't need to validate or control. The paper record would need to be your first resort nearly every time. So if you print your orders and store them in a binder, but everyone uses the very handy search, filter, sort (edit :eek: ) functionality that software provides, guess what: still mandatory to do Part 11.
 

Wolf.K

Quite Involved in Discussions
#3
Dear Jean_B,

Thank you very much for your long comment! I think IT and technical recording of all changes and so on is good enough to fulfill all requirements of 21 CFR Part 11 and other regulatory requirements. What I wonder is how I should document the regulatory requirement of the regular "audit trail reports" I will have to write. I have never seen such a document yet. Therefore, I don't even know the basic structure of such a report. Is it a one-page document like "All changes of records have been evaluated. 25 batches have been manufactured of product A. Product has been delivered to 23456 customers. No peculiarities have been found. All product deliveries are traceable." or a many-page document documenting all changed records for all batches and so on?

:) Wolf
 

Jean_B

Trusted Information Resource
#4
I am wondering which regulatory requirement spawns the need for a regular audit trail report? My memory (and cursory re-examination) of 21CFR Part 11 doesn't show that to be the case.
While awaiting your response on the source:
In my mind a report might be necessary on anomalous behavior with regards to the controls or the data they were intended to protect, but would often look like many deviation reports do:
  1. Deviation observed
  2. Confirming deviation actually occurred, and any context/circumstances
  3. Investigation trail/evidence.
  4. Cause
  5. This could then be followed up by the determination of need for corrective action (probably you need to correct/justify the item itself as it's a deviation already), and all that goes with that.
There's no explicit threshold for which attempts are regarded as anomalous enough to warrant investigation though. (Explicit one is obviously changed data; always of interest). You might find inspiration in literature for IT dealing with break-in attempts on secured systems or data integrity. On those matters I'll defer to those who have IT security as a full profession instead of a hobby.
The example you describe would be a regular surveillance audit on the system or process, and should adhere to your internal audit procedure (which has its own requirements). Here it's the case that Part 11 goes toward IT audit trail territory, and traditional internal audit trails are about adequately showing links between objective evidence, criteria and finding. They might interact, with Part 11 process and systems being either the subject of the audit, or providing the objective evidence for other matters being scrutinized.
 

Wolf.K

Quite Involved in Discussions
#5
> I am wondering which regulatory requirement spawns the need for a regular audit trail report? My memory (and cursory re-examination) of 21CFR Part 11 doesn't show that to be the case.

Probably you are right, the regulatory requirements do not state "write an audit trail". But compare with post-market surveillance (ISO 13485:2016) - there are no "checklists" with "do this and that", and every company tinkers with the audit reports they have to write. I have seen many of them, some just one page, others about 100 pages (for identical products). As we all (at my company) are new to the "ERP" business and did not even know that there is something like an audit trail just a few months ago, I found some information about "audit trail reports". Of course it makes sense to include it in the internal audits! But all I know so far is that our notified body likes "reports", therefore, when I read about "audit trail reports" I thought "yes, that is what we need". That is the reason why I posted my question in this forum, hoping for information regarding audit trails and how to deal with them. Of course it does not make sense to collect the data automatically by the system and never bother about it. There are different processes - some are GMP relevant, and others are not but are important e.g. for the tax office. And of course we want to be sure that nobody is changing the data of the ERP unnoticed.
So, I am still somewhat looking for a kind of checklist of what to do to check the ERP. Your outline is nice, and I will just start with collecting data on some processes (e.g. # of changes to datasets, bills, inventory and so on).

Wolf
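
Added example, not part of the original posts: a minimal periodic audit-trail review in Python along the lines discussed in this thread (who did what, when and why; original value kept; override rights; number of changes per record type). The CSV column names, the sample rows and the `OVERRIDE_ACCOUNTS` list are constructed assumptions, not the export format of any particular ERP.

```python
import csv
import io
from collections import Counter

# Constructed sample of an ERP change-log export (hypothetical column names).
SAMPLE_EXPORT = """timestamp,user,table,record_id,field,old_value,new_value,reason
2024-03-01T09:12:00,akeller,Inventory,LOT-0012,quantity,100,98,scrap booked
2024-03-01T09:40:00,akeller,Invoice,INV-0456,amount,1200.00,1250.00,
2024-03-02T22:05:00,admin,Inventory,LOT-0012,expiry_date,2025-01-31,2026-01-31,correction
2024-03-03T11:30:00,,Batch,B-0007,status,quarantine,released,QA release
2024-03-03T11:45:00,mbraun,Batch,B-0008,status,,released,QA release
"""

# Assumption: accounts that may override controls, taken from your own access list.
OVERRIDE_ACCOUNTS = {"admin"}


def review_audit_trail(csv_text, override_accounts=OVERRIDE_ACCOUNTS):
    """Return (changes per table, findings) for one review period."""
    counts = Counter()
    findings = []
    # start=2 because line 1 of the export is the header row.
    for line_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        counts[row["table"]] += 1
        ref = f"line {line_no} {row['table']}/{row['record_id']}.{row['field']}"
        if not row["user"].strip():
            findings.append((ref, "no user recorded (who)"))
        if not row["timestamp"].strip():
            findings.append((ref, "no timestamp recorded (when)"))
        if not row["old_value"].strip():
            # May be a legitimate first entry; flagged so a person checks it.
            findings.append((ref, "original value not retained"))
        if not row["reason"].strip():
            findings.append((ref, "changed data without a reason (why)"))
        if row["user"] in override_accounts:
            findings.append((ref, "change made with an override account"))
    return counts, findings


if __name__ == "__main__":
    counts, findings = review_audit_trail(SAMPLE_EXPORT)
    for table, n in sorted(counts.items()):
        print(f"{table}: {n} change(s)")
    for ref, problem in findings:
        print(f"FINDING {ref}: {problem}")
```

Each finding can then be written up in the deviation-report outline from post #4 above; the per-table counts are the kind of figures post #5 mentions collecting.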
 

Ninja

Looking for Reality
Staff member
Super Moderator
#6
Up front...I do not and have never worked in this area...

That said, if you have purchased an ERP system specifically to include these regulations...your ERP provider has likely been down this road before.
Do not discount using them as an available resource for what you are trying to achieve.
You may find that the answer is "Just hit that button...that's what it's there for".

It's your first time down this road (assumption)...it likely is not the first time for them...use them as a learning tool.

HTH
 

Wolf.K

Quite Involved in Discussions
#7
Of course not, they have almost all we need, but... We are in Europe, so they do not have many customers in the US yet, but they are selling MS Dynamics NAV, which is used by many US companies. But: "Money makes the world go round" (Liza Minnelli) ... "Money money money money" (ABBA)... As we are PLANNING to enter the US market sooner or later, of course our management did not plan to spend money on the important parts of such an implementation. Cheap is better for bonus. After I handed over our High Level Risk Assessment, at least we got the money for the validation support. I hope that I can get more information from the company about the audit trail audit, but having other information is a good thing too!
 