Audit Trails Remain Critical Defense During FDA Inspection
Urgency surrounding Part 11 and electronic record security controls has ebbed and flowed for many years as the FDA’s own emphasis has appeared to wax and wane, but one constant remains: Audit trails are critically important when dealing with FDA inspectors, experts tell PIR.
As former FDA field inspector Jan Holladay recently told PIR, “If you want to set off a warning bell in the mind of an FDA inspector at your site, turning off your audit trails at any time in the past is a great way to do it.”
Holladay, now compliance and education director for Rx Trials, a network of independent inpatient and outpatient clinical research sites, says it “amazes me to see people turning off their audit trails. It looks like they are hiding something.”
And, don’t expect the FDA to let up on its interest in seeing good audit trails anytime soon, agrees InfoStrength President Rita Geiger. “Audit trails have been important and will continue being important,” she told PIR. Likening them to an insurance policy for FDA-regulated life science companies, Geiger noted that no matter how the Part 11 rule changes, the FDA will always be interested in the ability of life science companies to demonstrate that they can generate accurate and complete records, provide record accountability and demonstrate integrity of records from the point of creation to the point of receipt.
The agency’s overall posture of leniency on many aspects of Part 11 compliance does not include audit trails, Holladay agreed.
It is also important not to get hung up on terminology, SEC Associates John McKenney and his team note in their reference guide to Part 11. “Certain predicate rules do, in fact, call for audit trails without using that specific wording,” he writes in the book.
For example, in the GLP regulations, 21 CFR 58.130 states, “Any change in automated data entries shall be made so as not to obscure the original entry, shall indicate the reason for change, shall be dated, and the responsible individual shall be identified.” That’s just one of many examples where predicate rules call for audit trail-type functionality without specifically using the term “audit trails.”
On the plus side, more and more regulated life sciences companies appear to be getting the point that audit trails matter.
“For the most part, people understand the importance of audit trails,” Geiger said. That’s likely because audit trails are not only important for Part 11 regulations but also for other regulations such as the Sarbanes-Oxley Act, which governs companies’ financial erecords, she said. “Audit trails provide a means to help accomplish several security-related objectives,” Geiger added.
In Holladay’s experience, audit trails are most often “switched off” by scientists in pre-clinical laboratories. They’ll turn them off not so much because they are hiding something, but because the audit trails slow their work down.
But companies still make all-too-common mistakes when putting together their audit trail program, Geiger said. “The most common mistake is that a system is not designed with audit trails in mind and the database may not be designed to capture the ‘before’ and ‘after’ version of a particular record as well as related information such as the person who made the change, the time, etc.,” she said.
The problem: If audit trails are created after the fact, they may be very difficult to design or they may not be complete. For example, a regulation may require that the reason for the change is captured and a system may not be designed to capture such information, Geiger said. - Michael Causey