Regulatory requirements for Audit Trail Reviews

Audit Trails and their reviews are an important requirement in the current GMP policies. Since 2011, Annex 11 "Computerised Systems" of the EU GMP Guideline has demanded records of all GMP relevant changes and deletions to be implemented as a system-integrated Audit Trail: the reasons for changes and deletions must be documented. Audit Trails must be available, convertible into a generally readable form and checked regularly.

The PIC/S draft "Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments" from August 2016 also defines Audit Trails and provides comprehensive review requirements.

GMP/GDP Audit Trails are defined as metadata recorded about critical information such as the change or deletion of GMP/GDP relevant data in order to enable the reconstruction of GMP/GDP activities.

Pharmaceutical companies should upgrade their software so that the functionality for Audit Trails is included. Through this, all events in the system can be recorded and all activities regarding the collection, evaluation, deletion and overwriting of data for the Audit Trail Review are made available.

Audit Trails should be part of the system validation. The validation documentation is to show that the Audit Trails are functional and that all activities, changes and other transactions are recorded in a useable form.

It is also required that Audit Trails are reviewed regularly. For this purpose, every company has to implement a standard operating procedure (SOP), in which the strategy and the procedure for the Audit Trail Review are determined in compliance with risk management principles. This also applies to "ongoing reviews" of Audit Trails depending on the criticality and complexity of the system.

If significant deviations are found during the Audit Trail Review, these must be fully investigated and documented. The procedure of the measures a company takes in such a case in order to ensure the quality of the produced drug product must also be described in an internal SOP.

Moreover, the FDA has also defined the term Audit Trail in their "Data Integrity Guidance for Industry" draft from April 2016: an Audit Trail is a chronology of the "who, what, when and why" for a specific data record. As an example, the Audit Trail of a HPLC system is named. The HPLC Audit Trail should include: the user, date and time of the run, the integration parameters used and, when applicable, further details on reprocessing, including the justification for the reprocessing.

Despite these regulatory requirements, many questions about the specific implementation into practice remain.