With the rapid evolution of technology, more and more companies in regulated industries have transitioned to maintaining records and submitting information electronically. This was the impetus for the U.S. Food and Drug Administration’s (FDA) 21 CFR Part 11 regulation, which states that electronic records and electronic signatures are equivalent to their paper record and handwritten signature counterparts. Compliance with the regulation requires that a digital signature be assigned to a specific individual, include a signature type (i.e., review, approval, author), and be traceable from the document back to the signer.
To ensure the transparency, trustworthiness, and reliability of records, regulatory oversight of a company’s data and records management includes examining timestamped audit trails. GxP Lifeline recently met with Seyed Khorashahi, executive vice president of medical devices and CTO at Regulatory Compliance Associates (RCA) Inc. — a worldwide consulting firm that assists pharmaceutical, biologic, sterile compounding, biotechnology, and medical device companies with resolving compliance and regulatory challenges. Khorashahi shares some valuable insight on the anatomy of an audit trail and advises companies on how to comply with this critical component of Part 11.
Bottom line, an audit trail is the who, what, when, and why of a company’s data. It’s a log containing metadata that essentially allows you to reconstruct all user actions and events involving data, including who made a change, what was changed, when it was changed, and why.
Part 11 includes the predicate rules, which apply to record retention throughout the product’s life cycle — from cradle to grave. An audit trail is in place to ensure the ongoing completeness, accuracy, integrity, and security of data and records. It’s also necessary to provide transparency of the actions people take with the data. This all needs to be available to auditors during an inspection.
Manufacturing regulated products calls for companies to keep a close watch on data — especially when it can have an impact on product quality and patient safety. This can be tricky in the day-to-day gathering, storage, tracking, usage, etc. of data.
Good Documentation Practices (GDP) mandate that you document everything in regulated product development to provide evidence that staff are following procedures. An important component in an audit trail is data needs to be timestamped. Therefore, data needs to be in electronic form. Companies still using paper records need to scan all the documents in order to file and track them electronically.
When scanning materials, clarity is critical. Text-only documents can be simple enough, but images are more difficult. You need the ability to capture everything to ensure it’s a true copy that is acceptable under GxP regulations. Beyond that, scanning stacks of documents is prone to its own set of challenges. Not only is it extremely time-consuming, all scanned documents need to be reviewed to make sure there are no errors or missing pages. Then the same Part 11 signature guidelines need to apply.
Another challenge is the systems companies use for managing quality processes and data are configurable. This means they might not have a way to limit access to specific users, control user actions, and avoid intentional or inadvertent deletion of data, which puts data integrity at risk. Also, if they’re using an open system (connected to the network), it becomes a cybersecurity concern because open systems have a wider cyberattack surface. Hackers continuously employ various human and computer-generated measures to gain access to a company’s data. It’s important to note that when data has been breached, it’s no longer compliant with data integrity requirements.
There are also situations where employees undermine audit trails by sharing login credentials. This has actually been noted in warning letters. Community system access may be a common workaround to keep production going when key personnel are away. However, going back to the who, what, when, and why concept, when an entire department uses the same username and password, there is no way to accurately trace actions to specific individuals or verify electronic signatures.
As I mentioned earlier, at the end of the day, data stewardship is all about keeping track of who, what, when, and why. Companies are collecting and handling more data these days. This means there is a lot more information to keep an eye on. Data has a certain life cycle based on the type of product. You need to make sure you have a validated system and processes in place to ensure it remains intact, secure, and readily accessible for audits.
I recommend using a risk-based approach with audit trails. Your quality management system (QMS) and processes should enable you to identify and resolve the risks to data integrity and compliance with Part 11. Here are a few items to consider when doing a risk assessment:
Digitization is the direction things are going. You need to be able to effectively control and rely on your data. And legacy and hybrid systems won’t always be compatible with the evolving regulatory landscape. Companies in regulated environments need to make sure their data and metadata are compliant with data integrity requirements, transparent, and accessible in a readable format for the extent of the data’s life cycle.
Enjoying this blog? Learn More.
21 CFR Part 11 Compliance ChecklistDownload Now