Audit Trail-Deviations in the course of Inspections

Klaus Feuerhelm, former GMP inspector at the Regierungspräsidium Tübingen in Germany, has compiled a TOP 3 list of deficiencies from 2020 in computerised systems. Number 1 are deficiencies with regard to the audit trail.

What is the regulatory basis?

The deficiencies found in the course of inspections in connection with the audit trail are manifold. Quite often, the deficiency is related to the software delivered. The software suppliers or system suppliers simply do not provide what is actually required by EU-GMP Annex 11. However, there is certainly software that meets the requirements of EU-GMP, even if this does not happen very often as a rule.

First of all, one should be clear about where the requirement for audit trail functionality in a computerised system comes from. In Germany this results from Section 10 of the AMWHV (German regulation based on European law): "The original content of an entry may not be made illegible. No changes may be made that do not reveal whether they were made at the time of the original entry or later" - non-official translation.

Similar wording is to be found in EU GMP Chapter 4: "4.9 ... Any change to an entry in a document should be signed off and dated. Despite modification, the original information should remain legible. If indicated, the reason for the change should be recorded."

This requirement, then, is precisely what must be implemented in the audit trail functionality of a computerised system; the audit trail is thus a functionality for documentation. This information can also be found in the GAMP® Records and Data Integrity Guide, for example:
18.7 Audit Trail Considerations - "Audit trails should be considered part of records."

What is usually provided as an audit trail by many suppliers at present are so-called event logs, in which all sorts of things are logged. This makes a quick review of the audit trail considerably more difficult.

Deficiencies in connection with the audit trail have also been found at the US-American FDA for some time

Gulf Pharmaceutical Industries, February 2012
We also note that your SOP does not have provisions for any audit trail reviews to ensure that deletions and/or modifications do not occur.

Sunrise, January 2010:
In addition, your firm's review of laboratory data does not include a review of an audit trail or revision history to determine if unapproved changes have been made.

There are also more recent examples:
Strides Pharma Science Limited, India
On 02/04/2019, during the walkthrough of the Control Room where Formulation Plant processes were being monitored using a Building Automation System, we observed that the system was not qualified and had no audit trail capabilities. In addition, when asked about the alarms on the system, the Sr. Assistant Instrumentation group, stated that he would reset and clear the alarms.

Deficiencies related to the audit trail found during inspections:

  • A staff member in a quality control laboratory has the rights of a system administrator. For example, he/she was able to make undetectable changes to the audit trail during self-performed analyses or to turn the audit trail on or off.
  • There was no described action to be taken if problems were found during the audit trail review.
  • There was no clear policy on who is allowed to disable the audit trail functionality of system XYZ and how this should be documented.
  • A HPLC station was used in the laboratory to determine the API content of a tablet. The batch release is done without review of relevant audit trail data. Entries in the audit trail could indicate a deviation; the QP should be aware of this deviation prior to release.
  • There is no documented guidance and instructions on how to handle the audit trail.
    For example, these include:
    - How often and when should an audit trail of a particular system be reviewed?
    - Who should perform the audit trail review?
    - How is the audit trail archived?
    - When may audit trails be deleted?
    - Which audit trail entries are to be considered critical?
    - How are audit trail reviews documented?
    - What actions are to be taken if problems are identified during audit trail reviews?

In conclusion, the following points are particularly important:

  • The audit trail is a documentation piece.
  • As with all other GMP documents, a review is necessary.
  • A risk assessment is used to determine when a review is necessary.
  • A deviation may be hidden in an audit trail.
  • For example, a GMP decision is a release decision.

For the future, it is to be hoped that in a new version of Annex 11 (currently being developed by a working group at the EMA) the notes and requirements for the audit trail will be described and formulated more precisely. In particular, the distinction between audit trail and change control should be clearly regulated.

Source: EU-GMP Guideline

Go back

GMP Conferences by Topics