26-28 October 2021
Klaus Feuerhelm, former GMP inspector at the Regierungspräsidium Tübingen in Germany, has compiled a TOP 3 list of deficiencies from 2020 in computerised systems. Number 1 are deficiencies with regard to the audit trail.
The deficiencies found in the course of inspections in connection with the audit trail are manifold. Quite often, the deficiency is related to the software delivered. The software suppliers or system suppliers simply do not provide what is actually required by EU-GMP Annex 11. However, there is certainly software that meets the requirements of EU-GMP, even if this does not happen very often as a rule.
First of all, one should be clear about where the requirement for audit trail functionality in a computerised system comes from. In Germany this results from Section 10 of the AMWHV (German regulation based on European law): "The original content of an entry may not be made illegible. No changes may be made that do not reveal whether they were made at the time of the original entry or later" - non-official translation.
Similar wording is to be found in EU GMP Chapter 4: "4.9 ... Any change to an entry in a document should be signed off and dated. Despite modification, the original information should remain legible. If indicated, the reason for the change should be recorded."
This requirement, then, is precisely what must be implemented in the audit trail functionality of a computerised system; the audit trail is thus a functionality for documentation. This information can also be found in the GAMP® Records and Data Integrity Guide, for example:
18.7 Audit Trail Considerations - "Audit trails should be considered part of records."
What is usually provided as an audit trail by many suppliers at present are so-called event logs, in which all sorts of things are logged. This makes a quick review of the audit trail considerably more difficult.
Gulf Pharmaceutical Industries, February 2012
We also note that your SOP does not have provisions for any audit trail reviews to ensure that deletions and/or modifications do not occur.
Sunrise, January 2010:
In addition, your firm's review of laboratory data does not include a review of an audit trail or revision history to determine if unapproved changes have been made.
There are also more recent examples:
Strides Pharma Science Limited, India
On 02/04/2019, during the walkthrough of the Control Room where Formulation Plant processes were being monitored using a Building Automation System, we observed that the system was not qualified and had no audit trail capabilities. In addition, when asked about the alarms on the system, the Sr. Assistant Instrumentation group, stated that he would reset and clear the alarms.
For the future, it is to be hoped that in a new version of Annex 11 (currently being developed by a working group at the EMA) the notes and requirements for the audit trail will be described and formulated more precisely. In particular, the distinction between audit trail and change control should be clearly regulated.
Source: EU-GMP Guideline