How are you fulfilling the FDA's Audit Trail expectations for Data Integrity?

FDA put out its DRAFT guidance on Data Integrity and Compliance with cGMP in April 2016. This guidance is important because we come to understand FDA's thinking on Data Integrity.

For the purposes of this guidance, data integrity refers to the completeness, consistency, and accuracy of data. Complete, consistent, and accurate data should be Attributable, Legible, Contemporaneously recorded, Original or a true copy, and Accurate (ALCOA).
— FDA Guidance on Data Integrity and Compliance With CGMP, April 2016

My focus in this post will be limited to IT applications. Needless to say the guidance has big repercussions for anyone in areas of IT Quality and Computer Systems Validation. Many predicate rules that were written for the paper world still hold good and can be applied to e-records as well. FDA does cite quite a few of them in the guidance.

The two words "Data Integrity" has far reaching implications for computer systems. Any FDA regulated company need to carefully look at their CSV program and revisit, but not limited to, the following areas:

  1. System Design & Implementation
  2. Validation
  3. User Access Controls
  4. Segregation of Duties
  5. Audit Trail Design and Capture
  6. Review of Audit Trails
  7. Data Backup and Archiving
  8. Data Retention
  9. Disaster Recovery & Business Continuity (BCP)
  10. Electronic Signature Design & Implementation
  11. Training

I would like to focus on only one topic in this post: Audit Trail reviews. There can be two (2) types of reviews:

  • Regular Review: Audit Trails that need to be reviewed with the "parent GxP record".
FDA recommends that audit trails that capture changes to critical data be reviewed with each record and before final approval of the record.
Audit trails subject to regular review should include, but are not limited to, the following: the change history of finished product test results, changes to sample run sequences, changes to sample identification, and changes to critical process parameters.
— FDA Guidance on Data Integrity and Compliance With CGMP, April 2016
  • Scheduled Review: Audit Trails that need to be reviewed at regular intervals.
FDA recommends routine scheduled audit trail review based on the complexity of the system and its intended use.
— FDA Guidance on Data Integrity and Compliance With CGMP, April 2016

Let us take regular review of audit trails. The expectation here is that the audit trail associated with a "critical GxP record" must be reviewed along with the record itself (e.g.: a batch record). A "data integrity friendly" application must present the audit trail data to the reviewer in a way that is easily understandable and user friendly for this criteria to be met. Otherwise the reviewer will be spending 10x the time reviewing the audit trail rather than the parent record. Most modern and well designed IT apps can accomplish this out of the box (e.g.: Atlassian Jira).

Now let us move on to the trickier "scheduled review". Anyone who is familiar with an Enterprise application realizes that this can be a daunting task. Even if you decide to perform such reviews, you need to ask: How often? What to Review? How to make this a value added exercise? What is the cost of doing such reviews? How many resources do I need?

Some of the larger pharma companies are mandating that SOPs must be developed and audit trail reviews must be conducted on a periodic basis. System owners and administrators are struggling with this mandate. Most of the legacy applications generate logs and audit trails that can be read only by software programmers rather than end users. And also the sheer volume of audit trail records make this an insurmountable task (for example: a cloud enterprise application can generate hundreds of audit trail records for a single workflow execution). Imagine a situation where one has to review a million records generated in one quarter!

Big Data Analytics and Machine Learning can be your savior. A Big Data system can be setup to consume audit trail logs and records and display meaningful information in a dashboard format. Such a system can also send notifications of any unusual activity. Also, such a system can categorize transactions and provide statistical information. Such an Enterprise system can consume logs and records from various apps and perform bulk of the scheduled reviews.

Such a system can:

  • Look for unusual login activity
  • Monitor record deletion (if such an activity is not permissible)
  • Monitor changes to critical system configuration records
  • Monitor user role changes
  • Monitor abnormal, disallowed or unusual record state changes
  • Monitor system logs for critical application errors and correlate them with user activity
  • And much more...

There are many advantages in designing such a Big Data system. Once a good baseline is established by providing it with historical data, it can learn from it and flag unusual activity in near real-time. For example: such a system can flag a particular sequence of record status change as "unexpected" based on the historical data.

An intelligent Big Data system can be your big friend to handle audit trail reviews. Such a system should be integral part of your data integrity and cyber-compliance toolset.

We provide Big Data Analytics for Audit Trail reviews as part of our xLM Continuous Validation managed service.