In the absence of detailed FDA guidance, it is highly likely that, theoretically, either version control or audit trail control alone will be sufficient to comply with Part 11. However, to comply with a predicate rule, version control may be mandatory.
It should be noted that the two approaches are not mutually exclusive: both can be used. This is analogous to a situation where a new version of a document is reissued, and although a copy of the previous version is retained, a change history section is included in the new version to summarize what changes were applied.
Full-featured applications will also provide a prompted or silent audit. A prompted audit requires the operator to enter a reason for the action, whereas a silent audit does not. Silent audits are, therefore, a good electronic analogue of the typical good manufacturing practice (GMP) paper record modification when an alteration is justified by a handwritten annotation. However, prompted audits can be laborious and tedious to use, particularly when a single logical amendment results in the alteration of many physical records and the operator is forced to repeatedly enter the same reason.
Auditing record creation and deletion Audit trail discussions mainly focus on record modification, but Part 11 mandates audit of record creation and deletion. Most DBMS can be configured to audit trail all record creation events. Doing this, however, can almost double both transaction processing time and storage requirements. To view this as mandatory under Part 11 is to misinterpret the regulation. It is only necessary to separately audit record creation when the record does not itself contain creation audit trail information.
When the electronic record format includes the identity of the creator and a compliant creation time-stamp, all the record creation audit infor- mation is captured within the record itself. Comment 73 in the Part 11 preamble makes clear that this strategy is acceptable: "The agency advises that audit trail information may be contained as part of the electronic record itself or as a separate record. FDA does not intend to require one method over the other."
Some applications prevent physical record deletion and use an alternative strategy of marking records as deleted without physically deleting them. In such cases, it may not be necessary to configure deletion audit events. However, in contrast to record creation, record deletion is rare and the cost of taking the cautious approach (auditing all deletions) is likely to be low.
Taking laboratory information management system (LIMS) audit trail functionality as an example, most commercial LIMS automate the creation of audits when operators modify information against a sample, test, result or other entity. Advanced LIMS allow any field from any table to be audited and conditions can be set to dictate what, and what not, to audit (Figure 1). Some modern LIMS allow more complex conditions that govern the creation of audits; for example, audits may activate on only finished product samples rather than in-process quality control (QC) samples, or audits may only occur on changes made by certain operators.
Guidelines Further to defining detailed configuration for all record formats, it is useful to write an overall audit strategy document for each GxP application that defines and justifies what different approaches are used. Examples of guiding principles that can be included in such a strategy document are as follows:
- Static information (reference information that is routinely used during a long period) should be version controlled.
- Dynamic information should be audit trail controlled.
- Dynamic information comprises one-off transaction records that document actions and events - for example, methods and specifications are static, whereas test results are dynamic.
- Predicate rules may mandate version control.
- All electronic signature records must be audited.
- Regulatory information must either be version controlled or audit trailed. For non-regulatory information, an audit trail may be used if it is judged to provide useful information.
- When version control is used, an audit trail may still be useful as it provides an easy way to compare version differences. Silent audit should be used.
- Creation of records is seldom necessary because the purpose of the audit trail is to record modifications. This is compliant under Part 11 provided that the identity of the user creating the record and the time-stamp are recorded within the record. By definition, there is no 'previous' information to be held in the audit record data structure.
- In many cases, a single prompted audit applied to a summary record can be used to comment several changes to subsidiary or dependent records. Silent audit may be used to record subsidiary record changes.