Audit Trails and Data Security
Reference: 21 CFR Part 11.10 (e).
Currently the audit trail requirement is being applied too widely. Audit trails should be applied only in cases where operator actions create, modify, or delete high impact GxP records.
If risk analysis shows that adequate data integrity can be achieved through rigorous security controls, user firms should be expected to take a justified decision that addition of audit trails does not provide significant benefit. Audit trails would still be important
For systems in which the users are expected to modify data as a routine part of the business process.
We realize and agree that security and integrity of data is of key importance. Audit trails are only one mechanism for ensuring data integrity, together with other physical, logical, and procedural security measures. Data integrity is also supported by established validation methods that prove system operation and data integrity features, and robust change control that maintains the control established by validation.
In many cases where the data should not be modified, the ability to do so can be restricted such that audit trails are not required. For example, if an HPLC data system writes to a secure directory, and validated system controls do not allow overwriting of files, an automated audit trail adds little to the integrity of this data.
Current industry security practice fulfils many of the Part 11 requirements for data integrity. User firms should be encouraged to follow existing international standards, such as ISO/IEC 17799 Code of practice for information security management, and their existing information security policies, as well as generally accepted good Information Technology practice.
Procedural and Hybrid Solutions
Reference: 21 CFR Part 11.10, 21 CFR Part 11.70, and others.
The continued use of hybrid systems, where electronic and paper records and signatures co-exist, does not increase the risk to the product or patient, if adequate procedural controls are established. Such procedural controls are the basis of current GxPs, and should be acceptable in this area also.
Recent draft FDA guidance on 21 CFR Part 11 has concentrated on complex technical methods of linking records to each other and to handwritten signatures. We suggest that in many cases procedural controls are sufficient, and effective. Procedural links are extensively used elsewhere in the GxP environment. For example, records, documents, and materials are related to each other by means of a batch number or component code.
Such procedural controls are indeed the bedrock upon which the GxPs are based. The user firm should ensure that procedural controls are established and effective, and that validated system features also mitigate the risk to stored electronic records of unauthorized, or uncontrolled, change, copying, or loss.
Reference: 21 CFR Part 11.100.
User firms should define where they need to apply signatures, based on predicate rule requirements, criticality of the process, and risk to the product. User firms should define whether these should be handwritten or electronic.
Page 5 of 6ISPE – Risk-Based Approach to 21 CFR Part 11
Where signatures are currently used with paper records, it may not always be appropriate to apply an electronic signature. With paper records, handwritten signatures are applied in two different cases:
- As a legally binding signature, when there is a regulatory expectation
- As a convenient way of identifying a person
In the second of these cases, the appropriate electronic equivalent would be the system logging the user-id, or an entry in the audit trail, rather than an electronic signature. Automation of the process may, in some circumstances, remove the need for identification, because sufficient assurance is provided through validation. Signatures should only be mandatory when explicitly required by a predicate rule.
This paper has attempted to demonstrate that applying a risk-based approach to electronic records in a GxP context can lead to controls appropriate to the criticality and impact of those records.
This allows measures aimed at a high degree of integrity to be established for records that directly impact the quality, safety, and efficacy of the product, while permitting a less rigorous approach for records of lower criticality.
This overall philosophy, based on the ideas in the new FDA cGMP initiative, would encourage manufacturing innovation and technological advances without increasing risk to the patient or to product quality.