“You have all these audit trails, which provide great information about your testing, but none of your procedures tell you to review those audit trails. I’ll expect to see that next time I’m here.”
Those were the words from an FDA inspector toward the end of our routine inspection. I had just spent the previous few hours explaining why we chose the Thermo Scientific™ Chromeleon™ Chromatography Data System as our CDS, the validation approach we used to ensure 21 CFR Part 11 compliance, and going through actual data. I thought we were all set because of the Chromeleon software’s extensive audit trail functionality, the fact that we had them turned on, and that I had just demonstrated that we could provide all of the information the auditor had requested, but they were looking for more – proof that we reviewed these audit trails on a regular basis.
This conversation occurred while I was managing a QC lab in 2013, well before the FDA Draft Guidance, Data Integrity and Compliance with CGMP, was released in April 2016. Since that time, it has become crystal-clear that routine review of audit trails is expected in order to help ensure the integrity of data generated in your lab. Lab management cannot be present to observe every step for every sample tested, so the audit trails are used to help prove compliance. As anyone with GMP experience knows, following your SOPs and documenting that you are doing so, are two of the most important points in showing compliance. With this in mind, a GMP-compliant laboratory nowadays should have a procedure in place that describes how data is reviewed, and a section of that procedure should address audit trails.
The US FDA, MHRA and CFDA guidance documents on data integrity all state that audit trail review should be part of the data review and approval process. The following areas, at minimum, need to be included in the audit trail review, though you may have a reason to include even more:
-
- Change history of finished product test results
-
- Changes to sample sequences
-
- Changes to sample identification
-
- Changes to critical process parameters
The audit trail review should be documented per your written procedure in order to provide evidence that it is being performed. The Quality Assurance group should also routinely verify the audit trails, raw data and metadata in order to ensure internal procedures are being followed.
A final review that needs to be performed, though on a less-frequent basis, is the audit trail of the system itself. This review takes place in order to ensure the global policies and specific privileges assigned to users are set as expected. The frequency can be determined by the complexity of the system.
As the inspector told me years ago, the audit trails generated by Chromeleon software contain very useful information about our samples. What you do with that information will go a long way in demonstrating compliance in your lab. Having written procedures in place to detail the audit trail review, along with the documentation proving it was performed, will help to ensure your next audit is worry-free.
Check out this product spotlight to see how Chromeleon CDS can help to ensure compliance in your lab. For a more in-depth discussion on reviewing Chromeleon CDS audit trails for data integrity, download this whitepaper.