No Rocket Science: Audit Trails, A Guide to Resolving FDA’s Biggest Concern

Audit trails play an important role in meeting the regulatory compliance of drug manufacturing units. It is also probably the trickiest part of the compliance sheet for a company’s management to understand. But it’s certainly not something the management can afford to ignore.

First thing first – understanding the nitty-gritties of an audit trail is not rocket science.

A senior manager once asked us: “In view of all the FDA warning letters being issued, how do I know if my audit trails are in compliance? After all, I’m no scientist and I have little idea about the technical details of how my Quality Control unit (QC) operates. In addition, my QC unit reports to my Quality Assurance (QA) division. Therefore, the objectivity of reporting is limited.” 

Here was our reply: “Walk into your QC unit and ask them to pull up the last product that had a quality problem.” It’s normal to have quality failures. If there are none, you definitely need to dig deeper since the absence of problems itself is a very big concern.


A Five Point Checklist for Management

Once you have found the last product quality failure, as a member of the senior management you are authorized to bring about radical changes and expected to make challenging requests. Showcase your authority by requesting to delete or modify the (failing) result in the audit trail.

Your request may sound unreasonable or outrageous. But sometimes, there is no better way to push the system to the brink. However, such deletions and modifications can have huge ramifications on your regulatory compliance standing. Here is PharmaCompass’ simple, five-point check list that gives you instances where your manufacturing unit’s regulatory compliance can get compromised:


  • Don’t share someone’s account for deletions: Since you authorized the deletion, a user account with a unique password should be set up with your name. Sharing somebody’s account is a bigger problem than giving them access to your own personal email account.
  • Configure the audit trail to report deletion or modification: The audit trail function should be configured to report that the entry has been deleted or modified, along with the date and time when it happened. Further, the ‘modified’ data should not be obscured and should be available for review. A standard operating procedure (SOP) should be in place that controls modifications which are permissible. The SOP should also spell out who is allowed to make the ‘permissible’ modifications. 
  • Empower IT department to only change audit trail settings:  If the senior QC management ‘configured’ the audit trail to ‘manage’ the deletion or modification of data at your behest, imagine what they do when you’re not around. Therefore, in our view, it’s worthwhile to consider empowering only the Information Technology (IT) group to change settings of the audit trails instead of QC management. 

  • Have a backup server in place: There should also be a backup server which stores the original report and your IT group should be able to retrieve the original information.

  • Never adjust the time and date: During your entire experience, the time and date setting on your system should not have been “adjusted” for any reason, whatsoever. We feel this is one more reason to hand over control of the audit trail system to the IT department.


It’s almost never a software problem

PharmaCompass review of FDA warning letters discovered there is a variety of laboratory software – such as Empower 3, Chromeleon, SpinChrom and TotalChrom™ – that were found out of compliance by FDA inspectors. Almost each software has detailed explanations available online, at no additional cost, outlining how the audit trails should be configured.  

It’s easy to pass the blame onto the software. But it’s not about investing in the wrong software. Compliance failures happen due to the wrong configuration of the installed software. And also due to someone’s wrong intent within the organization.

Very often, companies miss the woods for the trees and start focusing on small technical details while choosing one system over another. In our view, it is really the setup configuration which is paramount and subsequently the level of comfort which the operators experience while running the day-to-day operations using the laboratory software. 


Audit trails prevent data-integrity violations

After you have a properly configured audit trail, you need to ensure that the process of data verification – involving both electronic data and the audit trail(s) associate with it – takes into account all results while taking decisions on lot release.

FDA observations on audit trail non-compliances apply across laboratory test instruments (such as HPLCs, GCs, Titrators, UV Spectrophotometers, IR equipment and Karl-Fischer Titrators). For the purpose of compliance, audit trails need configuration for samples, results, analytical methods, projects and systems.

While configuring them correctly may not be easy, it is important to remember that the underlying concern of regulatory authorities is that the QC unit is not considering all the data while taking lot release decisions.

Data-integrity concerns invariably emerge when, the information that was not considered, while taking lot release decisions, was either falsified or failed the specifications.


Our view

At no time does PharmaCompass support deletion, modification or reprocessing of electronic data.

However, in case data has been deleted, modified or reprocessed, we suggest a radical action check, which in our view is the quickest means of ascertaining the state of compliance of your quality unit.

While PharmaCompass’ writing provides the “quick and dirty” audit trail check, Barbara Unger’s “Demystifying Audit Trails in the GMP QC Laboratory” is a great place to learn how audit trails should be reviewed in detail. 


The PharmaCompass Newsletter – Sign Up, Stay Ahead

Feedback, help us to improve. Click here

Image Credit : ORBCOMM by SpaceX Photos is licensed under CC BY 2.0

“ The article is based on the information available in public and which the author believes to be true. The author is not disseminating any information, which the author believes or knows, is confidential or in conflict with the privacy of any person. The views expressed or information supplied through this article is mere opinion and observation of the author. The author does not intend to defame, insult or, cause loss or damage to anyone, in any manner, through this article.”

Read More