Types of Audit Trail
The data (including meta data) to be evaluated should include data directly related to manufacturing and control activities but also system data and configuration data that may affect the ability to control processes as expected and designed.
Typically audit trails and their associated reviews can be divided into two categories
- Data Audit Trail: appropriate audit trail elements supporting the acquisition, sequencing, processing, reporting and retention of CGxP data. Including all relevant or significant CGxP data generated, which may affect the product, as determined by a risk assessment.
- System Audit Trail: a record of all administrator changes. Operations conducted through the system should ideally be recorded in an audit trail.
However often normal operations are recorded by system logs which may not have the same detail recorded. When data entered in the execution of such operations are time and date stamped, not modifiable, system logs and can be used for review purposes in place of or in combination with the audit trail. This decision should be supported by a formal assessment.
Data Audit Trail Review
The content and frequency of a data audit trail review should be based on a risk assessment which considers -
- the potential impact of the data on product safety and efficacy
- the probability of a data integrity issue to occur
- the likelihood of detection of a data integrity issue once it has occurred.
System Audit Trail Review
Examples of areas to be included, but not limited to:
- Failed user log-in attempts
- Data deletions
- Configuration changes e.g., scan and compression rates, audit trail activation/deactivation, file path or database locations
- List of users and their authorisation levels
- Significant errors, alerts or warnings as defined by company e.g., back up failures or issues o Remote access events (successful and unsuccessful)
Frequency of Audit Trail
- Typical frequency annual.
- Higher frequency may be necessary based upon factors such as the severity of the data, system usage and data audit trail review frequency.
- Shall be clearly risk based and justified.
