Using IT Audit Trails to Support FDA 21 CFR Part 11 and Data Integrity Compliance

FDA's recent focus on 21 CFR Part 11 and data integrity during computer system validation inspections and audits has brought this issue to the forefront of importance for compliance of systems used in regulated industries.

These include all systems that "touch" product, meaning they are used to create, collect, analyze, manage, transfer and report data regulated by FDA. All structured data, including databases, and unstructured data, including documents, spreadsheets, presentations, images, audio and video files, amongst others, must be managed and maintained with integrity throughout their entire life cycle.

At the heart of structured data compliance is the ability to ensure that no original record is obscured, or is destroyed before the retention period has ended. The best way to preserve database records, those that are uniformly structured, is to place an audit trail on the file. The audit trail will create a new record every time a record is updated, including the old value, new value, date, time, person who authentically performed the modification to the record, and the reason for the change.

Companies are not aligning well with the Part 11 and data integrity requirements, and while many use audit trails, these are not always managed appropriately. In some cases, FDA has found that the audit trail was deactivated for a period of time, but this was not documented, or it was modified or deleted. Without this protection, it's virtually impossible to follow the life cycle for any record from creation to disposition at the end of the retention period.

In some cases, audit trails exist, but do not require the user to enter a reason for a change to a record. This is a challenge when trying to reconstruct what happened, and not having the reason brings into question the validity of the record.

Some legacy stand-alone systems that include software loaded onto a local device, instrument, or piece of equipment do not have audit trail capability. This is not a valid reason for ignoring Part 11 and data integrity requirements. If no technical control is available, such as an audit trail, then a procedural control must be in place. In the case of a stand-alone system, the user would have to maintain a log of all changes made, and this could be done using a bound laboratory notebook or log book, or using Excel or some other means of tracking this information.

Not only do these companies risk being out of compliance, but they are not able to perform analysis and trending on the records to identify the reason behind changes. If it's a consistent reason, it may be due to a training deficiency or have some other cause that should receive action.

We will explore the best practices and strategic approach for evaluating computer systems used in the conduct FDA-regulated activities and determining the level of potential risk, should they fail, on data integrity, process and product quality, and consumer/patient safety. We will walk through the System Development Life Cycle (SDLC) approach to validation, based on risk assessment, and will also discuss 21 CFR Part 11 and data integrity, and the importance of managing electronic records and signatures appropriately.

We will also provide a list of the entire set of essential policies and procedures, as well as other supporting documentation and activities that must be developed and followed to ensure compliance. We will provide an overview of practices to prepare for an FDA inspection, and will also touch on the importance of auditing vendors of computer system hardware, software, tools and utilities, and services.

Why should you Attend: FDA requires that all computer systems that handle data regulated by the Agency to be validated in accordance with their guidance on computerized systems. This guidance was first issued in 1983, and the main points of focus remain consistent today, despite the number of years that have passed and the technology changes that have taken place.

In 1997, the 21 CFR Part 11 Guidance was issued to address electronic records and signatures, as many FDA-regulated organizations began seeking ways to move into a paperless environment. This guidance has been clarified over the years to make it more palatable to industry, and this includes discretionary FDA enforcement measures. The intent was to avoid creating a huge regulatory compliance cost to industry that was initially preventing companies from embracing the technology.

Additional guidance was provided in late 2018 on Data Integrity to address an increasing trend in industry findings. We will cover best practices in industry to address these issues and ensure inspection readiness.

In September 2022, FDA issued a draft guidance for Computer Software Assurance (CSA), which unlike the document-driven CSV, or traditional approach to validation, is based on critical thinking and risk assessment. We will cover how CSA aligns with the most recent version of GAMP®5, 2nd Edition, published in July 2022, both of which include critical thinking and open the door to following one of many non-linear forms of software development, testing, and release, similar to agile. They also offer more streamlined approaches to validation and compliance.

Both 21 CFR Part 11 and data integrity citations have increased in recent years, some of which relate directly to audit trails. We will provide a streamlined approach to meeting compliance as you validate GxP systems.

We will talk about cloud-based services, Software-as-a-Service (SaaS) solutions, automated testing, and how to effectively and efficiently validate these types of systems and infrastructure, and how to perform a vendor audit remotely.

This session will provide some insight into current trends in compliance and enforcement. Some are based on technology changes, and these will continue to have an impact as new innovations and technology come into use in the industry. Again, we will help you position your company in a state of inspection readiness.

Areas Covered in the Session:

• Learn how to identify "GxP" Systems
• Discuss the Computer System Validation (CSV) approach based on FDA requirements
• Understand Computer Software Assurance (CSA), the latest draft guidance from FDA on validation
• Learn how CSA aligns with GAMP®5, 2nd Edition, both in using critical thinking and following simplified approaches for documenting validation activities
• Learn about the System Development Life Cycle (SDLC) approach to validation
• Understand the need to include an assessment of a computer system's size, complexity, business criticality, GAMP®5 category and risk, should it fail, to develop a cohesive and comprehensive validation rationale
• Learn about the importance of audit trails in assuring Part 11 and data integrity compliance
• Discuss the best practices for documenting computer system validation efforts, including requirements, design, development, testing and operational maintenance procedures
• Understand how to maintain a system in a validated state through the system's entire life cycle
• Learn how to assure the integrity of data that supports GxP work
• Understand the rationale for including an audit trail in a GxP system, along with the downside of not doing so
• Understand how procedural controls may be used in place of technical controls, where the capability is lacking and not feasible
• Learn about the policies and procedures needed to support your validation process and ongoing maintenance of your systems in a validated state
• Learn about how to validate and ensure compliance for COTS, cloud and Software-as-a-Service (SaaS) solutions
• Know the regulatory influences that lead to FDA's current thinking at any given time
• Learn how to best prepare for an FDA inspection or audit of a GxP computer system
• Understand the importance of performing a thorough vendor audit to ensure oversight to the products and services they deliver
• Finally, understand the industry best practices that will enable you to optimize your approach to validation and compliance, based on risk assessment, to ensure Part 11 and data integrity compliance are maintained throughout the entire data life cycle
• Q&A

• Information Technology Analysts
• Information Technology Developers and Testers
• QC/QA Managers and Analysts
• Analytical Chemists
• Compliance and Audit Managers
• Laboratory Managers
• Automation Analysts
• Manufacturing Specialists and Managers
• Supply Chain Specialists and Managers
• Regulatory Affairs Specialists
• Regulatory Submissions Specialists
• Risk Management Professionals
• Clinical Data Analysts
• Clinical Data Managers
• Clinical Trial Sponsors
• Computer System Validation Specialists
• GMP Training Specialists
• Business System/Application Testers
• Business Stakeholders responsible for computer system validation planning, execution, reporting, compliance, maintenance and audit
• Consultants working in the life sciences industry who are involved in computer system implementation, validation and compliance
• Auditors engaged in the internal inspection of GxP records and practices