In April 2016, the FDA put out its draft guidance on Data Integrity and Compliance With cGMP, which helped to clarify the FDA’s stance on data integrity.
“For the purposes of this guidance, data integrity refers to the completeness, consistency, and accuracy of data. Complete, consistent, and accurate data should be Attributable, Legible, Contemporaneously recorded, Original or a true copy, and Accurate (ALCOA).” – FDA Guidance on Data Integrity and Compliance with cGMP
The term “data integrity” has far-reaching applications for computer systems. Any FDA-regulated company should look carefully at their CSV program to revisit the following areas:
- System design and implementation
- User access controls
- Segregation of duties
- Audit trail design and capture
- Review of audit trails
- Data backup and archiving
- Data retention
- Disaster recovery and business continuity (BCP)
- Electronic signature design and implementation
The Two Types of Audit Trail Reviews
Audit trails are subject to either regular or scheduled reviews.
Regular Review: Audit trails that need to be reviewed with the parent GxP record. The FDA recommends that audit trails that capture changes to critical data be reviewed with each record and before final approval.
Audit trails subject to regular review include but are not limited to:
- The change history of finished product test results
- Changes to sample run sequences
- Changes to sample identification
- Changes to critical process parameters
Scheduled Review: Audit trails that need to be reviewed at regular intervals. The FDA recommends routine scheduled audit trail reviews based on the complexity of each system and its intended use.
Regular Audit Trail Reviews
The expectation with regular reviews is that the audit trail associated with a critical GxP record must be reviewed along with the record itself (for example, a batch record).
A data-integrity-friendly application must present the audit trail data to the reviewer in a way that is easily understandable and user friendly; otherwise, the reviewer will spend far more time reviewing the audit trail than the parent record. Most modern, well-designed IT apps, such as Atlassian Jira, can accomplish this out of the box.
Scheduled Audit Trail Reviews
Scheduled reviews can be a bit trickier than regular reviews. For enterprise applications, performing such reviews requires answering several questions, including:
- How often and what should be reviewed?
- How do you make the review a value-added exercise?
- What’s the cost of doing such reviews?
- How many resources are necessary?
Some large pharma companies are mandating SOPs be developed and audit trail reviews be conducted on a periodic basis, which poses a challenge for system owners and administrators. Most legacy applications generate logs and audit trails that can only be read by software programmers, not end users.
Additionally, the sheer volume of audit trail records makes this a nearly insurmountable task. For example, a cloud enterprise application can generate hundreds of audit trail records for a single workflow execution.
Using a Big Data System for Audit Trail Reviews
A big data system can be set up to consume audit trail logs and records and display meaningful information in a dashboard format. Such a system can categorize transactions, provide statistical information, and notify the user of any unusual activity. It also can monitor:
- Unusual login activity
- Record deletion if it is not permissible
- Changes to critical system configuration records
- User role changes
- Abnormal, disallowed, or unusual record state changes
- System logs for critical application errors and correlate them with user activity
Once a strong baseline is established with historical data, a big data system will learn from that baseline and flag unusual activity in near-real time.