Documente Academic
Documente Profesional
Documente Cultură
As stated in the April 2016 OECD Guidance Number 17 for Additionally, any change actions need to be documented
Applications of GLP Principles to Computerized Systems : 2 automatically in the audit trail and the recorded changes
“An audit trail provides documentary evidence of activities must not obscure previously recorded information
that have affected the content or meaning of a record at a (i.e. record the “before” and “after” values).
specific time point.” Finally, the users are required to also record a scientific
Additionally it has become clear that while audit trail justification of “why” the changes are being made. This is
capabilities exist on most laboratory applications, they normally documented in a comment or reason field.
are often not enabled, configured correctly, or part of the ■■ Empower® Software has the ability to discern invalid
data review or periodic review cycle in many laboratories. or altered records using entries in the project audit trail.
Regulators are keen to see that this technical control, which Changes to methods and results automatically creates new
enables detection of non-desirable activity by users, and and discrete versions of those records. This not
provides a management tool to modify users’ behavior (based only preserves the original but allows for comparison
on the degree of review of audit trails), is being utilized to by highlighting differences.
ensure data integrity in regulated companies. Moreover, they
■■ In addition, Empower provides checksum
themselves are using audit trails to review the honesty and
and cyclic redundancy check (CRC) verification for
trustworthiness of data that is being presented to them.
all human-readable and machine-readable data to
protect against data being altered by external
access to the system.
1
[ WHITE PAPER ]
As highlighted in a number of the recent guidances, audit computerized or paper based systems. It is therefore
trails consist of more than simply the table you might find important for settings to be adjusted to reflect the intended
in an application, which is labeled “Audit Trail”. use and acceptable risk of any laboratory.
Figure 3. During creation of a Node connection in Empower, the Node time Figure 5. View Filters on Audit Trails can be created to search for specific
zone and Node location can be set. data; specific users, specific actions, or specific reasons for actions.
activities, may be a manual process, or with the use of activity performed by users, as well as data, metadata, and
NuGenesis LMS, this task may be automated. methods inside that project.
■■ The Project Audit Trail captures information that affects
EMPOWER SYSTEM AUDIT TRAIL the data within a project (sample set information,
■■ Empower 3 Software System Audit Trail provides a history calibration curves, method changes, processing data)
of actions that affects the overall system configuration and other information captured in the Empower database
(such as denied login, project archival, changes to system (who, when, what, and why) including any data creation,
policies etc.). modifications to metadata, record copying, deletions and
■■ ‘System’ here refers to the overall Empower application signature actions.
and should not be confused with an analytical instrument ■■ Further details can be found in individual item histories
system or HPLC system audit trail. such as Acquisition or Injection Logs, Method Audit Trails,
■■ Changes to user privileges are tracked. Sample or Sample Set Histories.
METHOD HISTORIES
■■ All methods in Empower are never overwritten and are
automatically versioned.
■■ Methods are assigned unique ID’s (within the project)
upon creation, with all previous versions available for
Figure 8. Difference between methods and method versions, as used in
review, and permanently linked to any results that were Empower can easily be shown and differences highlighted.
generated using them.
■■ Methods can be locked, assuring that modifications can
never be made.
■■ While an indication of changes to any Empower method
exists in the project audit trail, more details of the change
are additionally stored in each method properties.
■■ Method properties shows the history and all versions of
the method, including the reason for change.
■■ Older versions of methods can be “made current” allowing
users, if permitted, to restore an earlier version into use.
SAMPLE AND SAMPLE SET HISTORIES Most regulated companies treat audit trails relating directly to
Changes to sample metadata are often required. Metadata data and results as an integral part of the metadata needing
may be as simple as a sample name or text field but may also to be reviewed based on a risk-based approach before batch
be a critical value that is required to calculate the final results. or study release. This may follow a “review by exception”
Modification of metadata may be needed, either pre or post- approach, as is typically performed for other metadata.
run, to complete missing metadata or to correct incorrectly ■■ Empower can assist in meeting this expectation by
entered metadata. providing easy access to method, data, results, and
Metadata changes will often be simple corrections or may metadata audit trails from the Review screen. This
indicate an attempt to influence the final results. capability is available in all versions of Empower Software.
Changes to sample metadata should therefore be audit ■■ A new tool introduced in Empower 3 FR2, called the Result
trailed, with the ‘before’ and ‘after’ values recorded Audit Viewer, brings together audit records from the
automatically so that previous values are not obscured Project Audit Trail, Acquisition Log, Method, and Sample
and are associated with an acceptable justification. Histories into a single window, and also permits easy
comparison of methods and results.
Records where metadata has been altered should be
flagged, indicating that a deeper review is needed as
part of a risk-based quality management system.
INCLUDING AUDIT RECORDS, LOGS, While many laboratories still continue to create paper copies
AND HISTORIES IN REPORTS of electronic records in the form of reports and rely on these
In a hybrid laboratory that has yet to fully embrace electronic to review them, the task of now creating giant reports,
data review and still largely relies on paper records, the including audit trails, and the risk that critical notifications
requirement to now include audit trail review can present may be lost in the sea of printed data, pose a significant risk
a major obstacle. Many of the new guidances clearly define to product quality and data integrity. This specific risk is also
reports as “static” records that do not preserve the “dynamic” mentioned in the WHO Guidance.3
nature of the original electronic record which permits a more
forensic review of laboratory (e.g. integration baselines.) DOCUMENTING DATA REVIEW INCLUDING
AUDIT TRAIL REVIEW
Additionally, while regulators are requiring review of
Documentation of audit trail review should be performed
significantly more metadata, such that a review must
in a similar way to documentation of any review process.
include the “complete” data, the challenge of presenting
Typically this is done by signing the results as ‘reviewed’
all the available dynamic electronic data on a static paper
or ’approved’, following a data review SOP which outlines
or PDF report becomes insurmountable.
how the review process should be performed, and will
As well as audit trails, regulators may include in their include how and when to review audit trails.
definition of “complete data” every chromatographic run
The WHO Guidance 3 , notes that under the section for
of a specific sample, (even those rejected because of a
documentation of data review on paper records, a signature
failed system, injection, column or solvents), every version
is added to the actual records reviewed, while, in the
of a result, (potentially even those rejected because of poor
“expectations for electronic records” you follow a clear
or inaccurate integration or incorrect metadata), and all
procedure and then electronically sign the electronic data
versions of sample sets and methods.
set as having been reviewed and approved.
The FDA themselves do not believe that, for anything more
Thus it would seem unreasonable to require specific
complicated than a simple balance or pH meter, any static
‘evidence’ of exactly which records and metadata were
report can be defined as a true and complete copy of the
looked at or opened. This might be considered an audit trail
original electronic record. Review of the original and complete
of the review process, or an audit trail of the audit trail review
electronic record is expected.6
process. Perhaps keystroke tracking or video recordings may
■■ “The printed chromatograms used in drug manufacturing be the only way to achieve this electronically.
and testing do not satisfy the predicate rule requirements
in 21 CFR Part 211.” 7 Other non-audit trail logs
In addition to the audit records detailed above, there are
■■ “The electronic record must be maintained and readily
other logs and messages regarding the Empower application,
available for review by, for example, QC/QA personnel or
instrument drivers, and the host operating system available
the FDA investigator.”
to the user which do not meet the definition of an audit trail.
The WHO Guidance,3 however, does propose a way to create
These include, but are not limited to the Windows Event
and leverage paper or PDF summary reports for further
Viewer, Empower Message Center, and pop-up messages
decision making:
from Empower or any other application. Like most kinds
■■ “Paper printouts of original electronic records from or error logs or histories, these logs may not always be
computerized systems may be useful as summary reports permanently retained, as their usefulness is time dependent.
… verify that the printed summary is representative of all
The Empower Message Center is an interface that brings
(electronic) results.”
together pertinent informational, warning, and error
—— Note that this can only be done after verification that messages generated by Empower applications, which might
the summary is trustworthy and all-inclusive. otherwise only display in a pop up message. These messages
■■ “Data integrity risks may occur when persons choose may be from Waters or third party instruments and drivers,
to rely solely on paper printouts or PDF reports.” third party applications via the API toolkit, as well as from
pieces of Empower code.
■■ “If the reviewer only reviews the subset of data provided
as a printout or PDF, these risks may go undetected.”
References
1. FDA Title 21 chapter 1 Subchapter A Part 11 (21 CFR Part 11)
Electronic Records; Electronic Signatures from www.ecfr.gov
2. ENV/JM/MONO(2016)13..... OECD Series Number 17: Application
of GLP Principles to Computerised Systems 22-APR-2016
available on http://www.oecd.org
3. WHO_TRS_996 Annex05 http://www.who.int/medicines/
publications/pharmprep/WHO_TRS_996_annex05.pdf
4. EudraLex Volume 4 GMP Medicinal Products for Human and
Veterinary Use; EU GMP Annex 11 Available from: http://
ec.europa.eu/health//sites/health/files/files/eudralex/vol-4/
annex11_01-2011_en.pdf
5. PIC/s GMP Guide (PE 009-13 (Annexes) Annex 11: Computerised
Systems Available from https://www.picscheme.org
6. Questions and Answers on Current Good Manufacturing
Practices, Good Guidance Practices, Level 2 Guidance ‐ Records
and Reports; Available from: http://www.fda.gov/Drugs/
GuidanceComplianceRegulatoryInformation/Guidances/
ucm124787.htm
7. FDA Title 21 chapter 1 Subchapter A Part 211 (21 CFR Part 211)
GMP for Finished Pharmaceuticals from www.ecfr.gov
Waters Corporation
34 Maple Street
Milford, MA 01757 U.S.A.
Waters, The Science of What’s Possible, ACQUITY, and Empower are registered trademarks of Waters Corporation.
All other trademarks are the property of their respective owners.
T: 1 508 478 2000
F: 1 508 872 1990
©2017 Waters Corporation. Produced in the U.S.A. March 2017 720005904EN RF-PDF www.waters.com