Audit Trail: Risk-Based Approach to Compliance

With the rapid evolution of technology, more and more companies in regulated industries have transitioned to an electronic medical device audit trail. This was the impetus for the U.S. Food and Drug Administration’s (FDA) 21 CFR Part 11 regulation, which states that electronic records and signatures are equivalent to paper record and handwritten signature.

 

Compliance with the regulation requires that a digital signature be assigned to a specific individual, include a signature type (i.e., review, approval, author), and be traceable from the document back to the signer.

 

 

To ensure the transparency, trustworthiness, and reliability of records, regulatory oversight of a company’s data and records management includes examining timestamped audit trails. GxP Lifeline recently met with Seyed Khorashahi, executive vice president of medical devices and CTO at Regulatory Compliance Associates (RCA) — a worldwide consulting firm that assists pharmaceutical, biologic, sterile compounding, biotechnology, and medical device companies with resolving compliance and regulatory challenges. Khorashahi shares some valuable insight on the anatomy of a medical device audit and advises companies on how to comply with this critical component of Part 11.

 

Medical Device Audit

 

Bottom line, an audit trail is the who, what, when, and why of a company’s data. It’s a log containing metadata that essentially allows you to reconstruct all user actions and events. As a result, the accuracy of the data will show who made a change and what was changed. And when it was changed. And, more importantly, why.

 

Part 11 includes the predicate rules, which apply to record retention throughout the product’s life cycle — from cradle to grave. An audit trail ensures the ongoing completeness, accuracy, integrity, and security of data and records. It’s also necessary to provide transparency of the actions people take with the data. This all needs to be available to auditors during an inspection.

 

Audit Tracking

 

Manufacturing regulated products calls keeping a close eye on tracking product data — especially when it can impact on patient safety. This can be tricky in the day-to-day gathering, storage, tracking, usage, etc. of data.

 

Good Documentation Practices (GDP) mandate that you document everything in regulated product development. This help provide supporting evidence during audit tracking that employees are following procedures. An important component in a medical device audit is data needs to be timestamped. Therefore, data needs to be in electronic form. Companies still using paper records need to digitize documents in order to file and track them electronically.

 

Document Scanning

 

When scanning materials, clarity is critical to field audit tracking. Text-only documents can be simple enough, but images are more difficult. You need the ability to capture everything to ensure it’s a true copy that is acceptable under GxP regulations.

 

Beyond that, scanning stacks of documents is prone to its own set of challenges. Not only is it extremely time-consuming, all scanned documents need to be reviewed. This ensures there are no errors or missing pages at the end of the medical device audit. Then the same Part 11 signature guidelines need to apply.

 

Another challenge is the audit trail software that companies use for managing quality processes and data are configurable. This means they might not have a way to limit access to specific users or revise permission access. Above all, leadership employees should employ controls for the inadvertent deletion of data. This directly puts data integrity at risk.

 

Medical Device Cybersecurity

 

Also, if they’re using an open system (connected to the network), it becomes a cybersecurity concern because open systems have a wider cyberattack surface. Hackers continuously employ various human and computer-generated measures to gain access to a company’s data. Once data is breached, it’s no longer compliant with data integrity requirements.

 

There are also situations where employees undermine medical device audit trails by sharing login credentials. This has actually been noted in both warning letters and the audit trail report. Community system access may be a common workaround to keep production going when key personnel are away.

 

However, going back to the who, what, when, and why concept, when an entire department uses the same username and password, there is no way to accurately trace actions to specific individuals or verify electronic signatures.

 

Audit Trail Compliance

 

As I mentioned earlier, at the end of the day, data stewardship is all about keeping track of who, what, when, and why. Companies are collecting and handling more data these days. This means there is a lot more information to keep an eye on. Data has a certain life cycle based on the type of product.

You need to make sure you have a validated system and processes in place to ensure it remains intact, secure, and readily accessible for audits.

 

• Electronic signatures – Are electronic signatures unique to the individual? Ensure that signatures cannot be copied or transferred.
• User credentials – Is user access tightly controlled based on each person’s role and job responsibility? For example, people who access and modify data should not be able to turn off or modify the audit trail. Having too many users with read and write access to data increases the risk of intentional or inadvertent data changes or loss.
• Audit trail reviews – Are audit trails getting reviewed often enough and by the right people? Part 11 guidelines specify the audit trail review requirements regarding who and how frequently they need to be reviewed. This is necessary to ensure records are accurate, free of gaps and errors, and that the information provided to auditors matches what is in the system.
• Escalation – Are only authorized personnel reviewing and approving records? There are occasions when an approver is unavailable. There should always be another person who is authorized to approve and sign records. The system needs to include the functionality and procedures to allow the escalation of document reviews and approvals to other authorized individuals. These situations also need to be logged and documented.
• Security – Are there system vulnerabilities that could lead to a security breach? I touched on security earlier, but I can’t emphasize enough the importance of system and data security. Even before COVID-19 dispatched employees to work remotely, many companies were incorporating mobile devices. This increases security vulnerabilities. Using an integrated QMS that has security measures such as role-based authentication and access controls can effectively augment data protection processes.

I recommend using a risk-based approach with audit trails. Your quality management system (QMS) and processes can identify and resolve the risks to data integrity. Here are a few items to consider when doing a risk assessment and being compliant with Part 11:

 

Digitization is the direction things are going. You need to be able to effectively control and rely on your data. And legacy and hybrid systems won’t always be compatible with the evolving regulatory landscape. Companies in regulated environments need to make sure their data and metadata are compliant with data integrity requirements. Data access should be transparent and accessible to future medical device audit team members, including in a readable format for the extent of the data’s life cycle.

 

To begin the Regulatory Compliance Associates scoping process today, please enter your information in the blue form below and click the submit button at the bottom of the webpage. You may also email us at [email protected].