Q: I have a question and look forward to an answer from the FDA experts. 21 CFR Part 11 Subpart B 11.10 (e) states “Such audit trail documentation…shall be available for Agency review and copying”.
For our clinical trial activities, we use a suite of software products that have the capability to capture automated, computer-generated, time-stamped audit trails. However the software lacks the functionality to generate and display audit trails directly through the system user interface.
To address this situation, we maintain — outside the system — a library of validated SQL queries to generate audit trails from the back-end database upon request from the user or during Agency reviews or inspections.
Is this practice acceptable for Part 11 compliance? During inspections, is it acceptable to provide audit trail reports that are generated from the back-end database in a human-readable format?
A: The steps you describe meet only a small part of the intent of the audit trail requirement under Part 11 Subpart B 11.10 (e).
It appears you do have a mechanism for FDA review and copying. But the purpose of the audit trail also is to have a process for amending records so that any reviewer can review the most current record, review the change history for the record, and (especially) review the reason for the change.
Electronically, there must be mechanisms to show the change clearly and directly in the record that was changed.
With paper records, this kind of process is obvious, but electronically there must be mechanisms to show the change clearly and directly in the record that was changed. It must be obvious that:
- The original has been changed
- The change is authorized
- Reviewers/approvers are aware of the change
- The timing of the change is recorded (so steps can be repeated as necessary), and
- The reason for the change is appropriate and documented.
If you require all your reviewers to perform the same steps using the “validated SQL queries” every time the records are reviewed, then you might be able to convince FDA that you meet the requirements. But from my perspective, compliance with the audit trail provision of Part 11 was not the main (or even an incidental) concern for your application or the application developer.
Without meeting the requirements described above, the reports do not meet the regulation’s intent. So during an inspection, you certainly can provide audit trail reports generated from your back-end database, but I can’t guarantee the inspector will find them acceptable.
Answered by Martin Browning, President and Co-Founder of EduQuest, who served 22 years at the U.S. FDA as an expert field investigator and who also co-wrote 21 CFR Part 11, FDA’s regulation for electronic records and electronic signatures. His education and background are in computer engineering. Martin is the chairman of EduQuest’s FDA Auditing of Computer Systems and Part 11/Annex 11 Compliance training class.