Key aspects that ensure data integrity in computerized systems

R.D. McDowall - Comparison of FDA and EU Regulations for Audit TrailsData integrity is a current hot topic with regulatory agencies, as seen with recent publications in this magazine,1,2 and audit trails are an important aspect of ensuring this in computerized systems. The purpose of this article is to compare and contrast the EU and FDA GMP regulatory requirements for computerized system audit trails. Both the regulators state that the requirement for an audit trail should be based on a risk assessment.3,4 However, it is the contention of the author that, when computerized systems are used electronically, then an audit trail is a mandatory requirement for ensuring data integrity and, therefore, there will not be a discussion of whether or not an audit trail is required.

Regulatory Requirements
The starting point for the audit trail discussion will be FDA 21 CFR 115 and EU GMP Annex 11,4 as shown in Table 1. Note that the trigger for an audit trail under 21 CFR 11 is contained at the end of §11.10(a) which is the ability of a system to discern altered records.5 The comparison between the two regulations is slightly complicated by the fact that Part 11 is interpreted in conjunction with the underlying predicate rule, which for GMP is 21 CFR 2116 and GLP is 21 CFR 58.7 Table 1 presents the two regulations in an unusual format, as each regulation is split into a number of sections, where the intent of the two regulations is essentially the same, the wording is presented in the same row. Where there are differences between the two regulations, the portion of one regulation will have no comparable text in the corresponding column.
Looking at the comparison of the two sets of requirements in Table 1, a reader could be forgiven for thinking that the two regulations are not very similar. However, it is in the approaches of the two regulatory agencies where we can determine the two regulations are similar in most aspects. The difference is in the way that the regulations are written: explicit versus interpretive. The left-hand column of Table 1 is numbered to make discussion of each point easier, and we will begin in sequence.

Item 1: The discussion of the risk-based approach to audit trails in Annex 11 is covered in the Part 11 Scope and Application guidance,3 so the two regulations are essentially the same.
Item 2: Part 11 goes into detail of what is required for an audit trail: secure, time stamped, computer generated, and covering the life cycle of the records it is monitoring from creation to deletion. Furthermore, changes shall not obscure previously recorded data. There is nothing in comparison with the EU requirements for audit trail. However, under Annex 11 clause 12 on security there is the following requirement:
12.4 Management systems for data and for documents should be designed to record the identity of operators entering, changing, confirming or deleting data including date and time. So, a similar requirement is there, but it is not in the expected place in the Annex 11 regulation!
Item 3: Previously recorded information not being obscured is a specific requirement in Part 11, but there is nothing in place in Annex 11. However, this is a specific requirement in EU GMP; it is just found in Chapter 4 on documentation8 in the section on good documentation practices that covers paper, hybrid and electronic systems:
4.9 Any alteration made to the entry on a document should be signed and dated; the alteration should permit the reading of the original information. Where appropriate, the reason for the alteration should be recorded.
Item 4: Both requirements are essentially the same, requiring the audit trail to be available for regulatory review. Although, the EU requirement for audit trail output in generally intelligible form presumably requires a generally intelligible inspector to review it.
Item 5: The Annex 11 requirement for an audit trail to be “regularly reviewed” is a major difference between Part 11 and Annex 11 at first sight. However, is this the case? For laboratory data, there is the GMP requirement in §211.194(a)(8)6
for the second person review to ensure that the laboratory records are “complete.” This has been interpreted in the Able Laboratories 4839 and a number of warning letters10,11 that audit trails in chromatography data systems should be reviewed. Therefore, the two regulations are similar. However, when working electronically, there is no functionality in any laboratory application to record that a second person has reviewed the audit trail entries.
Item 6: The reason for making a change is required under Annex 11, but there is nothing in Part 11; however, the reason for change depends on the underlying predicate rule. There is no requirement documenting the reason for change in US GMP,6 but in the GLP predicate rule there is the requirement in §58.130(e) … Any change in automated data entries shall be made so as not to obscure the original entry, shall indicate the reason for change, shall be dated, and the responsible individual shall be identified.7
Item 7: Annex 11 refers to keeping the audit trails for as long as required
by the predicate rule requirements for record retention, but there is no explicit statement in Annex 11. However, the retention requirements are found in clauses 4.10-4.12 in Chapter 4 on documentation.8

The audit trail regulatory requirements from 21 CFR 11 and EU GMP Annex 11 are compared and contrasted. In general, the two requirements are similar, but interpretation is required, as some
requirements are present either in the underlying predicate rule (for 21 CFR 11) or in other locations (for EU GMP). It is important when interpreting a specific section of a regulation to remember that other parts of the regulations may modify or interact with it. The problem is that audit trails in commercial applications fail to document the second person review adequately and should highlight when changes have been made to records.

1. R.D.McDowall, Scientific Computing, August 2013
2. R.D.McDowall, Scientific Computing, September 2013
3. FDA Guidance for Industry, Part 11 Scope and Application, 2003
4. EU, Good Manufacturing Practice, Annex 11 Computerized Systems, 2011
5. Electronic Records; Electronic Signatures Final Rule 21 CFR 11, 1997
6. Current Good Manufacturing Practice for Finished Pharmaceutical Products, 21 CFR 211, 2008
7. Good Laboratory Practice for Non-Clinical Studies, 21 CFR 58, 1978
8. European Union, Good Manufacturing Practice, Chapter 4 Documentation, 2011
9. Able Laboratories, FDA 483 Observations, July 2005
10. Concord Laboratories, FDA Warning Letter, July 2006
11. Ohm Laboratories, FDA Warning Letter, December 2009

R.D. McDowall is Principal, McDowall Consulting. He may be contacted at