The following regulations and guidelines are basic sources of information for the requirements of the audit trail:
- MHRA, Data Integrity1
- EU GMP, Annex 11: Computerised Systems2
- FDA, CFR 21 Part113
- ISPE, GAMP Data Integrity4
- ISPE, GAMP55
- PIC/s, Data Integrity in Regulated GMP/GDP Environments6
The method.
The research and the associated selection of regulations and guidelines can lead to an extensive collection of texts. These texts must be analysed and put into a compact form. A helpful method for this is qualitative content analysis according to Mayring.7
Mayring first describes content analysis and qualitative analysis and then derives the four principles for developing a qualitative content analysis. In summary, the principles are as follows: A qualitative content analysis
- must be characterised by a systematic approach.
- must place the material in a communication model.
- uses a system of categories as the centre of analysis.
- must be able to be measured against scientific quality criteria.
In addition to the general content-analytical process model, Mayring also describes special qualitative techniques that result in seven forms of analysis for qualitatively oriented text analysis, which are divided into three groups:
Basic forms | Subgroups |
|---|---|
Summary | Summary Inductive category formation |
Explication | narrow context analysis wide context analysis |
Explication | Formal structuring content structuring typifying structuring scaling structuring |
Table 1: Forms of analysis of qualitative content analysis according to Mayring
The forms of analysis listed in Table 1 describe the basic principles with their subgroups. Summary aims to reduce the initial material without changing the core message. Explication involves expanding the material to make it more understandable. Structuring involves filtering out the essential material and rearranging it.
Based on the forms of analysis of qualitative content analysis, Mayring derives a procedure for summarising content analysis, which is as follows:
Since Mayring applies the methodology in examples to the evaluation of interviews, for the specific case of formulating requirements for the audit trail, a summary of the analysis described by Mayring takes place with the following steps:
- Set material
- Analyse material
- Reduce material
- Check reduced material for initial statement
Figure 2 shows the model for analysing the material available in text form and reducing the associated content to the final version.
After reviewing the material, a decision is made as to which content is relevant (e.g. for the audit trail). The intermediate result is a collection of material, which is symbolised in Figure 2 by the document symbol after the process step 'Determine material'.
This is followed by further analysis of the collected material. In a first step, the relevant contents (paragraphs, passages, sentences) are reduced to such an extent that only the essential statements remain. In a second reduction step, the core statement is reproduced in one's own words.
To ensure that the statement is not falsified by one's own words, a check on the source material follows. If there are no deviations here, the statement is considered final. In the process shown, this is represented by the second document symbol.
Practical application.
Step 1: Determine the material.
Due to the regulatory requirements and guidelines mentioned above, only Annex 11 of the EU GMP Guideline will be considered initially.
Step 2: Analyse the material.
The following excerpt on the Audit Trail can be found in the specified material:
Audit Trails
Consideration should be given, based on a risk assessment, to building into the system the creation of a record of all GMP-relevant changes and deletions (a system generated "audit trail"). For change or deletion of GMP-relevant data the reason should be documented. Audit trails need to be available and convertible to a generally intelligible form and regularly reviewed.
Translation according to the Federal Ministry of Health.8
Audit trails
Based on a risk assessment, consideration should be given to integrating the recording of all GMP-relevant changes and deletions into the system (a system-generated audit trail). When GMP-relevant data is changed or deleted, the reason should be documented. Audit trails must be available, be able to be converted into a generally readable form and be reviewed regularly.
Step 3: Reduce material.
The reduction of the material can be done by means of bullet points:
Requirements for a system-generated audit trail, are
- Recording of all GMP-relevant changes
- Recording of all GMP-relevant deletions
- Record the reasons for GMP-relevant changes
- Recording the reasons for GMP-relevant deletions
- Availability of the audit trail
- Conversion into generally readable form must be possible
- Regular inspection must be carried out
Step 4: Check reduced material for initial statement.
Here we not only check whether the reduction of the material has changed the initial statements, but also whether an explication is necessary. This would be the case, for example, if the statements are unclear and ambiguous and thus supplementary explanations make sense.
The first two statements should be supplemented in the requirements with concrete examples. It must be defined what are GMP-relevant changes and what are not. Ideally, the audit trail should record all changes. A subdivision of what is GMP-relevant and what is not can be made in an SOP for the audit trail review. There, it is determined which contents of the audit trail are to be reviewed regularly.
For points 3 and 4, it should be noted in the requirements how exactly the reasons are given. For example, it is conceivable that a list is displayed and the user merely activates checkboxes. Likewise, free text fields for a more detailed description could also be implemented. Furthermore, it should be specified whether the entries are optional or mandatory.
The 5th point is very vague in the current description. It is unclear what exactly the term availability should mean in this context. For example, the requirements should state that the audit trail can at least be displayed on request at any time. A subsequent requirement could be the printout of a current audit trail.
When converting to generally readable formats (point 6), it should be defined in any case which formats should at least be available as an export variant (e.g. PDF). This then leads to further requirements such as that the export format must not allow any (subsequent) changes to the content or that no proprietary software should be used to read out the exported format.
Finally, the last item on the list specifies that the audit trail must be checked regularly. The audit interval and what exactly needs to be audited should be anchored in a corresponding SOP. This could be reviewed in the context of an OQ or PQ. If the SOP does not yet exist, it will then be created.
Conclusion.
As shown, checking the reduced material against the initial statement can certainly involve a certain amount of effort. The advantage, however, lies in the concrete requirements that develop from this.
The method of qualitative content analysis should be applied to all regulatory provisions and guidelines that are classified as relevant. In order not to lose the described level of detail that can arise in step 4, it is recommended to immediately include it in the draft user requirements.
With intensive consideration and depending on the system, up to 20 requirements can quickly arise for the audit trail alone.
Sources.
- Medicines & Healthcare products Regulatory Agency (MHRA), 'GxP' Data Integrity Guidance and Definitions, March 2018
- EudraLex, The Rules Governing Medicinal Products in the European Union, Volume 4, Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use, Annex 11: Computerised Systems
- U.S. Department of Health and Human Services, Food and Drug Administration (and CDER, CBER, CDRH, CFSAN, CVM, ORA), Guidance for Industry, Part 11, Electronic Records; Electronic Signatures - Scope and Application August 2003, Pharmaceutical CGMPs
- ISPE, GAMP, RECORDS AND DATA INTEGRITY, GOOD PRACTICE GUIDE: Data Integrity by Design, 2020
- ISPE, GAMP, GAMP 5, A Risk-Based Approach to Compliant GxP Computerized Systems, 2008
- PIC/s PHARMACEUTICAL INSPECTION CONVENTION PHARMACEUTICAL INSPECTION CO-OPERATION SCHEME PIC/S GUIDANCE GOOD PRACTICES FOR DATA MANAGEMENT AND INTEGRITY IN REGULATED GMP/GDP ENVIRONMENTS 1 July 2021
- Mayring, P., (2010): Qualitative Inhaltsanalyse: Grundlagen und Techniken, 11th ed.
- Annex 2 to the Notice of the Federal Ministry of Health on Section 2 No. 3 of the Ordinance on the Production of Medicinal Products and Active Substances of 8 August 2011 (BAnz No. 125, pp. 2901-2906)
