Is My Audit Trail Regulatory Compliant?

Operating a laboratory within regulatory requirements can be a challenge.  The wording of regulations is typically cryptic, and there’s always room for different interpretations.  Audit trails are an important factor for compliance because they document a comprehensive history of sample analysis. Whether you capture sample history using a paper-based method or use an electronic system (LIMS), data integrity requirements equally apply.  In this article, we have simplified the key features of audit trails for electronic systems based on the MHRA Orange Guide and FDA 21 CFR Part 11 requirements.

The Audit Record

The audit record should be human readable and contain the following information:

• Type of Action: The record must inform the user if something has been created, modified or deleted.
• Operator: This is the identity of the user who performed the action. In some cases, the system maybe recorded as an operator where actions are automated. For example, where your LIMS is integrated with equipment, you may see the ‘System’ entered results for a test.
• Date and Time of Action: When the audit trail records the date and time of action, the system should use the date and time from a location that cannot be editable by the user.
• Values: Where data has been modified, the audit record must include previous and new values.
• Reason for change: For all action types that are not part of the routine sample analysis process, a reason for change must be recorded by the user. For example, if a duplicate test is added to sample, the user must record why a duplicate test was required and record additional identifiers where necessary (e.g. laboratory investigation – LIR 17-098).
• Electronic Signature: Where the user has entered their electronic signature to complete an action, this must be included in the audit record.

Data Integrity

It is important that your system audit trail adheres to data integrity requirements.  This means that the system must prevent users from modifying or deleting the audit trail as well as obscuring original data entries. A well designed and compliant LIMS will provide read-only access to the audit trail through reporting or a user interface, and additional measures will be implemented to prevent unauthorised access at the database level (both physical and electronic access).

Data Reporting

The audit trail is one example of an electronic record, and it is a regulatory requirement that the system has the ability to generate accurate and complete copies of the audit trail in a printable and human readable format. This allows you to conduct periodic compliance reviews to maintain a validated system.  It also allows auditors, both internal and external, to review records as appropriate.