According to – Electronic Records § 11.10 (e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records.

But what exactly does this mean? The following article will try and clear up any misconceptions that may surround this statement.

The Meaning of Independent

The word independent used in relation to audit trails means once the audit trail log is generated it cannot be manipulated by operator/users of the system or anyone else for that matter.

The main purpose is to ensure and prove data integrity. If the data has been changed, the audit trail should record what has been changed and who made the various changes.

The audit trail functionality should be built into the software and it should be protected and stored safely and is especially important for critical computer related processes with manual operator interaction.

All GxP application that strive to be Part 11 compliant must have an audit trail. Since this mimics the regulatory requirement of making correction in paper systems.

Audit trails needs to be outside of the user’s control – running independently to capture who did what to which records, and when they did it. The expectation is that a Part 11 compliant implementation of an audit trail is automatically generated, which implies that its operation is entirely transparent to the typical end user.

The Meaning of Readable

Audit trails must also be readable. You can have a third party application such as report generator that reads the tables and generates a report. If you need to contact the vendor in order to read the audit trail then it is NOT Part 11 compliant.

Record the Changes

Audit trails need to record the changes. The entry of data is recorded in the record, but when data is changed the previous data needs to be recorded in the audit trail. You should be able to provide proof during the testing and validation that the previous data is in a read only audit trail and can be viewed in a human readable report or screen.

When Should an Audit Trail Begin?

The audit trail should start right after the system is configured initially and validated

What Records Should be Captured?

The audit trail only needs to be captured for electronic records specifically under Part 11 – records required to be maintained by predicate rules – which are not necessarily *all records* within the system. It’s very important to choose what elements of the system need to be audit trailed. Sometimes people do not take the time to figure this out and end up just creating a huge audit trail for every transaction in the system. This shows lack of understanding of Part 11 and what actually needs to be recorded.

What Should Each Audit Trail Entry Contain?

Each audit trail entry must include:

  • Name (User_ID)
  • Action that was performed: (Create, Modify, Delete)
  • Date and time of action
  • Where data is modified, the values before and the values after the changes, for all the changes
  • Reason for change where appropriate