Audit Trails Reviews for Data Integrity | IVT

数据完整性审计追踪审核

By

Ivan Soto

PeerReviewed: Data Integrity

INTRODUCTION

说明

Annex 11 requires that audittrails are regularly reviewed to ensure data integrity. There are a significantamount of inconsistent interpretations about the requirement to regularlyreview audit trails. Some of the interpretations are that a periodic review ofaudit trails should be performed to ensure data integrity. Under a periodicreview approach some companies have implemented a monthly, quarterly, bi-annualand yearly review of audit trails. The challenge is how relevant it is toperform a periodic review after an extended period of time when the data wasgenerated. What is the value? What are we supposed to be looking for? Whatconstitutes a data integrity issue? Which data is critical? Should we take arisk based approach?

附录11要求审计追踪被定期审核以确保数据完整性。对于定期审核审计追踪的要求有很多不一样的解释。部分的解释是，一个审计追踪的定期审查应确保数据的完整性。定期审查在一些企业的做法是每月、每季度、每半年和年度实施。面临的挑战是在数据生成较长一段时间后执行定期审查的相关性。价值是什么？我们要找的是什么？什么是数据的完整性问题？哪些数据是重要的？我们应该采取一种基于风险的方法吗？

This article will provideanswers to these challenging questions and solutions about how to performregularly audit trail reviews.

本文将提供这些问题的解答以及如何执行定期的审计追踪审核。

THE CHALLENGES

面临的挑战

Aligning with the requirementto regularly perform audit trails reviews can be very challenging for somecompanies. This requirement is based on the assumption that all system provideaudit trails that are “user friendly”, adequate and easy to review for dataintegrity. One of the biggest challenges is that some systems specifically inthe Quality Control laboratories don’t generate audit trails that facilitate areview regularly. Another challenge is whether to perform periodic review or toassess the audit trails prior to signing or approving the data. Can weimplement the same approach for all areas with GMP impact or can we take a riskbased approach. Which approaches are more value added and not just a paper workexercise?

根据要求定期进行审计跟踪评审可能对一些公司很有挑战性。这一要求是基于假设所有的系统提供审计追踪是“用户友好”的、适当的以及容易审核数据完整性的。最大的挑战之一是，特别是在质量控制实验室，一些系统不生成审计追踪来进行定期审核。另一个挑战是，在签署或批准数据之前是否需要进行定期审核或评估审计追踪。我们可以所有GMP的影响的区域采取相同的方法吗，或者我们可以采取基于风险的方法。哪种方法更有价值，并且不仅仅是书面的的文件化活动？

Unfortunately Annex 11 andother data integrity philosophies fail to provide adequate guidance anddirection about how to regularly review audit trails. There is always thechallenge on how to deal with all the assumptions related to this requirementand this also includes resources to regularly review audit trails. In order toreview audit trails regularly qualified resources are needed to perform thiswork. The resource impact needs to be clearly understood based on the populationof impacted systems, the volume of the reviews and the defined frequency. Allthe potential challenges need to be well understood and addressed prior tocommitting to perform audit trails reviews, otherwise the effort will bemeaningless and simply a paper exercise.

不幸的是，附件11和其他数据的完整性指南无法对如何定期审查审计跟踪提供充分的指导。如何应对这一要求相关的所有设想也是一个挑战，这也包括满足定期审查审计跟踪的资源。为了审查审计追踪，需要定期确认硬件资源。资源的影响需要基于影响系统的种类、审核的范围、和定义的频率清楚地理解。所有潜在的挑战，需要在执行审计审查之前很好地理解和解决，否则将是毫无意义的和仅仅是纸上功夫。

AUDIT TRAIL ASSESSMENTS

审计跟踪评估

In order to align with therequirement to regularly review audit trails an assessment needs to beperformed for all impacted systems. The audit trail assessment is the first andthe most critical steps to implement audit trail reviews. An inventory of allimpacted systems need to be created. This inventory will identify all impactedsystems that need to be included in the audit trail assessment. The intent ofthe assessment is to identify whether each individual system provide audittrails that are adequate and that can be used for performing these reviews.

为了完成定期审查审计追踪的需求，需要对所有有影响的系统进行评估。审计追踪评估是实施审计追踪审核首要的也是最关键的步骤。需要创建一份所有有影响的系统的清单。这份清单将确定所有需要包括在审计评估的有影响的系统。评估的目的是确定是否每个系统提供审计追踪是充分的并可用于执行这些审核。

System level risk assessmentsneed to be performed to identify whether the system is high, medium or lowrisk. The system risk needs to be used to prioritize the audit trail assessmentand implementation of periodic reviews. For example a quality control system tomeasure critical quality attributes is probably high risk and should be a priority.A risk based approach will be discussed in more detail later in this article.

需要执行系统层面的风险评估确定系统是否是高风险、中等风险还是低风险。系统风险需要决定审计追踪评估和实施定期审核的优先级。例如，一个用来测量关键质量属性的质量控制系统可能是高风险的，应优先考虑。基于风险的方法将在本文后面详细讨论。

Each functional area that haveGxP computer systems need to perform the audit trail assessment to determinethe following:

每一个有GXP计算机系统的领域需要进行审计追踪评估以确定如下：

·        Who has access to view the audit trails?

·        谁有权访问查看审计追踪？

·        Can the audit trail be printed from the application?

·        审计追踪可以从软件中打印吗？

·        Can the reviewer select a data range?

·        审核人能选择数据范围吗？

·        Can the reviewer select a specific activity ofinterest during the audit trail review?

·        审核人审核审计追踪时能选择某一特定活动的审计追踪吗？

·        Will it feasible to include the audit trail with thedata results?

·        能否包括数据结果的审计追踪？

·        Will it be feasible for QC systems to include theaudit trail with the assay results?

·        质量控制体系是否包括检测结果的审计跟踪？

·        Are user’s action time and date stamped?

·        是否记录了用户活动的时间和日期？

·        Does the audit trail records creation, modificationand deletion of records?

·        审计跟踪能否记录记录的创建，修改和删除活动？

The answer to each questionwill be potentially being different for each system assessed. Based on theresults of this assessment remediation activities may be required to addressany gaps or improvements need for audit trails.

不同的系统对每个问题的答案可能是不同的。基于这一评估的结果，可能需要整改活动来处理任何缺口或改进审计追踪的需求。

To document the results of theaudit trail assessment a summary report should be created to summarize thefindings.

为了记录审计追踪评估的结果，应创建一份总结报告来总结发现的情况。

A remediation plan should becreated to describe the corrective actions that will be taken for each system.

应建立整改计划描述将为每个系统采取的纠正措施，。

Once all remediationactivities are closed procedures need to be created or revised to include thesteps for performing audit trails periodic review.

一旦所有的整改活动关闭，需要创建或修订程序将执行审计追踪定期审核的步骤写入规程。

RISK BASED APPROACH

基于风险的方法

A risk based approach to audittrail reviews is critical for an implementation that provide a meaningfulprocess without having a negative impact on cost and resources. The fact isthat without taking a risk based approach audit trail reviews can have anegative impact on cost and resources. Audit trail reviews for GxP systems area time consuming activity that requires resources to execute and manage theinformation an actions related to the review.

基于风险的审计追踪审核的方法是非常重要的实现，提供一个有意义的过程，而无需对成本和资源的负面影响。事实上，审计追踪的审核若不采取基于风险的方法可能对成本和资源有负面影响。GXP系统的审计追踪审核是一个耗时的活动，需要资源来执行和管理需要审核的活动相关的信息。

In order to take a risk basedapproach to audit trail reviews the system risk level need to be identified.Prioritizing the audit trail assessment based on the level of risk is criticalto prioritize the assessments and implementation. Systems involved in thetesting of Critical Quality Attributes are high risk and should be the highestpriority during the assessments and implementation.

为了采取基于风险的审计跟踪审核，需要确定系统的风险水平。按照系统的风险水平关键程度的优先级别，来评估和实施。参与关键质量属性的测试系统是高风险的，应在评估和实施过程中最高优先考虑。

The system risk level shouldbe used to establish the frequency and scope of the audit trails periodicreviews. For high risk systems such as those used in Quality Control the audittrails should be reviewed with the test results to ensure the integrity of thetest data. The scope of this review should include assessing the accuracy andintegrity of the data using the audit trail. In this situation the audit trailwill be reviewed for the following:

系统风险水平应该被用来建立审计追踪定期审核的频率和范围。对于那些高风险的系统，如用于质量控制的，审计追踪应该与测试结果一起审核以确保试验数据的完整性。这种审核的范围应包括使用审计跟踪评估数据的准确性和完整性。在这种情况下，审计追踪将审核以下：

·        Changes to test parameters

测试参数的变化

·        Changes to data processing parameters

数据处理参数的变化

·        Data deletion

数据删除

·        Data modifications

数据修改

·        Analyst actions

分析人员的行为

·        Data manipulation

数据篡改

·        Excessive integration of chromatography peaks

色谱峰过度整合

·        Security breaches related to data

与数据相关的安全漏洞

QC procedures need to definethe controls related to data integrity; this will ensure consistency during theaudit trail review.

QC程序应该定义数据完整性相关的控制；这将确保审计跟踪审核过程中的一致性。

For medium and low risksystems the approach will be less intensive that for high risk. For thesesystems it can be possible to review periodically the audit trails. Theperiodic review period should be established based on the level of system risk.Medium risk systems should be reviewed more frequently than low risk systems.For example a document management system is probably medium risk that should beon a periodic review schedule of every six months or a yearly schedule. Lowrisk system can be reviewed on a yearly or bi-annual basis.

对于中、低风险的系统，审计追踪的方法将没有高风险系统那么密集。这些系统可能定期审核审计追踪。定期审核的周期应根据系统风险水平建立。中等风险的系统应该比低风险的系统更频繁。例如，文档管理系统可能是中等风险，应定期计划每六个月或每年进行。低风险的系统可以每年或每年2次进行。

The scope of the audit trailreviews for medium and low risk systems should include the following:

对中、低风险的系统审计追踪的范围，应包括以下内容：

·        Data changes

数据的变化

·        Data deletions

数据删除

·        Unauthorized access or transactions

未经授权的访问或操作

To implement audit trailreviews is critical to take a risk based approach. A one size fits all approachcan have a significant impact on cost and resources.

实施审计追踪的审查是采取一种基于风险的方法的关键。它是一个放之四海而皆准的方法，可能对成本和资源有重大影响。

In summary a risk basedapproach is critical for the implementation of audit trail periodic reviews.

综上所述，基于风险的方法是实施审计追踪定期审核的关键。

IMPLEMENTATION

实施

Once the audit trailassessment are performed, system risk identified and all corrective actions areclosed the audit trail reviews can be implemented. Prior to implementation theimpact to resource need to be well understood based on the expected volume ofwork. Once this impact is understood hiring and reassigning of resource need tobe completed prior to formal implementation.

一旦进行审计追踪评估，识别出系统的风险并且所有纠正措施已关闭吗，就可以实施审计追踪的审核了。在实施之前，应该基于所期望的工作量好好理解对资源的影响。一旦理解这种影响，应该在正式实施之前完成资源的征用和重新分配。

Procedure may need to becreated or revised to include the approach of audit trails reviews for eachsystem based on the results of the assessment and system risk.

应该建立或修订规程，根据风险评估的结果将每个系统的审计追踪的审核写进去。

The last step is training allimpacted resources on the applicable procedures with an emphasis of dataintegrity.

最后一步是培训所有有关人员应用规程强调数据完整性。

SUMMARY

总结

Annex 11 requires that audittrails are reviewed regularly to ensure data integrity. The frequency and scopeof the audit trail reviews is not defined in annex 11. Audit trails periodicreviews have impact on resources and cost. To minimize the cost and resourceimpact and risk based approach should be taken for the implementation of audittrails review. The approach should be based on the system risk level which willfacilitate defining scope and frequency of the reviews.

附录11要求审计追踪定期审核，以确保数据的完整性。审计追踪审核的频率和范围并没有在附录11中定义。审计追踪定期审核对资源和成本有影响。为了最小化对成本和资源的影响，应该采取基于风险的方法来实施审计追踪的审核。该方法应基于系统风险水平，将有助于定义审核的范围和频率。

An audit trail review whenproperly implemented can increase the integrity of data generated by GxPsystems.

正确地实施审计追踪审核可以增加GXP系统产生的数据的完整性。

如果您觉得不错，请长按下面二维码关注，GMP办公室将为您推送更多精彩的内容！