The term audit trail can be daunting for companies, but this is a regulatory requirement. Simply put, when it comes to the trial master file (TMF), if an action is not recorded in the audit trail, then it didn’t occur and is likely to be subject to an inspection finding.
There are several regulations and guidelines to consider in the context of managing your eTMF, including the 1997 Part 11 regulations from the US Food and Drug Administration (FDA)i; guidelines on computerised systems and electronic data from the European Medicines Agency (which replaced a 2010 reflection paper on expectations for electronic source data)ii ; the FDA’s guidance on electronic source dataiii; and UK’s Medicines and Healthcare products Regulatory Agency (MHRA) guidance on data integrityiv.
How, then, do you go about ensuring your TMF audit trail doesn’t fall foul of these regulations, and ultimately the inspectors’ expectations?
To start with, it helps to consider what an audit trail is in the context of the TMF. If we think of the TMF as the story of a clinical trial, the audit trail is its back story. It’s therefore important to ensure that the story is a documentary, not fiction, and that means maintaining TMF data integrity.
The principles of data integrity, as established by the FDAiii, are “attributable, legible, contemporaneous, original, and accurate” (ALCOA). Various groups built on this definition over time, with the addition of “complete, consistent, enduring, and available” to the original principles now commonly referred to as ALCOA+.
EMA’s guideline on computerised systems and electronic data in clinical trialsii introduced the term “traceable,” now referred to ALCOA++. This principle is central to the idea of having audit trails.
If the audit trail fails to meet these principles, it’s likely the company will face inspection citations or critical findings. For example, a 2021 report from EMAv shows a number of minor, major and critical findings on audit trails. These included deletion of documents with no record of these being deleted, lack of procedure for review of user access, and lack of audit trails to reconstruct the course of events.
MHRA has in recent yearsvi issued several critical findings related to record keeping or essential documents, noting, among other issues: 1) the eTMF system audit trail was extremely limited and could not be used for the review of TMF completeness over time; 2) there was no clear audit program in place or periodic review of the eTMF system audit trail to demonstrate oversight and quality assurance of completeness and accuracy of the TMF systems in place; and 3) eTMFs were not being updated regularly and therefore not kept in an inspection-ready state.
What all these findings show is that inspectors are using the audit trail to review TMF completeness, oversight and quality. So, it’s vital that companies understand the importance of timely filing to the system, inspection readiness, and how audit trails work, or they can come back to bite you.
Given the critical findings from inspections, companies need to find ways to make their audit trails work for them. It helps to break the audit trail down into various elements to assess workflow and history of the documents. Here, we’ll discuss the who, what, when, where and why of three key areas to focus on with your audit trail: user oversight, TMF completeness and TMF accuracy.
Audit trails and user oversight
The audit trails from electronic systems capture information every time a human and system interacts with a document, including when the document is viewed. However, documents in the TMF should only be accessible to users with assigned roles and permissions. So, it's important to maintain TMF user oversight.
As part of your TMF user oversight, it is recommended to define the process, the evidence, and the outcome. For example, your process might state that you will review the audit trail information each quarter to see who from the study team has access the system, and that information will be detailed in your standard operating procedures (SOPs). The evidence would be a report showing which users have access to the study and when they last accessed the system. You will need to consider where that evidence will be stored (a SharePoint site, a QA system, or other designated repository) because the inspectors may want you to provide evidence. The outcome will be information on users that have not accessed the system within a certain timeframe and therefore have had their permission revoked – in other words you’re taking care of who accesses your eTMF.
Audit trails and TMF completeness
TMF completeness is very much about document management – are the expected documents in the TMF? Many of the same criteria that apply to user oversight again apply to completeness.
The outcome of this meticulous process is having better TMF health with greater clarity about its completeness.
Audit trails and TMF accuracy
When thinking about TMF accuracy, a primary focus should be on document quality. As noted in 21 CFR Part 11, procedures and controls are expected to include “the ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agencyi.” As part of the audit trail, you want to verify your document quality, make sure documents filed in the TMF are final, that they are TMF ready and that they adhere to good documentation practices.
The objective with a TMF accuracy audit trail is to demonstrate the process is working, that everything that you say is happening is captured, and if not, determining what you need to do to address any inconsistency.
Think smart with your audit trail
The audit trail can be overwhelming, so it’s important to tackle elements rather than every aspect of the TMF. Make it work for you, where possible take a risk-based approach, and don’t rely on a one-size-fits-all approach. And finally, think process, evidence and outcome, and remember, if it’s not documented, it didn’t happen.
About the authors:
This blog is based on a presentation given by Rob Jones, director of TMF professional services at PharmaLex, and Marcin Hernik, expert TMF services lead at PharmaLex. The full presentation can viewed on-demand at https://www.phlexglobal.com/on-demand-elevate-utilize-audit-trails.
This blog is intended to communicate PharmaLex's capabilities which are backed by the author’s expertise. However, PharmaLex and its parent, Cencora, Inc., strongly encourage readers to review the references provided with this blog and all available information related to the topics mentioned herein and to rely on their own experience and expertise in making decisions related thereto as the blog may contain certain marketing statements and does not constitute legal advice.
[1] Part 11, Electronic Records; Electronic Signatures - Scope and Application, FDA. https://www.fda.gov/regulatory-information/search-fda-guidance-documents/part-11-electronic-records-electronic-signatures-scope-and-application
[1] Guideline on computerised systems and electronic data in clinical trials, March 2023, EMA. chrome-extension://efaidnbmnnnibpcajpcglclefindmkaj/https://www.ema.europa.eu/en/documents/regulatory-procedural-guideline/guideline-computerised-systems-and-electronic-data-clinical-trials_en.pdf
[1] Electronic Source Data in Clinical Investigations, FDA, 2013.
[1] Guidance on GxP data integrity, MHRA, 2019. https://www.gov.uk/government/publications/guidance-on-gxp-data-integrity
5 EMA Annual Report of the Good Clinical Practice (GCP) Inspectors Working Group (IWG) 2021. https://www.ema.europa.eu/en/documents/report/annual-report-good-clinical-practice-inspectors-working-group-2021_en.pdf
6 MHRA GCP INSPECTIONS METRICS REPORT, 2018-2019 https://assets.publishing.service.gov.uk/media/602a8e3cd3bf7f03190cbe43/GCP_INSPECTIONS_METRICS_2018-2019_final_12-02-21.pdf and MHRA GCP INSPECTIONS METRICS REPORT, 2016-2017 https://assets.publishing.service.gov.uk/media/5af56e0740f0b622d4e9808d/GCP_INSPECTIONS_METRICS_2016-2017__final_11-05-18_.pdf