SOP for Audit Trail Review and Privilege Policy 

Audit Trail Review In the Quality Control Laboratory of the pharmaceutical product manufacturing unit, Different instruments, and equipment being used to analyze the drug product. the documented tracking or list of activities known as the Audit trail.

An audit trail can be either a paper or electronically based trail that provides a documented history of a transaction within a company.

SOP for Audit Trail Review and Privilege Assigning Policy 

1.0      PURPOSE:

    • The purpose of this SOP is to define the procedure for Audit trail review and privilege assigning policy in the data acquisition software.

2.0      SCOPE:

    • This SOP is applicable to all data acquisition software’s operating as a workstation. (i.e. other than the server) which are utilized to acquire analytical data from the computerized system in the Quality Control Laboratory at the pharmaceutical drug manufacturing plant.

3.0      REFERENCES:

    • In – House

4.0     RESPONSIBILITY:

    • Analyst :

    • To operate the data acquisition systems as per their respective SOP.
    • To report any deviation or findings to their section in charge.
    • Reviewer/Checker :

    • Review of all the acquired data for the correctness.
    • To review the audit trails.
    • Inform to Head QC or Designee in case of any discrepancies observed.
    • Quality Control Head :

    • Training of concerns before the implementation of SOP.
    • Monitor the data acquisition systems or applications for any abnormal error messages.
    • Review the audit trail information periodically.
    • Ensure that the audit trails are reviewed in a timely manner.
    • Quality Assurance :

    • To check the SOP.
    • Ensure the implementation of the system as per SOP
    • Authorize the data backup, restoration, archival and retrieval request as and when required.
    • Periodic review of data, audit trail to ensure that the procedure is followed as defined.
    • Head of Quality Assurance :

    • Approval of the SOP.
    • Implement necessary technical controls to the required applications/ operating systems.
    • Ensure only licensed applications are installed in GLP mode for data acquisitions.
    • Ensure that privileges assigned to user groups and system policies in data acquisition systems are in line with the requirements.
    • Review any changes made to the assigned privileges or user groups.
    • Review and approval of audit trail information.
    • Ensure system implementation.

5.0     ABBREVIATIONS USED IN SOP FOR AUDIT TRAIL:

    • ER: Electronic Record
    • ES: Electronic Signature
    • FAT: Full Audit Trail
    • IT: Information Technology
    • QC: Quality Control
    • GLP: Good Laboratory Practices.

6.0     DEFINITION:

    • Electronic Signature: A computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual’s handwritten signature.

Also read: SOP for Maintenance of Laboratory Instrument

    • User Group: Applications or data acquisition software installed shall be accessed through the following user groups.
      • Level 1 (Analyst),
      • Level2 (Supervisor / Reviewer) and
      • Administrator.
    • Open System: System access is not controlled by persons who are responsible for the content of electronic records.
    • Closed System: System access is controlled by persons who are responsible for the content of electronic records.
    • The typical privileges assigned to user groups may be as follows.

 

 

Administrator

    • To monitor audit trail logs & comments, which are created by level 1& 2.
    • Monitor data security & supervise data archival system.
    • To back up the required data, as & when required.
    • Having all rights and controls pertaining to the application.
 

 

Level 1

 

(Supervisor / Chemist)

    • To create methods [Instrument, Processing & Report]
    • Edit methods [Instrument, Processing & Report]
    • To view audit trail logs created by level 1 & to feed necessary comments.
    • Start back up activity and to define the directory for data archival.
    • Having minimal controls to access the application and modify the data.
 

 

Level 2

 

(Supervisor / Chemist)

    • Run the created methods [Instrument, Processing & Report]
    • Edit reporting methods.
    • Prepare sequence or Batch file
    • No rights for data modification, root directory modification.
    • Having limited privileges to run the application, but doesn’t have privileges to modify the acquired data.

 

 

Also Read: SOP for GC Column Receipt, Performance Check and Storage

 

7.0    PROCEDURE FOR AUDIT TRAIL REVIEW:

    • During the installation of any software or data acquisition systems, Quality Head or designee need to verify following, but not limited to,
      • Structural Validation Certificate of the software or its equivalent provided by the manufacturer.
      • The application is being installed, in a suitable operating system, where compliance shall be achieved.
    • Create three user groups as defined above.
    • Record the same in software compliance after verification into the form provided in the Annexure -1
    • Review the software compliance form after completion and get approval from Quality Assurance Head for its desired applications.
    • Quality Head or his designee shall assign privileges to depend upon the structural and technical complexity of the applications, in such a way to achieve compliance.
    • Assigned privileges to user groups. Head QC shall review and the same and signed off.
    • The frequency for audit trail review shall be Monthly ± 7 days.
    • Review the following type of audit trail information as applicable to the data acquisition system.

    • Project audit trail, which may include timed events for change in Instrument Method, Processing method, Reporting method & Sample set or sequence tables
    • System audit trail, which may include timed events for change in InstrumentConfiguration, Data Archival history, User addition or deletions, User group addition or deletion, System addition or deletion, login history.
    • User audit trail.
    • Message center information or Alarm message audit trail.
    • Instrument/Equipment data log.
    • Any other time-stamped events captured or generated by the system.
    • In particular (but not limited to), the QC Head or designee shall review the audit trail information for any discrepancies related to data integrity, data security and other additional information as and when required as per the following checkpoints.
    • For Project audit trail:

    • Differences between method versions to determine any significant change has been made to the existing version.
    • For System audit trail:

    • Any change in System configuration, Data archival history, any change in addition or deletion of user groups/ systems.
    • User audit trail: Log in and Log out timed events
    • The Message center: Any abnormal or unusual, Alarm events
    • For Equipment data log: Usage of equipment.
    • For other Time-stamped events: as applicable to predictive rules.
    • If any observations or discrepancies are found during the review, QC Head or designee shall immediately inform the same to Quality Head or designee and the impact shall be evaluated for data integrity & security.
    • After reviewing the audit trail report, the QC Head or designee shall complete the necessary entries in the audit trail review register (Annexure – 2) and shall affix a “Reviewed by” on the audit trail report.
    • Quality Head shall sign for approval of the audit trail data for its necessary compliance.
    • Filed the signed out audit trail reports in accordance with good documentation practices for future reference as and when needed.

Also read: SOP for Disintegration Apparatus (DT)

    • During installation, administrators should set system policies in data acquisition systems should with the following requirements.
    • Password protection:

    • The system will be allowed to access only with a secure login ID & password.
    • Only administrators should be able to create a unique user login ID’s.
    • During set up, the administrator should create only user ID’s and the password shall be assigned by the user itself.
    • Password complexity:

    • The password should have a minimum of 8 characters.
    • Should have a possible combination of alphanumeric characters.
    • Should not have user ID itself as a password.
    • Do not allow users to use their previous passwords.
    • Disable of user ID’s after 3 unsuccessful attempts.

Also read: Operation and Calibration of Analytical Balance

    • Password aging:

    • The system should force users to change the password after the interval of60days.
    • Audit trail setting:

    • The default setting for Full Audit Trail [FAT] should be enabled to ensure all actions performed within a project, such as creating a method or sample set provides the complete path for the reconstruction of an electronic event with aid of time-stamped records.
    • This will ensure the audit trail setting will remain intact forever and default setting applies to all new projects created.
    • Do not allow to user to copy non-FAT projects or databases into FAT projects.

8.0     DISTRIBUTION:

    • Quality Control Department.
    • Quality Assurance Department.
    • Information Technology Department

9.0     ANNEXURES:

Annexure – 1:   Software Compliance Form. 

Name of the software
Version
Manufacturer
Desired application(s)
Verification details
Structural Validation certificate or it’s equivalent provided by manufacturer.  Yes / No
(If ‘No’ provide justification or explanation, the way the software will be used to acquire analytical data with minimal compliance related to 21 CFR part.11)*

*-Attach additional pages if required.

2. Operating environment  Windows 7 Any other, please specify __________________
3. Assigned user groups$ User group 1: _________________________________

Group 2:__________________________________

User group 3: __________________________________

$-Attach privileges assigned to each group, with duly signed.
Name, Designation/Dept Sign & date
Entries made by
Entries reviewed

 

APPROVAL

Based on the above observations and user settings, the software shall be used to acquire analytical data from the above mentioned desired application.

Name:

Designation:

Sign & Date:

Annexure – 2:   Format for Audit Trail Review Register.

Audit Trail Logbook

 

 

pharmabeginers

Janki Singh is experienced in Pharmaceuticals, author and founder of Pharma Beginners, an ultimate pharmaceutical blogging platform. Email: [email protected]

This Post Has 5 Comments

Leave a Reply

Close Menu