Audit Trail Review for Devices with "StandardAudit Trail"
Functions

具有"標準審計追蹤"功能的設備的審計追蹤審核

Devices andequipment often have standard audit trail functions.There is a huge amount of data being recorded (on/off), and only a fraction ofthis data is critical and relevant for audit trail reviews. What is the best way to proceed witha review?

設備通常具有標準審計追蹤功能。大量的數據（開/關）被記錄，其中只有一小部分數據是關鍵，并需要審計追蹤審核的。這種審核的最佳方法是什么？

SolutionApproach

解決方案

Especially withregard to the audit trail, the view has changed. Before the revision of the EUGMP Guideline Annex 11, the general view was that of the conservation ofevidence in order to have further data available in case of a deviation.Statements made by the US American FDA in its dockets also nourished this view:"Audit Trail... we may use it for anuseful purpose e.g prosecution". Consequently, the emphasis inthe software was not put on later evaluability, but on the recording. For thisreason, the audit trail data was simply stored sequentially in tables.

特別是在審計追蹤方面，現在觀點發生了變化。在修訂歐盟GMP附錄11之前，一般的看法是保存證據，以便在出現偏差時獲得進一步的數據。美國FDA在其訴訟檔案上的聲明也滋養了這種觀點："審計追蹤...我們可能會在需要是使用它，如訴訟"。因此，軟件的重點不是后來的可評價性，而是記錄。因此，審計追蹤數據只是按順序存儲在表中。

So far thereare only a few systems that fully support the new requirements. Now, with theadditional demand also after the reason of the change, there are furtherdemands on the systems and also further sorting criteria. In addition, it hasbeen clarified that the audit trail can be limited using a risk-based approach.Here, the opportunity lies in the limitation to the essential data. What theseare is described both in Annex 11 §9 and in Chapter 4 of the EU GMP Guidelines.Further information can be found in the "Aide-Memoire" (Aide-mémoire 07121202) publishedin the German ZLG, where the following quotation can be found:

到目前為止，只有少數系統完全支持新的要求。現在，隨著需求增加的原因，對系統有進一步的要求，也進一步整理了標準。此外，已經明確可以使用基于風險的方法進行審計追蹤。在這里，機會在于對基本數據的限制。歐盟GMP附錄11和附錄9以及第4章都介紹了這些內容。更多信息見德國ZLG發布的"備忘錄"（備忘錄07121202），其中可找到以下引文：

S. 26 2.4.5 Audit Trails - "1 - Based on a risk assessment, considerationshould be given to integrating the recording of all GMP relevant changes anddeletions into the system (a system generated "audit trail"). 2 - IfGMP relevant data are changed or deleted, the reason should be documented. 3 -Audit Trails must be available, must be able to be converted into a generallyreadable form and must be checked regularly".

S. 26 2.4.5 審計追蹤 - "1 - 根據風險評估，應考慮將所有 GMP 相關更改和刪除的記錄集成到系統中（系統生成的"審計追蹤"）。2 - 如果更改或刪除 GMP 相關數據，應記錄原因。3 - 審核追蹤必須可用，必須能夠轉換為一般可讀的表單，并且必須定期檢查"。

It is thereforeadvisable to first derive the definition of the relevant data for the audittrail from the definition of the raw data, and then to determine for which dataa review must be performed and which criteria of the assessment must becreated. This is in line with the requirements of Chapter 4, where it is statedthat at least the data on which a quality decision is based must be named asraw data.

因此，建議首先從原始數據的定義中得出審計追蹤相關數據的定義，然后確定必須對哪些數據執行審核以及必須創建哪些評估標準。這符合第 4 章的要求，其中指出，至少用于質量決策的數據必須作為原始數據。

As the data itselfis usually not changeable even in the case of control systems (PLC) and processcontrol systems, it can also be argued, if necessary, that no audit trail iscarried out, precisely because the data cannot be changed. However, thisargumentation must be supported by appropriate validation with evidence of theraw data protected by proprietary formats or strong access protection. Thismeans that there must be test scenarios that prove that these defined raw datacannot be changed accidentally or with simple effort.

對于控制系統（PLC）和過程控制系統，由于數據本身通常不可修改，也有聲音表示：沒有必要執行審計追蹤，因為數據無法修改。但是，此論證必須得到適當的驗證支持，并證明原始數據受專有格式或健壯的訪問保護。這意味著必須有測試方案來證明這些定義的原始數據不會被意外或輕易更改。

For suchsystems that do not have an audit trail, the Aide-Mémoire mentioned abovepoints out that for legacy systems without an audit trail, in exceptional casesit can be regulated, e.g. by an SOP, to document the corresponding change in alogbook and have this verified by a second person. It should be noted here thatonly those systems are defined as old systems that were installed before Annex11 (1992) came into force (see Aide-Mémoire 07121202, page 28, running no.2.4.5.9). There you will also find the sentence: "First of all it must be clarified whether data can be changed at all (e.g.electronic recorders). If not, no audit trail is required."

對于沒有審計追蹤的系統，上述備忘錄指出，對于沒有審計追蹤的舊系統，在特殊情況下，可以由SOP 監管，以在日志中記錄相應的更改，并由第二人進行確認。這里應當指出，這些系統被定義為在附錄11（1992年）生效之前安裝的舊系統（見備忘錄07121202，第28頁，第2.4.5.9頁）。在那里，還將找到以下句子："首先，必須明確數據是否可以更改（例如電子記錄）。如果不能，則不需要審計追蹤。

For those systemswhere there is a simple audit trail, a reporting tool should be used to performthe query based on the definition of the raw data. As a minimum, the entriesthat belong to process values that are needed for a quality decision should bedisplayed. If the data, e.g. temperatures, are directly related to the batchrelease, it should be checked whether the associated audit trail must also beevaluated before the batch isreleased. In systems that also record the reason for the change, groups can besorted by reason and clusters can be recorded and valuated according to reason.The evaluation should always be prioritized according to the risk for theproduct and thus the patient. In the second instance, the accumulation ofreasons can also give cause to question technical defects.

對于存在簡單審計追蹤的系統，應使用報告工具根據原始數據的定義進行查詢。至少，應能夠顯示與用于質量決策的工藝數值相關的項目。如果數據（例如溫度）與批放行直接相關，應在批放行前檢查相關的審計追蹤。在修改原因也進行記錄的系統中，可以按原因篩選，然后可以根據原因進行記錄和評估。評估應始終根據產品的風險，從而根據患者的風險進行優先級評估。在第二種情況下，可以根據原因的積累改進技術缺陷。

It is notpossible to derive from the laws and guidelines themselves the requirement fora technical audit trail which gives reason for virtually all configurations andrecords them in the audit trail. The change control procedure exists for theseprocesses. Consequently, no reviews of this data are expected at this point.However, this view is not uncontroversial, since many companies and also someinspectors derive the requirement for monitoring the configuration (technicalaudit trail) from the Data Integrity Guidancerecently published. Here, each company must decide for itself what acceptancerisk is taken. It seems appropriate to take a risk-based approach here as well.Since a configuration always has an impact on the future and does not changeany data already recorded, this should serve as an approach to decide wheremonitoring of the software itself is or is not necessary. This is certainlydifferent for an HPLC than for a controller. However, if the configurationparameters (e.g. limit values and set points) are known and printed out, forexample, the data generated from them can also be evaluated in context. Not toforget that in general a rigid change control applies which, if necessary, alsoproves with a regression test that the new configuration meets therequirements. Another aspect is that the cycles of the review for the technicalpart are certainly different from cycles for the data review, where undercertain circumstances the audit trail should be considered for each batchrelease (e.g. MES), depending on the risk for the release and thus for thepatient. A final note on this point is that many systems do not currentlysupport the "technical audit trail", especially for individualcontrols. The good news is that changes are rather rare here and a well-running,validated process is changed more rarely. The control here is done by a rigidchange control and the periodic review which also records the incidents andlogbook entries.

法律和指南本身沒有對技術方面的審計追蹤（所有配置修改的原因并將其記錄在審計追蹤中）的要求。這些過程可以使用變更控制程序。因此，目前不要求對此數據進行任何審查。但是，這種觀點并非沒有爭議，因為許多公司以及一些檢查員從最近發布的《數據完整性指南》中得出了需要對配置進行監測（技術方面的審計追蹤）的要求。這里，每個公司必須自行決定接受什么樣的風險。這里也應該采取基于風險的方法。由于配置始終會對未來產生影響，并且不會對已記錄的任何數據進行更改，因此，這應作為一種方法來確定是否需要監測軟件本身。這對于HPLC而言，與控制器是不同的。但是，例如，如果已知并打印出配置參數（例如限值和設定點），則由它們生成的數據也可以在此環境中進行評估。不要忘記，通常會進行嚴格的變更控制，如果需要，還可以通過回歸測試證明新的配置符合要求。另一方面是技術部分的審核周期與數據審核的周期肯定不同，在某些情況下，應根據對放行和患者的風險，考慮每次批放行進行數據審核（例如MES）。關于這一點的最后一點是，許多系統當前不支持“技術方面的審計追蹤”，尤其是對于獨立的控制器。好消息是，這里的修改很少，而運行良好且經過驗證的工藝很少更改。這里的控制是通過嚴格的變更控制和定期檢查事件和日志條目來完成的。

It should benoted that the guidelines always assume that values have changed, so theinitial entry only records who entered it, in the sense of a hand signal forpaper documents. This distinction is very well described in Vote V1100302.There it says in section B, second last paragraph: "Automatic logging ofthe user is suitable to replace a hand signal".

In order tomeet the requirement for audit trail review, further technical functions willbe necessary in the future, which, for example, allow configurable selectionmenus for determining the reason for the change and also offer standard reportsand at least descriptive statistics.

應當指出，指南始終假定數值已更改，因此初始條目僅記錄輸入該值的人，即紙質文檔的手信號。這種區別在Vote V1100302中有很好描述。在B部分中，最后一段："用戶自動記錄可以代替手動信號"。為了滿足審計追蹤審核的要求，今后還需要進一步的技術功能，例如，允許可配置的選擇菜單來確定更改的原因，并提供標準報告和至少描述性統計數據。