Audit trails are becoming a topic of increasing awareness in the pharmaceutical industry, due not only to increased focus on regulatory compliance, but also the additional complexity that often comes with enhanced technologic capabilities in today’s pharma labs. Labs facing audit findings need a place to start when it comes to remediating observations and having robust audit trails can factor heavily into resolving compliance issues.
Defined as a “secure, computer-generated, time stamped electronic record that allows for reconstruction of the course of events relating to the creation, modification, or deletion of an electronic record,” an audit trail essentially provides metadata – data regarding the context of collecting data – for a lab.
The goal of an audit trail is to provide the complete context of an analytical measurement, as well as provide an accounting for when and where errors may have occurred. This context involves the creation and management of data, for example: who created or obtained it, what was involved in its creation i.e. sample information, instrumentation, actions involving specimens or technology, when was the data obtained, where was it stored or transferred and why actions involving data were taken.
While a single audit finding or unexpected result does not necessarily dictate a compliance crisis, those issues related to instrument error, reagent mishap or human non-compliance, should most certainly give pause to lab supervisors.
In this article, we will discuss specifics of what should be captured in an audit trail, as well as what it looks like for a lab to be out of compliance, the process of investigation and remediation of aberrant results, and the meaningful outcomes that a failed audit can bring to future data integrity.
Compliance issues: how do they arise?
For labs that have not yet experienced a serious audit finding, a common question is how compliance issues arise. There is a strong systemic component to what many lab managers often report feeling is an increased likelihood of having audit findings. This can be attributed to evolution of audit trail guidelines and requirements over the years; the regulations are often purported to be more in-depth and time consuming than ever before.
As part of their determination of product quality, regulatory agencies are now recommending that pharmaceutical companies have a predetermined strategy for maintaining and assuring data integrity over the life cycle of products. Not only does this include having audit trails, but also reviewing them to confirm that the information seems accurate.
It is one thing to reserve time to make sure captured data is auditable; adding additional hours for review is sometimes not feasible in a fast-paced, minimally staffed lab. This time burden is a source of potential error. Compliance issues may go unnoticed or slip through the cracks when not addressed in a timely manner.
There are some key data points that lab technology must capture as part of an audit trail, in order to maintain the transparency of data collection and analysis. This begins with accounting for what types of samples were being analyzed and on what type of equipment, and what sort of actions were taken with the samples.
Time is another critical factor that must be captured; it is important to know not only when samples were run, but also if and when their relevant data was moved elsewhere. This and other actions involving the data, including its analysis on certain machines, downstream processing, archiving, and, if relevant, restoration, are all key contributors to data integrity. Finally, there are human factors. This includes documentation of who performed sample processing or analysis – “were they qualified?” – as well as system administration activities like creation or deletion of users, password updates, changes to access and permissions, and more.
Given the demands on lab technology, it can certainly become a focal source of compliance issues. Instruments are becoming increasingly complex and deliver capabilities, audit-related and otherwise, that many scientists probably never dreamed. However, with progress comes opportunity, and in this case, it is the opportunity for more challenging issues to arise.
Lab staff must verify that instruments are capturing an appropriate data trail for audit purposes. This can mean needing to be especially selective of lab instruments and equipment, rather than making a quick “off the shelf” decision. Having to compare product features closely against data trail requirements is both time-consuming and may prove financially unfeasible for smaller labs.
Having to select audit-compliant instruments may also mean choosing between those that serve their intended purpose in the most efficient manner and those that are more compliant with audit regulations. All of these possible inroads for instrument compliance issues amount to increased time spent on the administration of lab work, rather than focus on research itself.
It would be insufficient to discuss compliance findings without addressing the topic of human factors as a potential source of non-compliance. Humans are subject to mistakes, misinterpretations and lapses in judgment. While it makes sense to assume that lab staff should be trained to do their everyday tasks, they may not have received enough training to understand what exactly their roles and responsibilities are regarding maintaining a compliant audit trail. Regulatory compliance can prove quite burdensome, and without adequate training, lab employees are prone to fall victim to errors in data trail management.
More so than ever, labs need to recruit and hire candidates who are qualified to be able to wear both hats, scientist and data manager, and make sure these staff are adequately trained for their everyday tasks as well as compliance-based activities. This presents the dual issues of finances and time; a lab may not have the funds to hire more experienced employees, but also might not have the financial bandwidth to train existing employees on additional duties.
Between leaping over systemic hurdles and navigating the challenges of technical and human-based compliance, labs can often feel overwhelmed; the problem is further aggravated by the inevitable appearance of aberrant results.
Investigation and remediation is how labs resume compliance
When labs receive an audit observation or warning letter regarding concerning findings, the first step is to address the source of non-compliance. This is where the data captured as part of audit trails becomes most useful, because it provides traceability and credibility.
To differentiate findings, poor data integrity – which is the focus of most audits – doesn’t necessarily manifest as Out of Specification (OOS) or Out of Trend (OOT) results.
These findings can be the result of things like poor lab protocol or non-validated analytical methods, adulterated samples, etc. Data integrity involves determining whether these results are real, as part of an investigation. A good audit trail can help determine whether the OOS/OOT results may have been due to something like a mishap in sample analysis – “was the right sample analyzed?” – or data processing – “were certain results accidentally omitted by way of saving them in the wrong folder?”
Regulatory guidelines usually require that a formal investigation be conducted whenever there is a significant OOS finding. The purpose of this is not punitive, but rather to determine the cause of the unexpected result, e.g. whether it was an error in the measurement process, or if it had something to do with manufacturing.
The first step of an investigation includes an assessment of data accuracy, which relies heavily on a lab’s audit trail. Often, there is a simple explanation and a lab can begin rectifying the problem immediately. However, if this first stage of investigation does not find an error source, then further investigation should be initiated.
In the case of employee-centric compliance issues, the key to remediation is generally education and training. An example of human error as it pertains to lab technology and audit trails would be failure to keep up on documentation of QA/QC data review. The data may be there and correct, but if it’s not reviewed, then the lab is failing to meet federal recommendations. Audits themselves are a source of education, because they might point out blind spots in internal observations of non-compliance.
Alternatively, if the lab’s software isn’t capable of capturing data as needed for a robust audit trail, then it is up to the lab to determine whether these gaps can be mitigated with add-on or manual tasks (e.g., a paper lab notebook) or software re-configuration. Workarounds are often not ideal, after all, they require more time spent on non-research activities, but may help a lab remain in compliance or prevent unnecessary expenditure in the form of new instruments or equipment.
The FDA notes that certain labs have tried to “re-test into compliance,” i.e. repeating testing until a passing result is obtained. This is viewed as being both “unscientific and objectionable” under Good Manufacturing Practices (GMPs), as the maximum number of retests that should be performed on a sample should have been specified in advance as part of a lab’s overall compliance plan.
Regardless of the source of non-compliance, labs should at all times during the investigation be allowed “timely, thorough, and well-documented review.” This review should specifically detail the reason for investigation, as well as provide a summary of hypothesized aspects of the manufacturing process that may have contributed to the findings. The hypothesized cause should be based on the results of a review of lab documentation, including assignment of “actual or probable cause” and determination of whether the problem may have affected other batches.
Finally, the review will include a delineation of whatever corrective actions may have already been undertaken or will need to occur. Depending on the nature and severity of the findings, corrective actions may range from simply having to reject a batch of product to upgrading computer software or recruiting external staff trainers.
Assurance of future compliance
When it comes to compliance activities, labs tend to be successful following a proactive versus reactionary approach. Not only does this constitute a less objectionable ethical stance, it has also proven itself to be more efficient than trying to put out a proverbial “fire” after an audit finding. The most obvious advantage to a proactive approach is being able to potentially prevent unnecessary expenditure of financial and human capital (lab employee hours) on a time-consuming investigation or list of remediation activities.
In addition, avoiding recurrent audit findings can strengthen a lab’s reputation and provide both internal and external reassurance of a robust scientific approach. Therefore, it is simply better for labs to take a proactive approach to managing their audit trails.
Additionally, labs must choose between taking on all compliance activities in house or working with a QA/QC solutions provider. A third-party consultant can provide unbiased observations and recommendations that may be valuable, but possibly harder to implement than those of internal teams. Lab managers may want to avoid the additional cost of outsourcing, but the costs of non-compliance are often greater.
While compliance endeavors can seem daunting, they are ultimately quite important to the scientific integrity of the pharmaceutical industry and, down the line, to the safety and well-being of consumers. Eventually, a product is only as efficacious and effective as the metadata used to substantiate it; it’s not necessarily total avoidance of errors that makes a lab great, but rather the ability of a lab to be accountable for its results.
This accountability strengthens a lab’s data integrity and serves to reassure stakeholders of research validity, as well as the soundness of their investment in a project or product.
- Niederhuber, John. E. et al. Abeloff’s Clinical Oncology E-Book. Page 314.