A Novel, Enhanced, and Sustainable Approach to Audit Trail Review

What would it be like to reduce the audit trail review (ATR) burden in laboratories and manufacturing spaces all while satisfying inspector expectations? With more than 100 external inspections of Eli Lilly and Company’s commercial manufacturing sites conducted in the two years since the company published a novel and enhanced ATR assessment process, Lilly has established a sustainable and tested approach. This article describes how the company was able to achieve this.

Based on both external evaluation and internal assessment, the need to examine the data integrity (DI) governance program to ensure it remains in alignment with current regulatory expectations was determined. One area identified for further review was ATR. At that time, a need to make the ATRs more consistent was recognized, and the global requirements also needed to be enhanced. Additionally, requirements for data review needed to be more standardized. These enhancements were essential to maintaining trusted data and meeting ALCOA+ (attributable, legible, contemporaneous, original, accurate, complete, consistent, enduring, and available) principles.

A data management team

Desiring to upgrade the approach across all sites, external consultants were hired to help build an enhanced global ATR process. However, the implementation of this global process was not specific enough, and uncovered potential inconsistencies in implementation, confusion from site and global teams, and frustration about the global process being too open-ended. Because the implementation strategy was open to local interpretation, information technology (IT) support teams were responsible for determining how to assess their systems and independently determined the DI gaps that needed an ATR. They also determined the justification for DI gaps that would not have an ATR. These independent assessments of the global ATR process were not sufficient to support an overall implementation, so a more holistic approach was needed. With the advances in technology in the pharmaceutical industry, as well as evolving regulatory expectations, a more specific and global process was warranted.

As a result, a centralized data management team was added to the organization to ensure sustainable DI processes were developed and maintained. This team is an independent, strategic, global quality and compliance-level team that supports all functions across operations, research, and commercial. This team is fully dedicated to DI governance and is a key organizational component that establishes DI policy.

Audit trail review: research

To create a more robust ATR process, the original process’ authors were interviewed to understand theprocess state, and site and global teams that had started to use the first version were also consulted. It was determined that global data management needed to provide more specific ATR tools to the local manufacturing teams so they could continue to focus on producing high-quality products. The available regulations and industry guidance were then studied that govern ATR (Table I). Lastly, a deep dive into the existing established DI requirements was performed, and it was determined that they were strong and well-developed. The conclusion of the research was that the company needed an ATR assessment process that was comprehensive and robust, but also easy to follow, keeping in mind the end users’ experience with ATR.

Enhancing the ATR process

Cross-referencing the company’s DI requirements with the industry regulations and guidance, a specific set of logical controls were documented as expected controls for identified DI vulnerabilities. If systems could not be configured with the expected logical control, minimum ATR activities are expected to be performed and were consequently outlined for each DI vulnerability. Therefore, the result of following this process would mean that DI requirements are either met through a logical control or ATR is performed to mitigate the vulnerability, ensuring no compliance gaps.

The workflow for developing an ATR assessment process is represented in Figure 1.

The following process was designed for areas to use when evaluating their ATR responsibilities. A lead assessor from the quality, business, or IT group would be appointed and organize the appropriate team of subject matter experts (SMEs) to assess the system. Assessment teams would then:

• evaluate potential DI risks based on the established minimum DI requirements
• determine if there are the specified logical controls in place that mitigate each risk
• document the ATR expectations when those controls do not exist.

This three-part assessment process was expanded upon in a global standard operating procedure (SOP), and an assessment template was created to make it easy for teams to pick up and utilize. When ATR is required, teams follow the process in Figure 2.

Figure 3 shows two hypothetical examples of how the process can work with this ATR process flow if the requirement is “end users must not have the ability to modify or delete output data.” These examples are provided for illustrative purposes only, as each company will have its own systems and controls and should not rely on these specific examples.

The assessment process would look like this:

Notice the template phrasing above is “Do users have the ability…?” It is not “Will they…?” Phrases like “Will they…?” or “Can they…?” imply a procedural control is acceptable, and a procedural control is not an acceptable control strategy in the industry. Although a determination of “No Audit Trail Review required” is made in the second hypothetical example, keep in mind there may be additional data reviews for batch release based on other requirements or different regulations. However, if there are logical controls in place that have been validated, the data integrity risk drops significantly.

Novel, enhanced, sustainable approach for ATR

The newly structured ATR SOP has been well-received, and teams were eager to use the assessment template. There is an added benefit in that the SOP has transformed employees’ understanding that if a system can be designed and validated to meet the expected controls in the assessment, a review is not needed, and the time and expense of performing non-value-added data reviews is drastically cut. An in-depth training program was also established and rolled out to every manufacturing site and global support team. The training program introduced the novel and enhanced process and instructed teams on how to effectively assess systems for their ATR needs. This process has directly translated into other improvement initiatives and is another tool to complement the DI by design approach when implementing new systems. This means that systems are designed to meet the expected control instead of the required long-term reviews that would otherwise be required. And when an ATR is required, there is a globally consistent approach that can stand up to external audits.

In conclusion, a more sustainable ATR assessment process was developed and implemented that reduced the ATR burden, enhanced DI compliance, and aligned with current good manufacturing practice expectations. The process involved a three-part evaluation of potential DI risks, logical controls, and ATR expectations based on a set of internal DI requirements and industry standards. The process also led to improved system designs that meet the expected controls and more specifically define when an ATR is needed. The procedure has been completely integrated into the manufacturing space and has been able to withstand external scrutiny.

About the author

Diana Russo has more than 20 years of experience in the pharmaceutical industry. She has built her career in the areas of computer system validation, IT quality, and computer systems quality assurance. And while her current role focuses on data integrity, DI has been an important driving force throughout her entire career. She is an audit trail review subject matter expert, a leader in process improvement, and happily challenges the status quo.