Amongst the important changes introduced in the management and use of computerised systems as a consequence of the increasing expectations on Data Integrity assurance, is the implementation of Audit Trail review routines.

We should remember that not so long ago, Audit Trail functionality was something which was not available in the many GMP relevant systems that pharmaceutical companies have been using for a long time. Of course this functionality has been there for decades, from many suppliers and modern systems; however, its availability did now mean that, automatically, all GMP regulated companies have it up and running.

It was in the beginning of the millennium, when compliance to 21 CFR Part 11 was being seriously introduced in companies and increasingly required by the authorities, that Audit Trail became more and more common. However, it was not until the recent Data Integrity guidelines and requirements became the ‘hot-topic’ in GxP environments that, having or not having Audit Trail capabilities in certain systems has defined the border between compliance and non-compliance to DI expectations.

However, having Audit Trail does not ensure by itself compliance to the requirements. You can have Audit Trail in your system but if you don’t look at it systematically to take advantage of its features, having Audit Trail is completely useless. Therefore, you need to have in place and apply procedures that make Audit Trail functionality a routine part of your Quality System.

When you decide to implement Audit Trail routines, uncertainties on WHAT, HOW and HOW MUCH do I have to review, turn up immediately. As usual, and common to most of the GMP areas, the risk assessment and the criticality of the GMP data managed are the key factors making possible to answer those questions.

Just to point out what’s behind the importance of making a proper use of Audit Trail capabilities, let’s remember what FDA states in their 2018 Guidance on data Integrity:

‘Audit trail review is similar to assessing cross-outs on paper when reviewing data. Personnel responsible for record review under CGMP should review the Audit Trails that capture changes to data associated with the record as they review the rest of the record´


After these years of ‘Data Integrity Awareness’ many companies are implementing two types of Audit Trail reviews:

  • Routine Audit Trail Review, related to batch to batch data review
  • Periodic Audit Trail Review, related to the system configuration and management

Whilst the first type has a close relationship with the previous FDA citation, the second is actually a direct indicator of the level of control and stability that we have on our system.







Octavi Colomina

TDV Technical Director at TDV