Regulatory agencies are increasingly looking at the TMF audit trail to gain greater insight into data integrity. We review practical steps to help ensure that your TMF audit trail is ready for inspection, based on regulatory guidelines and lessons learned from actual inspections.
Data integrity is one of the biggest issues facing regulatory agencies today, leading to the audit trail for some documents coming under review more frequently during inspections. This added scrutiny is especially common when the inspector believes documents do not meet mandated requirements, or that there was a failure to follow proper procedure - bringing the information contained within those documents into question.
To better understand the reasons behind this increased scrutiny, it’s helpful to review key excerpts from relevant regulatory requirements:
(MHRA Grey Guide chapter 10, p.345)
Audit trails are a required feature for managing electronic documents associated with a clinical trial. What should an audit trail contain - The system must have an audit trail in place to identify date/time/user details for creation, uploading, approval and changes to a document.
- Ensure that the systems are designed to permit data changes in such a way that the data changes are documented and that there is no deletion of entered data (i.e. maintain an audit trail, data trail, edit trail).
- Changes to source data should be traceable, should not obscure the original entry, and should be explained if necessary (e.g., via an audit trail).
- an audit trail in place to identify date/time/user details for creation, uploading, approval and deletion of and changes to a document
4.1.2. Sponsor/CRO Electronic Trial Master File
- An audit trail in place to identify date/time/user details for creation and/or uploading deletion of and changes to a document (explanation of the deletion or modification, if necessary);
4.2. Quality of Trial Master File
Article 57 of the Regulation states “The clinical trial master file shall at all times contain the essential documents”. The sponsor and/or investigator/institution should implement risk-based quality checks (QC) or review processes to ensure the TMF is being maintained up-to-date and that all essential documents are appropriately filed in the TMF. Areas to consider during QC and review include the following:
- all essential documents generated available in the TMF (note too that there could be multiple systems which comprise a Trial Master File - which means they should all have audit trails)
- documents filed in the appropriate locations
- documents added to the TMF in a timely manner
- documents correctly indexed
- documents only accessible according to the assigned roles and permissions
- review of the audit trail (for eTMF) [emphasis ours]
This last point - review of the audit trail with the qualifier that it applies only to electronic Trial Master File (eTMF) systems - demonstrates the near-impossibility of conducting audit trail review with a paper TMF, or with a TMF managed through spreadsheets or generic systems such as SharePoint.
While eTMFs are not mandated (yet) by regulatory agencies, inspectors have told us quite frankly that it makes their jobs much easier and faster. At the same time, using an eTMF means that complying with TMF mandates requires far less effort on the part of your organization, while improving inspection-readiness.
What are some of the benefits of reviewing your audit trail with an eTMF? You ensure that your audit trail is logging activity and showing the steps outlined in your SOPs, which assists in validating your data. In addition, you support critical oversight activities such as tracking user activity as well as the permissions / functionality they have within the system.
What Should Be Included In Your Audit Trail Review
Audit trails from electronic systems automatically capture a tremendous amount of information valuable to regulatory compliance. For example, they will record every time the system moves or touches a document, and every instance where a human being interacts with the document - including when it is simply viewed but not acted on.
At a minimum, your audit trail review should consist of the following:
- User profile history (what has changed e.g. live vs decommissioned)
- Time/date a document was set to final and viewable by all members of the study team
- Who participated in the processing of a document
- What steps a document went through before being set to final
- Number of issues / types of issues associated with the document
- Documents that were deleted – by whom, and why
In addition, one of the most important – and often overlooked – activities is to review the audit trail for process. What we mean by that is the system should be logging the activities that were taken on a document, which allows you to verify and validate your documented process outlined in your SOP and provide evidence that it has been appropriately followed.
One of the keys is examining your process for user management in your system of record. Are user accounts being disabled or changed when roles change or people leave? Are permissions set up correctly; for example, does a particular document processor have the correct authorizations to act within the scope of their role, but cannot impact anything outside what is defined by the SOP? Are there safeguards in place to prevent access to unblinded data without the precise permissions and context?
Keep in mind, however, that your process does not have to consist of hundreds of pages of every detail – it simply has to cover the key steps so that an inspector can see that you have thought the process through and have the main components (see Figure 1).
Figure 1: Guidelines for documenting your audit trail review and processes.
Not All Audit Trails Are Created Equal
It is pretty much standard for any eTMF system today to include basic audit trail capability. From the perspectives of usability, compliance, and inspection support, however, there is a wide variance that you should be aware of.
Some of the critical capabilities that make audit trail review faster and easier for all concerned include:
- The audit trail is in a human readable format. That is, anyone can look at it and it is in actual legible language as opposed to using a format and terms unique to that system - or perhaps even in binary which needs to be converted.
- The audit trail is accessible within the system by end users at any time. Today there is no reason to have to go to IT or a service provider and put in a request to see the audit trail; modern eTMF systems are eliminating this layer and making it easy for you, as the line-of-business responsible, to directly access the information you need.
- The audit trail can be filtered and provide specific reports. Can you easily define the parameters of the information or area you want to review, and generate detailed reports - or do you have to scroll through multiple folders and thousands of documents to find what you’re looking for?
In a recent Phlexglobal survey, 41% of respondents said that they are not currently reviewing their TMF audit trail, while 39% said they review it only as needed. As we have seen, however, regulatory agencies are increasingly including the audit trail in their inspections, leading to a greater likelihood of critical findings. With electronic systems automating the creation of the audit trail and making review a far more streamlined process, there is today no reason not to include audit trail review in your standard operating procedures.
Originally published in the January 2021 edition of HSRAA ONrecord.
To learn more about ways to keep your TMF inspection ready, check out this on-demand webinar featuring Marion Mays and Rob Jones.