It is evident from reviewing recent health agency citations that the FDA expects that firms have a deep understanding of any systems that generate data/records and that this is reflected in the firm’s lifecycle management of those systems.

What does that mean, in a practical sense?

Well, a component of this understanding must extend to all the various system audit trails, system logs, and message centers, such that it is known what type of metadata is captured within each, along with its criticality/risk. It must be clear within a firm’s operational procedure(s) who has the responsibility for reviewing such metadata, the process for the review, and what specific activities are being reviewed, along with the required actions (dependent on what is observed). The frequency of the review should be risk-based, considering the criticality/risk associated with that metadata, which in turn links to the Data Integrity Risk Assessment for that system and the known residual risk. The process of review should reflect what was validated, e.g., if data transfer between systems is required. Ultimately, the firm should demonstrate that no metadata is being “ignored” (such as system error messages) and that the complete record from that system is defined (considering the various sources of metadata) and is being reviewed per defined procedure, along with specified actions (such as initiation of an incident if objectionable activities are detected).

Quality Oversight should ensure that lifecycle controls for a system consider the various sources of system metadata, and that this is reflected during qualification, operation, periodic assessment, and system retirement.

If you have any questions relating to how to address system logs/audit trails/message centers or would like an assessment of your firm’s practices, please reach out to us at