Published by Abel Poole. Modified over 6 years ago.
1
USING ORACLE TO CREATE AUDIT TRAILS FOR PART 11 COMPLIANCE
Dr Peter Smith, Project Director, WYETH RESEARCH IS
11/7/2018
2
AGENDA
- REVIEW OF PART 11
- AUDITING FUNCTIONALITY
- WRAPPER FUNCTIONALITY
3
21 CFR PART 11 SUMMARY
- FDA Regulation as of April, 1997 on Electronic Records and Electronic Signatures
- Intent to ensure Electronic Records have the validity of Paper Records
- Part 11 is a sound regulation – we want to use electronic records
- Short regulation – major impact
- Revised Guidelines as of Feb. 2003
- Emphasis on Risk Assessment
- New guidelines provide a sensible relief from extreme interpretations
- But the law has not changed!
4
EXPERIENCE SHOWS
- Manual systems cannot be validated.
- Data integrity requires administrative controls and redundant checking and detailed reviews.
- If it is not documented, it was not done.
- If you cannot prove it was done by a trained analyst using the approved procedure, it was not done right.
5
REQUIREMENTS OF PART 11
- Electronic Records are secure
  - Auditing of who, when, what, why any changes to the record are made
- Electronic signatures are authenticated
  - The person making the entry is who they say they are
6
THE AUDIT TRAIL
- To assure that any record cannot be changed without recording
  - Who makes the change
  - When the change was made
  - What the new value is and what the old one was
  - Why the change was made
- It’s a Good Lab. Practice requirement, not directly Part 11
  - 21 CFR (e)
7
HOW TO IMPLEMENT AN AUDIT TRAIL IN ORACLE?
- Standard Oracle auditing
  - Serves different purpose
- Oracle 9i provides new fine-grained auditing => audit policies => Selective Audit product
  - Not Part 11 specific however
- Any good Oracle programmer can implement via Triggers and good design
  - The details make the case
8
AT WYETH
- We wanted a Part 11 Audit tool which
  - Is certified by our Part 11 PMO
  - Is of General utility
- We have written a globally-available, generic set of scripts that create the audit tables and business table triggers
  - Will provide the flexibility to match different database designs
  - Can be applied Retrospectively
9
TWO MAIN MODELS FOR A GENERIC AUDIT TRAIL (GAT)
- Column based, recording each change to a “cell” (column)
  - E.g. change in three cells => three records in the audit database
- Row-based, recording each record as it is changed
  - E.g. change in three cells in one source table row => one record in the audit database
10
EXAMPLE OF COLUMN-BASED GAT
[Diagram labels: Source tables (RECORD 1, RECORD 2, RECORD 3); Trigger on INSERT, UPDATE, DELETE; Old + New values; AUDIT table with audit columns, e.g. time stamp; UPSERTS?]
11
EXAMPLE OF ROW-BASED GAT
[Diagram labels: Source table (New value, RECORD 1); Trigger on INSERT, UPDATE, DELETE; SHADOW table with audit columns, e.g. time stamp (Old RECORD 1, New RECORD 1)]
12
Empdept example
- Primary key change => automatically triggers both I and D
13
AUDIT TABLE SHOWS INSERTIONS
- No reason for insert necessary
14
Making changes
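The two models above, sketched as one Oracle row trigger on a constructed EMP table; this is an added example, not Wyeth's scripts, and every table, column and trigger name in it is hypothetical. It writes a shadow row per changed source row and a cell_audit row per changed column, records a primary-key change as a D plus an I in the shadow table, and stamps both with the session user and a UTC time.

```sql
-- Constructed example; every object name here is hypothetical.
CREATE TABLE emp (empno NUMBER PRIMARY KEY, ename VARCHAR2(30), sal NUMBER);
-- Row-based model: shadow table = source columns + audit columns.
CREATE TABLE emp_shadow (
  empno NUMBER, ename VARCHAR2(30), sal NUMBER,
  audit_action CHAR(1), audit_user VARCHAR2(128), audit_utc TIMESTAMP
);
-- Column-based model: one generic table, one row per changed cell.
CREATE TABLE cell_audit (
  table_name VARCHAR2(128), pk_value VARCHAR2(100), column_name VARCHAR2(128),
  old_value VARCHAR2(4000), new_value VARCHAR2(4000),
  audit_action CHAR(1), audit_user VARCHAR2(128), audit_utc TIMESTAMP
);
CREATE OR REPLACE TRIGGER emp_audit_trg
AFTER INSERT OR UPDATE OR DELETE ON emp
FOR EACH ROW
DECLARE
  v_action CHAR(1);
  v_pk     VARCHAR2(100);
  v_user   VARCHAR2(128) := SYS_CONTEXT('USERENV', 'SESSION_USER');
  v_utc    TIMESTAMP     := SYS_EXTRACT_UTC(SYSTIMESTAMP);
  PROCEDURE log_cell(p_col VARCHAR2, p_old VARCHAR2, p_new VARCHAR2) IS
  BEGIN
    -- NULL-safe test: skip cells whose value did not change.
    IF p_old = p_new OR (p_old IS NULL AND p_new IS NULL) THEN RETURN; END IF;
    INSERT INTO cell_audit
    VALUES ('EMP', v_pk, p_col, p_old, p_new, v_action, v_user, v_utc);
  END log_cell;
BEGIN
  IF INSERTING THEN v_action := 'I';
  ELSIF UPDATING THEN v_action := 'U';
  ELSE v_action := 'D';
  END IF;
  v_pk := TO_CHAR(NVL(:NEW.empno, :OLD.empno));
  IF UPDATING AND :OLD.empno <> :NEW.empno THEN
    -- Primary key change: D of the old row plus I of the new row.
    INSERT INTO emp_shadow VALUES (:OLD.empno, :OLD.ename, :OLD.sal, 'D', v_user, v_utc);
    INSERT INTO emp_shadow VALUES (:NEW.empno, :NEW.ename, :NEW.sal, 'I', v_user, v_utc);
  ELSIF DELETING THEN
    INSERT INTO emp_shadow VALUES (:OLD.empno, :OLD.ename, :OLD.sal, 'D', v_user, v_utc);
  ELSE
    INSERT INTO emp_shadow VALUES (:NEW.empno, :NEW.ename, :NEW.sal, v_action, v_user, v_utc);
  END IF;
  -- Column-based: one audit row per cell that changed.
  log_cell('EMPNO', TO_CHAR(:OLD.empno), TO_CHAR(:NEW.empno));
  log_cell('ENAME', :OLD.ename, :NEW.ename);
  log_cell('SAL', TO_CHAR(:OLD.sal), TO_CHAR(:NEW.sal));
END;
/
```

An UPDATE that changes ename and sal on one row adds one row to emp_shadow and two rows to cell_audit, which is the record-count difference between the two models.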
16
THREE VARIATIONS OF ROW-BASED GAT
- Source table includes audit fields
  - High overhead
  - Referential integrity issues
  - But good for snapshots/history
- Shadow Table includes all U, I, D changes
  - Comprehensive auditing
  - Need report or view to show history
- Shadow Table only records U, D
  - Audit table divided between source and shadow
  - Used when there are many inserts, few changes
17
STRENGTHS
- Row based
  - Easy to track record history
  - But hard to know what changed
  - Concise audit tables
  - Each schema has its own audit tables
  - Best for point-in-time queries (e.g. research results)
- Column Based
  - One audit table for several schemas
  - Easily identifies which cell has changed
  - But hard to reconstruct record
  - We wrote a reporting procedure to address this
  - Best for value-sensitive data (e.g. bank balances)
- Both approaches can be used at the same time
18
REMOTE USERS
- How to utilize Oracle security for pooled user accounts?
- Necessary to exploit mid-tier architectures
19
[Diagram labels: Log into mid-tier (JoeS); MIDDLEWARE; Mid-tier security; Optional Mid-tier authentication against Oracle; SET REMOTE USER (JoeS); Audit Package; UPDATE; BADBOY; DATABASE; Table security; Source TABLE; TRIGGERS; JoeS + GMT +…; Shadow Audit TABLE]
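One way the SET REMOTE USER step in the diagram could be implemented, as an added example that is not Wyeth's audit package: session-private package state that the mid-tier sets per request and the audit triggers read. The package name audit_ctx, its procedures and the pooled account APP_POOL are assumptions.

```sql
-- Constructed example; package, procedure and account names are hypothetical.
CREATE OR REPLACE PACKAGE audit_ctx AS
  PROCEDURE set_remote_user(p_user IN VARCHAR2);  -- mid-tier: once per request
  PROCEDURE clear;                                -- mid-tier: before pooling the connection
  FUNCTION  remote_user RETURN VARCHAR2;          -- audit triggers: who made the change
END audit_ctx;
/
CREATE OR REPLACE PACKAGE BODY audit_ctx AS
  c_pool_account CONSTANT VARCHAR2(30) := 'APP_POOL';  -- assumed pooled login
  g_remote_user  VARCHAR2(128);                        -- private to this session

  PROCEDURE set_remote_user(p_user IN VARCHAR2) IS
  BEGIN
    IF TRIM(p_user) IS NULL THEN
      RAISE_APPLICATION_ERROR(-20001, 'remote user must be supplied');
    END IF;
    g_remote_user := TRIM(p_user);
  END set_remote_user;

  PROCEDURE clear IS
  BEGIN
    g_remote_user := NULL;
  END clear;

  FUNCTION remote_user RETURN VARCHAR2 IS
    v_session_user VARCHAR2(128) := SYS_CONTEXT('USERENV', 'SESSION_USER');
  BEGIN
    IF g_remote_user IS NOT NULL THEN
      RETURN g_remote_user;
    END IF;
    -- Fail closed: a change through the pooled account with no end user set
    -- would be unattributable, so the trigger's DML is rejected.
    IF v_session_user = c_pool_account THEN
      RAISE_APPLICATION_ERROR(-20002, 'pooled session has no remote user set');
    END IF;
    RETURN v_session_user;  -- direct login: the Oracle account is the person
  END remote_user;
END audit_ctx;
/
-- Mid-tier call sequence for one request by JoeS:
--   BEGIN audit_ctx.set_remote_user('JoeS'); END;
--   UPDATE ... ;  COMMIT;      -- row trigger stores audit_ctx.remote_user
--   BEGIN audit_ctx.clear; END;
```

Any session allowed to call set_remote_user can claim any name, so EXECUTE on the package belongs only to the pooled account and the database is trusting the mid-tier's authentication. Oracle's built-in DBMS_SESSION.SET_IDENTIFIER with SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER') carries the same kind of per-session tag.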
20
GMT
- In order to track the sequence of changes, need one time standard => GMT
- We developed a Java module which computes GMT
  - From the (Unix) System time-zone
  - Plus conversion offset to GMT
- Oracle 9i includes this
21
WRAPPER SOLUTIONS
- How to secure data collected and analyzed before entry to Oracle?
- EXCEL is widely used
  - E.g. Instrument => EXCEL => Oracle
- Industry response is via Wrapper solutions
  - Intercept the data before it reaches EXCEL, audit all transactions thereafter.
22
EXAMPLE
[Diagram labels: EXCEL; Supervisor/control/admin; Database => results + Audit trail]
23
SEVERAL VENDORS
- For data: Nugenesis, Velquest, Automsoft, Stelex, SSI-Cyberlab, Cincom
- It’s not what you do, it’s how you do it
  - Usability, non-intrusiveness
24
If We Do Wrappers Right:
- Paperless - Paper notebooks and data sheets replaced by electronic data.
- Authenticated Analysts - All electronic data from authenticated analysts using validated sources through validated connections.
- Part 11 Compliant - Electronic records stored in secure 21 CFR Part 11 compliant repository.
- Automated Verification - Verify that trained analysts, calibrated instruments, current analytical test methods and approved supplies perform the work.
- Dynamic Linking - Data and metadata dynamically linked in fully relational form to permit rapid review of results.
- Rapid Reporting - Compliance flags highlight specific data requiring review prior to approval.
(Thanks to Velquest)
25
Thanks
smithp@wyeth.com
To my excellent colleagues at Wyeth:
Tad Harrison, Dave VanderBrooke, Jack Tierney, Jay Miller, Nina Occhiolini, Percy Ries-Burks, Walter Romanski of Oracle technical staff
[Slide labels: Row-based GAT; Column-based GAT; DBAs]