Hello Sergio.
Please see my comments and response to your questions/comments below.
As you know, Totara provides Site Logs that capture system-level changes. However, in our case we are facing a couple of challenges:
The logs are not easily readable from a compliance/audit perspective.
The standard site logs can be modified by both labels and content to provide a simplified report of all activities. Alternatively, my organization developed a custom Site Logs report that collects the data. If any questions arise, we can revert to the primary site logs for Root Cause Analysis (RCA) and ultimately for Corrective and Preventive Actions (CAPA) activities.
In some areas (e.g. Perform), certain changes are not fully reflected (e.g. additions/removals in competencies).
What has your organization defined as “raw data” within the Learning Management System (LMS) or Learning Experience Platform (LXP)? This definition will determine the data sources you need to utilize and report on for skills achievement, completion, and qualification. We implemented a course in Totara Leern, which is a multi-activity format that includes two-choice and two-assignment activities, all of which are measured against our internal scale. This course culminated in the Totara Perform Skill (Competency) functionality. By adopting this approach, we overcame limitations and mitigated the risk of exposing sensitive employee performance data. Simultaneously, we presented the learner, their manager, and the organization with the advantages of the Skill interface and graphical dashboard capabilities.
At this point, we would really appreciate hearing from others in the community who have worked in similar regulated contexts.
In particular:
Have you successfully passed OQ/PQ using Totara Site Logs as audit trail evidence?
Yes, this was implemented with the direct input and approval of our Quality Assurance Unit (QAU) through the use of a custom Site Logs report. As part of our routine backup procedures in the system, we implemented a scheduled report that is placed into an external archival folder.
How have you addressed limitations in readability or missing “before/after” values?
The custom Site Logs report collected all the necessary activity to demonstrate ALCOA-compliant records as part of our Part 11 validation. We employed the approach of relabeling the field names and using plain text fields instead of system code values. These reports were then validated using internal validation procedures under our internal master validation procedures and associated SOPs. I’m making an assumption that your “before/after” comment may be related to the absence of sign-off/log-out data. We mandated through SOP that employees must sign out of the instance.
Have you implemented any workarounds (technical, reporting, or procedural) to support compliance?
Yes, we implemented custom reports for global and site-specific auditing purposes. These reports were cloned to provide internal and external auditors with the necessary information. As mentioned earlier, we also implemented a Skills course to assess skill competency and proficiency..
How have auditors or QA teams typically reacted to Totara’s audit trail capabilities?
We engaged our Quality Assurance Unit (QAU) from the outset of the process and executed overall leadership (stakeholder) engagement. Leadership was clear that all departments, including QA, Training, HR, Operations, and others, were invested in the process and actively contributed to finding an approved solution. The QAU approved the draft procedures used in our validation efforts and countersigned all final procedures in parallel with the System Owner and Executive Leadership.