Paper notebooks are the accepted method for recording laboratory data and the ideas generated from that information in the pharmaceutical, biotech, and chemical industries. Nonetheless, the revolution in digital data processing has improved the way data is created, organized, and managed electronically, whether in the form of analytical data, images, documents, or multimedia files. The preservation of such information into a digital form offers the potential for online storage and retrieval, efficient search processes, and worldwide data transmission.
Nonetheless, the benefits of digital data also brings with it a major problem: the ease with which improperly secured information can be copied and manipulated without leaving forensic evidence.
The US Food and Drug Administration believes that the risks of falsification, misinterpretation, and change without leaving evidence are just as great with electronic than with paper records and, therefore, specific controls are required. FDA stated:
"...people determined to falsify records may find a means to do so despite whatever technology or preventive measures are in place. The controls in part 11 are intended to deter such actions, make it difficult to execute falsification by mishap or casual misdeed, and to help detect such alterations when they occur." (1)
Table I: Fraud possibilities on paper-based versus electronic laboratory notebooks.
Therefore, new technologies must safeguard the integrity and authenticity of digital laboratory records, particularly if such records are subject to legal and/or ethical scrutiny. The preservation of digital records integrity is particularly important when they are subject to concerted and possible criminal attack.
FDA's 21 CFR Part 11 regulations outline criteria for the acceptance of electronic records and electronic signatures so that electronic submissions of drug approvals are as genuine and traceable as paper records and handwritten signatures. To be specific, 21 CFR Part 11 applies to:
"...records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted, under any records requirements set forth in agency regulations." (1)
Electronic records guidelines
How can one incorporate this regulation into an electronic solution? First, the system architecture must take into account the managing and controlling of electronic records. To adhere to regulations, electronic records must abide by the following guidelines:
- The system must be validated to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.
- Electronic records must be reproducible (in general and upon request) in electronic from or as paper printouts, including audit trail and meta data.
- Electronic records must be retrievable throughout the specified retention period.
- System access must be limited to authorized users.
- A human-readable transaction log or audit trail, created by individual entries, must be implemented. The log should include creation, update, and deletion information for electronic records or data.
- The transaction log or audit trail details must contain user identification (user ID) (i.e., printed name of the user), date and time stamp, transaction type (i.e., meaning associated with the activity), and what data was changed. Time can be recorded either as a local or reference time zone, provided it is unambiguous in the context of the application. Recording the time to the nearest second is usually acceptable unless there is a specific need for more accurate records.
- The transaction log or audit trail must not be editable. Audit trails must be computer generated automatically and protected from any other change. It is not acceptable for an operator to enter the audit trail into the computer manually or to record it on paper.
- The transaction log or audit trail records must be reproducible in electronic and paper form upon request. An acceptable time frame is within 4 hours.
- The transaction log or audit trail records must be retrievable throughout the electronic record's retention period, regardless of the technical platform or media.
- The transaction log or audit trail functionality must be operational at all times when the system is available. When it is not operational, companies must shut down the system or restrict its access.
- Record changes shall not obscure, previously recorded information. An audit trail must parallel the paper process whereby an individual changes a record by striking through the previous record and initialing and dating the change. Some regulations also require that the reason for the change be documented in this manner. When viewing an electronic record, it must be clear (e.g., by highlighting revised records in a different color or indicating changes on the screen) that a record was altered or deleted. An external event log is not an adequate audit trail.
- Users cannot change clock settings that write to the audit trail.