Ensuring the Integrity of Electronic Laboratory Notebook Records Antony N. Davies and Ann McDonough

June 1, 2005
Pharmaceutical Technology, Pharmaceutical Technology-06-01-2005, Volume 205 Supplement, Issue 3

Paper notebooks are the accepted method for recording laboratory data and the ideas generated from that information in the pharmaceutical, biotech, and chemical industries. Nonetheless, the revolution in digital data processing has improved the way data is created, organized, and managed electronically, whether in the form of analytical data, images, documents, or multimedia files. The preservation of such information into a digital form offers the potential for online storage and retrieval, efficient search processes, and worldwide data transmission.

Paper notebooks are the accepted method for recording laboratory data and the ideas generated from that information in the pharmaceutical, biotech, and chemical industries. Nonetheless, the revolution in digital data processing has improved the way data is created, organized, and managed electronically, whether in the form of analytical data, images, documents, or multimedia files. The preservation of such information into a digital form offers the potential for online storage and retrieval, efficient search processes, and worldwide data transmission.

Nonetheless, the benefits of digital data also brings with it a major problem: the ease with which improperly secured information can be copied and manipulated without leaving forensic evidence.

The US Food and Drug Administration believes that the risks of falsification, misinterpretation, and change without leaving evidence are just as great with electronic than with paper records and, therefore, specific controls are required. FDA stated:

"...people determined to falsify records may find a means to do so despite whatever technology or preventive measures are in place. The controls in part 11 are intended to deter such actions, make it difficult to execute falsification by mishap or casual misdeed, and to help detect such alterations when they occur." (1)

Table I: Fraud possibilities on paper-based versus electronic laboratory notebooks.

Therefore, new technologies must safeguard the integrity and authenticity of digital laboratory records, particularly if such records are subject to legal and/or ethical scrutiny. The preservation of digital records integrity is particularly important when they are subject to concerted and possible criminal attack.

FDA's 21 CFR Part 11 regulations outline criteria for the acceptance of electronic records and electronic signatures so that electronic submissions of drug approvals are as genuine and traceable as paper records and handwritten signatures. To be specific, 21 CFR Part 11 applies to:

"...records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted, under any records requirements set forth in agency regulations." (1)

Electronic records guidelines

How can one incorporate this regulation into an electronic solution? First, the system architecture must take into account the managing and controlling of electronic records. To adhere to regulations, electronic records must abide by the following guidelines:

  • The system must be validated to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.

  • Electronic records must be reproducible (in general and upon request) in electronic from or as paper printouts, including audit trail and meta data.

  • Electronic records must be retrievable throughout the specified retention period.

  • System access must be limited to authorized users.

  • A human-readable transaction log or audit trail, created by individual entries, must be implemented. The log should include creation, update, and deletion information for electronic records or data.

  • The transaction log or audit trail details must contain user identification (user ID) (i.e., printed name of the user), date and time stamp, transaction type (i.e., meaning associated with the activity), and what data was changed. Time can be recorded either as a local or reference time zone, provided it is unambiguous in the context of the application. Recording the time to the nearest second is usually acceptable unless there is a specific need for more accurate records.

  • The transaction log or audit trail must not be editable. Audit trails must be computer generated automatically and protected from any other change. It is not acceptable for an operator to enter the audit trail into the computer manually or to record it on paper.

  • The transaction log or audit trail records must be reproducible in electronic and paper form upon request. An acceptable time frame is within 4 hours.

  • The transaction log or audit trail records must be retrievable throughout the electronic record's retention period, regardless of the technical platform or media.

  • The transaction log or audit trail functionality must be operational at all times when the system is available. When it is not operational, companies must shut down the system or restrict its access.

  • Record changes shall not obscure, previously recorded information. An audit trail must parallel the paper process whereby an individual changes a record by striking through the previous record and initialing and dating the change. Some regulations also require that the reason for the change be documented in this manner. When viewing an electronic record, it must be clear (e.g., by highlighting revised records in a different color or indicating changes on the screen) that a record was altered or deleted. An external event log is not an adequate audit trail.

  • Users cannot change clock settings that write to the audit trail.

System controls guidelines

Along with electronic records, system controls are needed to verify the data's integrity by assigning the proper privileges and access rights:

  • Each combination of identification code and password should be unique so that no two individuals have the same combination.

  • A password expiration must be enforced within a specified time period (e.g., every 90 days).

  • The system must not allow previously assigned user IDs to be reused.

  • The system must ensure proper sequencing of steps or transactions. Sequencing controls are only applicable to the system if it is automating a process in which sequencing is a requirement (e.g., charge-in of raw materials).

  • Access to data and functionality must be controlled within the system.

  • The system must perform authority checks upon login, based on the defined security hierarchy.

  • The system administrator must not allow records to be altered unless they are directly attributable to an individual (e.g., an inspectable system log for the system administrator activities can change or delete records or audit trails).

  • The system must provide a read-only user role to facilitate inspections. This requirement is recommended for systems in which the technical platform allows for it. If implemented, the system also includes the definition and management of such user accounts.

  • The system must detect invalid sources of data input or operational instructions. Device checks only apply to a system if the location or type of device is considered a control over the legitimacy of its operations or transactions.

  • Controls (technical and/or procedural) should ensure that the system date and time are correct.

Admissibility of electronic records in US court

One of the most important aspects to address when replacing paper-based laboratory notebooks with electronic equivalents is the notebooks' potential use as legal evidence of fraud. Paper notebooks, when backed by clear procedures, are acceptable evidence for laboratory work preferred in the pharmaceutical, biotech, and chemical industries. In practice, the creation and maintenance of electronic laboratory notebooks does not differ from those of paper-based notebooks.

Nevertheless, among certain groups there is still an unfounded fear about whether electronic information can hold up in court under patent or liability laws. Regulatory and governmental organizations such as the European Patent Office, the US Environmental Protection Agency, and FDA have placed electronic records and signatures on equal footing with signed paper documents.

Electronic and paper records are admissible in court under specific rules such as the Business Record Exception (FRE Rule 803[6] Records of Regularly Conducted Activity). Records may be kept in any form, but companies must be able to prove that:

  • records were made at or near the time by a person with knowledge;

  • records were kept in the course of regularly conducted business activity;

  • it was the regular practice of the business activity to make the records.

This information can be proven by testimony or written declaration by the custodian or a qualified witness. Records will not be admitted as evidence if they fail to prove these points before a court.

Conclusion

The 21 CFR Part 11 regulation has created a demand for an electronic solution that incorporates standard laboratory notebook practices such as documentation, reviews, version control, signatures, and archiving to meet the needs of laboratories working under any regulatory compliance demands, including good manufacturing, laboratory, and good clinical practices. With the right administration and security tools, user access and records management can be properly monitored and controlled.

It is important to remember that the key to having evidence accepted by a court of law is to prove that the agreed record-keeping procedures were followed and not to focus on the media in which records were stored.

Antony N. Davies is the senior marketing manager at Waters Informatics and Ann McDonough is the corporate communications contact at Waters Corporation, 5 Tech Drive, Milford, MA 01757, tel. 508.482.3729, ann_mcdonough@waters.com

Reference

1. Code of Federal Regulations, Title 21, Food and Drugs, Part 11, "Electronic Records; Electronic Signatures, Final Ruling," Fed. Regist. 62 (54), 13429–13466 (1997), http://www.21cfrpart11.com/files/library/government/21cfrpart11_final_rule.pdf.

*To whom all correspondence should be addressed.