Ensuring the integrity of electronic laboratory notebook records: a properly designed, implemented, and deployed electronic laboratory notebook system can ensure data integrity and allow the records to stand up in court
Antony N. Davies
Paper notebooks are the accepted method for recording laboratory data and the ideas generated from that information in the pharmaceutical, biotech, and chemical industries. Nonetheless, the revolution in digital data processing has improved the way data is created, organized, and managed electronically, whether in the form of analytical data, images, documents, or multimedia files. Preserving such information in digital form offers the potential for online storage and retrieval, efficient search processes, and worldwide data transmission.
The benefits of digital data, however, bring with them a major problem: the ease with which improperly secured information can be copied and manipulated without leaving forensic evidence.
The US Food and Drug Administration believes that the risks of falsification, misinterpretation, and change without leaving evidence are just as great with electronic records as with paper records and, therefore, specific controls are required. FDA stated:
...people determined to falsify records may find a means to do so despite whatever technology or preventive measures are in place. The controls in part 11 are intended to deter such actions, make it difficult to execute falsification by mishap or casual misdeed, and to help detect such alterations when they occur (1).
Therefore, new technologies must safeguard the integrity and authenticity of digital laboratory records, particularly if such records are subject to legal and/or ethical scrutiny. Preserving the integrity of digital records is particularly important when they are subject to concerted and possibly criminal attack.
FDA's 21 CFR Part 11 regulations outline criteria for the acceptance of electronic records and electronic signatures so that electronic submissions of drug approvals are as genuine and traceable as paper records and handwritten signatures. To be specific, 21 CFR Part 11 applies to:
...records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted, under any records requirements set forth in agency regulations
Electronic records guidelines
How can one incorporate this regulation into an electronic solution? First, the system architecture must take into account the managing and controlling of electronic records. To adhere to regulations, electronic records must abide by the following guidelines:
* The system must be validated to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.
* Electronic records must be reproducible (in general and upon request) in electronic form or as paper printouts, including audit trail and metadata.
* Electronic records must be retrievable throughout the specified retention period.
* System access must be limited to authorized users.
* A human-readable transaction log or audit trail, created by individual entries, must be implemented. The log should include creation, update, and deletion information for electronic records or data.
* The transaction log or audit trail details must contain user identification (user ID) (i.e., printed name of the user), date and time stamp, transaction type (i.e., meaning associated with the activity), and what data was changed. Time can be recorded either as a local or reference time zone, provided it is unambiguous in the context of the application. Recording the time to the nearest second is usually acceptable unless there is a specific need for more accurate records.
* The transaction log or audit trail must not be editable. Audit trails must be computer generated automatically and protected from any other change. It is not acceptable for an operator to enter the audit trail into the computer manually or to record it on paper.
* The transaction log or audit trail records must be reproducible in electronic and paper form upon request. An acceptable time frame is within 4 hours.
* The transaction log or audit trail records must be retrievable throughout the electronic record's retention period, regardless of the technical platform or media.
* The transaction log or audit trail functionality must be operational at all times when the system is available. When it is not operational, companies must shut down the system or restrict its access.
* Record changes shall not obscure previously recorded information. An audit trail must parallel the paper process whereby an individual changes a record by striking through the previous record and initialing and dating the change. Some regulations also require that the reason for the change be documented in this manner. When viewing an electronic record, it must be clear (e.g., by highlighting revised records in a different color or indicating changes on the screen) that a record was altered or deleted. An external event log is not an adequate audit trail.
* Users cannot change clock settings that write to the audit trail.
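One way to meet the audit-trail requirements listed above (computer-generated entries carrying user ID, printed name, time stamp, transaction type, and the changed data, plus the ability to discern altered records) is a hash-chained, append-only log. This is an added example, not code from the article or from any ELN product; the hash chain itself, the `AuditTrail` class, the field names, and the sample values are assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash used by the first entry
def digest(entry):  # hash every field except the hash itself, in canonical key order
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditTrail:
    """Append-only trail: entries are generated here, never passed in whole."""
    def __init__(self, clock=lambda: datetime.now(timezone.utc)):
        self._entries = []
        self._clock = clock  # server-side time source; callers cannot supply a time

    def record(self, user_id, printed_name, action, record_id, old, new, reason=""):
        if action not in ("create", "update", "delete"):
            raise ValueError(f"unknown transaction type: {action}")
        entry = {
            "seq": len(self._entries) + 1,
            "timestamp": self._clock().isoformat(timespec="seconds"),
            "user_id": user_id, "printed_name": printed_name,
            "action": action, "record_id": record_id,
            "old_value": old, "new_value": new, "reason": reason,  # prior value kept
            "prev_hash": self._entries[-1]["hash"] if self._entries else GENESIS,
        }
        entry["hash"] = digest(entry)
        self._entries.append(entry)
        return entry["hash"]

    def export(self):
        return [dict(e) for e in self._entries]  # copies; the trail itself is not exposed

def verify(entries):
    """Return the seq of the first altered, missing or reordered entry, else None."""
    prev = GENESIS
    for expected_seq, e in enumerate(entries, start=1):
        if e["seq"] != expected_seq or e["prev_hash"] != prev or e["hash"] != digest(e):
            return expected_seq
        prev = e["hash"]
    return None

def sample_trail():
    # Constructed sample data: the user, record ID and values are made up.
    trail = AuditTrail()
    trail.record("jdoe", "Jane Doe", "create", "EXP-001", None, "pH 7.1")
    trail.record("jdoe", "Jane Doe", "update", "EXP-001", "pH 7.1", "pH 7.4", "transcription error")
    trail.record("jdoe", "Jane Doe", "delete", "EXP-001", "pH 7.4", None, "duplicate entry")
    return trail.export()
```

A bare hash chain detects in-place edits and removed entries only if the latest hash is also stored or signed somewhere the person editing the log cannot reach; otherwise the whole chain could be recomputed, and entries cut from the end would go unnoticed.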
System controls guidelines
Along with electronic records, system controls are needed to verify the data's integrity by assigning the proper privileges and access rights:
* Each combination of identification code and password should be unique so that no two individuals have the same combination.
* A password expiration must be enforced within a specified time period (e.g., every 90 days). The system must not allow previously assigned user IDs to be reused.
* The system must ensure proper sequencing of steps or transactions. Sequencing controls are only applicable to the system if it is automating a process in which sequencing is a requirement (e.g., charge-in of raw materials).
* Access to data and functionality must be controlled within the system.
* The system must perform authority checks upon login, based on the defined security hierarchy. The system administrator must not allow records to be altered unless they are directly attributable to an individual (e.g., an inspectable system log for system administrator activities that can change or delete records or audit trails).
* The system must provide a read-only user role to facilitate inspections. This requirement is recommended for systems in which the technical platform allows for it. If implemented, the system also includes the definition and management of such user accounts.
* The system must detect invalid sources of data input or operational instructions. Device checks only apply to a system if the location or type of device is considered a control over the legitimacy of its operations or transactions.
* Controls (technical and/or procedural) should ensure that the system date and time are correct.
Admissibility of electronic records in US court
One of the most important aspects to address when replacing paper-based laboratory notebooks with electronic equivalents is the notebooks' potential use as legal evidence of fraud. Paper notebooks, when backed by clear procedures, are acceptable evidence for laboratory work preferred in the pharmaceutical, biotech, and chemical industries. In practice, the creation and maintenance of electronic laboratory notebooks does not differ from those of paper-based notebooks.
Nevertheless, among certain groups there is still an unfounded fear about whether electronic information can hold up in court under patent or liability laws. Regulatory and governmental organizations such as the European Patent Office, the US Environmental Protection Agency, and FDA have placed electronic records and signatures on equal footing with signed paper documents.
Electronic and paper records are admissible in court under specific rules such as the Business Record Exception (FRE Rule 803(6), Records of Regularly Conducted Activity). Records may be kept in any form, but companies must be able to prove that:
* records were made at or near the time by a person with knowledge;
* records were kept in the course of regularly conducted business activity;
* it was the regular practice of the business activity to make the records.
This information can be proven by testimony or written declaration by the custodian or a qualified witness. Records will not be admitted as evidence if they fail to prove these points before a court.
The 21 CFR Part 11 regulation has created a demand for an electronic solution that incorporates standard laboratory notebook practices such as documentation, reviews, version control, signatures, and archiving to meet the needs of laboratories working under any regulatory compliance demands, including good manufacturing, laboratory, and good clinical practices. With the right administration and security tools, user access and records management can be properly monitored and controlled.
It is important to remember that the key to having evidence accepted by a court of law is to prove that the agreed record-keeping procedures were followed and not to focus on the media in which records were stored.
Table I: Fraud possibilities on paper-based versus electronic

| Category | Paper laboratory notebook | Electronic laboratory notebook |
|---|---|---|
| User authentication and signature fraud | Fraud can only be detected by examining the handwriting. | Users are identified by their user names and passwords. Impostors would have to know this |
| Document alteration | Manipulations are always possible, even after signing. | Objects are assigned version numbers and signed. Changes are not invalidating an existing signature. After approval, changes are not possible. |
| Date and time manipulation | Changing the date of an entry is always possible. | Changing the time requires manipulating the server, which is not accessible to |
| Retrospective document generation | Pages may be left empty to add data retroactively. See also "Date and time | See "Date and time manipulation." |
(1.) Code of Federal Regulations, Title 21, Food and Drugs, Part 11, "Electronic Records; Electronic Signatures, Final Ruling," Fed. Regist. 62 (54), 13429-13466 (1997), http://www.21cfrpart11.com/files/library/government/21cfrpart11_final_rule.pdf.
Antony N. Davies and Ann McDonough *
Antony N. Davies is the senior marketing manager at Waters Informatics and Ann McDonough is the corporate communications contact at Waters Corporation, 5 Tech Drive, Milford, MA 01757, tel. 508.482.3729, ann_mcdonough@waters.com.
* To whom all correspondence should be addressed.
COPYRIGHT 2005 Advanstar Communications, Inc.
COPYRIGHT 2005 Gale Group