0 évaluation0% ont trouvé ce document utile (0 vote)
49 vues5 pages
The computerized audit trail of a laboratory's data system holds the evidence of who did what to a record and when. An audit trail is required for "actions that create, modify, or delete [an] electronic record" it must be "secure, computer-generated, [and] timestamped"
The computerized audit trail of a laboratory's data system holds the evidence of who did what to a record and when. An audit trail is required for "actions that create, modify, or delete [an] electronic record" it must be "secure, computer-generated, [and] timestamped"
The computerized audit trail of a laboratory's data system holds the evidence of who did what to a record and when. An audit trail is required for "actions that create, modify, or delete [an] electronic record" it must be "secure, computer-generated, [and] timestamped"
ensuring that the steps in the workflow follow the permitted sequence, and the proof of this correct process is linked to a given electronic record (Figure 1). Audit Trails: The Electronic Nanny A prerequisite for trustworthy records, apart from data security, is traceability. Analogous to the good old lab notebook, the computerized audit trail of a laboratorys data system holds the evidence of who did what to a record and when. As Ron Tetzlaff has said, If its not written, its a rumor (4). Paul Motise refers to the computerized audit trail as the electronic nanny (5). According to McDowall, the audit trail is a software utility that monitors changes to selected data sets within the main application (6). Part 11 Section 11.10 (e) states that an audit trail is required for actions that create, modify, or delete [an] electronic record and that it must be secure, computer-generated, [and] time- stamped (7). It is neither new nor surprising that previous entries in the audit trail must be unobscured, a practice well known to the keepers of paper records in a GMP environment. During FDA inspections, auditors refer to laboratory logs for the sequence of analyses and of manufacturing steps. Audit trails help to manage, control, and provide an inspection record of the changes made to the programs used for calculations. Audit trails are essential for tracking or inspecting when (and why) the authority to delete records or override computer systems settings was employed by a user equipped with the appropriate access rights. The audit trail method chosen by Agilent Technologies (Palo Alto, CA) in its ChemStation Plus system is a good example of how records can be tracked. Security-relevant audit log entries are captured in a protected database log. For instance, potential security breaches or modifications of user access rights are logged. The log entries themselves cannot be modified or deleted by ordinary means. The crux of the matter lies in the granularity of the audit function (that is, the level of detail of each entry in the audit log). As mentioned in Part 1 of this series, an audit trail that logs too many entries soon becomes unmanageable and defeats the purpose of the Part 11 rule (3). An audit trail significant rule in good manufacturing practices (GMP) reemphasized in 21 CFR Part 11 is that ensuring data integrity by protecting original data from accidental or intentional modification, falsification, or even deletion is the key for reliable and trustworthy records that withstand scrutiny from regulators. Robert McDowall recently wrote an excellent article on Computer (In)security in which he states that There are no secure computers. All we are talking about are the degrees of acceptable insecurity (1). Action plans for implementing 21 CFR Part 11 and for assessing data security often get no further than investigating system security and user authorization, discussed in Part 2 of this series, and fail to investigate the integrity of the data maintained on a secured system (2). The greatest data system challenge in todays laboratories is not controlling and securing access, but ensuring data integrity. In the context of chromatography data systems (CDS), data integrity has two major components. One is document control for metadata, such as method parameters. The other is revision control for data that is reanalyzed, as when the original analysis fails. This third installment of in our series outlines some of the design criteria required in a modern data system to fulfill the data integrity requirements of 21 CFR Part 11. The first article in the series, which appeared in the November 1999 issue of BioPharm, provided an overview of the regulations governing electronic signatures and records in analytical laboratories and concluded with key recommendations for implementing a paperless record system in analytical labs (3). Part 2 focused on security mechanisms that prevent unauthorized people from gaining access to, altering, or deleting records from your laboratory system (2). Trustworthy records also mean that data has been entered in context. The rule mandates operational checks. Operational Wolfgang Winter and Ludwig Huber Implementing 21 CFR Part 11 in Analytical Laboratories Part 3: Ensuring Data Integrity in Electronic Records Wol f gang Wi nt er is worldwide product manager, data systems, and corresponding author Ludw i g Huber is worldwide product marketing manager, HPLC, at Agilent Technologies GmbH, PO Box 1280 D-76337, Waldbronn, Germany, +49 7243 602 209, fax +49 7243 602 501, ludwig_huber@agilent.com. A P ro te c tin g th e in te g rity o f d a ta will c h a lle n g e a n a lytic a l la b s a s th e y b e c o m e c o m p lia n t with th e re q u ire m e n ts o f 2 1 C F R P a rt 1 1 . O th e r re sp o n sib ilitie s in c lu d e e n su rin g th e re lia b ility a n d tru stwo rth in e ss o f e le c tro n ic re c o rd s u se d to su p p o rt p a rtic u la r d e c isio n s, su c h a s re le a se o f a p ro d u c tio n b a tc h . Regulat ory Mat t ers Regulat ory Mat t ers when an electronic batch record system spans different time zones? FDAs response to the question emphasizes two features of time stamps in an audit trail: The time stamp in the audit trail needs to clearly document the sequence of events in human terms, and it helps to authenticate an electronic signature and minimize chances of signer repudiation (10). An author elaborating on the time stamp regulations hypothesizes For example, the local time stamp can be correlated with the whereabouts of the purported signer to help establish authenticity; if the person who supposedly signed the record was at a meeting, or otherwise unable to sign the record at the time of signature execution, the time stamp would help show that an imposter executed the signature. A firm could then initiate an appropriate investigation. (10) The time stamp complication needs a state-of-the-art and pragmatic technical solution because modern client/server data systems that generate, maintain, store, and archive electronic records are distributive and dispersed. In client/server data systems used by international companies, records can be exchanged between departments that work in different continents. Individual users can access the system from remote sites (such as on a business trip) and initiate actions that are recorded in the audit trail. If the time stamp reflects the local time of that user only, the sequence of actions logged for an individual record (for example the review and approval history of a chromatographic sequence) could appear inconsistent. For example, the approval by a peer reviewer could be signed at 9:00 AM on a chromatographic analysis that was performed at 11:00 AM! Without some indication that the analysis was done in the Central European time zone (CET) and the Regulat ory Mat t ers Figure 2. The Event Log Settings dialog box for the Microsoft Windows NT Event Viewer allows changing or deleting of audit trail entries, which is unacceptable for Part 11 regulations. function in a chromatography data system and the search criteria it offers must be carefully designed. In some countries, such as Germany, information systems that monitor employee performance are subject to deployment authorization by the responsible work council organization. That makes it important to realize that the purpose of a laboratory data system is not to control personnel or to measure performance or efficiency, but to establish that the data used to make informed decisions has a clean record showing its integrity. Useful queries to the audit log should therefore help to answer the questions like these: Did any instrument or processing errors occur during the analysis of a specific sample that could have caused the analysis result to be invalid? What particular changes were made to the integration parameters of a specific injection within the sequence? Was the analysis result reviewed and subsequently peer reviewed? Why was the analysis result rejected and excluded from the result calculation? An interesting feature of audit trails is the so called audit comment, which is meant to aid the originator as well as the reviewer in understanding why the originator performed a specific action. Entering the reason for a record change is not required by Part 11, but some predicate rules do expect an explanation, such as good laboratory practices (GLP) regulations. Some modern data systems offer a function for fixed or user-definable audit comments. With the help of that function, the data system records for example that a certain method parameter was changed from value X to value Y, and in the comment section the analyst can write that the change was because of a revised SOP. FDA accepts audit comments only if the mechanism for entering them leaves the integrity of the original audit record uncompromised. Adding the comment must not allow manipulation of the audit record (8). For compliance with that regulation, an audit trail configuration that permits easy or even automated modification and deletion of audit log information, such as Event Viewer (Microsoft Windows NT, Redmond, WA) would be unacceptable. Data system solutions that rely on the event logging mechanisms of the operating system also may require special attention to meet requirements (Figure 2). In addition to operational controls that enforce the systemic sequence of permitted steps, audit trails also play a role in preventing pencil whipping: The entry of data before an action occurs or at the end of the day, as an afterthought (5). Traceability and Time Stamps Global companies that deploy large, distributed client/server data systems have expressed concerns about Part 11 and time stamps. Particularly with electronic batch record systems, the initial FDA rule started a controversy about time stamps and time zones. The rule states The signers local time is the one to be recorded in systems that operate across time zones (9). Companies responded with, Does an electronic signature time stamp need to be local to the signer or to a central network Figure 1. The trustworthiness of electronic records is ensured by appropriate measures for data security, data integrity, and traceability. Regulatory Implications of Electronic Data Change control. Link raw data and results Who did what, when, and why? Previous entries must not be obscured Limit access. Prevent data modification Traceability Security Integrity review was conducted in the eastern standard time zone (EST), the audit trail would look dubious. According to Motise, Part 11 does not, however, prohibit a firm from supplementing the local time stamp with the time stamp of a remote central server that may be in a different time zone from the signer. Where dual stamps are recorded, though, it is important that the electronic record clearly indicate which one is local to the signer (8). A modern and adequate time stamp method proposed for data systems at our company stores time stamps internally according to a central time base (such as Greenwich Mean Time, GMT) and represents them in the local time zone of the reviewer. This approach guarantees a consistent representation of the sequential flow of events recorded in the system regardless of the local time zone(s) of its initiator(s). The Typewriter Excuse According to previous interpretations of GLP and GMP regulations, the regulated company was able to define raw data. Often, printed and signed paper reports were defined as the raw data that was kept and archived for record retention. Barbara Immel wrote in BioPharm that the rules intent was to get rid of the typewriter excuse, the statement made by some that The real record is the hard copy. We just use computers to generate the record, as shown in Figure 3 (11). In LCGC, McDowall wrote that A move to electronic records will require a definition of raw data (original observations taken to be the raw data files) together with other files such as the associated, integration file and injection sequence to enable the work to be reassembled (12). As mentioned in Part 1 of this series, FDA will cease to accept paper copies of electronic records (3). Part 11 says that if you keep the record in electronic form, you must preserve it in electronic form. More specifically, a record is considered raw data that has to be maintained and archived as soon as it hits a durable storage device, such as a computers hard disk (Figure 4). Thus a report printed from a CDS and signed by the analyst does not qualify anymore as original raw data! Why? The printout of an electronic record is generally not a complete and accurate copy of the original electronic record; it lacks important information like processing parameters and audit trail logs. When a record contains all that information, including the processing parameters and audit trail, it is generally called metadata (Figure 5). The typewriter excuse is now unacceptable. As Immel states, Only if a computer is truly being used as a typewriter when no electronic record is created does the rule not apply, and Motise writes, There is nothing inherently trustworthy that comes out of your printer, because the paper printout does not contain the metadata that is necessary to reliably reconstruct or even replay the original data (11,13). Metadata, therefore, becomes the key differentiator in distinguishing the trustworthiness of records and compliance with the recent FDA rule. Without metadata, it is impossible to replay the original result using the original input parameters. Without metadata, the traceability of a final result record is limited. The complete and uncorrupted package of raw data, metadata, and results represents a trustworthy and reliable set of information that helps to generate knowledge that things like results, production processes, or product quality are under control (Figure 6). Frequently, the archive solutions of analytical laboratories have disregarded the importance of metadata. Inadequate archive solutions that do not allow replaying the original result from the raw data and the metadata will cause complications during regulatory inspections. Referential Integrity Ensuring data integrity requires maintaining an unbreakable link between related electronic records, a process referred to as referential integrity, the integrity of the relationship between records. With a CDS, data integrity means confidence that a specific record, such as a calculated chromatographic result, is unmodified, unmanipulated, and otherwise uncorrupted after its creation, and that it still carries references to the other electronic records Figure 3. With some devices, the real record is a hard copy. Typewriter, strip-chart recorder, integrator Raw data Paper page x of y Figure 4. With chromatography data systems, the raw data typically is an electronic record subject to 21 CFR Part 11 rules. Chromatographic data stored digitally on a durable storage device Raw data Electronic record Figure 5. The printed copy of an electronic record is no longer considered raw data. The typewriter excuse is no longer accepted. Printed report from a ODS No raw data page x of y Regulat ory Mat t ers that were used to generate it, such as the chromatographic signal, the processing parameters, the calculations, and, of course, the audit trail. The record itself is traceable, reliable, and trustworthy only if the entire set of related records is maintained on the system. A network of relationships between items that can be revised individually is difficult to manage. Think of the following scenario: Sample XYZ needs to be analyzed using method A, revision 4 (the current revision). A shortage of solvent during the chromatographic analysis causes chromatogram 1 of sample XYZ to be invalid. The sample has to be reinjected. The system stores a revision of the binary chromatogram without deleting or overwriting the original. (Check your chromatographic data system to determine whether it can really do that.) Chromatogram 2 is now processed to quantify the main compounds and the impurities, generating result XYZ.2-A4-1. One point of the calibration curve is subsequently marked invalid because the reviewing analyst found a previously undetected sample preparation error with the corresponding standard. Chromatogram 2 has to be processed a second time, generating result revision XYZ.2-A4-2. The results are reviewed, approved, and archived. Over the course of the next months, method A is updated because of a specification change on the impurities. The new revision of method A is now 5. In the course of an FDA audit the same year, the results for sample XYZ are revisited. A system with good referential integrity will retrieve the requested revisions of those results, including the correct references to the revisions of the raw data (XYZ.2) and processing method (A4). Most current systems will allow users to find the result and the raw data but fail to produce the correct version of the processing method and display processing method A at revision 5. In some systems, the previous revisions of method A no longer exist despite a detailed audit trail. Deficiencies inlegacy methods. Traditionally, laboratory information management systems (LIMS), and some chromatography data systems, were based on a relational database management system (RDBMS). An RDBMS stores data in related tables and is powerful because it requires few assumptions about how data are related or how they will be extracted from the database. As a result, the same database can be viewed in many different ways. An RDBMS offers excellent functionality to store, organize, and retrieve large volumes of data records. However, an RDBMS has inherent difficulties in handling complex and binary data including methods, raw instrument data, and images, (14). Creating an additional difficulty, systems based on an RDBMS can typically only handle an individual objects audit history but not the audit history of an association of a collection of objects (14). For example, let us assume that an RDBMS-based CDS tracks revisions of instrument, processing, and reporting methods. The CDS will almost certainly track the individual revisions of the parent method set as well as the submethods (so that, for example, if an analyst modifies the integration parameters and saves the processing method, a new revision of the processing method will be stored in the database). However, the parent method set probably will not pick up the change in the submethod and will not be revised. Another analyst retrieving the method set from the database may then inherit an implicit change without knowing it unless he or she tracks all the revisions of each subcomponent. A standard DBMS usually lacks native support for referential integrity (15). The situation is often worse with systems that are not based on a DBMS at all. With file-based systems, maintaining referential integrity between the various files that make up a complex record (such as binary raw data, methods, and calculated results) means tracking them manually or through careful collation on the file server. Even with tight access security, detailed operating procedures, and computer generated auditing, the referential integrity of the records and the specifics of their relationships may be difficult to maintain on those systems. Modernmethods. In contrast, object database management systems (ODBMS) are specifically designed to manage and store complex objects and their complex relationships. ODBMS support modeling and creation of data as objects including support for classes of objects and the inheritance of class properties and methods by subclasses and their objects. That allows greater flexibility in tracking parent method sets and subcomponents. Recent publications discuss the implementation of modern information management systems based on ODBMS (14,15). The storage of objects as objects, rather than fields of tables, not only maintains the inherent nature of the object, but can also eliminate 3070% of a projects total code, which is typically used to map objects to tables(15). Applications are available now that superimpose object-oriented concepts on relational databases, and applications based on ODBMS are now starting to surface. Some vendors are offering hybrid object- relational systems that maintain the ad hoc query capabilities and reliability of the Oracle RDBMS storage engine while extending the object model so that it includes relationship objects (14). By their inherent design for referential integrity, systems based on an ODBMS or a hybrid objectrelational scheme appear to be better suited for the data integrity requirements laid out by 21 CFR Part 11. Recommendations To ensure the data integrity necessary to meet 21 CFR Part 11, I recommend the following guidelines. Be ready for a major change if your current processes rely on paper printouts of electronic records that are subject to Part 11. Chromatography data systems used in industries subject to 21 CFR Part 11 need to be carefully evaluated for data security, data integrity, and audit trails in order to follow current compliance policies. Database systems help but do not guarantee data integrity and security. When addressing the deviations in an existing system or when selecting a new one, Figure 6. A trustworthy electronic record result consists of the raw data and its associated metadata. Record Raw Meta Raw data Original binary signal Result data Calculated results Metadata Processing parameters used for calculation Metadata Processing parameters Areas, response factors Calculation Calibration data Other information consider more than just raw data and results; recognize the importance of metadata. To ensure the traceability of results, the data system must possess a computer generated, time stamped audit trail that is operator independent and that tracks which users and at what time they created, modified, or destroyed records. The system must prevent changing or deleting the audit trail. Audit trails based on the Windows NT Event Viewer are unacceptable without appropriate measures to prevent deletion of audit trail entries. When evaluating a CDS that is based on a database management system, verify that the system makes an unbreakable link between results, raw data, and metadata. Tight revision control of each data object is mandatory to achieve that goal. Looking Ahead In the next installment of this series, planned for BioPharms May 2000 issue, we will focus on the implications of 21 CFR Part 11 for the transcription or migration of electronic records to new data systems. One difficulty raised by Part 11 is how to create and manage complete and accurate copies of electronic records, without being forced to maintain a series of obsolete computer systems to run old records being kept for the required record retention period. References (1) R.D. McDowall, Computer (In)security, Sci. Data Manage. 3(6), 815 (1999). (2) W. Winter and L. Huber, Implementing 21 CFR Part 11 in Analytical Laboratories: Part 2, Security Aspects for Systems and Applications, BioPharm 13(1), 4450 (2000). (3) L. Huber, Implementing 21 CFR Part 11 in Analytical Laboratories: Part 1, Overview and Requirements, BioPharm 12(11), 2834 (1999). (4) C. Burgess and R. McDowall, Practical Computer Validation short course at Pittcon 98, p. 6. (5) P. Motise, Human Drug CGMP Notes 5(4) (1997). (6) R. D. McDowall: Operational Measures to Ensure the Continued Validation of Computerised Systems in Regulated or Accredited Laboratories, Lab. Autom. Inf. Manage. 31, 2534 (1995). (7) Code of Federal Regulations, Food and Drugs, Title 21, Part 11, Sections 11.10(b) and 11.30, Electronic Records; Electronic Signatures; Controls for Closed Systems; and Controls for Open Systems (U.S. Government Printing office, Washington, DC). Also Federal Register 62(54), 1342913466. (8) Personal email communication between Hewlett-Packard Company (Wilmington, DE) and Paul Motise (Office of Compliance, CDER, FDA, Rockville, MD) (1999). (9) Code of Federal Regulations, Food and Drugs, Final Rule Preamble to Part 11, at Comment Paragraph 101, 21 CFR 11.50(a)(2) (U.S. Government Printing Office, Washington, DC). Also Federal Register 62(54), 13453 (1997). (10) P. Motise, Human Drug CGMP Notes 6(2) (1998). (11) B.K. Immel, GMP Issues: An Electronic Eye Opener, BioPharm 12(6), 6063 (1999). (12) R.D. McDowall, Chromatography Data Systems II: Specifying, Evaluating, and Selecting a System, LCGC Int. 12(7), 422431 (1999). (13) P. Motise, FDA Requirements for Computers in Analytical Laboratories, paper presented at the ECA Conference, Berlin, September 1999 (available at www.labcompliance.com/conferences/ august99.htm). (14) T.P. Loomis, The Best of LIMS Object and Relational DBMS Can be Combined, Sci. Comput. Autom. 15(3), 7376 (1998). (15) L. Guzenda, Seven Signs That You Need an Object Database, Sci. Data Manage. 3(5), 3033 (1999). BP Agilent Technologies Publication Number 5980-1305E Reprinted from BIOPHARM, March 2000 AN ADVANSTAR # PUBLICATION Printed in U.S.A. Copyright Notice Copyright by Advanstar Communications Inc. Advanstar Communications Inc. retains all rights to this article. This article may only be viewed or printed (1) for personal use. User may not actively save any text or graphics/photos to local hard drives or duplicate this article in whole or in part, in any medium. Advanstar Communications Inc. home page is located at http://www.advanstar.com.