checks in a computer system extend the

concept of controlling user access rights to

ensuring that the steps in the workflow
follow the permitted sequence, and the proof
of this correct process is linked to a given
electronic record (Figure 1).
Audit Trails: The Electronic Nanny
A prerequisite for trustworthy records, apart
from data security, is traceability.
Analogous to the good old lab notebook, the
computerized audit trail of a laboratorys
data system holds the evidence of who did
what to a record and when. As Ron Tetzlaff
has said, If its not written, its a rumor
(4). Paul Motise refers to the computerized
audit trail as the electronic nanny (5).
According to McDowall, the audit trail is a
software utility that monitors changes to
selected data sets within the main
application (6). Part 11 Section 11.10 (e)
states that an audit trail is required for
actions that create, modify, or delete [an]
electronic record and that it must be
secure, computer-generated, [and] time-
stamped (7). It is neither new nor surprising
that previous entries in the audit trail must
be unobscured, a practice well known to the
keepers of paper records in a GMP
environment.
During FDA inspections, auditors refer to
laboratory logs for the sequence of analyses
and of manufacturing steps. Audit trails help
to manage, control, and provide an
inspection record of the changes made to the
programs used for calculations. Audit trails
are essential for tracking or inspecting when
(and why) the authority to delete records or
override computer systems settings was
employed by a user equipped with the
appropriate access rights. The audit trail
method chosen by Agilent Technologies
(Palo Alto, CA) in its ChemStation Plus
system is a good example of how records
can be tracked. Security-relevant audit log
entries are captured in a protected database
log. For instance, potential security breaches
or modifications of user access rights are
logged. The log entries themselves cannot
be modified or deleted by ordinary means.
The crux of the matter lies in the
granularity of the audit function (that is, the
level of detail of each entry in the audit log).
As mentioned in Part 1 of this series, an
audit trail that logs too many entries soon
becomes unmanageable and defeats the
purpose of the Part 11 rule (3). An audit trail
significant rule in good
manufacturing practices (GMP)
reemphasized in 21 CFR Part 11 is
that ensuring data integrity by
protecting original data from accidental or
intentional modification, falsification, or
even deletion is the key for reliable and
trustworthy records that withstand scrutiny
from regulators. Robert McDowall recently
wrote an excellent article on Computer
(In)security in which he states that There
are no secure computers. All we are talking
about are the degrees of acceptable
insecurity (1). Action plans for
implementing 21 CFR Part 11 and for
assessing data security often get no further
than investigating system security and user
authorization, discussed in Part 2 of this
series, and fail to investigate the integrity of
the data maintained on a secured system (2).
The greatest data system challenge in
todays laboratories is not controlling and
securing access, but ensuring data integrity.
In the context of chromatography data
systems (CDS), data integrity has two
major components. One is document
control for metadata, such as method
parameters. The other is revision control
for data that is reanalyzed, as when the
original analysis fails.
This third installment of in our series
outlines some of the design criteria required
in a modern data system to fulfill the data
integrity requirements of 21 CFR Part 11.
The first article in the series, which appeared
in the November 1999 issue of BioPharm,
provided an overview of the regulations
governing electronic signatures and records
in analytical laboratories and concluded with
key recommendations for implementing a
paperless record system in analytical labs
(3). Part 2 focused on security mechanisms
that prevent unauthorized people from
gaining access to, altering, or deleting
records from your laboratory system (2).
Trustworthy records also mean that data
has been entered in context. The rule
mandates operational checks. Operational
Wolfgang Winter and
Ludwig Huber
Implementing 21 CFR
Part 11 in Analytical Laboratories
Part 3: Ensuring Data Integrity in Electronic Records
Wol f gang Wi nt er is worldwide product manager,
data systems, and corresponding author Ludw i g
Huber is worldwide product marketing manager,
HPLC, at Agilent Technologies GmbH, PO Box
1280 D-76337, Waldbronn, Germany, +49 7243
602 209, fax +49 7243 602 501,
ludwig_huber@agilent.com.
A
P ro te c tin g th e in te g rity o f d a ta will
c h a lle n g e a n a lytic a l la b s a s th e y
b e c o m e c o m p lia n t with th e
re q u ire m e n ts o f 2 1 C F R P a rt 1 1 .
O th e r re sp o n sib ilitie s in c lu d e
e n su rin g th e re lia b ility a n d
tru stwo rth in e ss o f e le c tro n ic
re c o rd s u se d to su p p o rt p a rtic u la r
d e c isio n s, su c h a s re le a se o f a
p ro d u c tio n b a tc h .
Regulat ory Mat t ers Regulat ory Mat t ers
when an electronic batch record system
spans different time zones?
FDAs response to the question
emphasizes two features of time stamps in
an audit trail: The time stamp in the audit
trail needs to clearly document the
sequence of events in human terms, and it
helps to authenticate an electronic signature
and minimize chances of signer repudiation
(10). An author elaborating on the time
stamp regulations hypothesizes
For example, the local time stamp can be
correlated with the whereabouts of the purported
signer to help establish authenticity; if the
person who supposedly signed the record was at
a meeting, or otherwise unable to sign the record
at the time of signature execution, the time
stamp would help show that an imposter
executed the signature. A firm could then initiate
an appropriate investigation. (10)
The time stamp complication needs a
state-of-the-art and pragmatic technical
solution because modern client/server data
systems that generate, maintain, store, and
archive electronic records are distributive
and dispersed. In client/server data systems
used by international companies, records can
be exchanged between departments that
work in different continents. Individual
users can access the system from remote
sites (such as on a business trip) and initiate
actions that are recorded in the audit trail. If
the time stamp reflects the local time of that
user only, the sequence of actions logged for
an individual record (for example the review
and approval history of a chromatographic
sequence) could appear inconsistent. For
example, the approval by a peer reviewer
could be signed at 9:00 AM on a
chromatographic analysis that was
performed at 11:00 AM! Without some
indication that the analysis was done in the
Central European time zone (CET) and the
Regulat ory Mat t ers
Figure 2. The Event Log Settings dialog box
for the Microsoft Windows NT Event
Viewer allows changing or deleting of
audit trail entries, which is unacceptable
for Part 11 regulations.
function in a chromatography data system
and the search criteria it offers must be
carefully designed. In some countries, such
as Germany, information systems that
monitor employee performance are subject
to deployment authorization by the
responsible work council organization. That
makes it important to realize that the
purpose of a laboratory data system is not to
control personnel or to measure performance
or efficiency, but to establish that the data
used to make informed decisions has a clean
record showing its integrity.
Useful queries to the audit log should
therefore help to answer the questions like
these: Did any instrument or processing
errors occur during the analysis of a specific
sample that could have caused the analysis
result to be invalid? What particular changes
were made to the integration parameters of a
specific injection within the sequence? Was
the analysis result reviewed and
subsequently peer reviewed? Why was the
analysis result rejected and excluded from
the result calculation?
An interesting feature of audit trails is the
so called audit comment, which is meant to
aid the originator as well as the reviewer in
understanding why the originator performed
a specific action. Entering the reason for a
record change is not required by Part 11, but
some predicate rules do expect an
explanation, such as good laboratory
practices (GLP) regulations. Some modern
data systems offer a function for fixed or
user-definable audit comments. With the
help of that function, the data system records
for example that a certain method parameter
was changed from value X to value Y, and
in the comment section the analyst can write
that the change was because of a revised
SOP. FDA accepts audit comments only if
the mechanism for entering them leaves the
integrity of the original audit record
uncompromised. Adding the comment must
not allow manipulation of the audit record
(8). For compliance with that regulation, an
audit trail configuration that permits easy or
even automated modification and deletion of
audit log information, such as Event Viewer
(Microsoft Windows NT, Redmond, WA)
would be unacceptable. Data system
solutions that rely on the event logging
mechanisms of the operating system also
may require special attention to meet
requirements (Figure 2).
In addition to operational controls that
enforce the systemic sequence of permitted
steps, audit trails also play a role in
preventing pencil whipping: The entry of
data before an action occurs or at the end of
the day, as an afterthought (5).
Traceability and Time Stamps
Global companies that deploy large,
distributed client/server data systems have
expressed concerns about Part 11 and time
stamps. Particularly with electronic batch
record systems, the initial FDA rule started a
controversy about time stamps and time
zones. The rule states The signers local
time is the one to be recorded in systems
that operate across time zones (9).
Companies responded with, Does an
electronic signature time stamp need to be
local to the signer or to a central network
Figure 1. The trustworthiness of electronic records is ensured by appropriate measures for
data security, data integrity, and traceability.
Regulatory Implications of
Electronic Data
Change control.
Link raw data
and results
Who did what, when, and why?
Previous entries must not
be obscured
Limit access.
Prevent data
modification
Traceability
Security Integrity
review was conducted in the eastern
standard time zone (EST), the audit trail
would look dubious.
According to Motise, Part 11 does not,
however, prohibit a firm from
supplementing the local time stamp with the
time stamp of a remote central server that
may be in a different time zone from the
signer. Where dual stamps are recorded,
though, it is important that the electronic
record clearly indicate which one is local to
the signer (8). A modern and adequate time
stamp method proposed for data systems at
our company stores time stamps internally
according to a central time base (such as
Greenwich Mean Time, GMT) and
represents them in the local time zone of the
reviewer. This approach guarantees a
consistent representation of the sequential
flow of events recorded in the system
regardless of the local time zone(s) of its
initiator(s).
The Typewriter Excuse
According to previous interpretations of
GLP and GMP regulations, the regulated
company was able to define raw data. Often,
printed and signed paper reports were
defined as the raw data that was kept and
archived for record retention. Barbara Immel
wrote in BioPharm that the rules intent was
to get rid of the typewriter excuse, the
statement made by some that The real
record is the hard copy. We just use
computers to generate the record, as shown
in Figure 3 (11). In LCGC, McDowall wrote
that A move to electronic records will
require a definition of raw data (original
observations taken to be the raw data files)
together with other files such as the
associated, integration file and injection
sequence to enable the work to be
reassembled (12). As mentioned in Part 1
of this series, FDA will cease to accept
paper copies of electronic records (3). Part
11 says that if you keep the record in
electronic form, you must preserve it in
electronic form. More specifically, a record
is considered raw data that has to be
maintained and archived as soon as it hits a
durable storage device, such as a
computers hard disk (Figure 4).
Thus a report printed from a CDS and
signed by the analyst does not qualify
anymore as original raw data! Why? The
printout of an electronic record is generally
not a complete and accurate copy of the
original electronic record; it lacks important
information like processing parameters and
audit trail logs. When a record contains all
that information, including the processing
parameters and audit trail, it is generally
called metadata (Figure 5). The typewriter
excuse is now unacceptable. As Immel
states, Only if a computer is truly being
used as a typewriter when no electronic
record is created does the rule not apply,
and Motise writes, There is nothing
inherently trustworthy that comes out of
your printer, because the paper printout
does not contain the metadata that is
necessary to reliably reconstruct or even
replay the original data (11,13).
Metadata, therefore, becomes the key
differentiator in distinguishing the
trustworthiness of records and compliance
with the recent FDA rule. Without metadata,
it is impossible to replay the original
result using the original input parameters.
Without metadata, the traceability of a final
result record is limited. The complete and
uncorrupted package of raw data, metadata,
and results represents a trustworthy and
reliable set of information that helps to
generate knowledge that things like results,
production processes, or product quality are
under control (Figure 6).
Frequently, the archive solutions of
analytical laboratories have disregarded the
importance of metadata. Inadequate archive
solutions that do not allow replaying
the original result from the raw data and the
metadata will cause complications during
regulatory inspections.
Referential Integrity
Ensuring data integrity requires maintaining
an unbreakable link between related
electronic records, a process referred to as
referential integrity, the integrity of the
relationship between records. With a CDS,
data integrity means confidence that a
specific record, such as a calculated
chromatographic result, is unmodified,
unmanipulated, and otherwise uncorrupted
after its creation, and that it still carries
references to the other electronic records
Figure 3. With some devices, the real record is a hard copy.
Typewriter, strip-chart
recorder, integrator
Raw data
Paper
page x of y
Figure 4. With chromatography data systems, the raw data typically is an electronic record
subject to 21 CFR Part 11 rules.
Chromatographic
data stored digitally
on a durable
storage device
Raw data
Electronic
record
Figure 5. The printed copy of an electronic record is no longer considered raw data. The
typewriter excuse is no longer accepted.
Printed report
from a ODS
No raw data
page x of y
Regulat ory Mat t ers
that were used to generate it, such as the
chromatographic signal, the processing
parameters, the calculations, and, of course,
the audit trail. The record itself is traceable,
reliable, and trustworthy only if the entire
set of related records is maintained on the
system. A network of relationships between
items that can be revised individually is
difficult to manage.
Think of the following scenario: Sample
XYZ needs to be analyzed using method A,
revision 4 (the current revision). A shortage
of solvent during the chromatographic
analysis causes chromatogram 1 of sample
XYZ to be invalid. The sample has to be
reinjected. The system stores a revision of
the binary chromatogram without deleting or
overwriting the original. (Check your
chromatographic data system to determine
whether it can really do that.)
Chromatogram 2 is now processed to
quantify the main compounds and the
impurities, generating result XYZ.2-A4-1.
One point of the calibration curve is
subsequently marked invalid because the
reviewing analyst found a previously
undetected sample preparation error with the
corresponding standard. Chromatogram 2
has to be processed a second time,
generating result revision XYZ.2-A4-2. The
results are reviewed, approved, and
archived.
Over the course of the next months,
method A is updated because of a
specification change on the impurities. The
new revision of method A is now 5. In the
course of an FDA audit the same year, the
results for sample XYZ are revisited. A
system with good referential integrity will
retrieve the requested revisions of those
results, including the correct references to the
revisions of the raw data (XYZ.2) and
processing method (A4). Most current
systems will allow users to find the result and
the raw data but fail to produce the correct
version of the processing method and display
processing method A at revision 5. In some
systems, the previous revisions of method A
no longer exist despite a detailed audit trail.
Deficiencies inlegacy methods. Traditionally,
laboratory information management systems
(LIMS), and some chromatography data
systems, were based on a relational
database management system (RDBMS).
An RDBMS stores data in related tables and
is powerful because it requires few
assumptions about how data are related or
how they will be extracted from the
database. As a result, the same database can
be viewed in many different ways. An
RDBMS offers excellent functionality to
store, organize, and retrieve large volumes
of data records. However, an RDBMS has
inherent difficulties in handling complex
and binary data including methods, raw
instrument data, and images, (14). Creating
an additional difficulty, systems based on an
RDBMS can typically only handle an
individual objects audit history but not the
audit history of an association of a
collection of objects (14).
For example, let us assume that an
RDBMS-based CDS tracks revisions of
instrument, processing, and reporting
methods. The CDS will almost certainly
track the individual revisions of the parent
method set as well as the submethods (so
that, for example, if an analyst modifies the
integration parameters and saves the
processing method, a new revision of the
processing method will be stored in the
database). However, the parent method set
probably will not pick up the change in the
submethod and will not be revised. Another
analyst retrieving the method set from the
database may then inherit an implicit change
without knowing it unless he or she tracks
all the revisions of each subcomponent.
A standard DBMS usually lacks native
support for referential integrity (15). The
situation is often worse with systems that are
not based on a DBMS at all. With file-based
systems, maintaining referential integrity
between the various files that make up a
complex record (such as binary raw data,
methods, and calculated results) means
tracking them manually or through careful
collation on the file server. Even with tight
access security, detailed operating
procedures, and computer generated auditing,
the referential integrity of the records and the
specifics of their relationships may be
difficult to maintain on those systems.
Modernmethods. In contrast, object database
management systems (ODBMS) are
specifically designed to manage and store
complex objects and their complex
relationships. ODBMS support modeling
and creation of data as objects including
support for classes of objects and the
inheritance of class properties and methods
by subclasses and their objects. That allows
greater flexibility in tracking parent method
sets and subcomponents. Recent
publications discuss the implementation of
modern information management systems
based on ODBMS (14,15). The storage of
objects as objects, rather than fields of
tables, not only maintains the inherent
nature of the object, but can also eliminate
3070% of a projects total code, which is
typically used to map objects to tables(15).
Applications are available now that
superimpose object-oriented concepts on
relational databases, and applications based
on ODBMS are now starting to surface.
Some vendors are offering hybrid object-
relational systems that maintain the ad hoc
query capabilities and reliability of the
Oracle RDBMS storage engine while
extending the object model so that it
includes relationship objects (14). By their
inherent design for referential integrity,
systems based on an ODBMS or a hybrid
objectrelational scheme appear to be better
suited for the data integrity requirements
laid out by 21 CFR Part 11.
Recommendations
To ensure the data integrity necessary to
meet 21 CFR Part 11, I recommend the
following guidelines.
Be ready for a major change if your
current processes rely on paper printouts of
electronic records that are subject to Part 11.
Chromatography data systems used in
industries subject to 21 CFR Part 11 need to
be carefully evaluated for data security, data
integrity, and audit trails in order to follow
current compliance policies. Database
systems help but do not guarantee data
integrity and security.
When addressing the deviations in an
existing system or when selecting a new one,
Figure 6. A trustworthy electronic record
result consists of the raw data and its
associated metadata.
Record Raw Meta
Raw data Original binary signal
Result data Calculated results
Metadata Processing parameters
used for calculation
Metadata
Processing parameters
Areas, response factors
Calculation
Calibration data
Other information
consider more than just raw data and results;
recognize the importance of metadata.
To ensure the traceability of results, the
data system must possess a computer
generated, time stamped audit trail that is
operator independent and that tracks which
users and at what time they created,
modified, or destroyed records. The system
must prevent changing or deleting the audit
trail. Audit trails based on the Windows NT
Event Viewer are unacceptable without
appropriate measures to prevent deletion of
audit trail entries.
When evaluating a CDS that is based on a
database management system, verify that the
system makes an unbreakable link between
results, raw data, and metadata. Tight
revision control of each data object is
mandatory to achieve that goal.
Looking Ahead
In the next installment of this series, planned
for BioPharms May 2000 issue, we will
focus on the implications of 21 CFR Part 11
for the transcription or migration of
electronic records to new data systems. One
difficulty raised by Part 11 is how to create
and manage complete and accurate copies of
electronic records, without being forced to
maintain a series of obsolete computer
systems to run old records being kept for the
required record retention period.
References
(1) R.D. McDowall, Computer (In)security, Sci.
Data Manage. 3(6), 815 (1999).
(2) W. Winter and L. Huber, Implementing 21
CFR Part 11 in Analytical Laboratories: Part 2,
Security Aspects for Systems and
Applications, BioPharm 13(1), 4450 (2000).
(3) L. Huber, Implementing 21 CFR Part 11 in
Analytical Laboratories: Part 1, Overview and
Requirements, BioPharm 12(11), 2834
(1999).
(4) C. Burgess and R. McDowall, Practical
Computer Validation short course at Pittcon
98, p. 6.
(5) P. Motise, Human Drug CGMP Notes 5(4)
(1997).
(6) R. D. McDowall: Operational Measures to
Ensure the Continued Validation of
Computerised Systems in Regulated or
Accredited Laboratories, Lab. Autom. Inf.
Manage. 31, 2534 (1995).
(7) Code of Federal Regulations, Food and Drugs,
Title 21, Part 11, Sections 11.10(b) and 11.30,
Electronic Records; Electronic Signatures;
Controls for Closed Systems; and Controls for
Open Systems (U.S. Government Printing
office, Washington, DC). Also Federal
Register 62(54), 1342913466.
(8) Personal email communication between
Hewlett-Packard Company (Wilmington, DE)
and Paul Motise (Office of Compliance,
CDER, FDA, Rockville, MD) (1999).
(9) Code of Federal Regulations, Food and Drugs,
Final Rule Preamble to Part 11, at Comment
Paragraph 101, 21 CFR 11.50(a)(2) (U.S.
Government Printing Office, Washington, DC).
Also Federal Register 62(54), 13453 (1997).
(10) P. Motise, Human Drug CGMP Notes 6(2)
(1998).
(11) B.K. Immel, GMP Issues: An Electronic Eye
Opener, BioPharm 12(6), 6063 (1999).
(12) R.D. McDowall, Chromatography Data
Systems II: Specifying, Evaluating, and
Selecting a System, LCGC Int. 12(7),
422431 (1999).
(13) P. Motise, FDA Requirements for Computers
in Analytical Laboratories, paper presented at
the ECA Conference, Berlin, September 1999
(available at
www.labcompliance.com/conferences/
august99.htm).
(14) T.P. Loomis, The Best of LIMS Object and
Relational DBMS Can be Combined, Sci.
Comput. Autom. 15(3), 7376 (1998).
(15) L. Guzenda, Seven Signs That You Need an
Object Database, Sci. Data Manage. 3(5),
3033 (1999). BP
Agilent Technologies
Publication Number
5980-1305E
Reprinted from BIOPHARM, March 2000 AN ADVANSTAR
#
PUBLICATION Printed in U.S.A.
Copyright Notice Copyright by Advanstar Communications Inc. Advanstar Communications Inc. retains all rights to this article. This article may only be viewed or printed (1) for personal use. User may not
actively save any text or graphics/photos to local hard drives or duplicate this article in whole or in part, in any medium. Advanstar Communications Inc. home page is located at http://www.advanstar.com.