Note: The content of this paper is a chapter of a new book on computer systems validation using Annex 11. This will be published by early 2015.
The safety of a computer system is reflected by the confidentiality, integrity, and availability of the system. The integrity of the systems includes the integrity of the electronic records (erecs). Records provide evidence of various actions taken to demonstrate compliance with instructions (e.g., activities, events, investigations, and, in the case of manufactured batches, a history of each batch of product, including its distribution). Records include the raw data that is used to generate other records. For electronic records, regulated users should define which data are to be used as raw data. At least, all data on which quality decisions are based should be defined as raw data (1).
Data Integrity - The property that data has not been altered in an unauthorized manner. Data integrity covers data in storage, during processing, and while in transit. (2)
When an inspector of a competent authority has to assess an installed computer system at a regulated user’s site, the inspector considers the potential risks, from the computer system to product/material quality or data integrity, as identified and documented by the regulated user in order to assess the fitness for purpose of the particular system (3).
Erecs can be easily changed with no cross-outs or other indications of the change. The design of database software systems can incorporate functions to automatically maintain an audit trail of changed erecs. This audit trail should maintain the original erecs, their source, and any changed erecs, along with the date and identity of the initiator(s). Alternatively, access to software and erecs files can be restricted to authorized individuals with physical and logical methods, in addition to the use of manual methods to create and maintain audit trails.
The ability to write to critical software or erecs files can be restricted by hardware or software. The access to individual records within a database or a file should be controlled to prevent simultaneous editing of a record or a file by more than one user. Record-locking is a software technique that limits access, with editing authority, to individual records in a database. Similar techniques are employed in source code control programs to prevent unauthorized changes to a program's source code files.
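The audit trail and record-locking controls described above can be sketched as follows. This is an added example, not code from the paper or from Annex 11; it assumes an SQLite store, and the table, column, and function names are hypothetical.

```python
import sqlite3

# Constructed schema. In production, DDL rights (e.g. dropping triggers)
# must also be restricted to authorized individuals.
SCHEMA = """
CREATE TABLE erec (
    id INTEGER PRIMARY KEY,
    value TEXT NOT NULL,
    modified_by TEXT NOT NULL,  -- identity of the initiator of the last write
    locked_by TEXT              -- user holding the edit lock, NULL when free
);
CREATE TABLE audit_trail (
    seq INTEGER PRIMARY KEY AUTOINCREMENT,
    erec_id INTEGER NOT NULL, action TEXT NOT NULL,
    old_value TEXT,             -- the original erec content is kept here
    new_value TEXT, changed_by TEXT NOT NULL, changed_at TEXT NOT NULL
);
-- Every creation or change of an erec is logged automatically.
CREATE TRIGGER erec_created AFTER INSERT ON erec BEGIN
    INSERT INTO audit_trail (erec_id, action, old_value, new_value, changed_by, changed_at)
    VALUES (NEW.id, 'create', NULL, NEW.value, NEW.modified_by,
            strftime('%Y-%m-%dT%H:%M:%fZ', 'now'));
END;
CREATE TRIGGER erec_changed AFTER UPDATE OF value ON erec BEGIN
    INSERT INTO audit_trail (erec_id, action, old_value, new_value, changed_by, changed_at)
    VALUES (NEW.id, 'change', OLD.value, NEW.value, NEW.modified_by,
            strftime('%Y-%m-%dT%H:%M:%fZ', 'now'));
END;
-- Erecs cannot be deleted, and the audit trail is append-only.
CREATE TRIGGER erec_no_delete BEFORE DELETE ON erec BEGIN
    SELECT RAISE(ABORT, 'erecs cannot be deleted'); END;
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_trail BEGIN
    SELECT RAISE(ABORT, 'audit trail is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_trail BEGIN
    SELECT RAISE(ABORT, 'audit trail is append-only'); END;
"""

def open_store():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def create(conn, user, value):
    with conn:
        cur = conn.execute("INSERT INTO erec (value, modified_by) VALUES (?, ?)", (value, user))
    return cur.lastrowid

def acquire_lock(conn, erec_id, user):
    # Atomic test-and-set: only one user can hold the edit lock on a record.
    with conn:
        cur = conn.execute("UPDATE erec SET locked_by = ? WHERE id = ? AND locked_by IS NULL", (user, erec_id))
    return cur.rowcount == 1

def release_lock(conn, erec_id, user):
    with conn:
        conn.execute("UPDATE erec SET locked_by = NULL WHERE id = ? AND locked_by = ?", (erec_id, user))

def edit(conn, erec_id, user, new_value):
    # The write succeeds only for the lock holder; the trigger logs old and new values.
    with conn:
        cur = conn.execute("UPDATE erec SET value = ?, modified_by = ? WHERE id = ? AND locked_by = ?",
                           (new_value, user, erec_id, user))
    if cur.rowcount != 1:
        raise PermissionError(f"{user} does not hold the edit lock on erec {erec_id}")

def history(conn, erec_id):
    return conn.execute("SELECT action, old_value, new_value, changed_by FROM audit_trail "
                        "WHERE erec_id = ? ORDER BY seq", (erec_id,)).fetchall()
```

Because the audit rows are written by database triggers rather than by the application, a change to an erec value cannot be committed without its audit entry, and an audit entry cannot be rewritten or deleted afterwards.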
This paper discusses the controls proposed by the European Union (EU) Annex 11 (4) in support of electronic records integrity.
EU Annex 11 is not a legal requirement; it is a guideline in the context of the EU good manufacturing practices (GMPs). However, Annex 11 is mandatory on each EU national level since the member states have to endorse the EU GMP Guideline within the scope of the national healthcare legislation.
The precise implementation of Annex 11 ensures that the computer systems can be used in the manufacture of medicinal products without any adverse impact on quality, efficacy, or patient safety, including electronic records integrity.
Recent data integrity issues uncovered by the regulatory agencies and competent authorities at regulated users have revived the dialog within the industry on this subject.
Figure: Inspection Trends from 1990 to 2014.
Since 2004, worldwide inspection trends have seen an increased focus on data integrity. The regulatory requirements regarding the integrity of electronic records cover paper-based records as well.
This attention to erecs integrity may be related to the better understanding among the regulatory agencies, competent authorities, and the industry of the United States Food and Drug Administration Code of Federal Regulations Title 21 Part 11, Electronic Records: Electronic Signatures.
Table I depicts the recent cases on computer-related data integrity documented by regulatory agencies or competent authorities after the associated inspections.
Table I: 2013–2014 Data Integrity Cases.
|Hospira||March 2013||483||211.180(d)||Data Integrity.|
|Puget Sound Blood Center and Program||April 2013||Warning Letter (WL)||211.68(b)||Lack of I/O Verification (Data Accuracy).|
|RPG Life Sciences Limited||May 2013||WL||211.68(b)||The computer system being used for high-performance liquid chromatography (HPLC) did not have adequate controls to prevent unrecorded changes to data.|
|Fresenius Kabi AG||July 2013||WL||API||Unacceptable practices in the management of electronic data.|
|Aarti Drug Limited||July 2013||WL||API||Failure to implement access controls and audit trails for laboratory computer systems.|
|Wockhardt Limited||July 2013||WL||211.194(a)||Failure to ensure that laboratory records included complete data derived from all tests necessary to assure compliance with established specifications and standards.|
|Posh Chemicals Pvt Ltd||August 2013||WL||API||Failure to protect computerized data from unauthorized access or changes.|
|Agila Specialist Private Limited||September 2013||WL||211.68(b)||The computer system being used for HPLC did not have adequate controls to prevent unrecorded changes to data.|
|Smruthi Organics Ltd.||October 2013||Statement of non-compliance with GMPs.||European Union’s GMP guideline||The agency observed manipulation and falsification of documents and data in different departments. There was no raw data available in the quality control laboratory for the verification of compendial analytical methods (French Health Products Safety Agency).|
|Ind-Swift Limited||October 2013||Statement of non-compliance with GMPs.||European Union’s GMP guideline||It was not possible to confirm the validity of stability testing data. Several falsified and inaccurate results had been reported in long-term stability and batch testing. Discrepancies between electronic data and those results formally reported were identified. Established processes to verify data accuracy and integrity had failed, and there had been no formal investigation raised by the company. The company provided commitments to address the data integrity concerns and initiated a wider review of quality critical data. Additional discrepancies were identified in process validation and release data. During on-going communications with the licensing authority regarding the data review, the company failed to disclose data integrity issues for all products. No satisfactory explanation was given for this discrepancy (Medicines and Healthcare Products Regulatory Agency [MHRA]).|
|Zeta Analytical Ltd||November 2013||Statement of non-compliance with GMPs.||European Union’s GMP guideline||The computer system being used for HPLC did not have adequate controls to prevent unrecorded changes to data (MHRA).|
|Wockhardt Limited||December 2013||WL||211.68(b)||The computer system being used for HPLC did not have adequate controls to prevent unrecorded changes to data.|
|Seikagaku Corporation||December 2013||Statement of non-compliance with GMPs.||European Union’s GMP guideline||The critical deficiency concerns systematic rewriting/manipulation of documents, including QC raw data. The company has not been able to provide acceptable investigations and explanations to the differences seen in official and non-official versions of the same documents (Competent Authority of Sweden).|
|Ranbaxy Laboratories, Inc.||January 2014||483||211.68(b)||The computer system being used for HPLC did not have adequate controls to prevent unrecorded changes to data.|
|Punjab Chemicals and Crop Corporation Limited||January 2014||Statement of non-compliance with GMPs.||European Union’s GMP guideline||One individual training file of an employee has been observed to be recently rewritten; the batch manufacturing record was lacking details with regard to manufacturing steps and in-process controls. The sample retention logbook for Trimethoprim had falsified entries (French Health Products Safety Agency).|
|USV Limited||February 2014||WL||211.68(b)||The computer system being used for quality control laboratory did not have adequate controls to prevent unrecorded changes to data.|
|Canton Laboratories Private Limited||February 2014||WL||API||The computer system being used for atomic absorption spectrophotometer did not have adequate controls to prevent unrecorded changes to data.|
|SOMET||March 2014||Statement of non-compliance with GMPs.||European Union’s GMP guideline||Complete records of raw data generated during cleanliness tests by thin layer chromatography are missing (French Health Products Safety Agency).|
|Smruthi Organics Ltd.||March 2014||WL||API||Failure to maintain complete and accurate laboratory test data generated in the course of establishing compliance of APIs to established specifications and standards.|
The deficiencies found in the recent cases of data integrity include:
- Insufficient controls on security
- Inconsistencies between erecs and paper-based records
- Computer users in the laboratory being able to delete data from analyses
- Audit trail function disabled
- Lack of records for the acquisition or modification of laboratory data
- Personnel sharing login IDs for systems
- No procedure for the backup and protection of data on the standalone workstations
- Analysts sharing the username and password for the Windows operating system
- No computer lock mechanism being configured to prevent unauthorized access to the operating systems.
The principles set forth in Annex 11 will not correct regulated users who deliberately engage in unreliable or unlawful behavior.
In December 2013, the MHRA, UK’s medicines and medical devices regulatory agency, declared that as of 2014, pharmaceutical manufacturers, importers, and contract laboratories are expected to verify data integrity in the context of self-inspections.
Annex 11 Erecs Integrity Basics
Erecs integrity controls maintain and assure the accuracy and consistency of erecs over their entire lifecycle, and they are a critical aspect of the design, implementation, and usage of any system that stores, processes, or retrieves GMP-related records (i.e., regulated records in this paper) in electronic format.
The Commission Directive 2003/94/EC, setting out the legal requirements for EU GMP, establishes the basic principles of erecs integrity in its Chapter II, Article 9 (5):
“When electronic, photographic or other data processing systems are used instead of written documents, the manufacturer shall first validate the systems by showing that the data will be appropriately stored during the anticipated period of storage. Data stored by those systems shall be made readily available in legible form and shall be provided to the competent authorities at their request. The electronically stored data shall be protected, by methods such as duplication or back-up and transfer on to another storage system, against loss or damage of data, and audit trails shall be maintained.”
A similar requirement can be found in 91/412/EEC (6).
These two directives are implemented via Annex 11. As depicted in Table II, Annex 11 covers the preservation of the content, context, and structure of the electronic records by implementing controls on erecs, erecs storage, audit trails and periodic review, and security.
Table II: Annex 11 Clauses and Erec Lifecycle
|Analysis and Design||Erecs Creation, Access, and Use and Reuse||Erecs Archiving||Erecs Destruction|
|11-1 Note: Based on Annex 11-1, the implementation of the Annex 11 items listed under “Access, Use and Reuse” is designed in the project phase.||11-4.8; 11-5; 11-6; 11-7; 11-8; 11-9; 11-11; 11-12; 11-16||11-17||Discard and purge erecs according to an approved procedure.|
Each of the Annex 11 clauses is implemented during the applicable system lifecycle (SLC) phase. Refer to Table III.
Annex 11 Erecs Integrity Approach
To establish the integrity of the erecs, they must be trustworthy.
In the context of the good clinical practice (GCP) (7), to consider trustworthy the electronic source data (8) and the erecs that hold those source data, a number of attributes must be achieved. These include that the data and records are:
- Available when needed.
From the records management viewpoint of the US National Archives and Records Administration (NARA), all of the above trustworthy attributes of an erec can be summarized as reliability, authenticity, integrity, and usability:
- Reliability: A reliable record is one whose contents can be trusted as a complete and accurate representation of the transactions, activities, or facts to which they attest and can be depended upon in the course of subsequent transactions or activities (9).
- Authenticity: A condition that proves that a record is authentic and/or genuine based on its mode (i.e., method by which a record is communicated over space or time), form (i.e., format and/or media that a record has when it is received), state of transmission (i.e., the primitiveness, completeness, and effectiveness of a record when it is initially set aside after being made or received), and manner of preservation and custody (10).
- Integrity: Data that has retained its integrity has not been modified or tampered with.
- Usability: In the context of erecs, usability is the extent to which the erecs can be used by specified users to achieve specified goals with effectiveness, efficiency, and satisfaction in a specified context of use (11).
These attributes allow those individuals who depend on the erecs to correctly fulfill their business function.
To ensure authentic, reliable, complete, and usable records, a record-keeping system must preserve the following:
- Content: The information within the records
- Context: The circumstances under which the records were created or received (who, when, how, and why)
- Structure: The relationship between the parts of the record.
“A means of ensuring data protection should be established for all computerized systems.” (12).
If these three factors are not properly controlled, the information that the erecs must convey might not be complete, accurate, or usable.
The processing and integrity of the data, from the data initially recorded in electronic format (electronic source data) to the final output (erecs), is considered to be critical for every computer system. Added criticality can be attributed to computer systems that make decisions on product quality.
The technical and procedural controls of a computer system should address the erecs integrity issues throughout the lifecycle of the records: the source data, erecs throughout the record retention period, and destruction of the record.
The validation of a computer system must address the implementation and maintenance of the controls to enable integrity, including data entered manually and automatically acquired and data processing.
Technical and procedural controls are required to maintain the accuracy, integrity, and reliability of erecs. Documentary evidence is needed to demonstrate these controls are fit for purpose, including:
- A written specification and design that describes the purpose of the system and the system’s methodology
- A written test plan based on the specification and design, including both structural and functional analysis
- Test results and an evaluation of how these results demonstrate that the predetermined specification, design, and controls have been met; furthermore, periodic verifications and evaluations of the implementation of the controls to assess business and regulatory compliance.
Understanding the erecs lifecycle concept can help in conceptualizing the controls applicable to ensure authenticity and trustworthiness of the records. Creation, access, use and reuse, and, finally, destruction of erecs can be considered as the phases of the erecs lifecycle. The system lifecycle is all phases in the life of the system from initial requirements until retirement, including design, specification, programming, testing, installation, operation, and maintenance (4). Refer to Table II.
Table III: Controls Based on SLC Phase
|Computer SLC Phase||Records Life Cycle||Erecs Controls|
|General Phase – Requirements||Analysis||
|Project Phase – Specification, Design, Programming, Testing, Installation||Analysis||
|Operational and Maintenance Phases||Creation, Access, Use and Reuse, Archiving, Transfer, Archiving, or Destruction||
|Retirement Phase||Erec Destruction||
The above correlation establishes the applicable controls relative to the computer system lifecycle phase. Note that a risk evaluation and mitigation must be applied during the operational phase via the regular periodic reviews (11-11).
One of the most neglected areas in erecs integrity is the preservation of erecs as part of the planning to retire the computerized system that generates the erecs.
The erecs preservation plan must include one of the following options:
- Assurance that a new system will be able to retrieve erecs from previous systems
- Preservation of previous applications
- An archive of hard copies (when allowed)
- Completion of system documentation and validation dossier.
After executing the erecs preservation plan, ensure that the Quality Assurance (QA) unit of the regulated user performs an audit on the preservation documentation. The audit will verify the traceability between planning and implementation and will assess the successful execution of the preservation plan (14).
Since 2004, the worldwide inspection trends have focused on data integrity. The key factor in order to consider erecs as trustworthy records is that the record-keeping functions within the computer system must preserve the content, context, and structure of the electronic records. The controls to preserve the content, context, and structure of an electronic record are comprehensively contained in the Annex 11.
These controls must be part of the design and enforced during the operations of computer systems. During the periodic reviews, the system and the risks associated with the computer system are reviewed, and the controls may be re-evaluated.
1. European Commission, EudraLex - Volume 4 Good manufacturing practice (GMP).
2. NIST, Special Publication 800-33: Computer Security, National Institute of Standards and Technology, December 2011.
3. PIC/S, PIC/S Guide PI 011-1, Section 4.12, Good Practices for Computerised Systems in Regulated “GXP” Environments, August 2003.
4. EU, EudraLex - Volume 4 Good manufacturing practice (GMP): Annex 11 Computerized Systems (January, 2011).
5. EU, Directive 2003/94/EC, European Commission Directive Laying Down the Principles and Guidelines of Good Manufacturing Practice for Medicinal Products for Human Use and Investigational Medicinal Products for Human Use, 2003.
6. EU, Directive 91/412/EEC, European Commission Directive Laying Down the Principles and Guidelines of Good Manufacturing Practice for Veterinary Medicinal Products, 1991.
7. EMA, “Reflection paper on expectations for electronic source data and data transcribed to electronic data collection tools in clinical trials,” EMA/INS/GCP/454280/2010, GCP Inspectors Working Group (GCP IWG), 2010.
8. Electronic Source Data: Data initially recorded in electronic format or certified copies of original records (EMA/INS/GCP/454280/2010, GCP Inspectors Working Group (GCP IWG), “Reflection paper on expectations for electronic source data and data transcribed to electronic data collection tools in clinical trials”). Certified Copy: A copy (paper or electronic) of original information that has been verified, as indicated by a dated signature, as an exact copy, having all of the same attributes and information as the original (FDA, Guidance for Industry – Electronic Source Data in Clinical Investigations, Rockville, MD, Sept. 2013).
9. National Archives and Records Administration, USA National Archive.
10. DOD, 5015.2-STD Electronic Records Management Software Applications Design Criteria Standard, USA Department of Defense (Washington, D.C., April 25th, 2007).
11. ISO 9241, Ergonomics of Human System Interaction, August 2009.
12. HC-GC, Health Canada GMP Guidelines for API (GUI-0104) (Ottawa, CA, December 6th, 2013) and ICH Q7, Good Manufacturing Practices for Active Pharmaceutical Ingredients (Geneva, CH, November 10th, 2000).
13. CEFIC, Computer Validation Guide, API Committee of CEFIC, December 2002.
14. ISPE/PDA, Good Electronic Records Management (GERM), 2002.
15. WHO, “Validation of Computerized Systems, Annex 4, Part 5,” Technical Report Series 937, 2006.
16. G. Wingate, Validating Automated Manufacturing and Laboratory Applications: Putting Principles into Practice, Taylor & Francis, 1997.
17. O. López, “Maintaining the Validated State in Computer Systems,” Journal of GXP Compliance 17 (2), 2013.