ERES

The Three Requirements for Authenticity in Electronic Records

Introduction to Authenticity Requirements

The ER/ES Guidelines (Guidelines for Electronic Records and Electronic Signatures in Applications for Approval or Licensing of Pharmaceuticals), which came into effect on April 1, 2005 (Heisei 17), established fundamental requirements for the authenticity of electronic records in the pharmaceutical and medical device industries in Japan. These guidelines were developed in alignment with international standards, particularly the U.S. FDA’s 21 CFR Part 11 and the principles outlined in the Pharmaceutical Inspection Co-operation Scheme (PIC/S) guidelines.

The authenticity requirement for electronic records as defined in the ER/ES Guidelines is as follows:

Electronic records must be complete, accurate, and reliable, with clear accountability for their creation, modification, and deletion.

To ensure authenticity, the following requirements must be satisfied:

(1) Rules and procedures for maintaining system security must be documented and properly implemented.

(2) The creator of stored information must be clearly identifiable. When stored information is modified, the pre-modification information must also be preserved, and the person who made the modification must be clearly identifiable. It is preferable that audit trails be automatically recorded and that these recorded audit trails can be reviewed according to predetermined procedures.

(3) Backup procedures for electronic records must be documented and properly implemented.

The Three Core Requirements of Authenticity

The requirements for authenticity can be distilled into three fundamental elements:

  1. Security
  2. Audit Trail
  3. Backup

These three requirements form an interconnected framework that ensures the integrity, reliability, and traceability of electronic records throughout their lifecycle. Each element serves a specific purpose in protecting data integrity and supporting regulatory compliance.

Security: The First Line of Defense

Security encompasses both physical and logical security measures, forming the foundation of data integrity assurance.

Physical Security

Physical security refers to the management of physical access controls, such as locks on rooms and cabinets where systems and data are housed. In modern regulated environments, this extends to server rooms, data centers, and any physical locations where electronic records are created, processed, or stored.

Entry and exit records are critically important. Not only must the time of entry be recorded, but the time of exit must also be documented each time someone leaves the secured area. This requirement applies even to temporary exits, such as during breaks or lunch periods. The rationale is straightforward: any unauthorized access during unmonitored periods could potentially compromise data integrity.

Contemporary physical security measures often incorporate:

  • Biometric access controls (fingerprint, retinal scan, or facial recognition)
  • Security cameras with timestamped recordings
  • Access card systems with detailed logging
  • Segregated areas based on data sensitivity levels
  • Environmental controls to protect hardware integrity

Logical Security

Logical security primarily involves the management of user IDs and passwords, though modern implementations extend well beyond these basic controls.

When authenticating an individual’s identity, at least two types of information are required: publicly available information and confidential information. This principle is fundamental to authentication security.

For example, a door’s keyhole is visible to everyone, but only residents possess the key that fits that specific lock. Similarly, a bank account number may be publicly visible, but only the account holder should know the PIN or password for the cash card. In this way, only those who possess the confidential information corresponding to the publicly available information can be verified as the legitimate person.

Modern authentication frameworks have evolved to include:

  • Multi-factor authentication (MFA) combining something you know (password), something you have (token or mobile device), and something you are (biometric data)
  • Single sign-on (SSO) systems with enhanced security protocols
  • Role-based access control (RBAC) ensuring users only access information necessary for their job functions
  • Time-based access restrictions
  • Automatic session timeouts to prevent unauthorized access from unattended terminals

Now that readers understand the importance of security, let us consider: why is security necessary?

The Purpose of Security

The answer is: to prevent “spoofing” (the act of impersonating another person to create, modify, delete, or approve electronic records) and “falsification” (unauthorized alteration of data). Without adequate security measures, it is impossible to prevent impersonation or the falsification of electronic records.

Security serves as the preventive control in the data integrity framework. While it cannot guarantee that violations will never occur, robust security significantly raises the barrier for potential bad actors and creates a culture of accountability within the organization.

It is worth noting that in contemporary regulatory frameworks, including EU Annex 11, PIC/S guidance, and WHO guidance on computerized systems, the concept of security has been expanded to encompass the entire information security management system (ISMS), including cybersecurity measures to protect against external threats such as ransomware and data breaches.

Audit Trail: The Detective Control

An audit trail is a system-generated, time-stamped record of events that automatically captures critical information about electronic record activities. The audit trail must record the following events:

  • Who created which record, when, and what value was entered
  • Who changed which record, when, from what value to what value, and why the change was made
  • Who deleted which record, when, and why it was deleted
  • Who electronically approved the record and when

The Purpose of Audit Trail

So why is an audit trail necessary?

The answer is: to detect falsification. Without an audit trail, it is impossible to discover whether electronic records have been falsified or tampered with.

Here, you may notice an important limitation: “spoofing” (impersonation) can never be discovered through audit trails alone.

If someone successfully impersonates another person by using their user ID and password to create, modify, delete, or approve electronic records, it is impossible to detect this through audits. The audit trail will show the legitimate user’s credentials, making the unauthorized action appear legitimate.

This reveals a fundamental truth: the integrity of any system ultimately depends on the moral conduct of its users. Even the most sophisticated technological controls cannot overcome deliberate misconduct by authorized users who abuse their access privileges.

This is precisely why education and training on password management and data integrity principles are so critically important. Organizations must foster a culture where:

  • Users understand the ethical and regulatory implications of data integrity
  • The importance of password confidentiality is regularly reinforced
  • Users are aware that they are personally accountable for all actions performed under their credentials
  • Clear consequences for policy violations are established and enforced
  • Regular training and competency assessments are conducted

Modern Audit Trail Requirements

Contemporary regulatory guidance has expanded audit trail requirements beyond the basic elements outlined in the original ER/ES Guidelines. Current expectations include:

  • Audit trails must be enabled at all times during record creation, modification, and deletion
  • Audit trails should be reviewable by authorized personnel
  • Audit trails themselves must be protected from unauthorized modification or deletion
  • System administrators should not have the ability to disable or modify audit trails
  • Regular review of audit trails should be part of routine quality oversight
  • Audit trail data should be retained for the same period as the associated electronic records
  • Critical data fields should be clearly identified, and changes to these fields should trigger enhanced scrutiny

International standards such as GAMP 5 (Good Automated Manufacturing Practice) and ALCOA+ principles (Attributable, Legible, Contemporaneous, Original, Accurate, plus Complete, Consistent, Enduring, and Available) provide additional guidance on implementing robust audit trail systems.

Backup: Protecting the Evidence

The third requirement for authenticity is backup. Backup refers to the procedures and processes that enable data restoration in the event that systems are destroyed due to catastrophic disasters, fires, or other destructive events.

In essence, backup is a disaster recovery measure.

Why Backup is an Authenticity Requirement

But why is backup considered a requirement for authenticity?

The answer is: to protect the audit trail.

If backups have not been maintained, it becomes impossible to restore audit trails in the event of system failure or data loss. Regardless of the reason, if audit trails for electronic records are lost, it becomes impossible to verify whether falsification has occurred. Consequently, authenticity cannot be guaranteed.

This reveals the interconnected nature of the three requirements: backup serves not merely as a business continuity measure, but as a critical component of the data integrity framework. Without backup, even the most robust security and audit trail systems become vulnerable to complete failure.

Modern Backup and Business Continuity Practices

Contemporary backup strategies have evolved significantly beyond simple periodic copying of data. Modern approaches include:

Backup Strategies:

  • Regular automated backups on a predetermined schedule
  • Multiple backup copies stored in geographically separate locations
  • Versioned backups that allow restoration to specific points in time
  • Differential and incremental backups to optimize storage and recovery time
  • Cloud-based backup solutions providing enhanced redundancy

Disaster Recovery Planning:

  • Documented recovery procedures tested through regular drills
  • Defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)
  • Alternative processing sites (hot sites, warm sites, or cold sites)
  • Regular validation of backup integrity through test restorations
  • Documentation of backup and restoration procedures with clearly assigned responsibilities

Data Integrity Considerations:

  • Backups must include both data and associated audit trails
  • Backup media must be stored under appropriate environmental conditions
  • Access to backup media must be controlled and logged
  • Periodic testing to ensure backups can be successfully restored
  • Verification that restored data maintains its integrity and authenticity

Regulatory guidance documents, including ICH Q7 (Good Manufacturing Practice Guide for Active Pharmaceutical Ingredients), EU GMP Annex 11 (Computerized Systems), and FDA guidance on electronic records, emphasize that backup and recovery procedures are essential elements of a compliant computerized system.

The Interconnected Framework of Authenticity

Understanding the relationship between these three requirements is essential for implementing an effective data integrity program:

Requirement Primary Function Purpose Failure Impact
Security Prevention Prevent unauthorized access, spoofing, and falsification Allows unauthorized individuals to create, modify, or delete records without accountability
Audit Trail Detection Detect and document all record creation, modification, deletion, and approval activities Makes it impossible to discover whether records have been falsified or to determine who performed actions
Backup Protection Protect audit trails and data through disaster recovery capabilities Results in permanent loss of evidence needed to verify authenticity, making data integrity verification impossible

These three requirements work in concert:

  • Security prevents unauthorized actions
  • Audit trails detect and record all actions (whether authorized or unauthorized)
  • Backup ensures that the evidence captured in audit trails remains available even in disaster scenarios

A weakness in any one of these areas compromises the entire authenticity framework. Organizations must implement all three requirements comprehensively and maintain them throughout the lifecycle of electronic records.

Conclusion: Building a Culture of Data Integrity

The three requirements for authenticity—security, audit trail, and backup—form the technical foundation for ensuring the integrity of electronic records in regulated industries. However, as this discussion has revealed, technology alone cannot guarantee data integrity.

Organizations must recognize that:

  1. Technical controls are necessary but not sufficient. While robust systems are essential, they must be complemented by effective policies, procedures, and training.

  2. Human factors are critical. The most sophisticated systems can be undermined by users who fail to protect their credentials or who deliberately circumvent controls. Building a culture where data integrity is valued and expected is as important as implementing technical controls.

  3. Continuous improvement is required. As threats evolve and technology advances, organizations must regularly reassess their controls and update them to address new challenges.

  4. Regulatory expectations continue to evolve. Organizations must stay informed about changes in regulatory guidance and industry best practices, adapting their systems and procedures accordingly.

The ER/ES Guidelines established in 2005 provided a foundational framework that remains relevant today. However, organizations implementing these requirements in the current environment should also consider more recent guidance from international regulatory bodies and adopt best practices that reflect contemporary understanding of data integrity principles.

By implementing comprehensive security measures, maintaining robust audit trails, and ensuring reliable backup and recovery capabilities—all supported by a culture that values data integrity—organizations can fulfill the authenticity requirements and maintain the trust of regulators, patients, and the public they serve.

Issuance of Administrative Notice on Manufacturing and Quality Management Systems for Pharmaceutical Manufacturers Previous post Differences in Regulatory Requirements Between Western Countries and Japan Next post

Related post

Comment

There are no comment yet.