未分類

Electronic Raw Data Identification and Data Integrity Assurance

Electronic Raw Data Identification and Data Integrity Assurance

The Critical Importance of Electronic Raw Data Identification

The foundation of ensuring data integrity lies in the proper identification of electronic raw data. Due to the inherent characteristics of electronic records, identical copies can be created through multiple replications, making it extremely challenging to determine which data represents the true raw data. Given this characteristic, it becomes essential to clearly define electronic raw data within Standard Operating Procedures (SOPs).

Understanding this concept requires recognizing a fundamental difference between paper and electronic records. When you photocopy a paper document, subtle differences in quality, alignment, or marks typically distinguish the original from the copy. However, electronic files can be copied perfectly with no distinguishable differences between the original and subsequent copies. This perfect reproducibility creates both opportunities and challenges for pharmaceutical quality systems.

Definition of Raw Data and Maintaining Consistency

The definition of raw data must specifically address how data is handled at each stage of its lifecycle. For instance, consider a temperature and humidity monitoring system: data may exist on the SD card of the measuring instrument connected to the monitoring device, then be transferred to a computer, and subsequently backed up to a server. Within this data lifecycle, organizations must clearly determine which point represents the official raw data.

To illustrate this concept more concretely, imagine a stability study where temperature data is critical for regulatory compliance. The same temperature reading might exist in multiple locations simultaneously:

  • On the SD card of the data logger itself
  • In a local computer database after download
  • On a network server after backup
  • In printed reports generated for review

Each of these represents the same information, but from a regulatory perspective, only one should be designated as the raw data. This designation determines where controls must be most stringent and where the official record resides for regulatory inspection purposes.

Once this definition is established, it must be maintained rigorously to prevent arbitrary changes that could compromise data integrity. Any modification to the raw data definition should follow a formal change control process with documented justification and appropriate approvals. This consistency is crucial because changing the definition of raw data could be used as a means to circumvent data integrity controls or conceal data that does not support desired outcomes.

Requirements for Raw Data Management

Data designated as raw data must meet several stringent requirements that reflect current Good Manufacturing Practice (cGMP) and Good Laboratory Practice (GLP) expectations:

Security Measures: Implementation of robust security controls to prevent unauthorized access is paramount. This includes role-based access controls, strong authentication mechanisms (such as multi-factor authentication for critical systems), and physical security measures where applicable. Modern systems should implement the principle of least privilege, where users only have access to the specific data and functions necessary for their job responsibilities.

Audit Trail: All changes to the data must be captured in a comprehensive audit trail that records who made the change, what was changed, when it was changed, and why it was changed (the “reason for change” field). The audit trail itself must be secure, computer-generated, and time-stamped. It should be independently reviewable and not modifiable by system administrators or other users. Contemporary regulatory expectations, as articulated in FDA’s guidance on data integrity and compliance (updated in 2018 and reinforced through subsequent warning letters), emphasize that audit trails should capture both successful and unsuccessful attempts to access or modify data.

Backup Systems: Establishment of a robust backup regime to prevent data loss is essential. This should include regular automated backups, verification of backup integrity, and documented procedures for data restoration. Best practices include following the 3-2-1 backup rule: maintaining three copies of data, on two different media types, with one copy stored off-site. Additionally, organizations should periodically test their restoration procedures to ensure backups are viable.

Additional Contemporary Considerations: Modern data integrity frameworks, influenced by the ALCOA+ principles (Attributable, Legible, Contemporaneous, Original, Accurate, plus Complete, Consistent, Enduring, and Available), require additional considerations:

  • Data should be retained in its original electronic format throughout the required retention period
  • Systems should prevent or detect unauthorized data deletion
  • Metadata (data about data) must be preserved alongside the primary data
  • Systems should have documented disaster recovery and business continuity plans

Portable media such as SD cards often cannot adequately satisfy these requirements due to their limited security features, lack of built-in audit trail capabilities, and vulnerability to physical damage or loss. Therefore, organizations should consider transitioning to appropriate electronic systems that can meet these comprehensive requirements. Modern cloud-based or server-based solutions with validated data integrity controls are typically more suitable for GxP applications than portable media storage.

The Typewriter Excuse Problem

A particularly important concept in electronic record management is what is known as the “typewriter excuse.” This refers to an attempt to treat a computer as merely a printing device, similar to a typewriter, when printing electronic records onto paper for signature. This approach argues that since the final record is paper with a handwritten signature, the electronic system need not comply with electronic record regulations.

However, this argument is categorically rejected by regulatory authorities, and understanding why reveals important principles about data integrity. The fundamental distinction lies in the functional differences between typewriters and computers:

Typewriter Limitations: A typewriter can only produce a single original document at the time of typing. Once created, that physical document is unique, and any attempt to recreate it would produce a visibly different document. The temporal relationship between the creation of the content and its physical manifestation is essentially locked together.

Computer Capabilities: In contrast, a computer retains the electronic record indefinitely and can reproduce it perfectly at any time. This creates a critical vulnerability: data could theoretically be modified just before an inspection, reprinted, and backdated with a signature to appear as though it was created and approved at an earlier time. The temporal relationship between data creation, review, and approval can be manipulated if only paper records are controlled.

Consider this scenario to understand the regulatory concern: An analyst conducts a test and records results electronically on Monday, showing out-of-specification (OOS) results. If proper electronic controls are not in place, the analyst could theoretically modify the electronic data on Friday (before an inspection), reprint it showing passing results, and have it signed with Monday’s date, making it appear as though the OOS results never occurred. The paper signature would provide no protection against this type of fraud because the electronic record—the true original—was altered before printing.

Regulatory Authority Perspectives

United States Regulations

The U.S. Food and Drug Administration (FDA) has clearly articulated that even when ultimate management is conducted using paper records, as long as electronic records are maintained, FDA 21 CFR Part 11 (commonly referred to as “Part 11”) applies to those electronic records. This regulation, formally titled “Electronic Records; Electronic Signatures,” establishes the criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records and handwritten signatures.

Part 11 encompasses two main components:

Subpart B – Electronic Records: This section addresses requirements for systems that create, modify, maintain, or transmit electronic records. Key requirements include validation of systems, the ability to generate accurate and complete copies of records, protection of records throughout their retention period, and audit trail functionality.

Subpart C – Electronic Signatures: This section establishes requirements for electronic signatures to be legally equivalent to handwritten signatures. Requirements include unique identification of individuals, non-repudiation (the signer cannot later deny having signed), and appropriate controls to ensure signature integrity.

The FDA has issued additional guidance documents to clarify the application of Part 11, including:

  • “Guidance for Industry: Part 11, Electronic Records; Electronic Signatures – Scope and Application” (2003), which narrowed the focus to records required by predicate rules
  • “Data Integrity and Compliance With Drug CGMP: Questions and Answers” (December 2018), which provides contemporary expectations for data integrity practices

Japanese Regulations

In Japan, similar principles are established through the “ER/ES Guidance” (full title: “Guidance on the Use of Electromagnetic Records and Electronic Signatures in Applications for Approval or Licensing of Pharmaceuticals”). This guidance was issued by the Ministry of Health, Labour and Welfare (MHLW) and harmonizes with international standards, particularly ICH guidelines.

The Japanese regulatory framework emphasizes several key principles that align with FDA expectations:

  • Electronic records must maintain their integrity throughout their lifecycle
  • Systems must be validated to ensure they function as intended
  • Access controls must prevent unauthorized modification of data
  • Audit trails must capture all relevant data changes
  • Electronic signatures must be uniquely attributable to individuals and secured against falsification

International Harmonization

The consistency between U.S. and Japanese regulations reflects broader international harmonization efforts. The International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use (ICH) has developed several relevant guidelines:

ICH Q7 (Good Manufacturing Practice Guide for Active Pharmaceutical Ingredients): Contains specific provisions regarding data integrity and electronic records in API manufacturing.

ICH E6(R2) (Good Clinical Practice): Updated in 2016 to include explicit requirements for computerized systems used in clinical trials, emphasizing the importance of data integrity, audit trails, and system validation.

ICH Q9 (Quality Risk Management): While not specifically about electronic records, this guideline provides a framework for assessing data integrity risks in electronic systems.

Additionally, the Pharmaceutical Inspection Co-operation Scheme (PIC/S), of which both the U.S. FDA and Japan’s Pharmaceuticals and Medical Devices Agency (PMDA) are members, has issued guidance on data integrity (PI 041-1, September 2021). This guidance emphasizes the ALCOA+ principles and provides detailed expectations for managing electronic data throughout its lifecycle.

European Union Perspective

For completeness, it’s worth noting that the European Medicines Agency (EMA) and EU member state authorities have similarly addressed these issues through:

  • Annex 11 to the EU GMP Guidelines (Computerised Systems)
  • EMA guidance on GMP for medicinal products for human and veterinary use
  • MHRA guidance on GMP data integrity definitions and guidance for industry (March 2018, revised March 2021)

These documents consistently reinforce that electronic records require appropriate controls regardless of whether they are ultimately printed to paper, and that the “typewriter excuse” is not acceptable in any regulated pharmaceutical operations.

Practical Implementation Considerations

Organizations implementing electronic data integrity controls should consider the following practical steps:

System Selection: When choosing electronic systems for GxP applications, ensure they have built-in audit trails, appropriate security features, and can be validated according to regulatory requirements. Systems should be evaluated against user requirement specifications that explicitly address data integrity needs.

Risk Assessment: Conduct a thorough risk assessment of existing electronic systems to identify where data integrity vulnerabilities may exist. This assessment should consider not only the technical capabilities of the system but also the procedural controls and human factors that influence data integrity.

SOP Development: Develop comprehensive SOPs that clearly define raw data, specify how electronic records should be handled at each lifecycle stage, and establish procedures for backup, archival, and retrieval of electronic data. These procedures should be specific enough to prevent ambiguity but flexible enough to accommodate reasonable variations in practice.

Training: Ensure all personnel who work with electronic records receive appropriate training not only on how to use the systems but also on the importance of data integrity and the regulatory expectations. Training should include real-world examples of data integrity failures and their consequences.

Periodic Review: Establish a program for periodic review of electronic data integrity controls to ensure they remain effective as systems evolve and as regulatory expectations continue to develop. This should include periodic audit of audit trails to detect any unusual patterns that might indicate integrity issues.

Conclusion

The identification and management of electronic raw data represent critical elements of pharmaceutical quality systems in the modern era. As technology continues to evolve, the fundamental principles of data integrity remain constant: data must be attributable, legible, contemporaneous, original, and accurate throughout its lifecycle. The “typewriter excuse” fails because it ignores the fundamental reality that electronic records possess capabilities far beyond simple printing devices, and these capabilities create both opportunities for improved efficiency and risks that must be managed through appropriate controls.

Organizations must embrace the reality that electronic records require electronic controls, regardless of whether those records are eventually printed to paper. By clearly defining raw data, implementing robust technical and procedural controls, and maintaining these standards consistently over time, pharmaceutical manufacturers and researchers can ensure their data integrity programs meet current regulatory expectations and protect patient safety—the ultimate goal of all pharmaceutical quality systems.

The international harmonization of regulatory requirements in this area reflects a global consensus on the importance of data integrity and provides a clear framework for organizations operating across multiple jurisdictions. As we move further into 2026 and beyond, the trend toward fully electronic quality systems will continue, making the principles discussed in this article even more relevant for pharmaceutical operations worldwide.

FDA Organization and Inspection System Previous post What is R-MAP? Next post

Related post

Comment

There are no comment yet.