When metadata is used in the context regulated GxP activities, we must carefully consider its relationship with GxP electronic records and its regulatory impact.
The regulatory requirements for electronic records are defined within the FDA’s 21 CFR Part 11 regulations, however, the requirements pertaining to metadata are less clear. Let's uncover the regulatory impact of metadata and what actions could be taken to mitigate regulatory risks.
What is metadata?
For those who are not too familiar with what metadata is, a commonly used analogy is that of a library catalog card, which contains high level information about a book, including, its author, title, subject, etc. The purpose of the catalog card is to make it easier for a person to find a specific book stored within the library’s entire collection. Likewise, the main purpose of metadata is to facilitate in the discovery of relevant information. In some cases, metadata may also be used to provide supplementary information about the data, such as:
-
Time and date of creation
-
Creator or author of the data
-
Location on a computer network where the data were created
How does metadata relate to GxP activities?
The regulatory impact of metadata is largely dependent on how the metadata is used in the context of regulated activities. When metadata is used to provide information on a regulated electronic record, it likely has a direct regulatory impact. The following are several examples of how metadata can be used in relation to electronic records:
-
To capture audit trail information about the electronic record
-
To classify the electronic record and facilitate navigation
-
As a parameter within an automated business process
-
To provide business intelligence metrics
In order to determine the specific regulatory impact, the first thing we need to do is identify the electronic records that are being managed within a given computerized system. In some cases, the electronic records may be in the form of discreet data elements, such as test results from an HPLC laboratory instrument. In other cases, the records may be in the form of documents, stored within an Electronic Document Management System (EDMS).
Let’s take a look at a typical example of a GxP record and its associated metadata:
A Standard Operating Procedure (SOP) is stored as a PDF document within an EDMS and is used in the context of regulated activities. Metadata is used to describe key attributes of the document, including its Title, Document Type, Effective Date, Department, etc. Metadata is also used to capture audit trail information and to automatically provide users with access to the record based on the department to which they belong.
Should the metadata on the document not accurately reflect the SOP’s information, the system could mistakenly provide users with access to the incorrect SOP, or the record’s audit trail information could be inaccurate. In this example, the metadata plays a crucial role in a regulated process and therefore poses a regulatory risk.
How do we mitigate the regulatory risks?
To mitigate regulatory risks it is vital that proper controls be implemented to ensure the accuracy and integrity of the meta data be maintained throughout the SOP’s lifecycle. These controls can be both technical and procedural, as described in the following table.
Control |
Purpose / Objective |
---|---|
Logical Security |
Protection of database where metadata is stored to prevent unauthorized access |
Electronic Record Retention |
Prevent deletion of records and associated audit trail information throughout retention period |
Computer System Validation |
Validation testing to verify metadata accuracy and to verify the effectiveness of controls used to manage the metadata throughout its lifecycle
|
The key steps
We have seen that through its relationship with electronic records, metadata can have a direct regulatory impact and actions should be taken to ensure regulatory risks are mitigated. So to summarize briefly, the following are the steps that I recommend following whenever dealing with metadata in the context of GxP regulated electronic records: