Are PDFs secure enough for GxP?

PDFs in GxP Monitoring system records
Paul Daniel, Senior Regulatory Compliance Expert
Paul Daniel
Senior GxP Regulatory Expert
Life Science

This is a question that came up during our webinar on Data Integrity. In this blog, we answer it at length. It is a common concern because, with the right software, PDFs are editable. But no document or file exists in a vacuum. A document exists within a system, and in the case of GxP environments, that system is tightly controlled. In the case of Vaisala’s viewLinc monitoring system, the GMP data is always in viewLinc’s database. The .PDF report is only a representation of that data, which facilitates review and approval of the data, either on paper or by import of the .PDF file into an electronic signature system. The .PDF electronic file, in a properly controlled system, should never be sitting around unattended for someone to edit.

However, let’s say someone did attempt to edit a viewLinc report. Here is what would happen:

First, the data on the .PDF would no longer match the data in the viewLinc database. A mismatch between the database and the .PDF document would reveal evidence of the changes.

Second, the .PDF (which is a graphics file) might be changed to show a different temperature value, but the metadata of the .PDF file would show the change. This is further evidence of file tampering.
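A sketch of the metadata check described above, written for this article as an added example and not taken from viewLinc or any Vaisala tool. It assumes an uncompressed Info dictionary, and the two sample byte strings are constructed; treat the results as indicators for a reviewer, not proof.

```python
import re

# Constructed sample: a minimal PDF-like file as a report generator might write
# it, and the same file after an editor appended an incremental update.
ORIGINAL = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Producer (ExampleReportGenerator) "
    b"/CreationDate (D:20240105080000Z) /ModDate (D:20240105080000Z) >>\nendobj\n"
    b"trailer\n<< /Info 1 0 R >>\nstartxref\n9\n%%EOF\n"
)
EDITED = ORIGINAL + (
    b"1 0 obj\n<< /Producer (ExampleEditor) "
    b"/CreationDate (D:20240105080000Z) /ModDate (D:20240212173000Z) >>\nendobj\n"
    b"trailer\n<< /Info 1 0 R /Prev 9 >>\nstartxref\n200\n%%EOF\n"
)

DATE_RE = {
    key: re.compile(rb"/" + key + rb"\s*\(D:(\d{14})")
    for key in (b"CreationDate", b"ModDate")
}

def tamper_indicators(pdf_bytes):
    """Return a list of metadata findings that suggest the file was re-saved."""
    findings = []
    # Editors usually append a new revision; each revision ends with %%EOF.
    revisions = pdf_bytes.count(b"%%EOF")
    if revisions > 1:
        findings.append(f"{revisions} revisions (incremental update appended)")
    # Fixed-width digit strings compare correctly as bytes.
    created = DATE_RE[b"CreationDate"].findall(pdf_bytes)
    modified = DATE_RE[b"ModDate"].findall(pdf_bytes)
    if created and modified and max(modified) > min(created):
        findings.append("ModDate is later than CreationDate")
    producers = set(re.findall(rb"/Producer\s*\(([^)]*)\)", pdf_bytes))
    if len(producers) > 1:
        findings.append("more than one /Producer value")
    return findings

if __name__ == "__main__":
    print("original:", tamper_indicators(ORIGINAL))
    print("edited:  ", tamper_indicators(EDITED))
```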

In a properly controlled system, the .PDF report would be sent directly and electronically to the Electronic Document Management System to be routed for signature. There would be no chance for editing before or during transmission, and once in the Signature System, it would be protected from changes. (And notably, the document only remains valid as long as it stays within the Signature System. Removing it renders it invalid.)

As an analogy, consider a common paper-based system such as real estate transactions. Those signatures are given in front of a notary, so there is an independent record of the signature events, the proof of identity of the people, and the paper-signed copies in the hands of a disinterested third party. You could claim that such a paper record is easy to edit and fake, but what happens if you take a copy, make some changes, and walk into the local land authority (here in the US it might be the Title Agency, or the Tax Assessor's office) and claim that, with your edited document, you are the owner of the property that is actually owned by someone else? They wouldn’t give you the house because your edited document is outside the system used to protect the authenticity of the paper documents.

The situation with electronic files is similar to that with paper records: they lose authenticity when uncontrolled. Imagine someone bringing a .PDF on a USB drive in his pocket and trying to claim that it is the authentic GMP record (say for batch release, or for a computer validation), rather than the time-stamped and controlled file that has been integrated into a system meant to protect files. This is obviously absurd, but it makes the point that documents are protected by the system they belong to.

Electronic files, of any format, must be derived from a system that is controlled by SOPs (and workflows that enforce SOPs) to remain valid.

The benefit of a .PDF is that it is harder to change than Excel, Word or .txt files, which are not graphics files but data files, and which can easily serve as a data source for future transfer. The metadata of the PDF can also be viewed and compared against the image.

WHO - TRS 966 - Annex 5
Guidance on good data and record management practices, glossary definition:

Static record format. A static record format, such as a paper or pdf record, is one that is fixed and allows little or no interaction between the user and the record content. For example, once printed or converted to static pdfs, chromatography records lose the capability of being reprocessed or enabling more detailed viewing of baselines.

Later in the same document:

Special risk management considerations for review of original records
Data integrity risks may occur when people choose to rely solely upon paper printouts or PDF reports from computerized systems without meeting applicable regulatory expectations for original records. Original records should be reviewed – this includes electronic records. If the reviewer only reviews the subset of data provided as a printout or PDF, risks may go undetected and harm may occur.

In other words, documentation reviews (properly performed) will include a crosscheck of the static records against another source, such as the database of the system that generated the report.
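The crosscheck described here, and the database mismatch mentioned earlier, can be automated. The following is an added example, not code from viewLinc or from the original article: the SQLite table layout, the sensor name and the report rows are all constructed assumptions.

```python
import sqlite3
from decimal import Decimal

# Constructed sample data. The table layout is an assumption for this example,
# not the schema of any real monitoring product.
def build_sample_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE readings (sensor TEXT, ts TEXT, temp_c TEXT)")
    db.executemany("INSERT INTO readings VALUES (?, ?, ?)", [
        ("FRIDGE-01", "2024-01-05T08:00:00Z", "4.1"),
        ("FRIDGE-01", "2024-01-05T08:15:00Z", "4.3"),
        ("FRIDGE-01", "2024-01-05T08:30:00Z", "9.7"),
        ("FRIDGE-01", "2024-01-05T08:45:00Z", "4.4"),
    ])
    return db

# Constructed (timestamp, value) rows as transcribed from a static report.
REPORT_ROWS = [
    ("2024-01-05T08:00:00Z", "4.10"),
    ("2024-01-05T08:15:00Z", "4.3"),
    ("2024-01-05T08:30:00Z", "4.7"),
]

def reconcile(db, report_rows, sensor, start, end):
    """Return (timestamp, problem, database value, report value) tuples."""
    query = ("SELECT ts, temp_c FROM readings "
             "WHERE sensor = ? AND ts BETWEEN ? AND ?")
    source = {ts: Decimal(v) for ts, v in db.execute(query, (sensor, start, end))}
    report = {ts: Decimal(v) for ts, v in report_rows}
    issues = []
    for ts in sorted(source.keys() | report.keys()):
        if ts not in report:
            issues.append((ts, "missing from report", str(source[ts]), None))
        elif ts not in source:
            issues.append((ts, "not in database", None, str(report[ts])))
        elif source[ts] != report[ts]:  # Decimal: 4.10 equals 4.1
            issues.append((ts, "value differs", str(source[ts]), str(report[ts])))
    return issues

if __name__ == "__main__":
    for issue in reconcile(build_sample_db(), REPORT_ROWS, "FRIDGE-01",
                           "2024-01-05T08:00:00Z", "2024-01-05T09:00:00Z"):
        print(issue)
```

Comparing as `Decimal` keeps a formatting difference such as 4.10 versus 4.1 from being reported, while an altered or omitted reading still is.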

GxP data integrity: What you don't know may make you non-compliant

In this webinar you will learn how to maintain data integrity in GxP-regulated environmental monitoring applications. Along with best practices, we provide an up-to-date overview of the current regulatory expectations. Attend the live session to take part in the question period. Vaisala's regulatory expert will answer your questions on data management best practices for GxP-compliant monitoring.
