Metadata, or "data about data," has become a component of many regulated GxP activities conducted electronically. Just like the records it's attached to, metadata has significant regulatory impact and brings its own set of compliance risks.
While FDA's 21 CFR Part 11 defines the requirements for electronic records in detail, the requirements pertaining to metadata are less clear. We've taken a closer look at what specific regulatory impact metadata has and the actions manufacturers should take to mitigate them.
What is GxP electronic record metadata?
Metadata is information attached to electronic records that provides supplementary details about the record and the information within it.
In addition to helping people search for and find particular records, metadata is used for a few other important tasks:
• Capturing audit trail information for electronic records
• Providing a parameter within an automated business process
• Classifying electronic records and facilitating navigation
• Offering business intelligence information
What is the regulatory impact of metadata?
The regulatory impact of a piece of metadata depends on the type of electronic record it's attached to within a computerized system. This could be a discreet data element, like HPLC testing results, or in the form of documents stored within an Electronic Document Management System (EDMS), such as Standard Operating Procedures (SOPs).
Free White Paper: Ensuring Enterprise-Wide Data Integrity in FDA-Regulated Industries
SOPs, for example, are stored within EDMS with metadata attached to them which describe the attributes of the document, such as its title, document type, effective date, department, etc.
Metadata also captures audit trail information and provide users with access to particular records based on department.
If the metadata attached to an SOP does not match the attributes of the document, the computer system could give users incorrect information. In the case of an audit trail, inaccurate metadata could make it difficult or impossible to retrieve particular audit trail records -– a major compliance risk.
How to mitigate the compliance risks of metadata
Appropriate controls must be implemented to ensure metadata is accurate throughout all computerized systems and the integrity of data is maintained at all times.
These controls are both technical and procedural. We've highlighted three crucial metadata controls below.
1. Computer System Validation
Validate to verify that metadata is accurate and ensure the effectiveness of controls used to manage the metadata throughout its lifecycle
2. Logical Security
Database security and protection to ensure metadata cannot be accessed by unauthorized personnel
3. Electronic Record Retention
Prevent electronic recored and their associated audit trails from being deleted
Four steps to handling GxP regulated metadata
The following steps offer a general guide to handling metadata associated with GxP regulated electronic records which can be adapted and applied to various activities throughout an organization.
1. Identify the electronic records you're required to maintain under the associated regulation
2. Determine which metadata is used in audit trails or part of controlled processes
3. Put procedural and technical controls in place to protect the integrity of the metadata and ensure it's maintained throughout the record's lifecycle
4. Validate the metadata attributes to make sure all relevant regulatory requirements are met and the accuracy of the meta data is verified.