Are PDFs secure enough for GxP?

A document exists within a system, and in the case of GxP environments, that system is tightly controlled. In the case of Vaisala’s viewLinc monitoring system, the GMP data is always in viewLinc’s database.
This is a question that came up during our webinar on Data Integrity. In this blog, we answer at length. This is a common concern because, with the right software, PDFs are editable. But consider how no document or file exists in a vacuum. A document exists within a system, and in the case of GxP environments, that system is tightly controlled. In the case of Vaisala’s viewLinc monitoring system, the GMP data is always in viewLinc’s database. The .PDF report is only representation of that data which facilitates review and approval of the data, either on paper, or by import of the .PDF file into an electronic signature system. The .PDF electronic file, in a properly controlled system, should never be sitting around unattended for someone to edit.
However, let’s say someone did attempt to do some editing on a viewLinc report, here is what would happen:
First, the data on the .PDF would no longer match the data in the viewLinc database. A mismatch between the data base and the .PDF document would reveal evidence of the changes.
Second, the .PDF (which is a graphics file) might be changed to show a different temperature value, but the meta data of the .PDF file, would show the change; This is further evidence file tampering.
In a properly controlled system, the .PDF report would be sent directly and electronically to the Electronic Document Management System to be routed for signature. There would be no chance for editing before or during transmission, and once in the Signature System, it would be protected from changes. (And notably, the document only remains valid as long as it stays within the Signature System. Removing it renders it invalid.
As an analogy, consider a common paper-based system such as real estate transactions. Those signatures are given in front of a notary, so there is an independent record of the signature events, the proof of identity of the people, and the paper-signed copies in the hands of a disinterested 3rd party. You could claim that such a paper record is easy to edit and fake, but what happens if you take a copy, made some changes, and walk into the local land authority (here in the US it might be the Title Agency, or the Tax Assessors office) and claim that, with your edited document, you are the owner of the property that is actually owned by someone else? They wouldn’t give you the house because your edited document is outside the system used to protect authenticity of the paper documents.
It’s a similar situation with electronic files as for paper records. They lose authenticity when uncontrolled. Imagine someone bringing a .PDF from a USB in his pocket and trying to claim that it is the authentic GMP record (say for batch release, or for a computer validation), not the time-stamped and controlled file that has been integrated into a system meant to protect files. This is obviously absurd, but it makes the point that documents are protected by the system they belong to.
Electronic files, of any format, are derived of a system that is controlled by SOPs (and workflows that enforce SOPs), to remain valid.
The benefit of a .PDF is that it is harder to change than Excel or Word or .txt files, which are not graphics files, but are data files, which can easily serve as a data source for future transfer. The meta data of the PDF that can be viewed against the image and compared.
WHO – TRS 966 – Annex 5
Guidance on good data and record management practices glossary definition:
Static record format. A static record format, such as a paper or pdf record, is one that is fixed and allows little or no interaction between the user and the record content. For example, once printed or converted to static pdfs, chromatography records lose the capability of being reprocessed or enabling more detailed viewing of baselines.
Later in the same document:
Special risk management considerations for review of original records
Data integrity risks may occur when people choose to rely solely upon paper printouts or PDF reports from computerized systems without meeting applicable regulatory expectations for original records. Original records should be reviewed – this includes electronic records. If the reviewer only reviews the subset of data provided as a printout or PDF, risks may go undetected and harm may occur.
In other words, documentation reviews (properly performed) will include a crosscheck of the static records against another source, such the data base of the system that generated the report.
Read more here!
For more information, please contact:
Vaisala
Janne Halonen
+46 40 298 991
forsaljning@vaisala.com
Vaisala is a global leader in weather, environmental, and industrial measurements. Building on over 85 years of experience, Vaisala provides observations for a better world, with space-proof technology even exploring Mars and beyond. We are a reliable partner for customers around the world, offering a comprehensive range of innovative observation and measurement products and services. Headquartered in Finland, Vaisala employs over 2,000 professionals worldwide and is listed on the Nasdaq Helsinki stock exchange.
Published: May 16, 2023