Announcement by the National Medical Products Administration on the Release of Requirements for Pharmaceutical Records and Data Management (Trial)

　　(No. 74 of 2020)

　　Release date: 2020-07-01

　　To implement the relevant provisions of the "Drug Administration Law" and the "Vaccine Administration Law," strengthen the recording and data management of drug research and development, production, distribution, and use activities, and ensure that the relevant information is authentic, accurate, complete, and traceable, the National Medical Products Administration has organized the drafting of the "Requirements for Drug Records and Data Management (Trial)." These requirements are hereby promulgated and shall take effect as of December 1, 2020.

　　Hereby announced.

　　Attachment: Requirements for Pharmaceutical Records and Data Management (Trial)

　　National Medical Products Administration

　　June 24, 2020

　　Attachment

　　Requirements for Pharmaceutical Records and Data Management (Trial)

　　Chapter 1 General Provisions

　　Article 1: In order to standardize the recording and data management of activities related to drug research and development, manufacturing, distribution, and use, these requirements are formulated in accordance with the "Drug Administration Law of the People's Republic of China," the "Vaccine Administration Law of the People's Republic of China," the "Implementation Regulations of the Drug Administration Law of the People's Republic of China," and other relevant laws and administrative regulations.

　　Article 2: This requirement applies to records and data generated in the course of conducting drug research, manufacturing, distribution, and use activities within the territory of the People’s Republic of China that are required to be submitted to the drug regulatory authorities.

　　Article 3: Data refers to information generated during the research and development, manufacturing, distribution, and use of pharmaceutical products, which reflects the implementation status of these activities. Such data includes text, numerical values, symbols, images, audio recordings, photographs, charts, barcodes, and the like. Records refer to documents formed through the recording of one or more pieces of data during the aforementioned activities, serving as evidence that reflects both the process and outcomes of these related activities.

　　Chapter 2: Basic Requirements

　　Article 4: Records may be categorized into different types—such as ledgers, logs, labels, procedures, and reports—depending on their intended use. Those engaged in the research and development, production, distribution, and use of pharmaceutical products shall, according to the needs of their activities, employ one or more types of records to ensure that information throughout the entire process is authentic, accurate, complete, and traceable.

　　The recording medium may take one or more forms, such as paper, electronic, or hybrid.

　　Article 5: Where records or data are generated using a computerized (or automated) system, appropriate administrative measures and technical means shall be implemented to ensure that the information generated is authentic, accurate, complete, and traceable.

　　Article 6: Electronic records shall, at a minimum, achieve the same functionality as the original paper records and meet the requirements for activity management.

　　In cases where both electronic and paper records coexist, the form to be used as the baseline should be clearly specified in the relevant operating procedures and management systems.

　　Article 7: Record management procedures shall be established based on the purpose, type, and format of the records, clearly defining record management responsibilities and standardizing methods for controlling records.

　　Article 8: Activities such as data collection, processing, storage, generation, retrieval, and reporting shall comply with the requirements for recording or data entry specific to the corresponding data type, ensuring that the data is authentic, accurate, complete, and traceable.

　　Article 9: Based on the source and intended use of data, data can be categorized into basic information data, behavioral activity data, metering instrument data, electronic data, and other types of data. Different types of data should be subject to appropriate management measures and technical approaches.

　　Article 10: Personnel engaged in record-keeping and data management shall receive the necessary training, master the relevant management requirements and operational skills, and abide by the code of professional ethics.

　　Article 11: Records and data generated by a third party pursuant to contractual agreements shall comply with the provisions of these requirements and clearly specify the management responsibilities of each party to the contract.

　　Chapter 3: Requirements for Paper Record Management

　　Article 12: The design and creation of documentation files shall meet actual operational needs. The format should facilitate identification, recording, collection, preservation, traceability, and use. The content must be comprehensive, complete, and accurately reflect the corresponding activities.

　　Article 13: The responsibilities for reviewing and approving documented records shall be specified, and the management requirements for ensuring the effective version of documented records shall be clearly defined to prevent the use of invalid versions.

　　Article 14: The printing and distribution of record documents shall, depending on the different purposes and types of records, employ controlled methods commensurate with the importance of the records, to prevent substitution or tampering with the records.

　　Article 15: The responsibility for recording information that must be clearly documented shall not be arbitrarily delegated to others, and the tools or methods used must be capable of long-term preservation and difficult to erase.

　　Raw data shall be recorded directly on the prescribed records and must not be temporarily written down or transcribed via uncontrolled media.

　　Article 16: Any changes made to the records shall be annotated with the name of the person making the change and the date of the change, and the original information shall remain clear and legible. If necessary, the reason for the change shall also be stated.

　　Article 17: The collection time, archiving method, storage location, retention period, and management personnel for records shall be clearly specified, and appropriate preservation or backup measures shall be implemented. The retention period for records shall comply with relevant regulatory requirements.

　　Article 18: Appropriate measures shall be taken when using and copying records to prevent their loss, damage, or alteration. When making copies of records, procedures for approving, distributing, and controlling record copies shall be established, and a clear distinction shall be made between the original records and their copies.

　　Article 19: An appropriate method for destroying records shall be established, and corresponding destruction records shall be maintained.

　　Chapter 4: Requirements for Electronic Records Management

　　Article 20: Computerized systems that use electronic records shall meet the following facility and configuration requirements:

　　(1) Install in an appropriate location to prevent interference from external factors;

　　(2) Servers or hosts that support the normal operation of the system;

　　(3) A stable and secure network environment and a reliable information security platform;

　　(4) A local area network environment that enables information transmission and data sharing among relevant departments and between different job positions;

　　(5) Application software and related databases that comply with relevant legal requirements and management needs;

　　(6) Terminal devices and ancillary equipment capable of performing recording operations;

　　(7) Operation manuals, drawings, and other technical documents for the supporting systems.

　　Article 21: Computerized systems that employ electronic records shall, at a minimum, meet the following functional requirements:

　　(1) Ensure the authenticity, accuracy, and consistency of recorded time with system time;

　　(2) Able to display all data from electronic records, with the generated data being readable and printable;

　　(3) System-generated data shall be backed up regularly, and the backup and recovery procedures must be verified. Corresponding records shall be maintained for data backups and deletions.

　　(4) When a system undergoes changes, upgrades, or retirement, measures shall be taken to ensure that the original system data can be accessed and traced within the prescribed retention period.

　　Article 22: Electronic records shall implement operational permission and user login management, including at least:

　　(1) Establish separate permissions for operation and system administration. The user permissions of those responsible for business processes should be commensurate with their assigned duties and must not include administrator privileges for the system (including the operating system, applications, databases, etc.).

　　(2) Possesses user permission setting and assignment functions, and is capable of tracking and querying permission modifications.

　　(3) Ensure the uniqueness and traceability of logged-in users. When using electronic signatures, such signatures shall comply with the relevant provisions of the “Electronic Signature Law of the People’s Republic of China.”

　　(4) Relevant information on system operations shall be recorded, including at a minimum: the operator, the time of operation, the operation process, and the reason for the operation; the generation, modification, deletion, reprocessing, renaming, and transfer of data; as well as any changes or modifications to the settings, configurations, parameters, and timestamps of computerized systems.

　　Article 23: The scope and extent of validation for computerized systems that employ electronic records shall be determined based on multiple factors, including the system’s underlying architecture, system functions, business functions, as well as the system’s maturity and complexity, to ensure that the system’s functions meet their intended purposes.

　　Chapter 5: Data Management Requirements

　　Article 24: With regard to the basic information data of activities and the behavioral activity data generated through operations, inspections, verifications, manual calculations, and other similar actions, the relevant operating procedures and management systems shall specify requirements for recording personnel, recording time, recorded content, as well as methods for confirmation and review.

　　Article 25: When reading data from measuring instruments, the instruments shall be verified or calibrated in accordance with the law.

　　Article 26: Electronic data obtained through the collection, processing, and reporting by computerized (or automated) systems shall be subject to necessary administrative measures and technical safeguards.

　　(1) Electronic data obtained through processing by application software after manual input shall be protected against unauthorized modification of software functions and settings. The input data and the data generated by the system shall be subject to review, and the original data shall be retained in accordance with relevant regulations.

　　(2) Electronic data generated and processed by a computerized (or computer-based) system shall comply with the relevant regulatory requirements. Metadata must be preserved and backed up, and the backup and recovery procedures must be verified.

　　Article 27: Other types of data refer to data stored in the form of documents, images, audio, pictures, charts, and other similar formats. Other types of data that meet the following conditions shall be deemed to satisfy the requirements set forth herein:

　　(1) Able to effectively present the contained information and readily accessible for retrieval and reference at any time;

　　(2) If the data format is converted, it shall be ensured that the converted data is consistent with the original data.

　　Chapter VI Supplementary Provisions

　　Article 28: The terms used in these requirements shall have the following meanings:

　　(1) Raw Data

　　Refers to data collected for the first time or at the source, which has not been processed.

　　(2) Electronic Records

　　Refers to a digitally formatted record composed of text, charts, data, audio, illustrations, or other digital information. Its creation, modification, maintenance, archiving, reading, distribution, and use are all carried out by computerized systems.

　　(3) Electronic Signature

　　Refers to data contained in or attached to an electronic record in electronic form, used to identify the signer’s identity and indicate that the signer approves of the content therein.

　　(4) Metadata

　　Metadata is data used to define and describe other data. By defining and describing data, metadata can support a wide range of management tasks related to the data objects it describes, including locating, querying, exchanging, tracking, access control, evaluating, and preserving such data.

　　Article 29: Those engaged in the research and development, production, distribution, and use of pharmaceutical products shall comply with laws, regulations, rules, standards, and guidelines; establish operational procedures and management systems; and clearly define requirements for the management of records and data.

　　Article 30: These requirements shall take effect as of December 1, 2020.