21CFR11 is to Food and Pharmaceutical professionals what Dr. Kelso was to Sacred Heart Hospital in the television series Scrubs. Annoying, but necessary.
What is 21CFR11?
21CFR11 refers to the 11th Part of the 21st Title of the Code of Federal Regulations. That may look like a worthless definition, but if we break it down, it illuminates an interesting paradox concerning the importance of this "Part." Reading 21CFR11 as the "11th Part of the 21st Title of the Code of Federal Regulations" makes it seem boring, incredibly boring in fact. It sounds like some little detail of some particular regulation that no one would every take time to pay attention to.
Instead, for quality professionals in food and pharma, it's always around. It's in webinars, seminars, and white papers. Entire lecture series have been about 21CFR11, and entire company's have been created to help organizations adhere to the 11th Part of the 21st Title of the Code of Federal Regulations.
21CFR11 concerns the FDA, and it's a specific set of regulations that speak to how electronic signatures work versus paper signatures. 21CFR11 outlines how electronic signatures can be considered "trustworthy," or on par with the trustworthiness of paper signatures.
As Software as a Service aficionados, we would actually argue that many, many times, paper records are less reliable than electronic records: they can be edited, altered, and changed much easier in many circumstances. However, 21CFR11 still remains, and it is a daunting task for many organizations to adhere to it's requirements.
Those requirements are a three-headed monster that can be broken down into the following faces, or "keys":
- Secure, Unalterable Data
- Unique Users
- Audit Trail
1. Secure, Unalterable Data
Data must be secure. For many food and pharma producers, that means proving that for each process and machine in your facility, an individual couldn't alter the hard data in any way. With data loggers, for example, you have to validate a data logging system to verify that the data being taken, and the data being displayed, do not differ from one another. Also, that data that is being displayed can't be altered by any users within the system. It can only be viewed, and analyzed.
2. Unique Users
Users are obviously unique, as cloning hasn't quite caught up with us yet. By saying "Unique Users" then, we are stating that they must prove they are unique. On a paper document, a signature, or mark of recognition differentiates one user from another. An electronic signature is different, however. Instead of physically "signing" a document, users in a system have unique accounts. Therefore, when they are working within that system, approving, signing, working with the secure data, their actions are monitored and stored, as their specific actions, not someone else's. Organizations prove users are unique through unique accounts with passwords. Therefore, when someone "signs off" electronically, there is a record, and they can be held accountable for their action.
3. Audit Trail
The last main key to 21CFR11, is an audit trail. An a audit trail is a record of what has happened within a system. In the olden days, that system could be your entire operation, and each event was logged on a piece of paper, signed for, and stored for when an auditor showed up. Audit trails keep auditors informed of a company's historical operations and data, which allows them to see what the company has been up to, and if the company's quality has suffered for any number of reasons. The key to an audit trail is consistency and accuracy. Everything must be documented electronically, from a user signing in, to data being stored about a product. If there is a gap in the audit trail, well, bad things happen.
Do you see how 21CFR11 can be so important? It is mundane on the surface, but once it has been read over, it's influence is . . . significant. With the rise of electronic data storage, Cloud-computing, and local sever systems, 21CFR11 will only become more and more important for organizations to follow.
