21 CFR Part 11 ComplianceBecause 21 CFR Part 11 compliance focuses on data accuracy and authentication, life sciences organizations sometimes underestimate its complexity. Superficially, it does seem simple. After all, the goal is just to make sure electronic records are up to FDA standards for paper records. If you keep audit trails and make sure your electronic signatures are accurate, you’re compliant, right?

 

Not so fast.

 

The problem is, there’s a world of difference between making sure a few scientists are filling out a log book correctly in one lab, and ensuring the accuracy and integrity of digital records across hundreds of staff members and partners in dozens of locations across the world. Fortunately, we’ve got your 21 CFR 11 compliance needs covered.

 

21 CFR Part 11 Compliance Basics

 

The goal of 21 CFR Part 11 compliance is to ensure GxP records are kept accurately, and reviewed and signed in a way that prevents tampering and ensures accountability, without interfering with the benefits of cloud computing in biotechnology.

 

Because electronic records can be remotely edited, this requires careful authentication practices designed to prevent impersonation or unauthorized access. At minimum, workers should use two-factor authentication, and organizations may want to use biometric measures like voice recognition and fingerprint scans, as well as passwords, ID numbers, or identity badge scanning. Logins should automatically sign the record with the worker’s name, the time and date, and the purpose of the login (e.g. verifying record accuracy). That metadata, along with all changes in records, needs to be stored and audited for accuracy.

 

21 CFR Part 11 Compliance Obstacles

 

The problem is, basic signing and auditing aren’t enough for 21 CFR Part 11 compliance. Errors, identity theft, hacking, or improper security could lead to inaccuracy in the records. To comply, you need to implement sophisticated documentation and monitoring at every level.

 

GRC software should monitor access, alert staff of problems, and help remediate compliance issues like SOD conflicts. All your architecture is in scope and subject to audits as well, so 21 CFR compliant data centers and workstations need to be meticulously documented, and carefully maintained to ensure SOPs are maintained.

 

Even external security risks need to be taken into consideration — a task far outside the means of most in-house 21 CFR Part 11 compliance teams. You need to make sure your system is resilient with network and Basis layer hardening, regularly look for new vulnerabilities penetration testing, and quickly respond to new threats with 24/7/365 monitoring and incident response. For all but the largest organizations, it’s simply not feasible in-house.

 

Symmetry is a Full-Service 21 CFR Part 11 Compliance Partner

 

The power and complexity of modern computers allows life sciences to do things that would have sounded miraculous even a couple decades ago. The cost of that power is 21 CFR 11 compliance. Whether that cost is a burden to your business or just a minor expense depends on the skill set and competence of your managed security and compliance partner.

 

Symmetry is a full-service hosting, security, and 21 CFR compliance provider, with expertise at every phase of the compliance process. Whether you’re looking for a partner to modernize, migrate, and maintain your IT landscape in a state of continuous compliance, a cyber security partner, or just someone to fill in for compliance staff, we’re here to support you.

 

To learn more, contact us or check out our case study, Migrating to SAP HANA® Case Study: New England Biolabs.

About Scott Goolik - VP, Compliance and Security Services

Scott Goolik is VP of Compliance and Security Services at Symmetry. A recognized expert in the field of SAP security and compliance, Scott has over 20 years of expertise in SAP security and is a regular presenter at SAP industry tradeshows and ASUG events. His experience includes working for one of the Big Four accounting firms and developing auditing tools, including those for segregation of duties (SOD). Scott is also responsible for architecting the ControlPanelGRC® solution which provides audit automation and acceleration of security and control processes.