Medical device companies that wish to sell their devices in the US and EU must implement a quality management system that meets the requirements of 21 CFR Part 820 and ISO 13485:2016.
We believe in “right-sizing” your quality management system (QMS), allowing it to scale with your company as you move from product development to establishing supplier controls, a CAPA process, and so on. But what are you going to do with all of the paper generated along the way?
Many medical device companies today can see the value of investing in a medical device specific eQMS that helps bring your product to market faster and can make FDA inspections and ISO audits go more smoothly; the caveat is that these systems are subject to validation.
Specifically, they fall under 21 CFR Part 11, the FDA’s regulations for electronic records and electronic signatures. This regulation is widely misunderstood, and the confusion even causes some medical device companies to resist moving to an electronic system when they know it’s the right move.
In this comprehensive guide, we’ll take you through each section of 21 CFR Part 11, explaining what the requirements actually mean and expounding the most important points for you to know as a medical device company.
In March of 1997, the United States FDA issued regulations that established the criteria for the acceptance by the FDA of electronic records, electronic signatures and handwritten signatures executed to electronic documents. While our focus is on medical device companies and the compliance of their quality systems with this regulation, the rules also apply to companies in pharma, biotech, biologics developers, and other FDA-regulated industries. These laws are codified as Part 11 of Title 21 in the Code of Federal Regulations, or 21 CFR Part 11, or Part 11 for shorthand.
21 CFR Part 11 is divided into three sub-parts:
The General Provisions section discusses the scope of the regulations, when and how it should be implemented, and defines some of the key terms used in the regulations.
The Electronic Records section sets forth the requirements for administration of closed and open electronic record-keeping systems, then discusses signature manifestations and requirements for establishing a link between signatures and records.
Finally, the Electronic Signatures section is split into three parts: general requirements for electronic signatures, electronic signature components and controls, and controls for identification codes/passwords.
Since its original publication, 21 CFR Part 11 has generated a significant amount of confusion among medical device makers and other industry professionals that may use electronic records. The FDA published a guidance document in August 2003 to clarify the scope and implications of various parts of the regulations. This document also served to further elucidate the requirements for software validation, audit trails, managing legacy systems, keeping copies of records and record retention. It provides helpful information about what companies need to do in order to comply with their 21 CFR Part 11 requirements. With that said, it is important to remember that guidance documents of this kind are not themselves the law, and medical device companies should always refer directly to 21 CFR Part 11 when assessing their compliance status with FDA regulations.
In this section, we’ll take an in-depth look into each section of 21 CFR Part 11 and pick out the most important points that medical device companies need to be aware of.
Sec. 11.1 Scope – This is the first section of 21 CFR Part 11 and its goal is to establish what this regulation does and when it should be applied. The regulations in 21 CFR Part 11 set forth the criteria under which the FDA considers electronic records and signatures to be trustworthy, reliable, and generally equivalent to paper-based records. 21 CFR Part 11 applies to records in electronic form that are created, modified, maintained, archived, retrieved, and/or transmitted under any records requirement set forth by the FDA.
While there are some examples listed of agency-required records that are not subject to 21 CFR Part 11, quality management records are not listed among the exclusions here. As soon as a medical device company uploads any part of their quality management system to a computer, they are subject to the requirements of 21 CFR Part 11. (This is a little-known fact that many paper-based companies are not aware of.)
Sec. 11.2 Implementation – This section explicitly states that medical device companies can use paperless record-keeping systems if they are in compliance with this regulation. For medical device companies who wish to transmit electronic records to the FDA, they may do so if they comply with this regulation and if the documentation they wish to submit is identified in docket No. 92S-0251 as a type of submission that the agency accepts in electronic form.
Sec. 11.3 Definitions – The FDA provides definitions for some of the terminology that will be used later in Part 11. One example would be the difference in definitions between closed systems and open systems. A closed system is a record-keeping system where system access is controlled by persons who are responsible for the content of electronic records on the system. In an open system, access is not controlled by persons who are responsible for the contents of the electronic records on the system.
This terminology should not be confused with “open source” or other uses of “open/closed” as a descriptor. In this context, a closed system is one where the company keeps the records only on its own hardware and is accessible through its own internal network, while an open system is one where a vendor offers a record-keeping software through a license to the medical device company and therefore controls access to the software and the records.
Sec. 11.10 Controls for closed systems – This section sets forth 11 separate and distinct security management requirements for companies that wish to keep electronic records using a closed software system. Some of the requirements include limiting system access to authorized individuals, authority and device checks to verify the integrity of data and signatures, the establishment of written accountability policies for maintaining system security, and the appropriate validation of the record-keeping system to ensure consistency in its intended performance.
The FDA also establishes the audit trail requirements in this section, similar to the document control requirements of 21 CFR Part 820. Medical device companies must maintain appropriate control over systems documentation, including revision and change control procedures to maintain an audit trail that documents changes in the system. An audit trail ensures that every activity which happens in the record-keeping system generates a record and can be reviewed later.
Sec. 11.30 Controls for open systems – Open systems typically mean that more people have access to the record-keeping system, so the security requirements should be slightly more comprehensive to help ensure that the records kept are accurate and reliable. This section recommends that open systems are subject to the same 11 security requirements as closed systems, along with any additional appropriate measures such as document encryption and the use of digital signature standards to ensure the integrity and confidentiality of the records.
Sec. 11.50 Signature Manifestations – This section deals with how signatures should appear on electronic records. The FDA expects to see the printed name of the signer, the date and time that the signature was executed, and the meaning of the signature (approval, review, authorship, etc.) subjected to the same controls as the records themselves and included on any human readable form of the electronic record.
Sec. 11.70 Signature record/linking – A section so short, we can quote it:
Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.
This means that medical device companies must use a record-keeping software that tracks the approval status of documents using secure attribution data. The system should not allow any user with inadequate permissions to effect a signature by copying a signature from one document and attaching it onto another.
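As an added example (not code from the article or from greenlight.guru), the following Python sketch models the three controls just described: an audit trail that records every activity and can be checked for later alteration (Sec. 11.10), a signature manifestation that carries the printed name, date/time and meaning (Sec. 11.50), and a signature that is cryptographically bound to the exact record content so it cannot be copied onto another document or survive an edit of the signed record (Sec. 11.70). The record contents, user names, timestamps and the server key are constructed sample values; the HMAC-over-content binding and the hash-chained log are one common design, not a mechanism the regulation prescribes.

```python
"""Added example, not from the article: minimal model of Part 11 audit trail,
signature manifestation and signature/record linking. All data is constructed."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed server-side secret (assumption); a real system keeps it in an HSM or KMS.
SYSTEM_KEY = b"constructed-demo-key-not-for-production"


def content_hash(content: str) -> str:
    return hashlib.sha256(content.encode()).hexdigest()


@dataclass
class Signature:
    signer: str        # printed name of the signer (Sec. 11.50)
    signed_at: str     # date and time the signature was executed (Sec. 11.50)
    meaning: str       # approval, review, authorship ... (Sec. 11.50)
    record_id: str     # which record was signed (Sec. 11.70)
    record_hash: str   # hash of the exact content that was signed (Sec. 11.70)
    tag: str = ""      # system HMAC over all fields above

    def message(self) -> bytes:
        return json.dumps([self.signer, self.signed_at, self.meaning,
                           self.record_id, self.record_hash]).encode()


def sign_record(record_id, content, signer, signed_at, meaning) -> Signature:
    sig = Signature(signer, signed_at, meaning, record_id, content_hash(content))
    sig.tag = hmac.new(SYSTEM_KEY, sig.message(), hashlib.sha256).hexdigest()
    return sig


def verify_signature(sig: Signature, record_id: str, content: str) -> bool:
    """True only if the tag is genuine AND the signature belongs to this record
    with exactly this content; a copied or post-edit signature fails."""
    expected = hmac.new(SYSTEM_KEY, sig.message(), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(sig.tag, expected)
            and sig.record_id == record_id
            and sig.record_hash == content_hash(content))


def manifestation(sig: Signature) -> str:
    """Human-readable form that must accompany any printout of the record."""
    return f"Signed by {sig.signer} on {sig.signed_at} ({sig.meaning})"


@dataclass
class AuditTrail:
    """Append-only log; each entry hashes the previous one, so any later edit,
    deletion or reordering of an entry is detectable by verify()."""
    entries: list = field(default_factory=list)

    def append(self, who: str, action: str, record_id: str, when: str) -> None:
        prev = self.entries[-1]["chain"] if self.entries else "0" * 64
        entry = {"who": who, "action": action, "record_id": record_id,
                 "when": when, "prev": prev}
        entry["chain"] = hashlib.sha256(
            (prev + json.dumps(entry, sort_keys=True)).encode()).hexdigest()
        self.entries.append(entry)

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "chain"}
            expected = hashlib.sha256(
                (prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()
            if e["prev"] != prev or e["chain"] != expected:
                return False
            prev = e["chain"]
        return True


def demo() -> dict:
    """Runs the constructed scenario and returns the verification outcomes."""
    trail = AuditTrail()
    sop_a = "SOP-001 rev B: Design control procedure"      # constructed record
    sop_b = "SOP-002 rev A: Supplier evaluation procedure"  # constructed record
    sig = sign_record("SOP-001", sop_a, "Jane Doe", "2024-01-15T09:30:00Z", "approval")
    trail.append("jdoe", "sign", "SOP-001", "2024-01-15T09:30:00Z")
    results = {
        "original_valid": verify_signature(sig, "SOP-001", sop_a),
        "copied_to_other_record": verify_signature(sig, "SOP-002", sop_b),
        "record_edited_after_signing": verify_signature(sig, "SOP-001", sop_a + " (edited)"),
        "trail_intact": trail.verify(),
    }
    trail.entries[0]["who"] = "someone-else"   # simulate an after-the-fact log edit
    results["trail_after_edit"] = trail.verify()
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The design choice worth noting is that the signature tag covers the record hash rather than the record id alone: a signature lifted from one document and attached to another still carries a valid tag, but it names the wrong record and the wrong content, so verification fails without any need to detect the copying itself.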
Sec. 11.100 General Requirements – This section sets forth some of the requirements for personal accountability in electronic signatures that are central to this regulation. It requires organizations to verify the identity of any individual who is assigned an electronic signature on the system, and it requires medical device companies who wish to use electronic signatures to notify the FDA in writing by mail; the agency’s Rockville, MD address is provided.
Sec. 11.200 Electronic signature components and controls – The FDA wants electronic signatures to use at least two identifying components – such as including an identification code and a password. Electronic signatures should be assigned to individual persons – not to groups or departments – such that each electronic signature can only be executed by a single person to whom it is assigned and whose identity was verified in compliance with this part. The FDA really wants to make sure that approval and review signatures cannot be disputed once they are entered into the system.
Sec. 11.300 Controls for identification codes/passwords – 21 CFR Part 11 requires special security measures for the control of passwords. No two individuals should use the same identification code/password combination to access the system, and passwords should be changed periodically to address password aging. Medical device companies must establish transaction safeguards that prevent unauthorized use of passwords. Loss management procedures should be established to ensure that compromised security tokens, cards or other devices are deauthorized to prevent security breaches.
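As an added example (not code from the article or from greenlight.guru), the following Python credential store illustrates the controls of Sec. 11.200 and Sec. 11.300 together: a signature requires two distinct components (an identification code and a password), no identification code can be assigned to two people, an aged password blocks signing until it is changed, repeated failed attempts are flagged to a security unit, and a reported-lost token is deauthorized. The user names, passwords, token ids, the 90-day password age and the three-attempt limit are constructed policy values, not numbers taken from the regulation; the PBKDF2 password hashing is a standard choice, not something Part 11 specifies.

```python
"""Added example, not from the article: credential controls for Part 11
Sec. 11.200 (two signature components) and Sec. 11.300 (unique id codes,
password aging, transaction safeguards, loss management). Data is constructed."""
import hashlib
import hmac
import os
from datetime import date, timedelta

MAX_PASSWORD_AGE = timedelta(days=90)   # assumed policy value
MAX_FAILED_ATTEMPTS = 3                 # assumed policy value
PBKDF2_ITERATIONS = 200_000


class CredentialStore:
    def __init__(self):
        self.users = {}            # identification code -> user record
        self.revoked_tokens = set()
        self.failed = {}           # identification code -> consecutive failures
        self.security_reports = []  # Sec. 11.300(d): attempts reported to security

    def enrol(self, id_code, name, password, token_id, today):
        # Sec. 11.300(a): no two individuals may share an identification code.
        if id_code in self.users:
            raise ValueError(f"identification code {id_code!r} already assigned")
        salt = os.urandom(16)
        self.users[id_code] = {
            "name": name,
            "salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS),
            "pw_changed": today,
            "token_id": token_id,
        }

    def password_expired(self, id_code, today) -> bool:
        # Sec. 11.300(b): passwords are periodically revised; aging blocks use.
        return today - self.users[id_code]["pw_changed"] > MAX_PASSWORD_AGE

    def report_token_lost(self, token_id) -> None:
        # Sec. 11.300(c): a lost or compromised token is deauthorized.
        self.revoked_tokens.add(token_id)

    def _fail(self, id_code, reason):
        self.failed[id_code] = self.failed.get(id_code, 0) + 1
        if self.failed[id_code] >= MAX_FAILED_ATTEMPTS:
            self.security_reports.append(f"{id_code}: repeated failed signature attempts")
        return False, reason

    def execute_signature(self, id_code, password, token_id, today):
        """Both components (id code + password) must be presented, Sec. 11.200(a).
        Returns (ok, reason)."""
        user = self.users.get(id_code)
        if user is None:
            return False, "unknown identification code"
        if self.failed.get(id_code, 0) >= MAX_FAILED_ATTEMPTS:
            return False, "identification code locked; security unit notified"
        if token_id in self.revoked_tokens or token_id != user["token_id"]:
            return False, "token not authorized"
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ITERATIONS)
        if not hmac.compare_digest(candidate, user["pw_hash"]):
            return self._fail(id_code, "password mismatch")
        if self.password_expired(id_code, today):
            return False, "password aged out; change required before signing"
        self.failed[id_code] = 0
        return True, f"signature executed by {user['name']}"


def demo() -> dict:
    """Runs the constructed scenario and returns whether each signing attempt succeeded."""
    today = date(2024, 6, 1)
    store = CredentialStore()
    pw = "correct horse battery staple"   # constructed password
    store.enrol("jdoe", "Jane Doe", pw, "TOKEN-001", today - timedelta(days=10))
    store.enrol("asmith", "Alex Smith", "another-demo-password", "TOKEN-002", today)
    results = {}
    try:
        store.enrol("jdoe", "John Doe", "other", "TOKEN-003", today)
        results["duplicate_id_rejected"] = False
    except ValueError:
        results["duplicate_id_rejected"] = True
    results["good"] = store.execute_signature("jdoe", pw, "TOKEN-001", today)[0]
    results["wrong_password"] = store.execute_signature("jdoe", "wrong", "TOKEN-001", today)[0]
    results["aged_password"] = store.execute_signature(
        "jdoe", pw, "TOKEN-001", today + timedelta(days=100))[0]
    store.report_token_lost("TOKEN-001")
    results["lost_token"] = store.execute_signature("jdoe", pw, "TOKEN-001", today)[0]
    for _ in range(MAX_FAILED_ATTEMPTS):
        store.execute_signature("asmith", "guess", "TOKEN-002", today)
    results["locked_after_failures"] = store.execute_signature(
        "asmith", "another-demo-password", "TOKEN-002", today)[0]
    results["security_reported"] = bool(store.security_reports)
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Two points from the design: the store never compares plaintext passwords (only salted PBKDF2 hashes, in constant time), and the failure counter is reset only after a fully successful signature, so an aged password or a revoked token does not let an attacker probe passwords without consequence.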
21 CFR Part 11 provides an opportunity for medical device companies to reap the organizational benefits of paperless record-keeping systems. It also helps the FDA ensure that when medical device companies use electronic record-keeping systems, that document security and authenticity are adequately maintained.
While some may argue that regulations of 21 CFR Part 11 place an additional regulatory burden on these companies, it’s important to note significant benefits can be derived from implementing these electronic systems. The FDA guidelines from Part 11 help establish accountability and traceability throughout your documentation processes, by ensuring that:
Reference: www.greenlight.guru