Medical device companies that wish to sell their devices in the US and EU must implement a quality management system that meets the requirements of 21 CFR Part 820 and ISO 13485:2016.
We believe in “right-sizing” your quality management system (QMS), allowing it to scale with your company as you move from product development through establishing supplier controls, a CAPA process, and so on. But what are you going to do with all of the paper being generated as a result?
Many medical device companies today can see the value of investing in a medical device-specific eQMS that helps bring your product to market faster and can make FDA inspections and ISO audits go more smoothly; the caveat is that these systems are subject to validation.
Specifically, they are subject to 21 CFR Part 11, the FDA's regulations for electronic records and electronic signatures. This regulation is widely misunderstood, and the confusion even causes some medical device companies to resist moving to an electronic system when they know it’s the right move.
In this comprehensive guide, we'll take you through each section of 21 CFR Part 11, explaining what the requirements actually mean and expounding the most important points for you to know as a medical device company.
Then in the conclusion, we'll also highlight a few key features of Greenlight Guru's eQMS platform and how those have proven to be instrumental in helping medical device companies get to market faster while remaining compliant with 21 CFR Part 11.
What is 21 CFR Part 11?
In March of 1997, the United States FDA issued regulations that established the criteria for the acceptance by the FDA of electronic records, electronic signatures and handwritten signatures executed to electronic documents. While our focus is on medical device companies and the compliance of their quality systems with this regulation, the rules also apply to companies in pharma, biotech, biologics developers, and other FDA-regulated industries. These laws are codified as Part 11 of Title 21 in the Code of Federal Regulations, or 21 CFR Part 11, or Part 11 for shorthand.
21 CFR Part 11 is divided into three sub-parts:
The General Provisions section discusses the scope of the regulations, when and how it should be implemented, and defines some of the key terms used in the regulations.
The Electronic Records section sets forth the requirements for administration of closed and open electronic record-keeping systems, then discusses signature manifestations and requirements for establishing a link between signatures and records.
Finally, the Electronic Signatures section is split into three parts: general requirements for electronic signatures, electronic signature components and controls, and controls for identification codes/passwords.
Since its original publication, 21 CFR Part 11 has generated a significant amount of confusion among medical device makers and other industry professionals who use electronic records. The FDA published a guidance document in August 2003 to clarify the scope and implications of various parts of the regulations. This document also served to further elucidate the requirements for software validation, audit trails, managing legacy systems, keeping copies of records, and record retention. It provides helpful information about what companies need to do in order to comply with the 21 CFR Part 11 requirements. With that said, it is important to remember that guidance documents themselves are not the law, and medical device companies should always refer directly to 21 CFR Part 11 when assessing their compliance status with FDA regulations.
Ten Chapters of 21 CFR Part 11
In this section, we'll take an in-depth look into each section of 21 CFR Part 11 and pick out the most important points that medical device companies need to be aware of.
Subpart A - General Provisions
Sec. 11.1 Scope - This is the first section of 21 CFR Part 11 and its goal is to establish what this regulation does and when it should be applied. The regulations in 21 CFR Part 11 set forth the criteria under which the FDA considers electronic records and signatures to be trustworthy, reliable, and generally equivalent to paper-based records. 21 CFR Part 11 applies to records in electronic form that are created, modified, maintained, archived, retrieved, and/or transmitted under any records requirement set forth by the FDA.
While there are some examples listed of agency-required records that are not subject to 21 CFR Part 11, quality management records are not listed among the exclusions here. As soon as a medical device company uploads any part of their quality management system to a computer, they are subject to the requirements of 21 CFR Part 11. (This is a little-known fact that many paper-based companies are not aware of.)
Sec. 11.2 Implementation - This section explicitly states that medical device companies can use paperless record-keeping systems if they are in compliance with this regulation. For medical device companies who wish to transmit electronic records to the FDA, they may do so if they comply with this regulation and if the documentation they wish to submit is identified in docket No. 92S-0251 as a type of submission that the agency accepts in electronic form.
Sec. 11.3 Definitions - The FDA provides definitions for some of the terminology that will be used later in Part 11. One example would be the difference in definitions between closed systems and open systems. A closed system is a record-keeping system where system access is controlled by persons who are responsible for the content of electronic records on the system. In an open system, access is not controlled by persons who are responsible for the contents of the electronic records on the system.
This terminology should not be confused with "open source" or other uses of "open/closed" as a descriptor. In this context, a closed system is one where the company keeps the records only on its own hardware, accessible through its own internal network, while an open system is one where a vendor offers record-keeping software to the medical device company under a license and therefore controls access to the software and the records.
Subpart B - Electronic Records
Sec. 11.10 Controls for closed systems - This section sets forth 11 separate and distinct security management requirements for companies that wish to keep electronic records using a closed software system. Some of the requirements include limiting system access to authorized individuals, authority and device checks to verify the integrity of data and signatures, the establishment of written accountability policies for maintaining system security, and the appropriate validation of the record-keeping system to ensure consistency in its intended performance.
The FDA also establishes the audit trail requirements in this section, similar to the document control requirements of 21 CFR Part 820. Medical device companies must maintain appropriate control over systems documentation, including revision and change control procedures to maintain an audit trail that documents changes in the system. An audit trail ensures that every activity which happens in the record-keeping system generates a record and can be reviewed later.
Sec. 11.30 Controls for open systems - Open systems typically mean that more people have access to the record-keeping system, so the security requirements should be slightly more comprehensive to help ensure that the records kept are accurate and reliable. This section recommends that open systems are subject to the same 11 security requirements as closed systems, along with any additional appropriate measures such as document encryption and the use of digital signature standards to ensure the integrity and confidentiality of the records.
Sec. 11.50 Signature Manifestations - This section deals with how signatures should appear on electronic records. The FDA expects to see the printed name of the signer, the date and time that the signature was executed, and the meaning of the signature (approval, review, authorship, etc.), all subject to the same controls as the records themselves and included in any human-readable form of the electronic record.
Sec. 11.70 Signature record/linking - A section so short, we can quote it:
Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.
This means that medical device companies must use a record-keeping software that tracks the approval status of documents using secure attribution data. The system should not allow any user with inadequate permissions to effect a signature by copying a signature from one document and attaching it onto another.
Subpart C - Electronic Signatures
Sec. 11.100 General Requirements - This section sets forth some of the requirements for personal accountability in electronic signatures that are central to this regulation. It requires organizations to verify the identity of any individual who is assigned an electronic signature on the system, and it requires medical device companies who wish to use electronic signatures to notify the FDA in writing by mail. The agency's Rockville, MD address is provided.
Sec. 11.200 Electronic signature components and controls - The FDA wants electronic signatures to use at least two identifying components - such as including an identification code and a password. Electronic signatures should be assigned to individual persons - not to groups or departments - such that each electronic signature can only be executed by a single person to whom it is assigned and whose identity was verified in compliance with this part. The FDA really wants to make sure that approval and review signatures cannot be disputed once they are entered into the system.
Sec. 11.300 Controls for identification codes/passwords - 21 CFR Part 11 requires special security measures for the control of passwords. No two individuals should use the same identification code/password combination to access the system, and passwords should be periodically revised to cover events such as password aging. Medical device companies must establish transaction safeguards that prevent unauthorized use of passwords. Loss management procedures should be established to ensure that compromised security tokens, cards or other devices are deauthorized to prevent security breaches.
How Does Greenlight Guru Help You Comply with 21 CFR Part 11?
Greenlight Guru is a SaaS company that offers the only electronic Quality Management Software (eQMS) designed specifically to meet the unique needs of medical device companies. Our unique system has a suite of superior functionalities, specifically with our “no-effort” validation process, which is a borrowed term we’ll discuss in more detail later in this piece. We designed this no-effort, turn-key solution specifically for medical device companies to ensure compliance with 21 CFR Part 11. Our customized approach allows companies to seamlessly carry out the validation process through our own validated OQPQ process, which includes key requirement components of Part 11.
We believe it’s imperative for us as a company to implement the same practices that we ask of our customers. So, with every new release of our software platform, we include validation documentation of executed test cases confirming the steps that were followed in the validation process. We provide objective evidence from a third-party assessment confirming the validation of the automated process we use, adhering to the same stringent document and record security and audit trail requirements set forth by the FDA for compliance with 21 CFR Part 11.
Let’s consider the alternative approaches to this process. Companies who use paper-based systems must manually oversee these operations, ensuring complete accuracy and efficacy in document control and security-based activities. A lot of effort is required to do it this way, not to mention the myriad risks associated with the likelihood of human error.
Let’s say you’re not paper-based but instead use a general-purpose eQMS to manage your quality system. Because it is general purpose, you will need to spend a great deal of time and effort engineering the system you want. This introduces a lot of risk because medical device QMS best practices won’t be built in. But let’s say you have a great team and are able to pull it off. Once you reach the validation checkpoint, this stage presents a whole new set of challenges. Because your environment is customized, you will need to carry out all the tests yourself to validate your system, which will likely take weeks if not months. Then, any time you’re looking to make a change, you’re looking at going through that whole validation process again.
At Greenlight Guru, it’s our goal to alleviate those efforts and streamline your processes through our multi-tenant, cloud-based SaaS platform. An LNS Research ‘State of the Market’ piece on Software Validation in the Life Sciences industry asserts, “Cloud-based technologies create new opportunities to streamline validation [and] industry leading vendors are providing pre-validated platforms, pre-validated functions, and pre-validated pre-configurations.” That article goes on to describe the “no-effort” approach we’ve pioneered with our software, establishing an automated system for the validation process and ultimately providing companies with a steadfast track for compliance with 21 CFR Part 11.
Summary of a Complete Guide to 21 CFR Part 11
21 CFR Part 11 provides an opportunity for medical device companies to reap the organizational benefits of paperless record-keeping systems. It also helps the FDA ensure that when medical device companies use electronic record-keeping systems, that document security and authenticity are adequately maintained.
While some may argue that the regulations of 21 CFR Part 11 place an additional regulatory burden on these companies, it’s important to note that significant benefits can be derived from implementing these electronic systems. The FDA guidelines from Part 11 help establish accountability and traceability throughout your documentation processes by ensuring that:
- Access to electronic records is limited to authorized individuals
- Account sharing between individuals, groups or departments is not permitted
- Adequate security protocols are followed to ensure the integrity of passwords and login credentials for all users
- Electronic signatures cannot be transferred or copied between documents
- Electronic signatures are certified to be the same as handwritten signatures, and that the certification is mailed to the FDA
- Records are tracked through document controls and an audit trail that monitors changes and discerns invalid or altered records
Medical device companies will benefit from embracing the regulations of 21 CFR Part 11 because it will serve as a catalyst in protecting the integrity and confidentiality of their proprietary data. Greenlight Guru’s QMS software platform is simply that final missing piece of the puzzle for medical device companies to take their product to market faster, with less risk and more security to ensure optimal outcomes for the patients’ lives it improves.