When it comes to compliance among medical device companies, there is a lot of misleading information about FDA 21 CFR Part 11.
A huge pitfall that we’ve found is that many companies think they’re in compliance (often due to misunderstanding the requirements), but in reality they are not.
If you’ve been led to believe that it’s just about your validation, audit trail, records and retention and that you’re “safe” because of your paper-based “master” file, it is actually more complex than that.
Here’s what medical device companies need to know about being compliant with 21 CFR Part 11:
What is 21 CFR Part 11?
In a nutshell, for the first part, 21 CFR Part 11 is about electronic records and record keeping, while the second part governs electronic signatures. It sets out how your company must consider them.
One thing to remember is that this did come out in 1997, so obviously what we now know about electronic systems and what we can achieve with them, has changed a great deal in 20 years.
We have also had to become more practical about how paperwork is managed across companies that may have multiple offices or multiple people that need to access and update records. It’s just not pragmatic to stick with a paper-based system if you have offices all over the globe.
In fact, basically all companies will find that Part 11 applies to them, despite misinformation suggesting that it won’t. For example, there are a number of companies that are somewhat afraid of Part 11 because of the things needed to prove a system is robust enough to meet its standards. They often say their “master records” are paper-based, although they do upload documents to a shared file or some accessible place on a server. They think that “paper based” records means no need to deal with Part 11.
For starters, “master records” is a misuse of the term. People will say that the piece of paper is their “master record” and think that what they do afterwards (such as scanning and uploading), doesn’t matter, as long as the master piece of paper remains intact. The fact is, the second that document is uploaded to a server, they are subject to compliance with Part 11.
In section 11.3, the FDA defines “electronic record” to mean; “any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.” As you can see, this makes the definition covered by Part 11 quite broad and most companies will be affected.
Call your paper copy whatever you want, but the moment you scan it and put it on a server, it fits under the context of a Part 11 electronic record. Therefore, even though companies may say they have a paper-based system, they probably do have a pervasive electronic system, even if it’s via folder trees. You still need to validate your records to ensure the scanned version matches the paper version.
Tip #1. The moment you upload any record to a computer system, you are subject to complying with Part 11.
The purpose of Part 11
The slide below is taken from a presentation that we put together on 21 CFR Part 11. It identifies the key purposes of Part 11:
Major components of Part 11
Security is a big aspect of Part 11. All users with access need the right roles and permissions. This is whether you use a system like greenlight.guru or if you have a simple folder tree structure. If you do opt for folder trees, note that they tend to get hairy. You need to go into individual folders and check permissions. You’ll need to pull valuable resources from IT to check it all, making it a big deal for compliance.
Tip #2. The concept of the “God” role is a big deal security-wise. It’s a no-no. No one should have this level of access and ability to alter anything permanently.
Passwords are, of course, another major component of the security side of the system. How will you access the system? Security is the biggest area of concern with Part 11 because you must know that the right people have the right permissions and that not just anyone can jump in.
Password best practices should apply, but the regulation itself is vague. We consulted experts on Part 11 about the design of our greenlight.guru platform and approach with respect to security. We wanted to ensure that we would meet Part 11 compliance and could give advice to users for doing so. With regard to passwords, we have a few “best practice” tips, which we’ve included in a printable guide below:
Access to electronic records should be controlled by a unique login, with username and password. There is also a recommendation that the user is logged out for a period of time for inactivity (10-20 minutes is standard). Also, lock users out after 3-5 failed password attempts.
If the account has been inactive for a period of time, the user should be locked out. The recommended time period for this is 30 days.
All of these best practices are implemented in the greenlight.guru system.
Tip #3. Ensure that all users of your system are following password best practices.
The gist of the audit trail requirement is to know which user did what and when to your records. When were records created, modified, deleted or made obsolete? All events should be recorded with the exact username, date and time. (The greenlight.guru platform assigns a role to a user who can access audit trails).
Many people think it only applies to a change of management; however, it’s much more than that. You should always know when users are logging in and should be aware of any lock-outs. This should raise a flag with whoever is in charge. Remember, purposes of Part 11 include fraud detection and simply knowing when changes have been made. You might call it a “complete history of your record-keeping system.”
A key part of your audit trail is that, theoretically, if the FDA were to review your system, this will be the applicable information they need to see. They want proof of everything that has happened.
Tip #4. “Audit trail” is not just applicable to management changes. It’s about knowing at all times who is doing what with your records.
These are about your method of review and approval of information. There can be a few different ways of complying:
- Biometric, e.g. fingerprint or retinal scan
- Digital signatures
- Handwriting capture in software
- Electronic signatures (We use these in greenlight.guru)
An electronic signature uses the username that is unique to the person and a password. One common mistake we would caution about is that generic department usernames aren’t advised. Usernames should be tied to a single person not a group so that transparency is maintained.
Tip #5. Avoid creating usernames for groups or departments. Each username should be tied to an individual.
When something requires approval in greenlight.guru, there is an "Approve" or "Reject" button. The signature must convey the intent, as well as the date and time. Once something is signed, the item should be permanently locked, unable to be revised or edited again. With paper, this is a bit of a loophole because there is an opportunity to mark-up paper by hand or track changes in word processing programs. There is less control than with greenlight.guru. On our platform, the document is locked in the approval process so that you stay in compliance with Part 11.
No editing is allowed; otherwise, you’re back to formal approval process.
Another thing that you must be aware of if you intend to use electronic signatures is the expectation that you notify the FDA that you’re doing so. You need to send them a letter to inform them that you’re using electronic signatures.
Tip #6. Inform the FDA if you intend to use electronic signatures.
We have seen a trend of software platforms claiming that they can take care of all of your Part 11 compliance. Ultimately, this is not true because Part 11 compliance is ALWAYS the responsibility of the medical device company. A software company shouldn’t be saying they have taken care of it all because your company is not absolved of the responsibility.
greenlight.guru does testing and validation of the platform and can provide supporting documentation, but it’s still ultimately your responsibility.
We can also provide:
- A checklist to show what applies compliance-wise
- A template letter to send to the FDA to inform of your use of electronic signatures
- A certificate of conformance for the platform design
- Compliance with Part 11 through having a QMS -- we have mapped out our practices and follow a consistent methodology
Tip #7. Part 11 compliance ALWAYS rests ultimately with the medical device company.
IQ, OQ and PQ
Yep, more acronyms! These mean; Installation Qualification, Operational Qualification and Performance Qualification. They are somewhat confusing in a 2017 context because they come from the time when the policy was introduced two decades ago. This means these terms tend to make more sense with equipment, but here is how you can think about them in a software sense:
IQ - Is the software installed correctly?
OQ - Is the software operating “from 0 to 100?” (Just as an example of operational range).
PQ - Although the software may go from 0-100, we’re concerned with 20-80 so that’s where our company will be scrutinized.
greenlight.guru has a checklist to ensure that you have browsers, operating systems etc. for compliance with IQ. OQ has been done in-house and a report is available. For PQ, we have written and can provide protocols, as well as including with onboarding and training.
Tip #8. Greenlight.guru can help you to comply with IQ, OQ and PQ requirements.
Complying with 21 CFR Part 11 doesn’t need to be an onerous task, particularly if you remember that any idea of a “paper-based master record” is a complete misnomer the second anything is uploaded to a computer system.
In other words, almost every medical device company will need to comply with Part 11 unless they truly do have everything on paper and no electronic copies of documents.
Follow a few simple tips for the security and integrity of your records and you should be prepared for an FDA inspection. Remember, ultimate responsibility for compliance will always rest with the medical device company and is not replaced with software, no matter what claims you might hear.
Still using a manual or paper-based approach to manage your design controls or quality processes? Click here to learn more about how greenlight.guru's modern eQMS software platform exclusively for medical device companies is helping devicemakers all over the globe in more than 270 cities and 25 countries get safer products to market faster with less risk while ensuring regulatory compliance.