When it comes to regulatory compliance for medical device companies, there can be some confusion around FDA 21 CFR Part 11. A huge pitfall that we’ve found is that many companies think they’re in compliance (often due to misunderstanding the requirements), but, in reality, they are not.
If you’ve been led to believe that it’s just about your validation, audit trail, records, and retention, and that you’re “safe” because of your paper-based “master” file, you must understand Part 11 is much more complex than that.
Medical device companies can use these tips to ensure compliance with 21 CFR Part 11:
- Determine whether 21 CFR Part 11 applies to your company.
- Follow best practices in data protection and password security.
- Establish clear audit trails for traceability.
- Follow guidelines on electronic signatures.
- Do not outsource responsibility:you’re in charge of 21 CFR Part 11 compliance.
- Validate for IQ, OQ, and PQ.
- Consider 21 CFR Part 11 compliance when choosing your QMS.
This guide will expand on these tips and provide helpful information to clear common points of confusion around this regulation. Here’s what medical device companies need to know to familiarize themselves with the regulation and comply with FDA’s 21 CFR Part 11:
WHAT IS 21 CFR PART 11?
21 CFR Part 11 is the FDA's regulations for electronic documentation and electronic signatures. It outlines the administration of electronic records in a medical device company’s quality management system.
Since 21 CFR Part 11 was first published in 1997, our electronic systems and their capabilities have advanced tremendously. However, the purpose of 21 CFR Part 11 still remains applicable over two decades later.
Part 11 was designed to cater to the evolving needs of the medical device industry, with the purpose of helping companies:
- Know how to use computer systems and software, particularly when it isn’t working properly.
- Maintain data safely and securely, and ensure data is not corrupted or lost.
- Ensure that approval and review signatures cannot be disputed.
- Trace changes to data
- Prevent and/or detect falsified records
We have also had to be more practical about how paperwork is managed across organizations that may have multiple offices or multiple people that need to access and update records. Using a paper-based system in a single office is challenging, and with offices based around the globe, it’s simply not practical.
With electronic records becoming widely used in the industry, the vast majority of companies will find that FDA 21 CFR Part 11 applies to them. As with many regulations, this isn’t always received well.
Many companies find the prospect of validating for 21 CFR Part 11 daunting. It’s necessary to prove to regulators that your system is robust enough to meet their standards, and this can be a challenge.
For example, there are a number of companies that are somewhat apprehensive of 21 CFR Part 11 because of the things needed to prove a system is robust enough to meet its standards.
#1. DETERMINE WHETHER 21 CFR PART 11 APPLIES TO YOUR COMPANY
Companies unwilling to embrace 21 CFR Part 11 often say their “master records” are paper-based, although they do upload documents to a shared file or some accessible place on a server. They think that “paper-based” records mean no need to deal with Part 11, but this is not the case.
For starters, “master records” is a misuse of the term. People will say that the piece of paper is their “master record” and think that what they do afterward (such as scanning and uploading) doesn’t matter, as long as the master piece of paper remains intact. The truth is, the moment the document is uploaded to a server, the company is subject to compliance with 21 CFR Part 11.
In section 11.3, the FDA defines “electronic record” to mean; “any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.” As you can see, this makes the definition covered by 21 CFR Part 11 quite broad, and most companies will be affected.
Therefore, even though companies may say they have a paper-based system, they probably do have a pervasive electronic system, even if it’s via folder trees. You still need to validate your records to ensure that the scanned version matches the paper version.
#2. FOLLOW 21 CFR PART 11 DATA SECURITY AND PASSWORD PROTECTION BEST PRACTICES
Data security is a big aspect of Part 11. All users with access need the right roles and permissions. This is true whether you use a quality system solution like Greenlight Guru or you have a simple folder tree structure. If you do opt for folder trees, note that they tend to be cumbersome.
You need to go into individual folders and check permissions. You’ll need to pull valuable resources from IT to check it all, making it a big deal for compliance.
When it comes to digital security, passwords are a major component. How will you access the system? Security is the biggest area of concern with 21 CFR Part 11 because you must know that the right people have the right permissions and that not just anyone can jump in.
Password best practices should apply, but the regulation itself is vague.
We consulted experts on 21 CFR Part 11 about the design of our Greenlight Guru platform and approach with respect to security. We wanted to ensure that we would meet Part 11 compliance and could give advice to users for doing so.
Access to electronic records should be controlled by a unique login, with username and password. Users inactive for 10-20 minutes should be logged out automatically.
We also advise that your system lock out users after 3-5 failed password attempts.
If the account has been inactive for a period of time, the user should be locked out. The recommended period for this is 30 days.
All of these best practices are implemented in the Greenlight Guru system.
#3. ESTABLISH CLEAR AUDIT TRAILS FOR TRACEABILITY
Clear audit trails are required so you can view which user performed any given action, at what time, to your records. When were records created, modified, deleted, or made obsolete?
All events should be recorded with the exact username, date, and time. The Greenlight Guru platform assigns a role to a user who can access audit trails for this purpose.
In addition to change management, audit trails apply to moments of access. You should always know when users are logging in and when they are locked out. You might call it a “complete history of your record-keeping system.”
A key part of your audit trail is that FDA can view these records upon inspection. The easier it is to find and understand this information, the smoother your inspection is likely to be.
#4. FOLLOW 21 CFR PART 11 GUIDELINES ON ELECTRONIC SIGNATURES
You may comply with 21 CFR Part 11 guidelines on reviewing and approving information a number of different ways:
- Biometric, e.g., fingerprint or retinal scan
- Digital signatures
- Handwriting capture in software
- Electronic signatures (we use these in Greenlight Guru)
We use electronic signatures, which assign unique usernames and passwords to signees. Generic department usernames aren’t advised. To maintain transparency, usernames should be tied to a single person, not to a group.
When something requires approval in Greenlight Guru, an "Approve" or "Reject" button may be clicked to convey the intent, as well as the date and time. Once something is signed in this way, the item is permanently locked and unable to be revised or edited again.
With paper, this is a bit of a loophole because there is an opportunity to mark up paper by hand or track changes in word-processing programs. There is less control than with Greenlight Guru. On our platform, the document is locked in the approval process so that you stay in compliance with 21 CFR Part 11.
No editing is allowed; otherwise, you’re back to formal approval processes.
Another thing that you must be aware of if you intend to use electronic signatures is the expectation that you notify the FDA that you’re doing so: you need to send them a letter to inform them that you’re using electronic signatures.
#5. DO NOT OUTSOURCE RESPONSIBILITY: YOU’RE IN CHARGE OF YOUR 21 CFR PART 11 COMPLIANCE
We have seen a trend of software platforms claiming that they can take care of all of your 21 CFR Part 11 compliance. Ultimately, this is not true because Part 11 compliance is ALWAYS the responsibility of the medical device company. A software company shouldn’t be saying they have taken care of it all, because your company is not absolved of the responsibility.
Greenlight Guru does testing and validation of the platform and can provide supporting documentation, but compliance is ultimately your responsibility.
We can also provide the following:
- A Part 11 compliance checklist
- A template letter to send to the FDA to inform them of your intent to use electronic signatures
- A certificate of conformance for the platform design
- A QMS solution compliant with 21 CFR Part 11, including pre-validated templates and features that have passed hundreds of audits and inspections
#6. VALIDATE FOR IQ, OQ, AND PQ
IQ, OQ, and PQ are acronyms that stand for installation qualification, operational qualification, and performance qualification. Because the regulation was written 20 years ago, the acronyms originally referred to equipment.
This is how you can think about IQ, OQ, and PQ in software terms:
- Installation Qualification: Is the software installed correctly?
- Operational Qualification: Is the software capable of meeting the regulatory requirements?
- Performance Qualification: Is the software
The Greenlight Guru software has an internal checklist built-in to ensure that your browsers, operating systems, etc., comply with IQ. OQ has been done in-house and a report is available. We offer PQ protocols as well as on-boarding and training.
#7. CONSIDER 21 CFR PART 11 COMPLIANCE WHEN CHOOSING A QMS SOLUTION
Compliance is an ongoing process, and you’ll need to ensure that you’re handling electronic documents and signatures correctly throughout your project life cycle.
Your choice of QMS will play a key role in CFR Part 11 compliance. If your QMS isn’t aligned with CFR Part 11 or doesn’t come with pre-validated templates, you’ll need to factor that into your business plan. General-purpose solutions will require a lot of configuration, staff training, validation testing, and perhaps outside help to ensure compliance.
All of this requires significant time and capital investment. We recommend that you look into various QMS solutions and consider the needs of your company when it comes to validating for CFR Part 11. Does your solution offer everything you need to bring your device to market?
Final Thoughts on 21 CFR Part 11
Complying with 21 CFR Part 11 doesn’t need to be an onerous task, particularly if you remember that any idea of a “paper-based master record” is a complete misnomer the second anything is uploaded to a computer system.
In other words, almost every medical device company must comply with 21 CFR Part 11 unless they truly do have everything on paper only, with no electronic copies of documents stored anywhere.
Follow these tips to ensure the security and integrity of your records and you should be prepared for an FDA inspection. Remember: medical device companies are ultimately responsible for their own compliance, no matter what third parties may promise.
Still using a manual or paper-based approach to manage your design controls or quality processes? Click here to learn more about how Greenlight Guru's medical device QMS (MDQMS) software platform exclusively for medical device companies is helping device makers in more than 270 cities and 25 countries get safer products to market faster, with less risk, while ensuring regulatory compliance.
Looking for a design control solution to help you bring safer medical devices to market faster with less risk? Click here to take a quick tour of Greenlight Guru's Medical Device QMS software →