FDA 21 CFR Part 11 Compliance for Medical Device Manufacturers: Are You Complying With These Four Critical Requirements?
The first paragraph of 21 CFR Part 11 seems disarmingly straightforward. It says: “The regulations in this part set forth the criteria under which the agency considers electronic records, electronic signatures, and handwritten signatures executed to electronic records to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper.” So simple…or so it seems. But as you are discovering, the “devil is in the details.”
The Top Four Part 11 Compliance Requirements for Medical Device Companies
Part 11 can apply to a wide variety of electronic records, including testing reports, quality control testing results, production records, design drawings, specifications, premarket submission content, and much more. Those records are not just documents containing text – these records also include images, drawings, and other electronic files. It’s important to note that FDA differentiates between “closed systems” with inherently controlled access (e.g., closed section of the company intranet only accessible to internal personnel) versus an “open system” that allows any access or external access like connections to the internet (e.g., in the “Cloud” storage, Google Drive, etc.). Requirements for both systems are shown here.
Let’s walk through four important aspects of Part 11 compliance that you need to consider.
1. Maintaining Security and User Access Controls
The key point here is that you need to conduct authority checks to make sure only authorized people can use the system, sign records, change records, or access the system and electronic records in some way. You’ll also need to keep close watch over documentation that shows how to operate and maintain the system. If an unauthorized person does access your system, there needs to be a means of automatically and immediately reporting the breach to the system security unit or organizational management. Best practices, and good compliance with Part 11, dictate that passwords must be changed periodically.
Here are two real-life examples of noncompliance taken from actual FDA Warning Letters:
“Firm failed to exercise appropriate controls over computer or related systems to ensure that only authorized personnel institute changes in master production and control records, or other records.”
“IT staff share user names and passwords to access your electronic storage system for data – your IT staff can delete or change directories and files without identifying individuals making changes.”
2. Complying with Electronic Signature Requirements
There’s more to this than meets the eye. Electronic signatures must include the printed name of the signer, the date and time of the signature, and the relevance of the signature (reviewed, approved, drafted by, etc.). There are a few other important points to note. First, an electronic signature must be unique to a specific individual and cannot be signed as “QA Manager” or “Regulatory Department.” Second, you are required to have a written policy that holds signatories accountable for any actions initiated under their signature. Third, the signature must be linked to a specific document and include the date and time signed.
A common red flag that could catch the attention of an FDA inspector includes a mixture of documented reviews and approvals, some of which are electronically scanned while others are paper based and only stored in binders. This commonly occurs between different areas of the organization. There is a difference between electronic signatures and scanning signatures on hard copy documents; those scanned documents become electronic records. Organizations must be clear on when they are truly using electronic signatures versus when a signed document becomes an electronic record.
The problem with this scenario is that because the paper records were scanned and stored electronically – and those documents are used to perform regulated activities – the company is obligated to comply with Part 11. Electronic signatures and handwritten signatures executed to electronic records are held to the same standard of compliance.
What is an FDA predicate rule?
“Predicate rule” is an FDA term that refers to the underlying requirements set forth in the Food, Drug, and Cosmetic Act; the Public Health Service Act; and other FDA regulations. It refers to any FDA regulation that includes record-keeping requirements such as what records must be maintained, the contents of those records, signature requirements, and duration of record retention. Any requirement in Part 11 is always associated with a predicate rule; this means that if another regulation requires records to be maintained electronically, then Part 11 would apply.
Here’s a brief example. 21 CFR Part 820.80(e)(4) says, “Each manufacturer shall document acceptance activities required by this part. These records shall include the signature of the individual(s) conducting the acceptance activities.” As such, this “predicate rule” would apply appropriate parts of Part 11 if the manufacturer is using electronic signature(s) for recording acceptance activities.
3. Validating Your Process
You know the drill. Once you have implemented a process you need to validate it. FDA makes this pretty clear in Subpart B of Part 11, noting that procedures and controls for closed systems shall include: “[v]alidation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.” Once a system is identified, its validation should be planned. A Part 11 system validation process includes activities such as project management, system risk assessment, validation planning, system design and specifications, system description, testing, traceability, and validation reporting. Part of your validation process should include testing to ensure that only authorized people can access electronic records and make changes. Also, you must have documented training in place for everyone using the system. For more on this, see Part 11, Subpart B.
4. Creating an Audit Trail
Part 11 mandates that you are able to generate accurate and complete records for review and identify any changes made to these electronic records. As an example, if a database maintaining customer complaint data is changed for any reason, an audit trail is created to identify who made the change, the type of change made, and the date of the change. This audit trail needs to be computer generated and time-stamped so that the entire sequence of document development and modification is clear. The audit trail component of an electronic system is designed so that it cannot be tampered with and remains permanent. You’ll need to make sure that your system is set up so that the author or person making the change cannot claim that the document is not genuine. This is important because nobody wants to be in an “I never signed that” or “I never changed that” situation. The need to implement audit trails should really be based on the underlying need to meet specific predicate rules in other regulations.
Mobile technology can make audit trails tricky. Many medical device manufacturers are integrating mobile technology such as tablets and smartphones into the QMS processes for activities, including design and development, inventory control, receiving/shipping, equipment/facility maintenance, and more. When this technology is used it can sometimes obscure the originator of the record or compromise the security of the electronic record.
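The following is an added illustration, not code from the article or from any FDA guidance, of what sections 2 and 4 above ask for in a record: a computer-generated, time-stamped, hash-chained audit trail whose entries name the individual (never a role), the action, and the exact version of the record touched, and whose signature entries carry the printed name, date/time, and meaning of the signature. All names, record IDs and contents are constructed sample values; the hash chain is one common way to make tampering with earlier entries detectable on review.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry


class AuditTrail:
    """Append-only trail; each entry commits to the previous one via prev_hash."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        # Canonical JSON so the same entry always hashes the same way.
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, user_id, printed_name, action, record_id, content, meaning=None):
        """Log who did what to which record version; meaning is set for signatures."""
        entry = {
            "seq": len(self.entries),
            "timestamp": datetime.now(timezone.utc).isoformat(),  # system clock, not user-supplied
            "user_id": user_id,              # unique individual account
            "printed_name": printed_name,    # signature manifestation: printed name
            "action": action,                # create / change / delete / sign
            "record_id": record_id,
            "content_sha256": hashlib.sha256(content.encode()).hexdigest(),  # links to this exact version
            "meaning": meaning,              # e.g. "approved", "reviewed" (signatures only)
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (ok, index): on failure, index is the first entry whose hash or link is broken."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev_hash"] != prev or self._digest(body) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, len(self.entries)


def demo():
    """Constructed scenario: create, change, then approve a document; then alter history."""
    trail = AuditTrail()
    trail.record("jdoe", "Jane Doe", "create", "SOP-042", "rev A text")
    trail.record("jdoe", "Jane Doe", "change", "SOP-042", "rev B text")
    trail.record("rroe", "Richard Roe", "sign", "SOP-042", "rev B text", meaning="approved")
    ok_before, _ = trail.verify()
    trail.entries[1]["action"] = "create"  # after-the-fact edit that hides the change
    ok_after, broken_at = trail.verify()   # review must flag entry 1
    return ok_before, ok_after, broken_at
```

On review, `verify()` reports the first entry whose content or link to its predecessor no longer matches, which is the check an independent reviewer of the trail would run.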
FDA Part 11 Compliance Checklist
The Part 11 regulation is deceptively short and, as a result, people underestimate what it takes to comply. In summary, the regulation requires that you make sure…
- No electronic records are missing.
- Backups of electronic records are verifiable.
- Operations personnel don’t all have admin rights.
- Audit trails can be reviewed by an independent unit/entity.
- Personnel are adequately trained to audit electronic data and regulated systems.
- Legacy computer systems have adequate validation or controls.
- Formal risk analysis is performed for changes to the system.
- Databases for analysis, tracking, and trending are validated.
- Suppliers are not blindly trusted for validation activities.
- Changes to data cannot be made by unauthorized personnel.
- Electronic data remains secure, especially with open systems.
- Audit trails show deletion/changing of data and audit trail reviews are conducted.
- Raw data may need to be maintained for review.
- Controls are established to prevent deletion of raw data and unauthorized access to data changes.
FDA Is Not Inspecting You for Part 11 Compliance
Keep in mind that FDA’s core focus is on patient safety. As such, they continue to focus on compliance with 21 CFR Part 820. We most often see that manufacturers get dinged for lack of Part 11 compliance as the inspector encounters these issues. Citations typically reference predicate rules.
Want to Learn More?
We have only scratched the surface of this topic, and there is so much more to know about Part 11 compliance and data integrity. If you’re ready to take the next step, please consider our training course on Part 11 compliance and medical device data integrity.