FDA Part 11 for Medical Device Manufacturers: Are You Complying With These Four Critical Requirements?
The first paragraph of 21 CFR Part 11 seems disarmingly straightforward. It says: “The regulations in this part set forth the criteria under which the agency considers electronic records, electronic signatures, and handwritten signatures executed to electronic records to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper.” So simple…or so it seems. But as you are discovering, the “devil is in the details.”
The Top Four Part 11 Compliance Requirements for Medical Device Companies
Part 11 applies to a wide variety of records, including test protocols, work instructions, production records, design drawings, specifications, premarket submissions, and much more. Those records are not just text documents – they also include images and videos. It’s important to note that FDA differentiates between “closed systems” with inherently controlled access (e.g., closed section of the company intranet only accessible to developers) versus an “open system” that connects to the internet (e.g., Dropbox, Google Drive, etc.). Requirements for both systems are shown here.
Let’s walk through four important aspects of Part 11 compliance that you need to consider.
1. Maintaining Security and User Access Controls
The key point here is that you need to conduct authority checks to make sure that only authorized people can use the system, sign records, change records, or access the system in some other way. You’ll also need to keep close watch over documentation that shows how to operate and maintain the system. If an unauthorized person does access your system, there needs to be a means of automatically and immediately reporting the breach to the system security unit or organizational management. Best practices, and Part 11, dictate that passwords must be changed periodically.
Here are two real-life examples of noncompliance taken from actual FDA Warning Letters:
“Firm failed to exercise appropriate controls over computer or related systems to ensure that only authorized personnel institute changes in master production and control records, or other records.”
“IT staff share user names and passwords to access your electronic storage system for data – your IT staff can delete or change directories and files without identifying individuals making changes.”
2. Complying with Electronic Signature Requirements
There’s more to this than meets the eye. Electronic signatures need to include the printed name of the signer, the date and time of the signature, and the meaning of the signature (reviewed, approved, drafted by, etc.). There are a few other important points to note. First, a signature must be unique to a specific individual and cannot be signed as “QA Manager” or “Regulatory Department.” Second, you are required to have a written policy that holds signatories accountable for any actions initiated under their signature. Third, the signature must be linked to a specific document and include the date and time signed.
A common red flag that could catch the attention of an FDA inspector includes a mixture of documented reviews and approvals, some of which are electronically scanned while others are paper-based and stored in binders. This commonly occurs between different areas of the organization.
The problem with this scenario is that because the paper records were scanned and stored electronically – and those documents are used to perform regulated activities – the company is obligated to comply with Part 11. Electronic signatures and handwritten signatures executed to electronic records are held to the same standard of compliance.
What Is an FDA Predicate Rule?
This is an FDA term that refers to the underlying requirements set forth in the Food, Drug, and Cosmetic Act, the Public Health Service Act, and other FDA regulations. It refers to any FDA regulation that includes record-keeping requirements such as what records must be maintained, the contents of those records, signature requirements, and duration of record retention. Any requirement in Part 11 is always associated with a predicate rule.
Here’s a brief example. 21 CFR Part 820.80(e)(4) says: “Each manufacturer shall document acceptance activities required by this part. These records shall include the signature of the individual(s) conducting the acceptance activities.” As such, the expectation in Part 11 is that this predicate rule will be met by the manufacturer using an electronic signature.
3. Validating Your Process
You know the drill. Once you have implemented a process you need to validate it. FDA makes this pretty clear in Subpart B of Part 11, noting that procedures and controls for closed systems shall include: “Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.” Once a system is identified, its validation should be planned. A Part 11 system validation process includes activities such as project management, system risk assessment, validation planning, system design and specification description, testing, traceability, and validation reporting. Part of your validation process should include testing to ensure that only authorized people can sign records and make changes. Also, you must have documented training in place for everyone using the system. For more on this, see Part 11, Subpart B.
4. Creating an Audit Trail
Part 11 mandates that you are able to generate accurate and complete records for review and copying by the FDA. This audit trail needs to be computer generated and time-stamped so that the entire sequence of document development and modification is clearly evident. The audit trail component of the system is designed so that the trail cannot be tampered with and remains permanent. You’ll need to make sure that your system is set up so that the signer cannot claim that the document is not genuine. This is important because nobody wants to be in an “I never signed that” situation. The need to implement audit trails should really be based on the underlying need to meet specific predicate rules in other regulations.
Mobile technology can make audit trails tricky. Many medical device manufacturers are integrating mobile technology such as tablets and smartphones into the QMS processes for activities, including design and development, inventory control, receiving/shipping, equipment/facility maintenance, and more. When this technology is used it can sometimes obscure the originator of the record or compromise the security of the record.
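To make the signature and audit trail requirements from sections 2 and 4 concrete, here is an added illustration (example code written for this article, not any vendor's product or an FDA-endorsed design). It is a small append-only, hash-chained audit trail in which every entry is computer generated and time-stamped, names an individual (never a role), states the meaning of a signature, and is bound to the exact content of the document it refers to. The chaining means that editing or deleting a past entry is detectable on verification, and a signature applied to one revision does not silently carry over to a later one. The record layout, the `GENESIS` constant and the helper names are assumptions of this example, not terms from Part 11.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# prev_hash of the first entry; a fixed constant chosen for this example
GENESIS = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class AuditTrail:
    """Append-only, hash-chained audit trail (illustrative only)."""

    def __init__(self, clock=lambda: datetime.now(timezone.utc)):
        self.entries: List[dict] = []
        self._clock = clock  # injectable so tests can use a fixed time

    @staticmethod
    def _entry_hash(entry: dict) -> str:
        # Hash a canonical JSON form of every field except the hash itself
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return sha256_hex(canonical.encode())

    def record(self, user: str, action: str, document_id: str,
               content: bytes, meaning: Optional[str] = None) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "timestamp": self._clock().isoformat(),  # system-generated, not user-supplied
            "user": user,  # a named individual, never "QA Manager" or a department
            "action": action,
            "document_id": document_id,
            "document_sha256": sha256_hex(content),  # binds the entry to this exact content
            "meaning": meaning,  # e.g. "reviewed", "approved"; required for signatures
            "prev_hash": prev,  # links this entry to the one before it
        }
        entry["entry_hash"] = self._entry_hash(entry)
        self.entries.append(entry)
        return entry

    def sign(self, user: str, document_id: str, content: bytes, meaning: str) -> dict:
        if not meaning:
            raise ValueError("a signature must state its meaning")
        return self.record(user, "signature", document_id, content, meaning)

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Return (True, None) if the chain is intact, else (False, index of first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if (e["seq"] != i or e["prev_hash"] != prev
                    or self._entry_hash(e) != e["entry_hash"]):
                return False, i
            prev = e["entry_hash"]
        return True, None

    def signatures_for(self, document_id: str, content: bytes) -> List[dict]:
        """Signatures bound to exactly this content; a later revision needs fresh signatures."""
        h = sha256_hex(content)
        return [e for e in self.entries
                if e["action"] == "signature"
                and e["document_id"] == document_id
                and e["document_sha256"] == h]


def demo() -> dict:
    """Walk through a draft, a revision, a review signature and an attempted back-edit."""
    trail = AuditTrail()
    rev_a = b"Test protocol TP-001 rev A (constructed sample content)"
    rev_b = b"Test protocol TP-001 rev B (constructed sample content)"
    trail.record("a.author", "create", "TP-001", rev_a)
    trail.sign("a.author", "TP-001", rev_a, "drafted by")
    trail.record("a.author", "modify", "TP-001", rev_b)
    trail.sign("r.reviewer", "TP-001", rev_b, "reviewed")
    intact, _ = trail.verify()
    # The "drafted by" signature was on rev A, so only the reviewer has signed rev B
    rev_b_signers = [e["user"] for e in trail.signatures_for("TP-001", rev_b)]
    # Simulate someone rewriting history: change who signed entry 1
    trail.entries[1]["user"] = "someone.else"
    still_ok, bad_index = trail.verify()
    return {"intact": intact, "rev_b_signers": rev_b_signers,
            "tamper_detected": not still_ok, "bad_index": bad_index}


if __name__ == "__main__":
    print(demo())
```

In a real system the entries would be written to storage that application users cannot modify, the hash chain would be anchored periodically (for example by signing the latest `entry_hash`), and verification would run as part of the audit trail review the checklist below calls for. The point the code makes is that binding each entry to the previous entry and to the document content is what turns "the audit trail cannot be tampered with" from a policy statement into something you can check.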
FDA Part 11 Compliance Checklist
The Part 11 regulation is deceptively short and, as a result, people underestimate what it takes to comply. In summary, the regulation requires that you make sure…
- No electronic records are missing.
- Backups of electronic records are verifiable.
- Operations personnel don’t all have admin rights.
- Audit trails are reviewed by the quality unit.
- Quality personnel are adequately trained to audit electronic data and regulated systems.
- Legacy computer systems have adequate validation or controls.
- Formal risk analysis is performed for changes to the system.
- Databases for analysis, tracking, and trending are validated.
- Suppliers are not blindly trusted for validation activities.
- Changes to data cannot be done by unauthorized personnel.
- Electronic data remains secure, especially with open systems.
- Analysts do not have system administrator access.
- Audit trails show deletion of data and audit trail reviews are conducted.
- A secondary review of laboratory results is conducted for accuracy.
- Raw data is maintained for review.
- Controls are established to prevent deletion of raw data and unauthorized changes to data.
FDA Is Not Inspecting You for Part 11 Compliance
Keep in mind that FDA’s core focus is on patient safety. As such, they continue to focus on compliance with 21 CFR Part 820. We most often see that manufacturers get dinged for lack of Part 11 compliance as the inspector encounters these issues. Citations typically reference predicate rules.
Want to Learn More?
We have only scratched the surface of this topic and there is so much more to know about Part 11 compliance and data integrity. If you’re ready to take the next step, please consider our training course on Part 11 compliance and medical device data integrity.