WTH is FDA 21 CFR Part 11? That’s a question many medical device developers considering entering the US market must have asked themselves - in one way or another.
It’s easy to be intimidated by the slew of schedules and initials you’ll be confronted with when trying to break through into this huge and powerful marketplace, so here’s a guide to help you understand what Part 11 really means for you.
So, what is it?
It’s Part 11 of Title 21 of the Code of Federal Regulations, of course.
But what does that mean?
Put simply, Part 11 sets out how a company operating in the US can use electronic quality records and digital signatures in place of paper based documentation and ‘wet signatures’ in such a way that complies with FDA regulations.
Background to Part 11
First published in 1996, there have been various iterations of Part 11 released over the years to keep up with changes in technology.
It exists, fundamentally, as a regulatory response to security concerns about managing the distribution, storage and retrieval of records by biotechnology, drug and medical equipment manufacturers in the digital age. But it was also intended to address the huge cost to these companies of maintaining paper-based filing systems to satisfy the regulator. A key objective of the regulation was ultimately to allow these firms to shift to virtualised systems.
Does 21 CFR Part 11 apply to me, then?
Almost certainly. Any developer releasing a product in the US who believes they will not be subject to the regulation because their ‘master copies’ of documentation are all in paper form is probably mistaken. If you store or have uploaded any of your documents onto any computer system, it is almost certain the regulations will apply to you.
Part 11 makes life easier (honestly)
The good news is that Part 11 is really there to make life easier for you - showing you the ways you can streamline your business by creating a compliant and paperless eQMS.
But, allowing for virtualisation in such a highly regulated sector necessarily means the compliance bar for the eQMS (electronic quality management system) that you choose to deploy is set very high.
With that in mind, here are 7 key requirements for a compliant eQMS as laid out by the FDA that you need to consider when implementing a solution.
7 critical requirements of 21 CFR Part 11
Part 11 requires:
“Validation of systems to ensure accuracy, reliability, [and] consistent intended performance”
In other words - you should formally define how all elements of your system are supposed to work, then develop scripts and test routines to validate it is functioning as it should. Although it can feel burdensome, the process of validating your eQMS should give you reassurance on the security of your data and audit logs, as well as increasing the integrity of your record keeping.
2. Record generation
Part 11 stipulates that your eQMS must have an indexing and search functionality, so that records can be found quickly and easily (by you or an inspector).
A good proprietary eQMS will have just this kind of search function, with search results showing all document changes and iterations, indicating what is a ‘final version’, as well as displaying the digital signatures of any approval they were subject to.
3. Audit Trails
“Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records.”
A good QA function ensures that the development of all your processes is well documented, traceable to a specific originator and has an associated audit history. This audit history should be automatically generated and should not be modifiable.
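One way to make such an audit history tamper-evident is to chain each entry to the hash of the one before it. The sketch below is an added example, not code from this post or from any eQMS product; the names `AuditTrail`, `verify`, the field names and the sample operators and record IDs are all assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

ACTIONS = {"create", "modify", "delete"}  # operator actions named in the quoted text
GENESIS = "0" * 64                        # prev_hash used by the first entry

def _digest(body):
    # Canonical JSON (sorted keys) so an entry always hashes to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditTrail:
    """Append-only trail (hypothetical class): no update or delete is exposed."""
    def __init__(self):
        self._entries = []

    def head(self):
        return self._entries[-1]["hash"] if self._entries else GENESIS

    def record(self, operator, action, record_id):
        if action not in ACTIONS:
            raise ValueError(f"unsupported action: {action!r}")
        body = {
            "seq": len(self._entries),
            # Timestamp comes from the system clock, never from the operator.
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "operator": operator,
            "action": action,
            "record_id": record_id,
            "prev_hash": self.head(),
        }
        self._entries.append(dict(body, hash=_digest(body)))

    def export(self):
        return [dict(e) for e in self._entries]

def verify(entries, expected_head=None):
    """Return the index of the first bad entry, len(entries) if the trail is
    truncated relative to expected_head, or None if the trail is intact."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e.get("seq") != i or e.get("prev_hash") != prev or e.get("hash") != _digest(body):
            return i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return len(entries)
    return None

if __name__ == "__main__":
    trail = AuditTrail()
    trail.record("asmith", "create", "SOP-001")  # constructed sample data
    print(verify(trail.export(), trail.head()))
```

The chain only proves integrity if the head hash is kept somewhere the system's operators cannot rewrite it; anyone who can rewrite both the entries and the stored head can recompute the whole chain.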
4. Operational Controls
A sophisticated eQMS will allow for quality procedures to be monitored and controlled by ‘phase gating’. This will ensure documents are reviewed by specified individuals and that they meet certain requirements before they are signed off and a contingent phase begun.
The right eQMS solution will offer a readily accessible Business Process Map for FDA inspectors to examine and easily understand those procedures for themselves.
5. Security Controls
Entry to a system should be controlled by a unique login and password for every user.
Your eQMS should have the ability to specify the number of people who can alter certain documents, tracking each version of the file, as well as identifying those who have altered it in the past. Final records should be read only.
6. Digital Signatures
The requirements for the use of digital signatures are clearly mapped out in Part 11 and we have dealt with them in detail in a separate blog post.
Part 11 reminds us of their specific definition, (one that sets them apart from other kinds of e-signature), where a recognised Certification Authority acts as a notary to verify the identity of a signer.
"A digital signature is an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified." (FDA CFR Part 11)
The FDA allows digital signatures to be used in place of ‘wet signatures’ on paper documents so that business activities can be streamlined and virtualised. In order to be compliant, they must include the printed name of the signer, the date/time the signature was applied, and the ‘meaning’ or intention of the electronic signature.
A good eQMS will give an administrator complete visibility and control over the use of these signatures across their systems. They should be able to create and cancel signature requests as well as setting the locations where signatures can be used to guard against fraud.
Part 11 dictates that all system users have the necessary training to perform their assigned tasks and projects. An eQMS can itself assist with this requirement by having users accept conditions upon signing into the system, or procedurally by documenting this responsibility as part of training.
For medical device developers who are seeking to enter the competitive and lucrative US market, it makes sense to find an eQMS specifically developed to deal with those regulatory challenges. It will certainly help to make the complex process of compliance less hellish.
And the truth is, it’ll be worth the investment for many other reasons, too. Because the eQMS that can deliver against those kinds of challenges could, at the same time, bring helpful new tools, rigour and efficiency to your entire development process.