For highly regulated medical device companies and life science industries, achieving 21 CFR Part 11 compliance has become a challenge, and it is a matter of concern for companies that are subject to FDA inspections. Organizations are required to follow best practices for maintaining their compliance and quality processes under the 21 CFR Part 11 regulation. As more medical device manufacturers have moved from paper-based to electronic quality systems, they have become subject to the new set of regulations: 21 CFR Part 11. Viewed as a whole, the goal of the regulation is quite simple: to legitimize digital records by giving credibility to electronic signatures, audit trails, and digital authority checks.

Tips To Comply with 21 CFR Part 11

Here are some significant points and tips to be aware of to ensure you and your organization achieve compliance with 21 CFR Part 11:

  1. Determine whether 21 CFR Part 11 is applicable to your system or organization
  2. Assess your data integrity compliance status in terms of how your data is currently stored and protected
  3. Follow accepted processes to implement time stamped audit trails
  4. Ensure that access management is strictly controlled
  5. Ensure that your current digital signature process is as per the regulations
  6. Implement change control procedures for compliance
  7. Ensure the applicable predicate rules are implemented
  8. Validate electronic records and electronic signatures, i.e., IQ, OQ, PQ
  9. Provide training to the staff

A brief overview of 21 CFR Part 11

The FDA’s Code of Federal Regulations Title 21 Part 11 defines basic criteria for which electronic records and electronic signatures are considered reliable, trustworthy, and equivalent to paper documents with handwritten signatures.

Furthermore, it establishes requirements related to electronic signatures, electronic records, and controls on electronic record systems.

As we move further towards digitalization, it has become difficult for companies to handle paper documentation. In Part 11, the FDA addressed the need for increased innovation in the industry’s working methods so that new products could be brought to market faster with the help of digital tools.

While it may seem like 21 CFR Part 11 was created to make your life more difficult, the intent is actually the opposite. The goal is to ensure that your electronic records and electronic signatures can be trusted.

As digital record keeping becomes more and more commonplace and eliminates the use of paper copies for data, it is essential to protect the integrity and accuracy of the information. This regulation will help with accountability and traceability of information throughout the documentation processes. It helps to protect against falsified records, unauthorized access to information, and ensures that everything is stored safely.

Having a SaaS validated learning management platform that is compliant with 21 CFR Part 11 can help you not only understand the FDA regulatory requirements but more importantly, comply with those rules.

Let’s take a deep dive into understanding the tips which can help medical device companies improve CFR Part 11 compliance.

#01- Determine whether 21 CFR Part 11 is applicable to your system or organization

The first consideration is to identify whether 21 CFR Part 11 is applicable to your system or your organization. Any medical device company releasing a product in the market that thinks it won’t be subject to the regulation because its ‘master copies’ of documentation are all in paper form is probably mistaken. If you store or have uploaded any of your documents onto any computer system as part of your development process, you are certainly subject to the regulatory requirements.

In section 11.3, the FDA defines “electronic record” to mean “any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system”. As the definition describes, a broad swath of electronic records is covered by the FDA statute. Whether you are a heavy user of electronic or computerized systems or an infrequent user, you and your organization are most likely covered under Part 11.

Moreover, the FDA has broadened its perspective on the electronic records and specifically defines which records are applicable for Part 11.

#02- Assess your data integrity compliance status in terms of how your data is currently stored and protected

There must be procedures in place to ensure that data is stored securely and protected from modification or loss. Companies must assess whether their systems are closed or open and implement procedures accordingly. Companies which use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records. One of these controls is defined in the 21 CFR Part 11 statute under section 11.10(c) as “Protection of records to enable their accurate and ready retrieval throughout the records retention period.”

Also, Part 11 requires that electronic systems be able “to generate accurate and complete copies of records in both human readable and electronic form for inspection, review, and copying by the agency”. The FDA guidance specifies that during inspection, a company should provide the FDA investigator with reasonable access to records.

#03- Follow accepted processes to implement time stamped audit trails

The use of electronic records has grown exponentially since Part 11 was issued, making the audit trail more crucial today. Clear audit trails are required to show the date, time, or sequence of events in a particular instance to ensure the trustworthiness and reliability of the records. The audit trail can help reveal data tampering or fabrication of results. It identifies the users who create, modify, or delete regulated records.

Recording the detail of every change and sign-off event by author, date, and time provides complete traceability and accountability over all the decision making that happens in a development process. An easily available audit trail can also ease the process of inspection.

#04- Ensure that access management is strictly controlled

Part 11 specifies the controls you need to have over access and editing rights within your system. The regulation includes many exacting requirements to prevent the accidental loss and deletion of data, as well as security breaches that can result as a consequence. The system should restrict access in accordance with preconfigured rules that can be maintained.

#05- Ensure the current digital signature process is as per the regulations

The requirements regarding the use of electronic signatures are clearly defined in Part 11. It says, “A digital signature is an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.”

The FDA allows and recommends electronic signatures to be used on electronic documents in place of ‘wet signatures’ on paper documents to streamline and standardize the business activities. To be compliant, the electronic records must include the printed name of the signer, the date/time it was signed, and the electronic signature’s intention.

#06- Implement change control procedures for compliance

After the system has been released for operation, system maintenance activities take over. The importance of such activities is characterized by recent FDA remarks related to the lack of change control management by regulated organizations. Companies must put procedural controls in place for implementing changes. Change control must be rigorously applied. The impact (criticality) of new versions on the standard product must be reviewed and appropriate action must be taken. Adherence to change management practices for computer technologies provides a process by which a change to a computer system must be proposed, evaluated, approved or rejected, scheduled, tracked, and audited.

#07- Ensure the applicable predicate rules are implemented

Predicate rules are FDA regulations that require companies to maintain certain records and submit information (both paper and electronic sources) as part of compliance. For FDA regulated companies where electronic systems and records are used, companies must know the predicate rules that apply to their industry in order to use Part 11. Any predicate rule that calls for a record or signature must be satisfied with an electronic record and electronic signature respectively.

The predicate rule details the kind of records required and the signatures needed to validate/certify. Therefore, it is crucial for companies to improve their awareness of the predicate rules that lay the groundwork for Part 11 compliance.

The Predicate Rule requirements must be the basis of the decisions to maintain the electronic records and the associated risk must be documented. The record retention period is also defined on the basis of the applicable predicate rule. It determines the value of the records over time.

#08- Validate electronic records and electronic signature i.e., IQ, OQ, PQ

Validation of the quality systems is critical to ensure consistency, accuracy, and reliability. In simple words, you need proper documentation to define the elements and their intended functions to validate their functionality at regular intervals of time.

The validation is performed through IQ, OQ and PQ.

  • Installation Qualification (IQ) is performed to confirm that the software is configured and installed correctly
  • Operational Qualification (OQ) is performed to ensure that the functionality is working correctly and there are no bugs
  • Performance Qualification (PQ) confirms that the software is fit for its intended use

The FDA recommends that the validation approach be justified and that companies document a risk assessment and a determination of the potential of the system to affect product quality and safety, and record integrity.

#09- Provide training to the staff

Part 11 clearly defines that all system users should undergo the training required to perform their assigned tasks and projects. Companies must establish and deploy proper training and SOPs so that their trained staff is well versed in their processes and procedures. The establishment of, and adherence to, written policies that hold individuals accountable and responsible for their actions is a core piece of maintaining compliance with 21 CFR Part 11.

Outcome of compliance with Part 11

21 CFR Part 11 provides an opportunity for Life Science companies to gain the organizational benefits of paperless record-keeping systems. It also helps the FDA ensure that when companies use electronic record-keeping systems, they document security procedures and that authenticity is adequately maintained.

The goal is quite simple, which is to achieve a system where electronic records and signatures can be trusted. Companies in FDA-regulated industries must view investing in 21 CFR Part 11 compliance as an investment in their long-term success.