Medical Device Companies and 21 CFR Part 11 Compliance
The regulations from the US Food and Drug Administration (FDA) that apply to how various life sciences companies handle electronic files and electronic signatures is known as 21 CFR Part 11. One category of companies that must pay special attention to these regulations are those that manufacture and sell medical devices. But medical device companies also have some very particular areas to which they must pay special attention, which will be the focus of this article.
For more information on Part 11 compliance, see all the resources we’ve created at CFR Part 11 Terms and Definitions, as well as our recent article, Life Sciences Companies and 21 CFR Part 11 Compliance. The focus here is on software used at medical device companies, both generally as it relates to overall operations and then more specifically when software is used in medical devices as part of their design and functionality.
Non-Product Software (NPS) Used in Medical Device Companies
Not all software used in a medical device company falls under the purview of 21 CFR Part 11. The computer systems and software that would need to comply are any that store electronic records and/or use electronic signatures for anything that would ever need to be submitted to the FDA as part of the company’s regulatory compliance when seeking or maintaining medical device approvals.
As every medical device company knows, however, there is still a lot of software that goes into the manufacturing, design, testing, maintenance, packaging, and distribution of medical devices. Because those various software apps have the potential to impact medical device quality and safety, they are necessarily subject to Part 11 compliance. Just a few examples of NPS software include the following:
- Software embedded in measurement tools used designing and making a medical device
- Software used for in-line sampling statistical process control
- Programmable logic controllers (PLCs) used in the manufacturing process
- High-speed inspection systems
- CAD software used in in medical device engineering and design
- Complaint handling or corrective action databases and systems
- Database software used for unique device identification (UDI), lot tracking, and regulatory data
- Electronic signature software used for document control systems
- Project management applications used to manage medical device projects
- Spreadsheets used for compiling or analyzing device data
- Software utilized for quality management system (QMS) documentation
- Software used in the training of anyone who works on designing, making, distributing, or monitoring the quality of medical devices and/or regulatory compliance.
The above is just a sampling of potential software applications that would be subject to Part 11 compliance. If a software app has anything to do with a medical device such that if the software didn’t do its job could result in a defective medical device, then Part 11 applies because the potential risk to human health is high.
Software Incorporated into Medical Devices
Where things become increasingly complex for medical device companies is when their devices have software embedded in them to provide vital functionalities. This software may be designed by the medical device company, in which case it would be designed with Part 11 compliance in mind, or it might be off-the-shelf (OTS) software, in which case the company would want to consult the FDA guidance document called Off-The-Shelf Software Use in Medical Devices, which was issued in September 2019.
The document is important to study because it “…lays out in broad terms how the medical device manufacturer can consider what is necessary to document for submission to the Agency. A basic set of need-to-document items is recommended for all OTS Software, and a detailed discussion is provided on additional (special) needs and responsibilities of the manufacturer when the severity of the hazards from OTS Software failure become more significant.”
Be Ready for the Shift from Validation to Assurance
What the FDA requires of these different computer systems and software applications as they relate to Part 11 has been called validation, as in “Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records” (as found in the actual language of Title 21 CFR Part 11, subpart B) or CSV (computer system validation) for short. For now, validation still applies. If you want to get into the weeds of how to go about validating software, you can check out this FDA document: General Principles of Software Validation; Final Guidance for Industry and FDA Staff.
What’s coming down the pike, however, is a shift from CSV to CSA (computer software assurance). In part this shift is because companies were spending so much time on the documentation piece of CSV they were spending very little time on actual testing of the software or improving it. In fact, CSV is now viewed as stifling innovation in the software being used. Those are the big reasons behind the shift. For more information on this coming shift, we recommend taking a look at two different articles about it, the first being relatively short and the second being longer and more detailed: Computer Software Assurance (CSA): The FDA’s New Approach to CSV and then Are You Ready? FDA’s Transition from Computer System Validation to Computer Software Assurance.
eLeaP: An LMS Fully Compliant with 21 CFR Part 11
If you examine the list of software examples presented earlier that fall under the compliance requirements of Part 11, you’ll notice one of the items listed was software used in the training of anyone who works on designing, making, distributing, or monitoring the quality of medical devices and/or regulatory compliance. If your medical device company uses a learning management system (LMS) for training and education, it needs to be compliant with Part 11. Find out from your vendor if they can provide documentation of Part 11 compliance. And if your company is seeking an LMS, we invite you to explore eLeaP, which is fully compliant with Part 11 and can help you stay compliant as well. It was designed to be easy to use and yet powerful enough to handle all your training and learning management needs. It can also easily scale if your company will be growing. As a cloud-based subscription offering, you never have to worry about downloading or installing it or updating it. Explore our website to learn more, sign up for a free trial, or contact us for more information.