Nearly every medical device company is subject to software validation requirements, regardless of whether your medical device has any software component at all. Remember that 21 CFR Part 11 applies to electronic signatures and electronic records.
If you scan a signature or upload documents to be stored on a server or cloud service, FDA 21 CFR Part 11 applies to you, with validation requirements that apply whenever paper records are converted to electronic versions.
Since compliance is a requirement for manufacturers to legally sell a medical device in the US marketplace, it’s imperative that you use a quality system designed to facilitate this process and simplify compliance.
21 CFR Part 11 validation can be challenging depending on the type of quality management system you’re using, but it shouldn’t deter you from using a software of any sort to manage these functions.
The FDA itself encourages the use of new technologies. In a webinar with Greenlight Guru, Cisco Vicenty, CDRH Program Manager at FDA said, “The FDA supports and encourages the use of automation, information technology, and data solutions throughout the product lifecycle.” Vicenty extolled the benefits of software, saying it can “reduce or eliminate errors, increase business value, optimize resources, and reduce patient risk.”
With all of this value available at your fingertips, the key is finding the best QMS software that not only provides compliance but exceeds it. If you have to invest in 21 CFR Part 11 software, and you likely do, look for software that will give you returns beyond compliance.
Let's take a look at six key benefits of the best 21 CFR Part 11 compliant software to help you understand the true value it can offer your medical device company:
The main purpose of 21 CFR Part 11 is to make sure your system is validated. Some 21 CFR Part 11 software, like Greenlight Guru, comes validated out of the box. Greenlight Guru provides a 21 CFR Part 11–compliant installation qualification (IQ) protocol and completed operational qualification (OQ) and performance qualification (PQ) reports.
And FDA has stated that you do not have to reinvent the wheel and can leverage a software provider’s validation documentation--provided it addresses the requirements of Part 11 (which the validation package for the Greenlight Guru Medical Device QMS platform does.)
According to 21 CFR Part 11 Sec. 11.10(a), the purpose of validation is to “ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.” In other words, a validated process is one that you can rely on to perform consistently.
You can split process validation into three components: installation qualification (IQ), operational qualification (OQ), and performance qualification (PQ). To better understand IQ, OQ, PQ, think of each by asking these questions:
IQ: Is the software correctly installed?
OQ: Is the software operating as expected, and do users understand its limits?
PQ: Does the software reliably produce the correct result?
(Note: The terms IQ, OQ, and PQ are historical terms that typically relate to hardware and long ago were adapted to software too.)
For a process to be validated, you must systematically put it through the test of answering these questions and get fitting answers. A yes to all three components proves your process is validated.
FDA suggests that “your decision to validate computerized systems, and the extent of the validation, take into account the impact the systems have on your ability to meet predicate rule requirements.” In other words, consider the actual effect that the systems you are validating will have on your company’s ability to reliably produce safe, effective medical devices.
FDA further suggests that you base this assessment on risk. A word processor that you use only to generate SOPs, an example cited by FDA, would not be considered high risk.
21 CFR Part 11 requires extensive documentation. Greenlight Guru, the only QMS designed for medical device companies, makes documentation nearly automatic. Without 21 CFR Part 11 software, you might be stuck tracking documents manually.
Surely you’ve had the experience of getting lost in a labyrinth of Dropbox, Sharepoint, or Google Drive folders, each click leading you further down the maze. Software that wasn’t designed with 21 CFR Part 11 in mind makes documentation burdensome and nearly impossible to control.
Harder still is that FDA doesn’t merely require manufacturers to store all documents. FDA requires medical device companies to have procedures in place that can identify devices with a “failure to perform” and “facilitate corrective action.”
FDA calls this “traceability,” and experts in the medical device industry refer to it as closed-loop traceability (CLT) when you can go a step further and connect all processes that occur throughout the entire product lifecycle.
The trouble is, without the right 21 CFR Part 11 software, demonstrating CLT can be difficult. Our 2021 State of Medical Device Report revealed more than half of respondents cannot currently document closed-loop traceability with a surprising 14% reporting they do not plan to prioritize finding a resolution for achieving CLT for at least the next two years.
This is a troublesome revelation given that closed-loop traceability is a requirement for many manufacturers and regulatory bodies placing a significant emphasis on it.
Feature-rich 21 CFR Part 11 software can integrate all your processes and procedures together in one place, making document control automatic. Greenlight Guru, for instance, can integrate your document control processes together, achieving full traceability from the beginning of product development to the ongoing post-market surveillance of the product.
Legacy systems give you a place to store your documents. Greenlight Guru gives you access to a living, single source of truth to manage your documents, records, and quality system data.
The document management software lets companies easily control documentation within an interconnected web of quality system workflows and extract data-driven insights for full control of every document. Reduce time spent looking for documents. Time spent looking is time wasted.
21 CFR Part 11 requires document-approval processes, but with 21 CFR Part 11 software, you can make approval and routing instant. The seemingly simple process of getting documents approved and deciding which need approval can quickly become increasingly complex.
With 21 CFR Part 11 software, you can make approval and routing simple. Greenlight Guru, for instance, makes document approval instant and trackable. If anyone on your team makes a mistake, you can even revert the document to a previous version.
Many medical device companies stumble over the document-approval regulations in 21 CFR Part 11. FDA requires companies that use electronic records to use “secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries, and actions that create, modify, or delete electronic records.”
That’s only the start, however. FDA states, “Even if there are no predicate rule requirements to document, for example, date, time, or sequence of events in a particular instance, it may nonetheless be important to have audit trails or other physical, logical, or procedural security measures in place to ensure the trustworthiness and reliability of the records.”
Beyond compliance, FDA recommends doing a “justified and documented risk assessment, and a determination of the potential effect on product quality and safety and record integrity” to inform your decision on establishing audit trails.
21 CFR Part 11 requires authenticated signatures, a feature built into the Part 11-compliant software of Greenlight Guru that ensures users have compliant signatures that are stored in an easily accessible place.
An electronic signature combines two authentication methods: a public-facing username or email address, and a private token, such as a password or biometric identity.
FDA further stipulates, for signatures not backed by biometric authentication, that valid signatures are:
only used by their genuine owners, and
administered such that two or more individuals would have to work together to use a signature that wasn’t theirs.
Legacy systems make the process of even signing a document difficult. Without the stipulations 21 CFR Part 11 dictates, any given signature might be invalid.
For quality managers, that means checking and double-checking every signature. It means chasing down the same stakeholders again to verify that you not only got a signature, but you got a valid signature. It turns quality managers into paper managers.
Unsurprisingly then, after that work, quality managers want to be able to store electronic documents in a safe and secure way. 21 CFR Part 11, though, regulates the proper storage of electronic records.
Key to storage, at least for FDA, is your ability to extract records from storage. 21 CFR Part 11 Sec. 11.10(c) notes that the protection of records should be such that it enables “their accurate and ready retrieval throughout the records retention period.”
FDA’s focus, perhaps unsurprisingly, pertains to the inspectors: “You should provide an investigator with reasonable and useful access to records during an inspection.” Essentially, FDA wants you to store your records in such a way that when an inspector requests them, you can easily access the records and present them in a readable format.
21 CFR Part 11 compliant software can help. The best QMS software solutions make the transmission of document approval instantaneous. You can easily send documents to the right people and collect authenticated signatures with the click of a button.
Better, with audit management workflows from Greenlight Guru, your 21 CFR Part 11 software can play a key role in ensuring that audits go smoothly.
21 CFR Part 11 requires strict data security, and the right 21 CFR Part 11 software can make this a background task while giving you secure access control over the permissions each user of the software is granted.
Greenlight Guru, for instance, lets you set granular user permissions as part of its advanced document management workflow. You can choose which documents you wish to share with both internal and external stakeholders, based on the user, role or geographic location, all while maintaining strict access control.
21 CFR Part 11 includes strict authorization requirements. Among other regulations, companies must have procedures for, as noted in 21 CFR Part 11 Sec. 11.10(d), “limiting system access to authorized individuals.”
Beyond broad authorization, 21 CFR Part 11 Sec. 11.10(g) requires the “use of authority checks” to ensure that only certain individuals can access certain systems, make changes, and sign records.
21 CFR Part 11 Sec. 11.10(h) goes a step further, stating medical device companies must make “[u]se of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.”
Regulations like these lead companies to rethink security in strict terms. One idea that often comes in handy is the minimum necessary principle, as it’s known in the cybersecurity world.
“Minimum necessary” refers to users being given access to only the information they need to do their work, and nothing else. The general rule of this principle lies in someone being given the minimum amount of information they need, as a way of ensuring that as much data as possible is kept secure.
This method is difficult to carry out using a legacy system, but 21 CFR Part 11 software equipped with user permissions lets you realize the minimum necessary principle.
21 CFR Part 11 is a complex regulation, but it only scratches the surface of all requirements you’ll need to follow for compliance. 21 CFR Part 11 software connects your team’s workflows together, making compliance easier and quality more attainable.
Best-in-class quality management solutions are able to easily adapt to an increasingly remote workforce, providing built-in regulatory guardrails that keep teams focused on value-adding activities.
Accountability is a theme that runs throughout 21 CFR Part 11. 21 CFR Part 11 Sec. 11.10(j), in particular, emphasizes that medical device companies adhere to “written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.”
21 CFR Part 11 compliance is high stakes. Not only is your company responsible for compliance, but each individual signatory is responsible, too. FDA inspections of your quality management system can result in Form 483s or warning letters if noncompliance is observed. The risks are too high for your team to remain disconnected and separated by the inefficient tools you use.
The right 21 CFR Part 11 software doesn’t merely offer compliance; it creates a collaborative team environment that makes compliance easier to achieve.
Greenlight Guru, for instance, offers a collaborative working environment that ensures each document can easily and instantly receive adequate reviews from all relevant stakeholders. You can combine this extra level of internal scrutiny with greater task efficiency, meaning you can do more in less time.
Since 21 CFR Part 11 makes signatories responsible for what they sign, you want 21 CFR Part 11 software that makes it easy for signatories to access, review, make any necessary changes, and ultimately approve the documents that need to be signed.
Looked at one way, 21 CFR Part 11 can feel like another set of rules that makes implementing software difficult, time-consuming and cumbersome. But looked at another way, 21 CFR Part 11 is the incentive you need to implement a software that will help you take your medical device company to the next level. With 21 CFR Part 11 software, you can make compliance easier to maintain and quality easier to achieve.
Greenlight Guru’s Part 11-compliant QMS software comes out of the box with the six benefits we listed here, and many more. Get your free demo of our software today.
Looking for an all-in-one QMS solution to advance the success of your in-market devices and integrates your quality processes with product development efforts? Click here to take a quick tour of Greenlight Guru's Medical Device QMS software →
Jon Speer is a medical device expert with over 20 years of industry experience. Jon knows the best medical device companies in the world use quality as an accelerator. That's why he created Greenlight Guru to help companies move beyond compliance to True Quality.