When it comes to regulatory requirements for medical device companies, there can be some confusion around FDA 21 CFR Part 11 compliance.
A huge pitfall that we’ve found is that many companies think they’re in compliance (often due to misunderstanding the requirements), but, in reality, they are not.21 CFR Part 11 is the FDA’s regulation for electronic documentation and electronic signatures. It outlines the administration of electronic records in a medical device company’s quality management system and gives guidance for industry best practices.
Part 11 was designed to cater to the evolving needs of the medical device industry, with the purpose of helping companies:
Know how to use computer systems and software, particularly when it isn’t working properly.
Maintain data safely and securely, and ensure data is not corrupted or lost.
Ensure that approval and review signatures cannot be disputed.
Trace changes to data
Prevent and/or detect falsified records
If you’ve been led to believe that it’s just about your validation, audit trail, records, and retention, and that you’re “safe” because of your paper-based “master” file, you must understand being Part 11 compliant is much more complex than that.
Here’s what medical device companies need to know to familiarize themselves with the regulation and comply with FDA’s 21 CFR Part 11:
FREE DOWNLOAD: Download our free checklist of 7 steps you can take to achieve compliance with Part 11.
Companies unwilling to embrace 21 CFR Part 11 often say their “master records” are paper-based, although they do upload documents to a shared file or some accessible place on a server. They think that “paper-based” records mean no need to deal with Part 11, but this is not the case.
For starters, “master records” is a misuse of the term. People will say that the piece of paper is their “master record” and think that what they do afterward (such as scanning and uploading) doesn’t matter, as long as the master piece of paper remains intact. The truth is, the moment the document is uploaded to a server, the company is subject to compliance with 21 CFR Part 11.
In Section 11.3 of Part 11, the FDA defines “electronic record” to mean,
any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.
As you can see, this makes the definition covered by 21 CFR Part 11 quite broad, and most companies will be affected.
Therefore, even though companies may say they have a paper-based system, they probably do have a pervasive electronic system, even if it’s via folder trees. You still need to validate your records to ensure that the scanned version is equivalent to paper records.
Data security is a big aspect of Part 11. All users with access need the right roles and permissions. This is true whether you use a quality system solution like Greenlight Guru or you have a simple folder tree structure. If you do opt for folder trees, note that they tend to be cumbersome.
You need to go into individual folders and check permissions. You’ll need to pull valuable resources from IT to check it all, making it a big deal for Part 11 compliance.
When it comes to digital security, passwords are a major component. How will you access the system? Security is the biggest area of concern with 21 CFR Part 11 because you must know that the right people have the right permissions and that not just anyone can jump in.
Password best practices should apply, but the regulation itself is vague.
We consulted experts on 21 CFR Part 11 about the design of our Greenlight Guru platform and approach with respect to security. We wanted to ensure that we would meet Part 11 compliance and could give advice to users for doing so.
With regard to passwords, we have a few “best practice” tips, which we’ve included in a printable resource, 9 Tips for Password Compliance with 21 CFR Part 11.
Clear audit trails are required so you can trace back to which user performed any given action, and at what time, to your records. When were records created, modified, deleted, or made obsolete?
All events should be recorded with the exact username, date, and time. Greenlight Guru’s validated and fully traceable platform logs this user information with each action made in the software and gives the right users the ability to reference and streamline activities audit trails.
In addition to keeping track of change management activities, audit trails apply to moments of access. You should always know when users are logging in and when they are locked out. You might call it a “complete history of your record-keeping system.”
A key part of your audit trail is that FDA can view these records upon inspection. The easier it is to find and understand this information, the smoother your inspection is likely to be.
You may comply with 21 CFR Part 11 guidelines on reviewing and approving information a number of different ways:
Biometric, e.g., fingerprint or retinal scan
Digital signatures
Scanning
Handwriting capture in software
Electronic signatures (we use these in Greenlight Guru)
We use electronic signatures, which assign unique usernames and passwords to signees. Generic department usernames are not allowed. To maintain transparency, usernames should be tied to a single person, not to a group.
When it comes to your review and approval process, Greenlight Guru ensures all changes are not only Part 11 compliant, but also exactly what you meant to do. Changes made will require the user to lock in changes by clicking “Approve” or “Reject,” before exiting the document, and will include the accurate timestamps for documentation purposes. While these are locked and immutable, we still allow you to check out the item and revise it under a new file version.
With paper, this is a bit of a loophole because there is an opportunity to mark up paper by hand or track changes in word-processing programs. While this seemingly helps teams work faster, there is more risk and loss of control in tracking important changes.
Greenlight Guru helps teams balance both. In our platform, the document is locked in the approval process so that you stay in compliance with 21 CFR Part 11. No editing is allowed; otherwise, you’re back to formal approval processes.
Another thing that you must be aware of if you intend to use electronic signatures is the expectation that you notify the FDA that you’re doing so: you need to send them a letter to inform them that you’re using electronic signatures.
We have seen a trend of software platforms claiming that they can take care of all of your 21 CFR Part 11 compliance. Ultimately, this is not true because Part 11 compliance is ALWAYS the responsibility of the medical device company. A software company shouldn’t be saying they have taken care of it all, because your company is not absolved of the responsibility.
Greenlight Guru performs ongoing testing and validation of its platform and can provide supporting documentation, but compliance is ultimately your responsibility.
We can also provide the following:
A Part 11 compliance checklist
A template letter to send to the FDA to inform them of your intent to use electronic signatures
A certificate of conformance for the platform design
A QMS solution compliant with 21 CFR Part 11, including pre-validated templates and features that have passed hundreds of audits and inspections
Want a more in-depth overview of the Part 11 regulation and what’s expected of you? Check out our 21 CFR Part 11: A Complete Guide.
IQ, OQ, and PQ are acronyms that stand for installation qualification, operational qualification, and performance qualification. Because the regulation was written 20 years ago, the acronyms originally referred to equipment.
This is how you can think about IQ, OQ, and PQ in software terms:
Installation Qualification: Is the software installed correctly?
Operational Qualification: Is the software capable of meeting the regulatory requirements?
Performance Qualification: Is the software consistently able to produce acceptable results under normal operating conditions?
As a cloud-based solution, Greenlight Guru provides executable IQ templates which walk you through the qualification process for your operating systems, browsers, network connection, and display resolution. We also give you pre-executed OQPQ protocols to save in your production file, and can provide any necessary onboarding and training on these topics for you and your team.
FREE DOWNLOAD: Download our free checklist of 7 steps you can take to achieve compliance with Part 11.
Compliance is an ongoing process, and you’ll need to ensure that you’re handling electronic documents and signatures correctly throughout your project lifecycle.
Your choice of QMS will play a key role in Part 11 compliance. If your QMS isn’t aligned with CFR Part 11 or doesn’t come with pre-validated templates, you’ll need to factor that into your business plan. General-purpose solutions will require a lot of configuration, staff training, validation testing, and perhaps outside help to ensure compliance.
For years, Greenlight Guru has brought deep expertise to help medical device companies achieve MedTech Excellence. Our software is the only QMS designed by medical device professionals specifically for medical device professionals.
It is the only purpose-built platform based on the latest FDA and ISO standards with built-in industry best practices to guide medical device companies throughout the entire product lifecycle. With our secure, cloud-based Document Management Software workflow you can review and approve with ease by getting Part 11 compliant signatures for each of your documents so you’re always audit-ready.
Now, with Greenlight Guru’s QMS software platform, you can be sure you have a partner to help you achieve and maintain 21 CFR Part 11 compliance.
Ready to learn more? Contact us today for your free, personalized demo →
Etienne Nichols is the Head of Industry Insights & Education at Greenlight Guru. As a Mechanical Engineer and Medical Device Guru, he specializes in simplifying complex ideas, teaching system integration, and connecting industry leaders. While hosting the Global Medical Device Podcast, Etienne has led over 200...