The FDA published 21 CFR Part 11 in 1997 to regulate electronic records and electronic signatures. Technology has advanced considerably since 1997, but the regulation still applies and is more critical than ever. Due to the COVID-19 pandemic and most firms transitioning to remote work, companies need to make sure that their system is compliant with the regulation. Once a QMS record is scanned, uploaded to a server, or otherwise electronically stored it automatically falls under the scope of 21 CFR Part 11 despite there also being a paper record.
The first step in working with an electronic system, and ensuring it is compliant, is to validate it. Installation, operational, and performance qualification (IQ, OQ, and PQ) are utilized to ensure that your system or software is installed correctly, can do what you intend it to do, and will perform in the environment you intend to utilize it. Your approach to validation should be based on a documented risk assessment, which should evaluate how your electronic system could affect product quality and record integrity.1 In the case of storing, transferring, or otherwise using an electronic system to manipulate QMS records, a full validation should be completed.
One of the largest components of Part 11 is data security. Securing your system, records, and product information from intentional (or unintentional) adulteration forms the basis of Part 11. As with most systems we are used to, your electronic QMS should authenticate users before giving access to the system, and it should also ensure that users can only access information that they have permission to. The regulation itself is vague as pertains to how to comply with the aforementioned, but password best practices should be utilized. Additionally, the agency references ISO/IEC 17799 (Information Technology – Security Techniques) in their Part 11 Guidance. Before deploying any form of electronic record system in your QMS, you need to make sure that user permissions and authentication is set up.2 This will tie into establishing audit trails for traceability. You should be able to see which user manipulated what record, in what way, and when.
The ultimate responsibility for Part 11 compliance always lies with the medical device firm. Validation, set up, and maintenance of your electronic system should be unique to your firm and how you utilize it. Especially with the boom in work from home, and the transition to remote collaboration utilizing electronic systems, it is more critical than ever to ensure that your firm is compliant with Part 11. EMMA International has a team of in-house experts that can help your team comply with 21 CFR Part 11, call us at 248-987-4497 or email info@emmainternational.com to get started today!
1FDA (2003) Part 11, Electronic Records; Electronic Signatures – Scope and Application retrieved on 11/29/2020 from: https://www.fda.gov/media/75414/download
2ISO (2005) ISO/EC 17799:2005 Information Technology – Security techniques – Code of practice for information security management retrieved on 11/29/2020 from: https://www.iso.org/standard/39612.html