How to Comply with 21 CFR Part 11

by | Nov 30, 2020 | CFR, Compliance, FDA, Medical Devices, Quality, Regulatory

The FDA published 21 CFR Part 11 in 1997 to regulate electronic records and electronic signatures. Technology has advanced considerably since 1997, but the regulation still applies and is more critical than ever. With the COVID-19 pandemic and most firms transitioning to remote work, companies need to make sure that their systems are compliant with the regulation. Once a QMS record is scanned, uploaded to a server, or otherwise electronically stored, it automatically falls under the scope of 21 CFR Part 11, even if a paper record also exists.

The first step in working with an electronic system, and ensuring it is compliant, is to validate it. Installation, operational, and performance qualification (IQ, OQ, and PQ) are utilized to ensure that your system or software is installed correctly, can do what you intend it to do, and will perform in the environment you intend to utilize it. Your approach to validation should be based on a documented risk assessment, which should evaluate how your electronic system could affect product quality and record integrity.1 In the case of storing, transferring, or otherwise using an electronic system to manipulate QMS records, a full validation should be completed.

One of the largest components of Part 11 is data security. Securing your system, records, and product information from intentional (or unintentional) adulteration forms the basis of Part 11. As with most systems we are used to, your electronic QMS should authenticate users before giving access to the system, and it should also ensure that users can only access information that they have permission to access. The regulation itself is vague about how to comply with these requirements, but password best practices should be utilized. Additionally, the agency references ISO/IEC 17799 (Information Technology – Security Techniques) in its Part 11 Guidance. Before deploying any form of electronic record system in your QMS, you need to make sure that user permissions and authentication are set up.2 This will tie into establishing audit trails for traceability. You should be able to see which user manipulated what record, in what way, and when.

The ultimate responsibility for Part 11 compliance always lies with the medical device firm. Validation, setup, and maintenance of your electronic system should be unique to your firm and how you utilize it. Especially with the boom in work from home, and the transition to remote collaboration utilizing electronic systems, it is more critical than ever to ensure that your firm is compliant with Part 11. EMMA International has a team of in-house experts that can help your team comply with 21 CFR Part 11. Call us at 248-987-4497 or email info@emmainternational.com to get started today!


1 FDA (2003) Part 11, Electronic Records; Electronic Signatures – Scope and Application, retrieved on 11/29/2020 from: https://www.fda.gov/media/75414/download

2 ISO (2005) ISO/IEC 17799:2005 Information Technology – Security techniques – Code of practice for information security management, retrieved on 11/29/2020 from: https://www.iso.org/standard/39612.html

Madison Wheeler


Director of Technical Operations - Ms. Wheeler serves as EMMA International’s Director of Technical Operations. She has experience in technical writing, nonconforming product management, issue evaluations, and implementing corrective and preventative actions in the pharmaceuticals and medical device industries. She has experience cross-functionally between R&D, lean manufacturing operations, and RA compliance. Ms. Wheeler also has academic and work experience with human health-risk engineering controls, physiological biophysics, and clinical research. Ms. Wheeler holds a Bachelor of Science in Biosystems Engineering with a concentration in Biomedical Engineering from Michigan State University. She is also a Certified Quality Auditor (CQA), and is currently pursuing her M.S. in Quality Management.
