What does the FDA requirement 21 CFR Part 11 stand for? Medical device developers who are considering entering the US market need to understand it.
There are many requirements and regulations in this huge and complex marketplace. In this article we provide a guide to help understand what Part 11 of Title 21 of the Code of Federal Regulations really means.
What is it about?
Part 11 of this regulation describes how a company operating in this sector in the US can use electronic quality records and digital signatures in place of regular paper-based documentation and ‘wet signatures’ in a way that complies with the strict FDA regulations.
Since its first publication by the United States Food and Drug Administration (FDA) in 1996, various iterations of Part 11 have been released over the subsequent years to keep up with changes in technology. Its 2007 iteration revolutionized the role of electronic records and electronic signatures (ERES) within these sectors.
Fundamentally, it now exists as a regulatory response to security concerns about managing the distribution, storage and retrieval of digital records made by biotechnology, drug and medical equipment manufacturers in the modern digital age.
It was also intended to reduce the cost of maintaining paper-based filing systems for the companies, and eventually shift them over to using virtualized digital systems.
21 CFR Part 11 application
The regulation applies to any developers who are releasing a relevant medical product in the US, and to any of their systems that store or upload documents onto a computer system.
In fact, Part 11 regulations are there to help developers and businesses by creating compliant and paperless eQMS (electronic quality management system) solutions.
Because the sector is highly regulated, the compliance level of the eQMS in use has to be very high.
The regulator requires evidence of adherence to specific file formats, as well as the use of record retention, security and data integrity best practices. In addition, it needs confirmation of companies’ SOPs (Standard Operating Procedures) and assurances surrounding system validation.
Below we list 7 key requirements for a compliant eQMS, as laid out by the FDA, that need to be considered when you are implementing such a solution.
7 critical requirements of 21 CFR Part 11
As noted by FDA, Part 11 requires:
“Validation of systems to ensure accuracy, reliability, [and] consistent intended performance” (FDA CFR Part 11)
This basically means that the system in use has to formally define how all of its elements are supposed to work, and that test routines, scripts and other automated methods should be defined to validate that it is functioning as it should.
The process of validating an eQMS should give assurance on the security of the stored data and the audit logs, as well as increasing the integrity of the record keeping.
2. Record generation
The eQMS in use must have indexing and search functionality, so that the necessary records can be found quickly and easily by any authorized individual or during an inspection.
A compliant eQMS system will have this search function, with the search results showing all preceding document changes and iterations, indicating the ‘final version’ document, and displaying the digital signatures of any approval the documents were subject to.
3. Audit Trails
The requirement states:
“Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records.” (FDA CFR Part 11)
All processes in the system should be well documented, traceable to a specific originator and have an associated audit history. Also, this history should be automatically generated and non-modifiable.
- Version control should be of key importance to any good business process, but being able to properly audit the changes to a document and the way it has been approved at each stage is often essential for regulators.
- Using tamper-proof digital signatures within a DMS (Document Management System) will enable complete data integrity as well as transparency and traceability.
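One way to make an audit trail's entries detectably non-modifiable is to chain them with SHA-256 hashes, so that each entry commits to the one before it. The sketch below is an added example, not code from the FDA or from any eQMS product; the names AuditTrail, record, export and verify, the entry fields and the sample operators are assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # constructed anchor value used as prev_hash of the first entry

def _digest(entry):
    # Hash every field except the stored hash itself, in a canonical JSON form.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditTrail:
    """Append-only trail: each entry commits to the hash of the previous one."""
    def __init__(self, clock=None):
        self._entries = []
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())

    def record(self, operator, action, record_id, detail=""):
        if action not in ("create", "modify", "delete"):
            raise ValueError("unsupported action: " + action)
        entry = {
            "seq": len(self._entries),
            "timestamp": self._clock(),  # set by the system, never by the operator
            "operator": operator,
            "action": action,
            "record_id": record_id,
            "detail": detail,
            "prev_hash": self._entries[-1]["entry_hash"] if self._entries else GENESIS,
        }
        entry["entry_hash"] = _digest(entry)
        self._entries.append(entry)
        return entry["entry_hash"]  # current head of the chain

    def export(self):
        # Copies only: callers cannot alter the stored entries through the export.
        return [dict(e) for e in self._entries]

def verify(entries, expected_head=None):
    """Return the index of the first inconsistent entry, or None if intact."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.get("seq") != i or e.get("prev_hash") != prev or e.get("entry_hash") != _digest(e):
            return i
        prev = e["entry_hash"]
    if expected_head is not None and prev != expected_head:
        return len(entries)  # trailing entries were removed or replaced
    return None
```

A hash chain only makes tampering evident: the head hash returned by record must be kept or signed outside the system, otherwise someone with write access could rebuild the whole chain or silently drop the latest entries.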
4. Operational Controls
A good, compliant eQMS will allow for its quality procedures to be monitored and controlled by ‘phase gating’. This will ensure that all documents are reviewed only by specified individuals, and that they meet certain stringent requirements before they are signed off and a contingent phase can begin.
A good eQMS solution will offer a readily accessible Business Process Map (in digital form) for FDA inspectors to examine and easily understand all procedures themselves.
5. Security Controls
An important part is that entry to the system should be controlled by a unique login and password for every user.
The eQMS needs to be able to specify the number of people who can alter certain documents, to track each version of the file, and to identify those users who have altered it in the past. These records should be read-only but easily exportable.
All users must have the necessary training to perform their assigned tasks and projects in the system. An eQMS can itself offer assistance with this requirement, either by having users accept conditions upon signing into the system (such as providing on-screen tutorials), or procedurally, by documenting this responsibility as part of the user training.
For medical device developers who are seeking to enter this competitive and complex US market, it is necessary to find or develop an eQMS that is specifically designed to deal with the regulatory challenges.
A good compliant eQMS could also bring helpful new tools and efficiency to the development process.
7. Digital Signatures
Part 11 specifically defines this requirement (which makes it different from other kinds of e-signature), where a recognized Certification Authority will act as a notary to verify the identity of a signer:
“A digital signature is an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.” (FDA CFR Part 11)
In simple terms, a digital signature is like a person’s fingerprint; it is unique to an individual. When a digital signature is added to a document, a trusted third party known as a Certificate Authority (CA) will serve as notary and verify the identity of the signer.
The FDA allows digital signatures in place of ‘wet signatures’ on paper documents, so that business activities can be better streamlined and virtualized. In order to be compliant, all these must be included:
- the printed name of the signer
- the date/time the signature was applied
- the ‘meaning’ or intention of the electronic signature
A good eQMS will give an administrator or authorized user complete visibility and control over the use of these signatures across the entire system, creating a clear and verifiable audit trail to prove compliance.
It must be possible to create and revoke such certificates, and secure data storage has to be used where the signatures can be stored and used, to guard against fraud.
Digital signatures work through the Public Key Infrastructure (PKI) technology – this represents the highest level of security and universal acceptance for digital documentation.
For example, a page of verifiable signatures could be added to the end of a PDF file. This will act as a proof that all of the appropriate, authorized people have seen and approved the file using their signatures.
Used this way, digital signatures can guarantee every signer’s identity and intent. They will also add the date and time when the signature was applied, further guarding against fraudulent use and human error in the completion of documentation.
Once a document has been digitally signed, it cannot be tampered with; if the content of a file is changed or modified in any way, the signature will be invalidated.
Using signatures in a DMS
When integrated into a DMS (document management system), the use of digital signatures can help to minimize document anarchy within an organization, improve efficiency and productivity, and prove that the necessary compliance procedures have been followed correctly, reducing the risk of censure or fines from the inspecting authorities who oversee them.
Such measures will allow businesses to coordinate launch efforts from multiple locations around the world, helping them to bring new products to the US and other markets more quickly and efficiently.
For managing documents in a DMS which require multiple signatories, it’s recommended to:
- Provide a way for a document owner to request multiple signatures from key stakeholders and superiors to acknowledge that they have had sight of and approved the relevant documentation.
- Send out email notifications when a user’s signature is required, and notify the document owners when the approval is complete.
- Manage all approvals that are required for compliance from a central location in the system, and handle them quickly. This method is much quicker and less tedious than gathering ‘ink signatures’ from multiple authorized persons.
DMS recommended enhanced management features:
- Support the creation, revocation and management of multiple signing certificates, including the ability to block users and their certificates if security has been compromised.
- The signing certificates should require periodic renewal (signature expiration), to ensure the authorization is still valid. Document signing must only occur from trusted locations and after proper authorization (user login).
- Full reporting needs to be supported, including the ability to search for any signed or unsigned documentation in the approval flow, and generate a report at any time.
- As an option, it should be possible to append formatted signature pages to the signed documents, including a full version history and any notes added by any signatories.
There are many requirements and regulations in the huge and complex US medical marketplace. In this article we have provided a guide to help understand what Part 11 of Title 21 of the Code of Federal Regulations really means, and provided recommendations for implementing a good, compliant DMS.
DMS software that properly integrates the use of digital signatures is optimal for meeting the FDA requirements. However, this functionality can actually help any organization to improve efficiency and productivity in its systems.