AN FDA 21 CFR PART 11 COMPLIANT GMAO
Thursday 01 july 2021
When it comes to regulatory compliance for companies building or maintaining medical devices, there can be some confusion around FDA 21 CFR Part 11. We have found that many companies think they are in compliance (often due to a misunderstanding of the requirements), but in reality, they are not.
Let's start with some clarification:
What is the FDA? The United States Food and Drug Administration (FDA or USFDA) is a federal agency within the Department of Health and Human Services. The FDA is responsible for protecting and promoting public health through the control and oversight of food safety, tobacco products, dietary supplements, prescription and over-the-counter drugs, vaccines, biopharmaceuticals, blood transfusions, medical devices, electromagnetic radiation emitting devices, cosmetics, food and feed, and veterinary products.
What is CFR 21? The Code of Federal Regulations (CFR) is a codification of general and permanent rules issued by the United States federal government. Title 21 of the CFR is reserved for Food and Drug Administration regulations (see above).
What is Part 11? Part 11 of the regulations applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted under any of the registration requirements set forth in the Agency's regulations, namely the Federal Food, Drug, and Cosmetic Act and the Public Health Service Act.
What is the significance of Part 11 in 21 CFR?
Part 11 was designed to meet the evolving needs of the medical device industry, with the goal of helping companies:
- Know how to use computer systems and software, especially when they are not working properly.
- Keep data safe and secure, and ensure that data is not corrupted or lost.
- Ensure that approval and review signatures cannot be challenged.
- Track changes to data
- Prevent and/or detect falsified records
With the widespread use of electronic records in the industry, the vast majority of companies will find that FDA CFR 21 Part 11 applies to them. As with many regulations, this is not always well perceived.
For example, a number of companies are somewhat apprehensive about 21 CFR Part 11 because of the elements required to prove that a system is robust enough to meet its standards.
There you have it! If you build or maintain medical devices, you are concerned by FDA 21 CFR and if you have the good idea to use software for this and in particular a CMMS, Computerized Maintenance Management System, it must be in compliance with PART 1.
how to ensure 21 CFR Part 11 compliance for your CMMS project
- DOES 21 CFR PART 11 APPLY TO MY COMPANY
Companies that are not willing to adopt 21 CFR Part 11 often say that their "records" are on paper, even if they upload documents to a shared file or accessible location on a server. They think that "paper files" free them from having to deal with Part 11, but that is not the case. They think that what they do afterwards (such as scanning and uploading) doesn't matter, as long as the main record remains intact. In reality, as soon as the document is uploaded to a server, the company must comply with 21 CFR Part 11. For the FDA and according to section 11.3 an "electronic record" is defined as "any combination of text, graphics, data, sound, images, or any other representation of information in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system." As you can see, this makes the definition covered by 21 CFR Part 11 quite broad, so most businesses will be affected.Therefore, even if businesses say they have a paper system, they probably have a ubiquitous electronic system, even if it is through file trees. You should always validate your documents to ensure that the scanned version matches the paper version.
2. FOLLOW 21 CFR PART 11 DATA SECURITY AND PASSWORD PROTECTION BEST PRACTICES
Data security is an important aspect of Part 11. All users with access must have the right roles and permissions.You must go into individual folders and check permissions. You'll need to bring in valuable IT resources to verify everything, which is not without compliance implications.When it comes to digital security, passwords are a critical component. How will you access the system? Security is the main concern under 21 CFR Part 11, as you need to make sure the right people have the right permissions and that no one can access it.Access to electronic records must be controlled by a unique login, with username and password. Users who are inactive for 10 to 20 minutes should be logged out automatically. We also recommend that your system lock users out after 3 to 5 unsuccessful attempts to enter the password.If the account has been inactive for a period of time, the user should be locked out. The recommended period for this is 30 days.All these best practices are implemented in the Yuman system.
3. ESTABLISH TRACEABILITY OF CHANGES
Change tracking must be in place so that you can see which user performed a given action, at what time, on your records. All events should be logged with the user name and time stamped. In addition to change management, traceability also applies to access times. In addition to change management, traceability also applies to access times. You must always know when users log in and when they log out. Of course, in the event of an audit, these records must be available.
4. FOLLOW THE 21 CFR PART 11 GUIDELINES ON ELECTRONIC SIGNATURES
You can comply with the 21 CFR Part 11 guidelines on reviewing and approving information in several different ways:
- Biometric, such as fingerprint or retinal scan.
- Digital Signatures
- Capture of handwriting in software
- Electronic signatures (we use them in Yuman)
We use electronic signatures, which assign unique usernames and passwords to signatories. Generic service usernames are not recommended. To maintain transparency, usernames should be linked to a single person, not a group.When something requires approval in Yuman, an "Approve" or "Reject" button can be clicked to communicate the intent, as well as the date and time. Once something is signed off in this way, the item is permanently locked and cannot be revised or edited.With paper, it is a bit of a loophole as it is possible to annotate the paper by hand or track changes in word processing programs. There is less control than with Yuman. On our platform, the document is locked into the approval process so that you remain in compliance with 21 CFR Part 11.
5. DON'T OUTSOURCE RESPONSIBILITY: YOU ARE IN CHARGE OF YOUR 21 CFR PART 11 COMPLIANCE
We have seen a trend of software platforms claiming that they can handle all of your 21 CFR Part 11 compliance. Ultimately, this is not true because Part 11 compliance is ALWAYS the responsibility of the company. A software company should not say they have taken care of everything, because your company is not absolved of this responsibility.
YUMAN does the testing and validation of the platform and can provide supporting documentation, but compliance is ultimately your responsibility.We can also provide the following:
- A Part 11 compliance checklist.
- A form letter to send to the FDA informing them of your intent to use electronic signatures.
- A certificate of compliance for the platform design
- A 21 CFR Part 11 compliant CMMS solution, including pre-validated templates and functionality that have passed hundreds of audits and inspections.
6. CONSIDER 21 CFR PART 11 COMPLIANCE WHEN CHOOSING A CMO SOLUTION
Compliance is an ongoing process, and you'll need to make sure you're properly handling electronic documents and signatures throughout your project's lifecycle.Your CMMS selection plays a key role in CFR Part 11 compliance. If your CMMS is not aligned with CFR Part 11 or does not come with pre-validated templates, you will need to factor this into your business plan. Multi-purpose solutions require a lot of configuration, staff training, validation testing, and possibly outside help to ensure compliance, all of which require a significant investment of time and capital. We recommend that you review the various CMMS solutions and consider your company's validation needs for CFR Part 11. Does your solution offer everything you need to bring your device to market?
FINAL THOUGHTS ON 21 CFR PART 11
Complying with 21 CFR Part 11 doesn't have to be an onerous task, especially if you remember that any idea of a "paper form" is completely wrong as soon as something is uploaded to a computer system. In other words, almost all companies and especially medical device companies must comply with CFR 21 Part 11, unless they really have everything on paper only, with no electronic copies of documents stored anywhere.So follow these tips to ensure the security and integrity of your records and you should be ready for an FDA inspection.
Back to the articles