Any life sciences company who sells, or proposes to sell, medical devices in the U.S. knows that they are required by the Food and Drug Administration (FDA) to implement and maintain a quality system. The FDA-regulated quality system should cover anything that could affect the quality of the end product – from design control, raw material inspections, and in-process quality control checks, to equipment maintenance programs and customer complaint handling.
Having and following a solid quality system ensures that medical devices are of consistently high quality, and are safe and effective for their intended uses. The quality system regulatory requirements are enshrined in the Code of Federal Regulations, Title 21, part 820 (21 CFR part 820).
However, as more medical device manufacturers have moved from paper-based to electronic quality systems, they have become subject to a whole new set of regulations: the FDA CFR 21 part 11.
What Is 21 CFR Part 11?
The requirements of 21 CFR part 11 covers electronic records. 21 CFR part 11 compliance applies to both in-house developed computer systems, as well as commercial off-the-shelf software. The basic idea of the 21 CFR part 11 requirements and the 21 CFR part 11 software requirements is that electronic records must be protected from being altered without some indication of who altered them.
This means that any 21 CFR part 11 compliant software must have security measures in place (by means of individual user names and security credentials) in an accessible, computer-generated time-stamped audit trail showing who did what and when, as well as a way of recording electronic signatures.
The 21 CFR part 11 requirements apply to software (both “open systems” and “closed systems”) used to implement any part of a quality system. The 21 CFR part 11 checklist includes, but is not limited to:
- Document control – lifecycle management and review/approval workflow for standard operating procedures (SOPs), forms used in manufacturing, device history records, product labels, and other documents
- Non conformance, including corrective and preventive action (CAPA) management
- Customer complaint management
- Manufacturing equipment calibration and maintenance records
- Device manufacturing records
In the 21 CFR part 11 summary, any quality system records electronically stored and managed come under the FDA 21 CFR part 11 compliance umbrella.
A 21 FDA CFR Part 11 Compliance Checklist
Although an FDA 21 CFR part 11 summary is available to discuss the regulation’s interpretation by the FDA, 21 CFR part 11 can still be tricky to navigate. To help you evaluate a system’s CFR 21 part 11 compliance, we provide the following 21 CFR part 11 compliance checklist; please note that none of this constitutes legal advice of any kind.
To the FDA, 21 CFR part 11 software compliance means, in part, that the software must be validated, meaning that its design, development, and testing were controlled and documented against its user and functional requirements. Points to evaluate for FDA 21 CFR part 11 validation include:
- Are all documents related to the 21 CFR part 11 software requirements, design, testing, and implementation available? Do they show that the pertinent software development and validation process were followed?
- Does the system enforce 21 CFR part 11 security requirements? Does each authorized user (and only authorized users) have a unique username and password? Is system data encrypted?
- Is there an SOP that governs how the system is used, who can use it, and for what purposes? Are there records showing that all users have been trained on this SOP?
- Does the system maintain records at least as long as the defined record retention period for each record type?
Audit trails and 21 CFR part 11 electronic signatures
An important aspect of 21 CFR part 11 compliant software involves the way that 21 CFR part 11 electronic records are created, reviewed, approved, modified, and controlled.
- Does the system feature time stamped audit trails for every document and record? Does the audit trail show who modified the record, the date and time the record was modified, and what specific items in the record were modified? Is the audit trail easily retrieved and displayed or printed?
- Does the system enforce 21 CFR part 11 digital signatures? Just like paper records that are signed in ink, 21 CFR part 11 electronic records must have a way to be digitally signed. 21 CFR part 11 compliant electronic signatures mark the records in a way that positively ties an action, such as creation, review, or approval, to a specific person.
When FDA regulated inspectors come calling, they want to see records. Every 21 CFR part 11 implementation should have a way to generate reports and documents that doesn’t require a database expert to develop a custom query.
- Can the system produce an audit trail report for each record (computer generated, time stamped)? 21 CFR part 11 requires that a specific user be tied to every change that happens to an electronic record.
- Can the system generate printouts of electronic documents, such as batch records and equipment maintenance records?
CFR 21 Part 11 Compliance and ERP Systems
Although numerous software systems meeting 21 CFR part 11 certification requirements are available, many of them have narrowly defined intended uses, such as product labeling, document control, or electronic batch records management.
Some general-purpose ERP systems, such as IFS, that can perform many functions related to medical device manufacturing, can also be certified for FDA CFR 21 part 11 compliance. Doing so can automate much of the quality system record keeping that must otherwise be duplicated outside the ERP system in a separate, 21 CFR part 11-compliant system.
We hope the 21 CFR part 11 checklist presented here will help you evaluate current or proposed quality system software. If your business is interested in CFR 21 part 11 compliance for ERP systems, contact our experts at Corning Data today to learn more about how we can help.