Complying with 21 CFR 11

Quality_Goblin

Involved In Discussions
Hi Everyone,

We are a small manufacturing company (ISO13485 registered) that makes components, assemblies, and sub-assemblies for medical devices - we do not make finished products, design products, or make any products under our company name. We want to be compliant with 21 CFR 11 for electronic signatures but I am having a hard time figuring out if we need to comply with all 3 subparts of Section 11. We don't have password protected signatures or IDs for our employees, we don't use any biometrics, and we don't have any audit trails with timestamps for any of our records either. I've been searching through lots of resources but I haven't found anything that answers my question.

Also, what documents are required to be compliant? Anything specific or can we just apply this to all our documents?

Basically, we just use Adobe to sign documents, but not all employees have the E-Sign option activated and they just use the standard signature option where it creates a cursive version of your name for you to stamp on the document.

I should add that the only time we use electronic signatures is mainly for our internal training records, NDAs and other internal documents.

What do we need to do to be compliant?

yodon

Leader
Super Moderator
what documents are required to be compliant?
Only those that are required by regulation. This is your best starting point: figure out what's required.

the only time we use electronic signatures is mainly for our internal training records, NDAs and other internal documents.
And there you go. The last 2 are not required by regulation. Evidence of competency (can be shown through training records) is required; however, the regulations do not require these be signed. (Your procedures may require signatures, in which case the signatures would need to be Part 11 compliant.)

Pasting in "cursive versions" of a signature is by no means Part 11 compliant.

FDA is still practicing enforcement discretion, but you really should understand the requirements and be able to defend why what you're doing upholds data integrity expectations.
 

Quality_Goblin

Involved In Discussions
Thank you for your response. It helps, but I guess I am still thoroughly confused. I've read a few translations of the regulation and still don't feel like I understand it any better, and have yet to find anywhere that states what documents are required by regulation. Everything is so broadly described which is difficult for me because I really work best with concrete and definitive answers, lol.

And we are not registering with the FDA as we are not required to because of the nature of our company. We just want to be compliant with 21 CFR 11 since we do make medical parts. Is it possible to only be compliant with Subpart C?
 

yodon

Leader
Super Moderator
Other than the parts themselves, what do you deliver to your customer? Do you retain any responsibility for maintaining records required by regulation?

Is it possible to comply only with the requirements established in Subpart C? Yes. Does that (alone) make you Part 11 compliant? No.

As noted above, the FDA is still practicing enforcement discretion. As you only supply parts, at best, you're a tiny blip at the edge of the radar screen. You want to put your customers in a defensible position, though, so ensuring integrity of an e-signature of any record required by predicate rule (regulation) should be something you want to do. (The idea of ensuring integrity of e-signatures on everything else is a good idea but you're not going to get any FDA scrutiny for those.) If you can absolutely say for certain that the e-signature on any required record you deliver belongs to the person who applied the e-signature, then you're going to be ok.
 

Quality_Goblin

Involved In Discussions
The records we save for the parts we make are the DHR and DMR which include the job traveler, FAIR, in-process inspections, material certs, outside process certs, as well as customer drawings and any other documents the customers require us to save for them.
 

yodon

Leader
Super Moderator
If you're making components, by definition, you don't own the entire DHR or DMR. The records you mention are a bit of a mix in terms of signatures (required for in-process inspections, not required for the certs you cite). If you manage the records electronically, they SHOULD comply with Part 11. Most will be snapshots and so audit trail is probably not necessary. You could probably get away with arguing that you just capture a snapshot of the other records and so audit trail is unnecessary (maybe a bit of a stretch but since you're making components, probably defensible under enforcement discretion). The traveler is a concern as it's likely updated by multiple people along the way (assuming it's managed completely electronically). I would probably WANT to see an audit trail there and ensure e-signature authenticity.
 

Tidge

Trusted Information Resource
Thank you for your response. It helps, but I guess I am still thoroughly confused. I've read a few translations of the regulation and still don't feel like I understand it any better, and have yet to find anywhere that states what documents are required by regulation. Everything is so broadly described which is difficult for me because I really work best with concrete and definitive answers, lol.

The key feature of 21 CFR 11 when it comes to electronic signatures: It must be unambiguous which individual signed a document, on which specific date. If either of those two things can be subverted, the system is not compliant with the e-sig portion of Part 11. If I can put someone else's signature on a record, or back-date... these are evidence of non-compliance.

There are separate requirements for control of records... again those requirements exist in an effort to prevent fraud/falsification of records.
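To make the two tests in the post above (unambiguous signer, unambiguous date) and the earlier point about an audit trail on a traveler concrete, here is an added illustration in Python. It is not code from any poster or from any product named in this thread. It stands in for a real e-signature system: the per-user secrets, the sample inspection record and the timestamps are all constructed, and a per-user HMAC replaces the PKI or vendor signing service a production system would use. What it shows is that binding signer, date, meaning and record content into one signed manifest makes a swapped signer name or a back-dated timestamp detectable, and that a hash-chained audit trail exposes any entry edited after the fact.

```python
import hashlib
import hmac
import json

# Constructed per-user signing secrets for this example. A real system derives
# the signing secret from credentials only that user holds (password plus a
# second factor, or a key on a personal token); it is never shared or guessable.
USER_KEYS = {
    "inspector_a": b"constructed-secret-for-inspector-a",
    "inspector_b": b"constructed-secret-for-inspector-b",
}

SIGNED_FIELDS = ("record_digest", "signer", "signed_at", "meaning")


def _canonical(obj) -> bytes:
    """Deterministic JSON encoding so identical content always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def record_digest(record: dict) -> str:
    """SHA-256 over the canonical record content (the thing being signed)."""
    return hashlib.sha256(_canonical(record)).hexdigest()


def sign_record(record: dict, signer: str, signed_at: str, meaning: str) -> dict:
    """Produce a manifest that binds WHO signed, WHEN, WHY and WHAT.

    The HMAC covers all four fields, so changing any one of them (another
    signer's name, an earlier date, a different record) invalidates it.
    """
    manifest = {
        "record_digest": record_digest(record),
        "signer": signer,
        "signed_at": signed_at,  # ISO 8601 UTC from the system clock, not typed by the user
        "meaning": meaning,      # e.g. "inspected", "approved"
    }
    manifest["signature"] = hmac.new(
        USER_KEYS[signer], _canonical(manifest), hashlib.sha256
    ).hexdigest()
    return manifest


def verify_signature(record: dict, manifest: dict) -> bool:
    """True only if the manifest is intact and was made with the named signer's key."""
    try:
        signed = {k: manifest[k] for k in SIGNED_FIELDS}
        signature = manifest["signature"]
    except KeyError:
        return False
    if signed["signer"] not in USER_KEYS:
        return False
    if signed["record_digest"] != record_digest(record):
        return False  # record content changed after it was signed
    expected = hmac.new(
        USER_KEYS[signed["signer"]], _canonical(signed), hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(expected, signature)


def _entry_hash(entry: dict) -> str:
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(_canonical(body)).hexdigest()


class AuditTrail:
    """Append-only, hash-chained change log for a record edited by several people."""

    def __init__(self):
        self.entries = []

    def append(self, actor: str, action: str, timestamp: str) -> dict:
        # Fixed-format UTC ISO 8601 strings sort lexically, so this rejects back-dating.
        if self.entries and timestamp < self.entries[-1]["timestamp"]:
            raise ValueError("timestamp earlier than previous entry (back-dating)")
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {"seq": len(self.entries), "actor": actor, "action": action,
                 "timestamp": timestamp, "prev_hash": prev_hash}
        entry["entry_hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; an edited, removed or reordered entry breaks it."""
        prev_hash = "0" * 64
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev_hash"] != prev_hash:
                return False
            if _entry_hash(entry) != entry["entry_hash"]:
                return False
            prev_hash = entry["entry_hash"]
        return True


if __name__ == "__main__":
    # Constructed sample: an in-process inspection step on a job traveler.
    record = {"traveler": "JT-0001", "op": 30, "result": "pass", "qty": 25}
    manifest = sign_record(record, "inspector_a", "2024-03-01T14:05:00Z", "inspected")
    print("valid:", verify_signature(record, manifest))
    backdated = dict(manifest, signed_at="2024-02-01T14:05:00Z")
    print("back-dated accepted:", verify_signature(record, backdated))
```

The design point is the one the post makes: the signature is worthless unless the system, not the user, controls both the identity bound to it and the time it records. A pasted cursive image carries neither binding, which is why it fails both tests regardless of which tool produced it.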
 

Ed Panek

QA RA Small Med Dev Company
Leader
Super Moderator
The core of Part 11 is "where we once reviewed hard copy records, it's required to demonstrate equivalent softcopy records have the same security attributes."

Our memo looks like this (snippet):

| Guidance Ref. No. | Requirement | Answer | Compliant? | Document Reference |
|---|---|---|---|---|
| 11.10 | Controls for closed systems | XXX is designed to be a closed system and uses username and password credentials to authenticate each user. | Yes | SRBM-TT-100, Software Design Specification |
| 11.10a | Validation of Systems | Validation reporting within QMS | Yes | SOP-DSC-005 Design Verification; SOP-DSC-006 Design Validation |
| 11.10b | FDA Copies | All quality relevant data is available electronically as well as in a human readable format. | Yes | TM-TT300, UR22: Patch will transmit historical saved temperature measurements; TM-TT300, UR121: Data Retention |
| 11.10c | Protection and recoverability | XXXX data is stored on at least two distributed servers in parallel. This ensures high availability and duplication of the data (fail-over). Furthermore, we regularly back up the data for added protection. | Yes | WI-DSC-002, Cloud Platform/Medical Device Software maintenance and Problem Resolution 7.1.1 Verifying Database Backups; Google Cloud Platform is HITRUST and FEDRAMP (Federal Risk and Authorization Management Program) certified |