13485 do e-signatures have to be 21 CFR Part 11 compliant?

[KarenA01]

We don't make medical devices or software but we are looking to do contract fermentations for enzymes/biologics (and maybe eventually our own products) for companies that make diagnostic kits and/or vaccines - components fro such things... Ours would be technical grade which our customers would then polish and either use themselves or sell to others to incorporate into such products. We know other companies who do such things are 12485 even though they don't make medical devices.

As such, even though it would not be required, management believes it would help us in that market to be ISO-13485, and we are starting on that path (we just recently got ISO-9001 certified and are looking to have/keep both). The goal is to get IS013485 certified by next April

We are running what is basically paper quality system adopted from my last job (which I left over 13 years ago). Their system was all paper, but here, after wet sign-off (everything including SOPs, batch records, CAPAs etc) the documents and filled-out forms get scanned and stored in Google drive. Those scanned versions are the official controlled copies, and the paper destroyed.

BTW I am not a Quality or GMP expert by any means ... my training and career has been as a chemist.

When I was in Pharma I was in in R&D so my exposure to GMP was indirect.... But with a Pharma background, and being more detail oriented than most, I got put in charge of Quality here when we pivoted from R&D to doing contract manufacturing.

My current question revolves around 21 CFR Part 11 signatures.

We need to go to electronic signature for efficiency, so my question is for 13485 do e-signatures have to be 21 CFR Part 11 compliant?
If so, what sorts of things does that apply to? I would assume things like issuance of SOPs, Master batch records, Batch record approval, CAPAs , Engineering Change control sign-offs...

But what about things like Purchase Recs and Work orders? I would not think so but I really don't know.

21 CFR Part 11 talks about predicate records, but I don't know what they are or how they are defined or how they relate to ISO 13485

I know there is a a lot of learning we need to do!

Thanks for any feedback,

-Karen

 

[SusanM0812]

First off, assuming you're going to do business in the US, then yes, FDA requirements (meaning part 11) apply. If not, then no. But in Europe you have Annex 11, the part 11 equivalent to comply with. So while 13485 doesn't explicitly have requirements around part 11 topics, you can't do business in the US without complying also to FDA regulations (or in Europe, to the relevant EU regs). Now, sounds like you're not making any finished products, just components/raw materials. You aren't likely to deal directly with the FDA yourself, the customers you sell to will. So, you'll be expected to comply to the same regs they do (which is probably where the 13485 is coming from). I personally think you are sufficient with 9001, but that's a decision for your management and how you market your products and services
Part 11 applies to any records you are keeping under the "predicate rule" - that means if you were keeping them to comply with 21CFR820 (the QSR), or even 210/211, on paper, then the rules about electronic signatures will also apply to those electronic files. Purchasing and work orders are records you would be keeping for compliance reasons, so then yes, part 11 applies there too. I have not had experience with the hybrid approach you describe for your quality system, where I have worked with places that scan paper and then destroy it, we only destroyed the paper after a required retention period, as those paper files are your "original records".

 

[Tidge]

21 CFR Part 11 talks about predicate records, but I don't know what they are or how they are defined or how they relate to ISO 13485

For Medical Devices, the predicate records are those described in 21 CFR 820. I don't know what part applies to your product. (maybe 600?)

 

[Ronen E]

We don't make medical devices or software but we are looking to do [...] for companies that make diagnostic kits and/or vaccines

"Diagnostic kits" are most likely medical devices (e.g. IVD).
Vaccines are regulated by the Center for Biologics Evaluation and Research (CBER), i.e. they are biologics, in my understanding (caveat: not my specialty).

We need to go to electronic signature for efficiency, so my question is for 13485 do e-signatures have to be 21 CFR Part 11 compliant?

Part 11 is a regulation in a specific jurisdiction. What ISO 13485 calls for, in relation to jurisdictional regulations, is that the org identify and document its role within the regulatory system at hand, and the requirements in that system that apply to activities taken under that role; and address these requirements in its QMS.

The regulatory framework(s) that seem relevant in this case is/are 21 CFR Parts 8xx and 6xx(?). According to the description provided, it seems that your role is that of a supplier (e.g. of materials), or a supplier to a supplier; not that of a Manufacturer. Normally the "predicate rules" (see more below) would not directly apply to suppliers, let alone suppliers to suppliers, of e.g. materials; and hence Part 11 has no practical, direct applicability to suppliers. As far as IVD devices (which are medical devices) go, I'm certain of that; I'm not sure about vaccines (biologics?), but I tend to think that that regulatory framework has a similar rationale and a similar structure.

So (at least in the case of IVD) ISO 13485:2016 does not implicate incorporating any of Part 11 requirements into your QMS (let alone following them). This is the ISO 13485 angle, which is what you asked about. This, of course, doesn't provide a blanket exemption from any regulation; it just means that ISO 13485 doesn't require it.

BTW, from ISO 13485's own perspective (i.e. not necessarily from all perspectives it's used in, for whatever business, or other, reasons), it applies only to/in medical devices supply chains. Strictly speaking, it would not / should not apply to any aspects solely related to vaccines (or biologics). In the latter context, the question of whether e-signatures are Part 11 compliant or not is totally unrelated to ISO 13485 (at least as far as the true intent of this standard is concerned).

21 CFR Part 11 talks about predicate records, but I don't know what they are or how they are defined or how they relate to ISO 13485

I assume you meant Predicate Rules, not predicate records.

A predicate rule is any FDA regulation that requires a company to maintain certain records and submit specific information to the agency as part of compliance.

[FDA 21 CFR Part 11 and Predicate Rules | What You Need to Know] 2022-AUG-06

In the case of IVD (medical devices) that would apply in connection with all and any records, as well as all and any specific information required to be submitted to the FDA, under all relevant 8xx parts (not just 820; e.g. 807 where it's applicable).

If so, what sorts of things does that apply to? I would assume things like issuance of SOPs, Master batch records, Batch record approval, CAPAs , Engineering Change control sign-offs...

But what about things like Purchase Recs and Work orders? I would not think so but I really don't know.

Short answer: Yes, purchase recs and work orders most likely too, and many other things.

Shorter answer: Anything and everything required under the applicable 8xx parts.

 

[KarenA01]

First off, assuming you're going to do business in the US, then yes, FDA requirements (meaning part 11) apply.

Hi Susan,

Thanks for the reply!

Yes we are in the US... but we will not have to deal with the FDA as we ar only providing components or raw materials that with more processing could be used in the manufacture of things like vaccines and diagnostic kits. I guess what we produce could be described as being "technical grade"
We would be selling to someone who processes what we provide further and either uses it to make those things, or after further polishing sells what we produced to someone who does make such things.

So as you and others have pointed out we don't HAVE to be ISO 13485 at all to do that, but management believes it will be easier to sell into that market if we are certified Iso 13485.

So what our goal is to meet teh expectations of Auditor from the registration body (we are going to use TV SUD) and potential customer of our quality system.

At this stage the are not sure to what extent we need to go for things like electronic signatures.
21 CFR part 11 Signatures cost more that other types of electronic signatures from places like DocuSign etc...

Now, sounds like you're not making any finished products, just components/raw materials. You aren't likely to deal directly with the FDA yourself, the customers you sell to will. So, you'll be expected to comply to the same regs they do (which is probably where the 13485 is coming from).

Yes, we will never be producing finished products.... but it sounds like we may have to be part 11 compliant with all our signatures.

I personally think you are sufficient with 9001, but that's a decision for your management and how you market your products and services

That is what I have come to think, but I am not the boss.

Part 11 applies to any records you are keeping under the "predicate rule" - that means if you were keeping them to comply with 21CFR820 (the QSR), or even 210/211, on paper, then the rules about electronic signatures will also apply to those electronic files. Purchasing and work orders are records you would be keeping for compliance reasons, so then yes, part 11 applies there too.

As i said, the only requirements with respect type of signatures are what an ISO-13485 auditor and customers find acceptable, but it sounds like it may be the same thing!

Thanks,
-Karen

 

[KarenA01]

"Diagnostic kits" are most likely medical devices (e.g. IVD).

Why I am unsure about that, is in my least job we were developing an ultrasound contrast agent to look at myocardial perfusion. The Idea was to be able to replace the nuclear stress tress test wit ultrasound so it could be dome in a doctors office. While it was In0Vivo and non in-vitro ,it was still for diagnostic testing.

The FDA debated for a while if the product should be considered a device or a drug, but eventually came down on the drug side (they decided that the inert perflurocarbon gas we encapsulated that reflected the ultrasound was the "Active" Pharmaceutical ingredient.)

Vaccines are regulated by the Center for Biologics Evaluation and Research (CBER), i.e. they are biologics, in my understanding (caveat: not my specialty).

The idea is that 13485 would serve a security blanket for potential customers in lieu of being cGMP regulated.

Part 11 is a regulation in a specific jurisdiction. What ISO 13485 calls for, in relation to jurisdictional regulations, is that the org identify and document its role within the regulatory system at hand, and the requirements in that system that apply to activities taken under that role; and address these requirements in its QMS.

We have no required role. As i mentioned above it is all about the expectations of a 13485 auditor and potential customers, which makes it hard to know exactly what we need to do with respect to such things.

So (at least in the case of IVD) ISO 13485:2016 does not implicate incorporating any of Part 11 requirements into your QMS (let alone following them). This is the ISO 13485 angle, which is what you asked about. This, of course, doesn't provide a blanket exemption from any regulation; it just means that ISO 13485 doesn't require it.

So you are saying we should be able to get 13485 certified without part 11 compliance?

In the case of IVD (medical devices) that would apply in connection with all and any records, as well as all and any specific information required to be submitted to the FDA, under all relevant 8xx parts (not just 820; e.g. 807 where it's applicable).

Short answer: Yes, purchase recs and work orders most likely too, and many other things.

Shorter answer: Anything and everything required under the applicable 8xx parts.

That is if we would not just selling components... It would seem that we should either go all in on Part 11, or not at all, as anything in-between would be hard to justify if either way would be OK with a certification body for companies like us.

Thanks,
- Karen

 

[Ronen E]

@KarenA01: Yes, of course, diagnostics can be in-vivo (not IVD). I guess what through me off was the word "kits", which is common in the IVD area. Additionally, the case you described is not run-of-the-mill - borderline drug/device. Either way, and more generally, in such cases the regulatory framework for a diagnostic device (regardless of variety - IVD or not) would be 21 CFR Part(s) 8xx; or other 21 CFR parts that apply to drugs. In the former case my answers remain essentially the same. In the latter, it would be along the lines of what I wrote about biologics (I only have limited exposure to drugs regulation - not my specialty either).

it is all about the expectations of a 13485 auditor and potential customers, which makes it hard to know exactly what we need to do with respect to such things.

I'd like to point out that the expectations of a 13485 auditor and potential customers are quite different by nature. A certification body auditor is obliged to follow the standard as written. They have some leeway in interpreting the standard, but it's not big, and they have an obligation to back every NC with clear references to specific clauses from the standard, and a clear rationale that they should be able to elaborate if challenged by the auditee (many don't follow this obligation, but it's your right to insist on it and you can appeal if you don't get reasonable answers). Customers, on the other hand, can require whatever they want, interpret a standard (including 13485) any way they see fit, and can even be vague, inconsistent, even irrational, about their expectations. Sometimes they would pursue some expectation without even clearly acknowledging to themselves that they expect it... It's all about market forces, and it's up to your org to decide how high you are willing to jump for any particular business opportunity. This is especially true in cases like this, where compliance has little to do with applicable regulatory requirements (because there would be none), and standard certification is purely a business decision.

So you are saying we should be able to get 13485 certified without part 11 compliance?

It sounds like it. If, however, your products are not in the regulatory domain of medical devices (but rather biologics- or drugs-related) I am less confident about your regulatory situation.

That is if we would not just selling components...

Yes, my comments near the end of my last post were in relation to the Predicate Rules for medical devices - more generally (not necessarily applicable in your specific case). If you are not deemed a Manufacturer of medical devices (which may include some finished diagnostic injectable/ingestible/etc. agents) Parts 8xx don't apply. For other types of products regulated by the FDA a careful analysis would be required, but I tend to think that the regulatory rationale would be similar.

we should either go all in on Part 11, or not at all, as anything in-between would be hard to justify if either way would be OK with a certification body for companies like us.

As a very general statement, I agree. Considering the specifics you provided, my current stance is that you should refrain from applying Part 11. What would be the rationale? That it looks fancy? It is a serious undertaking. From the certification body perspective, the only thing that matters (or should matter) is the word of the standard. If the standard prompts you to analyse and document your role under the regulation, and your documented analysis determines (solidly) that you have no role under the regulation and thus that regulation is N/A, that's all that matters, and the certification body (i.e. the auditor) should grant you full marks on this item. Any considerations around going above and beyond, to make potential customers "happier", should - IMO - be avoided by the certification body. Managements can be irrational if they choose to, but CB auditors must stay aligned with the word of the standard they certify to.

 

[SusanM0812]

I agree with everything Ronen E has stated above - you're definitely in an interesting position from a regulatory perspective. The bottom line is, that ISO 13485 and 21CFR Part 11 are not related. Yes, you can do 13485 without part 11 compliance, and you can save a little bit of money along the way using off the shelf tools like DocuSign (which as an e-signature tool by itself, is compliant with the part 11 specifics about the signature itself, but part 11 has more requirements than just the signature element) - where you won't be compliant if you don't go with a fully featured eQMS tool is all the other requirements under part 11 about audit trails, and back up/recovery processes. As someone who currently works for a service provider to life sciences, I will say that we finally stopped trying to defend our position that part 11 doesn't apply to us and implemented a very light touch part 11 policy internally. It isn't our NBs that expect this, it's our customer base. The majority of our customers are always trying to apply regulations to us that THEY follow, but don't actually apply to us. We make software, not devices or drugs. You make "components" - not finished devices or drugs. So, GMP, part 11, all that does not apply to you. But you will spend more time arguing with customers who audit you to their standards than it's worth - trust me. So, go for 13485, even though it really doesn't apply to you, and make sure you have a SOLID case for the applicability statements in your quality manual - and write your scope and justifications for things you do follow/don't follow, and you'll be just fine

 

[KarenA01]

Between and vactions and other things at work I'm just getting back to this

@Ronen E
@SusanM0812
Thanks for your repiles. I think I have a better idea of what we may need... though I think we will likely tend to go more to the FDA regulated environment... Last year we had an audit by a potential customer that just about audited us to FDA standards ... and that could happen again.

I have another question but I'll start a new thread for it.

Thanks
-Karen