21 CFR Part 11 (and EU) compliant Digital Signatures on a Production Line

kreid

Involved In Discussions
Hello,

I have spent many hours reading around the subject of digital signatures and still do not have a good solution for implementing digital signatures in a medical device company that complies with FDA and EU regulation.

My reading has included the thread on the Cove.

My most recent attempt at applying these regs is for the following scenario:

There is a medical device production line that consists of 12 or so specific and defined steps through which the device passes to be manufactured.

These steps are completed in series (one after the other) but can be completed by different individuals.

The production line is a virtual PC based production line.

The company believes that each production operative must sign for the work they do.

The production line system is a 'closed' system in that the process, and the records created during that process, are created and maintained within the company.

I do not want to recommend a commercial solution that is expensive.

I am wondering if there is a way to internally create a software solution that meets the requirements of the FDA and EU.

As an aside do you think that the production operative does have to sign for the work they carry out?

Thanks, in advance.

Keith

Gert Sorensen

I do not want to recommend a commercial solution that is expensive.

I am wondering if there is a way to internally create a software solution that meets the requirements of the FDA and EU.

First of all: EU does not have any requirements for Electronic Signatures when it comes to medical devices. Annex 11 is for Pharma.

Second: Yes, it is possible to create a solution, but it is not likely to be feasible. Using a reputable OTS solution is probably a lot cheaper, and way more robust.

As an aside do you think that the production operative does have to sign for the work they carry out?

That highly depends on the work that they do. 21 CFR 820 is pretty specific about the required signatures. What can make it burdensome is that the company may have their own internal requirements that will also need to be incorporated.
 

kreid

Involved In Discussions
Hi Gert,

Thanks for your reply.

I included the EU because they do have the EU Electronic signatures directive, and although not specific to medical devices I assume if we are claiming our signatures to be 'legally binding' then we might sometimes have to look outside medical device regs, but you are right to highlight this point, thanks.

The sort of non-OTS solution I was thinking about was something like the following:

If the production operative completes a production step and at the end of it he/she presses a button to confirm completion and then is prompted to enter "two distinct identification components such as an identification code and password", with these details being logged in a secure database (remember this production process is entirely PC based).
Then at the end of the production process a QA rep retrieves the production run data that includes the details of the 'who, what & when' produced the device and creates a record of this.

(And let's assume the general management of identifying codes and passwords etc. is i.a.w. 21CFR11.)

Would this suffice?
 

BradM

Leader
Admin
Questions...
Must precedence be enforced? Do all steps need to be completed in order, or can they be completed at different times with no impact on the step in front of it or behind it?

Does each step involve the recording of observed/measured data?

Does one of the steps represent a critical point; where product is rejected/ cannot proceed?

I guess what I'm getting at here is asking if you have mapped out your processes. Set aside for a second how the information is recorded. Do you have a clear understanding of what is required, what is value added, and what is not needed? Once this is done, that can then translate to the requirements/deliverables of whatever tool you use to record information.


What software application are you currently using to record activity?

Gert and some others here have forgotten more about software validation than I will ever remember. I will say, that every project I am aware of to validate a software application that wasn't previously designed to be compliant, was abandoned. It's just too much, and the costs are too great. Not to mention the scrutiny that endeavor would face in an audit scenario.

If you have performed a gap analysis and there are deficiencies with your current application, that should help drive funding a new package for your application. Yes, it's not cheap, but many of them already have IOQ document packages that you can purchase, saving a ton of time and money. Then, you just have to develop the PQ for how you are going to use it.
 

BradM

Leader
Admin
The sort of non-OTS solution I was thinking about was something like the following:

If the production operative completes a production step and at the end of it he/she presses a button to confirm completion and then is prompted to enter "two distinct identification components such as an identification code and password", with these details being logged in a secure database (remember this production process is entirely PC based).
Then at the end of the production process a QA rep retrieves the production run data that includes the details of the 'who, what & when' produced the device and creates a record of this.

(And let's assume the general management of identifying codes and passwords etc. is i.a.w. 21CFR11.)

Would this suffice?

When you state that QA "creates a record of this", is that a printed record or a paperless record? Is QA willing to go into your current paperless system to review/ approve/ etc.?

Others may provide a different answer. But... I'm not sure you have covered all the bases. What assurance do you have that the records cannot be altered? Is there an audit trail? Are there different security levels and permission levels? Is there a time stamp on everything?

What about Electronic Archiving/ Records Retention? Have you fully tested all the security requirements of the "secure" database? Who can see that information?

Will the system(s) prompt users to periodically change their passwords? Will the system lock out their account if there are too many attempts?

You certainly may have addressed all these. :) It's just... to assure that your electronic records are secure (and compliant) there is a lot you have to verify is in place; and it's easy to miss something.
 

kreid

Involved In Discussions
Hi Brad,

To address your second post first - let's assume that all of the security and audit trail stuff is taken care of in the company wide IT security regime.
And assume that QA record will be paperless.

To your first post, each step is sequential and critical and includes the recording of necessary data. The steps have to be carried out in order but can be fulfilled by different operators at different times.

The deficiency in the current process is that the electronic signatures used do not comply with 21CFR11 (and let's assume everything else is great :)).

The production process is controlled by/hosted in an in-house developed suite of software - let's call it Fred.

My question is - if I add functionality to Fred that means the production operative has to provide "two distinct identification components such as an identification code and password" on completion of each production step (and records all of the audit trail and ensures the data is secure etc.) would this be good enough (in the realm of 21CFR11 and any FDA audit)?

Or do I have to assume that the OTS providers (of digital sig software) have some magic that no other mortals have? (and yes that magic could just be the necessary time and resources to develop something that is compliant).
 
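As an added illustration (not code from this thread, and not part of the poster's in-house "Fred" suite), the Python below models the elements the discussion keeps circling: Keith's sign-off with two identification components (user ID plus password) at the end of each sequential step, and Brad's questions about time stamps, lockout after repeated failed attempts, and assurance that the records cannot be altered. Step names, device serial, users and passwords are constructed sample data; the hash-chained audit trail shows how a later alteration of any recorded entry becomes detectable, which is one concrete answer to "what assurance do you have that the records cannot be altered?". Records retention, permission levels and password ageing are not modelled.

```python
import hashlib
import hmac
import json
import os
from datetime import datetime, timezone

# Constructed sample data: a 12-step line, as described in the thread,
# and a lockout threshold chosen for the example.
STEPS = [f"S{i:02d}" for i in range(1, 13)]
MAX_FAILED_ATTEMPTS = 3


def _utc_now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


class UserDirectory:
    """Holds salted password hashes and a per-user failed-attempt counter."""

    def __init__(self):
        self._users = {}

    @staticmethod
    def _derive(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user_id] = {"salt": salt, "hash": self._derive(salt, password),
                                "failed": 0, "locked": False}

    def is_locked(self, user_id: str) -> bool:
        rec = self._users.get(user_id)
        return rec is not None and rec["locked"]

    def authenticate(self, user_id: str, password: str) -> str:
        """Check both identification components; return 'ok', 'locked' or 'bad_credentials'."""
        rec = self._users.get(user_id)
        if rec is None:
            return "bad_credentials"
        if rec["locked"]:
            return "locked"
        if hmac.compare_digest(rec["hash"], self._derive(rec["salt"], password)):
            rec["failed"] = 0
            return "ok"
        rec["failed"] += 1
        if rec["failed"] >= MAX_FAILED_ATTEMPTS:
            rec["locked"] = True  # account locked after repeated failures
        return "bad_credentials"


class AuditTrail:
    """Append-only trail; each entry commits to the hash of the one before it."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, **fields) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = dict(seq=len(self.entries), prev_hash=prev, **fields)
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (True, None), or (False, index) of the first entry that no longer verifies."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev or e["hash"] != self._digest(e):
                return False, i
            prev = e["hash"]
        return True, None


class ProductionRun:
    """One device travelling the line; steps must be signed in order."""

    def __init__(self, serial: str, users: UserDirectory, trail: AuditTrail, clock=_utc_now):
        self.serial, self.users, self.trail, self.clock = serial, users, trail, clock
        self.next_step = 0

    def sign_step(self, step: str, user_id: str, password: str, data: dict) -> str:
        expected = STEPS[self.next_step] if self.next_step < len(STEPS) else None
        if step != expected:
            return "out_of_order"
        outcome = self.users.authenticate(user_id, password)
        if outcome != "ok":
            # Rejected attempts are recorded too, so QA can review them later.
            self.trail.append(serial=self.serial, step=step, user_id=user_id,
                              event="signature_rejected", reason=outcome, timestamp=self.clock())
            return outcome
        # The signed record carries who, what, when and the meaning of the signature.
        self.trail.append(serial=self.serial, step=step, user_id=user_id, event="step_signed",
                          meaning="completed step", data=data, timestamp=self.clock())
        self.next_step += 1
        return "ok"
```

Because every entry's hash covers the previous entry's hash, editing a single field anywhere in the trail (the user ID on the first sign-off, say) makes that entry and every later one fail `verify()`; the chain itself does not stop a database administrator from rewriting the whole table, so the verification value would in practice be stored or signed outside the writable system.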