21 CFR Part 11 (and EU) compliant Digital Signatures on a Production Line

kreid

Involved In Discussions
#1
Hello,

I have spent many hours reading around the subject of digital signatures and still do not have a good solution for implementing digital signatures in a medical device company that complies with FDA and EU regulation.

My reading has included the thread on the Cove.

My most recent attempt at applying these regs is for the following scenario:

There is a medical device production line that consists of 12 or so specific and defined steps through which the device passes to be manufactured.

These steps are completed in series (one after the other) but can be completed by different individuals.

The production line is a virtual PC based production line.

The company believes that each production operative must sign for the work they do.

The production line system is a 'closed' system in that the process and records created during that process are created and maintained within the company.

I do not want to recommend a commercial solution that is expensive.

I am wondering if there is a way to internally create a software solution that meets the requirements of the FDA and EU.

As an aside do you think that the production operative does have to sign for the work they carry out?

Thanks, in advance.

Keith
 

Gert Sorensen

Forum Moderator
Moderator
#2
> I do not want to recommend a commercial solution that is expensive.
>
> I am wondering if there is a way to internally create a software solution that meets the requirements of the FDA and EU.
First of all: EU does not have any requirements for Electronic Signatures when it comes to medical devices. Annex 11 is for Pharma.

Second: Yes, it is possible to create a solution, but it is not likely to be feasible. Using a reputable OTS solution is probably a lot cheaper, and way more robust.

> As an aside do you think that the production operative does have to sign for the work they carry out?
That highly depends on the work that they do. 21 CFR 820 is pretty specific about the required signatures. What can make it burdensome is that the company may have their own internal requirements that will also need to be incorporated.
 

kreid

Involved In Discussions
#3
Hi Gert,

Thanks for your reply.

I included the EU because they do have the EU Electronic signatures directive, and although not specific to medical devices I assume if we are claiming our signatures to be 'legally binding' then we might sometimes have to look outside medical device regs, but you are right to highlight this point, thanks.

The sort of non-OTS solution I was thinking about was something like the following:

If the production operative completes a production step and at the end of it he/she presses a button to confirm completion and then is prompted to enter "two distinct identification components such as an identification code and password", with these details being logged in a secure database (remember this production process is entirely PC based).
Then at the end of the production process a QA rep retrieves the production run data that includes the details of the 'who, what & when' produced the device and creates a record of this.

(And let's assume the general management of identifying codes and passwords etc. is i.a.w. 21CFR11.)

Would this suffice?
 

BradM

Staff member
Admin
#4
Questions...
Must precedence be enforced? Do all steps need to be completed in order, or can they be completed at different times with no impact on the step in front of it or behind it?

Does each step involve the recording of observed/measured data?

Does one of the steps represent a critical point; where product is rejected/ cannot proceed?

I guess what I'm getting at here is asking if you have mapped out your processes. Set aside for a second how the information is recorded. Do you have a clear understanding of what is required, what is value added, and what is not needed? Once this is done, that can then translate to the requirements/deliverables of whatever tool you use to record information.


What software application are you currently using to record activity?

Gert and some others here have forgotten more about software validation than I will ever remember. I will say, that every project I am aware of to validate a software application that wasn't previously designed to be compliant, was abandoned. It's just too much, and the costs are too great. Not to mention the scrutiny that endeavor would face in an audit scenario.

If you have performed a gap analysis and there are deficiencies with your current application, that should help drive funding a new package for your application. Yes it's not cheap; but many of them already have IOQ document packages that you can purchase; saving a ton of time and money. Then, you just have to develop the PQ for how you are going to use it.
 

BradM

Staff member
Admin
#5
> The sort of non-OTS solution I was thinking about was something like the following:
>
> If the production operative completes a production step and at the end of it he/she presses a button to confirm completion and then is prompted to enter "two distinct identification components such as an identification code and password", with these details being logged in a secure database (remember this production process is entirely PC based).
> Then at the end of the production process a QA rep retrieves the production run data that includes the details of the 'who, what & when' produced the device and creates a record of this.
>
> (And let's assume the general management of identifying codes and passwords etc. is i.a.w. 21CFR11.)
>
> Would this suffice?
When you state that QA "creates a record of this", is that a printed record or a paperless record? Is QA willing to go into your current paperless system to review/ approve/ etc.?

Others may provide a different answer. But... I'm not sure you have covered all the bases. What assurance do you have that the records cannot be altered? Is there an audit trail? Are there different security levels and permission levels? Is there a time stamp on everything?

What about Electronic Archiving/ Records Retention? Have you fully tested all the security requirements of the "secure" database? Who can see that information?

Will the system(s) prompt users to periodically change their passwords? Will the system lock out their account if there are too many attempts?

You certainly may have addressed all these. :) it's just... to assure that your electronic records are secure (and compliant) there is a lot you have to verify is in place; and it's easy to miss something.
 

kreid

Involved In Discussions
#6
Hi Brad,

To address your second post first - let's assume that all of the security and audit trail stuff is taken care of in the company wide IT security regime.
And assume that QA record will be paperless.

To your first post, each step is sequential and critical and includes the recording of necessary data. The steps have to be carried out in order but can be fulfilled by different operators at different times.

The deficiency in the current process is that the electronic signatures used do not comply with 21CFR11 (and let's assume everything else is great :)).

The production process is controlled by/hosted in an in-house developed suite of software - let's call it Fred.

My question is - if I add functionality to Fred that means the production operative has to provide "two distinct identification components such as an identification code and password" on completion of each production step (and records all of the audit trail and ensures the data is secure etc.) would this be good enough (in the realm of 21CFR11 and any FDA audit)?

Or do I have to assume that the OTS providers (of digital sig software) have some magic that no other mortals have? (and yes that magic could just be the necessary time and resources to develop something that is compliant).
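
Added illustration, not part of the thread and not any poster's code: a minimal sketch of the technical controls raised above (two distinct identification components per step, enforced step order, time stamps, account lockout, and a tamper-evident audit trail). The class name, the lockout threshold and the HMAC-chained log are assumptions made for the example; running it does not by itself make a system validated or 21 CFR Part 11 compliant.

```python
import hashlib, hmac, json, os
from datetime import datetime, timezone
MAX_ATTEMPTS, STEPS = 3, 12  # assumed lockout threshold; "12 or so" steps per the thread

def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class StepSigner:  # hypothetical name, not a real product or library
    def __init__(self, audit_key):
        self.audit_key = audit_key  # assumed to be kept away from operators
        self.users = {}             # user_id -> [salt, password hash, failed attempts]
        self.log = []               # append-only, MAC-chained signature records

    def enroll(self, user_id, password):
        salt = os.urandom(16)
        self.users[user_id] = [salt, hash_pw(password, salt), 0]

    def _authenticate(self, user_id, password):
        u = self.users.get(user_id)
        if u is None or u[2] >= MAX_ATTEMPTS:   # unknown or locked-out account
            return False
        if hmac.compare_digest(u[1], hash_pw(password, u[0])):
            u[2] = 0
            return True
        u[2] += 1                               # count the failure toward lockout
        return False

    def _mac(self, rec):
        body = json.dumps({k: v for k, v in rec.items() if k != "mac"}, sort_keys=True)
        return hmac.new(self.audit_key, body.encode(), hashlib.sha256).hexdigest()

    def sign_step(self, device, step, user_id, password, meaning="completed"):
        done = sum(1 for r in self.log if r["device"] == device)
        if step != done + 1 or step > STEPS:    # precedence: steps only in order
            raise ValueError("step out of sequence")
        if not self._authenticate(user_id, password):
            raise PermissionError("signature rejected")
        rec = {"device": device, "step": step, "user": user_id, "meaning": meaning,
               "time": datetime.now(timezone.utc).isoformat(),
               "prev": self.log[-1]["mac"] if self.log else ""}
        rec["mac"] = self._mac(rec)             # binds the record to its predecessor
        self.log.append(rec)
        return rec

    def verify_log(self):
        prev = ""
        for rec in self.log:                    # any edit, deletion or reorder breaks the chain
            if rec["prev"] != prev or not hmac.compare_digest(rec["mac"], self._mac(rec)):
                return False
            prev = rec["mac"]
        return True
```

The chain only detects alteration by someone who lacks the audit key, so where that key is stored and who can read it matters as much as the code.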
 