Please disable your adblock and script blockers to view this page
Search the Elsmar Cove!
**Search ALL of Elsmar.com** with DuckDuckGo including content not in the forum - Search results with No ads.

Do Cloud services require 21 CFR Part 11 compliance?

Ed Panek

VP QA RA Small Med Dev Company FDA and ISO13485:16
Trusted
#1
We design, manufacture, and sell a 510K Class II device and we recently introduced a clinical application for the device to used in hospitals. Our device takes and transmits a biometric data point to be processed and stored in the cloud and accessible by nurses and later manually entered into the EHR of each patient. Does our device and supporting data structure need to conform to 21 CFR Part 11?
 

yodon

Staff member
Super Moderator
#2
If I understand you correctly, it sounds more like your application should be more concerned with HIPAA / GDPR type stuff (as well as cybersecurity).

21 CFR Part 11 is for when you have electronic records or signatures applied electronically to records required under the regulations.
 
Last edited by a moderator:

Ed Panek

VP QA RA Small Med Dev Company FDA and ISO13485:16
Trusted
#3
Thanks. One of our customers is a large pharma company running clinical trials. I think they asked about part 11 because they currently manage this biometric as a manual measurement later entered into the EHR. Our device allows automated measurements electronically.


If I understand you correctly, it sounds more like your application should be more concerned with HIPAA / GDPR type stuff (as well as cybersecurity).

Part 11 is for when you have electronic records or signatures applied electronically to records required under the regulations.
 

yodon

Staff member
Super Moderator
#4
If it's for clinical trial records, then Part 11 may well apply.

Irrespective of the applicability, the concepts in Part 11 are sound: ensure you have good control over the records (nobody can change anything without a complete audit trail) and electronic signatures cannot be reputed (there's more but hopefully you get my drift).
 

JJ_FDA

Involved In Discussions
#5
Part 11 would apply if a predicate rule (i.e., the GxPs) applies to records that need to maintained and submitted to FDA.

I don't know anything about medical device world, but from the perspective of your customer who wants to use it in clinical trials (GCP is predicate rule), the system should be capable of complying to the regulation. This means having features such as audit trails, access control, validatable, non-repudiatability of electronic signatures (if used), and so on. As an example, have a look at this sell sheet from BD (PDF) for their device.

One note that systems are never part 11 compliant until they are validated by your customer in their environment. They can be part 11 capable, but not compliant out of the box. So it's important that you client understands that there would be some additional work to do once they acquire your system other than the usual systems integration work. Vendors touting their systems as compliant out of the box is a pet peeve of mine.
 

Ed Panek

VP QA RA Small Med Dev Company FDA and ISO13485:16
Trusted
#6
So We did a gap analysis and we are fixing the gaps. How does the end result get communicated to potential customers and into our QMS?
 

Tagin

Involved In Discussions
#7
I saw this on Amazon's AWS site: GxP Compliance - Amazon Web Services (AWS)

There is no GxP certification for a commercial cloud provider such as AWS. AWS offers commercial off-the-shelf (COTS) IT services according to IT quality and security standards such as ISO 27001, ISO 27017, ISO 27018, ISO 9001, NIST 800-53 and many others. GxP-regulated life sciences organizations are responsible for purchasing and using AWS services to develop and operate their GxP systems, and to verify their own GxP compliance.
That page also has a link to a pretty useful-looking PDF: "Using AWS In GxP Systems".
 

JJ_FDA

Involved In Discussions
#8
So We did a gap analysis and we are fixing the gaps. How does the end result get communicated to potential customers and into our QMS?
I still like the BD sell sheet I linked to above for communicating to potential customers.

For your quality system, the standard requirement specification - specification testing - testing report process would be expected.
 
Top Bottom