A complete guide to 21 CFR Part 11 for medical device manufacturers


    Making sure that medical devices meet the required quality standards is essential to protecting public safety. In order to ensure compliance, medical device companies need to be familiar with 21 CFR Part 11—a set of regulations by the U.S. Food and Drug Administration governing electronic records and signatures.

    Compliance with 21 CFR Part 11 means med device manufacturers need to have systems in place that ensure the authenticity, integrity, and confidentiality of electronic records. These systems must be built within 21 CFR Part 11 compliant software that make electronic records accessible to authorized individuals and track any changes. In addition, electronic signatures used to sign these records must meet certain requirements in order to be considered valid.

    Overall, 21 CFR Part 11 provides a framework for how medical device manufacturers can use electronic records and signatures in a way that protects the public and meets regulatory requirements. While compliance may seem daunting at first, understanding the requirements and benefits can help simplify the process. Familiarizing yourself with this regulation is essential for any company that manufactures medical devices and will help you ensure the safety of your products. 

    RELATED READING: A [printable] 21 CFR Part 11 compliance checklist to follow step-by-step

    An overview of 21 CFR Part 11

    21 CFR Part 11 is the FDA’s section of regulations that governs electronic records and electronic signatures. Every document and record that you create to demonstrate compliance with FDA requirements for 21 CFR Part 820 or other regulations, must also meet the regulations found in 21 CFR Part 11. 

    There are several benefits to complying with 21 CFR Part 11, including increased efficiency and accuracy. By moving to an electronic record-keeping system, life sciences organizations can save time and money while still maintaining a high level of quality control. In addition, electronic records are easier to track and manage than paper records, making it simpler to ensure compliance with regulatory requirements.

    Does 21 CFR Part 11 apply to medical device companies?

    These regulations apply to all medical device manufacturers, regardless of size; startups and small businesses are expected to fully comply the same as multinational conglomerates with bigger budgets. 

    When does 21 CFR Part 11 apply?

    This section of the code has been in effect for over 20 years, so it’s expected that all medical device manufacturers will be complying at this point. If you’re a small business just transitioning away from paper records, understanding and complying with 21 CFR Part 11 will be key to your successful transition. If you’re a medical device startup, use this guide to get your systems set up correctly out of the gate. 

    RELATED READING: Guide to 21 CFR Part 11 compliance for clinical trials

    What qualifies as an electronic record?

    An electronic record is any document, record or electronic form that you are generating and are saving in a digital format. This includes records that are generated through an electronic Quality Management System (eQMS) software solution, but also records that are simply scanned copies of paper documents if the scanned copy becomes the official record. All electronic records with signatures must indicate the 1) printed name of the signer 2) date and time of the signature 3) the meaning of the signature (approval, review, etc.). 

    Digital signatures vs. electronic signatures 

    This is where things start to get a little bit more technical. Part 11 discusses both digital signatures and electronic signatures. 

    A digital signature is encrypted using a computer algorithm, the signer’s identity is verifiable, and this type of signature is highly secure and difficult to tamper with. 

    An electronic signature is more common and is simply some sort of electronic representation of a signature that is saved to a document with the signer’s identity, the intent of the signature, and the date and time that the signature was applied. 

    As an alternative, the regulation makes an allowance for signatures that are applied with a stylus to be equivalent to a wet ink signature. If applying this method of signature to your system, it’s critical that your personnel are well-trained and understand that saving an image of their stylus signature to use repeatedly does not meet this requirement.

    Each signature must be uniquely written just as if signing a piece of paper. As a best practice, the date should also be handwritten to further indicate that it is an original signature and not a copy. Further, the document should be converted to a PDF or similar that is not easily edited to prevent tampering. This is an easy means of signature compliance for very small medical device companies, especially now that touch screens are commonplace both on computers and phones. 

    RELATED READING: How to maintain and improve your quality management system while working remotely

    Applying 21 CFR Part 11 to your QMS

    One of the first steps to establishing a Part 11 compliant system is to notify the FDA that you will be using electronic signatures (refer to 21 CFR 11.100 (c) for mailing details). This notification must be completed in paper format with handwritten signatures. This certification must specifically document that you will be using electronic signatures in place of handwritten signatures and that these electronic signatures are intended to be legally binding the same as handwritten signatures. A copy of this letter should be retained in your QMS records for future reference. 

    Closed system vs. open system

    You will also need to decide what type of a system you will be using to manage your electronic documents and records. There are two main types of systems: closed system vs. open system. A closed system is self-contained and common in an eQMS for medical device companies. In contrast, an open system is something more along the lines of a series of electronic folders or a Sharepoint system with documents filed. Some medical device companies may use some combination of closed and open systems.

    RELATED READING: What's the best 21 CFR Part 11 compliant software?

    Closed systems

    The easiest way to ensure compliance is to use a closed system that is 21 CFR Part 11 compliant. A closed system must be validated, which can either be completed by your company, or often a validation can be provided by the software provider. There is no 21 CFR Part 11 certification, so you’ll need to do your due diligence when evaluating the supplier to ensure that the system is truly Part 11 compliant. As part of the assessment, you’ll want to verify that the supplier can meet the following requirements:

    Software provider evaluation checklist for 21 CFR Part 11

    • Are records retrievable for the required retention period?
      • You will want to consider how records can be retrieved if the software company goes out of business or no longer provides support for that version of the software. Can the records be exported out of the closed system for archival purposes?

    • Are appropriate security measures in place to limit access?
      • Password protection, time-outs if inactive for a few minutes, regular password resets should all be in place for a strong system.

    • Do administrator accounts have “god powers” where they can make backdoor edits?
      • This should be a red-flag. The system should not rely on the integrity of your personnel, but rather should be robustly built to prohibit backdoor access. For example, if administrators can update the file directory through the server instead of through the closed system, the system isn’t truly closed. This could be a potential liability and a system with this limitation should come at a much lower cost.

    • Is there a clear audit trail in place for all revisions to documents or records with time stamps?
      • Time stamps need to include the time zone as well. You should be able to verify the order signatures were applied to a document or record even if signers are in multiple time zones.

    Open systems

    An open system is generally more cost-effective, however, it is more manual and inherently riskier. Keep in mind that there may be increased labor costs that should be considered as part of your cost-benefit analysis. For an open system, you must maintain the same requirements of a closed system to the extent possible. Access to edit documents should be limited to appropriate personnel, retrieval should be possible throughout the retention period, and, where possible, an audit trail should be maintained. 

    For some basic security, computer logins should use a unique username and password to apply an initial layer of security and authentication to documents and records. User passwords should be routinely changed (quarterly is a good starting point) to minimize the risk of password sharing.

    When are electronic/digital signatures required?

    Compliant signatures are one of the trickier parts of meeting Part 11 requirements for small manufacturers, but with a close reading of 21 CFR 820, there are only a few places where signatures are explicitly required. Signatures are required in the following places:

    •     21 CFR 820.30 (c) Design Inputs
    •     21 CFR 820.30 (d) Design Outputs
    •     21 CFR 820.40 Document Control
    •     21 CFR 820.75 Process Validation
    •     21 CFR 820.80 Receiving, In-Process, and Finished Device Acceptance
    •     21 CFR 820. 120 (b) Device Labeling Inspection
    •     21 CFR 820.90 (b) Nonconformity Review and Disposition

    If signatures are not explicitly required, you can use another means of documenting the requirements of the regulation. For example, 820.30 (i) identifies that there must be procedures for identification, documentation, validation, verification, review, and approval of design changes. Typically, review and approval are documented with a signature, but this does not have to be the case. Review and approval could be documented with a stamp, an email confirmation, or other means, as long as any process used is clearly defined in your procedures. 

    The FDA document Guidance for Industry: Part 11, Electronic Records; Electronic Signature – Scope and Application clarifies that the FDA is not intending for this to be a burdensome process and they are only enforcing a narrow scope. If records are not required to be retained under other rules, such as Part 820, then Part 11 will not apply. Keep this in mind when you’re defining how to apply these requirements.  

    In practice: 21 CFR Part 11 example

    Outlined below is a Non-Conformance Report (NCR) process for both systems. The first example is the process in an open system and, secondly, a closed system. These two examples illustrate how the respective systems differ.

    Open system example

    This is most similar to processing a NCR on paper. The NCR record will be typed up in your word processing software (Microsoft Word, Google Docs, etc.). This record will include all of your documentation of your identification, documentation, evaluation, investigation, segregation, and disposition of your nonconforming product. 

    For a typical NCR the person completing the form can simply type their name or initials and the date of completion into the form, then ideally PDF the form, and save to your quality records. This is very similar to sending a document around for review and then filing it away in a binder on a shelf. 

    If the product will be released for use, 820.100(b) requires a justification for use and the signature of the person authorizing the release of the product for use. A signature can then be collected on the form either as an electronic or digital signature, or through a handwritten signature (written with a stylus or print, sign, & scan). 

    The files should be set to have limited access so that only personnel that require edit access have that access. Training should be documented for all personnel that they understand that file access is limited, that files should never be deleted, and how the electronic process will be executed. 

    Closed system example

    In a closed system the record will be generated within the NCR module of the system and the system will prompt the user to fill in a series of fields, checkboxes, and possibly attach supporting documentation. Once the form is completed it may be automatically sent to other users for review and/or approval, depending on what approval requirements you have set up for the document type. The reviewers will then log-in to the closed system to be able to access the NCR and review the document. Any signatures required would be applied either electronically or digitally. The record would then be saved in the eQMS system and anyone wishing to review the document would need to sign into the eQMS system.

    Get started with 21 CFR Part 11 compliance

    Compliance with 21 CFR Part 11 can feel daunting, but it doesn’t have to be. The most important thing is to have a plan in order to make the process of compliance as smooth as possible. First, notify FDA of your intent to use electronic signatures and/or records and then start writing procedures to control your applicable processes. Having well-defined controls in place will make it easier to defend your electronic records and signatures procedures. The goal is not for this to become a burdensome and expensive task, but there should be safeguards in place to ensure that document integrity remains at least equivalent to paper records.

    If you need help getting started, use our 21 CFR Part 11 compliance checklist that can help you get up to speed. And, if you’re looking for an eQMS that is built with 21 CFR Part 11 compliance in mind, check out Qualio.