Can an eQMS help you with 21 CFR Part 11 Compliance?
Some companies in the medical device industry might find demonstrating 21 CFR Part 11 compliance a daunting task. As the regulation scope is broad and far-reaching, it affects the vast majority of companies in the industry that use electronic records.
Many can find the regulation complicated or confusing, so it is no surprise that some businesses are looking for a simpler and quicker way to demonstrate 21 CFR Part 11 compliance.
MedQdoc is a validated and pre-configured eQMS that includes templates, functionalities and settings that assure full compliance to QSR and 21 CFR Part 11, meaning you will be up and running in no time.
But what does compliance with 21 CFR Part 11 mean? Read on to find out why compliance matters and how MedQdoc can help you fulfil some of the key requirements of this regulation.
1. What is Title 21 CFR Part 11?
Title 21 CFR Part 11 is part of the Code of Federal Regulations that establishes FDA regulations on electronic records and electronic signatures. Part 11 defines the criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records.
In practical terms, Part 11 requires medical device manufacturers to implement controls including audits, system validations, audit trails, electronic signatures, and documentation for software and systems involved in processing the electronic data that FDA predicate rules (FDA rules not in Part 11) require them to maintain. The regulation applies to the US market, so if your medical device is to be sold in the US, you need to comply with 21 CFR Part 11.
Even if you are not planning to sell in the US, there are many benefits of working to 21 CFR Part 11. A 21 CFR Part 11 compliant eQMS, like our MedQdoc, is a state-of-the-art management system for electronic records and signatures. Our compliance-focused system will ensure you are always working to best practices and are positioned for possible future expansions.
MedQdoc gives you high levels of control over your QMS including the templates, functionality and settings, assuring full compliance to ISO 13485, ISO 14971, MDR 2017/745 and IVDR 2017/745.
Please contact us for more information >
Read on to find out more about how MedQdoc addresses some of the key components of 21 CFR Part 11 compliance.
2. Using MedQdoc to manage user access and privileges according to Title 21 CFR Part 11
Part 11 contains a lot of requirements concerning user access and privileges. Of the many important conditions in the regulation, here are some of the highlights:
One of the requirements is that there must be system checks to enforce the specific sequencing of actions related to a record. What this means is that, for example, you should not be able to approve a record before it has been reviewed, or that a record needs to be approved before it can be published.
This workflow is straightforward and easy to understand in MedQdoc. It is the standard system-controlled way of publishing a document, which goes from creating the record, reviewing the record, approving the record and finally publishing the record. It is as simple as that.
According to Part 11, there should also be controls to limit system access only to authorized individuals who have had appropriate training. There are three parts to this:
I. From a system operations point of view, the system platform developer must adhere to the rules set out in
ISO/IEC 27001 (requirements regarding information security management systems) to ensure that the persons within their organisation have the education, training and experience to perform their tasks.
II. From a system administration point of view, MedQtech, the developer of MedQdoc, must adhere to the rules set out in ISO 13485 to ensure that the persons within their organisation have the appropriate education, training and experience to perform their task around implementing and administering MedQdoc.
III. In your own organisation, you need to ensure that the personnel who are going to use MedQdoc have the appropriate education, training and experience to perform tasks related to the use of MedQdoc. In MedQdoc, templates for recording training for users are included, as well as a pre-defined folder structure for storing these training records. Furthermore, there is a template for a training procedure which you can readily adapt to reflect your own training process.
From a system access point of view, in MedQdoc you have the possibility to control access in two different ways. First of all, there are four user access profiles pre-defined in MedQdoc, with each group having different levels of access to system functionalities. A user will belong to one of these four profiles, which defines what they can access and do within MedQdoc. Part 11 also states that there should be written policies to define accountability and responsibility for actions initiated from a signature, as well as procedures for managing and protecting system documentation.
For this, MedQdoc includes a pre-defined IT policy that establishes accountability and responsibility. MedQdoc also includes written procedures describing control over system documentation, as well as revision and change control of these documents. Of course, your organisation needs to adapt these policies and procedures to reflect company-specific practices and deliver training for all users. Helping you in your training efforts are the training tools specified above.
Did you know that besides the IT policy, MedQdoc includes 130 templates that you can adopt to kick start the implementation of your quality management system?
3. Using MedQdoc to manage electronic records according to 21 CFR Part 11
First of all, Part 11 tells us to:
• Validate our system “…to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.”
When MedQdoc is installed for you, it has already been validated. All documentation from this validation is included in the eQMS package and can be accessed by you. These records include validation strategy, validation plans and validation reports.
Of course, if you choose to modify part of the system, something that is very straightforward to do in MedQdoc, you may have to re-validate that specific functionality. However, since all validation records are already included in MedQdoc, you can easily utilize these records to validate the changes you have made.
Furthermore, Part 11 needs our system to be able to:
• “…generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency.”
In MedQdoc, records are viewed and edited in the built-in viewer and editor, which makes it very easy to manage records without the need for Office-based applications and without the hassle of checking-out/checking-in as well as the possible problems that might result from this.
But to be compliant with Part 11, all records should also be available to view, download and print in pdf-format. When a record is presented in pdf-format, disclaimers are provided to clearly state that it is an uncontrolled copy of the original record from within the system.
Last, but not least, Part 11 states that we need to:
• Protect “…records to enable their accurate and ready retrieval throughout the records retention period.”
To ensure continuous access to records, a back-up of all data including records and any attachments uploaded to the system is performed fully once a day as well as continuously throughout the day. All back-ups are saved in three separate geographic locations.
4. Using MedQdoc to manage electronic signatures according to 21 CFR Part 11
Regarding electronic signatures, a major aspect of Part 11 is enforcing a controlled system so that access is limited to authorized individuals only.
Like many other systems, MedQdoc controls access to records through unique login identifiers such as usernames and passwords. However, in MedQdoc you can also add an extra layer of security by enabling multi-factor authentication. This means that in addition to a username/password, you can force users to authenticate themselves via, for example, Microsoft Authenticator before they can access the system.
MedQdoc implements other best practices in accordance with Part 11 to ensure its users a secure system. After being granted access to the system via a valid username and password, users must enter their credentials again to carry out critical actions.
This sequential sign-on is one of the most important aspects of an eQMS when it comes to complying with Part 11. The way that MedQdoc addresses this is by letting your company decide the types of records, levels of documentation and types of actions that require sequential sign-on. For simplicity, some companies may choose to retain the need for sequential sign-on for all actions, documents and activities.
When a specific action has been taken by a user, Part 11 also requires us to show clear audit trails so that all events are recordable, viewable and traceable. Examples include showing the printed name of the signer, the date and time when the signature was made, as well as what the signature was for (review, approve, etc.).
In MedQdoc, this information can be found in the document header as well as in the audit trail of the document. These can all be accessed easily either digitally or in pdf-format as required by Part 11.
I hope that this blog post has answered some of your questions regarding compliance with the FDA’s QSR and more specifically 21 CFR Part 11.
If you want to know more about MedQdoc, don’t hesitate to book a demo where we can show you more in detail how MedQdoc can help you comply with not only QSR and 21 CFR Part 11, but also with ISO 13845, ISO 14971, MDR 2017/745 and IVDR 2017/746.
Request a MedQdoc consultative led DemonstrationRequest a Demonstration
8 Key QMS Considerations when Implementing ISO 13485Read more
Follow us on LinkedIn to see our latest features, templates and tools.Follow us