Five Key Issues to Consider as Your Company Addresses FDA 21 CFR Part 11
Modern medical device companies use electronic systems in almost every part of their daily operations. Word processing, email, and voice over Internet Protocol (VoIP) programs have superseded handwritten and telephone business communications. Spreadsheets have displaced handwritten ledgers. Computers are ubiquitous, enabling world-wide research, financial transactions, and global communication. Companies that once stored reams of information about their products and processes in paper files now store hundreds of thousands of documents on a disk smaller than a person’s palm.
Companies that once stored reams of information about their products and processes in paper files now store hundreds of thousands of documents on a disk smaller than a person’s palm.
Given that companies now develop and store the majority of their business and product information in electronic systems, it follows that documenting changes to that information could be done electronically as well. Transitioning from paper-based documentation to an electronic system can increase efficiency and productivity. This article is intended to assist medical device companies who plan to upgrade their paper systems or augment their electronic records management with an electronic change control system.
21 CFR Part 11 — The Regulation Governing Electronic Signatures
Medical device companies who plan to move from paper change order processes to electronic change management are responsible for meeting the requirements set forth in 21 CFR Part 11 Electronic Records: Electronic Signatures: Final Rule, effective March 20, 1997. Companies already using electronic systems to track employee training records, corrective actions or other data requiring traceable documentation may already be familiar with this regulation.
21 CFR Part 11 “sets forth the criteria under which the [FDA] considers electronic records, electronic signatures and handwritten signatures executed to electronic records to be trustworthy, reliable, and generally equivalent to signatures executed on paper.” While the complete details of this regulation are not covered below, this article summarizes five critical guidelines that medical device companies should consider as they move toward efficient, validated electronic change management:
1. Select an electronic change system that supports your current business processes.
Whether your company has a well established or brand new change process, the change management system you select must support that process. Typically this means that the system must allow users to do some or all of the following actions:
- Create change orders.
- Submit change orders for review, with attached documentation for reviewers to assess.
- Document decisions of a panel of reviewers, either serially or in parallel.
- Report on the status (submitted, open, rejected, approved) of change orders in the system, who has signed off, and who has yet to sign off.
- Assess implementation of the change order after the change order is approved.
Your company will rapidly increase change process efficiency if you are able to successfully map your current change process into your new electronic tool. If your company uses a feedback mechanism of change requests or issue management to generate change orders, your new tool should support this change creation process. You probably already have specific groups of people required to approve change orders. Perhaps these groups differ depending on the type of change being considered.
Select a change management system that allows you to easily create approver groups that mirror your current groups. Consider whether you might save time by enabling multiple people or groups to review a change order simultaneously, and determine if your potential tool supports this type of structure.
Moving to an electronic change management process streamlines your company’s ability to responsibly update your company and product data. Optimally, your employees will adopt your new process seamlessly, with no disruption to their regular workflow.
2. Document your company’s intent to use electronic signatures.
An electronic document cannot be signed in the traditional sense of putting pen to paper. Adopting electronic change management practices means using electronic signatures—and understanding what electronic signatures entail. For the purposes of the FDA, an electronic signature is defined as “a computer compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent to the individual’s handwritten signature.” Typically this means biometric data, a user identifier, and password, or some combination thereof.
In addition, an electronic signature is required by 21 CFR Part 11 to include “the printed name of the signer, the date and time when the signature was executed, and the meaning associated with the signature (review, approval, responsibility, authorship, etc.)” In order to meet FDA regulations, your company must declare that it both understands the substance of electronic signatures and that it intends to use them.
21 CFR Part 11 requires that your company officially certify its intention to utilize electronic signatures in its business practices.
21 CFR Part 11 requires that your company officially certify its intention to utilize electronic signatures in its business practices. Your company should submit a certification document to this effect, with a traditional handwritten signature, to the address provided in the regulation.
3. Document your company’s Standard Operating Procedures with respect to electronic records access and electronic signature use.
Adopting the use of an electronic change management process typically also entails the development of internal documents or standard operating procedures (SOPs) that clearly state the role of electronic signatures in the company’s business practices and the supremacy of one type of documentation (paper or electronic copies) over another for any given business function. Your company should declare in writing which document classes are controlled as electronic records, and which are controlled using paper copies as the primary documents. Standards should be adopted for updating and approving electronic documents and applying electronic signatures to them.
Furthermore, your company should develop and document policies regarding employee access and signature use within your system. Your company should be particularly clear about how employee access to your product data is assigned and removed. Employee hiring and departure should be specifically addressed. Keep in mind that an electronic system may be accessible from computer terminals outside your building, and therefore former employees may continue to have access to your product data if you do not decommission them appropriately. Your standard operating procedures should include a checklist of steps for assigning access when an employee is hired, and removing access and signature authority when an employee leaves your company.
4. Document your employees’ understanding that an electronic signature is equivalent to a handwritten signature for the purposes of your company business.
This agreement clarifies the employee’s understanding of electronic signatures and provides a legal record that their electronic signature is the legal equivalent of their handwritten signature.
Once your company has determined that electronic signatures will be used in daily business transactions, it is incumbent upon management to document that this use is well understood by the employees of the company. Typically this entails documenting the role of each user with respect to identity, system access, and agreement by the employee that his/her electronic signature will be considered legally equivalent to his/her handwritten signature.
It is a good business practice to verify the identity of each employee, link that identity to a person’s signature, and keep documentation of this information in the employee’s personnel file. In addition, your company is required to establish and adhere to “written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures in order to deter record and signature falsification.” In order to document both the policy and the employee’s understanding of said policy, companies typically draft and have each employee sign an electronic signature agreement. This agreement clarifies the employee’s understanding of electronic signatures and provides a legal record that their electronic signature is the legal equivalent of their handwritten signature.
5. Select an electronic system that meets both the security requirements of your company and those set forth by FDA regulations.
To effectively implement an electronic change management system, your company must be completely confident of the integrity of the change data and sign off process. As a result, carefully consider the security precautions enabled by the change management system you select. Does the system use a combination of user identifier, password and/or biometrics that you feel is secure? Do you have confidence that your data is safe from outside manipulation or alteration? If your data is accessible via the internet, is it encrypted? Do you have confidence that your data is backed up, easily retrievable, and easily accessible for audits, investigations and everyday use?
21 CFR Part 11 states the requirements for record authenticity, integrity, and confidentiality in detail. The crux of the requirements is control of user access to electronic data. When moving to an electronic change process, carefully evaluate how user access levels are set and maintained, and how user identity is verified.
Be sure that the people you want interfacing with your data are enabled to do their jobs efficiently and also prevented from inadvertently corrupting your data. Your electronic change process should provide a mechanism to prevent the modification of change data while a change order is being evaluated. It should provide a mechanism for allowing some users to simply view the change order, while others can comment, approve, or reject it. At all times, your company should feel certain that a change order moving through your system is as secure—or more secure—than a paper equivalent.
Making the Switch to Electronic Change Management
Moving to an electronic change management system can be accomplished in a cost-effective and timely manner. The move should significantly increase the visibility and efficiency of your change management process. It is an opportunity to communicate change order data throughout your company to all relevant stakeholders with the touch of a button. With appropriate forethought and planning, adopting an electronic change management system while meeting relevant federal regulatory requirements can be completely straightforward.
Many options for electronic change management exist in the market today. Review 21 CFR Part 11 and consider the five factors in this article before you select the electronic change management system that is right for your company.
Moving From Paper to Electronic Change Management Checklist
- Document existing change processes and map them to your new electronic system.
- Document your intent to use electronic records management and electronic signatures in a certification memo to the FDA.
- Create standard operating procedures (SOPs) regarding:
- Supremacy of electronic or paper documentation
- Use of electronic signatures by your company
- Employee access, including hiring and departure events
- Document employee understanding and acceptance of electronic signature policies through use of an electronic signature agreement.
- Assess data security and user authentication measures of your new electronic system.