21 CFR Part 11 regulates electronic records and electronic signatures for medical devices. It aims to ensure data security and authentication of users. To comply, companies must validate electronic systems through qualification tests and risk assessments. They must also ensure strong authentication, such as passwords, along with audit trails to track changes to records. As remote work has increased, compliance with Part 11 is critical to secure electronic records and systems.

1. How to Comply with 21 CFR Part 11
By: Madison Wheeler
The FDApublished 21 CFR Part11 in1997 to regulateelectronicrecords and electronicsignatures.
Technology has advanced considerably since 1997, but the regulation still applies and is more
critical than ever. Due to the COVID-19 pandemic and most firms transitioning to remote work,
companies need to make sure that their system is compliant with the regulation. Once a QMS
record is scanned, uploaded to a server, or otherwise electronically stored it automatically falls
under the scope of 21 CFR Part 11 despite there also being a paper record.
The first step in working with an electronic system, and ensuring it is compliant, is to validate it.
Installation, operational, and performance qualification (IQ,OQ, and PQ) are utilized to ensure
that your system or software is installed correctly, can do what you intend it to do, and will
perform in the environment you intend to utilize it. Your approach to validation should be based
on a documented risk assessment, which should evaluate how your electronic system could affect
product quality and record integrity.1 In the case of storing, transferring, or otherwise using an
electronic system to manipulate QMS records, a full validation should be completed.
One of the largest components of Part 11 is data security. Securing your system, records, and
product information from intentional (or unintentional) adulteration forms the basis of Part 11.
As withmostsystemsweare used to, yourelectronicQMSshould authenticateusersbefore giving
access to the system, and it should also ensure that users can only access information that they
have permission to. The regulation itself is vague as pertains to how to comply with the
aforementioned, but password best practices should be utilized. Additionally, the agency
references ISO/IEC 17799 (Information Technology – Security Techniques) in their Part 11
Guidance. Before deploying any form of electronic record system in your QMS, you need to make
sure that user permissions and authentication is set up.2 This will tie into establishing audit trails
for traceability. You should be able to see which user manipulated what record, in what way, and
when.
The ultimate responsibility for Part 11 compliance always lies with the medical device firm.
Validation, set up, and maintenance of your electronic system should be unique to your firm and
how you utilize it. Especially with the boom in work from home, and the transition to remote
collaboration utilizing electronic systems, it is more critical than ever to ensure that your firm is
compliant with Part 11. EMMA International has a team of in-house experts that can help your
team comply with 21 CFR Part 11, call us at 248-987-4497 or email info@emmainternational.com
to get started today!
1 FDA (2003) Part 11, Electronic Records;Electronic Signatures – Scope and Application retrieved on 11/29/2020
from: https://www.fda.gov/media/75414/download
2 ISO (2005) ISO/EC 17799:2005 Information Technology – Security techniques – Code of practicefor information
security management retrieved on 11/29/2020 from: https://www.iso.org/standard/39612.html