Hello Tamiko,
To provide a "simple" answer, if a regulation requires you maintain a specific record, and you are doing so using an electronic format as your primary / original documentation, then you must meet FDA Part 11 requirements for the document and the system in which the document is stored.
You are right that there is no risk basis attached to whether or not you have to meet Part 11 requirements in this type of scenario.
If you are using electronic systems to manage, record, store, and/or submit the regulatory-required records, reduction in the risk in regard to loss, unintended changes, etc., for those records always applies. You need procedures which reduce that risk as low as possible which leads to business continuity and disaster recovery (duplicate servers, server access security, etc.), and best practices in IT (security, access controls, etc.).
I think there is some confusion here as to "significant risk device" vs a data/document management system used to record, store, submit (etc.) required records. The person you talked to seems to be thinking about an actual medical device such as a heart monitor or other device as these are classified as significant risk or not. In all my years, I have never seen a data/document management system classified by risk. Richard Vincens' response seems to call this out as well.
------------------------------
Barbara Rusin
GxP Consultant
Eastpointe MI
United States
------------------------------
Original Message:
Sent: 13-Jun-2022 22:52
From: Tamiko Eto
Subject: 21 CFR 11: Are "non-significant risk" devices included?
Someone told me that only significant risk devices are bound to 21 CFR Part 11 and that anything that doesn't have a Significant Risk determination does not need to comply. Is this accurate?
Section 11.1 Scope:
"This part applies to records in electronic form that are
created, modified, maintained, archived, retrieved, or
transmitted, under any records requirements set forth in
agency regulations. This part also applies to electronic
records submitted to the agency under requirements
of the Federal Food, Drug, and Cosmetic Act and the
Public Health Service Act, even if such records are not
specifically identified in agency regulations."
The way I read this, it means that the regulatory framework applies to ALL electronic records that are used for regulated purposes. None of that says anything about "significant risk" or "not significant risk". So if we had a non-significant risk investigational device that was subject o submitting stuff to the FDA, that would still be bound to Part 11.
Can anyone provide clarification on this? I can't imaging the applicability is "risk based".
------------------------------
Tamiko Eto
Research Compliance and IRB Manager
Oakland, CA
United States
------------------------------