Regulatory Open Forum

  • 1.  21 CFR 11: Are "non-significant risk" devices included?

    Posted 13-Jun-2022 22:52
    Someone told me that only significant risk devices are bound to 21 CFR Part 11 and that anything that doesn't have a Significant Risk determination does not need to comply. Is this accurate? 

    Section 11.1 Scope:

    "This part applies to records in electronic form that are
    created, modified, maintained, archived, retrieved, or
    transmitted, under any records requirements set forth in
    agency regulations. This part also applies to electronic
    records submitted to the agency under requirements
    of the Federal Food, Drug, and Cosmetic Act and the
    Public Health Service Act, even if such records are not
    specifically identified in agency regulations."

    The way I read this, it means that the regulatory framework applies to ALL electronic records that are used for regulated purposes. None of that says anything about "significant risk" or "not significant risk". So if we had a non-significant risk investigational device that was subject to submitting stuff to the FDA, that would still be bound to Part 11. 

    Can anyone provide clarification on this? I can't imagine the applicability is "risk based". 



    ------------------------------
    Tamiko Eto
    Research Compliance and IRB Manager
    Oakland, CA
    United States
    ------------------------------


  • 2.  RE: 21 CFR 11: Are "non-significant risk" devices included?

    Posted 14-Jun-2022 01:01
    Hello Tamiko,

    Yes, 21 CFR Part 11 applies to all classes or forms of medical devices where the intent is to have electronic records and/or electronic signatures.  Just note Part 11 was/is intended for documents received by FDA as part of submissions and record retention under a quality management system.  There are different aspects and context which should be considered.  In addition, Part 11 applies to medical devices, pharmaceuticals, biologics, and others as the regulation is broad across many different products regulated by the FDA.

    ------------------------------
    Richard Vincins ASQ-CQA, MTOPRA, RAC
    Vice President Global Regulatory Affairs
    ------------------------------



  • 3.  RE: 21 CFR 11: Are "non-significant risk" devices included?

    Posted 14-Jun-2022 09:51
    Edited by Lucas Fernandez 14-Jun-2022 09:53
    I think the question may be coming up due to recent presentations and communications from FDA regarding computer system assurance (CSA). It is meant to be a risk based approach to the effort and documentation used for computer systems which are part of the QMS and therefore are electronic records. USDM provides a nice summary here: https://usdm.com/resources/blogs/qa-csv-csa-and-why-the-paradigm-shift

    21 CFR Part 11 has been around a long time with the guidance published in 2003. You are correct in that it does speak to a risk based approach for its application. I would certainly not advocate using a spreadsheet with no audit trail for your NSR record keeping but there are many modern software tools that will naturally meet a lot of the Part 11 requirements if not all of them out of the box.

    ------------------------------
    Lucas Fernandez
    Director, Medical Devices Compliance
    Broomfield CO
    United States
    ------------------------------



  • 4.  RE: 21 CFR 11: Are "non-significant risk" devices included?

    Posted 14-Jun-2022 10:23
    The discussion on risk-based approach (thinking) continues to create confusion across the industry and manufacturers need to understand the difference between the risk-based approach (used in the Quality Management System) vs. Risk Management (used in product development). The risk-based approach is used to determine the level of risk in what you are doing. In this case, what is the risk that electronic records could be a problem (data integrity, unauthorized changes, loss of the record, inability to read a record, unauthorized approval or lack of approval, etc.). All systems will have some risk, but this should be reduced to an acceptable level through system validation. However, the type of record and the decisions made from those records have different levels of risk. Consider that the use of Office 365 applications (MS Word, MS PowerPoint) may have a lower risk if saved to a limited access directory than if they are saved to a completely open directory (risk of loss or someone changing it reduced through the limited access). Having an electronic system with a full audit trail reduces this further (although small company (1-2 people total have access) vs. large company (5-10 people have access) may be another input).  Records being used for product release verification also have a different level of risk than those being used for other in-process data--you need to treat them according to the associated risk. You can also see though that this risk can be associated with the product since you can readily understand an example of product release records for a sterile implantable product has a higher risk level than a non-sterile instrument. So you can't just rely on product risk but consider all the risk associated.

    Remember, the risk-based approach is also being used by FDA as they consider the risk associated with the observation in determining their response (official action or voluntary). The risk-based approach is everywhere and is not new. Consider risk by asking, "what could happen if....?"

    ------------------------------
    Regards,
    Mark Swanson, ASQ CBA, CMQ/OE, CQE ASQ, MBA
    Becker MN
    United States
    ------------------------------



  • 5.  RE: 21 CFR 11: Are "non-significant risk" devices included?

    Posted 14-Jun-2022 11:45
    Hello Tamiko,

    To provide a "simple" answer, if a regulation requires you maintain a specific record, and you are doing so using an electronic format as your primary / original documentation, then you must meet FDA Part 11 requirements for the document and the system in which the document is stored.

    You are right that there is no risk basis attached to whether or not you have to meet Part 11 requirements in this type of scenario.  

    If you are using electronic systems to manage, record, store, and/or submit the regulatory-required records, reduction in the risk in regard to loss, unintended changes, etc., for those records always applies.  You need procedures which reduce that risk as low as possible which leads to business continuity and disaster recovery (duplicate servers, server access security, etc.), and best practices in IT (security, access controls, etc.).

    I think there is some confusion here as to "significant risk device" vs a data/document management system used to record, store, submit (etc.) required records.  The person you talked to seems to be thinking about an actual medical device such as a heart monitor or other device as these are classified as significant risk or not.  In all my years, I have never seen a data/document management system classified by risk.  Richard Vincins' response seems to call this out as well.

    ------------------------------
    Barbara Rusin
    GxP Consultant
    Eastpointe MI
    United States
    ------------------------------



  • 6.  RE: 21 CFR 11: Are "non-significant risk" devices included?

    This message was posted by a user wishing to remain anonymous
    Posted 14-Jun-2022 15:48

    To provide a different perspective, I have often seen software (design automation, manufacturing software, inspection software, doc control, traceability controls, label controls, etc) be carefully analyzed for risk.  If the software malfunctions, what happens (patient harm? traceability loss?).  Are there downstream controls to catch these errors or not?

    The extent of validation can and (in my opinion) should be adjusted commensurate with the risks associated with software malfunction, misprogramming, potential user misuse/confusion.  This allows the appropriate focus of always limited resources on the software with highest risk, and a lower degree of validation (or no validation if properly analyzed) for software with minimal/no risks.

    TIR 36 provides a nice framework for such an assessment.


  • 7.  RE: 21 CFR 11: Are "non-significant risk" devices included?

    Posted 14-Jun-2022 12:49
    When Part 11 was originally promulgated in 1997, it didn't clearly provide for a risk-based discretionary approach.  Consequently, Part 11 was interpreted strictly by way of the 11.1 scope narrative you've quoted.  But by 2003, FDA had received enough ongoing public objection that FDA softened its stance and introduced a risk-based approach by way of the enforcement discretion detailed in this FDA guidance document.

    For example, FDA via that enforcement discretion aims to permit certain risk-based thinking in association with Part 11's requirements for validation, audit trails, and record retention.  So, it is by way of that 2003 guidance document and its related enforcement discretion (which remains in place today) that FDA in fact permits firms to apply a risk-based approach to their Part 11 compliance tactics.

    That said, I wouldn't generally characterize such a risk-based approach to simply boil down to meaning "only significant risk devices", nor to just meaning anything that doesn't have a "Significant Risk" determination.  Those labels could be overgeneralizations or oversimplifications of the dynamics of the risk-based approach.  For example, it could be sensible to apply Part 11 for a moderate risk scenario.  And while it can be said that the risk-based approach allows us to commensurately calibrate our Part 11 efforts, I wouldn't say it means that low-risk scenarios are exempt from Part 11.

    The particular risk-based approach and tactics for a given scenario can be subject to interpretation.  Consequently, you'll need to carefully study and interpret the aforesaid 2003 guidance document for yourself so that you can tailor a risk-based approach that is appropriate for your particular case.


    ------------------------------
    Kevin Randall, ASQ CQA, RAC (U.S., Europe, Canada)
    Principal Consultant
    Ridgway, CO
    United States
    © Copyright 2022 by ComplianceAcuity, Inc. All rights reserved.
    ------------------------------