But this isn’t the wild west. Contract manufacturers in the medical device space must comply with complex regulatory requirements—namely, the US Food and Drug Administration’s Title 21 CFR Part 11, as well as the European Medicines Agency’s comparable Annex 11.
These guidelines extend to the manufacturing, testing, packaging, and distribution of medical devices, and include stringent documentation and audit requirements.
Generally speaking, these guidelines set out the conditions under which regulators consider electronic signatures and electronic records to be trustworthy, reliable, and equivalent to traditional handwritten signatures on paper. They define the conditions under which a medical device manufacturer (or a supplier in the supply chain) must operate to meet these requirements if electronic records and signatures are being used in lieu of paper records and handwritten signatures.
Medical device manufacturers don’t have to use electronic records and digital signatures, but if they do, the requirement to be compliant with these regulations becomes mandatory.
The Impact of Industry 4.0
While 21 CFR Part 11 and EU Annex 11 have existed for more than 20 years, the rise of data-driven manufacturing and quality control processes typical of Industry 4.0 has heightened their importance.
Modern data analytics platforms and off-the-shelf data collection and management tools have become far less costly and difficult to implement in recent years. The ease of adding more integrated, standardized, and centralized data collection and analysis capability to the production line has raised the stakes for manufacturers. If their competitors are making these Industry 4.0 investments, and reaping the benefits, they must, too.
One practical example is found with the instruments for leak and/or blockage testing. Such testing is a crucial quality assurance process for many elevated-risk Class III medical devices. In keeping with the Industry 4.0 trend, test instruments have evolved to collect and analyze larger and more granular volumes of data. This is meant to help optimize the test, boost quality, improve yield, and reduce unexpected production downtime, as well as deliver proof of compliance, both with any regulatory requirements and with a customer’s specifications.
With lives literally on the line, what medical device manufacturer would not want to pull more insight from a leak or blockage test if the result is a faster and more reliable pass/fail determination? This can only serve to bolster its standing with customers with a higher standard of quality and dependability.
How this test instrument data is secured, accessed, and manipulated falls under the scope of 21 CFR Part 11 and EU Annex 11, which raises the fundamental question: What capabilities must a modern test instrument with enhanced data collection and reporting capabilities have to ensure it is Part 11 and Annex 11 compliant?
Contract manufacturers that wish to invest in a smarter and more insightful test instrument should consider the following:
Unique User IDs to Prevent Unauthorized/Undocumented Data Access
Can unique user profiles be stored within the instrument, with user authentication that requires a unique password for each user? The intent is to limit access to specific functions to permitted users only, and to reserve for a designated administrator the ability to create unique user roles and define security parameters for each user.
This corresponds to the 21 CFR Part 11 requirements for an electronic signature that has two distinct identification components—an identification code and password:
“…electronic signatures to be unique to one individual” by “employing at least two distinct identification components such as an identification code and password” and “maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.”
And that the system can ensure only authorized access, as stated in 21 CFR Part 11:
“Use authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.”
An Audit/Activity Log
Is there a non-editable Audit Log with restricted access that is independent of any authorized user and time-stamped? 21 CFR Part 11 requires such a user-independent, time-stamped audit trail.
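One way to make such a trail tamper-evident, shown as an added example that is not taken from the article or from any particular instrument: each entry is time-stamped by the system clock and chained to the previous entry by a SHA-256 hash, so a later edit or a truncation is detectable. The names `AuditTrail`, `record`, `export` and `verify`, and the sample users and actions, are hypothetical.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" used by the first entry
FIELDS = ("seq", "ts", "user", "action", "reason", "prev")

def _digest(entry):
    # Hash every field except the stored hash itself, in a canonical order.
    body = json.dumps({k: entry[k] for k in FIELDS}, sort_keys=True)
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

class AuditTrail:
    """Append-only log: there is deliberately no edit or delete method."""

    def __init__(self):
        self._entries = []

    def record(self, user, action, reason=""):
        # The timestamp comes from the system clock, never from the caller.
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        entry = {"seq": len(self._entries),
                 "ts": datetime.now(timezone.utc).isoformat(),
                 "user": user, "action": action, "reason": reason, "prev": prev}
        entry["hash"] = _digest(entry)
        self._entries.append(entry)
        return entry["hash"]  # head hash: keep a copy off the instrument

    def export(self):
        return json.loads(json.dumps(self._entries))  # detached copy

def verify(entries, head=None):
    """Return the index of the first inconsistent entry, or None if intact.
    With `head` (the last hash, stored elsewhere) truncation is caught too."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev or e["hash"] != _digest(e):
            return i
        prev = e["hash"]
    if head is not None and prev != head:
        return len(entries)
    return None

if __name__ == "__main__":
    trail = AuditTrail()  # constructed sample events
    trail.record("op_jane", "login")
    head = trail.record("admin_li", "edit_program", "constructed reason text")
    print(verify(trail.export(), head))
```

A hash chain only shows that the log was altered; it does not stop someone who can rewrite the whole file from recomputing every hash, which is why the head hash has to be kept somewhere instrument users cannot write to.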
Instrument Edit Comments
Administrators can force users to enter reasons and comments when any changes are made with the instrument. This is not specifically required under Part 11 or Annex 11, but it can provide an additional layer of security and assurance, and adds another degree of transparency to ensure all user actions are above board and defensible.
It should be possible for all reports—such as Test Result Data, Program Configuration, Instrument Setup, Audit/Activity Log—to be exported in some non-editable fashion. A non-editable .pdf document is one example. This ensures data security, while at the same time, making that data accessible and usable across the organization.
Data Retention and Security
Part 11 and Annex 11 guidelines require long-term data retention for easy retrieval and examination. Whatever the onboard storage capacity of the test instrument in question, there should be an easy and secure means to export and store data elsewhere as required, whether that is by network communication, USB flash drive, or some other method.
Administrator Configurable Security
Other standard administrator-level functions to look for include:
- Password expiration days
- Max login attempts
- Inactivity timeout and expiration
This meets the 21 CFR Part 11 requirement that “password issuances are periodically checked, recalled, or revisited.” In addition, testing process sequences, as defined by the type of test being performed, should be strictly controlled and only modifiable by an authorized administrator.
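How the three administrator settings listed above interact at login time, as an added example that is not from the article or any vendor's firmware: the class and function names, the default values and the sample accounts are all hypothetical, and "inactivity timeout and expiration" is read here as a single idle-session limit.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass(frozen=True)
class SecurityPolicy:
    # Administrator-set values; these defaults are assumptions for the example.
    password_expiration_days: int = 90
    max_login_attempts: int = 3
    inactivity_timeout: timedelta = timedelta(minutes=15)

@dataclass
class Account:
    user_id: str
    password_set_at: datetime
    failed_attempts: int = 0
    locked: bool = False
    last_activity: Optional[datetime] = None

def login(acct, password_ok, now, policy):
    """Return 'ok', 'denied', 'locked' or 'password_expired'."""
    if acct.locked:
        return "locked"  # stays locked, even with the right password
    if not password_ok:
        acct.failed_attempts += 1
        if acct.failed_attempts >= policy.max_login_attempts:
            acct.locked = True  # only an administrator should clear this
            return "locked"
        return "denied"
    acct.failed_attempts = 0
    age = now - acct.password_set_at
    if age >= timedelta(days=policy.password_expiration_days):
        return "password_expired"  # no session until the password is changed
    acct.last_activity = now
    return "ok"

def session_active(acct, now, policy):
    """False once the session has been idle for the configured timeout."""
    idle_from = acct.last_activity
    if idle_from is None or now - idle_from >= policy.inactivity_timeout:
        acct.last_activity = None  # force a fresh login
        return False
    return True

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 8, 0)  # constructed sample data
    acct = Account("op_jane", password_set_at=t0)
    print([login(acct, False, t0, SecurityPolicy()) for _ in range(3)])
```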
The need and desire to collect and analyze greater and more granular volumes of process and test station data from the production line has long been a holy grail for manufacturers in many verticals. As the technology to do so has become more powerful and intelligent, and less costly and complex to deploy, manufacturers find themselves in something of an arms race with their competition.
This includes competitors in the medical device manufacturing industry. But any such investments in this domain must abide by the regulatory requirements laid out by the U.S. Food and Drug Administration’s Title 21 CFR Part 11 and the European Medicines Agency’s Annex 11.
The need to comply with these regulatory requirements should be considered with any purchase of a modern leak test instrument with enhanced data collection and analysis capability. In fact, the checklist included in this article could be used in the due diligence process for most any process or test instrument on the line that generates data that must be secured.
For the contract manufacturer, the benefits of making more effective and widespread use of such production data typically outweigh the headaches of the added regulatory burden that it incurs. The manufacturer gains a sharper competitive edge by improving the efficiency and yield of its production line, and by boosting the standard of quality and assurance it can deliver to its customers.
David Kralovetz has served as the primary medical device market specialist for Cincinnati Test Systems for over a decade. He directs the design and development of products used for leak, flow, and functional testing of medical devices, and provides application assistance and global support coordination for major medical device manufacturers.