FDA 21 CFR 11-820

This document summarizes key sections and requirements of 21 CFR Parts 820, 11, and their subparts related to quality system regulations and electronic records and signatures for medical device manufacturers. It provides an overview of 21 CFR Part 820 which establishes quality system requirements and good manufacturing practices that ensure medical devices are safe and effective. 21 CFR Part 11 establishes criteria for electronic records and signatures to be considered trustworthy, including security requirements for closed and open systems. Subparts define terms, scope of application, and controls for electronic records, signatures, and identity verification. The document explains important definitions and compliance implications.

FDA 21 CFR 820 - FDA's Quality System Regulation (QSR) for Medical Devices

21 CFR Part 820 is a set of regulations from FDA that outlines the current good
manufacturing practice (CGMP) requirements that medical device manufacturers in the
United States must follow with regard to their quality system. These CGMP requirements
ensure medical device companies establish a QMS (quality management system) that enables
the delivery of safe, effective, and compliant products.

As stated by FDA, 21 CFR Part 820 covers “the design, manufacture, packaging, labeling,
storage, installation, and servicing of all finished devices intended for human use,” including
the facilities and designs used for those processes.

21 CFR 820, though a dense document, lays out the medical device Quality System Regulation
(QSR) in a digestible way, so that manufacturers can interpret it and apply it to their own
specific device. The QSR consists of 15 subparts, ordered from big-picture questions about
scope to detailed rules about what manufacturers must do and when.

The very first section, Sec. 820.1 Scope, lays out the applicability, authority, and exemptions
involved. It explains the intention of 21 CFR Part 820 (“to ensure that finished devices will
be safe and effective”) and to whom it applies (“manufacturers of finished medical devices”).
Important to this latter point, it notes that manufacturers that only engage in parts of the
medical device manufacturing process only need to comply with relevant requirements.

This first section also establishes a rule that applies throughout the regulation: if a conflict
between regulations emerges, “the regulation specifically applicable to the device in question
shall supersede the more general.”

FDA conducts regular inspections to ensure QMS compliance. FDA uses the Quality System
Inspection Technique (QSIT) to evaluate the alignment of internal processes with regulatory
requirements. The stakes of compliance are clear. Violations will result in 483 Observations
and Warning Letters.

FDA 21 CFR 11

21 CFR Part 11 is divided into three subparts:

• The General Provisions section discusses the scope of the regulations, when and how it
should be implemented, and defines some of the key terms used in the regulations.
• The Electronic Records section sets forth the requirements for administration of closed
and open electronic record-keeping systems, then discusses signature manifestations and
requirements for establishing a link between signatures and records.
• The Electronic Signatures section is split into three parts: general requirements for
electronic signatures, electronic signature components and controls, and controls for
identification codes/passwords.

21 CFR Part 11: Subpart A—General Provisions


As the opening section of 21 CFR Part 11, Subpart A provides us with the who, what, where,
when, and why of the regulation. In three succinct sections, Subpart A of 21 CFR Part 11
establishes:
• The purpose of 21 CFR Part 11
• How 21 CFR Part 11 works
• The circumstances and settings in which, and the point at which, the regulation applies
• Definitions for the key terms used throughout the 21 CFR Part 11 regulation’s text

Sec. 11.1 Scope—The regulations in 21 CFR Part 11 set forth the criteria under which the
FDA considers records and signatures in an electronic format to be trustworthy, reliable, and
generally equivalent to paper records. 21 CFR Part 11 applies to records in electronic form
that are created, modified, maintained, archived, retrieved, and/or transmitted under any
records requirement set forth by the FDA.
While some examples are listed of agency-required records that are not subject to 21
CFR Part 11, quality management records are not among the exclusions. As soon as a
medical device company uploads any part of its quality management system to a computer,
it is subject to the requirements of 21 CFR Part 11. (This is a little-known fact that many
paper-based companies are not aware of.)

Sec. 11.2 Implementation—This section explicitly states that medical device companies can
use paperless record-keeping systems if they are in compliance with this regulation. Medical
device companies that wish to transmit electronic records to the FDA may do so if they
comply with this regulation and if the documentation they wish to submit is identified in
docket No. 92S-0251 as a type of submission that the agency accepts in electronic form.

Pay attention to the difference in definitions between closed systems and open systems. A
closed system is a record-keeping system where system access is controlled by persons who
are responsible for the content of electronic records on the system. In an open system, access
is not controlled by persons who are responsible for the contents of the electronic records on
the system.
This terminology should not be confused with “open source” or other uses of “open/closed”
as a descriptor. In this context, a closed system is one where the company keeps the records
only on its own hardware, accessible through its own internal network, while an open
system is one where a vendor offers record-keeping software through a license to the medical
device company and therefore controls access to the software and the records.

Sec. 11.10 Controls for closed systems—This section sets forth 11 separate and distinct
security management requirements for companies that wish to keep electronic records using a
closed software system:
• Validation, to provide proof that the data in a computer system can be trusted.
• Rendering Records, to ensure that all electronic records are provided in a readable format
that humans (not just computers) can understand.
• Document Storage & Record Retention, to safeguard documentation and keep it available as
long as needed.
• System Access, to ensure that only the right people have access to each computer system.
• Audit Trails, to provide a complete history of all electronic records, automatically captured
by the computer system.
• Workflows, to ensure computer systems function correctly.
• Authority Checks, to limit user access (system level and record level) and verify that the
users performing functions in the system are authorized to do so.
• Device Checks, to verify that equipment being used for regulated purposes is functioning
properly.
• Personnel Qualifications, to ensure that only trained and qualified people perform functions
on or within the system.
• Personnel Accountability, to hold individuals accountable for the integrity of their actions
related to electronic records and electronic signatures.
• Document Control for electronic records related to system operation and maintenance,
preserving the complete history of changes made to these documents.

The audit trail requirements in this section are similar to the document control requirements
of 21 CFR Part 820. Medical device companies must maintain appropriate control over
systems documentation, including revision and change control procedures to maintain an
audit trail that documents changes in the system. An audit trail ensures that every activity
which happens in the record-keeping system generates a record and can be reviewed later.

Sec. 11.30 Controls for open systems—Open systems typically mean that more people have
access to the record-keeping system, so the security requirements should be slightly more
comprehensive to help ensure that the records kept are accurate and reliable. This section
recommends that open systems are subject to the same 11 security requirements as closed
systems, along with any additional appropriate measures such as document encryption and
the use of digital signature standards to ensure the integrity and confidentiality of the records.

Sec. 11.50 Signature Manifestations—This section deals with how signatures should appear
on electronic records. The FDA expects to see the printed name of the signer, the date and
time that the signature was executed, and the meaning of the signature (approval, review,
authorship, etc.) subjected to the same controls as the records themselves and included on any
human readable form of the electronic record.

Sec. 11.70 Signature record/linking—A section so short, we can quote it:

Electronic signatures and handwritten signatures executed to electronic records shall be
linked to their respective electronic records to ensure that the signatures cannot be excised,
copied, or otherwise transferred to falsify an electronic record by ordinary means.

This means that medical device companies must use record-keeping software that tracks the
approval status of documents using secure attribution data. The system should not allow any
user with inadequate permissions to copy a signature from one document and attach it to
another.
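As an added example (not part of the original document, and not any vendor's product code), the following Python sketch shows one way a record-keeping system can implement the Sec. 11.50 manifestation (printed name, date/time, meaning) together with the Sec. 11.70 link, so that a signature copied onto a different record, or left on a record that was edited after signing, fails verification. It assumes a constructed signer registry with per-signer secret keys, and uses a keyed MAC as a stand-in for the digital signature standard the text mentions; every name and value below is a placeholder.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed signer registry: user id -> (printed name, per-signer secret).
# A real system would keep the secrets in a protected key store tied to the
# identity verification required by Sec. 11.100; these values are placeholders.
SIGNERS = {
    "jdoe": ("Jane Doe", b"constructed-secret-jdoe"),
    "asmith": ("Alex Smith", b"constructed-secret-asmith"),
}


def record_digest(record_id: str, content: str) -> str:
    """Hash of the record identity plus its exact content, so a signature is
    bound to one record in one revision state."""
    return hashlib.sha256(f"{record_id}\n{content}".encode()).hexdigest()


def sign_record(record_id: str, content: str, signer_id: str, meaning: str,
                signed_at: Optional[str] = None) -> dict:
    """Build the Sec. 11.50 manifestation (printed name, timestamp, meaning)
    and the Sec. 11.70 link: a MAC over the manifestation and record digest."""
    printed_name, key = SIGNERS[signer_id]
    manifestation = {
        "signer_id": signer_id,
        "printed_name": printed_name,
        "signed_at": signed_at or datetime.now(timezone.utc).isoformat(),
        "meaning": meaning,
        "record_digest": record_digest(record_id, content),
    }
    payload = json.dumps(manifestation, sort_keys=True).encode()
    link = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {**manifestation, "link": link}


def verify_signature(record_id: str, content: str, signature: dict) -> bool:
    """Recompute the link from the record as it exists now. Fails when the
    record changed after signing, when the signature was pasted onto a
    different record, or when any manifestation field was edited."""
    entry = SIGNERS.get(signature.get("signer_id"))
    if entry is None or "link" not in signature:
        return False
    _, key = entry
    fields = {k: v for k, v in signature.items() if k != "link"}
    if fields.get("record_digest") != record_digest(record_id, content):
        return False
    payload = json.dumps(fields, sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature["link"])


def render_manifestation(signature: dict) -> str:
    """Human-readable signature line for any printed or displayed copy of the record."""
    return (f"Signed by {signature['printed_name']} on {signature['signed_at']} "
            f"({signature['meaning']})")
```

Storing the returned dictionary alongside the record, and re-running verify_signature whenever the record is rendered or exported, is what makes the link tamper-evident rather than a mere annotation.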

21 CFR Part 11: Subpart C—Electronic Signatures

You can’t have electronic records without electronic signatures, and 21 CFR Part 11 makes
this abundantly clear in Subpart C. In three distinct sections, Subpart C establishes:
• Requirements for identity verification in electronic signatures
• Security controls for electronic signatures
• Guidance on the usage of logins and passwords

Sec. 11.100 General Requirements—This section sets forth some of the requirements for
personal accountability in electronic signatures that are central to this regulation. It requires
organizations to verify the identity of any individual who is assigned an electronic signature
on the system and that medical device companies who wish to use electronic signatures must
notify the FDA in writing by mail. The agency’s Rockville, MD address is provided.
Sec. 11.200 Electronic signature components and controls—The FDA wants electronic
signatures to use at least two identifying components—such as including an identification
code and a password. Electronic signatures should be assigned
to individual persons—not to groups or departments—such that each electronic signature can
only be executed by a single person to whom it is assigned and whose identity was verified in
compliance with this part. The FDA really wants to make sure that approval and review
signatures cannot be disputed once they are entered into the system.
Sec. 11.300 Controls for identification codes/passwords—21 CFR Part 11 requires special
security measures for the control of passwords. No two individuals should use the same
identification/password to access the system, and passwords should be changed periodically
to protect against password aging. Medical device companies must establish transaction
safeguards that prevent unauthorized use of passwords. Loss management procedures should
be established to ensure that compromised security tokens, cards or other devices are
deauthorized to prevent security breaches.

Key takeaways of 21 CFR Part 11


21 CFR Part 11 provides an opportunity for medical device companies to reap the
organizational benefits of paperless record-keeping systems. It also helps the FDA ensure that
when medical device companies use electronic record-keeping systems, that document
security and authenticity are adequately maintained.
While some may argue that regulations of 21 CFR Part 11 place an additional regulatory
burden on these companies, it’s important to note significant benefits can be derived from
implementing these electronic systems.
The FDA guidelines from Part 11 help establish accountability and traceability throughout
your documentation processes, by ensuring that:
• Access to electronic records is limited to authorized individuals
• Account sharing between individuals, groups or departments is not permitted
• Adequate security protocols are followed to ensure the integrity of passwords and login
credentials for all users
• Electronic signatures cannot be transferred or copied between documents
• Electronic signatures are certified to be the same as handwritten signatures, and that the
certification is mailed to the FDA
• Records are tracked through document controls and an audit trail that monitors changes and
discerns invalid or altered records
Medical device companies will benefit from embracing the regulations of 21 CFR Part 11
because it will serve as a catalyst in protecting the integrity and confidentiality of their
proprietary data.

HIPAA

The Health Insurance Portability and Accountability Act of 1996 was passed to create
national standards for the protection of sensitive patient health information from being
disclosed without a patient’s consent or knowledge.

Covered entities, meaning those that must comply with HIPAA rules, include:

Healthcare providers
Health insurance plans
Healthcare clearinghouses (companies that process nonstandard health information received
from another entity into a standard format)

HIPAA compliance is also required of business associates of a covered entity. That means if a
covered entity engages with another business to help it fulfill its activities and functions, that
associated business must also comply with HIPAA rules.

The three main HIPAA rules regarding Protected Health Information (PHI) in the US are:

The Privacy Rule (Part 164 Subpart E): This rule safeguards the privacy of an individual's
health information and gives patients control over how their personal health information is
used and disclosed, including the right to acquire a copy of their records.

The Security Rule (Part 164 Subpart C): This rule establishes national standards for the
security measures covered entities must take to protect electronic health information they
create, receive, use, or maintain.

The Breach Notification Rule (Part 164 Subpart D): This rule requires covered entities and
their business associates to provide notification if there is a breach of unsecured protected
health information.

HIPAA and GDPR share some common goals and principles, but they do have many
differences, and compliance with one does not necessarily mean you’ll be in compliance with
the other.

HIPAA and GDPR are both concerned with protecting the personal health information of
individuals and both regulations give people rights over the use of their data and their access
to that data.

They both also require organizations that process personal health data to create specific
safeguards for that data. Additionally, HIPAA and EU GDPR require organizations
processing personal health information to notify anyone who is affected in the event of a data
breach.

The biggest difference between HIPAA and GDPR is their scope.

The General Data Protection Regulation covers any organization processing personal data that
could be used to identify someone in the EU. HIPAA is limited to the covered entities that
process the Protected Health Information (PHI) we mentioned earlier.

But there are still a handful of other differences to note:

One of the biggest differences between the two regulations is GDPR’s inclusion of a “right to
be forgotten”. Essentially, this means that individuals have the right to have their data erased
by the organization controlling it, except under a limited number of specific circumstances.
HIPAA deals solely with Protected Health Information, while GDPR applies to any data that
could be used to identify someone, directly or indirectly.
The penalties for failure to comply with HIPAA can run up to $1.5 million per year, while
GDPR’s fines can reach 4% of global revenue or up to €20 million.
In the US, sponsors of a medical device clinical trial will need to abide by all three of the
HIPAA rules (Privacy, Security, Breach Notification), but the Privacy Rule has the most
immediate impact on research.

The Privacy Rule defines research as “a systematic investigation, including research,
development, testing, and evaluation, designed to develop or contribute to generalizable
knowledge.” When it comes to research, the Privacy Rule is meant to protect health
information that could identify individuals while also making sure that researchers can access
the data they need.

In practice, this means there are instances where a covered entity may use or disclose PHI
without authorization by the individual.

For instance, this can occur when the covered entity receives approval from an Institutional
Review Board (IRB) or Privacy Board. The Department of Health and Human Services
provides a full list of the specific situations in which the covered entity may use or disclose
PHI without authorization.

Just remember that in the US, regulations around personal data in clinical trials are not
limited to HIPAA. The HHS and FDA’s Protection of Human Subjects Regulations have
provisions that are separate from those of the Privacy Rule, but must still be followed when
carrying out research with human subjects.

According to the GDPR, clinical trial sponsors can be categorized as both a processor and a
data controller. This is because a clinical trial operation includes data not only from subjects,
but also personnel, sales, and sub-contractors.

This means there are a number of different obligations that MedTech companies must fulfill
when conducting clinical trials in the EU, including:

GDPR states that a clear and documented consent must be acquired from all data subjects in
order to process their information. Such consent is not new to the industry, and in most cases,
a trial subject is asked to sign an informed consent before initiating any data collection.
Medical device companies, or clinical trial sponsors, must now identify the data to be
processed, where it will be transferred to, who is processing it, what it will be used for, and
which risks are involved. All of which must now be included in a separate informed consent
(not the protocol-specific consent).
Organizations that process and manage clinical trial data must now conduct data impact
assessments (DIA) on both electronic and hard copy data. A data impact assessment should
cover what the data is used for, how it’s managed, and what action is needed to mitigate any
risks.
Sponsors are also required to appoint a Data Protection Officer (DPO), who shall take part
in managing and documenting many of the activities that surround data and information
processing. In addition, the DPO will also act as the main interface to the company if there
are any data breaches or inbound inquiries. The DPO can either be an external hire or a
current employee whom you train for the role.
Like HIPAA, GDPR does provide some exemptions regarding provisions such as the right
to be forgotten in certain cases. For instance, clinical trial data is considered “special data”,
because processing of such data is necessary for research-specific purposes.
This is because clinical data cannot simply be removed or transferred from a dataset
without affecting the audit trail or the statistical outcome. Subjects can, however, choose to
withdraw their consent to prevent any additional data collection.
