These guidelines extend to the manufacturing, testing, packaging and distribution of medical devices. They set out the conditions under which regulators consider electronic signatures and electronic records to be trustworthy, reliable and equivalent to traditional handwritten signatures on paper. They define the conditions under which a medical device manufacturer (or a supplier) must operate to meet these requirements.
Medical device manufacturers don’t necessarily have to use electronic records and digital signatures, but if they do, it is mandatory that they comply with these regulations.
Key test instrument features for medical manufacturing in the era of Industry 4.0These regulatory requirements have existed for more than 20 years, but the rise of data-driven manufacturing and quality control processes typical of Industry 4.0 have heightened their importance.
One practical example is found with the instruments for leak and/or blockage testing. Such testing is a crucial quality assurance process for many elevated risk Class III medical devices. Test instruments have evolved to collect and analyze larger and more granular volumes of data to help optimize the test, boost quality, improve yield and reduce unexpected production downtime, as well as deliver proof of compliance.
How this test instrument data is secured, accessed and manipulated falls under the scope of 21 CFR Part 11 and the EMA’s Annex 11. Here are several key safeguard features that a modern test instrument should have to ensure it is compliant with these regulations:
Unique User IDs for the prevention of unauthorized / undocumented data accessUnique user profiles stored within the instrument, with user authentication that requires a unique password for each user, to limit access for specific functions to permitted users only. The ability to create unique user roles, and to define security parameters for each user, should be limited to a designated administrator.
This corresponds to the 21 CFR Part 11 requirements for an electronic signature that has two distinct identification components – an identification code and password – and for the system to be able to ensure only authorized access.
Audit / Activity LogsA non-editable Audit Log with restricted access that is independent of any authorized user and time-stamped directly corresponds with 21 CFR Part 11 requirements for a user-independent, time-stamped audit trail.
Comment tools on the instrumentAdministrators can force users to enter reasons and comments when any changes are made with the instrument. This is not specifically required under Part 11 or Annex 11, but it can provide an additional layer of security and add another degree of transparency to ensure all user actions are above board and defensible.
Exportable reportsTo balance security and accessibility, all reports – such as Test Result Data, Program Configuration, Instrument Setup, Audit/Activity Log – should be exportable in some non-editable fashion. A non-editable .pdf document is one example.
Long-term, secure data retentionPart 11 and Annex 11 guidelines require long-term data retention for easy retrieval and examination. Whatever the onboard capacity of the test instrument in question, there should be an easy and secure means to export and store data elsewhere as required.
Other standard administrator-level functions that will serve regulatory requirements include:
Configurable security precautions for administrators
- Password expiration days
- Max login attempts
- Inactivity timeout and expiration
Finding the right leak testing and function testing solution for your medical devicesWith medical device manufacturing, applying modern techniques to ensure compliance with regulatory requirements can have countless benefits on your line, including decreased scrap or rework costs and improved production efficiency.
Cincinnati Test Systems has decades of expertise in helping medical device manufacturers secure medical device leak testing solutions that fit their needs. Contact us to learn more about solutions specific to your application.