Last week, the FDA released a guidance doc on Electronic Systems, Electronic Records, and Electronic Signatures for Clinical Investigations. 🧐
When the world went remote, MedTech learned about 21 CFR Part 11 – Electronic Records & Signatures.
(And I bought an Aeron Chair look-alike…)
Part 11 isn't new - it actually came out back in March of '97...
It’s an FDA requirement for electronic signatures to include (Sec. 11.50):
💥 Printed name of the signer
💥 Date and time when the signature was executed
💥 The meaning (such as review, approval, responsibility, or authorship) associated with the signature.
(Etienne, that doesn’t seem so bad!)
I know, I thought the same thing – and then I read Section 11.100 & 11.200:
1. Before an organization sanctions an individual's electronic signature the organization shall verify the identity of the individual.
(Ok, makes sense)
2. Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system are intended to be the legally binding equivalent of traditional handwritten signatures.
(Wait what? Before you sign anything off this way, you have to CERTIFY TO THE FDA that you plan to sign things off this way? Yep.)
3. Persons using electronic signatures shall, upon agency request, provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer's handwritten signature.
(Have you told your employees that “legally binding” part?)
4. Electronic signatures shall: Employ at least two distinct identification components such as an identification code and password.
(I guess this means that screenshot of my handwritten signature I just copied & pasted is probably a no-go…)
5. Electronic signatures shall: Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.
(Yep, definitely no copy/paste action…)
Essentially... It has to be REALLY hard for someone to sign for anyone else – because that signature is legally binding.
As an employee, you should WANT it to be difficult for someone else to sign off using your name, because in a product liability case (if a patient gets hurt and sues your company), approvers of documents could be called into court – and that could be YOU.
This is from the Part 11 Guidance Document (link in the comments): “…when persons choose to use records in electronic format in place of paper format, Part 11 would apply.”
If you're storing “controlled” docs in Sharepoint, Google Drive, Dropbox, or a server with no hard copy backup… You're subject to Part 11.
Validating those tools... just google "IQ/OQ/PQ."
Most MedTech companies are better off buying a Part 11-compliant system.
I like tools built for what I do (like an ergonomic chair, instead of waiting for signs of spinal dysfunction).
www.greenlight.guru
Biomedical Engineer | Medical Device QARA | QMS - ISO 13485 Lead Auditor | Design Controls, DHF, Risk, Usability, SaMD
Thanks for the post, Etienne Nichols. Can we also say DHF is a subset of DMR/Medical Device File?