Four Lessons Learned: Managing 21 CFR Part 11 Compliance For Medical Devices

A new wave of medical device manufacturers is looking at ways to leverage the mobile health space, but that doesn't come without regulatory challenges.

A new wave of medical device manufacturers is looking at ways to leverage the mobile health space. The idea is to combine medical devices with the computing power of smartphones to increase the functionality of these devices and extend their value.

Of course, those innovations come with design considerations, including regulations such as 21 CFR Part 11, 45 CFR 164, ISO 27k, and DPA. Quality assurance, regulatory affairs, and validation processes are sometimes overlooked by manufacturers when it comes to competitive advantage, but they can help deliver better performing products.

Numerous apps are available to assist healthcare providers and patients with important tasks like information and time management, health record maintenance and access, communications and consulting, reference and information gathering, patient management and monitoring, clinical decision-making, and medical education and training.

AgaMatrix was one of the first medical device companies to link its blood glucose meter to smartphone technology so patients could monitor blood sugar, chart activity and allow transfer of data to their smartphone—allowing all pertinent information to be shared with healthcare providers, family, personal trainers, and friends.

White label opportunities

Although more progressive doctors recognize the opportunities technology offers for better care, many are still resistant to change. One way around this is to white label products to get them into patients’ hands. This approach has been very successful for AgaMatrix, with white-labeled blood glucose meters sold commercially at almost every major retailer, including Target, Amazon, and CVS. With several new products in the works, they have looked to not only build smart medical devices, but to create an ecosystem of innovative solutions.

AgaMatrix has experienced rapid growth over the past few years, expanding from 70 to more than 500 personnel. One challenge has been managing the transformation from manual processes to automated ones while remaining in compliance with all regulations. According to Frost and Sullivan, the cost of complying with 21 CFR Part 11, which establishes the Food and Drug Administration (FDA) regulations on electronic records and electronic signatures (ERES), varies from $5 million to $400 million, depending on a company’s size and current systems. Here are the lessons learned along the way.

Lesson 1: Risk assessments and the role of the PLM

Conducting a risk assessment should always be a device manufacturer’s first step, and it should include understanding the current good manufacturing practices as mandated by the FDA. Device manufacturers are required to record, track, manage, store, and easily access various production documents and their detailed change history, including engineering change orders (ECOs).

It’s vital to figure out which systems are paper-based or not compliant. You must analyze each system to determine its risk and how much it would cost to convert the paper system to an electronic one. During an evaluation, the team at AgaMatrix realized that rather than using several single-purpose products, it could do everything necessary to comply with CFR Part 11 with product lifecycle management (PLM) software.

PLM software like Omnify handles ECOs and manages electronic documents; it also stores technical feasibility studies, engineering source code, release notes, product images and audit requirements. The system also assists the team with providing access to engineering drawings to suppliers and contract manufacturers. With the proper permissions, outside parties can easily access bills of materials, product documentation, and testing scripts. PLM software is configured to access the corporate website to be able to manage where medical claims can be filed. The PLM software is helping with compliance by properly tracking electronic signatures, providing electronic audit trails/history tracking, security controls, and reporting.

Lesson 2: Software validation

All software used to design medical devices must be validated to ensure it’s in compliance with all appropriate regulations, and all validation results must be carefully tracked. One of the first things a project manager does on a new project is to see what software is available for use (i.e., already validated). This list is available within the PLM system.

If the project requires software that has not yet been validated, the project manager can easily check the PLM system to see what testing is needed for the software to be validated. The project manager can initiate the validation project within PLM so that IT can refer to it and tracking of the validation process can begin.

Lesson 3: International regulations

To maintain CFR Part 11 compliance for devices sold internationally, regulations must be addressed for multiple countries. Omnify PLM software manages multiple global locations and a variety of country-specific regulations. Device manufacturers must pay attention to European and US certifications such as CE Mark and GS Mark, in which the TÜV (the German Technical Inspection Association) and FDA come in to conduct compliance audits. In addition, security audits for ISO 2001 compliance, penetration testing of the cloud environment, and the user space should be analyzed. All smartphones and tablets used to connect medical devices to the cloud must be tested to ensure they comply with the UK’s Data Protection Act.

Many countries have strict laws around data and where it resides. For instance, France insists on an approval process for data leaving the physical confines of the country unless it is through a preapproved vendor such as Microsoft Azure or Amazon Web Services.

From a fifty-thousand-foot perspective, it seems relatively simple to ensure one is creating a safe, quality medical device. The reality is that companies must ensure all country-specific and local standards are being met. Companies often need to work with several external auditors and legal counselors to ensure compliance is achieved in every jurisdiction. PLM helps ensure all regulations are met and tracked throughout the product lifecycle. Audits can be completed with ease.

Lesson 4: New workflows

PLM software helps create new electronic workflows for a device manufacturer. For example, rather than holding a team meeting to discuss what needs to happen with an ECO, the team may simply rely on the software to provide them with the details they need to sign off.

In general, this is a positive change. However, it’s important not to do away with so much human interaction that relationships between co-workers or departments are affected.

In addition, just because multiple reviews can be specified for a particular ECO doesn’t mean it’s a good idea. It’s important to find a balance between efficiency and thoroughness. Keep reviews to an efficient number, and make sure one person has the authority to look at every department’s ECOs and make the final decision.

As with any major software implementation, it’s critical to review all processes to see which are working, which need to be adjusted, and which need to be eliminated once the teams are up and running on the system. For example, even though Microsoft Word is used during projects, it doesn’t need to be validated for the device to be in compliance. Similarly, there may be processes that are essentially holdovers from paper-based systems that can be eliminated, as well as some system-based processes that don’t add value.


The time savings achieved from moving from a paper-based compliance system to a PLM are enormous, allowing AgaMatrix to grow rapidly without compromising quality and ensuring all products remain in full compliance with regulations. However, their team learned the importance of encouraging collaboration between individuals and teams, even as processes changed and frequent interaction became less necessary.

Marlee Rosen is a Research Analyst at Rosen Associates.