Inherent in the decision to use any medical device is the belief that it will perform as intended and that it will provide a therapeutic benefit while posing minimal risk to the user. Our belief in the safety and efficacy of devices is rooted in the rigorous regulatory review processes required to approve new devices. Manufacturing systems should be able to mass-produce products that deliver the same quality and efficacy of the approved product.
Think about the types of medical devices used and how people rely on them. Devices like these are used in the millions every day, with each reliant on the demonstrable, repeatable quality and durability of the manufacturing processes that produce them:
- Infusion pumps
- Glucose meters
- Catheters—IV tubes
- Syringes and injection pens
- Controlled-dose inhalers
The trust of regulators and consumers in manufactured medical devices is primarily based on accumulated data that demonstrate the consistency and repeatability of manufacturing processes. This is why data integrity—the primary focus at the center of FDA's Code of Federal Regulations (CFR) Title 21 Part 11—is so important. To strengthen the foundation of trust, data must be entirely authentic, free of the threat of manipulation or fear of loss, so that the people, processes, and organizations whose work is reflected in the data can be trusted or held accountable.
Because defects of any medical device can directly affect human health, FDA and other global regulators demand that each medical device being manufactured is uniquely traceable, again by way of data whose integrity is unquestioned. This increased demand for traceability applies to all forms of data such as data that provides a complete audit trail and data that can trace finished devices—by lot or individually—to their component parts and manufacturing activities/operations, right down to the day, time, and operator in charge.
Along with data integrity comes data security. The need for increased data security is reflected by our reliance on digital transformation in factories, homes, and products, plus the constant threat or risk of data corruption, theft, or loss. Thus, it is also essential that high-integrity data be safeguarded not only during its creation and storage but also through features that limit access and ensure complete, secure data transfer from the point of manufacture to remote global locations for use by corporate systems or global regulators.
Key Facts on Cybersecurity and FDA 21 CFR Part 11
Addressing these twin challenges—data integrity and data security—required Emerson’s software development team to take a fundamentally new view of the position and role of automated ultrasonic welding equipment. We determined that in order to meet data security and integrity challenges, our software upgrades would have to provide security features modeled on those of typical “front-line” IT equipment—computers and servers exposed directly to the internet. Historically, welding equipment, like other manufacturing tools, has not had data integrity and security safeguards in place.
Addressing these two concerns is at the core of our recent product strategy, which included two major software upgrades to Emerson’s Branson GSX-E1 ultrasonic welding platform. The first upgrade makes Branson GSX-E1 welders capable of supporting 21 CFR Part 11 standards for data integrity, which includes validating users for system security and creates audit trails for the identification of manipulated data as well as the ability to satisfy FDA traceability requirements. The second major software upgrade provides encryption technology that ensures the integrity of data transfers from welders on the manufacturing floor to local or remote enterprise quality management systems. Additionally, the welder is capable of authenticating who is requesting data. This ensures that the data is coming from a reliable source (the welder) and that the welder is not sending data to an unidentified fraudulent attacker.
It is up to medical device companies to demonstrate and validate achievement of 21 CFR Part 11 compliance, and the capabilities provided in this software upgrade enable users to ensure integrity of their data, complete and unchanged, from every welder on the manufacturing floor.
The first of the two software upgrades provides four essential components that make systems 21 CFR Part 11 capable:
- Enhanced welder security. The upgraded software provides a new user login with an automatic feature that locks access to the welding system and its data if any user makes four unsuccessful login attempts. There is also the added benefit that the software will enforce passwords to be changed after a user-configurable amount of time. And finally, all new users are required to create a new password upon logging into the system for the first time.
- Multilevel user authorization. The new software enables the GSX-E1 welder to support four levels of user authority and access—Executive, Supervisor, Technician, Operator—for an unlimited number of unique system users. Supervisor and Technician users may create, access, and manage validated production recipes within a change-controlled production database, enabling authorized operators to access the current versions of validated recipes to meet production welding requirements.
- Audit trails. The enhanced software also supports the extensive weld data collection needed to create audit trails and provide complete weld traceability by device, time and manufacturing lot, right down to the component level. Specifically, the system enhancements:
- Support bar code scanning essential to unique device and component identification.
- Capture and store production data for every weld.
- Track all changes within the system with clear delineation of what the new value is versus the previous value, including the user who made the modification.
- Offer six PDF reports, including event logs, user IDs, weld results, alarm logs, weld recipes, and welder system configurations.
- Data retention. These weld system enhancements provide data retention, enabling each GSX-E1 welder to store extensive weld history for up to 200,000 welds.
The second software upgrade, complementary to the first, provides secure data transfer to ensure the total integrity of data, complete and unchanged, from any Branson GSX-E1 welder on the manufacturing floor to another secure customer system using an Emerson-engineered Web Services capability.
Above: Emerson's upgrade offers secure data transfer with an authentication key.
Web Services offers secure data access and transfer capability and closely resembles the security used for online bank transactions. A remote user such as a remote manufacturing software server or quality management system seeking weld data must first follow standard Secure Sockets Layer (SSL) server/client encryption negotiation to establish a secure connection with the welder containing the data. Then, that remote server must also utilize a unique authentication key, uploaded previously to both systems, to gain access and initiate data transfer. In addition, this secure data-transfer capability also delivers Industry 4.0/industrial internet of things (IIOT) capabilities while supporting everything from secure system software upgrades to remote data analysis and remote system troubleshooting and diagnostics.
Above: The upgrade offers flexible data export.
Together, the two major upgrades offer GSX-E1 customers the capability to comply with the latest FDA security mandates and also provide them a leg up in meeting the postponed European Union (EU) Medical Device Regulation (MDR) standards, which are expected to demand similar security measures.
In addition, it is believed that approximately 80% of the data-collection, -retention, -integrity, and -security capabilities required by medical device manufacturers will match with the needs of global electronics and automotive manufacturers. Although these manufacturers do not face the regulatory requirements of medical device makers, they do demand essentially similar, high-integrity manufacturing data to ensure production efficiency, validate product quality, and enable product traceability for longer-term service and support.