Medical device quality records carry legal and regulatory weight. A complaint investigation, a CAPA decision, a risk assessment approval, or a 21 CFR Part 11 electronic signature can each be called up in an FDA inspection or a notified body audit, sometimes years after the event. That history is only credible if the data behind it was protected from the moment it was created.
The regulatory expectations are specific. FDA 21 CFR Part 11 requires access limited to authorised individuals, an audit trail that records every creation, modification, and deletion with a timestamp and user attribution, and system controls that prevent backdating or alteration of closed records. ISO 13485:2016 Clause 4.2.5 requires records to remain legible, readily identifiable, and retrievable. EU MDR Article 87 adds requirements around adverse event report completeness and retention.
Data integrity in practice runs on the ALCOA+ principles: every record must be attributable to the person who made it, legible, contemporaneous, original, accurate, complete, consistent, enduring across the retention period, and available for review. Meeting those principles requires role-based access control with no shared logins, encrypted storage and transmission, a reliable backup and recovery process, and controls that lock closed records so that they can be changed only through a traceable amendment process.
The whitepaper below shows how qmsWrapper protects quality records and meets data security requirements for medical device teams.




