Hi, my company is currently using DocuSign to approve all our documents. We would like to move away from it as it is costly and another software we need to validate. We are looking in Microsoft Approvals, does this comply with ISO 13485:2016? I'm also not sure if approvals makes sense for a CAPA procedure where multiple approvals are required at different stages of the process. Thanks everyone in advance!
Document control approval/signature requirements?from DocuSign to MS Approvals
- Thread starter mer9856
- Start date
Elsmar Forum Sponsor
According to Microsoft's compliance website, Microsoft products are 21 CFR §11 compliant so if you are in the US, this is important. You can supposedly request their compliance reports through your Microsoft representative. It looks like Microsoft Approvals runs through Microsoft Teams. I've never used that functionality before so I cannot comment on any specifics. I would recommend following your internal software qualification procedures to assess the risk of the product and determine what validations may be required.
ISO 13485:2016 doesn't state anything specifically related to electronic records or signatures so you'll just need to complete software validation. Also, consider how visible software version changes are. You don't have control over the Microsoft product so make sure you won't encounter a surprise software version change that requires re-validation or an assessment of why re-validation isn't necessary. I'm not an IT professional so I don't know if there is any "behind the scenes" space that this is more visible or not.
As for the CAPA question, it does make sense to have some additional approvals at strategic stages of your CAPA. Otherwise, one person may complete the entire CAPA, including implementation of actions, and overlooked something, potentially that one of the corrective actions had an adverse impact on the product or QMS. This must be verified before actions are implemented so it definitely makes sense to have at least someone else review at this point. The other stages don't have the same level of risk, but it never hurts to have at least one other person review to ensure you correctly scoped the problem, your root cause analysis was thorough and complete, your corrective/preventive actions make sense (and do not have an adverse impact on the product or QMS!) and that the verification tasks were appropriately defined. These gate approvals don't need to involve everyone who signs for CAPA closure, but ideally should be someone with familiarity of the process or perhaps the owner of the process/product impacted (if this isn't the CAPA owner). A second set of eyes on things never hurts!
ISO 13485:2016 doesn't state anything specifically related to electronic records or signatures so you'll just need to complete software validation. Also, consider how visible software version changes are. You don't have control over the Microsoft product so make sure you won't encounter a surprise software version change that requires re-validation or an assessment of why re-validation isn't necessary. I'm not an IT professional so I don't know if there is any "behind the scenes" space that this is more visible or not.
As for the CAPA question, it does make sense to have some additional approvals at strategic stages of your CAPA. Otherwise, one person may complete the entire CAPA, including implementation of actions, and overlooked something, potentially that one of the corrective actions had an adverse impact on the product or QMS. This must be verified before actions are implemented so it definitely makes sense to have at least someone else review at this point. The other stages don't have the same level of risk, but it never hurts to have at least one other person review to ensure you correctly scoped the problem, your root cause analysis was thorough and complete, your corrective/preventive actions make sense (and do not have an adverse impact on the product or QMS!) and that the verification tasks were appropriately defined. These gate approvals don't need to involve everyone who signs for CAPA closure, but ideally should be someone with familiarity of the process or perhaps the owner of the process/product impacted (if this isn't the CAPA owner). A second set of eyes on things never hurts!
Switching applications won't address this!
I have no regular experience with DocuSign (I've used it when contractors have used it) and zero experience with Microsoft Approvals.
My best experience (easiest, and easiest to tell if someone was "cheating") was leveraging a classic Adobe Acrobat with a touchscreen. I did NOT appreciate or enjoy using the Adobe web service for e-signatures. It was possible to route for layered/sequential/simultaneous approvals, but it was (a) clumsy and (b) expensive. I'm not sure about the total cost, but I felt like the small company that was using it was burning a LOT of money needlessly to use it. I think Acrobat licenses would have ended up being cheaper (and more efficient) for that circumstance.
Hexagon (formerly EtQ) offers "software as a service" (hosted) that can rather smoothly handle CA/PA for medical device companies as part of its Reliance package. The advantage of Reliance was IMO that the licenses were floating, so you could have as many people with accounts as you wanted, but only a fixed number could log in and use the system at one time. Reliance workflows were not particularly difficult to configure, but if they host you may have to make compromises. Reliance is not a good "document approval" system; rather it is very good at documenting approvals for common workflows.
My best experience (easiest, and easiest to tell if someone was "cheating") was leveraging a classic Adobe Acrobat with a touchscreen. I did NOT appreciate or enjoy using the Adobe web service for e-signatures. It was possible to route for layered/sequential/simultaneous approvals, but it was (a) clumsy and (b) expensive. I'm not sure about the total cost, but I felt like the small company that was using it was burning a LOT of money needlessly to use it. I think Acrobat licenses would have ended up being cheaper (and more efficient) for that circumstance.
Hexagon (formerly EtQ) offers "software as a service" (hosted) that can rather smoothly handle CA/PA for medical device companies as part of its Reliance package. The advantage of Reliance was IMO that the licenses were floating, so you could have as many people with accounts as you wanted, but only a fixed number could log in and use the system at one time. Reliance workflows were not particularly difficult to configure, but if they host you may have to make compromises. Reliance is not a good "document approval" system; rather it is very good at documenting approvals for common workflows.
A suggestion from my former life is to make each signoff from your CAPA process it's own controlled form, SOF-1 (Investigation/Root Cause) SOF-2 (Implementation/Proposed VOE), SOF-3 (VOE Results/Closure), or CAPA Procedure Attachments 1-3, etc. Using Adobe Sign for a "Paper-Based" CAPA System was a pain for this reason so we found it best to have 3 distinct word files.
Regardless of which software you choose, you're still going to have to reevaluate it and review what validation documentation exists. If you're US based or sell into the US, make sure to notify FDA of your use of electronic signatures that's buried in Part 11
When getting certified for ISO 13485, an auditor wouldn't expect e-signatures on all our documents/records correct? Approvals would be able to provide the name, date and comments.
For CAPA's, is it acceptable to replace the signature field with an approved field? That way we don't need to use an e-signature software and we could move forward with Microsoft Approvals. We don't intend to sell/distribute to the US, so our focus and basis of our QMS is just ISO 13485!A suggestion from my former life is to make each signoff from your CAPA process it's own controlled form, SOF-1 (Investigation/Root Cause) SOF-2 (Implementation/Proposed VOE), SOF-3 (VOE Results/Closure), or CAPA Procedure Attachments 1-3, etc. Using Adobe Sign for a "Paper-Based" CAPA System was a pain for this reason so we found it best to have 3 distinct word files.
Regardless of which software you choose, you're still going to have to reevaluate it and review what validation documentation exists. If you're US based or sell into the US, make sure to notify FDA of your use of electronic signatures that's buried in Part 11
I don't which regulatory jurisdiction you're operating in which likely does have a similar requirement for document approvals, however the ISO 13485 practical guide certain states that signatures, either hand written, or electronic are expected:
"This could include, but is not limited to, access, storage, reproducibility, readability, audit trails and electronic signatures, if appropriate."
"Hand-written entries should be made by indelible medium. Persons making authorized entries on records or verifying such entries should do so in clear legible writing, and should confirm the entry by adding their initials, signature or equivalent, and the date."
Checking an "approved" box with no mention of who is making that determination isn't sufficient enough.
No, you just need to be able to trace the signature back to the person doing the signing. E-signatures are absolutely not required. However, if you elect to use e-signatures, you should have basic GDP covered (ALCOA or ALCOA+ for instance). Note that is a should and not a shall. ISO 13485 states nothing about how document/record approvals are recorded.
Thank you so much for the insight! I previously worked in a company who had ISO 17025 certification and e-signatures also weren't required.
Do you have any thoughts on one of the above replies regarding the ISO 13485 practical guide?
Similar threads
