Search the Elsmar Cove!
**Search ALL of Elsmar.com** with DuckDuckGo including content not in the forum - Search results with No ads.

Integrity of electronic digital records - Medical Devices

Jamesv

Starting to get Involved
#1
Hi

Just wondered if 13485 requires demonstrable security / integrity of systems used for electronic record keeping?

One of the departments under my MDR / 13485 scope (with Health Institution Exemption) for class 1 devices uses an MS Access database for some client records, relating to devices issued to them, including the manufacturing notes for custom made devices. There is no robust audit system inherent to the database to see what text changed / when / by whom, which means that records could effectively be altered. This doesn't seem appropriate to me. Printing the record to a time stamped PDF or similar may be a way of managing this. Any views?

Thanks

James
 
Paid Advertisement - Forum Supporter

William55401

Involved In Discussions
#2
Short answer, yes, integrity of digital / electronic records is important to the standard.

Longer answer. To me, the use of a pdf is a snapshot in time and does not address the core issue of modifications to the electronic record. How is the MS database used? Will individuals go to the pdf or is the MS Access data base truly the system in use?

Citations from the standard (13485:2016)

"4.1.6 The organization shall document procedures for the validation of the application of computer
software used in the quality management system. Such software applications shall be validated prior to
initial use and, as appropriate, after changes to such software or its application.
The specific approach and activities associated with software validation and revalidation shall be
proportionate to the risk associated with the use of the software. Records of such activities shall be maintained (see 4.2.5)."

from 4.2.5 Records
"Records shall remain legible, readily identifiable and retrievable. Changes to a record shall remain identifiable."
 
Last edited:

Jamesv

Starting to get Involved
#3
Longer answer. To me, the use of a pdf is a snapshot in time and does not address the core issue of modifications to the electronic record. How is the MS database used? Will individuals go to the pdf or is the MS Access data base truly the system in use?
Thanks - the PDF would be used to evidence record keeping integrity, but as you have highlighted its far from ideal, and doesn't comply with 4.2.5

We'll need to think again I think
 

Ronen E

Problem Solver
Staff member
Super Moderator
#4
One of the departments under my MDR / 13485 scope (with Health Institution Exemption) for class 1 devices uses an MS Access database for some client records, relating to devices issued to them, including the manufacturing notes for custom made devices.
Hi James,

Not answering your question but still important -

You might want to keep a clear identification of the different product/regulatory categories. To me, what you wrote above doesn't seem to reconcile. Where the "Health Institution Exemption" applies, the rest of the MDR doesn't, so device classification is N/A and there's no meaning or need in the designation "class 1 devices". The same goes for (true) custom made devices, which are governed by yet other parts of the MDR (i.e. either you go by the "Health Institution Exemption" (Article 5 s. 5) or by the custom made devices provisions, but not both). Further, the "Health Institution Exemption" applies only where the devices are made and used within the health institution, so you might want to make sure that "issuing devices to clients" (as noted) doesn't violate that.

Cheers,
Ronen.
 

Jamesv

Starting to get Involved
#5
Where the "Health Institution Exemption" applies, the rest of the MDR doesn't, so device classification is N/A and there's no meaning or need in the designation "class 1 devices".
Thanks Ronen, I guess I've got into the habit of indicating class 1, just to clarify that our devices are low risk which may be relevant. In terms of the HIE, this has caused some consternation because our trust is commissioned by NHS England to also provide services to neighbouring trusts (not commercially). I discussed this with the MHRA, who felt it reasonable that the 'legal entity' could apply to other trusts under commissioned arrangements, as long as manufacturing accountabilities were explicit.
 
Top Bottom