ISO 13485 - Control of Records (4.2.5) question

johnjflynn42

Registered
My apologies if this has been answered elsewhere, I could not find an answer.

The company I work for (I am the Quality Manager) is ISO 9001:2015 and we are working towards our ISO 13485:2016 certification.
We are a Contract Manufacturer (no design responsibilities - it is an exclusion) of silicone injected molded products.

4.2.5 states (in part)
Records shall be maintained to provide evidence of conformity to requirements and of the effective operation of the quality management system.

Records shall remain legible, readily identifiable and retrievable. Changes to a record shall remain identifiable.

The organization shall retain the records for at least the lifetime of the medical device as defined by the organization, or as specified by applicable regulatory requirements, but not less than two years from the medical device release by the organization.

Now - the question(s) I have regarding real world implementation of 4.2.5.....
Does this preclude using cloud-based storage / software? (i.e. OneDrive)

How would you "maintain" OneDrive? We do not own or have control over it, especially over the lifetime of the medical product.

For companies that have cloud / web based QMS, does your auditor address this?

We have a local server, but several of the documents we use for quality / manufacturing are shared via OneDrive.

I am a former Navy Nuke and worked in the commercial nuclear industry for 20+ years, so I have a tendency to over complicate / overthink things so I would appreciate feedback and see what others have done.

Thanks.
John

yodon

Leader
Super Moderator
Does this preclude using cloud-based storage / software? (i.e. OneDrive)
Not necessarily, but you have to be careful. For example, I think some cloud storage will NOT hold obsoleted copies for too long unless you make special arrangements (like making them their own file).

And you have to establish proper access controls. Not sure how to do that with OneDrive, but I have done it on other cloud storage services.

The positive thing about cloud storage is that you shouldn't have to worry about backup / recovery. That doesn't preclude accidental deletes, so that's another area to be careful around. You may want a separate snapshot to recover any accidental deletes (so don't sync them!)
 

Rob_Kellock

Involved In Discussions
The problem with OneDrive (and many cloud systems) is that if you were to delete your content (accidentally or otherwise) you only have a limited time to retrieve it from the recycle bin before it's gone for good. My recommendation (and this has nothing to do with the Medical Device standard) is to back up your cloud storage. The only time a backup isn't really required is if you know you have a system which retains the recycle bin indefinitely or requires a secondary manual action to remove it from the recycle bin.

Almost all cloud storage allows you to limit access to content so at least it'll only be an authorised person who can lose your data.
 

QuinnM

Involved In Discussions
Hi John,

One of the differences between 9001 and 13485 is validations. Most 13485 QMS companies validate a document control system that includes records. We just received our 13485 certification, and the notified body did ask to see our validation documents on the eQMS. If you are using a paper based system and storing records electronically, would that system be 21 CFR Part 11 compliant if not validated? (I don't know if it would be, but others in the Cove may know.) The hard copy records we have are scanned then uploaded into an eQMS that is both validated and 21 CFR Part 11 compliant.

Your company may use any storage that is deemed fit, that is, meets the regulations and your needs. I have stayed away from SharePoint, OneDrive, Google Docs, etc. due to the regulatory requirements. It can be done within a 13485 QMS, but I think it is too difficult to do and maintain. Will be interesting to hear how other companies manage records.

Best regards,
Quinn
 

Renea Koski QAM

Involved In Discussions
Wouldn't that fall under Software Validation? Since it is an "OTC" product, we validated it with a low risk and did IQ and OQ only.
 

QuinnM

Involved In Discussions
Wouldn't that fall under Software Validation? Since it is an "OTC" product, we validated it with a low risk and did IQ and OQ only.
Hi Renea,
Could you please elaborate on the "...fall under Software validation?" Also, what "OTC" product are you referencing?

What response are you referencing?
Quinn
 

Renea Koski QAM

Involved In Discussions
Could you please elaborate on the "...fall under Software validation?" Also, what "OTC" product are you referencing?

What response are you referencing?

We have validated all software used . . . our ERP, Excel, Word, OneDrive, Adobe . . . plus the ones used for production like our CNC software and CAD software. All were OTS (Off the Shelf) (I see -- I said OTC (Over the Counter . . .)). Meaning that they are mainstream programs and not bespoke or made for us. I have ranked each software based on its usage and risk. For instance, the software that runs our machines is at a higher risk than, say, Microsoft Word. It was told to me by an auditor (who was not offering advice . . . wink wink) that we needed to validate all software used.

Since you are using OneDrive, I would think that if you completed a software validation, this would cover you. You might also want to create back-up copies on your main server (hopefully you have back-ups of that) in case there is a crash or something weird with OneDrive. For example, we use a OneDrive spreadsheet for NC data entry so multiple people can have access at the same time, then I take the data each month, plot it into Excel and save to my server. It may be a bit extra, but I feel comfortable knowing that my monthly data will not get lost in the cloud. Since you are only using OneDrive for sharing, I am not sure you would really need to worry about all of this, if you have the original docs on your server. You will just have to be sure they are retrievable and easily found. Another idea is to create additional drives that everyone can have access to that house the documents they need, but where they do not have editing privileges. I have "Forms", "QM Docs" and "Work Instructions" drives that mimic my working folders, but are read-only for everyone to have access. That way I don't have to "share," they can go there anytime they need to get something.

Cloud based QMS. . . I use QT9, a cloud based eQMS that I LOVE (and very affordable.) They are actually validated to ISO 13485:2016 and multiple other QMS regulations. I have had to show this validation to my auditor. This is where I keep all my document control, customer feedback, CAPAs and more.

I hope this all made sense. I would be happy to chat more if you need additional info.
Renea
 

Renea Koski QAM

Involved In Discussions
. . . and they also are supposed to mirror 13485:2016 soon . . . for about 8 years now. We'll see how long this stays in draft. lol So far it's been since 9-2022. Thanks for the info though.

I have come to find that whatever you do, some auditor will find fault. As long as you have something in place, you should be better than having nothing.

Good luck with the 13485:2016! I was specifically hired so I could get my company certified to 13485. Their QMS was a mess from the previous QAM -- never updated since 2003 and did not do much but calibrate measurement tools. I have been here 2 years now and I still haven't been able to get through a cabinet of items he had "hidden" away and did not properly NC. SIGH.

We are also a contract manufacturer for precision surgical instruments. We do not have design, however I will tell you that you need to have some sort of Medical Device Files for families of instruments. All mine do is refer to our/customer's part number and where any documentation/instructions can be located, and a risk management plan. I'd be happy to help you if you need. I feel your pain!
 

Enternationalist

Involved In Discussions
The simplest way to understand this is to realize that you can outsource requirements. They're your responsibility to ensure they are met, but that doesn't mean it's always you who does them.

One approach is to draft a quality agreement with the vendor or to look over the service agreement. These cloud solutions absolutely do maintenance on their end to ensure uptime, etc. - you just want to be sure they do enough to cover your requirements. Any gaps you may be able to cover procedurally - e.g., take a local backup periodically, have an exit strategy in case OneDrive shuts down. It's definitely software, so you will also need to validate your application of it.

In practice, though, any sort of mainstream cloud storage is almost certainly much less likely to be permanently lost or destroyed than anything you'd implement locally. Don't let interpreting the word of the standard get in the way of using a solution that is clearly better for meeting the intent of the standard.

Why does the standard ask you to 'maintain' records? To make sure they are there and that you have access to them if you need them. Will your cloud solution allow you to do that? If not, what additional things do you need to do?
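Several replies in this thread converge on the same control: keep a separate, non-synced snapshot of the cloud-shared records (yodon), back the cloud storage up locally because the recycle bin only holds deletes for a limited time (Rob_Kellock), and cover gaps procedurally with a periodic local backup (Enternationalist). The following script is an added example written for this thread, not code from any poster, from Microsoft or from a QMS vendor. It assumes the OneDrive folder is synced to a local path (the `Quality Records` folder below is constructed sample data) and that the snapshot root sits on a drive that is not synced back to the cloud. Each run copies the records into a new timestamped snapshot, writes a SHA-256 manifest, verifies the copy matches the source, and reports which records were added, changed or deleted since the previous snapshot, so changes stay identifiable and an accidental delete can be recovered from the last good snapshot.

```python
"""Versioned local snapshots of a cloud-synced records folder.

Added example for the forum thread, not from any poster or vendor.
Assumptions: SOURCE is the locally synced OneDrive records folder;
SNAPSHOT_ROOT is on storage that is NOT synced back to the cloud.
"""
import datetime
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash one file in 64 KiB chunks so large scans do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative POSIX path -> SHA-256 for every file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_manifests(old: dict, new: dict) -> dict:
    """Report added, changed and deleted records between two manifests."""
    return {
        "added": sorted(set(new) - set(old)),
        "changed": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
        "deleted": sorted(set(old) - set(new)),
    }


def latest_snapshot(snapshot_root: Path):
    """Newest snapshot directory; timestamps sort lexically, so name order is time order."""
    if not snapshot_root.exists():
        return None
    dirs = sorted(d for d in snapshot_root.iterdir() if d.is_dir())
    return dirs[-1] if dirs else None


def take_snapshot(source: Path, snapshot_root: Path, stamp=None) -> dict:
    """Copy source into a new snapshot directory and return the change report."""
    stamp = stamp or datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    previous = latest_snapshot(snapshot_root)
    old_manifest = {}
    if previous is not None and (previous / "MANIFEST.json").is_file():
        old_manifest = json.loads((previous / "MANIFEST.json").read_text())
    dest = snapshot_root / stamp
    shutil.copytree(source, dest / "files")
    new_manifest = build_manifest(dest / "files")
    # Retrievability check: refuse to trust a copy that does not match the source.
    if new_manifest != build_manifest(source):
        raise RuntimeError("snapshot does not match source; do not rely on this backup")
    (dest / "MANIFEST.json").write_text(json.dumps(new_manifest, indent=2, sort_keys=True))
    report = diff_manifests(old_manifest, new_manifest)
    report["snapshot"] = str(dest)
    (dest / "CHANGES.json").write_text(json.dumps(report, indent=2))
    return report


def verify_snapshot(snapshot_dir: Path) -> list:
    """Return records whose stored copy no longer matches the manifest (empty = intact)."""
    manifest = json.loads((snapshot_dir / "MANIFEST.json").read_text())
    files = snapshot_dir / "files"
    return [rel for rel, digest in manifest.items()
            if not (files / rel).is_file() or sha256_file(files / rel) != digest]


def demo() -> dict:
    """Two runs over constructed sample records in a temp dir (sample data, not real records)."""
    work = Path(tempfile.mkdtemp(prefix="records_demo_"))
    source = work / "OneDrive_synced" / "Quality Records"   # hypothetical synced path
    snapshots = work / "LocalSnapshots"                     # hypothetical non-synced path
    (source / "NC").mkdir(parents=True)
    (source / "NC" / "NC-2024-001.txt").write_text("Nonconformance report, rev A\n")
    (source / "Training Log.csv").write_text("date,name,course\n2024-01-09,J. Doe,GMP intro\n")
    first = take_snapshot(source, snapshots, stamp="20240110T080000Z")
    # Simulate a week of activity in the synced folder, including an accidental delete.
    (source / "NC" / "NC-2024-001.txt").write_text("Nonconformance report, rev B\n")
    (source / "Training Log.csv").unlink()
    (source / "NC" / "NC-2024-002.txt").write_text("Nonconformance report, rev A\n")
    second = take_snapshot(source, snapshots, stamp="20240117T080000Z")
    return {"first": first, "second": second,
            "verify_first": verify_snapshot(Path(first["snapshot"]))}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it on a schedule (Task Scheduler or cron) against the real synced folder, and keep the snapshot root out of any sync client; the `CHANGES.json` written with each snapshot is what shows an auditor that changes to records remain identifiable, and the deleted list from the second run is exactly the case where the cloud recycle bin would otherwise be the only copy.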