ISO 13485 signing of Procedures etc.

[Sue789]

I have come across a Company where the ISO 13485 Quality Management System (Procedures etc.) are stored in ‘Box’.

My query is that the Approved Procedures have no signature or a Watermark to show that the procedure has been approved, instead they reference the Change Request form. The company electronically signs in Box (21 CFR 11 compliant I believe) and the change control request shows approval of all documents being approved and released.

Would this be acceptable at a Notified body audit? If not, what would it fail against?

Would be interested to hear your thoughts.

 

[ScottK]

I have come across a Company where the ISO 13485 Quality Management System (Procedures etc.) are stored in ‘Box’.

My query is that the Approved Procedures have no signature or a Watermark to show that the procedure has been approved, instead they reference the Change Request form. The company electronically signs in Box (21 CFR 11 compliant I believe) and the change control request shows approval of all documents being approved and released.

Would this be acceptable at a Notified body audit? If not, what would it fail against?

Would be interested to hear your thoughts.

I don't see a problem with this if the system is well defined and executed.
Are you concerned with printed copies of documents not having the signatures?
This has been very common for me in the last 10-15 years.
Signoffs are either electronic or on a change form stored physically - the documents themselves don't have signatures on them.

 

[mihzago]

this is common in companies that run document approval through a change order process.
One thing I would check is whether the approved procedure has controls in place to prevent the document from being modified.

 

[Sue789]

Thank you for your comments, I am concerned with my risk hat on that an employee could be using an out of data procedure and without the controls in place can be modified.

 

[Zero_yield]

1). Is there any revision number posted on the documents (rev 1, rev 2, rev 3)?
2). Are there procedures to maintain control over the revisions? For example, when SOP-ABC goes from rev 2 to rev 3, does someone gather up the copies and destroy/securely maintain them, or do they just throw rev 3 in the box while copies of rev 2 still circulate on the floor?

 

[victorsyj]

It is totally normal for the approval to appear in another form or be done digitally.

Most importantly is to check whether the relevant controls are in place and effective.

 

[Tagin]

Thank you for your comments, I am concerned with my risk hat on that an employee could be using an out of data procedure and without the controls in place can be modified.

How do they currently address 4.2.4h ("prevent the unintended use of obsolete documents and apply suitable identification to them") in their document control procedures?

 

[Enternationalist]

Thank you for your comments, I am concerned with my risk hat on that an employee could be using an out of data procedure and without the controls in place can be modified.

If that's your concern, then that's what you should test. What stops them using out-of-date things or making unapproved modifications?

 

[Ronen E]

This is a common situation in orgs that have moved to e-QMS/document management. Typically (or at least preferably) in such orgs access to documents for use is done through the same digital system, which ensures that only the last approved version is accessible for most team members. The main issue is with paper copies, which seem to still be around quite abundantly even in orgs that have supposedly "made the leap" to e-systems.

In orgs using e-doc control all paper copies printed out would show the revision level etc. (otherwise it's a major breakdown), so it's not a matter of identifying the (paper) version at hand. Mostly, the question is "is this revision in force?". Some such orgs decide that all paper copies of controlled documents are Reference-Only, and would typically have the system print this fact as a watermark, footer etc. on all paper copies. Others might allow a short "grace period" (say, a week) past the print date, which the system would similarly print on each copy (this entails some risk, but not a big one if the period is short enough). Normally, a user of a printed document would check in the e-system if the version they hold is indeed in force, each time they use it, or at least periodically at fairly short intervals (e.g. once a week or two).

The real problem starts when staff ignore this policy and start using paper copies as if they had official force without checking and beyond any called out timeframe. There isn't much that can be done against that, but in honesty - this problem is ancient. Even in the "good old" days of pure paper-based systems with wet signatures and someone doing rounds replacing all old version copies with the newly issued ones, people were keeping "private" (not to say "pirate", haha) copies and using "Reference Only" copies as if they had official force. Nothing new under the sun - if the org culture doesn't drive self moderation and compliance with the org's own policies and procedures, no magicware (thanks @Sidney Vianna) in the world will help.

 

[Zero_yield]

The real problem starts when staff ignore this policy and start using paper copies as if they had official force without checking and beyond any called out timeframe. There isn't much that can be done against that, but in honesty - this problem is ancient. Even in the "good old" days of pure paper-based systems with wet signatures and someone doing rounds replacing all old version copies with the newly issued ones, people were keeping "private" (not to say "pirate", haha) copies and using "Reference Only" copies as if they had official force. Nothing new under the sun - if the org culture doesn't drive self moderation and compliance with the org's own policies and procedures, no magicware (thanks @Sidney Vianna) in the world will help.

When I was working on the production line as an associate, we had an e-QMS. There were only so many computers that could access it, and they weren't particularly fast. There was also a cabinet in the room with a physical copy of every relevant procedure to the production line.

Yeah, the auditors had a field day with that one.