QMS for medical device startups

Enternationalist

Involved In Discussions
#11
Especially now, I would consider the scenario where the system / your data suddenly become unaccessible.
Absolutely. This would be a basic element of any reasonable risk assessment and validation of software holding onto your documents. Periodic manual backups, automatic rolling backups, etc. If using a cloud provider (for instance), assurance on access/minimum uptime would also be a good thing to work into the agreement with that provider.
 

mmasiddiqui

Involved In Discussions
#12
Can someone please suggest the best suitable QMS software for medical device startups? I mean something that meets requirements as per ISO 13485:2016 and is not so expensive.
I have previous experience and expertise in developing and rolling out QMS. Just use tools to help in effective implementation and not for managing your QMS. You have to make sure to develop a RASIC to be successful in maintaining an effective QMS.
 
#13
QT9 does exist. I have used it before and we used to joke that it was a "startup" for a "startup," meaning they were a startup software company, and we were a startup med device company. That software had its share of issues, but maybe they have fixed all those by now. :)
Can you please elaborate on your experience with QT9? I work for a small med device company (~50 employees). We're searching for an eQMS solution to completely replace our paper-based system and that will scale with us. Based on our evaluation, including trialing the product, we've determined that QT9 meets all of our requirements.

I've scoured the web for reviews and spoken with references, and the feedback has been mostly positive. The cons that I've seen in reviews (inability to customize workflows, no design control module, not intuitive, too many emails) don't concern me after trialing the product. I've also noticed that software updates in the last couple of years have addressed previous deficiencies. For example, the new Project module may be leveraged for design control. It's not perfect, but future improvements are already planned.

When trialing the product, I noticed a lot of spelling errors as well as minor inconsistencies (e.g. "customer1", "customer2", "customer 3") in the training academy documents and help section. It's puzzling, but from what I can tell, it doesn't affect functionality.

Any feedback that you can provide about your experience with QT9 would be greatly appreciated, especially any issues that you encountered. If you don't want to reply here, please feel free to message me.

Thank you!
Serena
 

yodon

Staff member
Super Moderator
#14
I have one client - a very small company (~4 people) - using it and they are quite happy with it. I don't know how well it would scale, though (it may, I just don't know). With only 4 people (and effectively only 2 using), things are a bit looser than would be required at a company your size. If you have to deal with FDA 21 CFR 11, I'm not completely convinced it does e-signatures in a fully compliant manner.

I wouldn't worry too much about inconsistencies in the training docs. Those materials are often cobbled together from various sources.
 
#15
I have one client - a very small company (~4 people) - using it and they are quite happy with it. I don't know how well it would scale, though (it may, I just don't know). With only 4 people (and effectively only 2 using), things are a bit looser than would be required at a company your size. If you have to deal with FDA 21 CFR 11, I'm not completely convinced it does e-signatures in a fully compliant manner.

I wouldn't worry too much about inconsistencies in the training docs. Those materials are often cobbled together from various sources.
Thank you for your reply! We do need a solution that is fully Part 11 compliant. When you say it may be lacking, are you referring to Sec 11.300? Do you think that we could make up for the gaps by supplementing with procedural controls?
 

yodon

Staff member
Super Moderator
#16
Actually, 11.200.a,1(i) is where I didn't think it was fully compliant (there may be other sections). However, you know, Part 11 is so, um, challenged, that, if you can demonstrate you have good controls, it may not be an issue. I'm just saying, be aware, and be careful.
 

indubioush

Quite Involved in Discussions
#17
Can you please elaborate on your experience with QT9?
I'm a bit hesitant to discuss QT9 because I was using it in 2014 to 2015. At the rate they were going with changes back then, the QT9 software you use today may be quite a bit different than what I used. The thing that is both good and bad about QT9 is that there is minimal customization. This is bad because there is not much flexibility. This is good because it makes it much easier to leverage the software validation documentation that QT9 provides.

As far as part 11 is concerned, I do know that QT9 requires a log in and password when accessing the software, and then an additional password is used for electronic signature. I can't remember if these two are required to be different.

Some issues that I had when using it include DCO attachments not being protected from deletion after record closure, minimal options in customizing reports, having to use workarounds for documenting regulatory assessment and material dispositions, software updates being pushed to us without permission or notification. I'm going to go ahead and assume they solved these issues. :)

As I recall, I had to create incredibly elaborate Excel spreadsheets to create reports out of QT9 exported data. This might still be an issue for users since every company is going to have different metrics for their processes.

Hope that helps.
 
#18
Actually, 11.200.a,1(i) is where I didn't think it was fully compliant (there may be other sections). However, you know, Part 11 is so, um, challenged, that, if you can demonstrate you have good controls, it may not be an issue. I'm just saying, be aware, and be careful.
Thank you for your reply! I reviewed Part 11 again and cross-referenced with QT9. I think that I understand your reasoning for challenging 11.200.a, 1(i). Breaking it down:
  1. "When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component..."
    1. Each user is uniquely identified by their username and full name. When signing into the system, users are required to enter their username and password. Then to sign a document, the system automatically pulls their full name based on their username, and the user is required to enter a signing reason and password. I'm not sure if the auto-populated full name in combination with the user password counts as "executed using all electronic signature components", especially when subsequent signings in one continuous period are the same as the first. Is that what you mean by not fully compliant? If that's the case, I can't think of procedural controls for this.
  2. "....that is only executable by..."
    1. It's not possible to execute another user's electronic signature from a different account, even with admin privileges. There are no controls to prevent someone from logging in as another user with that user's login credentials. However, if someone is forging another person's signature, that's a larger issue and not isolated to electronic signatures. Since this is a risk, procedural controls must be put in place to minimize to the lowest possible level.
  3. "...and designed to be used only by, the individual."
    1. It isn't possible to assign a username or full name that is already associated with an active, inactive, or deleted user. However, it is possible to change the username or full name of an active, inactive, or deleted user, and then reassign the old username or full name to another user. Procedural controls for username/full name assignment in the system would need to be put in place for this as well.
I wasn't sure about some parts of 11.300 as well but was able to verify compliance for the most part. I believe procedural controls may be sufficient to ensure full compliance.
  1. 11.300(a): "Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password."
    1. Same as 3.1.
  2. 11.300(b): "Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging)."
    1. Password expiration is a setting, allowing admins to specify time period in months.
  3. 11.300(d): "Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management."
    1. Automatic lockout due to inactivity is a setting, allowing admins to specify time period in minutes. Users can recover forgotten passwords through site. Admins are notified if anyone tries to log in and fails 3 times in a row. I would supplement the built-in safeguards with procedural controls. The notifications are useless if administrators do not follow up.
Thank you again for your feedback!

-Serena
 
#19
I'm a bit hesitant to discuss QT9 because I was using it in 2014 to 2015. At the rate they were going with changes back then, the QT9 software you use today may be quite a bit different than what I used. The thing that is both good and bad about QT9 is that there is minimal customization. This is bad because there is not much flexibility. This is good because it makes it much easier to leverage the software validation documentation that QT9 provides.

As far as part 11 is concerned, I do know that QT9 requires a log in and password when accessing the software, and then an additional password is used for electronic signature. I can't remember if these two are required to be different.

Some issues that I had when using it include DCO attachments not being protected from deletion after record closure, minimal options in customizing reports, having to use workarounds for documenting regulatory assessment and material dispositions, software updates being pushed to us without permission or notification. I'm going to go ahead and assume they solved these issues. :)

As I recall, I had to create incredibly elaborate Excel spreadsheets to create reports out of QT9 exported data. This might still be an issue for users since every company is going to have different metrics for their processes.

Hope that helps.
Thank you for your reply - it is extremely helpful!

Based on the online reviews and speaking with existing customers, it does sound like there have been significant improvements since 2014-2015. The more I research different products, the less concerned I am about customization, as long as the out-of-box solution is FDA/ISO compliant. Like you said, it really simplifies validation. Our procedures will need overhauled to conform to the new system, but that would be necessary in any case to incorporate the eQMS.

User profiles are comprised of a username, full name, and password. The password is the same at login and for electronic signing. Based on this thread, the electronic signature part 11 compliance seems like a gray area that needs further clarification.

A few of the issues that you raised have been addressed since 2015, but some of them still exist:
  1. "DCO attachments not being protected from deletion after record closure"
    1. Thankfully, this is somewhat preventable. It's a user permission setting. However, admin users with certain permissions can reopen a DCO and delete attachments. While this is captured in the audit trail, it could go unnoticed. In addition, since the version that we're considering is cloud-based, I don't know that the deleted documents can necessarily be retrieved. This is something I hadn't considered before you mentioned it and definitely needs clarified.
  2. "minimal options in customizing reports"
    1. This is still an issue. Unfortunately, it's only a nice-to-have for us, as long as the data can be exported to Excel. We'll need to create (or use existing) templates to drop the exported data into. I just need to make sure that the exported data has all the info that we need.
  3. "having to use workarounds for documenting regulatory assessment and material dispositions"
    1. This seems to have been addressed. There's a Material Review Board module for documenting material dispositions now. It can be a standalone MRB or linked to an NCP.
    2. Documenting regulatory assessments will still require the use of workarounds and procedural controls. QT9 isn't as comprehensive as other systems, like Arena, for tracking product requirements and evaluating regulatory impact of quality events, product/process changes or deviations, etc. There's a Manage Products module that pulls together all quality events for each product in the system; it also has a Related Files tab, but it doesn't accept links to other controlled docs or modules such as a Project (new module that can be used for documenting product requirements). I'd probably use user defined fields module to incorporate regulatory assessment, but the onus is still on the user to do a thorough assessment and add regulatory review/approval to documents when necessary.
  4. "software updates being pushed to us without permission or notification."
    1. This could still be an issue. I'll follow up with QT9.
Thank you again for all of your help!

-Serena
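
The post above notes that an admin can reopen a closed DCO and delete attachments, and that the resulting audit-trail entry could go unnoticed. As an added example (not part of the thread and not QT9 code), this script reviews an exported audit trail for that pattern; the CSV columns, action names and sample rows are assumptions constructed for illustration, since the thread does not show QT9's export format.

```python
import csv
import io
from datetime import datetime

# Constructed sample export. Column names and action labels are hypothetical,
# not QT9's actual audit-trail format.
SAMPLE_AUDIT_CSV = """timestamp,record_id,actor,action,detail
2021-03-01T09:00:00,DCO-0012,jsmith,ATTACHMENT_ADDED,validation_report.pdf
2021-03-02T10:00:00,DCO-0012,jsmith,ATTACHMENT_DELETED,draft_notes.docx
2021-03-05T15:30:00,DCO-0012,qa_lead,RECORD_CLOSED,
2021-04-10T08:12:00,DCO-0012,admin1,RECORD_REOPENED,
2021-04-10T08:14:00,DCO-0012,admin1,ATTACHMENT_DELETED,validation_report.pdf
2021-04-10T08:20:00,DCO-0012,admin1,RECORD_CLOSED,
2021-03-03T11:00:00,DCO-0013,jsmith,ATTACHMENT_DELETED,old_drawing.pdf
2021-03-04T11:00:00,DCO-0013,qa_lead,RECORD_CLOSED,
"""


def find_post_closure_deletions(csv_text):
    """Return attachment deletions made after a record was first closed.

    Deletions while a record is still a draft are normal editing and are
    ignored; a deletion at any point after the first closure (for example
    following a reopen) is reported for follow-up.
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    # Exports are not guaranteed to be chronological, so sort first.
    rows.sort(key=lambda r: datetime.fromisoformat(r["timestamp"]))

    first_closed = {}  # record_id -> timestamp of first closure
    reopened_by = {}   # record_id -> actor of the most recent reopen
    findings = []
    for r in rows:
        rec, action = r["record_id"], r["action"]
        if action == "RECORD_CLOSED":
            first_closed.setdefault(rec, r["timestamp"])
        elif action == "RECORD_REOPENED":
            reopened_by[rec] = r["actor"]
        elif action == "ATTACHMENT_DELETED" and rec in first_closed:
            findings.append({
                "record_id": rec,
                "attachment": r["detail"],
                "deleted_by": r["actor"],
                "deleted_at": r["timestamp"],
                "first_closed_at": first_closed[rec],
                # Same person reopening and deleting means no second reviewer
                # was involved in the change.
                "reopened_by_same_actor": reopened_by.get(rec) == r["actor"],
            })
    return findings


if __name__ == "__main__":
    for f in find_post_closure_deletions(SAMPLE_AUDIT_CSV):
        print(f)
```

Run on a schedule against each export, this gives the procedural review something concrete to sign off on rather than relying on someone reading the raw audit trail.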
 

yodon

Staff member
Super Moderator
#20
I do recall auto-populating passwords being one of my concerns and it looks like you did your due diligence. (Kudos!)

FDA is still (AFAIK) exercising enforcement discretion. I would expect that if you show reasonable controls, they're not likely to drill down into the details.
 