I'm a bit hesitant to discuss QT9 because I was using it in 2014 to 2015. At the rate they were going with changes back then, the QT9 software you use today may be quite a bit different than what I used. The thing that is both good and bad about QT9 is that there is minimal customization. This is bad because there is not much flexibility. This is good because it makes it much easier to leverage the software validation documentation that QT9 provides.
As far as part 11 is concerned, I do know that QT9 requires a log in and password when accessing the software, and then an additional password is used for electronic signature. I can't remember if these two are required to be different.
Some issues that I had when using it include DCO attachments not being protected from deletion after record closure, minimal options in customizing reports, having to use workarounds for documenting regulatory assessment and material dispositions, software updates being pushed to us without permission or notification. I'm going to go ahead and assume they solved these issues.
As I recall, I had to create incredibly elaborate Excel spreadsheets to create reports out of QT9 exported data. This might still be an issue for users since every company is going to have different metrics for their processes.
Hope that helps.