Using Google Drive/Docs

KarenA01

Involved In Discussions
First let me say I'm not sure where this should go as I need to talk about both ISO-9001 and 13485.

I'm new to Quality and ISO regulations (my background is as a chemist who has worked both in manufacturing- many years ago- and R&D), and while I have been exposed to GMP and had some GMP training, I never personally had to work under the regs (I spent almost 14 years at a drug delivery startup that got to an NDA submission, but I was in R&D and did not work under GMP- Got laid off from there about 13 years ago).

My current employer (small company now about 20ish people) pivoted from 100% R&D for over a decade, to a contract manufacturer of biologics (ferments) about 1.5 years ago... My employer realized that we needed to be ISO 9001 to get enough business last year... and more recently that we could get significantly more/higher margin business if we were ISO 13485 certified.

Last year we started on the path to ISO certification... and towards the end of this month will be having a Pre-Audit with the registrar and hopefully be certified by early summer... and then start working towards 13485...

Though as we don't make medical devices or anything going into medical devices I'm not sure how 13485 applies to us and to what degree... We COULD potentially make things that would be raw materials for use in making things like vaccines or incorporated into diagnostic test reagents etc as well as cosmetics. From what we see in this industry companies that get ISO 13485 advertise as "GMP like"... Does that make a difference to how the standard is applied?

Since I had a Pharma background, somehow recently I wound up as Director of Quality (A job I never expected to have!) ... While I think I have a reasonable 1000ft grasp of the general principles, I know the devil is always in the details.

We are using Google Drive to store all of our controlled documents and records as scanned PDFs (in PDF/A Format). Google Drive provides both access control and Audit trail, as does Google Sheets (which we don't use for calculations - just for logs and raw material inventory as a database). So basically a hybrid system that is run like a papery system...

The paper forms are signed with wet signatures and scanned. Batch records are manually filled in, wet signed and scanned as well. Version control is essentially manual with forms (that get scanned after being signed) and version numbers on the documents.

The scans are what we consider to be the controlled document and "official" records... Our SOPs do not require that we keep the paper.

After ISO 9001 certification we plan to switch to Docusign or Adobe Sign (for 21 CFR Part 11 compliant electronic signatures) to sign the PDFs.

The quality system here is based on the one from my pharma employment which was paper based... but modified for google docs use....

BTW we do not have an IT department.

What we have not done yet is write an SOP that codifies who has what access level to what in google docs and why, though in practice I think we are doing the right things... I know that absolutely has to be written ...

But then come the bigger issues with this electronic approach, particularly with 13485:

Validation... I know our usage of Google needs to be validated but outside of knowing that I have to write a protocol that tests the functionality we are using to do black box software validation... but I have never even seen one before as an example to work off of! (any links to good examples would be appreciated!)

Then there is the issue of software version control: Obviously we have no control over when Google makes any software changes that would require revalidation...

What about long term storage/readability...
What about Disaster recovery?

Is this approach viable for both ISO 9001 and 13485? What problems am I likely to run into?

Thanks
-Karen
 

EricHeyworth

Starting to get Involved
Hi Karen

Two quick things. 1) if you don’t have any involvement in meddev, think you will struggle to get BSI/SGS to audit you successfully as you won’t be in scope. Download the standard and review. 2) do you have a budget for doc control etc? If you can spend £6k or so, Cognidox is fantastic and compliant with Part 11 etc. On holiday at mo, but if you need help, contact me directly for more info #notaconsultant Good luck, Eric
 

KarenA01

Involved In Discussions
two quick things. 1) if you don’t have any involvement in meddev, think you will struggle to get BSI/SGS to audit you successfully as you won’t be in scope.

I'm in the US... TUV SUD said they could audit us for 13485 as a supplier, though I'm not sure they fully understand what we do yet (and as a contract manufacturer we could wind up supplying to anybody) ... That said I'm pretty sure I've seen some companies here in the US that don't do medical devices but do biologics and have 13485.

Thanks,
-Karen
 

Zero_yield

"You can observe a lot by just watching."
I've seen several posts on the Cove with people talking about keeping controlled documents on a hard drive. I don't think there's that much difference between keeping them on a hard drive and keeping them on Google Drive.

I'll also echo Eric that it'd be better to invest in a document control software sooner rather than later. If you're branching out into more processes and trying to get more certifications, your number of documents can balloon. We have 3,000+ documents applicable to our local site in one of our document management systems (not including corporate documents, validation documents, and documents in the other document management systems!). Granted, I work for a large company, but you get the idea.

I would take a look at ISO 13485 4.2.4 and 4.2.5. Are the documents legible and identifiable? Are they being reviewed when they're made and changed? Are the current revisions documents available to the people who need them? Are only the current revisions available - i.e. is there a risk of people using obsolete documents? Do you have a retention period defined? Are you keeping at least one copy of obsoleted documents? The specific requirements are some of the biggest questions to address. Showing that your system is controlling documents properly is more important than a validation protocol for Google Drive.
 

Randy

Super Moderator
Validation... I know our usage of google needs to be validated
Validated? Can you access what you need, when you need it, in the required format? YES or NO? I've audited Google doc control 500 times and never a problem from what I've experienced.

What about Disaster recovery?
Onsite, offsite, zip drive kept in a cigar box, you decide what's best for you and your needs and check it out in a test of some type. Maybe even use 2 different methods.

Is this approach viable for both ISO 9001 and 13485?
Yep

What problems am I likely to run into?
You making it too complicated and getting a goofball auditor that wants everything "his" way
 

KarenA01

Involved In Discussions
I've seen several posts on the Cove with people talking about keeping controlled documents on a hard drive. I don't think there's that much difference between keeping them on a hard drive and keeping them on Google Drive.

I would think keeping it on a local server over which you have control of the hardware and software and the cloud where you don't control such things at all would be a difference in kind.

Are the documents legible and identifiable? Are they being reviewed when they're made and changed? Are the current revisions documents available to the people who need them? Are only the current revisions available
<snip>
Do you have a retention period defined? Are you keeping at least one copy of obsoleted documents?

The answer is yes to all those things.

The specific requirements are some of the biggest questions to address. Showing that your system is controlling documents properly is more important than a validation protocol for Google Drive.

I am pretty sure our system meets all the document and record control requirements as long as we make sure we dot all our i's and cross all our Ts, fill out our forms etc... It is largely a manual system with Google Docs just for storage and access control.

Thanks,
-karen
 

KarenA01

Involved In Discussions
Validated? Can you access what you need, when you need it, in the required format? YES or NO? I've audited Google doc control 500 times and never a problem from what I've experienced.

Thank you very much ... We had an issue with a potential customer because they called google docs unvalidated for doc control, which has me worried about a 13485 certification Audit. For that I would expect we would need to show that our use of Google Docs is validated....

So I just need to write simple tests of the functionality and expected result, have someone do them and record the results and (assuming the expected results are obtained) just write a validation report saying it works as required?

Onsite, offsite, zip drive kept in a cigar box, you decide what's best for you and your needs and check it out in a test of some type. Maybe even use 2 different methods.
So we can't rely on Google's document storage?

Do you know if Google does anything to help enable that?
Do they provide backup service or provide a way to do things like incremental backup?
Downloading a lot of data from the cloud can take a long time! And so doing too often could be prohibitive....

BTW would weekly be seen as reasonable?

BTW What happens if during an Audit there is a net outage?

You making it too complicated and getting a goofball auditor that wants everything "his" way

I hope we are not doing too much... Most of what we are doing (except for using Google Docs) is based on the SOPs from my previous employer and they had gone through an FDA audit... though that was like 15 years ago.

As to goof ball auditors, we have been warned by our ISO9001 consultant that there are auditors like that... and the first thing to do is non-confrontationally ask them what clause in the standard requires that as we don't read the standard that way, and don't understand ... and then discuss interpretations, and hopefully that would be enough and not need to contest finding with the registrar.

-Thanks
karen
 

Randy

Super Moderator
As to goof ball auditors, we have been warned by our ISO9001 consultant that there are auditors like that... and the first thing to do is non-confrontationally ask them what clause in the standard requires that as we don't read the standard that way, and don't understand ... and then discuss interpretations, and hopefully that would be enough and not need to contest finding with the registrar.
Right off the bat, I'm one of those goof ball auditors :bigwave:. (It's all I do and I've already got 42 days this year completed and about 20 more before the 1st of June scheduled). You said something pretty good and that is to "contest" and ask for specific clause requirements. Don't be afraid to stand your ground and say "Show Me". 1st and foremost don't waste time interpreting and don't let the auditor say "this is how I interpret it". He's not there to interpret squat, he's there to verify through the acquisition of objective evidence that you've effectively implemented your QMS according to its requirements and your procedures.

We had an issue with a potential customer because they called google docs un-validated for doc control
Is your customer going to be accessing your documents, revising them and everything else? If not, then how you maintain, access, and all that isn't their stinking business unless there's a regulatory, industry, standard or contractual requirement stating otherwise. Now how you might maintain "documents" with their sensitive information could be an entirely different matter. And yeah, just test the Google system, but I'll tell you right here in front of the whole world, I've seen Google doc's used so often I can count, including the Stage 2 I'm doing this week, without any problems.

I wasn't joking about the "zip" drive for storage and maybe an onsite server w/backup power, a cloud based system and or other method. You need a solid way to get stuff if there's an outage, the net down is no excuse (it's called accessibility).

Backup weekly, daily, whatever as long as it fits YOUR needs and again unless there's a regulatory, industry, standard or contractual requirement stating otherwise.

A really good move would be to get the latest version of ISO 9000 (it's essentially a dictionary and if you have it you don't need to waste your time "interpreting" diddly).

Don't do 1 stinking, blessed thing to make any auditor happy and get a warm fuzzy, his happiness or lack thereof is his problem, not yours and it's not in your contract with whoever your registrar is....and read your contract!

You're going to get other information and help, and some will be very good like from Sidney and a couple others, balance everything out and go for it.
 

KarenA01

Involved In Discussions
Right off the bat, I'm one of those goof ball auditors :bigwave:.

Well from what you said I know you are not that type of auditor. Our Consultant told us of an Auditor that gave one of his customers a nonconformance for not having a corrective action procedure because theirs was a CAPA procedure and ISO 9001:2015 does not do CAPA only CA!

I wasn't joking about the "zip" drive for storage and maybe an onsite server w/backup power, a cloud based system and or other method. You need a solid way to get stuff if there's an outage, the net down is no excuse (it's called accessibility).

Do they still make zip drives? I don't think I have seen one for a VERY long time!

In terms of an outage, are you referring to say a few hours or a day when you can't get on the google for whatever reason or a major loss of data by the cloud provider?

The former would imply the need to have a parallel system ready to go (with all the access controls etc) if the net access went out even for such a short term (or a paper system). That is much more than a simple backup/ disaster recovery plan.

A really good move would be to get the latest version of ISO 9000 (it's essentially a dictionary and if you have it you don't need to waste your time "interpreting" diddly).

I have one and will read it.

balance everything out and go for it.

I don't have much choice... we are having an ISO-9001 "pre-Audit" by our registrar very soon!

After we get 9001 certified, then we need to start working to be ready for 13485!

Thanks,
-Karen
 

Randy

Super Moderator
Our Consultant told us of an Auditor that gave one of his customers a nonconformance for not having a corrective action procedure because theirs was a CAPA procedure and ISO 9001:2015 does not do CAPA only CA!
That's when you stop the audit and say "Leave". You can use whatever terminology you want including "The Humpty-Dumpty How We Fix Stuff Way" as long as it's clearly understood, controlled and everything else........That goes for everything

Do they still make zip drives?
Yep, but use anything that will allow you to store and access information.........I carry 2 "zips" myself with all my critical laptop stuff. Portable hard drive, server, whatever.

In terms of an outage, are you referring to say a few hours or a day when you can't get on the google for whatever reason or a major loss of data by the cloud provider?

1 minute, 5 minutes, 5 hours, 3 days, if you can't access information due to system failure you're wrong.........Tell OSHA you can't get SDS information because of system failure and they'll help lighten your bank account, it's not an excuse and hoping it comes up is not a strategy.

I don't have much choice... we are having an ISO-9001 "pre-Audit" by our registrar very soon!
For certification purposes "Pre-Audits" shouldn't count and after you get your 1st NC, stop the audit and show that person the door.
 