DMS Insights from Cognidox

Why not just use Google Drive for your medical device QMS?

Written by Joe Byrne | 08 Dec, 2021

A Quality Management System is a requirement for medical device developers across the globe. But should you build yours with Google Drive?

What can Google Drive do?

Google Drive is a file-sharing platform reportedly used by 2.6 billion people around the world every month.  In addition to this, 5 million paying businesses are using the enterprise version of the software to store and collaborate on their business documentation.

The G-Drive, used with the rest of Google's Workspace tools, allow colleagues to collaborate on documents across multiple platforms, sharing, editing and commenting on files in real-time.  Together they can support basic workflow automation to create approval sequences, using third party e-signature plug-ins where required.

But does Google bring the level of document control necessary to build out a quality management system that meets the requirements of ISO 13485 and FDA 21 CFR Part 820 and Part 11?

See how Cognidox can help you be ready for FDA compliance

What document controls do you need for a med dev QMS?

Document controls are central to building a medical device quality management system.

They are so important they have their own dedicated section in both the ISO 13485 standard and the FDA regulation. They are the tools and procedures you need to identify, protect, approve, review, retain, retrieve, share and manage changes in your documentation. They include detailed requirements for securing your systems, maintaining audit trails and integrating e-signature approval.

All these controls are intended to help you: preserve the integrity of the data you use, make your process transparent and trackable, and minimise the risk of product failure and harm to end-users.

Should you use Google Drive to build a med dev QMS?

Here are 7 questions to ask before you decide:

1. Can the G-Drive secure your data?

A medical device QMS must protect your data and information from loss, misuse or accidental deletion throughout their lifecycle. A digital Quality Management System should give you granular access control tools: the ability to assign and revoke access to the system at will, scan the system for misuse, and force regular password changes to prevent security breaches.

Within the system you need to ensure documents are always owned by named individuals.  You need the tools to restrict access and sharing rights to other individuals or groups.

Medical device developers often house sensitive personal data, so your system will also likely need to be GDPR compliant and even built to ISO 27001 security standards.

The G-Drive will struggle to deliver this level of security, access control, document ownership, editing and distribution rights - and it’ll be hard work to validate that it’s doing so.  Without a dedicated piece of document control software built to answer these stringent demands, you’ll find it hard to satisfy future auditors that you can guard against unauthorised access, data loss and deletion.

2. Can you approve documents prior to use with the G-Drive?

ISO 13485 and the FDA CFR 820 specify that you must be able to approve and reapprove documentation before use and as required in your documents’ lifecycle.

Google Drive lets you define and automate basic workflows allowing documents to be reviewed, approved/ or rejected by specific users before they are made available for general use. But what about more sophisticated approval workflows? Can you:

  • Automatically require reapproval when documents are changed?
  • Automate periodic checks of SOP documentation to ensure continuing compliance?
  • Automate approval reminders to keep documents flowing through the system?
  • Deliver required design controls in complex phase-gated projects?

Google Drive will struggle to move beyond the most basic approval features.  And it will be impossible to impose and automate the sophisticated design controls required for a FDA and ISO compliant QMS.

3. Design controls - can you phase gate your process with G-Drive?

ISO 13485 and FDA 820 both require medical device product design and development to be delivered and controlled in stages.

ISO states you should be continually reviewing deliverables against your designs in cycles of planning, implementation, review and optimisation (the classic PDCA sequence of ‘plan, do, check, act’).

“At suitable stages, systematic reviews of design and development shall be performed in accordance with planned and documented arrangements to:

a) evaluate the ability of the results of design and development to meet requirements;

b) identify and propose necessary actions"

The right digital Quality Management System will help you automate these processes allowing you to group required documents together for review at critical stages, only allowing the next phase of development to be triggered when the previous one has been completed, reviewed and approved.

Google Drive does not come with the ‘document holding’ features necessary to automate phase gating in this way.

Why design controls matters in medical device development

4. Can you authenticate E-signatures with G-Drive?

The FDA and the MHRA in the UK have many requirements for the use and authentication of e-signatures which will be difficult to customise and automate using third party plug-ins. For example,  the FDA specifies:

When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.

Many companies using Google Drive struggle to ensure that the right level of authentication controls for e-signatures are in place when they’re building their solutions.

A 21 CFR Part 11 checklist: 7 keys FDA e-signatures requirements

5. Are G-Drive audit trails sufficient for the FDA?

The FDA and ISO both require developers to have a complete audit trail for all their quality documentation.  In CFR 21 part 11 it specifies developers should have:

“secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records.”

In addition to this, the FDA requires that all changes to digital documents are approved with e-signatures which must include the date, time, and ‘meaning’ of the signing event (e.g. approval, rejection, approval with conditions).

If you’re using third-party e-signature tools, it can require considerable extra development to append the meaning of a signature to your audit trail in G-Drive.

6. Will documentation be accessible and usable in the G-Drive?

Medical device regulations require that documents are made accessible and usable for those who need them - at the point of need.

In modern, digital business documents are created and used in all kinds of formats from word documents to CAD files and even more specialist file types. A good eQMS will automatically store different document types as PDFs so they can be opened, reviewed and approved by everyone regardless of whether they have the required software installed on their device.

Google Drive does not come with this functionality, which makes it a less effective auditing and review tool.

Beyond this, the whole system needs to be structured logically and indexed with meta-data to ensure internal users and auditors can retrieve data as and when they need it.

But accessibility should be balanced with security.  Developing and maintaining an organised QMS, that is accessible, searchable and robust requires the very highest level of document control software.

7. Can Google Drive control your versioning?

In a medical device development project, the accuracy of the data and information you use is imperative.  Making mistakes in procedure and data analysis can result in expensive and potentially lethal errors.

Ensuring draft or obsolete documents cannot be used in error is a critical part of document control in a medical device QMS.

Google Drive does not automatically differentiate between drafts and issues.  There is no automated naming convention that allows users to quickly tell which is the latest and most up-to-date versions of documents as they look at a folder.

A good digital QMS will have just one master version of each document visible in the system at any time. Old versions of documents will be automatically archived when a new version supersedes it.

The labelling and watermarking of obsolete and draft documentation will make their status very clear to the reader - and that’s not something a G-Drive solution can do for you.

Is Google Drive the answer?

Google Drive is a popular and powerful tool that many businesses use successfully to store their documentation and run their companies. 

However, when it comes to meeting the complex demands of FDA and ISO compliance the document controls offered by Google Drive typically fall short of requirements.

From e-signature authentication to advanced document control and phase gating development, the G-Drive will struggle to help you build a Quality Management System that answers all these needs.  

At worst it’ll result in failed audits - at best it’ll suck up valuable time and resources as you build and maintain your patches and workarounds.