A guide to document control for medical device developers

Document controls bring order to complex medical device projects. They are the processes and procedures that ensure documents in a company are created, approved, distributed, and archived in a systematic way throughout their lifecycle.  Document controls are central to the quality management standard ISO 13485:2016, as well FDA 21 CFR Part 820 and the MHRA GxP. They are key to minimising the risk of product failure and harm to patients.

File sharing platforms like Google Drive and DropBox are all firms in some sectors need to manage their business documents. They let them collaborate across devices, sharing new ideas and comments on files with selected colleagues and third parties.

Other companies need more. They need to structure their filing to prevent overwriting and improve search. They need robust storage, versioning and indexing solutions to help manage their business effectively.

If you’re working in the medical device industry: you need more

Medical device developers need the most robust digital tools in place to keep their complex projects on track. They need to ensure documents can be kept secure, formally reviewed, approved and released to prevent dangerous lapses and mistakes in process. They need to ensure procedures are followed, while recording evidence that products have been built to required safety standards. They need to make the full records of their development processes available to auditors on demand.

They don’t just need to manage their documents - they need to control them.

It’s helpful to think of this like a pyramid, a hierarchy of information management needs, with the med dev sector needing access to the highest levels of control to deliver required quality outcomes.

Document management is about storing, sharing, and tracking documents to improve the efficiency of your operations. But document control is about marshalling the flow of knowledge and data in your organisation through workflows. It’s about automating and streamlining the way you handle critical information, to minimise the risk of product failure and harm to patients.

The stakes are high in medical device development

A typical med device product now takes between 3 and 7 years to come to market.
Failing audits can result in delays to launch, recall of products, costly reworking of procedures and heavy fines for noncompliance. The financial cost of quality failure in med dev has been estimated by McKinsey at $2.5 billion - $5 billion annually.

Document control can be a life and death matter

But the potential human cost of medical device failure can be even more devastating, as your customers can be seriously injured, or even die, as a result of malfunctioning products.

The ISO standard and FDA regulation, therefore, focuses on the way requirements are met, outputs are continually validated against inputs, and risk is managed throughout the product lifecycle.

Accountability and traceability loom large in the med dev regulatory landscape.

Required document controls are exacting in the standards and regulation to ensure the ultimate safety of end-users..

There are more mandated processes and procedures for you to define and follow than in other quality standards such as ISO 9001;2015. These include:

• Risk management
• Change control
• Design controls
• Customer complaint procedures
• CAPA reporting
• Post-market surveillance 

In the last few years, enterprise solutions created by Google, Microsoft One Drive, DropBox and Box have started offering packages with many more document management features included.

They’re offering more sophisticated version control capabilities to keep track of changing documentation, tools for limited workflow automation, digital signature integration, as well as collaboration tools that have always excelled at. In doing so they’re becoming more than simply file-sharing platforms and becoming better at document management.

But they’re still falling short on delivering the granular control throughout the document lifecycle that is required for an effective med dev Quality Management System.

The document lifecycle is the stages that a document goes through from when it is created, to when it is archived or deleted at the end of its useful life.

If you’re using a paper-based filing system or a mix of digital platforms to drive your med dev project, omissions and mistakes can easily go unspotted and uncorrected over time. This, in turn, can lead to serious quality and compliance issues later on.

But if you have control over the entire lifecycle within an Electronic Document Management System (eDMS) you can automate the flow of information and data, closing process gaps - ensuring quality and consistency in the way you develop your products.

An eDMS retains the integrity of the data and knowledge vital for the production of safe and effective products even as your documents change and evolve.

The right eDMS is vital to help you build an ISO 13485 compliant Quality Management System and meet the demands of the FDA .

820.40a outlines the following QMS requirements for document approval and distribution:

• Each manufacturer shall designate an individual(s) to review for adequacy and approve prior to issuance all documents established to meet the requirements of this part.
• The approval, including the date and signature of the individual(s) are approving the document, shall be documented.
• Documents established to meet the requirements of this part shall be available at all locations for which they are designated, used, or otherwise necessary, and all obsolete documents shall be promptly removed from all points of use or otherwise prevented from unintended use.

Meanwhile, 820.40b concentrates on the detail of required document change control.

• Changes to documents shall be reviewed and approved by an individual(s) in the same function or organization that performed the original review and approval, unless specifically designated otherwise.
• Approved changes shall be communicated to the appropriate personnel in a timely manner.
• Each manufacturer shall maintain records of changes to documents.
• Change records shall include a description of the change, identification of the affected  documents, the signature of the approving individual(s), the approval date, and when the change becomes effective.

Medical device development requires a whole different level of document approval and change control than other quality standards like ISO 9001:2016.

Developers need a cast iron way to prove who has signed off on what documents and when, and make every decision in a development process trackable and traceable.

Because of this, FDA CFR 21 Part 11 specifies exactly how electronic signatures need to be configured and deployed by medical device developers to guarantee the security and the effectiveness of your document controls.

The FDA require you to protect e-signatures from falsification and misuse, by ensuring:

• Only administrators can control the use of e-signatures in the system
• E-signatures remain unique to individuals
• E-signatures are password protected (with passwords changed frequently)
• Authentication takes place when they are used
• An approval can always be linked to a specific individual
• Documents show the printed name of the signatory
• Documents always show the date and time a signature was applied
• Documents show the meaning of the approval - i.e. what the signatory intended
• The signing event is added to the documents’ secure audit trail
• The signature cannot be removed once it is applied
  
  These requirements for document control via e-signatures help to manage the integrity of the information within your quality management system.
  

  They ensure documents can be:

• Approved and reapproved by appropriate people when required
• Protected from unauthorised change throughout their lifecycle
• Have a full audit trail proving who approved each iteration of a document and when
  
  

Automation with the right document control software can help you marshall your processes to deliver safe and effective medical device products in the required way. They can cut the risk of omissions, delays and mistakes, making auditing a more efficient and painless process.

Right now, the required pace and complexity of medical device development projects makes it a an absolute necessity. Faster innovation in the sector is being driven by urgent challenges like Covid-19 and a rapidly ageing population - while strides in new technology like SaMD and IOT are making development, validation and testing much more complex and time-consuming.

Paper-based systems are groaning under the strain - and Google Docs just can’t deliver the level of required control you need.

So, what are the key features you should look for in eDMS software

to give you maximum velocity and control?

1. Security

The tools for managing a digital hierarchy of access control is critical to ensuring that everyone in your organisation has secure and rapid access to the material they need to do their job.

You need the right people to be able to find and share data easily, but you also need to keep sensitive medical data secure. An electronic document management system built to the standards of ISO 27001 should give you confidence that you can prevent lapses and leaks that lead to extra work and fines.

2. Flexible workflows

One size fits all workflows won’t work for a scaling med dev business. Document control software gives you complete control over workflows for different document types so you’re always working in a way that suits you.

It helps to have templates for mandated SOPs such as complaint management, nonconformance reporting and CAPA - but you still need the ability to configure them to match the way you want to work. Flexibility with workflows is critical if you don’t want to be unnecessarily tied into a vendors’ way of doing things.

3. Intelligent review and approval tools

Intelligent rules for required review and approval makes information flow through at the right time to the right people. This is important in med dev where a huge amount of mission critical data is shared daily between teams. Great document control software makes this process as Lean and slick as possible through:

• Conditional routing options
• Parallel routing options to send documents to a group or named individuals all at once
• Reminders to notify users about upcoming and overdue document approvals
• Automation of periodic review of key documentation (SOPs etc)

The right solution will ensure your people and their teams are alerted when they need to act. It will automate review processes and offer e-signature approvals to eliminate the long waits for multiple sign-offs that can haunt a manual process.

The right electronic review and approval tools will help you strip back unnecessary communications and the background noise that can distract a team from getting work done.

4. Control over metadata

Metadata helps you categorise, search, filter and report on documents more effectively. The right solution will let you add metadata as needed, creating unique fields, categories and keywords to your system, linking documents, speeding up search and audit, ensuring vital knowledge and data does not get lost or ignored. In a powerful document control system meta-data can even be used to trigger process workflows helping you customise your solution in ways that always answer your specific project needs.

5. Seamless knowledge sharing

Document controls help you build a hub of organisational knowledge that everyone in your business can refer to for guidance and training. The right solution helps you make all training and process documentation available in the most suitable format for its purpose (from written documents, photos, videos, to flow diagrams). Document controls ensure this material is always usable, up-to-date and available whenever and wherever it is needed.

6. Document phase-gating for design controls

Medical device developers need to phase gate their design process for ISO 13485 and FDA Part 820 compliance. This means marshaling lots of complex documentation to support cycles of planning, execution and review; continually validating deliverables against designs and user requirements.

‘Document holders’ should be used to assemble required documentation for each phase of a development process (including user specs, engineering designs, validation matrices), triggering approval sequences when the right documents are in place and completed. When approval is given from all stakeholders, documents can then be formally published and the next phase of the project started.

Automating design controls and creating vital STOP/GO moments in your process, optimise your use of resource, minimise validation errors, and ensure your whole team is always focusing their effort where it’s needed most.

7. Robust version control and obsolescence processes

These processes should drive consistency, efficiency and control to ensure the ease of navigation in your system and reduce mistakes. A great piece of document control software ensures:

• There is only one master version of every document visible in your system at any time
• New documents replace old ones and previous documents are held until they are superseded
• Current issues, obsolete and superseded versions of documents are clearly labelled and water marked in your system.
• Documentation no longer required can be is archived correctly for retrieval as required by the regulation

8. Change control tools

Document change control prevents scope creep, unauthorised work, and dangerous mistakes. The right automated process helps you ensure change requests go through required sequences of scrutiny by key stakeholders before they are accepted.

The nature of these changes and who approved them will then be instantly recorded as part of your audit trail. When changes are made they can be automatically reviewed by key stakeholders at a later date, to ensure they have had their intended effect.

9. Forms should come as standard

A great document control system should let you set up forms to automate mandatory SOPs such as CAPA, Change Control, training attestation, complaints and calibration. These forms should be templated, but flexible enough for you to edit, creating your own drop-down menus, labels, free form boxes etc, so you’re capturing the information you need to drive your unique process as efficiently as possible.

10. E-signatures built-in

FDA 21 CFR part 11 and MHRA’s GXP require changes and approvals to quality documentation in a digital system to be signed off with e-signatures. These e-signatures should be:

• Controlled by administrators to ensure they cannot be misused or falsified
• Unique to individuals
• Authenticated in certain ways every time they are used

Records of sign-off, including the date and time of approval, as well as the identity of the signatory, should be automatically added to documents in their audit trail.

The right document control software shouldn’t rely on expensive third-party digital signature integrations but should have a compliant solution built-in.

11. Traceability

With the right document controls in place, you should have complete accountability and traceability throughout your product development process. You should be able to see the details of every change made to every quality document in unalterable audit trails.

In medical device development this is essential so that the source of non-conformities in products can be rapidly traced and corrected.

As medical device scandals such as PIP and Theranos continue to break and force changes in legislation - companies need to ensure they have complete transparency around process, clinical evidence and compliance. Not only is this a requirement for regulators but it will reassure investors that your innovations are safe and efficacious.