DMS standard compliance
Statement on standard and regulatory compliance
The DMS software can be used to maintain documents and records in a quality management system (QMS) in a way that is compliant with most standard and regulatory requirements.
Depending on your application, the requirements on quality systems for maintaining documents and records come from the following standards and regulations:
- Medical devices:
  - ISO 13485:2016 standard (sections 4.2.4 and 4.2.5 state the relevant requirements for compliance)
  - FDA CFR 21 part 11
- General products and services: ISO 9001 sections 4 and 7.5
If your organization has a quality management system according to any of the above-mentioned standards and regulations, you can leverage DMS to meet many of the requirements.
DMS is a purpose-built document management system with a built-in workflow for reviewing (approving or rejecting) document revisions, designating approved versions of documents, and maintaining records of documentation-related processes in a quality system.
The DMS software allows teams to create, gather, share and manage quality-related documentation efficiently. It acts as a document repository that tracks what changed in each document, when, and by whom. It also tracks which documents have been approved (or rejected) in document review, and the state of each document (normal, archived, discarded).
Access to DMS is based on individual user accounts secured with passwords and/or passkeys.
The DMS software is intended as a self-hosted service that runs on a server, which may be placed behind the company firewall and/or be accessible through a VPN.
ISO 13485:2016 requirements
The sections 4.2.4 Control of documents and 4.2.5 Control of records provide requirements that are applicable to document management software.
Requirement | DMS statement |
---|---|
4.2.4 (a) Review and approve documents for adequacy prior to issue | DMS enforces a document review and approval process for documents. This approval process is supported by password/passkey-secured accounts (equivalent to electronic signatures). Following a document review, the document revision is approved and assigned a version number. Each document is identified by a unique number assigned automatically by the software, and there is automatic document revision control with preservation of the complete history of each document. |
4.2.4 (b) Review, update as necessary and re-approve documents | DMS supports an ongoing document management process that includes updating/revising and reviewing and re-approving documents. Documents can also be archived or discarded, as needed. |
4.2.4 (c) Ensure that the current revision status, and changes to documents are identified | DMS clearly distinguishes between approved versions and draft revisions of documents. The software provides a full change history for each document with records for review details and revision comments. DMS also allows for comparison between different revisions of a document so it is clear what has changed. |
4.2.4 (d) Ensure that relevant versions of applicable documents are available at points of use | DMS will by default display the last approved version of a document. Depending on the network/security configuration, users with a DMS account can access documents via the Internet using a web browser. Documents can also be exported by users to PDF or printed on paper. Exported documents will not, however, contain the full change log, but will include a notice that refers to the original digital version. |
4.2.4 (e) Ensure that documents remain legible and readily identifiable | The DMS software ensures that documents remain legible by storing them as Markdown formatted text. The organisation is responsible for ensuring that the server running the DMS software is available, and that an effective backup/restore process is in place, as described in the Admin Guide. Each document is readily identifiable by a unique document number assigned automatically by the software. DMS clearly distinguishes between approved versions and draft revisions of documents. |
4.2.4 (f) Ensure that documents of external origin are identified and their distribution controlled | External documents can either be referenced in DMS documents, e.g., using weblinks, or attached (as PDF or other file types) to DMS documents. This leverages the built-in process for reviewing and approving the use of external documents, and provides the same mechanism for distribution control as used for other DMS documents. |
4.2.4 (f) Prevent deterioration or loss of documents | DMS prevents deterioration or loss of documents by storing documents digitally, but it is necessary for the organisation to mitigate possible hardware failures, software bugs or cyber security incidents by having effective backup routines for the software database and data directories, as described in the Admin Guide. |
4.2.4 (g) Prevent the unintended use of obsolete documents and apply suitable identification to them | Documents in DMS can be archived or discarded, as needed, to prevent the unintended use of obsolete documents. Archived documents are clearly identified as such in DMS, and they can be retained as long as needed (throughout the lifetime of the medical device, or as specified by regulatory requirements). |
4.2.5 Records shall be maintained to provide evidence of conformity to requirements and of the effective operation of the quality management system. Records shall remain legible, readily identifiable and retrievable. Changes to a record shall remain identifiable. | DMS automatically retains records of document revision and review processes. Records of other quality processes can be stored as documents or as attachments to documents in DMS, as formalised in the organisation's QMS procedures. Access to documents and records is limited to those with a valid user account for DMS. Each document is readily identifiable by a unique document number assigned automatically by the software, and the software provides a full change history for each document with records for review details and revision comments. DMS prevents deterioration or loss of documents by storing documents digitally. See also items 4.2.4 (e), (f) and (g) above. |
To be compliant with the standard's requirements, the use of the DMS software shall be supported by additional QMS processes such as:
- Periodic review of approved documents to ascertain whether they are still current or have become obsolete.
- Create and maintain forms and document templates that support processes in the QMS.
- Validate that the DMS software meets the requirements of your quality management system.
FDA CFR 21 part 11
DMS can be used to maintain documents and records in quality processes compliant with the FDA regulations. The DMS software acts as a closed system where access to the system is fully controlled by the company.
CFR 21 part 11 describes requirements for:
- Electronic records (Subpart B)
- Electronic signatures (Subpart C)
Subpart B - Electronic Records
Requirement | DMS statement |
---|---|
11.10 (a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. | The organisation is responsible for validation of their document management system, and should therefore create a validation plan that defines scope and methods of validation appropriate to how the system shall be used. DMS ensures that documents and records are maintained so that they can be retrieved accurately and reliably in a consistent manner. DMS clearly discerns between document states and does not allow creation of invalid or altered records. |
11.10 (b) The ability to generate accurate and complete copies of records in both human-readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records. | DMS allows users to export (clearly marked) electronic copies of documents (as PDF or paper print) and makes both documents and records easily accessible for inspection, review and copying. |
11.10 (c) Protection of records to enable their accurate and ready retrieval throughout the records retention period. | The DMS software ensures that documents remain legible by storing them as Markdown formatted text. The organisation is responsible for ensuring that the server running the DMS software is available, and that an effective backup/restore process is in place, as described in the Admin Guide. |
11.10 (d) Limiting system access to authorized individuals. | DMS limits access to documents and records to those individuals with a valid user account. |
11.10 (e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying. | DMS automatically retains records of document revision and review processes. The software provides a full change history for each document with records for review details and revision comments. Documents are never deleted, but may be archived or marked as discarded (though they are still available for retrieval by an admin). DMS also allows for comparison between different revisions of a document so it is clear what has changed. The organisation shall employ a backup strategy to ensure that documents and records can be restored in a hardware/software failure event. |
11.10 (f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate. | DMS has a predefined document review workflow that underlies the document approval process. A draft document can be assigned a specific reviewer (if required, based on the organisation's procedures). The review workflow requires a digital signature (password or passkey) to approve or reject a draft document. Progress through the review workflow steps can be notified by email (requires mail server configuration). |
11.10 (g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand. | DMS requires that the user has the necessary authority to access documents, and requires electronically signed approvals in document reviews. |
11.10 (h) Compliant Electronic Document Management Systems must use device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction. | Not applicable - the source of data is not a device. |
11.10 (i) Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks. | The organisation must ensure that the team is properly trained to use DMS and the review workflow / document approval process. The organisation should also maintain training records, as needed. |
11.10 (j) The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification. | The organisation should enforce a security policy regarding user credentials (password/passkey) to access DMS, to prevent unauthorised use of the system. |
11.10 (k)(1) Use of appropriate controls over systems documentation including: 1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance. 2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation. | DMS can manage system documentation. The software automatically enforces the review workflow for document approvals, and it ensures that documents are maintained with a time-sequenced audit trail of any modifications. The organisation may export system documentation (as PDF or paper print) so that it can be used even in the event that the DMS cannot be accessed due to hardware/software failure. The organisation may require that such exported documentation should be kept secured to avoid a security breach. |
11.50 (a) Compliant Electronic Document Management Systems ensure that signed electronic documents contain information associated with the signing, clearly indicating all of the following: 1) The printed name of the signer. 2) The date and time when the signature was executed. 3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature. | DMS provides a document info page with detailed data for each document review and approval (electronic signature), including the full names of the author and reviewer, the date and time of approval, the unique document id, revision and version numbers, which constitutes the meaning of the signature. |
11.50 (b) The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout). | DMS ensures that the information required by 11.50 (a) is available in the on-screen display as well as in exported printouts and PDF files. |
11.70 Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means. | DMS maintains the integrity of signatures in the internal database tables and the information cannot be falsified through manipulation of the software's user interface. The organisation may enforce a security policy regarding access to files created and used by the DMS software, to prevent modification of the software's data storage. |
Subpart C - Electronic Signatures
Requirement | DMS statement |
---|---|
11.100 (a) Each electronic signature shall be unique to one individual, and shall not be reused by, or reassigned to, anyone else. | The organisation should put policies in place to ensure that users' credentials (password/passkey) are not reused or reassigned, and that a request for user password/passkey change cannot be intercepted, and that user passwords are chosen and stored in a secure way (or that passkeys are used instead of passwords). |
11.100 (b) Before an organization establishes, assigns, certifies, or otherwise sanctions an individual's electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual. | The organisation should put policies in place to verify the identity of individuals before they are granted access. |
11.100 (c) Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures. | The organisation should submit a document describing its use of electronic signatures to the FDA. |
11.200 (a)(1) Electronic signatures shall employ at least two distinct identification components, such as an identification code and password. | In DMS an individual user electronically signs a document approval by providing their credentials: either (1) username and password, or (2) their secure passkey (which is a website-unique long cryptographic key stored in their personal computer's credential storage, and protected by either a biometric credential or an additional credential pair such as username and password). |
11.200 (a)(1)(i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual. | DMS requires that valid credentials are provided for system access and for each signature. See also 11.200 (a) above. |
11.200 (a)(1)(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components. | See 11.200 (a)(1)(i) above. |
11.200 (a)(2) Electronic signatures shall be used only by their genuine owners | See 11.100 (a) above. |
11.200 (a)(3) Electronic signatures shall be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals. | A digital signature in DMS can only be performed by the owner of the credentials, or by any individual that the owner has shared the credentials with. See also 11.200 (a)(1)(i) above. DMS cryptographically hashes the user credentials stored in the internal database. A system admin may request a user password change, but cannot access the stored user credentials in a useful way. |
11.300 (a) Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include: (a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password. | In DMS the email address of the user is used as a unique username, and users choose their own password. See also 11.100 (a) above. |
11.300 (b) Ensuring that identification code and password issuance are periodically checked, recalled, or revised (e.g., to cover such events as password aging). | DMS does not enforce a specific password policy. The organisation should put in place policies for ensuring that user credentials are safe and valid, and that access rights are current. |
11.300 (c) Following loss management procedures to electronically de-authorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls. | The system administrator can revoke access to DMS, and it is also possible to request a password change for individual accounts. |
11.300 (d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management. | The organisation should put in place policies for securing the DMS server and required infrastructure, such as requiring the use of encrypted communication and limiting access to the DMS server and backups. |
11.300 (e) Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner. | The organisation should put in place policies for use of secure devices for storing credentials. |