Dropbox is a file sharing platform familiar to millions throughout the world. Once a personal file storage and sharing solution, its business version has now morphed into something closer to a document management system. But should you use Dropbox for your medical device QMS?
First launched as a ‘minimal viable product,’ Dropbox has tracked over the years how customers have adopted it and has productised business and enterprise versions of the software for team collaboration. Many businesses now use it as a central repository for their business filing, as it supports different document types, can store and restore previous versions, show activity history in documents and automate workflows.
Should Dropbox be your med dev QMS?
Thanks to its ubiquity and low-cost reputation, Dropbox is often floated as a suitable candidate for medical device development companies as they look to digitise their operations and build a QMS. But is it up to the job?
Here are some pros and cons of the Dropbox for business solution - and an assessment of whether it can and should be used as the foundation of your med dev digital Quality Management System.
Dropbox has many great collaboration features, as you’d expect from a product that has had tens of millions of dollars lavished on its development. You can work on any device (mobile, tablet or laptop). Documents of all sorts can be opened and edited within the app so you’re not bouncing about between different systems to make and review changes. There are notifications built in to tell people when they need to work on a document, respond to comments or make their additions. Slack and Zoom can be integrated so you can instantly give feedback and discuss documents with others in real time. Large documents can be shared instantly, and all changes are recorded centrally in real time. It’s a great user experience that can make your life easier and working a frictionless pleasure.
Access and security
Using Dropbox you can easily manage access rights to the system within your team, and by third parties. You can control access to individual folders and individual files. A control panel will give you the activity reports of individual files and by named individuals. With third party sharing you can see and send links to specific individuals and protect those links with passwords, while setting and managing expiration dates for access. These controls tick many of the boxes for using a digital document management system that are specified in FDA 21 CFR Part 11.
But now things start getting trickier for a medical device developer:
Your audit trail in Dropbox
Audit trails are incredibly important in medical device development - you need a complete history of all the changes and iterations of your quality documentation to ensure traceability and satisfy the regulation.
Dropbox for business will create an audit trail for your documentation - it will give you access to all previous versions of a file and tell you who has changed what and when - but only for a maximum of 180 days for Business users. After that the versions won’t be available:
“Dropbox Sync automatically stores every previous version of a file. All of your files can then be accessed or reverted for up to 180 days. Sync also serves as a backup for the current version of the file.”
This is an obvious problem for a medical device developer who needs to keep documents and records for long periods, archiving them regularly to ensure the system is effective and navigable. You can buy access to extend this period, but if you add this feature later you won’t be able to retrieve those previous versions.
Approval and workflows
You can set up basic workflows easily in Dropbox. For example, Dropbox suggests you can use the system for onboarding:
- Step one: HR manager to send a welcome email with onboarding documents to all new hires
- Step two: New hire to read welcome email and open attached documents
- Step three: New hire to sign contract of work and send back to HR
- Step four: HR to process and store documentation
So far, so good. But what about more complex approval sequences, like seeking approval before documents are released for wider use and consumption? In the example above HR needs to manually process the documentation, rather than have it automatically published in a pre-selected folder.
You’re going to need specific workflow integrations to make multi-party approval sequences work in the way required by medical device regulation. There’ll be a lot of extra development required to ensure that documents are properly labelled as drafts and issues - and given periodic reviews by required parties. It will require extra effort to ensure quality documents can be automatically shared, withdrawn and superseded subject to their approval status.
Dropbox for business is going to struggle to manage design phase gating in the way required by ISO 13485 and FDA 21 CFR Part 11.
In both the standard and the regulation, companies need to ensure ‘stage gates’ are imposed at specific points in the design and development process. This means user requirements and specification documents need to be reviewed against design deliverables at set intervals, to assess whether work has been done as required.
To automate this process and prevent omissions or mistakes in design validation, you’re going to require ‘document holders’. These are dynamic folders where multiple documents can be held in one place waiting for completion and subsequent review by named stakeholders. Once every document in the group has been completed, reviewed, and approved by each stakeholder, only then can the bundle as a whole be approved to trigger the next stage of development.
Without a lot of extra work, it’s going to be difficult for Dropbox to automate this process and record the actions you’ve taken to comply for future auditors.
What’s more, the FDA requires that these approvals are given by electronic signatures - which must be set up and managed in very particular ways.
E-Signatures in Dropbox
FDA 21 CFR Part 11 says if you are using a digital document management system, required approvals must be given by electronic signature and these actions (together with their meaning) need to be recorded in an indelible audit trail.
The regulation specifies how they must be set up and managed in your system and how the identity of the user must be verified when they are deployed, to prevent misuse or falsification.
Dropbox offers HelloSign as its electronic signature plug-in - but states in its own documentation:
“Dropbox and HelloSign do not offer compliance support under 21 CFR Part 11 specific to electronic signatures.”
If you are planning to use Dropbox for your Quality Management System, this should immediately set alarm bells ringing. You might be able to build in some kind of workaround to try and meet the letter of the regulation with the available tools, but it represents a big risk and a lot of potential work that could end up in a failed audit.
What’s the Cost?
Solutions like Dropbox are often chosen as the base for a QMS because their offerings are perceived as simple, accessible, and affordable.
They are certainly flexible in their payment structures - offering pay per seat, PAYG, monthly or annual licenses. But these costs can quickly escalate as your storage needs grow and you have to pay for extra seats for new starters and contractors.
Not only this, but a glossy user interface may only get you so far. Without adaptable workflow templates for mandatory processes like CAPA, you may spend considerable time and resources building out workflows that don’t work properly and don’t meet the regulation. You may end up getting sidetracked building out change and design control solutions that would be easier to configure within a proprietary Document Management System.
Dropbox for business might be a great tool for frictionless, creative collaboration, but it isn’t straightforward (or always possible) for it to deliver against the requirements of ISO 13485 and FDA 21 CFR Part 11. And in some major respects, even Dropbox seems to think so.