Compliance Solutions

Cognidox helps organisations comply quickly and easily with regulations and quality standards.

Cognidox offers a QMS and a product development platform that is a certified, validated software application for regulated industries like medical devices and high tech products. Select the sections below to find out how we support each standard.

FDA 21 CFR 11 Compliance

Clause | Regulation summary | Cognidox document management system

B

Electronic records

11.10

Controls for closed systems.

Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following:

Cognidox is document management software for the high-tech, medical device, and life science product sectors. It is a closed system that improves visibility and control for the development process and the entire business.

11.10a

Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.

Cognidox provides a software validation pack to assist customers to validate their use of Cognidox in relation to medical device regulatory requirements. The pack includes a Validation Report, an IQ template, a PQ template, a completed PQ-OP example and test specifications and results.

Cognidox prevents approved documents from being altered. Approved documents cannot be changed. The event log stores time-stamped records of all actions taken and by whom; these records cannot be amended or deleted. Users cannot delete previous versions (only system administrators can do this, and the event log records what has been done).

11.10b

The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records.

Documents are available in their original format and in read-only PDF form; these can be downloaded as required, subject to the user having an appropriate security profile.

Cognidox can also export meta-data, version, and approval information subject to the user having an appropriate security profile.

11.10c

Protection of records to enable their accurate and ready retrieval throughout the records retention period.

All documents and metadata are protected from deletion by users even if marked as obsolete. Manually deleting documents and metadata is a restricted right and the action is recorded and time-stamped in the system log. There is no automatic deletion at the end of a retention period.

All documents and metadata, even if marked as obsolete, can be found via the enterprise-level search facility.

11.10d

Limiting system access to authorized individuals.

System access is controlled via unique user IDs and strong passwords. All Cognidox actions are controlled by user rights. There are over 180 user rights that can be assigned via role groups or individually, allowing fine-grained access to the system.

Attempts to access the system can be blocked for a period after a specified number of incorrect password attempts. System access via Windows Active Directory can be provided. Authentication can also be configured to use a customer's SAML-based single identity provider.

11.10e

Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.

Documents, metadata, and system access have event log entries that provide time-stamped records of all actions taken and by whom. The log cannot be amended or deleted and there is no time limit applied to the records. These read-only records can be made available to users with rights to view the event log.

11.10f

Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.

Cognidox has an established workflow for all documents. System settings can make these workflow steps, and supporting information, mandatory.

The system can enforce the workflow and prevent inappropriate sequencing; it can also make the use of specific named users for approving documents mandatory.

11.10g

Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.

System access is controlled via unique, robust passwords – with definable length and format – for each user. Regular changes of password can be enforced. Attempts to access the system can be blocked for a period after a specified number of incorrect password attempts.

System access via Windows Active Directory can be provided. Authentication can also be configured to use a customer's SAML-based single identity provider.

If ‘authentication on approval’ functionality is enabled, the user also has to authenticate their identity when approving documents by re-entering their unique user ID and strong password (or authenticator token if this option is selected by the system administrator).

Each user has a security profile that defines which documents the user has access to and which actions the user is able to take.

11.10h

Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.

Users log on to the system as described in 11.10d and g and are only given permission to take the actions permitted by their prescribed security profile.

Checksums can be used to verify that documents downloaded from Cognidox are identical to the ones stored. If checksums on uploaded documents change because of ‘pre-filtering’, i.e. fields in the document that automatically update, the event log records both original and new checksums for the upload.

11.10i

Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.

Qualifications, records of experience, and training records can be held in Cognidox. The ‘View Policies’ function can be used to record users’ access to the relevant documents and to record their declarations that they have read the documents.

11.10j

The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.

Written policies can be held in Cognidox. The ‘View Policies’ function can be used to record users’ access to the relevant documents and to record their declarations that they have read the documents. The event log records the use of electronic signatures.

11.10k

Use of appropriate controls over systems documentation including:
(1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.
(2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.

(1) The system has rigorous security controls so that users are given the appropriate permissions to access documentation for system operation and maintenance.
(2) A read-only date-stamped event log is kept which shows the history of all document uploads and changes. Users cannot alter the event log.

11.30

Controls for open systems.

Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in 11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality.

Cognidox is a closed system.

11.50

Signature manifestations.

11.50a

Signed electronic records shall contain information associated with the signing that clearly indicates all of the following:
(1) The printed name of the signer;
(2) The date and time when the signature was executed; and
(3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature.

The Cognidox ‘authentication on approval’ functionality requires a document approver’s unique user ID and strong password to be re-entered on approval, along with the approver’s role and the meaning of the electronic signature. When this has been done the system stores electronic records that show the signer’s:

  • Name and role
  • Date, time, and location
  • Meaning of the approval (such as review, approval, responsibility, or authorship) associated with the signature
  • A unique ID for each authenticated approval.

This information is recorded and controlled in Cognidox. An Approval Manifest page is added to the human readable PDF to show all this information as well as the version history of the document.

The event log stores time-stamped records of all actions taken and by whom, including electronic signatures; these records cannot be amended or deleted.

11.50b

The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout).

The ‘authentication on approval’ information in paragraphs (a)(1), (a)(2), and (a)(3) is recorded and controlled in Cognidox and an Approval Manifest page is added to the human readable PDF to show all of this information, as well as the version history of the document.

11.70

Signature/record linking.

Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.

Electronic signatures are linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.

C

Electronic signatures

11.100

General requirements

11.100a

Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.

The Cognidox ‘authentication on approval’ functionality requires a document approver’s unique user ID and strong password – as stored in their user account – to be re-entered on signing and approving a document.

User accounts are unique and cannot be shared or re-used. Passwords are only known by the end user and the system can mandate high security passwords with regular changes enforced.

11.100b

Before an organization establishes, assigns, certifies, or otherwise sanctions an individual's electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual.

This is governed by a company’s Standard Operating Procedures.

11.100c

Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures.
(1) The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations (HFC-100), 5600 Fishers Lane, Rockville, MD 20857.
(2) Persons using electronic signatures shall, upon agency request, provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer's handwritten signature.

This is governed by a company’s Standard Operating Procedures.
(1) This is governed by a company’s Standard Operating Procedures.
(2) This is governed by a company’s Standard Operating Procedures.

11.200

Electronic signatures components and controls

11.200a

Electronic signatures that are not based upon biometrics shall:
(1) Employ at least two distinct identification components such as an identification code and password.
(i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.
(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.
(2) Be used only by their genuine owners; and
(3) Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.

(1) The Cognidox ‘authentication on approval’ functionality requires a document approver’s unique user ID and strong password to be re-entered on approval of documents. For Single Sign On system users, the Cognidox ‘authentication on approval’ functionality requires a document approver’s unique user ID and authentication token to be entered on approval of documents.
(i) With the Cognidox ‘authentication on approval’ functionality the first and any subsequent signings will require all of the electronic signature components. These are designed to be used only by the individual.
(ii) With the Cognidox ‘authentication on approval’ functionality the first and any subsequent signings will require all of the electronic signature components.
(2) Electronic signatures require both the document approver’s unique user ID and password to be re-entered. These are designed to be used only by the individual.
(3) A user’s password is only accessible by the user and is not accessible by even the highest level access administrators. Therefore, the password must be supplied by the genuine owner.

11.200b

Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners.

n/a

11.300

Controls for identification codes/passwords

Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include:

11.300a

Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.

The system ensures that no two individuals can share a login; duplicate passwords and user IDs cannot be used.

11.300b

Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).

Maximum password age can be configured in Cognidox’s password control mechanism and is available with most external single sign-on systems.

11.300c

Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.

User accounts can be de-activated to prevent access to the system whilst preserving records of actions taken by the user before de-activation.

To access the Cognidox system, the username and password are required. Having access to a username and token-based authentication will not give access to the system.

11.300d

Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.

Attempts to access the system can be blocked for a period after a specified number of incorrect password attempts.

Server-side security bans IP addresses that show signs of malicious activity, such as too many password failures or probing for exploits.

11.300e

Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.

This is governed by a company’s Standard Operating Procedures.

FDA 21 CFR Part 820 Compliance

Clause | Regulation summary | Cognidox document management system

A

General Provisions

820.5

Quality system

820.5

Each manufacturer shall establish and maintain a quality system that is appropriate for the specific medical device(s) designed or manufactured, and that meets the requirements of this part.

Cognidox is an enterprise level document management system, designed for engineering teams to manage complex product developments in the high-tech, medical device, and life science product sectors. It includes built-in workflows and a process-based graphical business management platform. A compliant quality management system can be built using Cognidox.

B

Quality System Requirements

820.20

Management responsibility

820.20e

Each manufacturer shall establish quality system procedures and instructions. An outline of the structure of the documentation used in the quality system shall be established where appropriate.

Cognidox stores and makes it easy for users to find and access quality system documents, the structure of which is made evident through the use of configurable categories (folders) and, where applicable, graphical quality management system pages (Intranet).

820.22

Quality audit

Cognidox manages quality audit plans, processes, records and reports, including the use of templates and forms to make the collection of information consistent and efficient.

820.25

Personnel

Cognidox manages training plans and records, including restricting access to the appropriate personnel.

C

Design Controls

820.30

Design controls

Cognidox was designed for engineering teams to manage complex product developments and is optimised for storing, reviewing / collaborating, approving, finding and making available, and maintaining:

  • Design and development plans
  • Design and development processes and procedures
  • Design inputs
  • Design outputs
  • Test results
  • Processes, forms, templates and records of design reviews, validation and verification, design transfer (NPI),

Cognidox document categories enable the controlled collection and management of Design History Files. The Document Holder feature collects and manages a range of other documents within Cognidox as a single item and manages the approval and release of design information.

D

Document Controls

820.40

Document controls

820.40a

Each manufacturer shall establish and maintain procedures to control all documents that are required by this part. The procedures shall provide for the following:

Document approval and distribution.

Each manufacturer shall designate an individual(s) to review for adequacy and approve prior to issuance all documents established to meet the requirements of this part.

The approval, including the date and signature of the individual(s) approving the document, shall be documented.

Documents established to meet the requirements of this part shall be available at all locations for which they are designated, used, or otherwise necessary, and all obsolete documents shall be promptly removed from all points of use or otherwise prevented from unintended use.

Cognidox enables the storing, reviewing/collaborating and maintaining of documented procedures for controlling documents, records and other information, and makes it easy for users to find and access them. Cognidox automates key aspects of document control.

All documents and information in Cognidox can be set to be reviewed for content, and approved prior to use, by designated individuals.

Approval can be set to require electronic signatures; the date of approval and electronic signature is stored in the system and is also available as an approval manifest in the read-only (PDF) versions of the document.

Security settings make documents available only to persons that have permission to access them, and prevent access to obsolete or unapproved versions. Obsolete documents are conspicuously identified.

The latest approved version of a document can be linked from other documents, and from graphical business management system (Intranet) pages, making it easy to ensure that the correct approved version of a document is used.

820.40b

Document changes.

Changes to documents shall be reviewed and approved by an individual(s) in the same function or organization that performed the original review and approval, unless specifically designated otherwise.

Approved changes shall be communicated to the appropriate personnel in a timely manner.

Each manufacturer shall maintain records of changes to documents.

Change records shall include a description of the change, identification of the affected documents, the signature of the approving individual(s), the approval date, and when the change becomes effective.

All documents in Cognidox can be set to be reviewed for content, and approved prior to use, by designated individuals; this applies to changes as well as to the original documents.

Changes can be notified to users automatically. Where appropriate, positive attestation by the appropriate personnel can be mandated and recorded (‘view policies’).

Cognidox stores all previous versions of the document. Document metadata allows a description of changes to be recorded for any document; see below.

Cognidox allows any text or PDF version of a document to be compared with any other version – where the document format allows – to highlight the changes made. It allows or mandates a description of the change to be stored. If other documents could be affected by changes, this can be manually noted or added to the metadata. Approval can be set to require electronic signatures and the date is always stored.

The date when the change becomes effective is, by default, the approval date; if a separate effectivity date is required this can be added to the document metadata.

E

Purchasing Controls

820.50

Purchasing controls.

Cognidox stores and manages purchasing procedures, records and reports, including:

  • Evaluation procedures, requirements, controls and records for suppliers and third parties
  • Purchasing data including requirements, agreements and change records

This information is subject to the standard Cognidox document workflow: storing, reviewing/collaborating, approving, making available and maintaining. Templates and forms can be used to make the collection of information consistent and efficient.

F

Identification and Traceability

820.60

Identification

Cognidox stores and enables reviewing/collaborating, approving, maintaining and making it easy for users to find and access identification procedures. Customisable metadata can be used to associate documents and records with product types, where applicable. All information in Cognidox, including metadata, can be easily searched using the system’s enterprise-level search facility.

820.65

Traceability

Cognidox stores and enables reviewing/collaborating, approving, maintaining and making it easy for users to find and access traceability procedures. All information in Cognidox can be easily searched using the system’s enterprise-level search facility.

G

Production and Process Controls

820.70

Production and process controls.

Cognidox was designed for engineering teams to manage complex product development and production information, so it stores and enables reviewing/collaborating, approving, maintaining and making it easy for users to find and access production processes, requirements, standards, work instructions / SOPs, and records.

820.72

Inspection, measuring, and test equipment.

Cognidox stores and enables reviewing/collaborating, approving, maintaining and making it easy for users to find and access inspection, measuring, test and calibration procedures and records.

820.75

Process validation.

Cognidox stores and enables reviewing/collaborating, approving, maintaining and making it easy for users to find and access process validation procedures and records including date, named individual, method, changes or process deviations, etc.

H

Acceptance Activities

820.80

Receiving, in-process, and finished device acceptance.

Cognidox stores and enables reviewing/collaborating, approving, maintaining and making it easy for users to find and access procedures and records for acceptance and release activities. The records include dates and results.

Approval of these procedures and records can be set to require electronic signatures; the date of approval and electronic signature is stored in the system and is also available as an approval manifest in the read-only (PDF) versions of the document.

(See 820.184 for Device History Records).

I

Nonconforming Product

820.90

Nonconforming product.

Cognidox stores and enables reviewing/collaborating, approving, maintaining and making it easy for users to find and access procedures and records for nonconforming product management and rework.

Cognidox provides templated forms to enable the consistent capture and management of nonconforming product information (and complaints, incidents, supplier issues, and similar) without needing the user to write separate text documents or spreadsheets – the information can be entered directly into the pre-formatted form via the Cognidox user interface.

Configurable reports can be run to show the results from multiple forms, allowing them to be monitored, reported and analysed.

(See 820.184 for Device History Records).

J

Corrective and Preventive Action

820.100

Corrective and preventive action.

Cognidox stores and enables reviewing/collaborating, approving, maintaining and making it easy for users to find and access procedures and records for identifying and managing corrective and preventive actions (‘CAPA’).

Cognidox provides templated CAPA forms to enable the consistent capture and management of CAPAs without needing the user to write separate text documents or spreadsheets – the information can be entered directly into the pre-formatted form via the Cognidox user interface and managed through the multi-stage process required to resolve the CAPA.

Configurable reports can be run to show the results from multiple CAPA forms, allowing monitoring, reporting and analysis of corrective and preventive actions.

K

Labeling and Packaging Control

820.120

Device labelling

Cognidox stores and enables reviewing/collaborating, approving, maintaining and making it easy for users to find and access procedures for device labeling.

L

Handling, Storage, Distribution, and Installation

820.140
820.150
820.160
820.170

Handling.
Storage.
Distribution.
Installation.

Cognidox stores and enables reviewing/collaborating, approving, maintaining and making it easy for users to find and access procedures, instructions and other documents related to product handling, storage, distribution, and installation.

M

Records

820.180

General requirements

All records required by this part shall be maintained at the manufacturing establishment or other location that is reasonably accessible to responsible officials of the manufacturer and to employees of FDA designated to perform inspections.

Such records, including those not stored at the inspected establishment, shall be made readily available for review and copying by FDA employee(s).

Such records shall be legible and shall be stored to minimize deterioration and to prevent loss.

Those records stored in automated data processing systems shall be backed up.

Records can be easily and effectively stored in Cognidox. The Cognidox server is normally based at a designated server center and made available via secure cloud access to designated persons. However, if a server is required to be on-premise this can be arranged.

Secure cloud access can be provided to any person/s who are deemed suitable.

Cognidox preserves the integrity and visibility of all documents and information stored in it. All documents, as well as system access, have time-stamped event log entries that record all actions taken and by whom; the log cannot be amended or deleted and there are no time limits. Cognidox creates an MD5 checksum for every document so that downloads can be verified. After a document has been downloaded, a checksum utility can be used to verify that it is the correct version of the file.
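An added example (not Cognidox's own code) of the checksum check described here and under 11.10h: it hashes a downloaded file and compares the result with both checksums the event log is said to record when pre-filtering changes an upload. The log-entry field names and the sample document are constructed for illustration.

```python
import hashlib
import hmac
import io

# MD5 is the checksum the page says Cognidox records. It detects accidental
# change (truncated download, wrong version); it is not collision-resistant.


def md5_of_stream(stream, chunk_size=64 * 1024):
    """Hex MD5 of a binary stream, read in chunks so large files are not loaded whole."""
    digest = hashlib.md5()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def normalise_md5(recorded):
    """Clean up a checksum copied from a log or web page; reject non-MD5 values."""
    value = recorded.strip().lower()
    if len(value) != 32 or any(c not in "0123456789abcdef" for c in value):
        raise ValueError(f"not a 32-digit hex MD5: {recorded!r}")
    return value


def classify_download(stream, stored_md5, original_md5=None):
    """Compare a file with the checksums recorded for its upload.

    Returns:
      "stored"   - identical to the copy held in the system
      "original" - identical to the file as uploaded, before pre-filtering
                   updated its automatic fields (so not the controlled copy)
      "mismatch" - matches neither recorded checksum
    """
    actual = md5_of_stream(stream)
    if hmac.compare_digest(actual, normalise_md5(stored_md5)):
        return "stored"
    if original_md5 is not None and hmac.compare_digest(
        actual, normalise_md5(original_md5)
    ):
        return "original"
    return "mismatch"


# Constructed sample: a document whose issue field is filled in on upload.
UPLOADED = b"SOP-001 Cleaning procedure\nIssue: <auto>\nBody text\n"
STORED = UPLOADED.replace(b"<auto>", b"3")

# Hypothetical event-log entry for that upload (field names are assumptions).
LOG_ENTRY = {
    "document": "SOP-001",
    "original_md5": hashlib.md5(UPLOADED).hexdigest(),
    "stored_md5": hashlib.md5(STORED).hexdigest().upper(),  # upper case, as some tools print it
}


def check(data, entry=LOG_ENTRY):
    """Classify in-memory bytes against a log entry; use open(path, 'rb') for real files."""
    return classify_download(
        io.BytesIO(data), entry["stored_md5"], entry["original_md5"]
    )


if __name__ == "__main__":
    samples = [
        ("downloaded copy", STORED),
        ("uploader's local copy", UPLOADED),
        ("truncated download", STORED[:-1]),
    ]
    for label, data in samples:
        print(f"{label}: {check(data)}")
```

A result of "original" means the file in hand is the pre-upload version, which differs from the controlled copy even though both checksums appear in the log.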

Each hosted node runs a backup client that reports to a Cognidox central backup server in Cognidox’s cloud service datacentre. Each node takes regular deltas of changed files during the day and a nightly snapshot of any customer databases. The files to be backed up are encrypted using AES-256 and transmitted over a TLS connection to the central backup server, where they are stored encrypted at rest. Encryption is performed using a key that is unique to each node, and the key (for restoration) is itself held GPG-encrypted offline and only accessible by authorised Cognidox full-time staff. The central backup store is backed up to an Amazon Web Service (AWS) storage facility, ensuring that the data is stored on two distinct cloud service providers. In the event of a security breach of either the central backup server or the AWS storage, the backup data will remain secure as the decryption keys are not stored online. Cognidox monitors each node’s backup space to ensure it is being regularly updated and that any alerts generated by the backup process are reported to Cognidox system administrators. The storage layer used on all hosted services is held on physically redundant hardware maintained by the service provider.

820.180a

Confidentiality

Records deemed confidential by the manufacturer may be marked to aid FDA in determining whether information may be disclosed under the public information regulation in part 20 of this chapter.

The confidentiality status of a document can be added to the document title or to its customer-configurable metadata. Security profiles can be used to watermark confidential PDFs.

820.180b

Record retention period.

All records required by this part shall be retained for a period of time equivalent to the design and expected life of the device, but in no case less than 2 years from the date of release for commercial distribution by the manufacturer.

There is no automatic expiry of documents in Cognidox; they are stored indefinitely. If any document is to be reviewed for deletion after a given amount of time, this can be set by a ‘shared reminder’ which will notify identified individuals, via email, to conduct the review on a specified date. Event log records are maintained for deleted documents.

820.180c

Exceptions.

This section does not apply to the reports required by 820.20(c) Management review, 820.22 Quality audits, and supplier audit reports used to meet the requirements of 820.50(a) Evaluation of suppliers, contractors, and consultants, but does apply to procedures established under these provisions. Upon request of a designated employee of FDA, an employee in management with executive responsibility shall certify in writing that the management reviews and quality audits required under this part, and supplier audits where applicable, have been performed and documented, the dates on which they were performed, and that any required corrective action has been undertaken.

This information can be stored in Cognidox and the certification similarly can be stored in Cognidox. Cognidox’s own ISO 9001 and 27001 certificates are available to customers for their own supplier audits; in addition Cognidox may be willing to host customer-specific audits.

820.181

Device master record

Each manufacturer shall maintain device master records (DMR's). Each manufacturer shall ensure that each DMR is prepared and approved in accordance with 820.40. The DMR for each type of device shall include, or refer to the location of, the following information:

820.181a

Device specifications including appropriate drawings, composition, formulation, component specifications, and software specifications;

820.181b

Production process specifications including the appropriate equipment specifications, production methods, production procedures, and production environment specifications;

820.181c

Quality assurance procedures and specifications including acceptance criteria and the quality assurance equipment to be used;

820.181d

Packaging and labeling specifications, including methods and processes used; and

820.181e

Installation, maintenance, and servicing procedures and methods.

All the items described in 820.181a-e can be managed in a highly effective way through the use of a ‘Document Holder’.

Each Document Holder can hold specific versions of other documents stored and approved in Cognidox, including spreadsheets or other records, and allows this collection of other documents to be managed, reviewed and approved as a single entity. The specific versions of documents held in the Document Holder are retained even if those documents subsequently change.

Categories can also be assigned to hold the required records in an easily accessible and clear manner.

820.184

Device history record

Each manufacturer shall maintain device history records (DHR's). Each manufacturer shall establish and maintain procedures to ensure that DHR's for each batch, lot, or unit are maintained to demonstrate that the device is manufactured in accordance with the DMR and the requirements of this part.

The DHR shall include, or refer to the location of, the following information:

820.184a

The dates of manufacture;

820.184b

The quantity manufactured;

820.184c

The quantity released for distribution;

820.184d

The acceptance records which demonstrate the device is manufactured in accordance with the DMR;

820.184e

The primary identification label and labeling used for each production unit; and

820.184f

Any unique device identifier (UDI) or universal product code (UPC), and any other device identification(s) and control number(s) used.

All the information described in 820.184a-f can be managed by storing the information in categories that have been configured to hold the required records in an easily accessible and clear manner.

The information described in 820.184a-f can also be managed via a Document Holder. Each Document Holder can hold specific, approved versions of other documents, including spreadsheets or other records, and allows this collection of other documents to be managed, reviewed and approved as a single entity. The specific versions of documents held in the Document Holder are retained even if those documents subsequently change.

Categories can also be configured to hold the required records in an easily accessible and clear manner.

For larger enterprises or high throughput environments we would often expect their ERP or MRP systems to be used to hold device history records because of the efficiency gained through tight integration with their manufacturing systems.

820.186

Quality system record

Each manufacturer shall maintain a quality system record (QSR). The QSR shall include, or refer to the location of, procedures and the documentation of activities required by this part that are not specific to a particular type of device(s), including, but not limited to, the records required by 820.20. Each manufacturer shall ensure that the QSR is prepared and approved in accordance with 820.40.

Cognidox stores documented procedures and enables them to be reviewed, collaborated on, approved and maintained. It makes it easy for users to find and access these procedures and to control documents, records and other information, including those described in this section.

The configuration of categories in Cognidox can be used to automate the production of a quality system record; a Document Holder (see above) may also be used.

820.198

Complaint files

820.198a

Each manufacturer shall maintain complaint files. Each manufacturer shall establish and maintain procedures for receiving, reviewing, and evaluating complaints by a formally designated unit.

Such procedures shall ensure that:

1. All complaints are processed in a uniform and timely manner;

2. Oral complaints are documented upon receipt; and

3. Complaints are evaluated to determine whether the complaint represents an event which is required to be reported to FDA under part 803 of this chapter, Medical Device Reporting.

820.198b

Each manufacturer shall review and evaluate all complaints to determine whether an investigation is necessary. When no investigation is made, the manufacturer shall maintain a record that includes the reason no investigation was made and the name of the individual responsible for the decision not to investigate.

820.198c

Any complaint involving the possible failure of a device, labeling, or packaging to meet any of its specifications shall be reviewed, evaluated, and investigated, unless such investigation has already been performed for a similar complaint and another investigation is not necessary.

820.198d

Any complaint that represents an event which must be reported to FDA under part 803 of this chapter shall be promptly reviewed, evaluated, and investigated by a designated individual(s) and shall be maintained in a separate portion of the complaint files or otherwise clearly identified.

In addition to the information required by 820.198(e), records of investigation under this paragraph shall include a determination of:

1. Whether the device failed to meet specifications;

2. Whether the device was being used for treatment or diagnosis; and

3. The relationship, if any, of the device to the reported incident or adverse event.

820.198e

When an investigation is made under this section, a record of the investigation shall be maintained by the formally designated unit identified in paragraph (a) of this section.

The record of investigation shall include:

1. The name of the device;

2. The date the complaint was received;

3. Any unique device identifier (UDI) or universal product code (UPC), and any other device identification(s) and control number(s) used;

4. The name, address, and phone number of the complainant;

5. The nature and details of the complaint;

6. The dates and results of the investigation;

7. Any corrective action taken; and

8. Any reply to the complainant.

820.198f

When the manufacturer's formally designated complaint unit is located at a site separate from the manufacturing establishment, the investigated complaint(s) and the record(s) of investigation shall be reasonably accessible to the manufacturing establishment.

820.198g

If a manufacturer's formally designated complaint unit is located outside of the United States, records required by this section shall be reasonably accessible in the United States at either:

1. A location in the United States where the manufacturer's records are regularly kept; or

2. The location of the initial distributor.

Categories can be assigned to hold complaint files and related records in an easily accessible and clear manner. Cognidox stores documented procedures for complaint management, enables them to be reviewed, collaborated on, approved and maintained, and makes it easy for users to find and access them. Cognidox can also provide templated complaint forms to enable the consistent capture and management of information about the complaint, and its resolution, without needing the user to write separate documents – the information can be entered directly into a pre-formatted form via the Cognidox user interface and managed through the multi-stage process required to resolve the complaint.

Reports can be run to show the results from multiple forms, allowing monitoring, reporting and analysis of complaints.

‘Shared reminders’ can be set up on documents to notify selected users after a period of time to ensure they are reviewed and/or processed in a timely manner.

Secure cloud access can be provided to any person/s deemed suitable and given appropriate access rights.

ISO 13485 Compliance

Clause Regulation summary Cognidox document management system

4

Quality management system

4.1

General requirements

4.1.1

The organization shall document a quality management system and maintain its effectiveness in accordance with the requirements of this International Standard and applicable regulatory requirements.

The organization shall establish, implement and maintain any requirement, procedure, activity or arrangement required to be documented by this International Standard or applicable regulatory requirements.

The organization shall document the role(s) undertaken by the organization under the applicable regulatory requirements.

NOTE Roles undertaken by the organization can include manufacturer, authorized representative, importer or distributor.

Cognidox is an enterprise level document management system, designed for engineering teams to manage complex product developments in the high-tech, medical device, and life science product sectors. It includes built-in workflows and a process-based graphical business management platform. A compliant quality management system can be built using Cognidox.

4.1.2

The organization shall:

4.1.2a

determine the processes needed for the quality management system and the application of these processes throughout the organization taking into account the roles undertaken by the organization;

Cognidox stores and makes it easy for users to find and access quality management system documents, the structure of which is made evident through the use of configurable categories (folders) and, where applicable, graphical quality management system pages (Intranet).

4.1.2b

apply a risk based approach to the control of the appropriate processes needed for the quality management system;

To manage the risk of inappropriate access to information, document access rights can be restricted to those with relevant roles, and the appropriate levels of review and approval for process documentation can be mandated. All documents and system access have time-stamped event log entries that record all actions taken and by whom; the log cannot be amended or deleted and there are no time limits so the integrity of process documentation can be proven.

4.1.2c

determine the sequence and interaction of these processes.

The sequence and interaction of process documents can be shown within the documents themselves and, where applicable, via graphical quality management system pages (Intranet) to illustrate the relationship between them. Documents in Cognidox can include hyperlinks to other documents, further enhancing usability and showing the links between processes.

4.1.4

The organization shall manage these quality management system processes in accordance with the requirements of this International Standard and applicable regulatory requirements. Changes to be made to these processes shall be:

4.1.4a

evaluated for their impact on the quality management system;

4.1.4b

evaluated for their impact on the medical devices produced under this quality management system;

4.1.4c

controlled in accordance with the requirements of this International Standard and applicable regulatory requirements.

All documents and information in Cognidox can be set to be reviewed for content, and approved prior to use, by designated individuals; this applies to changes as well as to the original documents. Changes can be notified to users automatically. Cognidox stores all previous versions of the document, whether draft or issued. Any text or PDF version of a document – where the document format allows – can be compared with any other version to highlight the changes made. Cognidox allows or mandates a description of the changes to be stored, and an evaluation of the impact of changes can be appended to the document.

4.1.5

When the organization chooses to outsource any process that affects product conformity to requirements, it shall monitor and ensure control over such processes. The organization shall retain responsibility of conformity to this International Standard and to customer and applicable regulatory requirements for outsourced processes. The controls shall be proportionate to the risk involved and the ability of the external party to meet the requirements in accordance with 7.4. The controls shall include written quality agreements.

Written quality agreements and process information provided to third parties can be stored and maintained in Cognidox and, where appropriate, made accessible to third-party users.

4.1.6

The organization shall document procedures for the validation of the application of computer software used in the quality management system. Such software applications shall be validated prior to initial use and, as appropriate, after changes to such software or its application.

The specific approach and activities associated with software validation and revalidation shall be proportionate to the risk associated with the use of the software.

Records of such activities shall be maintained (see 4.2.5).

A software validation pack is made available to assist customers to validate their use of Cognidox in relation to medical device regulatory requirements. The pack includes a Validation Report, an IQ template, a PQ template, a completed PQ-OP example, test specifications and results, and instructions.

Other software validation information can also be stored in Cognidox.

4.2

Documentation requirements

4.2.1

General

The quality management system documentation (see 4.2.4) shall include:

4.2.1a

documented statements of a quality policy and quality objectives;

4.2.1b

a quality manual;

4.2.1c

documented procedures and records required by this International Standard;

4.2.1d

documents, including records, determined by the organization to be necessary to ensure the effective planning, operation, and control of its processes;

4.2.1e

other documentation specified by applicable regulatory requirements.

Cognidox stores documented procedures and enables them to be reviewed, collaborated on, approved and maintained. It makes it easy for users to find and access these procedures and to control documents, records and other information, including those described in this section, through the use of configurable categories (folders) and, where applicable, graphical quality management system pages (Intranet).

4.2.2

Quality manual

The organization shall document a quality manual that includes:

4.2.2a

the scope of the quality management system, including details of and justification for any exclusion or non-application;

4.2.2b

the documented procedures for the quality management system, or reference to them;

4.2.2c

a description of the interaction between the processes of the quality management system.

The quality manual shall outline the structure of the documentation used in the quality management system.

Cognidox stores documented procedures and enables them to be reviewed, collaborated on, approved and maintained. It makes it easy for users to find and access these procedures and to control documents, records and other information, including those documents that make up the quality manual as described in 4.2.2, the structure of which is made evident through the use of configurable categories (folders) and, where applicable, graphical quality management system pages (Intranet).

The sequence and interaction of quality processes can be shown within the documents themselves and, where applicable, via graphical quality management system pages (Intranet) to illustrate the relationship between them. Documents in Cognidox can include hyperlinks to other documents, further enhancing usability and showing the links between processes.

4.2.3

Medical device file

For each medical device type or medical device family, the organization shall establish and maintain one or more files either containing or referencing documents generated to demonstrate conformity to the requirement of this International Standard and compliance with applicable regulatory requirements.

The content of the file(s) shall include, but is not limited to:

4.2.3a

general description of the medical device, intended use/purpose, and labelling, including any instructions for use;

4.2.3b

specifications for product;

4.2.3c

specifications or procedures for manufacturing, packaging, storage, handling and distribution;

4.2.3d

procedures for measuring and monitoring;

4.2.3e

as appropriate, requirements for installation;

4.2.3f

as appropriate, procedures for servicing.

Cognidox is highly effective for storing, maintaining and making it easy for users to access medical device files through the use of document categories, which enable the controlled collection and management of documents and records that demonstrate conformity in an easily accessible and clear manner.

The Document Holder feature collects and manages a range of other documents within Cognidox as a single item and manages the approval and release of design information. All the items described in 4.2.3 can be stored in Cognidox and added to – and managed by – a Document Holder. Document Holders are also ideal for grouping documents when making a Technical File submission.

4.2.4

Control of documents

Documents required by the quality management system shall be controlled. Records are a special type of document and shall be controlled according to the requirements given in 4.2.5.

A documented procedure shall define the controls needed to:

4.2.4a

review and approve documents for adequacy prior to issue;

4.2.4b

review, update as necessary and re-approve documents;

4.2.4c

ensure that the current revision status of and changes to documents are identified;

4.2.4d

ensure that relevant versions of applicable documents are available at points of use;

4.2.4e

ensure that documents remain legible and readily identifiable;

4.2.4f

ensure that documents of external origin, determined by the organization to be necessary for the planning and operation of the quality management system, are identified and their distribution controlled;

4.2.4g

prevent deterioration or loss of documents;

4.2.4h

prevent the unintended use of obsolete documents and apply suitable identification to them.

The organization shall ensure that changes to documents are reviewed and approved either by the original approving function or another designated function that has access to pertinent background information upon which to base its decisions.

The organization shall define the period for which at least one copy of obsolete documents shall be retained. This period shall ensure that documents to which medical devices have been manufactured and tested are available for at least the lifetime of the medical device as defined by the organization, but not less than the retention period of any resulting record (see 4.2.5), or as specified by applicable regulatory requirements.

Cognidox enables the documents required by the quality management system, including documented procedures and records, to be stored, reviewed, collaborated on and maintained, and makes it easy for users to find and access them. Cognidox automates key aspects of document control. All documents and information in Cognidox can be set to be reviewed for content, and approved prior to use, by designated individuals. This applies to updates as well as the original documents.

The Cognidox ‘authentication on approval’ electronic signature functionality requires a document approver’s user ID and password to be re-entered and ensures that signed electronic records show their name, role, date and time, location, and the meaning (such as review, approval, responsibility, or authorship) associated with the signature; all configurable. This is recorded in Cognidox and a configurable approval manifest page is added to the PDF to show this information. This includes a list of previous approved issues and who approved them with the date of that approval.

Cognidox conspicuously shows the latest approved version of the document. It also stores all previous versions of the document, whether draft or issued. Any text or PDF version of a document – where the document format allows – can be compared with any other version to highlight the changes made. Cognidox allows or mandates a description of the changes to be stored, and an evaluation of the impact of changes can be appended to the document.

Cognidox preserves the integrity and visibility of all documents and information stored in it. All documents, as well as system access, have event log entries that provide time-stamped records of all actions taken and by whom; the log cannot be amended or deleted and there are no time limits applied to the records. To allow a document to be verified, Cognidox creates an MD5 checksum for every document. After a document has been downloaded, a checksum utility can be used to verify that it is the correct version of the file. Identifiability is ensured through document number metadata in Cognidox; this is supported for Microsoft Office documents via visible ‘pre-filter’ metadata fields within the document that are automatically updated by the system.

Externally sourced documents can be uploaded and distributed via Cognidox; access (read and/or write) is controlled by user permissions.

Documents do not automatically get deleted after a fixed time in Cognidox; they are stored indefinitely. If any document is to be reviewed for deletion after a given amount of time, this can be set by a shared reminder which will notify identified individuals, via email, to conduct the review on a specified date.

Obsolete documents are conspicuously identified in Cognidox, and can be moved to specific categories to show they should not be used. Security permissions can be configured in Cognidox to make documents available to any persons, or groups of persons, that should have access to them. Security permissions can be applied to prevent unauthorized access if required.

4.2.5

Control of records

Records shall be maintained to provide evidence of conformity to requirements and of the effective operation of the quality management system.

The organization shall document procedures to define the controls needed for the identification, storage, security and integrity, retrieval, retention time and disposition of records. The organization shall define and implement methods for protecting confidential health information contained in records in accordance with the applicable regulatory requirements.

Records shall remain legible, readily identifiable and retrievable. Changes to a record shall remain identifiable.

The organization shall retain the records for at least the lifetime of the medical device as defined by the organization, or as specified by applicable regulatory requirements, but not less than two years from the medical device release by the organization.

Records can easily be stored and managed via Cognidox and the results of reviews and approvals of these records stored. Cognidox can also provide templated forms to enable the consistent capture and management of information without needing the user to write separate text documents or spreadsheets – the information can be entered directly into a pre-formatted form via the Cognidox user interface.

The confidentiality status of a record can be added to the record title or to its customer-configurable metadata; security permissions can be set to restrict access. Cognidox preserves the integrity and visibility of all records and information stored in it. All records, as well as system access, have event log entries that provide time-stamped records of all actions taken and by whom; the log cannot be amended or deleted and there are no time limits applied to the records. To allow a record to be verified, Cognidox creates an MD5 checksum for every record. After a record has been downloaded, a checksum utility can be used to verify that it is the correct version of the file.
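The post-download check described here, and in the matching paragraph under 4.2.4, can be scripted as follows; this is an added example, not Cognidox code. The file names, the manifest layout and the function names are assumptions made for illustration, and the sample files are constructed. MD5 confirms that a copy is the expected version; it does not protect against deliberately crafted collisions.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

CHUNK_SIZE = 1024 * 1024  # read in 1 MiB blocks so large files are not loaded whole


def md5_of_file(path):
    """Return the lowercase hex MD5 digest of the file at `path`."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(CHUNK_SIZE), b""):
            digest.update(block)
    return digest.hexdigest()


def normalise(checksum):
    """Strip whitespace and case so a copied checksum compares cleanly."""
    value = checksum.strip().lower()
    if len(value) != 32 or any(ch not in "0123456789abcdef" for ch in value):
        raise ValueError(f"not an MD5 hex digest: {checksum!r}")
    return value


def verify_download(path, recorded_checksum):
    """Return 'match', 'mismatch' or 'missing' for one downloaded file."""
    expected = normalise(recorded_checksum)
    if not Path(path).is_file():
        return "missing"
    actual = md5_of_file(path)
    return "match" if hmac.compare_digest(actual, expected) else "mismatch"


def verify_manifest(manifest, directory):
    """Check each {file name: recorded checksum} entry against `directory`."""
    return {
        name: verify_download(Path(directory) / name, checksum)
        for name, checksum in manifest.items()
    }


def demo():
    """Constructed sample: three issued versions, one altered, one not downloaded."""
    issued = {
        "DOC-0001-issue2.pdf": b"Design specification, issue 2\n",
        "DOC-0002-issue1.docx": b"Test procedure, issue 1\n",
        "DOC-0003-issue4.xlsx": b"Risk register, issue 4\n",
    }
    # Hypothetical manifest: the checksum recorded for each issued version,
    # upper-cased here to show that normalise() handles either case.
    manifest = {
        name: hashlib.md5(data).hexdigest().upper() for name, data in issued.items()
    }
    with tempfile.TemporaryDirectory() as folder:
        # Correct copy of the first document.
        (Path(folder) / "DOC-0001-issue2.pdf").write_bytes(issued["DOC-0001-issue2.pdf"])
        # A draft saved under the issued file name: the wrong version.
        (Path(folder) / "DOC-0002-issue1.docx").write_bytes(b"Test procedure, draft 0.3\n")
        # The third document is never written, so it is reported as missing.
        return verify_manifest(manifest, folder)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```
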

Identifiability is ensured through metadata in Cognidox; this is supported for Microsoft Office documents via visible ‘pre-Filter’ metadata fields within the record that are automatically updated by the system.

Records do not automatically get deleted after a fixed time in Cognidox; they are stored indefinitely. If any record is to be reviewed for deletion after a given amount of time, this can be set by a shared reminder which will notify identified individuals, via email, to conduct the review on a specified date.

Obsolete records are conspicuously identified in Cognidox, and can also be moved to specific categories to show they should not be used. Security permissions can be configured in Cognidox to make records available to any persons, or groups of persons, that should have access to them. Security permissions can also be applied to prevent unauthorized access if required.


5

Management responsibility

5.3

Quality policy

Top management shall ensure that the quality policy:

5.3d

is communicated and understood within the organization;

5.3e

is reviewed for continuing suitability.

Cognidox makes it easy for users to find and access the quality policy. The ‘View Policies’ function can be used to record users’ access to the document and declarations that they have read it. A regular review of the policy can be facilitated through the use of a Shared Reminder (document metadata that alerts key individuals to the need to undertake a review after a given time period has elapsed).

5.6

Management review

5.6.1

General

The organization shall document procedures for management review. Top management shall review the organization’s quality management system at documented planned intervals to ensure its continuing suitability, adequacy and effectiveness. The review shall include assessing opportunities for improvement and the need for changes to the quality management system, including the quality policy and quality objectives.

Records from management reviews shall be maintained (see 4.2.5).

Cognidox enables the procedures and supporting documents for management review, and the subsequent records of the review, to be stored, reviewed, collaborated on and maintained, and makes it easy for users to find and access them.

A regular management review can be facilitated through the use of a ‘shared reminder’ (document metadata that alerts key individuals to the need to undertake a management review after a given time period has elapsed). Records can be easily, robustly and effectively stored in Cognidox.

5.6.2

Review input

The input to management review shall include, but is not limited to, information arising from:

5.6.2a

feedback;

5.6.2b

complaint handling;

5.6.2c

reporting to regulatory authorities;

5.6.2d

audits;

5.6.2e

monitoring and measurement of processes;

5.6.2f

monitoring and measurement of product;

5.6.2g

corrective action;

5.6.2h

preventive action;

5.6.2i

follow-up actions from previous management reviews;

5.6.2j

changes that could affect the quality management system;

5.6.2k

recommendations for improvement;

5.6.2l

applicable new or revised regulatory requirements.

The management review inputs can be stored as separate documents, or a single combined document, held in a suitable category in Cognidox. The separate input documents can also be combined into one Document Holder that is configured to hold the different, approved, input documents which are then managed and approved as a single entity.

5.6.3

Review output

The output from management review shall be recorded (see 4.2.5) and include the input reviewed and any decisions and actions related to:

5.6.3a

improvement needed to maintain the suitability, adequacy, and effectiveness of the quality management system and its processes;

5.6.3b

improvement of product related to customer requirements;

5.6.3c

changes needed to respond to applicable new or revised regulatory requirements;

5.6.3d

resource needs.

The management review outputs can be stored as separate documents, or a single combined document, held in a suitable category in Cognidox; the separate documents can also be combined into one Document Holder that is configured to hold the different, approved, input documents which can then be easily and effectively managed and approved as a single entity.

The management review inputs and outputs can similarly be combined in one document or one Document Holder.

6

Resource management

6.3

Infrastructure

The organization shall document the requirements for the infrastructure needed to achieve conformity to product requirements, prevent product mix-up and ensure orderly handling of product. Infrastructure includes, as appropriate:

6.3c

supporting services (such as transport, communication, or information systems).

The organization shall document requirements for the maintenance activities, including the interval of performing the maintenance activities, when such maintenance activities, or lack thereof, can affect product quality. As appropriate, the requirements shall apply to equipment used in production, the control of the work environment and monitoring and measurement.

Records of such maintenance shall be maintained (see 4.2.5).

Cognidox is an infrastructure supporting service. If the provisioned system is in the cloud, Cognidox manages the integrity, maintenance and back-up of the system via its server provider and can provide further details and records as required. If the customer purchases an on-premise system then the customer has responsibility for server integrity, maintenance and back-up.

Cognidox also provides a software validation pack to assist customers in their validation of Cognidox in relation to medical device regulatory requirements. The pack includes a validation report, an IQ template, a PQ template, a completed PQ-OP example and test specifications & results.

7

Product realization

7.1

Planning of product realization

The organization shall plan and develop the processes needed for product realization. Planning of product realization shall be consistent with the requirements of the other processes of the quality management system.

The organization shall document one or more processes for risk management in product realization. Records of risk management activities shall be maintained (see 4.2.5).

In planning product realization, the organization shall determine the following, as appropriate:

7.1a

quality objectives and requirements for the product;

7.1b

the need to establish processes and documents (see 4.2.4) and to provide resources specific to the product, including infrastructure and work environment;

7.1c

required verification, validation, monitoring, measurement, inspection and test, handling, storage, distribution and traceability activities specific to the product together with the criteria for product acceptance;

7.1d

records needed to provide evidence that the realization processes and resulting product meet requirements (see 4.2.5).

The output of this planning shall be documented in a form suitable for the organization’s method of operations.

NOTE Further information can be found in ISO 14971.

Cognidox is an enterprise-level document management system, designed for engineering teams to manage complex product developments in the high-tech, medical device, and life science product sectors. It includes built-in workflows and a process-based graphical business management platform. A compliant quality management system that includes the management of product realization can be built using Cognidox.

Cognidox stores the process documentation and other key documents and records required for product realization, supports reviewing/collaborating on, approving and maintaining them, makes them easy for users to find and access, and controls these documents, records and other information. This includes all the processes, documents and records described in 7.1.

7.2

Customer-related processes

7.2.2

Review of requirements related to product

The organization shall review the requirements related to product. This review shall be conducted prior to the organization’s commitment to supply product to the customer (e.g. submission of tenders, acceptance of contracts or orders, acceptance of changes to contracts or orders) and shall ensure that:

7.2.2a

product requirements are defined and documented;

7.2.2b

contract or order requirements differing from those previously expressed are resolved;

7.2.2c

applicable regulatory requirements are met;

7.2.2d

any user training identified in accordance with 7.2.1 is available or planned to be available;

7.2.2e

the organization has the ability to meet the defined requirements.

Records of the results of the review and actions arising from the review shall be maintained (see 4.2.5).

When the customer provides no documented statement of requirement, the customer requirements shall be confirmed by the organization before acceptance.

When product requirements are changed, the organization shall ensure that relevant documents are amended and that relevant personnel are made aware of the changed requirements.

Cognidox stores the process documentation and other key documents and records required for requirements management, supports reviewing/collaborating on, approving and maintaining them, makes them easy for users to find and access, and controls these documents, records and other information. This includes all the processes, documents and records described in 7.2 and includes externally-provided documents, e.g. information from customers. Cognidox can be used to identify and manage changes to documents in a planned and controlled way and to notify users of changes.

7.2.3

Communication

The organization shall plan and document arrangements for communicating with customers in relation to:

7.2.3a

product information;

7.2.3b

enquiries, contracts or order handling, including amendments;

7.2.3c

customer feedback, including complaints;

7.2.3d

advisory notices.

The organization shall communicate with regulatory authorities in accordance with applicable regulatory requirements.

Incoming and/or outgoing electronic communications can be stored and managed in Cognidox.

Cognidox can be used to communicate with selected customers or third parties by setting them up as Limited Access Partners with strictly limited permissions to view, upload or download information only in pre-determined areas of the Cognidox system.

Cognidox can optionally be set up to provide a cloud-based Extranet web portal, which includes a content licensing and publishing engine that allows the distribution of information and software to customers or other third parties to be strictly controlled.

7.3

Design and development

7.3.1

General

The organization shall document procedures for design and development.

Cognidox is an enterprise-level document management system, designed for engineering teams to manage complex product developments in the high-tech, medical device, and life science product sectors. It stores and maintains design and development procedures and related documentation and files, and makes them easy for users to access.

7.3.2

Design and development planning

The organization shall plan and control the design and development of product. As appropriate, design and development planning documents shall be maintained and updated as the design and development progresses.

During design and development planning, the organization shall document:

7.3.2a

the design and development stages;

7.3.2b

the review(s) needed at each design and development stage;

7.3.2c

the verification, validation, and design transfer activities that are appropriate at each design and development stage;

7.3.2d

the responsibilities and authorities for design and development;

7.3.2e

the methods to ensure traceability of design and development outputs to design and development inputs;

7.3.2f

the resources needed, including necessary competence of personnel.

Cognidox was designed for engineering teams to manage complex product developments and is optimised for storing, reviewing / collaborating, approving, finding and making available, and maintaining:

  • Design and development stages and plans
  • Design and development processes and procedures
  • Design and development review processes and results
  • Processes, forms, templates and records of validation, verification and design transfer (NPI), including proving the traceability of design outputs to design inputs
  • Responsibilities and authorities for control of design and development
  • Resource and competence information and records

Cognidox document categories enable the controlled collection and management of this information. The Document Holder feature collects and manages a range of other documents within Cognidox as a single item and manages the approval and release of design information and records.

7.3.3

Design and development inputs

Inputs relating to product requirements shall be determined and records maintained (see 4.2.5). These inputs shall include:

7.3.3a

functional, performance, usability and safety requirements, according to the intended use;

7.3.3b

applicable regulatory requirements and standards;

7.3.3c

applicable output(s) of risk management;

7.3.3d

as appropriate, information derived from previous similar designs;

7.3.3e

other requirements essential for design and development of the product and processes.

These inputs shall be reviewed for adequacy and approved.

Requirements shall be complete, unambiguous, able to be verified or validated, and not in conflict with each other.

NOTE Further information can be found in IEC 62366–1.

Cognidox stores, maintains and makes it easy for users to access design and development input documentation, records and files. Reviews and changes to all documents, forms, records and files can be rigorously managed within Cognidox and the history of reviews, approvals and changes all recorded. Where appropriate, the Document Holder feature collects and manages a range of other documents within Cognidox as a single item and manages the approval and release of design information and records.

7.3.4

Design and development outputs

Design and development outputs shall:

7.3.4a

meet the input requirements for design and development;

7.3.4b

provide appropriate information for purchasing, production and service provision;

7.3.4c

contain or reference product acceptance criteria;

7.3.4d

specify the characteristics of the product that are essential for its safe and proper use.

The outputs of design and development shall be in a form suitable for verification against the design and development inputs and shall be approved prior to release.

Records of the design and development outputs shall be maintained (see 4.2.5).

Cognidox stores, maintains and makes it easy for users to access design and development output documentation, records and files. Reviews and changes to all documents, forms, records and files can be rigorously managed within Cognidox and the history of reviews, approvals and changes all recorded. Where appropriate, the Document Holder feature collects and manages a range of other documents within Cognidox as a single item and manages the approval and release of design information and records.

7.3.5

Design and development review

At suitable stages, systematic reviews of design and development shall be performed in accordance with planned and documented arrangements to:

7.3.5a

evaluate the ability of the results of design and development to meet requirements;

7.3.5b

identify and propose necessary actions.

Participants in such reviews shall include representatives of functions concerned with the design and development stage being reviewed, as well as other specialist personnel.

Records of the results of the reviews and any necessary actions shall be maintained and include the identification of the design under review, the participants involved and the date of the review (see 4.2.5).

Design and development review plans, processes, records and details of actions can be rigorously managed within Cognidox and the history of reviews and changes recorded. Cognidox has the ability to use templated forms to enable the consistent capture and management of this information. Design review records can, in turn, be reviewed and/or approved by the relevant staff, including the review attendees.

Design and development phase/gate reviews – in which a group of project or programme documents (e.g. specifications, plans, progress charts, design reviews, test results, budgets, marketing plans, etc.) are approved to move a project onto the next stage of activity – can be managed via the Document Holder feature which collects and manages a range of other approved documents within Cognidox as a single item.

7.3.6

Design and development verification

Design and development verification shall be performed in accordance with planned and documented arrangements to ensure that the design and development outputs have met the design and development input requirements.

The organization shall document verification plans that include methods, acceptance criteria and, as appropriate, statistical techniques with rationale for sample size.

If the intended use requires that the medical device be connected to, or have an interface with, other medical device(s), verification shall include confirmation that the design outputs meet design inputs when so connected or interfaced.

Records of the results and conclusions of the verification and necessary actions shall be maintained (see 4.2.4 and 4.2.5).

Verification plans, procedures, results, analyses, conclusions, action lists and other records can easily be stored and managed within Cognidox. These can be reviewed and/or approved by the relevant staff.

7.3.7

Design and development validation

Design and development validation shall be performed in accordance with planned and documented arrangements to ensure that the resulting product is capable of meeting the requirements for the specified application or intended use.

The organization shall document validation plans that include methods, acceptance criteria and, as appropriate, statistical techniques with rationale for sample size.

Design validation shall be conducted on representative product. Representative product includes initial production units, batches or their equivalents. The rationale for the choice of product used for validation shall be recorded (see 4.2.5).

As part of design and development validation, the organization shall perform clinical evaluations or performance evaluations of the medical device in accordance with applicable regulatory requirements. A medical device used for clinical evaluation or performance evaluation is not considered to be released for use to the customer.

If the intended use requires that the medical device be connected to, or have an interface with, other medical device(s), validation shall include confirmation that the requirements for the specified application or intended use have been met when so connected or interfaced.

Validation shall be completed prior to release for use of the product to the customer. Records of the results and conclusion of validation and necessary actions shall be maintained (see 4.2.4 and 4.2.5).

Validation plans, procedures, results, analyses, conclusions, action lists and other records can easily be stored and managed within Cognidox. These can be reviewed and/or approved by the relevant staff.

7.3.8

Design and development transfer

The organization shall document procedures for transfer of design and development outputs to manufacturing. These procedures shall ensure that design and development outputs are verified as suitable for manufacturing before becoming final production specifications and that production capability can meet product requirements.

Results and conclusions of the transfer shall be recorded (see 4.2.5).

Cognidox stores, maintains and makes it easy for users to access design and development transfer procedures, documentation, records and files.

Reviews of design and development outputs, and validation of the outputs as being suitable for manufacturing (including test and inspection results) can be rigorously managed within Cognidox.

7.3.9

Control of design and development changes

The organization shall document procedures to control design and development changes. The organization shall determine the significance of the change to function, performance, usability, safety and applicable regulatory requirements for the medical device and its intended use.

Design and development changes shall be identified. Before implementation, the changes shall be:

7.3.9a

reviewed;

7.3.9b

verified;

7.3.9c

validated, as appropriate;

7.3.9d

approved.

The review of design and development changes shall include evaluation of the effect of the changes on constituent parts and product in process or already delivered, inputs or outputs of risk management and product realization processes.

Records of changes, their review and any necessary actions shall be maintained (see 4.2.5).

Cognidox stores, maintains and makes it easy for users to access design and development change procedures and related documentation, including evaluations of the impact of changes and verification and validation results, and – where permission has been given – to make controlled changes to the design and development documentation and files.

Pre-determined format information (such as change requests or change notes) can make use of the Cognidox Forms functionality.

Reviews and changes to all documents, forms, records and files, and related records, can be rigorously managed within Cognidox and the history of reviews, approvals, evaluations of the impact of changes, verification and validation, and records of changes all recorded.

If required, multiple design and development documents can be stored and maintained as one entity through the use of Document Holders which would allow one Document Holder to manage changes in several other documents concurrently.

7.3.10

Design and development files

The organization shall maintain a design and development file for each medical device type or medical device family. This file shall include or reference records generated to demonstrate conformity to the requirements for design and development and records for design and development changes.

Cognidox document categories enable the controlled collection and management of Design History Files for each medical device type or medical device family, including evidence of conformity to requirements and records of changes.

Where appropriate, the Document Holder feature collects and manages a range of other documents within Cognidox as a single item and manages the approval and release of design information. Document Holders are also ideal for grouping documents when making a Technical File submission.

7.4

Purchasing

7.4.1

Purchasing process

The organization shall document procedures (see 4.2.4) to ensure that purchased product conforms to specified purchasing information.

The organization shall establish criteria for the evaluation and selection of suppliers. The criteria shall be:

7.4.1a

based on the supplier’s ability to provide product that meets the organization’s requirements;

7.4.1b

based on the performance of the supplier;

7.4.1c

based on the effect of the purchased product on the quality of the medical device;

7.4.1d

proportionate to the risk associated with the medical device.

The organization shall plan the monitoring and re-evaluation of suppliers. Supplier performance in meeting requirements for the purchased product shall be monitored. The results of the monitoring shall provide an input into the supplier re-evaluation process.

Non-fulfilment of purchasing requirements shall be addressed with the supplier proportionate to the risk associated with the purchased product and compliance with applicable regulatory requirements.

Records of the results of evaluation, selection, monitoring and re-evaluation of supplier capability or performance and any necessary actions arising from these activities shall be maintained (see 4.2.5).

Cognidox stores and manages purchasing procedures, records and reports, including:

  • Evaluation procedures, requirements, criteria, controls and records for suppliers and third parties
  • Purchasing data including requirements, agreements and change records
  • Necessary actions required to manage suppliers and their products.

This information is subject to the standard Cognidox document workflow: storing, reviewing/collaborating, approving, making available and maintaining. Templates and forms can be used to make the collection of information consistent and efficient.

7.4.2

Purchasing information

Purchasing information shall describe or reference the product to be purchased, including as appropriate:

7.4.2a

product specifications;

7.4.2b

requirements for product acceptance, procedures, processes and equipment;

7.4.2c

requirements for qualification of supplier personnel;

7.4.2d

quality management system requirements.

The organization shall ensure the adequacy of specified purchasing requirements prior to their communication to the supplier.

Purchasing information shall include, as applicable, a written agreement that the supplier notify the organization of changes in the purchased product prior to implementation of any changes that affect the ability of the purchased product to meet specified purchase requirements.

To the extent required for traceability given in 7.5.9, the organization shall maintain relevant purchasing information in the form of documents (see 4.2.4) and records (see 4.2.5).

Cognidox stores and manages purchasing procedures, records, reports and supporting information, including purchase requisitions, purchase orders, product descriptions/specifications, product requirements, supplier or product monitoring and evaluation results, agreements, terms and conditions of purchase, and incoming goods quality and other records.

This information is subject to the standard Cognidox document workflow: storing, reviewing/collaborating, approving, making available and maintaining.

Pre-determined format information (such as purchase requisitions or purchase orders) can make use of the Cognidox Forms functionality.

7.4.3

Verification of purchased product

The organization shall establish and implement the inspection or other activities necessary for ensuring that purchased product meets specified purchasing requirements. The extent of verification activities shall be based on the supplier evaluation results and proportionate to the risks associated with the purchased product.

When the organization becomes aware of any changes to the purchased product, the organization shall determine whether these changes affect the product realization process or the medical device.

When the organization or its customer intends to perform verification at the supplier’s premises, the organization shall state the intended verification activities and method of product release in the purchasing information.

Records of the verification shall be maintained (see 4.2.5).

Cognidox stores and manages purchased product verification procedures, records, reports and supporting information.

This information is subject to the standard Cognidox document workflow: storing, reviewing/collaborating, approving, making available and maintaining.

Pre-determined format information (such as inspection records) can make use of the Cognidox Forms functionality.

7.5

Production and service provision

7.5.1

Control of production and service provision

Production and service provision shall be planned, carried out, monitored and controlled to ensure that product conforms to specification.

Cognidox was designed for engineering teams to manage complex product development and production information, so it stores production and service provision processes, requirements, standards, work instructions / SOPs, and records, supports reviewing/collaborating on, approving and maintaining them, and makes them easy for users to find and access.

7.6

Control of monitoring and measuring equipment

The organization shall determine the monitoring and measurement to be undertaken and the monitoring and measuring equipment needed to provide evidence of conformity of product to determined requirements.

The organization shall document procedures to ensure that monitoring and measurement can be carried out and are carried out in a manner that is consistent with the monitoring and measurement requirements.

As necessary to ensure valid results, measuring equipment shall:

7.6a

be calibrated or verified, or both, at specified intervals, or prior to use, against measurement standards traceable to international or national measurement standards: when no such standards exist, the basis used for calibration or verification shall be recorded (see 4.2.5);

Cognidox stores inspection, measuring, test and calibration procedures and records, including calibration results and certificates, supports reviewing/collaborating on, approving and maintaining them, and makes them easy for users to find and access. Cognidox ‘Shared Reminders’ can be set on calibration or test result documents to remind identified individuals that the next test/calibration has become due (i.e. the system can notify users at selected intervals).

8

Measurement, analysis and improvement

8.2

Monitoring and measurement

8.2.1

Feedback

As one of the measurements of the effectiveness of the quality management system, the organization shall gather and monitor information relating to whether the organization has met customer requirements. The methods for obtaining and using this information shall be documented.

The organization shall document procedures for the feedback process. This feedback process shall include provisions to gather data from production as well as post-production activities.

The information gathered in the feedback process shall serve as potential input into risk management for monitoring and maintaining the product requirements as well as the product realization or improvement processes.

If applicable regulatory requirements require the organization to gain specific experience from post-production activities, the review of this experience shall form part of the feedback process.

Cognidox stores and makes it easy for users to find and access feedback or other intelligence about whether the organization has met customer requirements as well as the procedures that describe how this feedback is obtained and what analysis and follow-up actions are taken as a result of the findings. Records (including correspondence with the customer, regulatory authorities if appropriate, and others) can be stored.

8.2.2

Complaint handling

The organization shall document procedures for timely complaint handling in accordance with applicable regulatory requirements.

These procedures shall include at a minimum requirements and responsibilities for:

8.2.2a

receiving and recording information;

8.2.2b

evaluating information to determine if the feedback constitutes a complaint;

8.2.2c

investigating complaints;

8.2.2d

determining the need to report the information to the appropriate regulatory authorities;

8.2.2e

handling of complaint-related product;

8.2.2f

determining the need to initiate corrections or corrective actions.

If any complaint is not investigated, justification shall be documented. Any correction or corrective action resulting from the complaint handling process shall be documented.

If an investigation determines activities outside the organization contributed to the complaint, relevant information shall be exchanged between the organization and the external party involved.

Complaint handling records shall be maintained (see 4.2.5).

Categories can be assigned to hold complaint files and related records in an easily accessible and clear manner. Cognidox stores documented procedures for complaint management, supports reviewing/collaborating on, approving and maintaining them, and makes them easy for users to find and access. Cognidox can also provide templated complaint forms to enable the consistent capture and management of information about the complaint, and its resolution, without needing the user to write separate documents – the information can be entered directly into a pre-formatted form via the Cognidox user interface and managed through the multi-stage process required to resolve the complaint.

Reports can be run to show the results from multiple forms, allowing monitoring, reporting and analysis of complaints.

‘Shared reminders’ can be set up on documents to notify selected users after a period of time to ensure they are reviewed and/or processed in a timely manner.

Information exchanged between the organization and external parties can be stored in Cognidox and records kept of correspondence and actions taken.

8.2.3

Reporting to regulatory authorities

If applicable regulatory requirements require notification of complaints that meet specified reporting criteria of adverse events or issuance of advisory notices, the organization shall document procedures for providing notification to the appropriate regulatory authorities.

Records of reporting to regulatory authorities shall be maintained (see 4.2.5).

Procedures for providing notification to the appropriate regulatory authorities can be stored and made easy for users to find and use via Cognidox.

Cognidox can be used to provide information directly to selected third parties, e.g. regulatory authorities, through the setting up of Limited Access Partners which have strictly limited permissions to view, upload or download information in pre-determined areas of the Cognidox system.

Correspondence with regulatory authorities can be stored in the system where appropriate.

8.2.4

Internal audit

The organization shall conduct internal audits at planned intervals to determine whether the quality management system:

8.2.4a

conforms to planned and documented arrangements, requirements of this International Standard, quality management system requirements established by the organization, and applicable regulatory requirements;

8.2.4b

is effectively implemented and maintained.

The organization shall document a procedure to describe the responsibilities and requirements for planning and conducting audits and recording and reporting audit results.

An audit program shall be planned, taking into consideration the status and importance of the processes and area to be audited, as well as the results of previous audits. The audit criteria, scope, interval and methods shall be defined and recorded (see 4.2.5). The selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process. Auditors shall not audit their own work.

Records of the audits and their results, including identification of the processes and areas audited and the conclusions, shall be maintained (see 4.2.5).

Cognidox manages quality audit plans, processes, records and reports, including the use of templates and forms to make the collection of information consistent and efficient.

8.3

Control of nonconforming product

8.3.1

General

The organization shall ensure that product which does not conform to product requirements is identified and controlled to prevent its unintended use or delivery. The organization shall document a procedure to define the controls and related responsibilities and authorities for the identification, documentation, segregation, evaluation and disposition of nonconforming product.

The evaluation of nonconformity shall include a determination of the need for an investigation and notification of any external party responsible for the nonconformity.

Records of the nature of the nonconformities and any subsequent action taken, including the evaluation, any investigation and the rationale for decisions shall be maintained (see 4.2.5).

Cognidox stores procedures and records for nonconforming product management and rework, supports reviewing/collaborating on, approving and maintaining them, and makes them easy for users to find and access.

Cognidox provides templated forms to enable the consistent capture and management of nonconforming product information (and complaints, incidents, supplier issues, and similar) without needing the user to write separate text documents or spreadsheets – the information can be entered directly into the pre-formatted form via the Cognidox user interface.

Configurable reports can be run to show the results from multiple forms, allowing them to be monitored, reported and analysed.

8.5

Improvement

8.5.2

Corrective action

The organization shall take action to eliminate the cause of nonconformities in order to prevent recurrence. Any necessary corrective actions shall be taken without undue delay. Corrective actions shall be proportionate to the effects of the nonconformities encountered.

The organization shall document a procedure to define requirements for:

8.5.2a

reviewing nonconformities (including complaints);

8.5.2b

determining the causes of nonconformities;

8.5.2c

evaluating the need for action to ensure that nonconformities do not recur;

8.5.2d

planning and documenting action needed and implementing such action, including, as appropriate, updating documentation;

8.5.2e

verifying that the corrective action does not adversely affect the ability to meet applicable regulatory requirements or the safety and performance of the medical device;

8.5.2f

reviewing the effectiveness of corrective action taken.

Records of the results of any investigation and of action taken shall be maintained (see 4.2.5).

Cognidox stores procedures and records for identifying and managing corrective and preventive actions (‘CAPA’), supports reviewing/collaborating on, approving and maintaining them, and makes them easy for users to find and access.

Cognidox provides templated CAPA forms to enable the consistent capture and management of CAPAs without needing the user to write separate text documents or spreadsheets – the information can be entered directly into the pre-formatted form via the Cognidox user interface and managed through the multi-stage process required to resolve the CAPA.

Configurable reports can be run to show the results from multiple CAPA forms, allowing monitoring, reporting and analysis of corrective and preventive actions.

8.5.3

Preventive action

The organization shall determine action to eliminate the causes of potential nonconformities in order to prevent their occurrence. Preventive actions shall be proportionate to the effects of the potential problems.

The organization shall document a procedure to describe requirements for:

8.5.3a

determining potential nonconformities and their causes;

8.5.3b

evaluating the need for action to prevent occurrence of nonconformities;

8.5.3c

planning and documenting action needed and implementing such action, including, as appropriate, updating documentation;

8.5.3d

verifying that the action does not adversely affect the ability to meet applicable regulatory requirements or the safety and performance of the medical device;

8.5.3e

reviewing the effectiveness of the preventive action taken, as appropriate.

Records of the results of any investigations and of action taken shall be maintained (see 4.2.5).

Cognidox stores procedures and records for identifying and managing corrective and preventive actions (‘CAPA’). It supports reviewing, collaborating on, approving and maintaining them, and makes it easy for users to find and access them.

Cognidox provides templated CAPA forms to enable the consistent capture and management of CAPAs without needing the user to write separate text documents or spreadsheets – the information can be entered directly into the pre-formatted form via the Cognidox user interface and managed through the multi-stage process required to resolve the CAPA.

Configurable reports can be run to show the results from multiple CAPA forms, allowing monitoring, reporting and analysis of corrective and preventive actions.

MHRA GXP Data Integrity Guidance

Clause Regulation summary Cognidox document management system

6 – Definition of terms and interpretation of requirements

In the following section, definitions, where applicable, are given in italic text directly below the term.

6.1

Data

Facts, figures and statistics collected together for reference or analysis. All original records and true copies of original records, including source data and metadata and all subsequent transformations and reports of these data, that are generated or recorded at the time of the GXP activity and allow full and complete reconstruction and evaluation of the GXP activity.

Data should be:

A – attributable to the person generating the data

L – legible and permanent

C – contemporaneous

O – original record (or certified true copy)

A – accurate

Data governance measures should also ensure that data is complete, consistent, enduring and available throughout the lifecycle, where:

Complete – the data must be whole; a complete set

Consistent – the data must be self-consistent

Enduring – durable; lasting throughout the data lifecycle

Available – readily available for review or inspection purposes

Cognidox is an enterprise level document management system, designed for engineering teams to manage complex product developments in the high-tech, medical device, and life science product sectors.

It is a flexible, powerful and secure system for storing data in a robust, scalable, and consistent way.

Cognidox preserves the integrity and visibility of all documents and information stored in it. All documents, as well as system access, have time-stamped event log entries that record all actions taken and by whom; the log cannot be amended or deleted and there are no time limits. Cognidox creates an MD5 checksum for every document so that the document can be verified. After a document has been downloaded, a checksum utility can be used to verify that it is the correct version of the file. Metadata is used to associate each document or record with the person who generated, updated, reviewed and approved it.

6.2

Raw data (synonymous with ‘source data’ which is defined in ICH GCP)

Raw data is defined as the original record (data) which can be described as the first-capture of information, whether recorded on paper or electronically. Information that is originally captured in a dynamic state should remain available in that state.

Raw data must permit full reconstruction of the activities. Where this has been captured in a dynamic state and generated electronically, paper copies cannot be considered as ‘raw data’.

In the case of basic electronic equipment that does not store electronic data, or provides only a printed data output (e.g. balances or pH meters), then the printout constitutes the raw data. Where the basic electronic equipment does store electronic data permanently and only holds a certain volume before overwriting; this data should be periodically reviewed and where necessary reconciled against paper records and extracted as electronic data where this is supported by the equipment itself.

In all definitions, the term 'data' includes raw data.

Cognidox can store raw data which can be processed and managed in the same way as any other document, record or other data. In the case of equipment or communication channels that provide only printed data outputs or information, these can be scanned and stored in Cognidox in an appropriate format (PDF, JPG, etc.)

6.3

Metadata

Metadata are data that describe the attributes of other data and provide context and meaning. Typically, these are data that describe the structure, data elements, inter-relationships and other characteristics of data e.g. audit trails. Metadata also permit data to be attributable to an individual (or if automatically generated, to the original data source).

Metadata form an integral part of the original record. Without the context provided by metadata the data has no meaning.

Example (i) 3.5

metadata, giving context and meaning, (italic text) are:

sodium chloride batch 1234, 3.5mg. J Smith 01/Jul/14

Example (ii) 3.5

metadata, giving context and meaning, (italic text) are:

Trial subject A123, sample ref X789 taken 30/06/14 at 1456hrs. 3.5mg. Analyst: J Smith 01/Jul/14

Cognidox enables customisable metadata to be associated with any document, record, data or other stored information. Customers can select the nature and format of the metadata to be stored within their Cognidox system, and the metadata is retained and treated as being integral to the data (or document or other information) in question.

6.4

Data integrity

Data integrity is the degree to which data are complete, consistent, accurate, trustworthy, reliable and that these characteristics of the data are maintained throughout the data life cycle. The data should be collected and maintained in a secure manner, so that they are attributable, legible, contemporaneously recorded, original (or a true copy) and accurate. Assuring data integrity requires appropriate quality and risk management systems, including adherence to sound scientific principles and good documentation practices.

Cognidox preserves the integrity and visibility of all documents and information stored in it. All documents, as well as system access, have time-stamped event log entries that record all actions taken and by whom; the log cannot be amended or deleted and there are no time limits. Cognidox creates an MD5 checksum for every document so that the document can be verified. After a document has been downloaded, a checksum utility can be used to verify that it is the correct version of the file.

System access is controlled via unique user IDs and strong passwords for each user. Regular changes of password can be enforced. Attempts to access the system can be blocked for a period after a specified number of incorrect password attempts. System access via Windows Active Directory can be provided. Authentication can also be configured to use a customer's SAML based single identity provider.

All actions on documents and information are controlled by user rights that can be assigned via role groups or individually allowing fine grained access to the system.

Cognidox Ltd is registered to ISO 27001 to give customers reassurance of its compliance with high standards of information security, and to ISO 9001 to give reassurance of its compliance with high standards of quality management including risk management.

6.5

Data governance

The arrangements to ensure that data, irrespective of the format in which they are generated, are recorded, processed, retained and used to ensure the record throughout the data lifecycle.

Data governance should address data ownership and accountability throughout the lifecycle, and consider the design, operation and monitoring of processes/systems to comply with the principles of data integrity including control over intentional and unintentional changes to data.

Data Governance systems should include staff training in the importance of data integrity principles and the creation of a working environment that enables visibility, and actively encourages reporting of errors, omissions and undesirable results.

Senior management should be accountable for the implementation of systems and procedures to minimise the potential risk to data integrity, and for identifying the residual risk, using risk management techniques such as the principles of ICH Q9.

Contract Givers should ensure that data ownership, governance and accessibility are included in any contract/technical agreement with a third party. The Contract Giver should also perform a data governance review as part of their vendor assurance programme.

Data governance systems should also ensure that data are readily available and directly accessible on request from national competent authorities. Electronic data should be available in human-readable form.

Cognidox Ltd restricts system access to authorised individuals and has documented policies and processes for ensuring good data governance, including modifying system settings or content. Cognidox Ltd staff are trained in these policies and processes and are required to confirm acceptance of them after any changes and on a regular basis. Cognidox records changes to, and approval of, all documents or files.

Cognidox Ltd raises a Security Incident if, and as soon as, a risk or damage to the integrity of information is identified; this mechanism is part of Cognidox’s ISO 27001-certified business processes and is used to eliminate, manage or mitigate the risk.

Cognidox Ltd uses a Corrective Action / Preventive Action process for continual improvement as part of its ISO 9001-certified quality management system, which includes risk management and mitigation.

Secure cloud access can be provided to any person/s deemed suitable and given appropriate access rights, e.g. national competent authorities. Documents and files, and lists of these, can be exported in bulk for third-party inspection and review.

Documents and other files are available in their original format (Microsoft Word, PowerPoint, Excel, CSV, etc.) and in human-readable PDF form where the format allows automatic conversion or when the user has converted the original data to PDF format and uploaded this to Cognidox.

6.6

Data lifecycle

All phases in the life of the data from generation and recording through processing (including analysis, transformation or migration), use, data retention, archive/retrieval and destruction.

Data governance, as described in the previous section, must be applied across the whole data lifecycle to provide assurance of data integrity. Data can be retained either in the original system, subject to suitable controls, or in an appropriate archive.

Cognidox applies the same controls and protection to all data stored in it, i.e. throughout the data lifecycle.

6.7

Recording and collection of data

No definition required.

Organisations should have an appropriate level of process understanding and technical knowledge of systems used for data collection and recording, including their capabilities, limitations and vulnerabilities.

The selected method should ensure that data of appropriate accuracy, completeness, content and meaning are collected and retained for their intended use. Where the capability of the electronic system permits dynamic storage, it is not appropriate for static (printed / manual) data to be retained in preference to dynamic (electronic) data.

As data are required to allow the full reconstruction of activities the amount and the resolution (degree of detail) of data to be collected should be justified.

When used, blank forms (including, but not limited to, worksheets, laboratory notebooks, and master production and control records) should be controlled. For example, numbered sets of blank forms may be issued and reconciled upon completion. Similarly, bound paginated notebooks, stamped or formally issued by a document control group allow detection of unofficial notebooks and any gaps in notebook pages.

Cognidox Ltd customers determine their own processes for recording and collection of data.

Cognidox Ltd provides end user training and system administrator training to customers. The Cognidox on-line help system provides context-sensitive help and training videos to help customers’ staff use the system correctly.

The Cognidox Forms utility enables customers to devise and use pre-set forms, which are automatically numbered and managed in a similar way to other documents in Cognidox, to capture and process data consistently.

6.8

Data transfer / migration

Data transfer is the process of transferring data between different data storage types, formats, or computerised systems.

Data migration is the process of moving stored data from one durable storage location to another. This may include changing the format of data, but not the content or meaning.

Data transfer is the process of transferring data and metadata between storage media types or computerised systems. Data migration where required may, if necessary, change the format of data to make it usable or visible on an alternative computerised system. 

Data transfer/migration procedures should include a rationale, and be robustly designed and validated to ensure that data integrity is maintained during the data lifecycle. Careful consideration should be given to understanding the data format and the potential for alteration at each stage of data generation, transfer and subsequent storage. The challenges of migrating data are often underestimated, particularly regarding maintaining the full meaning of the migrated records.

Data transfer should be validated. The data should not be altered during or after it is transferred to the worksheet or other application. There should be an audit trail for this process. Appropriate Quality procedures should be followed if the data transfer during the operation has not occurred correctly. Any changes in the middle layer software should be managed through appropriate Quality Management Systems.

Electronic worksheets used in automation like paper documentation should be version controlled and any changes in the worksheet should be documented/verified appropriately.

Documents and files can be imported and exported, in bulk, from and to other systems. All documents and files, as well as system access, have event log entries that provide time-stamped records of all actions taken and by whom; the log cannot be amended or deleted and there are no time limits applied to the records. Cognidox creates an MD5 checksum for every document so that the document can be verified. After a document has been downloaded, a checksum utility can be used to verify that it is the correct version of the file.

All documents and files stored in Cognidox are rigorously version controlled and changes made to new versions can be identified by the author or document administrator in the system records. Cognidox also allows a text or pdf version of a document or file – where the document format allows – to be automatically compared with any other version to highlight the changes made.

Cognidox Ltd has a Data Transfer Policy that applies to customer data.

6.9

Data processing

A sequence of operations performed on data to extract, present or obtain information in a defined format. Examples might include: statistical analysis of individual patient data to present trends or conversion of a raw electronic signal to a chromatogram and subsequently a calculated numerical result.

There should be adequate traceability of any user-defined parameters used within data processing activities to the raw data, including attribution to who performed the activity.

Audit trails and retained records should allow reconstruction of all data processing activities regardless of whether the output of that processing is subsequently reported or otherwise used for regulatory or business purposes. If data processing has been repeated with progressive modification of processing parameters this should be visible to ensure that the processing parameters are not being manipulated to achieve a more desirable result.

Cognidox does not process data; it is primarily a system for storing and managing data and other information effectively.

6.10

Excluding Data (not applicable to GPvP)

Note: this is not applicable to GPvP; for GPvP refer to the pharmacovigilance legislation (including the GVP modules) which provide the necessary requirements and statutory guidance.

Data may only be excluded where it can be demonstrated through valid scientific justification that the data are not representative of the quantity measured, sampled or acquired. In all cases, this justification should be documented and considered during data review and reporting. All data (even if excluded) should be retained with the original data set, and be available for review in a format that allows the validity of the decision to exclude the data to be confirmed.

Cognidox does not process data; it is primarily a system for storing and managing data and other information effectively.

6.11

Original record and true copy

6.11.1

Original record

The first or source capture of data or information e.g. original paper record of manual observation or electronic raw data file from a computerised system, and all subsequent data required to fully reconstruct the conduct of the GXP activity. Original records can be Static or Dynamic.

A static record format, such as a paper or electronic record, is one that is fixed and allows little or no interaction between the user and the record content. For example, once printed or converted to static electronic format chromatography records lose the capability of being reprocessed or enabling more detailed viewing of baselines.

Records in dynamic format, such as electronic records, allow an interactive relationship between the user and the record content. For example, electronic records in database formats allow the user to track, trend and query data; chromatography records maintained as electronic records allow the user or reviewer (with appropriate access permissions) to reprocess the data and expand the baseline to view the integration more clearly.

Where it is not practical or feasibly possible to retain the original copy of source data, (e.g. MRI scans, where the source machine is not under the study sponsor's control and the operator can only provide summary statistics) the risks and mitigation should be documented.

Where the data obtained requires manual observation to record (for example results of a manual titration, visual interpretation of environmental monitoring plates) the process should be risk assessed and depending on the criticality, justify if a second contemporaneous verification check is required or investigate if the result could be captured by an alternate means.

Cognidox stores all versions of a document, file or set of data in static format. Changes made to any document, file or set of data result in a new version which supersedes – but does not delete – previous versions.

Documents, files or sets of data can be searched, reported on, or aggregated via its enterprise-level search facility or ‘custom reports’ but cannot be altered via those mechanisms.

6.11.2

True copy:

A copy (irrespective of the type of media used) of the original record that has been verified (i.e. by a dated signature or by generation through a validated process) to have the same information, including data that describe the context, content, and structure, as the original.

A true copy may be stored in a different electronic file format to the original record if required, but must retain the metadata and audit trail required to ensure that the full meaning of the data are kept and its history may be reconstructed.

Original records and true copies must preserve the integrity of the record. True copies of original records may be retained in place of the original record (e.g. scan of a paper record), if a documented system is in place to verify and record the integrity of the copy. Organisations should consider any risk associated with the destruction of original records.

It should be possible to create a true copy of electronic data, including relevant metadata, for the purposes of review, backup and archival. Accurate and complete copies for certification of the copy should include the meaning of the data (e.g. date formats, context, layout, electronic signatures and authorisations) and the full GXP audit trail. Consideration should be given to the dynamic functionality of a ‘true copy’ throughout the retention period (see ‘archive’).

Data must be retained in a dynamic form where this is critical to its integrity or later verification. If the computerised system cannot be maintained e.g., if it is no longer supported, then records should be archived according to a documented archiving strategy prior to decommissioning the computerised system. It is conceivable for some data generated by electronic means to be retained in an acceptable paper or electronic format, where it can be justified that a static record maintains the integrity of the original data. However, the data retention process must be shown to include verified copies of all raw data, metadata, relevant audit trail and result files, any variable software/system configuration settings specific to each record, and all data processing runs (including methods and audit trails) necessary for reconstruction of a given raw data set. It would also require a documented means to verify that the printed records were an accurate representation. To enable a GXP compliant record this approach is likely to be demanding in its administration.

(MHRA GXP Data Integrity Guidance and Definitions; Revision 1: March 2018)

Where manual transcriptions occur, these should be verified by a second person or validated system. 

Cognidox provides an effective way to store true copies.

Metadata can be copied from the original record to a true copy by exporting the original record/s then using the import utility to replicate the record/s – with metadata, and with version information and version histories – as true copies.

These can be certified as true copies through the use of electronic signatures; the date of approval, purpose of approval (e.g. verification of this being a true copy) and electronic signature is stored in the system and is also available as an approval manifest in the read-only (PDF) versions of the document.

6.12

Computerised system transactions

A computerised system transaction is a single operation or sequence of operations performed as a single logical ‘unit of work’. The operation(s) that makes a transaction may not be saved as a permanent record on durable storage until the user commits the transaction through a deliberate act (e.g. pressing a save button), or until the system forces the saving of data.

The metadata (e.g. username, date, and time) are not captured in the system audit trail until the user saves the transaction to durable storage. In computerised systems, an electronic signature may be required for the record to be saved and become permanent.

A critical step is a parameter that must be within an appropriate limit, range, or distribution to ensure the safety of the subject or quality of the product or data. Computer systems should be designed to ensure that the execution of critical steps is recorded contemporaneously. Where transactional systems are used, the combination of multiple unit operations into a combined single transaction should be avoided, and the time intervals before saving of data should be minimised. Systems should be designed to require saving data to permanent memory before prompting users to make changes.

The organisation should define during the development of the system (e.g. via the user requirements specification) what critical steps are appropriate based on the functionality of the system and the level of risk associated. Critical steps should be documented with process controls that consider system design (prevention), together with monitoring and review processes. Oversight of activities should alert to failures that are not addressed by the process design. 

Transactions in Cognidox are processed as a result of event-logged key-presses with the exception of:

  • Conversion of documents to PDF format for read-only use
  • Conversion of Visio diagrams to SVG format, for use with the gBMS Intranet platform
  • Sending of reminder alerts, via email, to users after a selected period of time
  • Backups

(All of which are arranged automatically by Cognidox).

Document and record approval – for instance, to confirm validation or authorise their use – can be configured to require electronic signatures; the date of approval and electronic signature is stored in the system and is also available as an approval manifest in the read-only (PDF) versions of the document or record.

6.13

Audit trail

The audit trail is a form of metadata containing information associated with actions that relate to the creation, modification or deletion of GXP records. An audit trail provides for secure recording of life-cycle details such as creation, additions, deletions or alterations of information in a record, either paper or electronic, without obscuring or overwriting the original record. An audit trail facilitates the reconstruction of the history of such events relating to the record regardless of its medium, including the “who, what, when and why” of the action.

Where computerised systems are used to capture, process, report, store or archive raw data electronically, system design should always provide for the retention of audit trails to show all changes to, or deletion of data while retaining previous and original data. It should be possible to associate all data and changes to data with the persons making those changes, and changes should be dated and time stamped (time and time zone where applicable). The reason for any change should also be recorded. The items included in the audit trail should be those of relevance to permit reconstruction of the process or activity.

Audit trails (identified by risk assessment as required) should be switched on. Users should not be able to amend or switch off the audit trail. Where a system administrator amends, or switches off the audit trail a record of that action should be retained.

The relevance of data retained in audit trails should be considered by the organisation to permit robust data review/verification. It is not necessary for audit trail review to include every system activity (e.g. user log on/off, keystrokes etc.).

Where relevant audit trail functionality does not exist (e.g. within legacy systems) an alternative control may be achieved for example defining the process in an SOP, and use of log books. Alternative controls should be proven to be effective. Where add-on software or a compliant system does not currently exist, continued use of the legacy system may be justified by documented evidence that a compliant solution is being sought and that mitigation measures temporarily support the continued use. (1)

Routine data review should include a documented audit trail review where this is determined by a risk assessment. When designing a system for review of audit trails, this may be limited to those with GXP relevance. Audit trails may be reviewed as a list of relevant data, or by an ‘exception reporting' process. An exception report is a validated search tool that identifies and documents predetermined ‘abnormal’ data or actions, that require further attention or investigation by the data reviewer.

Reviewers should have sufficient knowledge and system access to review relevant audit trails, raw data and metadata (see also ‘data governance’).

Where systems do not meet the audit trail and individual user account expectations, demonstrated progress should be available to address these shortcomings. This should either be through add-on software that provides these additional functions or by an upgrade to a compliant system. Where remediation has not been identified or subsequently implemented in a timely manner a deficiency may be cited.

(1). It is expected that GMP facilities with industrial automation and control equipment/ systems such as programmable logic controllers should be able to demonstrate working towards system upgrades with individual login and audit trails (reference: Art 23 of Directive 2001/83/EC).

All versions of documents, files and data stored in Cognidox, as well as system access, have event log entries that provide time-stamped records of all actions taken and by whom.

The event log is available to any user who has been granted the appropriate permission (security profile). The log cannot be amended or deleted and there are no time limits applied to the record.

Cognidox creates an MD5 checksum for each document, file or data item it stores so that it can be verified. After a document, file or data has been downloaded, a checksum utility can be used to verify that it is the correct version of the file.
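The ‘exception reporting’ review described in 6.13, combined with the 6.9 concern about repeated reprocessing with changed parameters, can be sketched as follows. This is an added example, not Cognidox code or part of the MHRA guidance; the log field names, action names and the threshold are assumptions, and the sample entries are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail (not Cognidox output). Field names, action
# names and record identifiers are assumptions made for this example.
AUDIT_TRAIL = [
    {"ts": "2024-03-01T09:00:00+00:00", "user": "jsmith", "action": "create",
     "record": "DOC-001", "reason": "initial entry"},
    {"ts": "2024-03-01T09:30:00+00:00", "user": "jsmith", "action": "modify",
     "record": "DOC-001", "reason": ""},
    {"ts": "2024-03-01T10:00:00+00:00", "user": "alee", "action": "reprocess",
     "record": "RUN-7", "reason": "initial integration", "params": {"threshold": 0.5}},
    {"ts": "2024-03-01T10:05:00+00:00", "user": "alee", "action": "reprocess",
     "record": "RUN-7", "reason": "baseline drift", "params": {"threshold": 0.4}},
    {"ts": "2024-03-01T10:09:00+00:00", "user": "alee", "action": "reprocess",
     "record": "RUN-7", "reason": "baseline drift", "params": {"threshold": 0.3}},
    {"ts": "2024-03-01T11:00:00+00:00", "user": "admin1", "action": "audit_trail_disabled",
     "record": "SYSTEM", "reason": "maintenance"},
    {"ts": "2024-03-01 12:00:00", "user": "", "action": "delete",
     "record": "DOC-002", "reason": "obsolete"},
]

CHANGE_ACTIONS = {"modify", "delete"}  # changes that must carry a reason
AUDIT_CONTROL_ACTIONS = {"audit_trail_disabled", "audit_trail_amended"}
MAX_PARAMETER_SETS = 2  # assumed review threshold per record


def parse_aware_timestamp(value):
    """Return a timezone-aware datetime, or None if missing, invalid or naive."""
    try:
        ts = datetime.fromisoformat(value)
    except (TypeError, ValueError):
        return None
    return ts if ts.tzinfo is not None else None


def exception_report(entries):
    """Return (entry index, rule, detail) for entries a reviewer should examine."""
    findings = []
    parameter_sets = defaultdict(set)  # record id -> distinct processing parameter sets
    for index, entry in enumerate(entries):
        action = entry.get("action", "")

        # "Who": every change must be attributable to a person or source.
        if not entry.get("user"):
            findings.append((index, "MISSING_ATTRIBUTION", "no user recorded"))

        # "When": changes must be dated and time stamped, with time zone.
        if parse_aware_timestamp(entry.get("ts")) is None:
            findings.append((index, "BAD_TIMESTAMP", "missing, invalid or no time zone"))

        # "Why": the reason for any change should be recorded.
        if action in CHANGE_ACTIONS and not (entry.get("reason") or "").strip():
            findings.append((index, "MISSING_REASON", f"{action} without a reason"))

        # Amending or switching off the audit trail is always surfaced for review.
        if action in AUDIT_CONTROL_ACTIONS:
            findings.append((index, "AUDIT_TRAIL_CONTROL", action))

        # Repeated processing with progressively modified parameters (6.9).
        if action == "reprocess":
            key = tuple(sorted(entry.get("params", {}).items()))
            seen = parameter_sets[entry.get("record")]
            is_new = key not in seen
            seen.add(key)
            if is_new and len(seen) > MAX_PARAMETER_SETS:
                findings.append((index, "REPEATED_REPROCESSING",
                                 f"{len(seen)} distinct parameter sets"))
    return findings


if __name__ == "__main__":
    for index, rule, detail in exception_report(AUDIT_TRAIL):
        print(f"entry {index}: {rule} ({detail})")
```
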

6.14

Electronic signatures

A signature in digital form (bio-metric or non-biometric) that represents the signatory. This should be equivalent in legal terms to the handwritten signature of the signatory.

The use of electronic signatures should be appropriately controlled with consideration given to:

  • How the signature is attributable to an individual.
  • How the act of ‘signing’ is recorded within the system so that it cannot be altered or manipulated without invalidating the signature or status of the entry.
  • How the record of the signature will be associated with the entry made and how this can be verified.
  • The security of the electronic signature i.e. so that it can only be applied by the ‘owner’ of that signature.

It is expected that appropriate validation of the signature process associated with a system is undertaken to demonstrate suitability and that control over signed records is maintained. Where a paper or pdf copy of an electronically signed document is produced, the metadata associated with an electronic signature should be maintained with the associated document.

The use of electronic signatures should be compliant with the requirements of international standards. The use of advanced electronic signatures should be considered where this method of authentication is required by the risk assessment. Electronic signature or E-signature systems must provide for “signature manifestations” i.e. a display within the viewable record that defines who signed it, their title, and the date (and time, if significant) and the meaning of the signature (e.g. verified or approved).

An inserted image of a signature or a footnote indicating that the document has been electronically signed (where this has been entered by a means other than the validated electronic signature process) is not adequate. Where a document is electronically signed then the metadata associated with the signature should be retained.

For printed copies of electronically signed documents refer to True Copy section.

Expectations for electronic signatures associated with informed consent (GCP) are covered in alternative guidance (MHRA/HRA DRAFT Guidance on the use of electronic consent).

Approval of documents, files and data stored in Cognidox can be set to require electronic signatures; these are compliant with the requirements of FDA 21 CFR Part 11 and GxP data integrity requirements.

The ‘authentication on approval’ electronic signature functionality requires a document approver’s user ID and password to be re-entered and ensures that signed electronic records show their name, role, date and time, location, and the meaning (such as review, approval, responsibility, validation, certification as a true copy, or authorship) associated with the signature; all these are configurable. An approval checksum is also given, to allow the integrity of the approval record to be proven.

This information is recorded in Cognidox as metadata. Signature manifestations are included in the PDF version of the viewable record. This defines who signed it, their title, the date/time and the meaning of the signature. This information is all included in the approval manifest sheet that is added to the PDF copy of the document; it is possible to restrict users to see only this PDF copy of the document if required.

The approval manifest includes a list of previous approved issues and who approved them, together with the times/dates of those previous approvals.

The PDF copy of the electronically signed document contains a checksum linking the document back to the records in Cognidox to prove integrity of the PDF.

Once given, approval cannot be rescinded.

6.15

Data review and approval

The approach to reviewing specific record content, such as critical data and metadata, crossouts (paper records) and audit trails (electronic records) should meet all applicable regulatory requirements and be risk-based.

There should be a procedure that describes the process for review and approval of data. Data review should also include a risk-based review of relevant metadata, including relevant audit trails records. Data review should be documented and the record should include a positive statement regarding whether issues were found or not, the date that review was performed and the signature of the reviewer.

A procedure should describe the actions to be taken if data review identifies an error or omission. This procedure should enable data corrections or clarifications to provide visibility of the original record, and traceability of the correction, using ALCOA principles (see ‘data’ definition).

Where data review is not conducted by the organisation that generated the data, the responsibilities for data review must be documented and agreed by both parties. Summary reports of data are often supplied between organisations (contract givers and acceptors). It must be acknowledged that summary reports are limited and critical supporting data and metadata may not be included.

Many software packages allow configuration of customised reports. Key actions may be incorporated into such reports provided they are validated and locked to prevent changes. Automated reporting tools and reports may reduce the checks required to assure the integrity of the data.

Where summary reports are supplied by a different organisation, the organisation receiving and using the data should evaluate the data provider’s data integrity controls and processes prior to using the information.

  • Routine data review should consider the integrity of an individual data set e.g. is this the only data generated as part of this activity? Has the data been generated and maintained correctly? Are there indicators of unauthorised changes?
  • Periodic audit of the data generated (encompassing both a review of electronically generated data and the broader organisational review) might verify the effectiveness of existing control measures and consider the possibility of unauthorised activity at all interfaces, e.g. have there been IT requests to amend any data post review? Have there been any system maintenance activities and has the impact of that activity been assessed?

Cognidox has an established workflow for all documents, files and data: storing, reviewing/collaborating, approving, making available and maintaining.

System settings can make these workflow steps, and supporting information such as document review or release comments, mandatory for all documents, files and data or for those of a specific type or related to a specific area of the business. Review and approval comments are added to the document or file metadata.

The system enforces the workflow and prevents inappropriate sequencing; it can also make specific named users mandatory for approving documents, files and data if required.

The procedures used for managing reviews and approvals are business processes that each Cognidox customer develops and implements in their own way. The process documentation or instructions can also be stored in Cognidox and, if appropriate, can be made available to users via the Cognidox gBMS Intranet platform.

Summary or customised reports, whether manually or automatically generated by Cognidox, can be stored and managed and their integrity protected in the same way as any other document or file.

6.16

Computerised system user access/system administrator roles

Full use should be made of access controls to ensure that people have access only to functionality that is appropriate for their job role, and that actions are attributable to a specific individual. Companies must be able to demonstrate the access levels granted to individual staff members and ensure that historical information regarding user access level is available. Where the system does not capture this data, then a record must be maintained outside of the system. Access controls should be applied to both the operating system and application levels. Individual login at operating system level may not be required if appropriate controls are in place to ensure data integrity (e.g. no modification, deletion or creation of data outside the application is possible).

For systems generating, amending or storing GXP data shared logins or generic user access should not be used. Where the computerised system design supports individual user access, this function must be used. This may require the purchase of additional licences. Systems (such as MRP systems) that are not used in their entirety for GXP purposes but do have elements within them, such as approved suppliers, stock status, location and transaction histories that are GXP applicable require appropriate assessment and control.

It is acknowledged that some computerised systems support only a single user login or limited numbers of user logins. Where no suitable alternative computerised system is available, equivalent control may be provided by third-party software or a paper-based method of providing traceability (with version control). The suitability of alternative systems should be justified and documented. Increased data review is likely to be required for hybrid systems because they are vulnerable to non-attributable data changes. It is expected that companies should be implementing systems that comply with current regulatory expectations. (2)

System administrator access should be restricted to the minimum number of people possible taking account of the size and nature of the organisation. The generic system administrator account should not be available for routine use. Personnel with system administrator access should log in with unique credentials that allow actions in the audit trail(s) to be attributed to a specific individual. The intent of this is to prevent giving access to users with potentially a conflict of interest so that they can make unauthorised changes that would not be traceable to that person.

System Administrator rights (permitting activities such as data deletion, database amendment or system configuration changes) should not be assigned to individuals with a direct interest in the data (data generation, data review or approval).

Individuals may require changes in their access rights depending on the status of clinical trial data. For example, once data management processes are complete, the data is ‘locked’ by removing editing access rights. This should be able to be demonstrated within the system.

(2). It is expected that GMP facilities with industrial automation and control equipment/ systems such as programmable logic controllers should be able to demonstrate working towards system upgrades with individual login and audit trails (reference: Art 23 of Directive 2001/83/EC).

System access is controlled via unique, robust passwords – with definable length and format – for each user. Regular changes of password can be enforced. Attempts to access the system can be blocked for a period after a specified number of incorrect password attempts.

System access via Windows Active Directory can be provided. Authentication can also be configured to use a customer's SAML based single identity provider.

If ‘authentication on approval’ functionality is enabled the user also has to authenticate their identity when approving documents by re-entering their unique user ID and strong password (or authenticator token if this option is selected by the system administrator).

Fine-grained, robust security profiles can be applied to all content to limit access, and available actions, to specific users. The rights can be further restricted by security profiles bound to documents, and these rights can only be changed by authorised system administrators.

All versions of documents, files and data stored in Cognidox, as well as system access, have event log entries that provide time-stamped records of all actions taken and by whom. This provides an effective audit trail.

6.17

Data retention

Data retention may be for archiving (protected data for long-term storage) or backup (data for the purposes of disaster recovery).

Data and document retention arrangements should ensure the protection of records from deliberate or inadvertent alteration or loss. Secure controls must be in place to ensure the data integrity of the record throughout the retention period and should be validated where appropriate (see also data transfer/migration).

Data (or a true copy) generated in paper format may be retained by using a validated scanning process provided there is a documented process in place to ensure that the outcome is a true copy.

Procedures for destruction of data should consider data criticality and where applicable legislative retention requirements. 

All documents, files and data are permanently protected from automatic deletion (there is no automatic deletion at the end of a retention period), even if marked as obsolete.

There is no automatic expiry of documents in Cognidox; they are stored indefinitely. If any document is to be reviewed for deletion after a given amount of time, this can be set by a ‘shared reminder’ which will notify identified individuals, via email, to conduct the review on a specified date. Event log records are maintained for deleted documents.

Manually deleting documents, files and data is a restricted right. For unapproved documents, only users with appropriate privileges can do this, and the action is recorded and time-stamped in the system log. Once a document, file or data has been approved, only users with the additional rights, or system administrators, can delete the documents and, again, the action is recorded and time-stamped in the system log.

All documents, files and data, even if marked as obsolete and even if moved to different parts (‘categories’) of the system, can be found via the enterprise-level search facility. When documents, files or data have reached the end of life, they can be placed into a restricted private workspace which makes them only accessible to authorised document archivists.

6.17.1.

Archive

A designated secure area or facility (e.g. cabinet, room, building or computerised system) for the long-term retention of data and metadata for the purposes of verification of the process or activity.

Archived records may be the original record or a ‘true copy’ and should be protected so they cannot be altered or deleted without detection and protected against any accidental damage such as fire or pest.

Archive arrangements must be designed to permit recovery and readability of the data and metadata throughout the required retention period. In the case of archiving of electronic data, this process should be validated, and in the case of legacy systems the ability to review data periodically verified (i.e. to confirm the continued support of legacy computerised systems). Where hybrid records are stored, references between physical and electronic records must be maintained such that full verification of events is possible throughout the retention period.

When legacy systems can no longer be supported, consideration should be given to maintaining the software for data accessibility purposes (for as long as possible depending upon the specific retention requirements). This may be achieved by maintaining software in a virtual environment.

Migration to an alternative file format that retains as much as possible of the ‘true copy’ attributes of the data may be necessary with increasing age of the legacy data. Where migration with full original data functionality is not technically possible, options should be assessed based on risk and the importance of the data over time. The migration file format should be selected considering the balance of risk between long-term accessibility versus the possibility of reduced dynamic data functionality (e.g. data interrogation, trending, reprocessing etc). It is recognised that the need to maintain accessibility may require migration to a file format that loses some attributes and/or dynamic data functionality (see also ‘Data Migration’). 

All documents, files and data are permanently protected from automatic deletion (there is no automatic deletion at the end of a retention period), even if marked as obsolete.

When documents, files or data have reached the end of life, they can be placed into a restricted private workspace which makes them only accessible to authorised document archivists.

If required, documents, files or data can be exported and stored in other media to give long-term accessibility independent of Cognidox.

6.17.2

Backup

A copy of current (editable) data, metadata and system configuration settings maintained for recovery including disaster recovery.

Backup and recovery processes should be validated and periodically tested. Each backup should be verified to ensure that it has functioned correctly e.g. by confirming that the data size transferred matches that of the original record.

The backup strategies for the data owners should be documented.

Backups for recovery purposes do not replace the need for the long-term retention of data and metadata in its final form for the purposes of verification of the process or activity.

Each hosted node (customer cloud server) runs a backup client that reports to a Cognidox central backup server in the cloud service provider’s datacentre. Each node takes regular deltas of changed files during the day and a nightly snapshot of any customer databases.

The files to be backed up are encrypted using AES-256 and transmitted over a TLS connection to the central backup server where they’re stored encrypted at-rest. Encryption is performed using a key that is unique to each node, and the key (for restoration purposes) is itself held GPG encrypted offline and only accessible by authorised Cognidox staff. The central backup store itself is backed up to an Amazon Web Service (AWS) storage facility, ensuring that the data is stored on two distinct cloud service providers.

In the event of a security breach of either the central backup server or the AWS storage, the backup data will remain secure as the decryption keys are not stored online.

Cognidox Ltd monitors each node’s backup space to ensure it is being regularly updated and that any alerts generated by the backup process are reported to Cognidox system administrators. The storage layer used on all hosted services is held on physically redundant hardware maintained by the service provider.

6.18

File structure

Data Integrity risk assessment requires a clear understanding of file structure. The way data is structured within the GXP environment will depend on what the data will be used for and the end user may have this dictated to them by the software/computerised system(s) available.

There are many types of file structure, the most common being flat files and relational databases.

Different file structures due to their attributes may require different controls and data review methods and may retain meta data in different ways. 

Cognidox uses category metadata to give the appearance and functionality of a configurable, hierarchical folder-based file structure, although documents, files and data are actually stored as flat files.

Strong controls are applied to individual documents and files, and also to the metadata categories to which they are assigned.

6.19

Validation – for intended purpose (GMP; See also Annex 11, 15)

Computerised systems should comply with regulatory requirements and associated guidance. These should be validated for their intended purpose which requires an understanding of the computerised system’s function within a process. For this reason, the acceptance of vendor supplied validation data in isolation of system configuration and users’ intended use is not acceptable. In isolation from the intended process or end-user IT infrastructure, vendor testing is likely to be limited to functional verification only and may not fulfil the requirements for performance qualification.

Functional verification demonstrates that the required information is consistently and completely presented. Validation for intended purpose ensures that the steps for generating the custom report accurately reflect those described in the data checking SOP and that the report output is consistent with the procedural steps for performing the subsequent review. 

Cognidox Ltd can supply a software validation pack to assist customers to validate their use of Cognidox in relation to medical device regulatory requirements. The pack includes a Validation Report, an IQ template, a PQ template, a completed PQ-OP example, and test specifications and results.

6.20

IT Suppliers and Service Providers (including Cloud providers and virtual service/platforms (also referred to as software as a service (SaaS) / platform as a service (PaaS) / infrastructure as a service (IaaS)))

Where ‘cloud’ or ‘virtual’ services are used, attention should be paid to understanding the service provided, ownership, retrieval, retention and security of data.

The physical location where the data is held, including the impact of any laws applicable to that geographic location, should be considered.

The responsibilities of the contract giver and acceptor should be defined in a technical agreement or contract. This should ensure timely access to data (including metadata and audit trails) to the data owner and national competent authorities upon request. Contracts with providers should define responsibilities for archiving and continued readability of the data throughout the retention period (see archive).

Appropriate arrangements must exist for the restoration of the software/system as per its original validated state, including validation and change control information to permit this restoration.

Business continuity arrangements should be included in the contract, and tested. The need for an audit of the service provider should be based upon risk.

Cognidox Ltd can supply a software validation pack to assist customers to validate their use of Cognidox in relation to medical device regulatory requirements. The pack includes a Validation Report, an IQ template, a PQ template, a completed PQ-OP example, and test specifications and results.

Cognidox cloud services are usually delivered via the datacentres that are closest to the main users’ location. The current datacentre locations are London, Frankfurt, Newark and Tokyo but other locations may be used as demand grows.

Cognidox Ltd’s standard terms and conditions for supply of the service can be provided on request.

See 6.17.2 for more details about backup arrangements in relation to business continuity.

ISO 9001 Compliance

Clause Regulation summary Cognidox document management system

4

Context of the organization

4.4

Quality management system and its processes

4.4.1

The organization shall establish, implement, maintain and continually improve a quality management system, including the processes needed and their interactions, in accordance with the requirements of this International Standard.

The organization shall determine the processes needed for the quality management system and their application throughout the organization, and shall:

4.4.1a

determine the inputs required and the outputs expected from these processes;

4.4.1b

determine the sequence and interaction of these processes;

4.4.1c

determine and apply the criteria and methods (including monitoring, measurements and related performance indicators) needed to ensure the effective operation and control of these processes;

4.4.1d

determine the resources needed for these processes and ensure their availability;

4.4.1e

assign the responsibilities and authorities for these processes;

4.4.1f

address the risks and opportunities as determined in accordance with the requirements of 6.1;

4.4.1g

evaluate these processes and implement any changes needed to ensure that these processes achieve their intended results;

4.4.1h

improve the processes and the quality management system.

Cognidox is an enterprise level document management system, designed for engineering teams to manage complex product developments in the high-tech, medical device, and life science product sectors. It includes built-in workflows and a process-based graphical business management platform. A compliant quality management system can be built using Cognidox.

Cognidox stores and makes it easy for users to find and access quality management system documents, the structure of which is made evident through the use of configurable categories (folders) and, where applicable, graphical quality management system pages (Intranet).

The sequence and interaction of process documents can be shown within the documents themselves and, where applicable, via graphical quality management system pages (Intranet) to illustrate the relationship between them. Documents in Cognidox can include hyperlinks to other documents, further enhancing usability and showing the links between processes.

4.4.2

To the extent necessary, the organization shall:

4.4.2a

maintain documented information to support the operation of its processes;

4.4.2b

retain documented information to have confidence that the processes are being carried out as planned.

Cognidox stores, retains and makes it easy to maintain quality management system documented information.

5

Leadership

5.2

Policy

5.2.2

Communicating the quality policy

The quality policy shall:

5.2.2a

be available and be maintained as documented information;

5.2.2b

be communicated, understood and applied within the organization;

5.2.2c

be available to relevant interested parties, as appropriate.

Cognidox makes it easy for users to find and access the quality policy. ‘View Policies’ functionality can be used to record users’ access to the quality policy and declarations that they have read it. A regular review of the policy can be facilitated through the use of a Shared Reminder (document metadata that alerts key individuals to the need to undertake a review after a given time period has elapsed).

6

Planning

6.1

Actions to address risks and opportunities

6.1.1

When planning for the quality management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:

6.1.1a

give assurance that the quality management system can achieve its intended result(s);

6.1.1b

enhance desirable effects;

6.1.1c

prevent, or reduce, undesired effects;

6.1.1d

achieve improvement.

Cognidox makes it easy for users to find and access documented information regarding risks and opportunities, including processes, actions, analyses and records.

6.1.2

The organization shall plan:

6.1.2a

actions to address these risks and opportunities;

6.1.2b

how to:

1. integrate and implement the actions into its quality management system processes (see 4.4);

2. evaluate the effectiveness of these actions.

Actions taken to address risks and opportunities shall be proportionate to the potential impact on the conformity of products and services.

NOTE 1 Options to address risks can include avoiding risk, taking risk in order to pursue an opportunity, eliminating the risk source, changing the likelihood or consequences, sharing the risk, or retaining risk by informed decision.

NOTE 2 Opportunities can lead to the adoption of new practices, launching new products, opening new markets, addressing new customers, building partnerships, using new technology and other desirable and viable possibilities to address the organization’s or its customers’ needs.

Cognidox makes it easy for users to find and access documented information regarding risks and opportunities, including actions, analyses and records, and to integrate risk and opportunity management within a quality management system.

6.2

Quality objectives and planning to achieve them

6.2.1

The organization shall establish quality objectives at relevant functions, levels and processes needed for the quality management system.

The quality objectives shall:

6.2.1a

be consistent with the quality policy;

6.2.1b

be measurable;

6.2.1c

take into account applicable requirements;

6.2.1d

be relevant to conformity of products and services and to enhancement of customer satisfaction;

6.2.1e

be monitored;

6.2.1f

be communicated;

6.2.1g

be updated as appropriate.

The organization shall maintain documented information on the quality objectives.

Cognidox makes it easy for users to find, access and – where appropriate – update documented information regarding quality objectives.

6.2

Planning of changes

When the organization determines the need for changes to the quality management system, the changes shall be carried out in a planned manner (see 4.4).

The organization shall consider:

6.2a

the purpose of the changes and their potential consequences;

6.2b

the integrity of the quality management system;

6.2c

the availability of resources;

6.2d

the allocation or reallocation of responsibilities and authorities.

Cognidox stores, maintains and makes it easy for users to access quality management system change procedures and related documentation, and – where appropriate – make controlled changes to quality management system documentation and files.

Pre-determined format information (such as change requests or change notes) can make use of the Cognidox Forms functionality.

Reviews and changes to all documents, forms, records and files, and related records, can be rigorously managed within Cognidox and the history of reviews, approvals, evaluations of the impact of changes, verification and validation, and records of changes all recorded.

7

Support

7.1.5

Monitoring and measuring resources

7.1.5.1

General

The organization shall determine and provide the resources needed to ensure valid and reliable results when monitoring or measuring is used to verify the conformity of products and services to requirements.

The organization shall ensure that the resources provided:

7.1.5.1a

are suitable for the specific type of monitoring and measurement activities being undertaken;

7.1.5.1b

are maintained to ensure their continuing fitness for their purpose.

The organization shall retain appropriate documented information as evidence of fitness for purpose of the monitoring and measurement resources.

7.1.5.2

Measurement traceability

When measurement traceability is a requirement, or is considered by the organization to be an essential part of providing confidence in the validity of measurement results, measuring equipment shall be:

7.1.5.2a

calibrated or verified, or both, at specified intervals, or prior to use, against measurement standards traceable to international or national measurement standards; when no such standards exist, the basis used for calibration or verification shall be retained as documented information;

7.1.5.2b

identified in order to determine their status;

7.1.5.2c

safeguarded from adjustments, damage or deterioration that would invalidate the calibration status and subsequent measurement results.

The organization shall determine if the validity of previous measurement results has been adversely affected when measuring equipment is found to be unfit for its intended purpose, and shall take appropriate action as necessary.

Cognidox stores inspection, measuring, test and calibration procedures and records, including calibration results and certificates; it enables them to be reviewed/collaborated on, approved and maintained, and makes it easy for users to find and access them. Cognidox ‘Shared Reminders’ can be set on calibration or test result documents to remind identified individuals that the next test/calibration has become due (i.e. the system can notify users at selected intervals).

7.1.6

Organizational knowledge

The organization shall determine the knowledge necessary for the operation of its processes and to achieve conformity of products and services.

This knowledge shall be maintained and be made available to the extent necessary.

When addressing changing needs and trends, the organization shall consider its current knowledge and determine how to acquire or access any necessary additional knowledge and required updates.

NOTE 1 Organizational knowledge is knowledge specific to the organization; it is generally gained by experience. It is information that is used and shared to achieve the organization’s objectives.

NOTE 2 Organizational knowledge can be based on:

a) internal sources (e.g. intellectual property; knowledge gained from experience; lessons learned from failures and successful projects; capturing and sharing undocumented knowledge and experience; the results of improvements in processes, products and services);

b) external sources (e.g. standards; academia; conferences; gathering knowledge from customers or external providers).

Cognidox makes it easy to configure documents, categories (folders) or document types that enable users to capture, share, identify and maintain organisational knowledge as documented information.

7.2

Competence

The organization shall:

7.2a

determine the necessary competence of person(s) doing work under its control that affects the performance and effectiveness of the quality management system;

7.2b

ensure that these persons are competent on the basis of appropriate education, training, or experience;

7.2c

where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken;

7.2d

retain appropriate documented information as evidence of competence.

NOTE Applicable actions can include, for example, the provision of training to, the mentoring of, or the reassignment of currently employed persons; or the hiring or contracting of competent persons.

Cognidox manages competency requirements, records, appraisals, training plans and records, including ensuring confidentiality by restricting access to those with appropriate security profiles.

7.3

Awareness

The organization shall ensure that persons doing work under the organization’s control are aware of:

7.3a

the quality policy;

7.3b

relevant quality objectives;

7.3c

their contribution to the effectiveness of the quality management system, including the benefits of improved performance;

7.3d

the implications of not conforming with the quality management system requirements.

The ‘View Policies’ function can be used to record users’ access to documented information such as the quality policy and objectives, and stores users’ declarations that they have read them.

7.4

Communication

The organization shall determine the internal and external communications relevant to the quality management system, including:

7.4a on what it will communicate;

7.4b when to communicate;

7.4c with whom to communicate;

7.4d how to communicate;

7.4e who communicates.

Processes for managing incoming and outgoing communications, and the communications themselves, can be defined, stored and managed in Cognidox or directly from Microsoft Office® applications – including Outlook® – via the Cognidox Microsoft Office® add-in.

Cognidox can also be used to communicate directly with selected third parties by setting them up as Limited Access Partners with strictly limited permissions to view, upload or download information only in pre-determined areas of the Cognidox system.

Cognidox can optionally be set up to provide a cloud-based Extranet web portal, which includes a content licensing and publishing engine that allows the distribution of information and software to customers or other third parties to be strictly controlled.

7.5

Documented information

7.5.1

General

The organization’s quality management system shall include:

7.5.1a documented information required by this International Standard;

7.5.1b documented information determined by the organization as being necessary for the effectiveness of the quality management system.

NOTE The extent of documented information for a quality management system can differ from one organization to another due to:

— the size of organization and its type of activities, processes, products and services;

— the complexity of processes and their interactions;

— the competence of persons.

Cognidox enables the documented information required by the quality management system, including procedures and records, to be stored, reviewed, collaborated on and maintained, and makes it easy for users to find and access.

7.5.2

Creating and updating

When creating and updating documented information, the organization shall ensure appropriate:

7.5.2a identification and description (e.g. a title, date, author, or reference number);

7.5.2b format (e.g. language, software version, graphics) and media (e.g. paper, electronic);

7.5.2c review and approval for suitability and adequacy.

Documented information identification is via a document reference number and title; the date, author, and other fields of reference information are also stored.

Format and media information can be specified in metadata fields if required. The permissible document media for specific document types can also be specified.

Document metadata in Cognidox is supported for Microsoft Office® documents via visible ‘pre-filter’ metadata fields that are automatically updated by the system.

All documents and information – including metadata – in Cognidox can be set to be reviewed for content, and approved prior to use, by designated individuals; this applies to changes as well as to the original documents.

7.5.3

Control of documented information

7.5.3.1

Documented information required by the quality management system and by this International Standard shall be controlled to ensure:

7.5.3.1a it is available and suitable for use, where and when it is needed;

7.5.3.1b it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).

7.5.3.2

For the control of documented information, the organization shall address the following activities, as applicable:

7.5.3.2a distribution, access, retrieval and use;

7.5.3.2b storage and preservation, including preservation of legibility;

7.5.3.2c control of changes (e.g. version control);

7.5.3.2d retention and disposition.

Documented information of external origin determined by the organization to be necessary for the planning and operation of the quality management system shall be identified as appropriate, and be controlled.

Documented information retained as evidence of conformity shall be protected from unintended alterations.

NOTE Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information.

Cognidox has fine-grained security permissions (access control) that govern who can view, download and/or modify each document. Documents can be superseded but cannot be deleted by users.

Cognidox preserves the integrity and visibility of all documents and information stored in it. All documents, as well as system access, have event log entries that provide time-stamped records of all actions taken and by whom; the log cannot be amended or deleted and there are no time limits applied to the records. Changes made to documents can be indicated in the metadata, and the differences between different versions can be highlighted. The version of a document is automatically shown and incremented as changes are made. Documents that have specific confidentiality requirements can be protected via use of confidential categories, via applied security profiles, and via the use of confidentiality metadata flags.

To allow documents to be verified, Cognidox creates an MD5 checksum for every document. After a document has been downloaded, a checksum utility can be used to verify that it is the correct version of the file.

Documents do not automatically get deleted after a fixed time in Cognidox; they are stored indefinitely. If any document is to be reviewed for deletion after a given amount of time, this can be set by a shared reminder which will notify identified individuals, via email, to conduct the review on a specified date.

Obsolete documents are conspicuously identified in Cognidox, and can be moved to specific categories to show they should not be used. Security permissions can be configured in Cognidox to make documents available to any persons, or groups of persons, that should have access to them. Security permissions can be applied to prevent unauthorized access if required.

8

Operation

8.1

Operational planning and control

The organization shall plan, implement and control the processes (see 4.4) needed to meet the requirements for the provision of products and services, and to implement the actions determined in Clause 6, by:

8.1a determining the requirements for the products and services;

8.1b establishing criteria for:

1. the processes;

2. the acceptance of products and services;

8.1c determining the resources needed to achieve conformity to the product and service requirements;

8.1d implementing control of the processes in accordance with the criteria;

8.1e determining, maintaining and retaining documented information to the extent necessary:

1. to have confidence that the processes have been carried out as planned;

2. to demonstrate the conformity of products and services to their requirements.

The output of this planning shall be suitable for the organization’s operations.

The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.

The organization shall ensure that outsourced processes are controlled (see 8.4).

Cognidox is an enterprise-level document management system, designed for engineering teams to plan and manage complex product developments and operations in the high-tech, medical device, and life science product sectors. It includes built-in workflows and a process-based graphical business management platform. A compliant quality management system that includes the management of operational planning and control can be built using Cognidox.

Cognidox stores process documentation and other key documents and records required for the provision of products and services; enables them to be reviewed, collaborated on, approved and maintained; and makes them easy for users to find and access. It also enables these documents and other information to be controlled, including records demonstrating conformity to requirements and records of processes having been followed.

Changes to operational planning and control can be managed, recorded and reviewed in Cognidox.

8.2

Requirements for products and services

8.2.1

Customer communication

Communication with customers shall include:

8.2.1a providing information relating to products and services;

8.2.1b handling enquiries, contracts or orders, including changes;

8.2.1c obtaining customer feedback relating to products and services, including customer complaints;

8.2.1d handling or controlling customer property;

8.2.1e establishing specific requirements for contingency actions, when relevant.

The processes used for communicating with customers can be stored and managed in Cognidox as can the incoming and/or outgoing electronic communications themselves.

Cognidox can be used to communicate with selected customers or third parties by setting them up as Limited Access Partners with strictly limited permissions to view, upload or download information only in pre-determined areas of the Cognidox system with no access to other areas of the system.

Cognidox can optionally be set up to provide a cloud-based Extranet web portal, which includes a content licensing and publishing engine that allows the distribution of information and software to customers or other third parties to be strictly controlled.

8.2.2

Determining the requirements for products and services

When determining the requirements for the products and services to be offered to customers, the organization shall ensure that:

8.2.2a the requirements for the products and services are defined, including:

1. any applicable statutory and regulatory requirements;

2. those considered necessary by the organization;

8.2.2b the organization can meet the claims for the products and services it offers.

Cognidox stores process documentation and other key documents and records required for requirements management; enables them to be reviewed, collaborated on, approved and maintained; makes them easy for users to find and access; and enables these documents, records and other information to be controlled.

This includes all the processes, documents and records described in 8.2 and includes externally-provided documents e.g. information from customers. Cognidox can be used to identify and manage changes to documents in a planned and controlled way and to notify users of changes.

8.2.3

Review of the requirements for products and services

8.2.3.1

The organization shall ensure that it has the ability to meet the requirements for products and services to be offered to customers. The organization shall conduct a review before committing to supply products and services to a customer, to include:

8.2.3.1a requirements specified by the customer, including the requirements for delivery and post-delivery activities;

8.2.3.1b requirements not stated by the customer, but necessary for the specified or intended use, when known;

8.2.3.1c requirements specified by the organization;

8.2.3.1d statutory and regulatory requirements applicable to the products and services;

8.2.3.1e contract or order requirements differing from those previously expressed.

The organization shall ensure that contract or order requirements differing from those previously defined are resolved.

The customer’s requirements shall be confirmed by the organization before acceptance, when the customer does not provide a documented statement of their requirements.

NOTE In some situations, such as internet sales, a formal review is impractical for each order. Instead, the review can cover relevant product information, such as catalogues.

Cognidox stores process documentation and other key documents and records required for requirements management, including verifying that customer requirements can be met; enables them to be reviewed, collaborated on, approved and maintained; makes them easy for users to find and access; and enables these documents, records and other information to be controlled. The results of requirements reviews are stored within Cognidox.

This includes all the processes, documents and records described in 8.2 and includes externally-provided documents e.g. information from customers.

Cognidox can be used to identify and manage changes to these documents in a planned and controlled way and to notify users of changes.

8.2.3.2

The organization shall retain documented information, as applicable:

8.2.3.2a on the results of the review;

8.2.3.2b on any new requirements for the products and services.

Cognidox enables and facilitates the retention of documented information as described in 8.2.3.2.

8.2.4

Changes to requirements for products and services

The organization shall ensure that relevant documented information is amended, and that relevant persons are made aware of the changed requirements, when the requirements for products and services are changed.

Cognidox can be used to identify and manage changes to requirements documents in a planned and controlled way and to notify users of changes.

8.3

Design and development of products and services

8.3.1

General

The organization shall establish, implement and maintain a design and development process that is appropriate to ensure the subsequent provision of products and services.

Cognidox is an enterprise-level document management system, designed for engineering teams to manage complex product developments in the high-tech, medical device, and life science product sectors. It stores and maintains design and development procedures and related documentation and files, and makes them easy for users to access.

8.3.2

Design and development planning

In determining the stages and controls for design and development, the organization shall consider:

8.3.2a the nature, duration and complexity of the design and development activities;

8.3.2b the required process stages, including applicable design and development reviews;

8.3.2c the required design and development verification and validation activities;

8.3.2d the responsibilities and authorities involved in the design and development process;

8.3.2e the internal and external resource needs for the design and development of products and services;

8.3.2f the need to control interfaces between persons involved in the design and development process;

8.3.2g the need for involvement of customers and users in the design and development process;

8.3.2h the requirements for subsequent provision of products and services;

8.3.2i the level of control expected for the design and development process by customers and other relevant interested parties;

8.3.2j the documented information needed to demonstrate that design and development requirements have been met.

Cognidox was designed for engineering teams to manage complex product developments and is optimised for storing, reviewing / collaborating, approving, finding and making available, and maintaining:

  • Design and development stages and plans
  • Design and development processes and procedures
  • Design and development review processes and results
  • Processes, forms, templates and records of validation, verification and design transfer (NPI), including proving the traceability of design outputs to design inputs
  • Responsibilities and authorities for control of design and development
  • Resource and competence information and records

Cognidox document categories enable the controlled collection and management of this information. The Document Holder feature collects and manages a range of other documents within Cognidox as a single item and manages the approval and release of design information and records.

8.3.3

Design and development inputs

The organization shall determine the requirements essential for the specific types of products and services to be designed and developed. The organization shall consider:

8.3.3a functional and performance requirements;

8.3.3b information derived from previous similar design and development activities;

8.3.3c statutory and regulatory requirements;

8.3.3d standards or codes of practice that the organization has committed to implement;

8.3.3e potential consequences of failure due to the nature of the products and services.

Inputs shall be adequate for design and development purposes, complete and unambiguous.

Conflicting design and development inputs shall be resolved.

The organization shall retain documented information on design and development inputs.

Cognidox stores, maintains and makes it easy for users to access design and development input documentation, records and files. Reviews and changes to all documents, forms, records and files can be rigorously managed within Cognidox and the history of reviews, approvals and changes all recorded. Where appropriate, the Document Holder feature collects and manages a range of other documents within Cognidox as a single item and manages the approval and release of design information and records.

8.3.4

Design and development controls

The organization shall apply controls to the design and development process to ensure that:

8.3.4a the results to be achieved are defined;

8.3.4b reviews are conducted to evaluate the ability of the results of design and development to meet requirements;

8.3.4c verification activities are conducted to ensure that the design and development outputs meet the input requirements;

8.3.4d validation activities are conducted to ensure that the resulting products and services meet the requirements for the specified application or intended use;

8.3.4e any necessary actions are taken on problems determined during the reviews, or verification and validation activities;

8.3.4f documented information of these activities is retained.

NOTE Design and development reviews, verification and validation have distinct purposes. They can be conducted separately or in any combination, as is suitable for the products and services of the organization.

Design and development review plans, processes, records and details of actions can be rigorously managed within Cognidox and the history of reviews and changes recorded. Cognidox has the ability to use templated forms to enable the consistent capture and management of this information. Design review records can, in turn, be reviewed and/or approved by the relevant staff, including the review attendees.

Design and development phase/gate reviews – in which a group of project or programme documents (e.g. specifications, plans, progress charts, design reviews, test results, budgets, marketing plans, etc.) are approved to move a project onto the next stage of activity – can be managed via the Document Holder feature which collects and manages a range of other approved documents within Cognidox as a single item.

Verification and validation plans, procedures, results, analyses, conclusions, action lists and other documented information can easily be stored and managed within Cognidox. These can be reviewed and/or approved by the relevant staff.

8.3.5

Design and development outputs

The organization shall ensure that design and development outputs:

8.3.5a meet the input requirements;

8.3.5b are adequate for the subsequent processes for the provision of products and services;

8.3.5c include or reference monitoring and measuring requirements, as appropriate, and acceptance criteria;

8.3.5d specify the characteristics of the products and services that are essential for their intended purpose and their safe and proper provision.

The organization shall retain documented information on design and development outputs.

Cognidox stores, maintains and makes it easy for users to access design and development output documentation, records and files. Reviews and changes to all documents, forms, records and files can be rigorously managed within Cognidox and the history of reviews, approvals and changes all recorded. Where appropriate, the Document Holder feature collects and manages a range of other documents within Cognidox as a single item and manages the approval and release of design information and records.

8.3.6

Design and development changes

The organization shall identify, review and control changes made during, or subsequent to, the design and development of products and services, to the extent necessary to ensure that there is no adverse impact on conformity to requirements.

The organization shall retain documented information on:

8.3.6a design and development changes;

8.3.6b the results of reviews;

8.3.6c the authorization of the changes;

8.3.6d the actions taken to prevent adverse impacts.

Cognidox stores and maintains design and development change procedures and related documentation, including evaluations of the impact of changes and verification and validation results, and makes it easy for users to access them and, where permission has been given, to make controlled changes to the design and development documentation and files.

Pre-determined format information (such as change requests or change notes) can make use of the Cognidox Forms functionality.

Reviews and changes to all documents, forms, records and files, and related records, can be rigorously managed within Cognidox and the history of reviews, approvals, evaluations of the impact of changes, verification and validation, and records of changes all recorded.

If required, multiple design and development documents can be stored and maintained as one entity through the use of Document Holders which would allow one Document Holder to manage changes in several other documents concurrently.

8.4

Control of externally provided processes, products and services

8.4.1

General

The organization shall ensure that externally provided processes, products and services conform to requirements.

The organization shall determine the controls to be applied to externally provided processes, products and services when:

8.4.1a products and services from external providers are intended for incorporation into the organization’s own products and services;

8.4.1b products and services are provided directly to the customer(s) by external providers on behalf of the organization;

8.4.1c a process, or part of a process, is provided by an external provider as a result of a decision by the organization.

The organization shall determine and apply criteria for the evaluation, selection, monitoring of performance, and re-evaluation of external providers, based on their ability to provide processes or products and services in accordance with requirements. The organization shall retain documented information of these activities and any necessary actions arising from the evaluations.

Cognidox stores and manages purchasing procedures, records and reports for externally provided processes, products and services, including:

  • Evaluation procedures, requirements, criteria, controls and records for suppliers and third parties
  • Purchasing data including requirements, agreements and change records
  • Necessary actions required to manage suppliers and their products.

This information is subject to the standard Cognidox document workflow: storing, reviewing/collaborating, approving, making available and maintaining. Templates and forms can be used to make the collection of information consistent and efficient.

8.4.2

Type and extent of control

The organization shall ensure that externally provided processes, products and services do not adversely affect the organization’s ability to consistently deliver conforming products and services to its customers.

The organization shall:

8.4.2a ensure that externally provided processes remain within the control of its quality management system;

8.4.2b define both the controls that it intends to apply to an external provider and those it intends to apply to the resulting output;

8.4.2c take into consideration:

1. the potential impact of the externally provided processes, products and services on the organization’s ability to consistently meet customer and applicable statutory and regulatory requirements;

2. the effectiveness of the controls applied by the external provider;

8.4.2d determine the verification, or other activities, necessary to ensure that the externally provided processes, products and services meet requirements.

Cognidox stores and manages purchasing procedures, records, reports and supporting information, including purchase requisitions, purchase orders, product descriptions/specifications, product requirements, supplier or product monitoring and evaluation results, agreements, terms and conditions of purchase, and incoming goods quality and other records.

Cognidox also stores and manages purchased product verification procedures, records, reports and supporting information.

This information is all subject to the standard Cognidox document workflow: storing, reviewing/collaborating, approving, making available and maintaining.

Pre-determined format information (such as inspection records) can make use of the Cognidox Forms functionality.

8.4.3

Information for external providers

The organization shall ensure the adequacy of requirements prior to their communication to the external provider.

The organization shall communicate to external providers its requirements for:

8.4.3a the processes, products and services to be provided;

8.4.3b the approval of:

1. products and services;

2. methods, processes and equipment;

3. the release of products and services;

8.4.3c competence, including any required qualification of persons;

8.4.3d the external providers’ interactions with the organization;

8.4.3e control and monitoring of the external providers’ performance to be applied by the organization;

8.4.3f verification or validation activities that the organization, or its customer, intends to perform at the external providers’ premises.

Requirements, quality agreements and process information provided to third parties can be stored and maintained in Cognidox and, where appropriate, made accessible to third-party users.

Where appropriate, Cognidox can be used to communicate directly with selected third parties by setting them up as Limited Access Partners with strictly limited permissions to view, upload or download information only in pre-determined areas of the Cognidox system.

8.5

Production and service provision

8.5.1

Control of production and service provision

The organization shall implement production and service provision under controlled conditions.

Controlled conditions shall include, as applicable:

8.5.1a the availability of documented information that defines:

1. the characteristics of the products to be produced, the services to be provided, or the activities to be performed;

2. the results to be achieved;

8.5.1b the availability and use of suitable monitoring and measuring resources;

8.5.1c the implementation of monitoring and measurement activities at appropriate stages to verify that criteria for control of processes or outputs, and acceptance criteria for products and services, have been met;

8.5.1d the use of suitable infrastructure and environment for the operation of processes;

8.5.1e the appointment of competent persons, including any required qualification;

8.5.1f the validation, and periodic revalidation, of the ability to achieve planned results of the processes for production and service provision, where the resulting output cannot be verified by subsequent monitoring or measurement;

8.5.1g the implementation of actions to prevent human error;

8.5.1h the implementation of release, delivery and post-delivery activities.

Cognidox was designed for engineering teams to manage complex product development and production information. It stores production and service provision processes, requirements, standards, work instructions / SOPs, records, etc.; enables them to be reviewed, collaborated on, approved and maintained; and makes them easy for users to find and access.

8.5.2

Identification and traceability

The organization shall use suitable means to identify outputs when it is necessary to ensure the conformity of products and services.

The organization shall identify the status of outputs with respect to monitoring and measurement requirements throughout production and service provision.

The organization shall control the unique identification of the outputs when traceability is a requirement, and shall retain the documented information necessary to enable traceability.

Cognidox stores identification and traceability procedures and records; enables them to be reviewed, collaborated on, approved and maintained; and makes them easy for users to find and access. Customisable metadata can be used to associate documents and records with product types or other product, service or customer characteristics, where applicable. All information in Cognidox, including metadata, can be easily searched using the system’s enterprise-level search facility.

8.5.6

Control of changes

The organization shall review and control changes for production or service provision, to the extent necessary to ensure continuing conformity with requirements.

The organization shall retain documented information describing the results of the review of changes, the person(s) authorizing the change, and any necessary actions arising from the review.

Cognidox stores and maintains production or service provision change procedures and related documentation, including evaluations of the impact of changes and verification and validation results, and makes it easy for users to access them and, where appropriate, to make controlled changes to the production or service provision documentation and files.

Pre-determined format information (such as change requests or change notes) can make use of the Cognidox Forms functionality.

Reviews and changes to all documents, forms, records and files, and related records, can be rigorously managed within Cognidox and the history of reviews, approvals, evaluations of the impact of changes, verification and validation, and records of changes all recorded.

If required, multiple production or service provision documents can be stored and maintained as one entity through the use of Document Holders which would allow one Document Holder to manage changes in several other documents concurrently.

8.6

Release of products and services

The organization shall implement planned arrangements, at appropriate stages, to verify that the product and service requirements have been met.

The release of products and services to the customer shall not proceed until the planned arrangements have been satisfactorily completed, unless otherwise approved by a relevant authority and, as applicable, by the customer.

The organization shall retain documented information on the release of products and services. The documented information shall include:

8.6a evidence of conformity with the acceptance criteria;

8.6b traceability to the person(s) authorizing the release.

Verification, acceptance and release plans, procedures, results, analyses, conclusions, action lists and other records (‘documented information’) can easily be stored and managed within Cognidox. These can be reviewed and/or approved by the relevant staff.

Cognidox document categories enable the controlled collection and management of this information. The Document Holder feature collects and manages a range of other documents within Cognidox as a single item and manages the approval and release of design information and records.

8.7

Control of nonconforming outputs

8.7.1

The organization shall ensure that outputs that do not conform to their requirements are identified and controlled to prevent their unintended use or delivery.

The organization shall take appropriate action based on the nature of the nonconformity and its effect on the conformity of products and services. This shall also apply to nonconforming products and services detected after delivery of products, during or after the provision of services.

The organization shall deal with nonconforming outputs in one or more of the following ways:

8.7.1a: correction;

8.7.1b: segregation, containment, return or suspension of provision of products and services;

8.7.1c: informing the customer;

8.7.1d: obtaining authorization for acceptance under concession.

Conformity to the requirements shall be verified when nonconforming outputs are corrected.

Cognidox stores procedures and records for nonconforming output management and rework, supports reviewing, collaborating on, approving and maintaining them, and makes it easy for users to find and access them.

Cognidox provides templated forms to enable the consistent capture and management of nonconforming output information (and complaints, incidents, supplier issues, and similar) without needing the user to write separate text documents or spreadsheets – the information can be entered directly into the pre-formatted form via the Cognidox user interface.

Configurable reports can be run to show the results from multiple forms, allowing them to be monitored, reported and analysed.

8.7.2

The organization shall retain documented information that:

8.7.2a: describes the nonconformity;

8.7.2b: describes the actions taken;

8.7.2c: describes any concessions obtained;

8.7.2d: identifies the authority deciding the action in respect of the nonconformity.

Cognidox enables and facilitates the retention of documented information as described in 8.7.2.

9

Performance evaluation

9.1

Monitoring, measurement, analysis and evaluation

9.1.1

General

The organization shall determine:

9.1.1a: what needs to be monitored and measured;

9.1.1b: the methods for monitoring, measurement, analysis and evaluation needed to ensure valid results;

9.1.1c: when the monitoring and measuring shall be performed;

9.1.1d: when the results from monitoring and measurement shall be analysed and evaluated.

The organization shall evaluate the performance and the effectiveness of the quality management system.

The organization shall retain appropriate documented information as evidence of the results.

Cognidox stores procedures and records for monitoring and measurement of performance, supports reviewing, collaborating on, approving and maintaining them, and makes it easy for users to find and access them. It also supports the retention of documented information as described in 9.1.

9.1.2

Customer satisfaction

The organization shall monitor customers’ perceptions of the degree to which their needs and expectations have been fulfilled. The organization shall determine the methods for obtaining, monitoring and reviewing this information.

NOTE Examples of monitoring customer perceptions can include customer surveys, customer feedback on delivered products and services, meetings with customers, market-share analysis, compliments, warranty claims and dealer reports.

Cognidox stores and makes it easy for users to find and access feedback or other intelligence about whether the organization has met customer requirements as well as the procedures that describe how this feedback is obtained and what analysis and follow-up actions are taken as a result of the findings. Records (including correspondence with the customer, regulatory authorities if appropriate, and others) can be stored.

9.2

Internal audit

9.2.1

The organization shall conduct internal audits at planned intervals to provide information on whether the quality management system:

9.2.1a: conforms to:

1. the organization’s own requirements for its quality management system;

2. the requirements of this International Standard;

9.2.1b: is effectively implemented and maintained.

Cognidox manages quality audit plans, processes, records and reports, including the use of templates and forms to make the collection of information consistent and efficient.

9.2.2

The organization shall:

9.2.2a: plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits;

9.2.2b: define the audit criteria and scope for each audit;

9.2.2c: select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;

9.2.2d: ensure that the results of the audits are reported to relevant management;

9.2.2e: take appropriate correction and corrective actions without undue delay;

9.2.2f: retain documented information as evidence of the implementation of the audit programme and the audit results.

NOTE See ISO 19011 for guidance.

Cognidox manages quality audit plans, processes, records and reports, including the use of templates and forms to make the collection of information consistent and efficient and to retain documented information as described in 9.2.2.

9.3

Management review

9.3.1

General

Top management shall review the organization’s quality management system, at planned intervals, to ensure its continuing suitability, adequacy, effectiveness and alignment with the strategic direction of the organization.

Cognidox stores the procedures and supporting documents for management review, and the subsequent records of the review, supports reviewing, collaborating on and maintaining them, and makes it easy for users to find and access them. A regular management review can be facilitated through the use of a ‘shared reminder’ (document metadata that alerts key individuals to the need to undertake a management review after a given time period has elapsed). Records can be easily, robustly and effectively stored in Cognidox.

9.3.2

Management review inputs

The management review shall be planned and carried out taking into consideration:

9.3.2a: the status of actions from previous management reviews;

9.3.2b: changes in external and internal issues that are relevant to the quality management system;

9.3.2c: information on the performance and effectiveness of the quality management system, including trends in:

1. customer satisfaction and feedback from relevant interested parties;

2. the extent to which quality objectives have been met;

3. process performance and conformity of products and services;

4. nonconformities and corrective actions;

5. monitoring and measurement results;

6. audit results;

7. the performance of external providers;

9.3.2d: the adequacy of resources;

9.3.2e: the effectiveness of actions taken to address risks and opportunities (see 6.1);

9.3.2f: opportunities for improvement.

The management review inputs can be stored as separate documents, or a single combined document, held in a suitable category in Cognidox. The separate input documents can also be combined into one Document Holder that is configured to hold the different, approved, input documents which are then managed and approved as a single entity.

9.3.3

Management review outputs

The outputs of the management review shall include decisions and actions related to:

9.3.3a: opportunities for improvement;

9.3.3b: any need for changes to the quality management system;

9.3.3c: resource needs.

The organization shall retain documented information as evidence of the results of management reviews.

The management review outputs can be stored as separate documents, or a single combined document, held in a suitable category in Cognidox; the separate documents can also be combined into one Document Holder that is configured to hold the different, approved, input documents which can then be easily and effectively managed and approved as a single entity.

The management review inputs and outputs can similarly be combined in one document or one Document Holder.

10

Improvement

10.2

Nonconformity and corrective action

10.2.1

When a nonconformity occurs, including any arising from complaints, the organization shall:

10.2.1a: react to the nonconformity and, as applicable:

1. take action to control and correct it;

2. deal with the consequences;

10.2.1b: evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that it does not recur or occur elsewhere, by:

1. reviewing and analysing the nonconformity;

2. determining the causes of the nonconformity;

3. determining if similar nonconformities exist, or could potentially occur;

10.2.1c: implement any action needed;

10.2.1d: review the effectiveness of any corrective action taken;

10.2.1e: update risks and opportunities determined during planning, if necessary;

10.2.1f: make changes to the quality management system, if necessary.

Corrective actions shall be appropriate to the effects of the nonconformities encountered.

Cognidox stores procedures and records for identifying and managing corrective and preventive actions (‘CAPA’) and for managing nonconforming product/material and performing rework. It supports reviewing, collaborating on, approving and maintaining them, and makes it easy for users to find and access them.

Cognidox provides templated CAPA forms to enable the consistent capture and management of CAPAs without needing the user to write separate text documents or spreadsheets – the information can be entered directly into the pre-formatted form via the Cognidox user interface and managed through the multi-stage process required to resolve the CAPA. The forms functionality also enables the consistent capture and management of nonconforming product information (and complaints, incidents, supplier issues, and similar).

Configurable reports can be run to show the results from multiple CAPA, nonconformance and other forms, allowing monitoring, reporting and analysis.

10.2.2

The organization shall retain documented information as evidence of:

10.2.2a: the nature of the nonconformities and any subsequent actions taken;

10.2.2b: the results of any corrective action.

Cognidox manages corrective action and nonconformity processes, records and reports, including the use of templates and forms to make the collection of information consistent and efficient and to retain documented information as described in 10.2.2.