Document approval workflow

CFR 21 Part 11 Compliance & Electronic Signature

Title 21 CFR Part 11 is the part of Title 21 of the Code of Federal Regulations that establishes the United States FDA regulations on electronic records and electronic signatures. Part 11 defines the criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records.

In this article we present a simple use case to configure a system for 21 CFR Part 11 compliance.

To handle the “signing signature” referred to in Part 11 documentation, a couple departures from BPA Quality and SharePoint are needed. The first is an e-signature custom field to capture the username and password and the second is a workflow that handles the document approval from start to finish.

Microsoft and SharePoint technologies propose many tools for regulatory compliance, like active directory services, SQL Server database and BI services, SharePoint list and library permission settings, version and audit settings.

In this typical use case, document managers (editors, approvers, distributors) have contributor rights for the document library. Approved documents will be published in another library or site (e.g. company intranet) where end users have reader rights.

Document approval workflow

Example of a graphical document approval workflow.

The e-signature module stores, in an encrypted form, the user identity, time and date of signing. This ensures only authorized persons can modify a document, document properties or any quality record. E-signature is required each time documents, document properties or quality records are modified. With no valid signature, a red stamp will be visible in the document or record properties.

Document properties

The e-signature custom field in the document properties makes sure the document was approved by the right people prior publishing.

With BPA Quality, end users can easily access published documents from an organizational chart or a process map.

Process map

The process map is the ideal entry page for end users to access published documents for the different processes.

Risk assessment

Risk Based Thinking

Risk based thinking is a big change in the new ISO 9001:2015 standard. Risk management is a proactive way to take action prior unfortunate events happen.

Where should you start? How can you detect risks and hazards in your organization?

After having determined the context of the organization, like stakeholder expectations, competitive analysis… you have to describe key processes in your organization with their input, output, activities and indicators. Risk factors can be identified with a SWOT analysis for any process. In the daily business, risk factors will be identified from any P-D-C-A improvement process, like objectives, KPIs, nonconformities, audits, management reviews, etc.

50+ described processes

BPA comes with 50+ described processes to help you to identify risk factors.

How to handle risks?

The Deming improvement wheel applies for risk management. Risks need to be identified, periodically assessed, treated and monitored.

How to assess risks? What is the cost of risks?

Risks can’t be measured but will be periodically assessed by your responsible team, based on impact (if the risk occurs) and probability (of occurrence). Additional factors can be added like a detection factor (used with FMEA). The risk severity is a multiplication of these factors. Based on the risk severity, controls and treatment actions will be done. The cost of a risk can be calculated based on severity multiplied by cost factors (e.g. number of non-production hours * cost of a non-production hour).

Risk assessment

The risk scorecard allows displaying risk assessment values and trends for each risk and period.

How to control risks?

Controls can be physical assets (e.g. sprinklers, detectors) or procedures (e.g. procedure in case of fire) to reduce the impact or probability of a risk. Controls need to be periodically verified.

Considered controls

Frequency and compliance of each control can be monitored easily with the BPA linear calendar.

How to treat risks?

Based on the risk severity or cost, treatment (corrective, preventive) actions will be declared and tracked. Effectiveness of actions will be verified. A prebuilt workflow makes sure actions are followed-up until resolution.

How to monitor risks?

A risk scorecard is ideal to monitor the risk severity and trends for the different periods (e.g. monthly or quarterly). A heat chart can be used to display the risk severity for specific risks.

Risk

The BPA heat chart displays risk severity and trends for selected risks.

Why Excel is not enough? What tools can you use?

Microsoft Excel is not a relational tool. You won’t be able to optimally track actions, tasks, emails or documents related to risks with a spreadsheet. More important, Excel is not a collaborative tool and you won’t be able to automate the risk treatment process, distribute tasks automatically or collaborate with you team to assess, treat or monitor risks.

BPA’s integrated QMS and risk management software is the ideal tool to identify, assess, treat and monitor risks. BPA is built on the #1 Microsoft SharePoint technology and brings a simple and powerful framework to help you to deploy a collaborative risk based thinking tool.

Risk details

A collaborative risk management tool like BPA allows tracking treatment actions, tasks, emails and documents related with any risk. Automatic reminders and alerts will be sent to the concerned persons.

BPA’s risk based thinking software applies for any standard like ISO 9001:2015, ISO 31000, HACCP, FMEA or any other risk methodology.

Access your BPA Quality Trial