21 CFR Part 11 - Implicit requirements - Validation plan for a Software as a Service

#1
Dear all,

I am currently implementing a new validation plan for a Software as a Service. The criteria shall take explicit requirements defined in 21 CFR part 11 into consideration, but should also cover implicit requirements.
Section 11.10 (e) only specifies some certain criteria which shall be available in the audit log.
From my point of view, the following user actions are relevant:
  1. Log on
  2. Log off
  3. Automatically log-off (safety measure to prevent unauthorized access when nobody is in front of the workstation/laptop)
  4. Download a draft report
  5. Sign off a final report
  6. Download a final report
  7. Reissuing a report incl. ‘label new report version as’ feature to specify the change category (drop down) and reason (free text) for reissuing the report
  8. Electronic signature applied
  9. Encryption
  10. Password changes (successful / unsuccessful)
  11. Password recovery
  12. Configuration changes
  13. Changes in the report template
  14. Unsuccessful log-in attempts
What is your opinion and experience about best-practices?
Best, Franz
 
Elsmar Forum Sponsor

yodon

Staff member
Super Moderator
#2
Just to be clear, the SaaS is NOT a medical device, right? Just something used in execution of the QMS?

Without knowing more about the product, I'm having a hard time seeing the relation between Part 11 and items 4 - 7 and 13.

Password aging is typically required (depending on risk, require password change periodically). While not explicitly called out, typically, password controls are implemented (complexity rules, prohibit use of previously-used passwords, prohibit things like including the user's name / login id in the password, etc.)

I don't see where you address audit trail (explicitly).

Do recognize there are probably different levels of access (admin, general user, etc.). Access should be limited to what's required.

There is the concept of continuous session in the regulation. Maybe it's not applicable for your application.
 
Thread starter Similar threads Forum Replies Date
S 21 CFR part 11 version differences Qualification and Validation (including 21 CFR Part 11) 1
L FDA & 21 CFR Part 11 Medical Device and FDA Regulations and Standards News 19
D FDA Guidance on Computer Software Assurance versus 21 CFR Part 11 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 2
S ISO 9001:2015 vs 21 CFR Part 211 matrix Pharmaceuticals (21 CFR Part 210, 21 CFR Part 211 and related Regulations) 0
D CFR Title 14: Aeronautics and Space PART 120—DRUG AND ALCOHOL TESTING PROGRAM Federal Aviation Administration (FAA) Standards and Requirements 3
M 21 CFR 820 vs 21CFR820 vs 21 CFR Part 820 Document Control Systems, Procedures, Forms and Templates 3
Anonymous16-2 21 CFR Part 11 - Steps to take if we want to validate an electronic system Pharmaceuticals (21 CFR Part 210, 21 CFR Part 211 and related Regulations) 2
A 21 CFR part 11 - section 11.100 - Electronic Signature Certification Other US Medical Device Regulations 6
L Wearables 21 CFR Part 11 compliance Pharmaceuticals (21 CFR Part 210, 21 CFR Part 211 and related Regulations) 1
Ed Panek 21 CFR Part 820 - FDA Label Requirements 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 8
C 21 CFR Part 11- What about handwritten signatures? Other US Medical Device Regulations 1
Ed Panek Do Cloud services require 21 CFR Part 11 compliance? Qualification and Validation (including 21 CFR Part 11) 7
QIE FDA 21 CFR Part 11 "Meaning of Signature" Other US Medical Device Regulations 6
J Business Intelligence and 21 CFR Part 11 Compliance Qualification and Validation (including 21 CFR Part 11) 1
R Addressing training requirements - 21 CFR Part 820.25 (1) & (2) Other US Medical Device Regulations 4
R How to improve a Validation program and procedures to FDA (21 CFR part 820) & ISO13485 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 3
Marc Problem with 21 CFR Part 820 - US FDA Quality System Regulations (QSR) sub-forum link - 2 May 2019 Elsmar Cove Forum Suggestions, Complaints, Problems and Bug Reports 1
R 21 CFR Part 820 Contract Manufacturer of Medical Device Component 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 4
S Is Adobe Sign - E-signature for QMS documents - 21 cfr part 11 compliant? ISO 13485:2016 - Medical Device Quality Management Systems 2
C Signature manifestations - 21 CFR Part 11 Qualification and Validation (including 21 CFR Part 11) 4
I GMP 21 CFR Part 11 Electronic Records Compliance Project Help Qualification and Validation (including 21 CFR Part 11) 9
M Suggestions for Electronic Signature Software (FDA 21 CFR Part 11 Compliant) Qualification and Validation (including 21 CFR Part 11) 12
D Use of password managers on validated computer systems (21 CFR Part 11) Medical Information Technology, Medical Software and Health Informatics 2
Q 21 CFR Part 111 - Requirements for Dietary Supplement Manufacturing Water Quality Document Control Systems, Procedures, Forms and Templates 1
N Change Control - Compliance with FDA 21 CFR Part 820 Document Control Systems, Procedures, Forms and Templates 3
D 21 CFR Part 820 (Subpart A) - Question about "Authority" 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 2
A Alternative to keeping hard copy records that is 21 CFR part 11 compliant Document Control Systems, Procedures, Forms and Templates 0
D 21 CFR Part 11 - Electronic Signature Management SOP Other US Medical Device Regulations 0
I 510(k) Raw Data from Studies - 21 CFR Part 11 Compliance Qualification and Validation (including 21 CFR Part 11) 4
V Use of e-records and e-Signatures in Clinical Investigations Under 21 CFR part 11 Q&A Qualification and Validation (including 21 CFR Part 11) 1
R 21 CFR Part 820.186 - Types of Quality System Records Document Control Systems, Procedures, Forms and Templates 1
M Does the Scope of 21 CFR Part 820.72 (Equipment) apply to Design? 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 4
C Validation of Applications in a Cloud, CFR 21 part 11 (Environmental Monitoring) Other US Medical Device Regulations 3
C 21 CFR Part 820.184 - Label Requirements ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 9
L MDR (Medical Device Reporting) under 21 CFR Part 803 Other US Medical Device Regulations 5
Q How to apply 21 CFR Part 11 and/or cGMP in the Life Sciences industry Qualification and Validation (including 21 CFR Part 11) 3
L Design software for a spectrophotometer for 21 CFR Part 11 compliance Qualification and Validation (including 21 CFR Part 11) 1
Pmarszal Clarification for 21 CFR Part 11.100 - General Requirements Other US Medical Device Regulations 14
K 21 CFR Part 11 (and EU) compliant Digital Signatures on a Production Line Other US Medical Device Regulations 5
shimonv CFR Part 830.50 - Changes that require use of a new device identifier Other US Medical Device Regulations 2
S Looking for a checklist comparing ISO 13485:2016 and 21 CFR Part 820 ISO 13485:2016 - Medical Device Quality Management Systems 14
Q Internal Audit of Product Quality Complaint System (21 CFR Part 820) Customer Complaints 9
R Managing Employee Training Files - 21 CFR Part 820.25 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 4
M Treatment system data analysis - Subject to CFR part 11? Entire system? Qualification and Validation (including 21 CFR Part 11) 7
J Minimum staff per 21 CFR Part 820 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 2
M Interpreting Process Controls - 21 CFR Part 820.70(a) 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 5
M Help interpreting 21 CFR Part 806 (corrections and removals) Other US Medical Device Regulations 1
S How others have defined "reaudits"? 21 CFR Part 820.22 Internal Auditing 1
K 21 CFR Part 11 Biometrics for electronic signatures Other US Medical Device Regulations 2
P Is it required to audit per 21 CFR Part 211 ? Pharmaceuticals (21 CFR Part 210, 21 CFR Part 211 and related Regulations) 2

Similar threads

Top Bottom