21 CFR Part 11 - Implicit requirements - Validation plan for a Software as a Service

Dear all,

I am currently implementing a new validation plan for a Software as a Service. The criteria shall take explicit requirements defined in 21 CFR part 11 into consideration, but should also cover implicit requirements.
Section 11.10 (e) only specifies certain criteria which shall be available in the audit log.
From my point of view, the following user actions are relevant:
  1. Log on
  2. Log off
  3. Automatic log-off (safety measure to prevent unauthorized access when nobody is in front of the workstation/laptop)
  4. Download a draft report
  5. Sign off a final report
  6. Download a final report
  7. Reissuing a report incl. ‘label new report version as’ feature to specify the change category (drop down) and reason (free text) for reissuing the report
  8. Electronic signature applied
  9. Encryption
  10. Password changes (successful / unsuccessful)
  11. Password recovery
  12. Configuration changes
  13. Changes in the report template
  14. Unsuccessful log-in attempts
What is your opinion and experience about best practices?
Best, Franz
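As an added illustration (not part of the original post), here is a small Python sketch of the kind of tamper-evident audit trail 11.10(e) calls for: time-stamped, attributed to an operator, and chained so that altering or deleting an earlier entry is detectable rather than obscured. The event names, the field names, and the rule that a reissue must carry a change category and reason are assumptions modelled on the list above.

```python
import hashlib, json
from datetime import datetime, timezone

# Event types modelled on the list in the post (constructed names, not from any standard).
EVENTS = {"LOGON", "LOGOFF", "AUTO_LOGOFF", "DOWNLOAD_DRAFT", "SIGN_FINAL",
          "DOWNLOAD_FINAL", "REISSUE_REPORT", "ESIGNATURE", "ENCRYPTION",
          "PASSWORD_CHANGE_OK", "PASSWORD_CHANGE_FAIL", "PASSWORD_RECOVERY",
          "CONFIG_CHANGE", "TEMPLATE_CHANGE", "LOGIN_FAIL"}

class AuditTrail:
    """Append-only, hash-chained trail: every entry commits to the previous one,
    so an altered or removed entry breaks verification (changes never obscure
    previously recorded information)."""
    def __init__(self):
        self.entries = []

    def record(self, user, event, details=None, when=None):
        if event not in EVENTS:
            raise ValueError(f"unknown event type: {event}")
        details = dict(details or {})
        if event == "REISSUE_REPORT":
            # Item 7 of the list: reissue carries change category and free-text reason.
            for key in ("report_id", "change_category", "reason"):
                if not details.get(key):
                    raise ValueError(f"REISSUE_REPORT requires {key}")
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {
            "seq": len(self.entries) + 1,
            "time": (when or datetime.now(timezone.utc)).isoformat(),  # time-stamped
            "user": user,                                              # operator id
            "event": event,
            "details": details,
            "prev": prev,                                              # chain link
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self):
        """Return (ok, first_bad_seq); ok is False if any entry was altered or removed."""
        prev = "0" * 64
        for i, e in enumerate(self.entries, start=1):
            if e["seq"] != i or e["prev"] != prev or self._digest(e) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None
```

In a real SaaS the entries would be written to storage the application user cannot modify; the chain only makes tampering detectable, it does not prevent it.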


Staff member
Super Moderator
Just to be clear, the SaaS is NOT a medical device, right? Just something used in execution of the QMS?

Without knowing more about the product, I'm having a hard time seeing the relation between Part 11 and items 4 - 7 and 13.

Password aging is typically required (depending on risk, require password change periodically). While not explicitly called out, typically, password controls are implemented (complexity rules, prohibit use of previously-used passwords, prohibit things like including the user's name / login id in the password, etc.)

I don't see where you address audit trail (explicitly).

Do recognize there are probably different levels of access (admin, general user, etc.). Access should be limited to what's required.

There is the concept of continuous session in the regulation. Maybe it's not applicable for your application.