SBS - The best value in QMS software

Do Cloud services require 21 CFR Part 11 compliance?

Ed Panek

QA RA Small Med Dev Company
Trusted Information Resource
#1
We design, manufacture, and sell a 510K Class II device and we recently introduced a clinical application for the device to used in hospitals. Our device takes and transmits a biometric data point to be processed and stored in the cloud and accessible by nurses and later manually entered into the EHR of each patient. Does our device and supporting data structure need to conform to 21 CFR Part 11?
 
Elsmar Forum Sponsor

yodon

Staff member
Super Moderator
#2
If I understand you correctly, it sounds more like your application should be more concerned with HIPAA / GDPR type stuff (as well as cybersecurity).

21 CFR Part 11 is for when you have electronic records or signatures applied electronically to records required under the regulations.
 
Last edited by a moderator:

Ed Panek

QA RA Small Med Dev Company
Trusted Information Resource
#3
Thanks. One of our customers is a large pharma company running clinical trials. I think they asked about part 11 because they currently manage this biometric as a manual measurement later entered into the EHR. Our device allows automated measurements electronically.


If I understand you correctly, it sounds more like your application should be more concerned with HIPAA / GDPR type stuff (as well as cybersecurity).

Part 11 is for when you have electronic records or signatures applied electronically to records required under the regulations.
 

yodon

Staff member
Super Moderator
#4
If it's for clinical trial records, then Part 11 may well apply.

Irrespective of the applicability, the concepts in Part 11 are sound: ensure you have good control over the records (nobody can change anything without a complete audit trail) and electronic signatures cannot be reputed (there's more but hopefully you get my drift).
 

JJ_FDA

Involved In Discussions
#5
Part 11 would apply if a predicate rule (i.e., the GxPs) applies to records that need to maintained and submitted to FDA.

I don't know anything about medical device world, but from the perspective of your customer who wants to use it in clinical trials (GCP is predicate rule), the system should be capable of complying to the regulation. This means having features such as audit trails, access control, validatable, non-repudiatability of electronic signatures (if used), and so on. As an example, have a look at this sell sheet from BD (PDF) for their device.

One note that systems are never part 11 compliant until they are validated by your customer in their environment. They can be part 11 capable, but not compliant out of the box. So it's important that you client understands that there would be some additional work to do once they acquire your system other than the usual systems integration work. Vendors touting their systems as compliant out of the box is a pet peeve of mine.
 

Ed Panek

QA RA Small Med Dev Company
Trusted Information Resource
#6
So We did a gap analysis and we are fixing the gaps. How does the end result get communicated to potential customers and into our QMS?
 

Tagin

Trusted Information Resource
#7
I saw this on Amazon's AWS site: GxP Compliance - Amazon Web Services (AWS)

There is no GxP certification for a commercial cloud provider such as AWS. AWS offers commercial off-the-shelf (COTS) IT services according to IT quality and security standards such as ISO 27001, ISO 27017, ISO 27018, ISO 9001, NIST 800-53 and many others. GxP-regulated life sciences organizations are responsible for purchasing and using AWS services to develop and operate their GxP systems, and to verify their own GxP compliance.
That page also has a link to a pretty useful-looking PDF: "Using AWS In GxP Systems".
 

JJ_FDA

Involved In Discussions
#8
So We did a gap analysis and we are fixing the gaps. How does the end result get communicated to potential customers and into our QMS?
I still like the BD sell sheet I linked to above for communicating to potential customers.

For your quality system, the standard requirement specification - specification testing - testing report process would be expected.
 
Thread starter Similar threads Forum Replies Date
E Cloud Services for Medical Devices with CE Mark EU Medical Device Regulations 5
S DHF/DMR/MDF for a software-only, cloud-based, single-instance device Medical Information Technology, Medical Software and Health Informatics 1
B Oracle Cloud ERP Validation during Quarterly Patch ISO 13485:2016 - Medical Device Quality Management Systems 1
P Testing cloud-based backups IT (Information Technology) Service Management 7
shimonv Classification of a cloud- base viewer for the output from a medical device US Food and Drug Administration (FDA) 7
O ZenQMS cloud solution? Quality Assurance and Compliance Software Tools and Solutions 0
Q Storing and developing SAMD (Software as a Medical Device) in the Cloud IEC 62304 - Medical Device Software Life Cycle Processes 3
was named killer CLOUD BASED QUALITY DOCUMENTATION vs. SERVER BASED Document Control Systems, Procedures, Forms and Templates 5
S Validation of eQMS - Cloud based out of the box solution Other Medical Device Related Standards 18
S Moving from client-server to cloud-based, is that a new submission? Medical Information Technology, Medical Software and Health Informatics 3
Z Security for Approvals - Cloud based Complaint, NC, and CAPA systems Qualification and Validation (including 21 CFR Part 11) 8
T QMS - Documentation Cloud Storage EU Medical Device Regulations 0
R Validation of mobile app and cloud servers for data security IEC 62304 - Medical Device Software Life Cycle Processes 4
S Saving QMS documents in cloud drive - Compliance with ISO 13485 ISO 13485:2016 - Medical Device Quality Management Systems 3
T FDA proposed labeling standalone software cloud based US Food and Drug Administration (FDA) 4
R Online / Cloud Based Software as Medical Device EU Medical Device Regulations 8
S Cloud-Based Stand Alone Software - Software Medical Device (Class II) US Food and Drug Administration (FDA) 2
C Validation of Applications in a Cloud, CFR 21 part 11 (Environmental Monitoring) Other US Medical Device Regulations 3
D Anyone using a cloud based QMS software? Document Control Systems, Procedures, Forms and Templates 12
Q File Management system in Cloud for Medical Mobile Apps IEC 62304 - Medical Device Software Life Cycle Processes 2
D Can Cloud Data Management resources be qualified? Should they be? Quality Manager and Management Related Issues 3
R Cloud Computing Requirements for Design History Files for Software Medical Devices 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 4
Marc Anyone here affected by the volcano ash cloud? April 2010 Travel - Hotels, Motels, Planes and Trains 33
Jen Kirley What's procedurally required for "cloud computing"? TS16949 Clause 4.2.4. Records and Data - Quality, Legal and Other Evidence 8
K Definition Point-Cloud Data - Understanding of the term "Point-Cloud Data" Definitions, Acronyms, Abbreviations and Interpretations Listed Alphabetically 3
Marc Biggest Wi-Fi Cloud Is in Rural Oregon After Work and Weekend Discussion Topics 4
R Point Cloud Technology Validation - Point Cloud to CAD model comparisons for FAIR General Measurement Device and Calibration Topics 2
C Nerve stimulation Implant cleaning services ISO 13485:2016 - Medical Device Quality Management Systems 3
K AS9100D 8.2.1 Review Requirements for Products and Services AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 4
A 8.6 Release of products and services, 8.3 Design and development - evidence required ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 9
S ISO 9001 Clause 8.2.3 - Review of the requirements for products and services in a Cafe ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 8
L Special Processes for SERVICES AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 10
T ISO 9001 8.5.2. - Identification and traceability to Identify Outputs - Services ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 2
V IATF 16949 8.4.1 Control of externally provided processes, products and services - Should the CB be on our Approved Supplier List? IATF 16949 - Automotive Quality Systems Standard 10
I Custom software services to be used by medical software ISO 13485:2016 - Medical Device Quality Management Systems 1
M Informational EU – New notified body designated under the MDR – NB 1912 – DARE!! Services B.V. – Netherlands Medical Device and FDA Regulations and Standards News 0
M Authorized Representative services for the EU Recommendations EU Medical Device Regulations 3
S Responsibility of intercessor services provider about services's quality ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 2
A Design and development of products and services ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 2
S Education authority requires approval of all courses - Training services provider ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 2
S Clause 8.2.2 Determining the requirements for products and services ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 5
S ISO 9001 Clause 8.3 Design for an education services provider ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 8
S Maintain and repair services company require ISO 9001 ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 3
J ISO 17020 concerns of independence & impartiality of services Other ISO and International Standards and European Regulations 1
DuncanGibbons Why is 8.4 post-delivery activities before 8.6 release of products and services in AS9100D? AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 5
Jen Kirley Conway Business Services LLC - Jen Kirley ISO 14001:2015 Specific Discussions 0
A Medical device CER (clinical evaluation report) training/seminar services EU Medical Device Regulations 2
M Informational EU – Eudamed Data exchange services and entity models introductions Medical Device and FDA Regulations and Standards News 4
M Informational EU – M2M Data Exchange available services for accessing MDR EUDAMED data available for Economic Operator (EO) organisations Medical Device and FDA Regulations and Standards News 0
M NIST is one of the government services shut down General Measurement Device and Calibration Topics 2

Similar threads

Top Bottom