Validation of Dropbox for File Sharing, Storage, and Retrieval

tebusse

Involved In Discussions
#1
Greetings,


I just started working for a "typical" start up (low cost + high return) and the company is using Dropbox for file sharing, storage, and retrieval. However, according to ISO 13485:2016 clause 4.1.6 we're required to validate the system.

Does anyone have experience validating this software? Or, is the software too cumbersome to validate? Our main concern is validating updates and possibly not knowing when updates are pushed.

Any assistance will be most helpful.

Regards, Tonia
 
Elsmar Forum Sponsor

Statistical Steven

Statistician
Staff member
Super Moderator
#2
Tonia

Sounds like Dropbox will store your QMS documents and procedures for retrieval. Not sure you can validate it. It was probably not developed for that purpose. There is no audit trail. Documents can be downloaded, edited and uploaded. You would need control systems to avoid this. If you can configure it this way, you can validate the control system. In general, does not sound like a good idea to use Dropbox for QMS documents.
 

tebusse

Involved In Discussions
#3
Re: Validation of Dropbox

Thanks, Steve.

However, Dropbox does include a version history for each document. This history includes a time stamp, date, and who viewed/edits the document.

I believe this would meet the audit trail requirement, correct?
 

Statistical Steven

Statistician
Staff member
Super Moderator
#4
Re: Validation of Dropbox

Because it's an outside system, how are usernames controlled? If I leave the company, can I still log in? How can you ensure that? It's about control. I am not familiar with Dropbox and it's version control...but if it timestamps each version and keeps all of them sequentially you should be ok.
 

MC Eistee

Starting to get Involved
#5
First of all it would be good to know for what kind of documents you use Dropbox for.

QMS Documents as Statistical Stevens supposes? Just some Presentations you are working on?
Do you want to use Dropbox to store records that show evidence that you fulfil external requirements i.e. ISO 13485:2016? Or just everything you Start up does?

Dropbox will be quite hard, probably impossible to validate out of my perspective. But everyone is free to prove me wrong ;).

As you pointed out Dropbox does not care about your risk when they perform changes to it. But based on ISO 13485:2016 4.1.6 and also 7.5.6 you are required to take actions based on the risk that a change can affect your system.
I don't know whether Dropbox provides a list of updates they apply, but even when they do it will be hard to jugde them. And they probably apply them all the time.
Cloud Systems aren't impossible to validate. You could use testautomation (needs to be validated / verified as well) for that purpose.

I'm rather worried about possible missing requirements:

- Approval function. You are required to approve documents / records.

- What happens to the version control if you delete a document? Just looked into my Dropbox and it seems like its gone forever.

- And as Steven pointed out people can just change controlled documents. There should be some sort of controlled environment / workflow for that.
If you use it for SOPs or records and everyone in your company can just come along and edit them it is not really controlled.


But still it all depends what you are using Dropbox for.
 

DEVigil

Involved In Discussions
#6
It is possible to restrict permissions to view-only with the paid version of Dropbox, so you can mitigate the risk of someone changing or deleting a controlled document. There is also a mechanism to recover deleted files (requires you to be looking at the web version). However, it has no workflow capability of which I am aware, so the approvals process would have to be handled outside in some fashion.
 

tebusse

Involved In Discussions
#7
The company is using Dropbox for management of the QMS. For subscription payers, the company can control who has access to the documents/records, so if an individual leaves their access is removed.

The system does allow for read only assignments and does have the ability to prevent people from deleting a document/file, adding a new folder, etc. in controlled areas.

While the system does not include e-signature capabilities, my company is trying to get around that with electronic signatures in adobe, however, we do recognize that those aren't 21 CFR 11 compliant.

Audit trails are another issue - the only trail is a time stamp and who edited the document/record. There's not trail of what information was changed, etc.

The company does have their own workflow in place for using Dropbox and they seem to like it. We're currently researching eQMS systems, but my VP of Software wanted to know the ease of validating Dropbox.
 

iimp24ii

Starting to get Involved
#8
My company is trying to use Adobe Acrobat Pro 2017 as their digital signature solution also. Do we know specifically which part 11 requirements Acrobat does not meet by any chance?
 

Ed Panek

QA RA Small Med Dev Company
Trusted Information Resource
#9
Online QMS systems are fairly new and Part 11 is adapting. Part of an online storage file systems business model would include the items part 11 requires. Its just part of their business model. I used to work at the VA (US Government) and their storage was validated to high hell yet it was constantly compromised; meanwhile Gmail was less often hacked. Why? Google has a business interest in their server security.
 
#10
Nowadays, even Microsoft OneDrive has version control as does Google Drive. Cloud-based systems are more popular than ever; many eQMS platforms are built on cloud servers. If companies are willing to splurge on these fancy eQMS platforms which are also built on cloud, no reason why they cannot also use DropBox or Google Drive to store documents. Just ensure access to these documents are controlled.
 
Thread starter Similar threads Forum Replies Date
Y We found out we have been using a equipment without validation for past 4 years Quality Manager and Management Related Issues 6
Z Is IQ necessary for laser marking validation? EU Medical Device Regulations 3
E 13485:2016, Sections 4.1.6, 7.5.6 and 7.6 - Validation of Software - Need some Advice please ISO 13485:2016 - Medical Device Quality Management Systems 2
A Validation of Forced Aeration Process ISO 13485:2016 - Medical Device Quality Management Systems 3
E Mentor for Test Method Validation (TMV) Design and Development of Products and Processes 2
M API 4F/7K/8C Design Package Validation Oil and Gas Industry Standards and Regulations 1
I ISO 2233:2000 Question - Medical Device Shipping/Transportation Validation Other ISO and International Standards and European Regulations 1
T Annual Validation as a detection mode on a PFMEA? FMEA and Control Plans 5
B TMV - Selection of TM's for Validation ISO 13485:2016 - Medical Device Quality Management Systems 5
S Forced ServiceNow validation - No change in our current user and functional requirements IT (Information Technology) Service Management 6
P Human Factors / Usability validation in the time of COVID Human Factors and Ergonomics in Engineering 9
C Template for Excel Validation Reliability Analysis - Predictions, Testing and Standards 5
M IT validation for a paper based MD repair company QMS ISO 13485:2016 - Medical Device Quality Management Systems 6
P Unrealistic Packaging Validation Sample Size 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 13
D Test summary report example for design validation wanted - ISO 13485 ISO 13485:2016 - Medical Device Quality Management Systems 1
M Is Validation of Plating Processes required and who is responsible? Qualification and Validation (including 21 CFR Part 11) 11
T ISO 13485 - Process validation at critical suppliers ISO 13485:2016 - Medical Device Quality Management Systems 7
K Software Validation for Measurement Tools used in Process Validation ISO 13485:2016 - Medical Device Quality Management Systems 2
Stoic Manual soldering processes - 100% verifiable, or always requiring validation? 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 15
P Design verification driven by new equipment. How is this different than process validation? 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 1
S Rees System Validation Qualification and Validation (including 21 CFR Part 11) 1
K PQ validation qualification - Asked to write a PQ protocol ISO 13485:2016 - Medical Device Quality Management Systems 6
Stoic Are any medical device companies using the 2011 FDA process validation guidance instead of GHTF/SG3/N99-10:2004? 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 1
K Old medical devices -> 7.3.7. Design and development validation ISO 13485:2016 - Medical Device Quality Management Systems 1
S SOP for ISO 13485:2016 Quality related Software validation ISO 13485:2016 - Medical Device Quality Management Systems 9
Y Retrospective Validation - Class I device 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 10
S High voltage testing - ISO 17025 - 7.2.2 Validation of methods and 7.3 Sampling ISO 17025 related Discussions 3
M Production approval testing - Alternative ideas for Validation Reliability Analysis - Predictions, Testing and Standards 4
M Validation of two nearly identical products Other Medical Device Regulations World-Wide 5
J Requested Validation plan and reports Manufacturing and Related Processes 4
S Validation Records - Very young QMS Qualification and Validation (including 21 CFR Part 11) 2
M Test method validation - Is MSA (MSA1, MSA2, MSA3 and linearity) a good solution? Medical Device and FDA Regulations and Standards News 1
G Devices from IQ, OQ or PQ process to be used for verification, validation and summative? 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 5
K ERP System Software Validation - ISO13485 2016 4.1.6 Design and Development of Products and Processes 8
W ASTM F1929 dye penetration test - Validation for in-house testing ISO 13485:2016 - Medical Device Quality Management Systems 13
Bev D Verification and Validation of Measurement Systems Misc. Quality Assurance and Business Systems Related Topics 0
Y Does Solidworks (2D/3D drafting modules) need validation? Other Medical Device and Orthopedic Related Topics 5
D Software validation in Medical Equipment Other Medical Device and Orthopedic Related Topics 20
K Validation of new machine (second machine of the same type) Pharmaceuticals (21 CFR Part 210, 21 CFR Part 211 and related Regulations) 2
A Literature review/HACCP validation of metal detection Food Safety - ISO 22000, HACCP (21 CFR 120) 0
Y Packaging validation for non-sterile Medical Equipment Other Medical Device Related Standards 1
A Our auditor told if we didn't have a patent we would have to do a validation or verification ISO 13485:2016 - Medical Device Quality Management Systems 6
N Design Verification & Process Validation - Statistical sample sizes Design and Development of Products and Processes 2
E Equipment Qualification - IQ/OQ per ISO 13485:2016 section 7.5.6 Process validation ISO 13485:2016 - Medical Device Quality Management Systems 7
Q Clean Line Validation ISO 13485:2016 - Medical Device Quality Management Systems 6
D 510K and Changes to Verification and Validation US Food and Drug Administration (FDA) 2
H EO Sterilization Validation - Sterility Testing and Load Configuration Other Medical Device Related Standards 1
C Looking for simple Software Validation IQ templates. Qualification and Validation (including 21 CFR Part 11) 4
R Which pieces of equipment require equipment validation? ISO 13485:2016 - Medical Device Quality Management Systems 1
D Validation of existing equipment - Risk based approach example ISO 13485:2016 - Medical Device Quality Management Systems 3

Similar threads

Top Bottom