Validation of Dropbox for File Sharing, Storage, and Retrieval

tebusse

Involved In Discussions
#1
Greetings,


I just started working for a "typical" start up (low cost + high return) and the company is using Dropbox for file sharing, storage, and retrieval. However, according to ISO 13485:2016 clause 4.1.6 we're required to validate the system.

Does anyone have experience validating this software? Or, is the software too cumbersome to validate? Our main concern is validating updates and possibly not knowing when updates are pushed.

Any assistance will be most helpful.

Regards, Tonia
 
Elsmar Forum Sponsor

Statistical Steven

Statistician
Leader
Super Moderator
#2
Tonia

Sounds like Dropbox will store your QMS documents and procedures for retrieval. Not sure you can validate it. It was probably not developed for that purpose. There is no audit trail. Documents can be downloaded, edited and uploaded. You would need control systems to avoid this. If you can configure it this way, you can validate the control system. In general, does not sound like a good idea to use Dropbox for QMS documents.
 

tebusse

Involved In Discussions
#3
Re: Validation of Dropbox

Thanks, Steve.

However, Dropbox does include a version history for each document. This history includes a time stamp, date, and who viewed/edits the document.

I believe this would meet the audit trail requirement, correct?
 

Statistical Steven

Statistician
Leader
Super Moderator
#4
Re: Validation of Dropbox

Because it's an outside system, how are usernames controlled? If I leave the company, can I still log in? How can you ensure that? It's about control. I am not familiar with Dropbox and it's version control...but if it timestamps each version and keeps all of them sequentially you should be ok.
 

MC Eistee

Starting to get Involved
#5
First of all it would be good to know for what kind of documents you use Dropbox for.

QMS Documents as Statistical Stevens supposes? Just some Presentations you are working on?
Do you want to use Dropbox to store records that show evidence that you fulfil external requirements i.e. ISO 13485:2016? Or just everything you Start up does?

Dropbox will be quite hard, probably impossible to validate out of my perspective. But everyone is free to prove me wrong ;).

As you pointed out Dropbox does not care about your risk when they perform changes to it. But based on ISO 13485:2016 4.1.6 and also 7.5.6 you are required to take actions based on the risk that a change can affect your system.
I don't know whether Dropbox provides a list of updates they apply, but even when they do it will be hard to jugde them. And they probably apply them all the time.
Cloud Systems aren't impossible to validate. You could use testautomation (needs to be validated / verified as well) for that purpose.

I'm rather worried about possible missing requirements:

- Approval function. You are required to approve documents / records.

- What happens to the version control if you delete a document? Just looked into my Dropbox and it seems like its gone forever.

- And as Steven pointed out people can just change controlled documents. There should be some sort of controlled environment / workflow for that.
If you use it for SOPs or records and everyone in your company can just come along and edit them it is not really controlled.


But still it all depends what you are using Dropbox for.
 

DEVigil

Involved In Discussions
#6
It is possible to restrict permissions to view-only with the paid version of Dropbox, so you can mitigate the risk of someone changing or deleting a controlled document. There is also a mechanism to recover deleted files (requires you to be looking at the web version). However, it has no workflow capability of which I am aware, so the approvals process would have to be handled outside in some fashion.
 

tebusse

Involved In Discussions
#7
The company is using Dropbox for management of the QMS. For subscription payers, the company can control who has access to the documents/records, so if an individual leaves their access is removed.

The system does allow for read only assignments and does have the ability to prevent people from deleting a document/file, adding a new folder, etc. in controlled areas.

While the system does not include e-signature capabilities, my company is trying to get around that with electronic signatures in adobe, however, we do recognize that those aren't 21 CFR 11 compliant.

Audit trails are another issue - the only trail is a time stamp and who edited the document/record. There's not trail of what information was changed, etc.

The company does have their own workflow in place for using Dropbox and they seem to like it. We're currently researching eQMS systems, but my VP of Software wanted to know the ease of validating Dropbox.
 

iimp24ii

Starting to get Involved
#8
My company is trying to use Adobe Acrobat Pro 2017 as their digital signature solution also. Do we know specifically which part 11 requirements Acrobat does not meet by any chance?
 

Ed Panek

QA RA Small Med Dev Company
Leader
Super Moderator
#9
Online QMS systems are fairly new and Part 11 is adapting. Part of an online storage file systems business model would include the items part 11 requires. Its just part of their business model. I used to work at the VA (US Government) and their storage was validated to high hell yet it was constantly compromised; meanwhile Gmail was less often hacked. Why? Google has a business interest in their server security.
 
S

snoopy2017

#10
Nowadays, even Microsoft OneDrive has version control as does Google Drive. Cloud-based systems are more popular than ever; many eQMS platforms are built on cloud servers. If companies are willing to splurge on these fancy eQMS platforms which are also built on cloud, no reason why they cannot also use DropBox or Google Drive to store documents. Just ensure access to these documents are controlled.
 
Thread starter Similar threads Forum Replies Date
B Transport Validation For Non-sterile Medical Devices ISO 13485:2016 - Medical Device Quality Management Systems 4
D Software Validation Question ISO 13485:2016 - Medical Device Quality Management Systems 10
G Pad Printing Validation OR Verification ISO 13485:2016 - Medical Device Quality Management Systems 4
A ETHYLENE OXIDE STERILIZATION VALIDATION Manufacturing and Related Processes 4
C. Tejeda Computer system validation approach for Minitab Statistical software Software Quality Assurance 7
D 8.5.1.2 Validation and control of special processes requirements for Heat Treat External Processor AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 4
S Performance Qualification and Process Validation ISO 13485:2016 - Medical Device Quality Management Systems 5
L ISO 11607-1 Packaging system validation Design and Development of Products and Processes 6
John C. Abnet ...validation of computer software ISO 13485:2016 - Medical Device Quality Management Systems 14
D Machine rebuilds versus process re-validation IATF 16949 - Automotive Quality Systems Standard 1
R Cloud-based SaMD Validation IEC 62304 - Medical Device Software Life Cycle Processes 8
G Process Validation Before/After Sterilization? Design and Development of Products and Processes 3
D Laboratory Refrigerator Validation ISO 13485:2016 - Medical Device Quality Management Systems 2
T SQL Server 2019 - Master Data Services - Validation needed? ISO 13485:2016 - Medical Device Quality Management Systems 4
G Shipping Validation of Non-Sterile Parts? Other Medical Device and Orthopedic Related Topics 9
J Hardware Validation Qualification and Validation (including 21 CFR Part 11) 1
B ERP software validation - risk assessment vs validation scope ISO 13485:2016 - Medical Device Quality Management Systems 11
blackholequasar Validation of new ERP system ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 6
G How to Record Informal Testing (Not Verification/Validation) Other Medical Device and Orthopedic Related Topics 15
B Clean room shut down and re-validation or re-qualification? Other Medical Device Related Standards 6
B Vision system process validation Manufacturing and Related Processes 1
R Validation of Software used in Verification Testing ISO 13485:2016 - Medical Device Quality Management Systems 2
D Glassware cleaning validation Qualification and Validation (including 21 CFR Part 11) 3
M Do i need to have equipment validation if 100% testing is completed? Qualification and Validation (including 21 CFR Part 11) 6
R SaMD Verification & Validation IEC 62304 - Medical Device Software Life Cycle Processes 6
B SPECIAL PROCESS VALIDATION & REVALIDATION Qualification and Validation (including 21 CFR Part 11) 4
R Validation of processes Oil and Gas Industry Standards and Regulations 2
L Guidance for validation - mixing homogeneity Qualification and Validation (including 21 CFR Part 11) 0
E DESIGN VALIDATION, USABILITY AND CLINICAL EVALUATION request Medical Device and FDA Regulations and Standards News 0
S In Field Validation Requirements Other Medical Device Related Standards 1
L Validation of mixers Capability, Accuracy and Stability - Processes, Machines, etc. 2
L Validation of mixers Qualification and Validation (including 21 CFR Part 11) 0
B How to satisfy clause 5.7.1.5 process validation for valve production API 6D Oil and Gas Industry Standards and Regulations 13
A Applying agile model for Computer system Validation Medical Device and FDA Regulations and Standards News 3
H Production Validation- CE Mark ISO 13485:2016 - Medical Device Quality Management Systems 3
Watchcat Software validation vs design V&V? Other US Medical Device Regulations 27
M Initial Importer/Distributor and Software Validation IEC 62304 - Medical Device Software Life Cycle Processes 1
P Test Method Validation (TMV) for all Measurement Methods in Rec/Inspection Gage R&R (GR&R) and MSA (Measurement Systems Analysis) 1
M Validation of Data verification tool per 21 CFR 820 Quality Assurance and Compliance Software Tools and Solutions 1
G Number of Destructively Tested Devices Needed for Ethylene Oxide Validation Other Medical Device Related Standards 4
E ISO 13485 software validation ISO 13485:2016 - Medical Device Quality Management Systems 7
R SAP B1 Computer System Validation Qualification and Validation (including 21 CFR Part 11) 0
A GAGE R&R Binomial with master list (for method validation) Gage R&R (GR&R) and MSA (Measurement Systems Analysis) 0
Y ISO 13485:2015 Software Validation IQ/OQ/PQ ISO 13485:2016 - Medical Device Quality Management Systems 13
N Validation of special processes - thread closed Oil and Gas Industry Standards and Regulations 3
L Validation without Tolerance Qualification and Validation (including 21 CFR Part 11) 0
shimonv Test Method Validation ISO 13485:2016 - Medical Device Quality Management Systems 10
R Debug mode in software/device validation IEC 62304 - Medical Device Software Life Cycle Processes 2
M Software verification and validation AS9100 AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 4
Melissa Process Validation of Rotary Heat Sealer Speeds Design and Development of Products and Processes 4

Similar threads

Top Bottom