Validation of Dropbox for File Sharing, Storage, and Retrieval

tebusse

Involved In Discussions
#1
Greetings,


I just started working for a "typical" start up (low cost + high return) and the company is using Dropbox for file sharing, storage, and retrieval. However, according to ISO 13485:2016 clause 4.1.6 we're required to validate the system.

Does anyone have experience validating this software? Or, is the software too cumbersome to validate? Our main concern is validating updates and possibly not knowing when updates are pushed.

Any assistance will be most helpful.

Regards, Tonia
 

Statistical Steven

Statistician
Leader
Super Moderator
#2
Tonia

Sounds like Dropbox will store your QMS documents and procedures for retrieval. Not sure you can validate it. It was probably not developed for that purpose. There is no audit trail. Documents can be downloaded, edited and uploaded. You would need control systems to avoid this. If you can configure it this way, you can validate the control system. In general, does not sound like a good idea to use Dropbox for QMS documents.
 

tebusse

Involved In Discussions
#3
Re: Validation of Dropbox

Thanks, Steve.

However, Dropbox does include a version history for each document. This history includes a time stamp, date, and who viewed/edited the document.

I believe this would meet the audit trail requirement, correct?
 

Statistical Steven

Statistician
Leader
Super Moderator
#4
Re: Validation of Dropbox

Because it's an outside system, how are usernames controlled? If I leave the company, can I still log in? How can you ensure that? It's about control. I am not familiar with Dropbox and its version control... but if it timestamps each version and keeps all of them sequentially you should be ok.
 

MC Eistee

Starting to get Involved
#5
First of all it would be good to know what kind of documents you use Dropbox for.

QMS documents as Statistical Steven supposes? Just some presentations you are working on?
Do you want to use Dropbox to store records that show evidence that you fulfil external requirements i.e. ISO 13485:2016? Or just everything your start-up does?

Dropbox will be quite hard, probably impossible to validate from my perspective. But everyone is free to prove me wrong ;).

As you pointed out Dropbox does not care about your risk when they perform changes to it. But based on ISO 13485:2016 4.1.6 and also 7.5.6 you are required to take actions based on the risk that a change can affect your system.
I don't know whether Dropbox provides a list of updates they apply, but even when they do it will be hard to judge them. And they probably apply them all the time.
Cloud systems aren't impossible to validate. You could use test automation (needs to be validated / verified as well) for that purpose.

I'm rather worried about possible missing requirements:

- Approval function. You are required to approve documents / records.

- What happens to the version control if you delete a document? Just looked into my Dropbox and it seems like it's gone forever.

- And as Steven pointed out people can just change controlled documents. There should be some sort of controlled environment / workflow for that.
If you use it for SOPs or records and everyone in your company can just come along and edit them it is not really controlled.


But still it all depends what you are using Dropbox for.
 

DEVigil

Involved In Discussions
#6
It is possible to restrict permissions to view-only with the paid version of Dropbox, so you can mitigate the risk of someone changing or deleting a controlled document. There is also a mechanism to recover deleted files (requires you to be looking at the web version). However, it has no workflow capability of which I am aware, so the approvals process would have to be handled outside in some fashion.
 

tebusse

Involved In Discussions
#7
The company is using Dropbox for management of the QMS. For subscription payers, the company can control who has access to the documents/records, so if an individual leaves their access is removed.

The system does allow for read only assignments and does have the ability to prevent people from deleting a document/file, adding a new folder, etc. in controlled areas.

While the system does not include e-signature capabilities, my company is trying to get around that with electronic signatures in Adobe; however, we do recognize that those aren't 21 CFR 11 compliant.

Audit trails are another issue - the only trail is a time stamp and who edited the document/record. There's no trail of what information was changed, etc.

The company does have their own workflow in place for using Dropbox and they seem to like it. We're currently researching eQMS systems, but my VP of Software wanted to know the ease of validating Dropbox.
 

iimp24ii

Starting to get Involved
#8
My company is trying to use Adobe Acrobat Pro 2017 as their digital signature solution also. Do we know specifically which Part 11 requirements Acrobat does not meet by any chance?
 

Ed Panek

QA RA Small Med Dev Company
Leader
Super Moderator
#9
Online QMS systems are fairly new and Part 11 is adapting. Part of an online storage file system's business model would include the items Part 11 requires. It's just part of their business model. I used to work at the VA (US Government) and their storage was validated to high hell yet it was constantly compromised; meanwhile Gmail was less often hacked. Why? Google has a business interest in their server security.
 

snoopy2017

#10
Nowadays, even Microsoft OneDrive has version control as does Google Drive. Cloud-based systems are more popular than ever; many eQMS platforms are built on cloud servers. If companies are willing to splurge on these fancy eQMS platforms which are also built on cloud, no reason why they cannot also use Dropbox or Google Drive to store documents. Just ensure access to these documents is controlled.
 