Our eQMS has a DocuSign plugin for external signatures. Would that be Part 11 compliant?**
*This is a great and interesting question. DocuSign offers a separate software module that is Part 11 compliant, which would need to be validated. Like any other SaaS provider, DocuSign provides validation test cases and requirements, but these do not cover everything you need for your specific implementation.
I have validated DocuSign multiple times, and it's crucial to ensure that the specific DocuSign module you are using is Part 11 compliant and has been properly validated. Although I haven't encountered an integration of DocuSign directly within an eQMS, if you are using DocuSign for electronic signatures, you must ensure you have the Part 11 compliant module and validate it.
Recently, I audited a company that was using DocuSign without the Part 11 module and had not validated it. They had to redo all their electronic signatures manually for their SOPs and other documents. Ensuring you have the correct setup is essential to avoid significant rework and potential regulatory citations.
If a vendor's testing addresses our intended use/requirements can we not leverage their testing?
Yes, absolutely. You can leverage the vendor's testing, but you must ensure it aligns with your templates and specific requirements. Make sure you are only using the parts relevant to your needs, rather than everything the vendor provides.
Some people tend to overdo it, testing more than necessary. It's important to strike the right balance; the vendor's testing might include elements that are not applicable to your use case. You need to make thoughtful decisions about which tests to leverage and ensure everything is well-documented. Regulatory agencies look for evidence that you are in control of the process, not necessarily that everything is perfect.
I am currently reviewing the eQMS software. There is a company that says that they can do the validation by clicking some function in their software. Have you come across something like this? Is it acceptable?
No, it's not acceptable, and there's a lot of confusion about this. They might be confusing it with verification, which is just a part of the validation process. Validation involves much more, including planning, defining requirements, and ensuring the system works as intended. Simply clicking a function is not sufficient for validation.
However, there are many SaaS systems where clicking a function generates a detailed report, typically related to the installation or configuration of the system. While these reports can be useful, they are not a substitute for a comprehensive validation process.
To what extent can you reuse the validation done by the vendor in your own validation?
You should reuse as much of the vendor's validation as you can. Review what the vendor provides and utilize everything that aligns with your requirements. Make sure that the documentation is appropriate and meets your specific needs. If any requirements are not covered by the vendor's validation, you will need to create additional test cases to fill those gaps.
Remember, no vendor validation is perfect and will likely require some additional work from your end to ensure it fully meets your requirements.
Can you talk about the difference in the extent of validation - i.e., Category 3 versus 4 and configurations?
Category 3 validation involves simpler configurations that do not require the three components of "plan, actual, and analysis." For instance, consider a fridge that needs to maintain a specific temperature range. If the temperature goes outside this range, an alert must be generated. The configuration here would be setting the acceptable temperature range and ensuring that an alert is triggered in case of an excursion.
On the other hand, Category 4 involves more detailed configurations. For example, in a training system, you need to configure various components such as assigning training modules, determining which departments and individuals need specific training, identifying managers, and setting escalation protocols. Category 4 requires a higher level of detail and complexity in configuration compared to Category 3.
