SAS is a standard product, so it needs Installation Qualification and Change Control.
You need to put much more effort into the design and verification of the custom programs for analyses and reports that you (or the statisticians) develop using SAS as the tool. Those are the risky ones.
The need to comply with Part 11 depends on the type of use. For example, we just couple it with a Version Control system to implement security and audit trail of the custom programs, but we manage the data with other software, and SAS comes into play only at the very end of the process.
You should audit SAS to verify their testing of the Base SAS procedures and qualify the installation of the infrastructure and Base SAS software. SAS are happy to host audits at any time (I was just in Cary with SAS last week).
You should then focus your efforts on the risk-based validation of your SAS programmes and it is here that you should focus your efforts defining User Requirements.
It’s relatively easy to write a Validation Master Plan to define this approach, and then a relatively simple Validation Plan (etc.) for each suite of SAS programs. This would depend on what you were intending to use SAS for; but, unless you are doing something quite different with the product, then I would say that your Vendor Assessment could be restricted to a review of public information regarding the establishment and trusted nature of the product. SAS is so low risk that I would not consider a formal audit to be necessary – my approach would be to read the vendor documentation – user guides and release notes, etc. and carry out a documented risk assessment to show that my intended application of the various software modules was within its designed scope and there were no known issues.
Then I would spend all your time on working on the validation process for the programs that you are going to write with the software – that is where all your real risk lies. IQ and so on for SAS itself and careful specs and risk assessments for any SAS programs making part of your system.
I was involved in doing this for a large SAS system and I would say you need to add a Version control system to control your data and programs. This is not really because of CFR 21 part 11 (although it does cover the auditing part of that) but because the FDA can ask you to reproduce past outputs and this is a stronger requirement on a production system. By itself SAS does not cover this need. (And I am aware of SDD and versioning in the Clin reporting tool.)
You are getting good advice here 🙂 If you want more detail you can contact me; I am free at the moment.