Just to add briefly to this discussion…
There are some important points that may prove tricky…
Validation and maintaining a validated state is all about control. This means that any potential updates need to be reviewed for potential effect on the validated state before installing and testing… Most mobile devices update themselves and this would prove to be an issue.
Part 11 requires actual device identification… this would mean a server checking the IMEI # of the phone and performing some sort of a handshake before accepting a connection… I'm not sure if this has been considered. To this end you will need to decide on a make and model and lock users into that make and model… also, this will need to go to the OS/firmware level.
There needs to be some system whereby your organisation reviews software/firmware updates before installation on the mobile device… this would be a QA system but run by IT, in my estimation. People are required for this. Microsoft updates Windows monthly, so you can imagine that once a month it would be hectic to assess the effect a software/OS update will have on your validated state.
If the mobile device is used remotely, your system is by definition open, as the data you are sending will have to travel over third-party hardware such as internet service provider servers etc., so you need to encrypt the data. I'm not a software developer so I can't give any more info on this.
Regarding logins… the regulation states that if more than one approval per session is being done, only the password needs to be entered. If there is a break in the session, both user name and password need to be entered.
Sessions should be programmed to auto-logout after a time period. This time should be set to a maximum of 8-10 mins (based on direct experience of dealing with the FDA).
Also, some browsers keep the user session active when the browser is closed. This is not acceptable from the regulation's point of view. E.g. if a user is logged in on their iPhone and is interrupted with a call and needs to close the browser app, they should be forced to log in again after hanging up the call. There is no clarification from the FDA that the definition of the word "session" aligns with the way it is used with browsers… unfortunately!
Finally, the last thing I can think of is that password complexity and ageing need to be enforced from the server.
That's all… sorry about the length of the mail… if anyone has more info let me know!
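The session and credential rules laid out in the post above (password-only re-entry for further approvals within a live session, full credentials after a break, server-side auto-logout, and server-enforced password complexity and ageing), as an added Python example that is not from the original thread or any product it discusses. The class and function names, the 10-minute idle limit, the 90-day password age and the complexity rule are assumptions chosen for illustration; a validated system would fix these values in its own configuration and record them.

```python
"""Server-side session and credential rules for a Part 11 style web app.

Added example, not from the original thread. Names, thresholds and the
complexity rule below are assumptions; the regulation text itself is not
quoted here.
"""
import hashlib
import hmac
import os
import re

IDLE_TIMEOUT_SECONDS = 10 * 60             # assumed: upper end of the 8-10 min range
PASSWORD_MAX_AGE_SECONDS = 90 * 24 * 3600  # assumed ageing policy (90 days)
MIN_PASSWORD_LENGTH = 12                   # assumed complexity policy


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random salt; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def password_meets_policy(password):
    """Server-side complexity check: minimum length plus three character classes."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return sum(bool(re.search(c, password)) for c in classes) >= 3


class User:
    def __init__(self, username, password, now):
        # Complexity is enforced here, at account creation, not in the client.
        if not password_meets_policy(password):
            raise ValueError("password does not meet complexity policy")
        self.username = username
        self.salt, self.digest = hash_password(password)
        self.password_set_at = now

    def check_password(self, password):
        _, digest = hash_password(password, self.salt)
        return hmac.compare_digest(digest, self.digest)

    def password_expired(self, now):
        return now - self.password_set_at > PASSWORD_MAX_AGE_SECONDS


class SessionStore:
    """Holds live sessions; all timing is server-side so the browser cannot extend it."""

    def __init__(self, users):
        self.users = {u.username: u for u in users}
        self.sessions = {}  # token -> {"username": ..., "last_activity": ...}

    def login(self, username, password, now):
        """Opening a session always requires both user name and password."""
        user = self.users.get(username)
        if user is None or not user.check_password(password):
            return None
        if user.password_expired(now):
            return None  # ageing enforced by the server: no session until changed
        token = os.urandom(16).hex()
        self.sessions[token] = {"username": username, "last_activity": now}
        return token

    def _active(self, token, now):
        """Return the session record, or None if it is unknown or idle-timed-out."""
        s = self.sessions.get(token)
        if s is None:
            return None
        if now - s["last_activity"] > IDLE_TIMEOUT_SECONDS:
            del self.sessions[token]  # auto-logout: the session is gone for good
            return None
        return s

    def approve(self, token, password, now):
        """Second and later approvals within one live session: password only.

        If the session has broken (timed out, closed or never existed) this
        returns False and the caller must go through login() again, i.e.
        user name and password both.
        """
        s = self._active(token, now)
        if s is None:
            return False
        user = self.users[s["username"]]
        if not user.check_password(password):
            return False
        s["last_activity"] = now
        return True

    def close(self, token):
        """Closing the browser app ends the session server-side, so reopening needs a full login."""
        self.sessions.pop(token, None)
```

The point of keeping `last_activity` and the timeout on the server is the one the post raises about browsers: a client that keeps its cookie alive after the app is closed cannot resurrect a session the server has already discarded, and the constructed timestamps in the test show the idle window expiring even though the client never "logged out".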