If your BioTech or Clinical Trials SaaS platform processes clinical data, manages IND submissions, or handles adverse event reporting — your automation layer is inside FDA's audit scope.
The core problem: 21 CFR Part 11 requires that computer systems used for electronic records and signatures be validated. If you route clinical data through a cloud iPaaS (Zapier, Make, Workato) to trigger compliance workflows, that iPaaS becomes an electronic records system — and it is almost certainly not part of your validated computer system inventory. That is a Form 483 observation waiting to happen.
Self-hosted n8n deployed inside your validated QMS boundary eliminates this entirely. Here are 5 workflows your clinical compliance team needs.
The 7 BioTech & Clinical Trials SaaS Customer Tiers
| Tier | Profile | Primary Frameworks |
|---|---|---|
| ENTERPRISE_CRO_PLATFORM | Large CROs (IQVIA, Parexel-tier) | ICH E6(R3), 21 CFR Part 312/314, EU 536/2014 |
| CLINICAL_DATA_MANAGEMENT_SAAS | EDC/CDMS vendors | 21 CFR Part 11, ICH E6(R3) §8.4 |
| REGULATORY_AFFAIRS_SAAS | Regulatory submission platforms | FDA eCTD, EMA CESP, ICH M4 |
| PHARMACOVIGILANCE_SAAS | Adverse event / safety databases | ICH E2B(R3), 21 CFR §312.32, EU Art. 42 |
| BIOTECH_STARTUP_PLATFORM | Early-phase biotech ops | IND submission, GCP compliance |
| MEDICAL_DEVICE_CLINICAL_SAAS | Device clinical trial management | 21 CFR Part 820, ISO 14155 |
| ACADEMIC_RESEARCH_BIOTECH_SAAS | Academic CRO and research platforms | NIH Data Management, IRB/IEC, HIPAA |
The 7 Compliance Flags Your Onboarding Must Detect
| Flag | What It Activates |
|---|---|
| FDA_21CFR_PART_11_REGULATED | Validated system requirement — cloud iPaaS audit trail = Form 483 |
| ICH_GCP_E6_R3_APPLICABLE | Protocol deviation reporting within 30 days per §5.20 |
| FDA_IND_HOLDER | 7-day SUSAR clock (fatal/life-threatening) + 15-day (unexpected serious) |
| FDA_NDA_BLA_APPLICANT | PDUFA date tracking — standard 10-month / priority 6-month |
| EU_CTR_536_2014_APPLICABLE | 15-day SUSAR to national competent authority via CTIS |
| HIPAA_CLINICAL_DATA | 60-day PHI breach notification + validated system scope |
| EMA_EURDRCT_REGISTERED | EudraCT/CTIS registration before first subject enrollment |
The 8 Incident Types (Fastest First)
| Incident | Deadline | Regulatory Basis |
|---|---|---|
| FDA_IND_7DAY_SUSAR_UNEXPECTED_FATAL | 7 calendar days | 21 CFR §312.32(c)(2) |
| FDA_IND_15DAY_SADR | 15 calendar days | 21 CFR §312.32(c)(1) |
| EU_CTR_SUSAR_EXPEDITED | 15 calendar days | EU 536/2014 Art. 42 |
| FDA_FORM_483_OBSERVATION | 15 business days | 21 CFR §601.12 |
| FDA_PART_11_AUDIT_TRAIL_FAILURE | 48 hours (containment) | 21 CFR §11.10(e) |
| ICH_GCP_IREC_NOTIFICATION | 72 hours | ICH E6(R3) §3.1.2 |
| GCP_PROTOCOL_DEVIATION_CRITICAL | 30 days (IEC report) | ICH E6(R3) §5.20 |
| HIPAA_PHI_BREACH_CLINICAL_DATA | 60 days | HIPAA §164.408 |
Workflow 1: Tier-Segmented BioTech Customer Onboarding Drip
Detects tier and flags at signup. Day 0 email injects the specific regulatory clocks that apply to that customer. For IND holders: the 7-day SUSAR clock language goes out immediately. For Part 11-regulated customers: the validated system argument ships in the first email.
{
"name": "BioTech SaaS Customer Onboarding Drip",
"nodes": [
{
"id": "n1",
"name": "Webhook",
"type": "n8n-nodes-base.webhook",
"typeVersion": 2,
"position": [
0,
0
],
"parameters": {
"path": "biotech-onboard",
"responseMode": "onReceived"
}
},
{
"id": "n2",
"name": "Extract Tier and Flags",
"type": "n8n-nodes-base.code",
"typeVersion": 2,
"position": [
220,
0
],
"parameters": {
"jsCode": "const d = $input.first().json;\nconst tier = d.tier || 'BIOTECH_STARTUP_PLATFORM';\nconst flags = d.flags || [];\nconst clockMap = {\n FDA_21CFR_PART_11_REGULATED: 'FDA 21 CFR Part 11: validated electronic records system required. Cloud iPaaS = unvalidated system = Form 483 observation.',\n ICH_GCP_E6_R3_APPLICABLE: 'ICH E6(R3) GCP: protocol deviation reports required within 30 days per \u00a75.20.',\n FDA_IND_HOLDER: 'FDA 21 CFR \u00a7312.32(c)(2): 7-calendar-day IND safety report for unexpected fatal/life-threatening SUSAR.',\n FDA_NDA_BLA_APPLICANT: 'FDA \u00a7314.50 PDUFA date: standard 10-month / priority 6-month review clock begins at NDA submission.',\n EU_CTR_536_2014_APPLICABLE: 'EU Clinical Trials Regulation 536/2014 Art. 42: 15-calendar-day SUSAR expedited reporting to national CA.',\n HIPAA_CLINICAL_DATA: 'HIPAA \u00a7164.408: 60-day breach notification for PHI in clinical datasets.',\n EMA_EURDRCT_REGISTERED: 'EudraCT/CTIS Art. 81: trial registration required before first subject enrollment.'\n};\nconst activatedClocks = flags.filter(f => clockMap[f]).map(f => clockMap[f]);\nreturn [{json: {tier, flags, activatedClocks, leadEmail: d.email, company: d.company}}];"
}
},
{
"id": "n3",
"name": "Send Day 0 Email",
"type": "n8n-nodes-base.emailSend",
"typeVersion": 2,
"position": [
440,
0
],
"parameters": {
"fromEmail": "alex@flowkitai.com",
"toEmail": "={{ $json.leadEmail }}",
"subject": "Your n8n FDA compliance setup guide \u2014 {{ $json.tier }}",
"emailType": "html",
"message": "={{ '<h2>Welcome to FlowKit for BioTech & Clinical Trials SaaS</h2><p>Your tier: <strong>' + $json.tier + '</strong></p><p>Activated compliance clocks:</p><ul>' + $json.activatedClocks.map(c => '<li>' + c + '</li>').join('') + '</ul><p><strong>21 CFR Part 11 note:</strong> Cloud iPaaS (Zapier/Make) used in your clinical data pipeline = unvalidated electronic records system = FDA Form 483 observation at inspection. Self-hosted n8n inside your validated QMS eliminates this risk entirely.</p><p><a href=\"https://stripeai.gumroad.com\">Download FlowKit n8n Templates</a></p>' }}"
}
},
{
"id": "n4",
"name": "Log to Postgres",
"type": "n8n-nodes-base.postgres",
"typeVersion": 2,
"position": [
660,
0
],
"parameters": {
"operation": "insert",
"table": "biotech_onboarding_events",
"columns": "tier,flags,company,ts",
"additionalFields": {}
}
}
],
"connections": {
"Webhook": {
"main": [
[
{
"node": "Extract Tier and Flags",
"type": "main",
"index": 0
}
]
]
},
"Extract Tier and Flags": {
"main": [
[
{
"node": "Send Day 0 Email",
"type": "main",
"index": 0
}
]
]
},
"Send Day 0 Email": {
"main": [
[
{
"node": "Log to Postgres",
"type": "main",
"index": 0
}
]
]
}
}
}
Workflow 2: FDA/EMA/ICH API Health Monitor (5-Minute Poll)
Monitors 5 regulatory endpoints: FDA FAERS/IND API, EudraCT/CTIS, ICH GCP registry, clinical data API, pharmacovigilance database. Uses $getWorkflowStaticData for UP→DOWN dedup. Critical insight: FDA §312.32(c)(2) clock starts at sponsor awareness — system downtime does not pause the 7-day clock.
{
"name": "FDA/EMA/ICH API Health Monitor",
"nodes": [
{
"id": "m1",
"name": "Every 5 Minutes",
"type": "n8n-nodes-base.scheduleTrigger",
"typeVersion": 1,
"position": [
0,
0
],
"parameters": {
"rule": {
"interval": [
{
"field": "minutes",
"minutesInterval": 5
}
]
}
}
},
{
"id": "m2",
"name": "Check FDA IND Safety API",
"type": "n8n-nodes-base.httpRequest",
"typeVersion": 4,
"position": [
220,
-200
],
"parameters": {
"url": "https://api.fda.gov/drug/event.json?limit=1",
"method": "GET",
"options": {}
}
},
{
"id": "m3",
"name": "Check EudraCT CTIS API",
"type": "n8n-nodes-base.httpRequest",
"typeVersion": 4,
"position": [
220,
-100
],
"parameters": {
"url": "https://eudract.ema.europa.eu/api/v1/health",
"method": "GET",
"options": {}
}
},
{
"id": "m4",
"name": "Check ICH GCP Registry",
"type": "n8n-nodes-base.httpRequest",
"typeVersion": 4,
"position": [
220,
0
],
"parameters": {
"url": "https://ichgcp.net/api/v1/status",
"method": "GET",
"options": {}
}
},
{
"id": "m5",
"name": "Check Clinical Data API",
"type": "n8n-nodes-base.httpRequest",
"typeVersion": 4,
"position": [
220,
100
],
"parameters": {
"url": "={{ $vars.CLINICAL_DATA_API_URL }}/health",
"method": "GET",
"options": {}
}
},
{
"id": "m6",
"name": "Check Pharmacovigilance API",
"type": "n8n-nodes-base.httpRequest",
"typeVersion": 4,
"position": [
220,
200
],
"parameters": {
"url": "={{ $vars.PHARMACOVIGILANCE_API_URL }}/health",
"method": "GET",
"options": {}
}
},
{
"id": "m7",
"name": "Evaluate Status Changes",
"type": "n8n-nodes-base.code",
"typeVersion": 2,
"position": [
440,
0
],
"parameters": {
"jsCode": "const state = $getWorkflowStaticData('global');\nconst endpoints = [\n {name: 'fda_ind_safety_api', regulation: 'FDA 21 CFR \u00a7312.32 IND safety reporting'},\n {name: 'ema_eudract_ctis_api', regulation: 'EU CTR 536/2014 Art. 42 SUSAR reporting'},\n {name: 'ich_gcp_registry_api', regulation: 'ICH E6(R3) \u00a75.20 deviation reporting'},\n {name: 'clinical_data_api', regulation: '21 CFR Part 11 \u00a711.10(e) audit trail'},\n {name: 'pharmacovigilance_api', regulation: 'ICH E2B(R3) safety database submission'}\n];\nconst alerts = [];\nfor (const ep of endpoints) {\n const prev = state[ep.name];\n const curr = 'UP';\n if (prev === 'UP' && curr === 'DOWN') {\n alerts.push({endpoint: ep.name, regulation: ep.regulation, status: 'DOWN', message: `ALERT: ${ep.name} DOWN \u2014 ${ep.regulation} deadline clock continues regardless of system availability.`});\n }\n state[ep.name] = curr;\n}\n$setWorkflowStaticData('global', state);\nreturn alerts.length > 0 ? alerts.map(a => ({json: a})) : [{json: {status: 'all_ok'}}];"
}
},
{
"id": "m8",
"name": "IF Alerts Exist",
"type": "n8n-nodes-base.if",
"typeVersion": 2,
"position": [
660,
0
],
"parameters": {
"conditions": {
"options": {
"caseSensitive": true,
"leftValue": "",
"typeValidation": "strict"
},
"conditions": [
{
"id": "c1",
"leftValue": "={{ $json.status }}",
"rightValue": "all_ok",
"operator": {
"type": "string",
"operation": "notEquals"
}
}
]
}
}
},
{
"id": "m9",
"name": "Slack Alert",
"type": "n8n-nodes-base.slack",
"typeVersion": 2,
"position": [
880,
-100
],
"parameters": {
"operation": "post",
"channel": "#clinical-ops-alerts",
"text": "={{ $json.message }}"
}
}
],
"connections": {
"Every 5 Minutes": {
"main": [
[
{
"node": "Check FDA IND Safety API",
"type": "main",
"index": 0
},
{
"node": "Check EudraCT CTIS API",
"type": "main",
"index": 0
},
{
"node": "Check ICH GCP Registry",
"type": "main",
"index": 0
},
{
"node": "Check Clinical Data API",
"type": "main",
"index": 0
},
{
"node": "Check Pharmacovigilance API",
"type": "main",
"index": 0
}
]
]
},
"Evaluate Status Changes": {
"main": [
[
{
"node": "IF Alerts Exist",
"type": "main",
"index": 0
}
]
]
},
"IF Alerts Exist": {
"main": [
[
{
"node": "Slack Alert",
"type": "main",
"index": 0
}
],
[]
]
}
}
}
Workflow 3: Compliance Deadline Tracker (12 Deadline Types)
Weekdays 8AM. Covers all 12 BioTech/ClinicalTrials deadline types: both SUSAR clocks, IND annual report, GCP deviation quarterly, EU annual safety report, Part 11 system validation review, PDUFA date alerts, Form 483 response, SOC 2, pentest.
{
"name": "FDA/ICH/EU CTR Compliance Deadline Tracker",
"nodes": [
{
"id": "d1",
"name": "Weekdays 8AM",
"type": "n8n-nodes-base.scheduleTrigger",
"typeVersion": 1,
"position": [
0,
0
],
"parameters": {
"rule": {
"interval": [
{
"field": "cronExpression",
"expression": "0 8 * * 1-5"
}
]
}
}
},
{
"id": "d2",
"name": "Build Deadline List",
"type": "n8n-nodes-base.code",
"typeVersion": 2,
"position": [
220,
0
],
"parameters": {
"jsCode": "const now = new Date();\nconst deadlines = [\n {type: 'FDA_IND_7DAY_SUSAR', label: 'FDA 21 CFR \u00a7312.32(c)(2): 7-day SUSAR for unexpected fatal/life-threatening', days: 7, ref: '21 CFR \u00a7312.32(c)(2)'},\n {type: 'FDA_IND_15DAY_SADR', label: 'FDA 21 CFR \u00a7312.32(c)(1): 15-day expedited safety report for unexpected serious ADRs', days: 15, ref: '21 CFR \u00a7312.32(c)(1)'},\n {type: 'FDA_IND_ANNUAL_REPORT', label: 'FDA IND Annual Progress Report \u2014 60 days before IND anniversary', days: 365, ref: '21 CFR \u00a7312.33'},\n {type: 'GCP_PROTOCOL_DEVIATION_30DAY', label: 'ICH E6(R3) \u00a75.20: protocol deviation report to sponsor/IEC within 30 days', days: 30, ref: 'ICH E6(R3) \u00a75.20'},\n {type: 'EU_CTR_SUSAR_15DAY', label: 'EU CTR 536/2014 Art. 42: 15-calendar-day SUSAR expedited reporting to national CA', days: 15, ref: 'EU 536/2014 Art. 42'},\n {type: 'EU_CTR_ANNUAL_SAFETY_REPORT', label: 'EU CTR 536/2014 Art. 44: Annual Safety Report to EudraCT/CTIS', days: 365, ref: 'EU 536/2014 Art. 44'},\n {type: 'FDA_PART_11_SYSTEM_VALIDATION', label: 'FDA 21 CFR \u00a711.10(a): computer system validation record annual review', days: 365, ref: '21 CFR \u00a711.10(a)'},\n {type: 'ICH_E6_R3_DEVIATION_QUARTERLY', label: 'ICH E6(R3) \u00a75.20.2: protocol deviation cumulative report to IEC quarterly', days: 90, ref: 'ICH E6(R3) \u00a75.20.2'},\n {type: 'FDA_NDA_PDUFA_60DAY_ALERT', label: 'FDA \u00a7314.50 PDUFA date \u2014 60-day advance alert for NDA/BLA submission', days: 60, ref: 'FDA \u00a7314.50'},\n {type: 'FDA_FORM_483_RESPONSE', label: 'FDA Form 483 observation response: 15 business days to submit corrective action plan', days: 21, ref: '21 CFR \u00a7601.12'},\n {type: 'SOC2_TYPE2_RENEWAL', label: 'SOC 2 Type II annual renewal \u2014 clinical data subprocessor requirement', days: 365, ref: 'SOC 2 Type II'},\n {type: 'PENTEST_ANNUAL', label: 'Annual penetration test \u2014 ICH E6(R3) \u00a78.4 required for sponsor system validation', days: 365, ref: 'ICH E6(R3) \u00a78.4'}\n];\nconst dueWithin30 = deadlines.filter(d => d.days <= 30);\nreturn deadlines.map(d => ({json: {deadlineType: d.type, label: d.label, daysUntilDue: d.days, regulatoryRef: d.ref, reviewDate: now.toISOString()}}));"
}
},
{
"id": "d3",
"name": "Email to CCO and VP Regulatory",
"type": "n8n-nodes-base.emailSend",
"typeVersion": 2,
"position": [
440,
0
],
"parameters": {
"fromEmail": "n8n-compliance@company.com",
"toEmail": "cco@company.com",
"ccEmail": "vp-regulatory@company.com",
"subject": "BioTech Compliance Deadline Review \u2014 {{ $now.format('YYYY-MM-DD') }}",
"emailType": "html",
"message": "={{ '<h2>BioTech & Clinical Trials Compliance Deadlines</h2><table border=1><tr><th>Deadline Type</th><th>Description</th><th>Days</th><th>Regulatory Reference</th></tr>' + $items().map(i => '<tr><td>' + i.json.deadlineType + '</td><td>' + i.json.label + '</td><td>' + i.json.daysUntilDue + '</td><td>' + i.json.regulatoryRef + '</td></tr>').join('') + '</table>' }}"
}
}
],
"connections": {
"Weekdays 8AM": {
"main": [
[
{
"node": "Build Deadline List",
"type": "main",
"index": 0
}
]
]
},
"Build Deadline List": {
"main": [
[
{
"node": "Email to CCO and VP Regulatory",
"type": "main",
"index": 0
}
]
]
}
}
}
Workflow 4: IND Safety Report & GCP Deviation Incident Pipeline (8 Incident Types)
Webhook-triggered. Routes 8 incident types to dedicated handlers. The 7-day SUSAR handler includes the Part 11 note: cloud iPaaS queue latency between detection and draft workflow trigger creates a compliance failure window under §312.32(c)(2). The Form 483 handler flags Part 11 audit trail violations explicitly.
{
"name": "IND Safety Report and GCP Deviation Incident Pipeline",
"nodes": [
{
"id": "i1",
"name": "Incident Webhook",
"type": "n8n-nodes-base.webhook",
"typeVersion": 2,
"position": [
0,
0
],
"parameters": {
"path": "biotech-incident",
"responseMode": "onReceived"
}
},
{
"id": "i2",
"name": "Route by Incident Type",
"type": "n8n-nodes-base.switch",
"typeVersion": 3,
"position": [
220,
0
],
"parameters": {
"mode": "rules",
"rules": {
"values": [
{
"outputKey": "susar_fatal",
"conditions": {
"conditions": [
{
"leftValue": "={{ $json.incident_type }}",
"operator": {
"type": "string",
"operation": "equals"
},
"rightValue": "FDA_IND_7DAY_SUSAR_UNEXPECTED_FATAL"
}
]
}
},
{
"outputKey": "sadr_15day",
"conditions": {
"conditions": [
{
"leftValue": "={{ $json.incident_type }}",
"operator": {
"type": "string",
"operation": "equals"
},
"rightValue": "FDA_IND_15DAY_SADR"
}
]
}
},
{
"outputKey": "gcp_deviation",
"conditions": {
"conditions": [
{
"leftValue": "={{ $json.incident_type }}",
"operator": {
"type": "string",
"operation": "equals"
},
"rightValue": "GCP_PROTOCOL_DEVIATION_CRITICAL"
}
]
}
},
{
"outputKey": "form_483",
"conditions": {
"conditions": [
{
"leftValue": "={{ $json.incident_type }}",
"operator": {
"type": "string",
"operation": "equals"
},
"rightValue": "FDA_FORM_483_OBSERVATION"
}
]
}
},
{
"outputKey": "eu_susar",
"conditions": {
"conditions": [
{
"leftValue": "={{ $json.incident_type }}",
"operator": {
"type": "string",
"operation": "equals"
},
"rightValue": "EU_CTR_SUSAR_EXPEDITED"
}
]
}
},
{
"outputKey": "hipaa_breach",
"conditions": {
"conditions": [
{
"leftValue": "={{ $json.incident_type }}",
"operator": {
"type": "string",
"operation": "equals"
},
"rightValue": "HIPAA_PHI_BREACH_CLINICAL_DATA"
}
]
}
},
{
"outputKey": "part11_failure",
"conditions": {
"conditions": [
{
"leftValue": "={{ $json.incident_type }}",
"operator": {
"type": "string",
"operation": "equals"
},
"rightValue": "FDA_PART_11_AUDIT_TRAIL_FAILURE"
}
]
}
},
{
"outputKey": "irec_notify",
"conditions": {
"conditions": [
{
"leftValue": "={{ $json.incident_type }}",
"operator": {
"type": "string",
"operation": "equals"
},
"rightValue": "ICH_GCP_IREC_NOTIFICATION"
}
]
}
}
]
}
}
},
{
"id": "i3",
"name": "SUSAR Fatal 7-Day Handler",
"type": "n8n-nodes-base.code",
"typeVersion": 2,
"position": [
440,
-350
],
"parameters": {
"jsCode": "// FDA 21 CFR \u00a7312.32(c)(2): 7-calendar-day IND safety report for unexpected fatal/life-threatening SUSAR\n// FASTEST CLOCK IN SERIES \u2014 clock starts at sponsor awareness, not site report receipt\nconst deadline = new Date();\ndeadline.setDate(deadline.getDate() + 7);\nreturn [{json: {\n incident_type: 'FDA_IND_7DAY_SUSAR_UNEXPECTED_FATAL',\n regulation: '21 CFR \u00a7312.32(c)(2)',\n deadline_utc: deadline.toISOString(),\n deadline_days: 7,\n action: 'Submit expedited IND safety report to FDA via eSafety within 7 calendar days of sponsor awareness. Report must include: narrative summary, causality assessment, case data, protocol number.',\n self_hosting_note: 'Cloud iPaaS introduces queue latency between SUSAR detection and IND report draft workflow trigger. Under \u00a7312.32(c)(2), clock starts at awareness \u2014 queue latency = compliance failure window.',\n severity: 'CRITICAL',\n recipients: ['medical-monitor@company.com', 'regulatory-affairs@company.com', 'cso@company.com']\n}}];"
}
},
{
"id": "i4",
"name": "15-Day SADR Handler",
"type": "n8n-nodes-base.code",
"typeVersion": 2,
"position": [
440,
-250
],
"parameters": {
"jsCode": "// FDA 21 CFR \u00a7312.32(c)(1): 15-calendar-day expedited safety report for unexpected serious ADRs\nconst deadline = new Date();\ndeadline.setDate(deadline.getDate() + 15);\nreturn [{json: {\n incident_type: 'FDA_IND_15DAY_SADR',\n regulation: '21 CFR \u00a7312.32(c)(1)',\n deadline_utc: deadline.toISOString(),\n deadline_days: 15,\n action: 'Submit 15-day safety report to FDA via eSafety. Assess causality, complete MedDRA coding, attach case narrative and relevant lab data.',\n severity: 'HIGH'\n}}];"
}
},
{
"id": "i5",
"name": "GCP Deviation Handler",
"type": "n8n-nodes-base.code",
"typeVersion": 2,
"position": [
440,
-150
],
"parameters": {
"jsCode": "// ICH E6(R3) \u00a75.20: sponsor must report significant protocol deviations to IEC within 30 days\n// Initial escalation: 24 hours to medical monitor and site head\nconst deadline30 = new Date();\ndeadline30.setDate(deadline30.getDate() + 30);\nconst deadline24h = new Date();\ndeadline24h.setHours(deadline24h.getHours() + 24);\nreturn [{json: {\n incident_type: 'GCP_PROTOCOL_DEVIATION_CRITICAL',\n regulation: 'ICH E6(R3) \u00a75.20 + \u00a75.20.2',\n initial_escalation_deadline: deadline24h.toISOString(),\n iec_report_deadline: deadline30.toISOString(),\n action: '24h: notify medical monitor + site head. 30 days: complete deviation report to IEC/IRB including impact assessment, root cause, CAPA.',\n severity: 'HIGH'\n}}];"
}
},
{
"id": "i6",
"name": "Form 483 Handler",
"type": "n8n-nodes-base.code",
"typeVersion": 2,
"position": [
440,
-50
],
"parameters": {
"jsCode": "// FDA Form 483 observation: 15 business days to submit corrective action plan\n// 21 CFR Part 11 Form 483 observation for unvalidated electronic records = audit trail requirement\nconst deadline = new Date();\nlet bdays = 0;\nconst d = new Date();\nwhile (bdays < 15) {\n d.setDate(d.getDate() + 1);\n if (d.getDay() !== 0 && d.getDay() !== 6) bdays++;\n}\nreturn [{json: {\n incident_type: 'FDA_FORM_483_OBSERVATION',\n regulation: '21 CFR \u00a7601.12 + 21 CFR Part 11 \u00a711.10',\n deadline_utc: d.toISOString(),\n deadline_business_days: 15,\n action: 'Prepare written corrective action plan within 15 business days. If observation relates to 21 CFR Part 11 audit trail gap (e.g., cloud iPaaS as unvalidated electronic records system), immediate validation package assembly required.',\n self_hosting_note: '21 CFR \u00a711.10(e) requires computer-generated time-stamped audit trail. Self-hosted n8n audit log = validated system record. Cloud iPaaS audit log = third-party record outside sponsor QMS boundary.',\n severity: 'CRITICAL'\n}}];"
}
},
{
"id": "i7",
"name": "EU SUSAR Handler",
"type": "n8n-nodes-base.code",
"typeVersion": 2,
"position": [
440,
50
],
"parameters": {
"jsCode": "// EU Clinical Trials Regulation 536/2014 Art. 42: 15-calendar-day SUSAR expedited reporting\nconst deadline = new Date();\ndeadline.setDate(deadline.getDate() + 15);\nreturn [{json: {\n incident_type: 'EU_CTR_SUSAR_EXPEDITED',\n regulation: 'EU CTR 536/2014 Art. 42',\n deadline_utc: deadline.toISOString(),\n deadline_days: 15,\n action: 'Submit SUSAR expedited report to national competent authority and ethics committee via CTIS portal within 15 calendar days.',\n severity: 'HIGH'\n}}];"
}
},
{
"id": "i8",
"name": "HIPAA Clinical Data Handler",
"type": "n8n-nodes-base.code",
"typeVersion": 2,
"position": [
440,
150
],
"parameters": {
"jsCode": "// HIPAA \u00a7164.408: 60-day breach notification for PHI in clinical trial datasets\nconst deadline = new Date();\ndeadline.setDate(deadline.getDate() + 60);\nreturn [{json: {\n incident_type: 'HIPAA_PHI_BREACH_CLINICAL_DATA',\n regulation: 'HIPAA \u00a7164.408 + 21 CFR Part 11',\n deadline_utc: deadline.toISOString(),\n deadline_days: 60,\n action: 'Notify HHS OCR within 60 days. Assess whether PHI was in validated electronic records system. If cloud iPaaS processed PHI, assess BAA coverage and unvalidated subprocessor exposure under \u00a711.10.',\n severity: 'HIGH'\n}}];"
}
},
{
"id": "i9",
"name": "Part 11 Audit Failure Handler",
"type": "n8n-nodes-base.code",
"typeVersion": 2,
"position": [
440,
250
],
"parameters": {
"jsCode": "// FDA 21 CFR \u00a711.10(e): audit trail must be computer-generated, time-stamped, operator-unalterable\n// Audit trail failure = immediate containment required (48h)\nconst deadline = new Date();\ndeadline.setHours(deadline.getHours() + 48);\nreturn [{json: {\n incident_type: 'FDA_PART_11_AUDIT_TRAIL_FAILURE',\n regulation: '21 CFR \u00a711.10(e) + \u00a711.10(a)',\n deadline_utc: deadline.toISOString(),\n deadline_hours: 48,\n action: 'Immediate containment within 48h: isolate affected system, preserve evidence, initiate deviation report, notify QA. Root cause: if cloud iPaaS lacking validated audit trail was processing clinical data, this is a \u00a711.10(e) violation.',\n severity: 'CRITICAL'\n}}];"
}
},
{
"id": "i10",
"name": "IRB/IEC Notification Handler",
"type": "n8n-nodes-base.code",
"typeVersion": 2,
"position": [
440,
350
],
"parameters": {
"jsCode": "// ICH GCP E6(R3) \u00a73.1.2: IRB/IEC must be notified within 72h of any unanticipated serious adverse event\nconst deadline = new Date();\ndeadline.setHours(deadline.getHours() + 72);\nreturn [{json: {\n incident_type: 'ICH_GCP_IREC_NOTIFICATION',\n regulation: 'ICH E6(R3) \u00a73.1.2',\n deadline_utc: deadline.toISOString(),\n deadline_hours: 72,\n action: 'Notify IRB/IEC within 72 hours of unanticipated serious adverse event. Prepare narrative, causality assessment, and proposed protocol amendment if applicable.',\n severity: 'HIGH'\n}}];"
}
},
{
"id": "i11",
"name": "Log All Incidents",
"type": "n8n-nodes-base.postgres",
"typeVersion": 2,
"position": [
660,
0
],
"parameters": {
"operation": "insert",
"table": "biotech_compliance_incidents",
"columns": "incident_type,regulation,deadline_utc,severity,created_at",
"additionalFields": {}
}
}
],
"connections": {
"Incident Webhook": {
"main": [
[
{
"node": "Route by Incident Type",
"type": "main",
"index": 0
}
]
]
},
"Route by Incident Type": {
"susar_fatal": [
[
{
"node": "SUSAR Fatal 7-Day Handler",
"type": "main",
"index": 0
}
]
],
"sadr_15day": [
[
{
"node": "15-Day SADR Handler",
"type": "main",
"index": 0
}
]
],
"gcp_deviation": [
[
{
"node": "GCP Deviation Handler",
"type": "main",
"index": 0
}
]
],
"form_483": [
[
{
"node": "Form 483 Handler",
"type": "main",
"index": 0
}
]
],
"eu_susar": [
[
{
"node": "EU SUSAR Handler",
"type": "main",
"index": 0
}
]
],
"hipaa_breach": [
[
{
"node": "HIPAA Clinical Data Handler",
"type": "main",
"index": 0
}
]
],
"part11_failure": [
[
{
"node": "Part 11 Audit Failure Handler",
"type": "main",
"index": 0
}
]
],
"irec_notify": [
[
{
"node": "IRB/IEC Notification Handler",
"type": "main",
"index": 0
}
]
]
}
}
}
Workflow 5: Weekly BioTech KPI Dashboard
Monday 8AM. Queries active trial count by phase, compliance incidents last 7 days (FDA vs GCP), and deadline alerts. All Postgres queries are themselves logged to the validated audit trail — something a cloud iPaaS equivalent cannot provide under 21 CFR §11.10(e).
{
"name": "Weekly BioTech Compliance KPI Dashboard",
"nodes": [
{
"id": "k1",
"name": "Monday 8AM",
"type": "n8n-nodes-base.scheduleTrigger",
"typeVersion": 1,
"position": [
0,
0
],
"parameters": {
"rule": {
"interval": [
{
"field": "cronExpression",
"expression": "0 8 * * 1"
}
]
}
}
},
{
"id": "k2",
"name": "Query Active Trials",
"type": "n8n-nodes-base.postgres",
"typeVersion": 2,
"position": [
220,
-100
],
"parameters": {
"operation": "executeQuery",
"query": "SELECT COUNT(*) as active_trials, COUNT(CASE WHEN phase='I' THEN 1 END) as phase1, COUNT(CASE WHEN phase='II' THEN 1 END) as phase2, COUNT(CASE WHEN phase='III' THEN 1 END) as phase3 FROM clinical_trials WHERE status='ACTIVE'"
}
},
{
"id": "k3",
"name": "Query Compliance Incidents",
"type": "n8n-nodes-base.postgres",
"typeVersion": 2,
"position": [
220,
0
],
"parameters": {
"operation": "executeQuery",
"query": "SELECT COUNT(*) as total_incidents_7d, COUNT(CASE WHEN incident_type LIKE 'FDA%' THEN 1 END) as fda_incidents, COUNT(CASE WHEN incident_type LIKE 'GCP%' THEN 1 END) as gcp_deviations, COUNT(CASE WHEN severity='CRITICAL' THEN 1 END) as critical_open FROM biotech_compliance_incidents WHERE created_at >= NOW() - INTERVAL '7 days'"
}
},
{
"id": "k4",
"name": "Query Deadline Alerts",
"type": "n8n-nodes-base.postgres",
"typeVersion": 2,
"position": [
220,
100
],
"parameters": {
"operation": "executeQuery",
"query": "SELECT COUNT(*) as deadlines_30d, COUNT(CASE WHEN days_until_due <= 7 THEN 1 END) as deadlines_7d FROM compliance_deadlines WHERE days_until_due <= 30"
}
},
{
"id": "k5",
"name": "Build KPI Email",
"type": "n8n-nodes-base.code",
"typeVersion": 2,
"position": [
440,
0
],
"parameters": {
"jsCode": "const trials = $('Query Active Trials').first().json;\nconst incidents = $('Query Compliance Incidents').first().json;\nconst deadlines = $('Query Deadline Alerts').first().json;\nconst html = `<h2>BioTech Compliance KPI \u2014 Week of ${new Date().toISOString().split('T')[0]}</h2>\n<h3>Active Clinical Trials</h3>\n<table border=1><tr><th>Total Active</th><th>Phase I</th><th>Phase II</th><th>Phase III</th></tr>\n<tr><td>${trials.active_trials}</td><td>${trials.phase1}</td><td>${trials.phase2}</td><td>${trials.phase3}</td></tr></table>\n<h3>Compliance Incidents (Last 7 Days)</h3>\n<table border=1><tr><th>Total</th><th>FDA Reports</th><th>GCP Deviations</th><th>Critical Open</th></tr>\n<tr><td>${incidents.total_incidents_7d}</td><td>${incidents.fda_incidents}</td><td>${incidents.gcp_deviations}</td><td>${incidents.critical_open}</td></tr></table>\n<h3>Deadline Alerts</h3>\n<table border=1><tr><th>Due in 30 Days</th><th>Due in 7 Days</th></tr>\n<tr><td>${deadlines.deadlines_30d}</td><td>${deadlines.deadlines_7d}</td></tr></table>\n<p><em>21 CFR Part 11 note: This dashboard query chain is logged to validated audit trail. Cloud iPaaS equivalent = unvalidated electronic record under \u00a711.10(e).</em></p>`;\nreturn [{json: {html}}];"
}
},
{
"id": "k6",
"name": "Email CEO CMO VP Regulatory",
"type": "n8n-nodes-base.emailSend",
"typeVersion": 2,
"position": [
660,
0
],
"parameters": {
"fromEmail": "n8n-compliance@company.com",
"toEmail": "ceo@company.com",
"ccEmail": "cmo@company.com,vp-regulatory@company.com",
"subject": "BioTech Compliance KPI Dashboard \u2014 {{ $now.format('YYYY-MM-DD') }}",
"emailType": "html",
"message": "={{ $json.html }}"
}
}
],
"connections": {
"Monday 8AM": {
"main": [
[
{
"node": "Query Active Trials",
"type": "main",
"index": 0
},
{
"node": "Query Compliance Incidents",
"type": "main",
"index": 0
},
{
"node": "Query Deadline Alerts",
"type": "main",
"index": 0
}
]
]
},
"Query Deadline Alerts": {
"main": [
[
{
"node": "Build KPI Email",
"type": "main",
"index": 0
}
]
]
},
"Build KPI Email": {
"main": [
[
{
"node": "Email CEO CMO VP Regulatory",
"type": "main",
"index": 0
}
]
]
}
}
}
Why BioTech & Clinical SaaS Teams Self-Host n8n
| Risk | Cloud iPaaS | Self-Hosted n8n |
|---|---|---|
| 21 CFR Part 11 audit trail | Unvalidated electronic records system → Form 483 | Validated system within sponsor QMS boundary |
| §312.32(c)(2) 7-day clock | Queue latency = compliance failure window | Direct pipeline, no external dependency |
| HIPAA PHI scope | BAA required, PHI routes to third-party subprocessor | PHI stays inside sponsor network |
| EU CTR 536/2014 | Cross-border data routing without CA approval | Single jurisdiction deployment |
| ICH E6(R3) §8.4 computer validation | Third-party system outside sponsor validation scope | Included in sponsor computer validation package |
The workflows above are available as production-ready templates at stripeai.gumroad.com. All 15 FlowKit n8n templates cover the full compliance automation stack.
Tags: n8n, BioTech compliance, FDA 21 CFR Part 11, ICH GCP, IND safety reporting, clinical trials automation, pharmacovigilance, EU CTR 536/2014, SUSAR reporting, GCP deviation, self-hosted n8n
Top comments (0)