This blog article is to explain how customers can operate BPA Quality and Medical software on Microsoft Office 365 in compliance with GxP (good practices) and regulatory requirements, such as FDA 21 CFR Part 11 Electronic Records, Electronic Signatures (21 CFR Part 11).
Our provider-hosted apps runs on SharePoint online, in the customer Office 365 environment. BPA app-related data, records and documents are stored in SharePoint online, as Software as a Service (SaaS) provided by Microsoft. The Azure Platform and Infrastructure as a Service (PaaS, IaaS) is needed by BPA apps for server-side operations. Regulated customers can decide to run their own dedicated Azure VM and decide when they want to upgrade BPA app versions.
BPAMedical365 is installed in the client Office 365 environment in the SharePoint App Catalogue.
Achieving a compliant cloud-based solution requires well-defined controls and processes, with shared responsibilities between Microsoft, BPA and our customers. Microsoft has implemented a series of technical and procedural controls to help ensure the dependability (availability, reliability, security, integrity, accessibility, and maintainability) of Office 365. We won’t discuss these in this document.
BPA has implemented procedures for data protection and security of our Azure-hosted services and internal testing procedures of our apps.
Office 365 is delivered as a SaaS solution where customers are responsible for establishing proper data classification, governance and rights management, managing client endpoints, as well as account and access management. Microsoft is responsible for all aspects surrounding physical infrastructure, network and application level controls, and shares responsibilities with respect to identity and access managing, as well and client and endpoint protection.
Shared responsibilities establishing GxP, image source: Microsoft Office 365 GxP Guidelines
Main GxP customer responsibilities when using BPA apps are related to Office 365/SharePoint:
- Granting user access
- Configure Office 365 and SharePoint audit logs
- Enable list and library versioning settings
- Define data classification and retention rules
- Configure information rights management
- Secure software and hardware used to access Office 365
- Conduct end-user training
- Manage Office 365 data inputs, processing, storage, and outputs for completeness, accuracy and timeliness
A formal process should be in place for change management that will ensure that application changes are implemented in a controlled manner. At BPA, our teams have implemented a robust software change process. Any new release is first tested and validated by the development team, then by the software testing team (automated and manual tests), followed by the whole BPA team prior releasing to clients.
Procedures should be in place to define the strategy for data recovery in the event of intentional or unintentional destruction and/or corruption of data. SharePoint Online applies recycle bin retention of data and documents for 90 days, and version control on document libraries.
A formal process should be in place to ensure that issues are raised, recorded, investigated, and resolved in a formal and controlled manner. Our community portal allows customers to log issues and alert our support team for a quick resolution.
Considerations for FDA 21 CFR Part 11 Compliance
As a SaaS solution provider, Microsoft is responsible for protecting customer’s data and ensuring the quality of their software solutions and services. Regulated customers are responsible for configuring available Office 365 and BPA app features and functional capabilities to address business and regulatory requirements (with BPA’s help).
The following table describes the features and capabilities of Office 365 and BPA apps that can be used to satisfy regulatory requirements of 21 CFR Part 11 pertaining to the management of electronic records:
Office 365/SharePoint and BPA App features
|Generation of accurate and complete copies of records in both human readable and electronic form.||SharePoint export to excel, Windows Explorer feature or audit trail log export.|
|Protection of records to enable their accurate and ready retrieval throughout the records retention period.||Office 365 records retention functionality, SharePoint version history, Information Rights Management features.|
|User access controls to limit system access to authorized individuals.||Azure Active Directory, Information Rights Management.|
|Secure, computer generated, time-stamped audit trails to independently record the date and time of user actions that create, modify, or delete electronic records.||SharePoint automatically captures user names and date/time when data is created/modified. Office 365 audit log functionality.|
BPA Electronic Signature features.
|Enforcement of permitted sequencing of steps and events (as necessary)||Power Automate workflows can be created to automate business processes.|
Preconfigured modules for quality and compliance.
Prebuilt workflows for compliance document approvals, incident tracking, changes, risks…
|Authority checks to ensure that only authorized individuals can use the system to perform permitted activities||SharePoint security groups and user permissions.|
|Data input validity verification (as necessary)||Azure Active Directory.|
Considerations for the Validation of GxP Applications
In the context of the Office 365 SaaS cloud service model, the customer does not have control over the underlying infrastructure hardware and software components, nor to the application itself. Microsoft is responsible for managing and maintaining these components.
Validation of infrastructure vs applications, image source: Microsoft Office 365 GxP Guidelines
Validation consists of demonstrating, with objective evidence, that a system meets the requirements of the users and their processes and is compliant with applicable GxP regulations. As such, validation is performed by the regulated customer using BPA apps on Office 365.
As custom GxP applications interfaced with Office 365, BPA apps should be treated as a GAMP 5 Software Category 5 – Custom Application and tested appropriately.
BPA provides a quick start package for our customers to simplify the software validation process, including the following document templates and some BPAMedical365 test case examples.
BPA Software Validation Quick Start Documentation Package.
This article was written based on the source document “Microsoft Office 365 GxP Guidelines” by Microsoft.