Because SharePoint is so widely used platform for document management, collaboration, and workflow automation, can indeed be qualified and demonstrate compliance with regulatory requirements such as GxP, Annex 11, and 21 CFR Part 11, we are often asked about SharePoint validation. However, it’s important to understand the distinction between certification, validation, and qualification when it comes to SharePoint and cloud applications in general.
As mentioned earlier, SharePoint itself is not certified by regulatory agencies like the FDA or TGA. Certification typically refers to a formal process carried out by regulatory authorities to verify that a product or system meets specific requirements. In the case of SharePoint, it is the responsibility of the implementing company to ensure compliance with applicable regulations.
SharePoint Validation, on the other hand, is the process of documenting and providing evidence that a system or application, such as SharePoint, performs as intended and meets the user’s requirements. This involves a series of activities including installation qualification (IQ), operational qualification (OQ), and performance qualification (PQ). The validation process ensures that the application functions correctly, reliably, and securely within the regulated environment.
Qualification is similar to validation but focuses more specifically on the cloud environment in which SharePoint or any other application operates. It involves assessing and documenting the infrastructure, controls, and processes of the cloud service provider to ensure they meet regulatory requirements. The implementing company is responsible for qualifying the cloud environment, including verifying its security measures, data privacy, disaster recovery plans, and adherence to relevant standards.
SharePoint CFR Part 11
To achieve compliance with regulations such as 21 CFR Part 11, a SharePoint implementation must address specific requirements related to electronic records, electronic signatures, audit trails, data integrity, and security. This typically involves implementing appropriate configurations, user access controls, version control mechanisms, audit trail features, and ensuring data integrity throughout the system.
SharePoint in the cloud
Cloud-based SharePoint deployments can be qualified by following established methodologies like the Software Development Life Cycle (SDLC) or the GAMP (Good Automated Manufacturing Practice) framework. These approaches provide guidance on requirements gathering, risk assessment, system design, testing, and documentation. The implementing company, in collaboration with a GxP SharePoint Consultant or internal QA, validation, and IT departments, can carry out the necessary qualification activities and produce the required documentation.
Furthermore, SharePoint in the cloud can also demonstrate compliance with specific industry standards such as IEC 62304 for medical device software validation or ISO 27001 for information security management. By aligning SharePoint with these standards, organizations can ensure that the application meets the necessary requirements and controls for their specific industry.
In summary, while SharePoint and cloud vendors do not provide pre-certified or pre-validated applications, it is possible to qualify SharePoint in the cloud by following established validation and qualification processes. The implementing company bears the responsibility for ensuring compliance with applicable regulations, industry standards, and internal quality requirements throughout the implementation and operation of SharePoint.
Is SharePoint certified by the US FDA?
One of the most frequently asked questions is “Is SharePoint certified by the FDA or TGA before we buy it?”.
The answer, of course, is that neither the FDA nor TGA certify any applications. What the regulatory agencies do expect is that the implementation of the hardware and software by regulated company is done in such a way that the hardware and software is compliant with the CFRs or other regulations. GAMP 5 provides a useful guidance on how to do this. So, Microsoft cannot certify that the SharePoint application is TGA or FDA compliant, by simply providing validation documentation to the company. Usually, a regulated company would need their internal QA, validation and IT departments to work closely with a vendor or a GxP SharePoint Consultant.
Is the Cloud Validated?
Another question that is frequently encountered is “Is the cloud validated?”
Again, the answer is that cloud vendors do not provide validated applications, but rather provide applications that are qualified through standard URS, and other specifications, and IQ, OQ and PQ approaches that are well documented. Of course, the implementing company is responsible for validating their application against the guiding regulations and standards.
Is SharePoint 21 CFR Part 11 compliant?
So, we have discussed SharePoint Validation, Qualification, Certification, and not yet discussed 21 CFR Part 11 regulations, can applications in the cloud demonstrate compliance with CFR Part 11?
The answer to those questions is a resounding “Yes!”