SharePoint is popular in many industries (including Biotech, Pharmaceutical, and Medical Device) for document management, local Intranet, and many other applications. However, if SharePoint is being used for any GxP purpose, it is subject to 21CFR11 (US) and/or Annex 11 (Europe).
In 2012, Microsoft published its own whitepaper entitled “SharePoint Configuration Guidance for 21 CFR Part 11 Compliance,” available here. The whitepaper covers technical configuration details for “on-premise” SharePoint deployments and implies that with such configurations there is low risk of non-compliance.
But the world of software is moving to the cloud for ease of deployment and maintenance, lower cost, and increased redundancy and security, among other factors. Can SharePoint Online (in the cloud) be compliant with 21CFR11/Annex 11 as well?
I asked around and found that some people say cloud solutions absolutely cannot be compliant. I also found people that say cloud solutions can be compliant. The answer seems to correlate with what they’re selling. Of course, compliance is never binary, black or white, but shades of grey, levels of risk. In my opinion, the biggest compliance challenges for cloud solutions, including SharePoint Online, are:
- No Supplier Audit – Your QA department is not going to be able to go to Microsoft for a vendor audit.
- No Personalized SLA – Microsoft is not going to provide any personalized service or service-level agreement (SLA).
- No Hardware IQ – As is the nature of the cloud, you’re not going to know what specific hardware your application is running on.
- Changes Outside QA Control – Changes are going to be rolled out without warning, and certainly without any opportunity for prior QA review/approval.
To address these concerns:
- Microsoft undergoes independent third-party audits. Details here.
- Microsoft offers a standard SLA. The latest is here: OnlineSvcsConsolidatedSLA(WW)(English)(April2016)(cr).
- Microsoft has proposed a “qualify a platform once” approach, detailed here.
- Microsoft has its own internal change management system, as documented in their audit reports, but evaluation of changes will have to be performed retrospectively by the organization for impact to their specific needs, and mitigation plans will have to be in place to resolve any impact.
Cloud computing is still new, and that alone brings inherent risk. As with any validation/qualification effort, each case is unique, and compliance risks must be identified and mitigated on a case-by-case basis. I will note that, as of this writing, a search of the FDA Warning Letter database for the string “SharePoint” returned only one result. A medical device company was explicitly cited for not validating their SharePoint implementation used in a Quality System. The letter is viewable here. There are no warning letters that explicitly cite the use of a “non-validated” cloud environment. Yet?