SharePoint for CFR Part 11 Compliance

Recently we had a prospect who contacted us to evaluate how SharePoint can help in meeting the requirements of 21 CFR Part 11. The evaluation was done at multiple levels, including analysis of the regulation, evaluation of compliant environments and talks with subject matter experts. With aggressive marketing, SharePoint’s adoption is increasing in life sciences and related industries for content management. I thought of collating the findings to save time for those who will undertake such evaluations in the future.

  1. Process and Technology – The regulation's main intent is to encourage organizations to implement processes that pin responsibility on individuals. This translates to two components: a process, and a solution to supplement the process. Processes are internal definitions created by the organization, and solutions can help in capturing metrics to verify whether the process is followed. Therefore no IT solution alone can make an organization Part 11 compliant, as process definition is at the core of compliance.
  2. Identify the Content – Not all content in an organization needs to comply with Part 11 clauses. As a first activity, identify the content to focus on and understand how it is being managed in the organization. Primarily, the following content needs to be compliant:
    1. Electronic format of documents which need to be maintained under a predicate rule
      o Where the electronic document replaces the physical document
      o Where the electronic document exists along with the physical document but the electronic document is used for regulated activities
    2. Records submitted to FSA in electronic format
  3. SharePoint Features – SharePoint has enough features to build a solution with the required checks and balances in place to help with compliance. The following features should be utilized:
    1. Authentication and authorization – Limiting system access is one of the most important requirements. SharePoint helps in implementing claims- or FBA-based authentication along with user-group-driven authorization to content.
    2. Auditing – SharePoint can be configured to capture and report usage metrics, e.g. opening, downloading or moving documents, deleting content, and changing authorization and permissions. In SharePoint this can be configured at a collection, site or repository level.
    3. Versioning – Document versioning in SharePoint captures the timestamp of a change and also the actual change made, which helps in building traceability of changes.
    4. Workflows – SharePoint workflows help with process compliance through the implementation of BPM solutions for identified processes. Workflows automatically capture an audit trail for each action taken, which helps with compliance reporting.
    5. Record management – Once content is approved, it is important that the system has a feature in place that ensures it cannot be modified. The record management feature (in place and record center) helps meet this requirement.
    6. Security – The following security considerations should be evaluated and implemented in SharePoint:
      o Content access – A properly planned and designed information architecture should be implemented to provide user-group-based access to content
      o SSL implementation – Ensure communication between client and server is encrypted
      o DB level – Values in the database can be accessed and changed directly. This is tough to track and prevent without custom scripts. Scripts can be deployed to track changes made in the database, and a timer job can identify records that were modified and send them for approval
      o Rights management service – Helps control document edits outside the SharePoint environment

  4. Digital signature – Due to the tight coupling between Office and SharePoint, there are solutions available to capture an electronic signature in a document, but due to various legal requirements, digital signatures issued by a third party are preferred. There are numerous vendors with various solutions available to meet this requirement.
  5. System Validation – The regulation also places importance on proper validation of the implemented system. This translates to the use of a mature development and implementation process with a focus on documentation. Primarily, it requires release notes, deployment notes, logging for installation, test cases, a test plan and acceptance criteria. The process should allow tracing into the specific actions taken to validate the system.
  6. Training – User training on the system is mandatory for compliance, and therefore a more formal approach is required to meet the training requirement.
  7. Miscellaneous
    1. SOP on content usage – This is the internal process that needs to be designed by the organization. SharePoint document management along with an approval workflow provides a formal mechanism to maintain and access this content.
    2. Governance – The implemented system should have a governance plan in place for administration.
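
The DB-level check from the security list above, as an added example (not code from the original post or from SharePoint): each approved record gets an HMAC seal, and a scheduled sweep flags any approved record whose current values no longer match it. The SQLite tables, column names, `SEAL_KEY` and the sample rows are constructed stand-ins, and the key is assumed to be stored outside the database.

```python
import hashlib
import hmac
import sqlite3

# Assumption: the key is stored outside the database, out of reach of DB writers.
SEAL_KEY = b"constructed-demo-key"

def seal(row):
    """HMAC-SHA256 over the fields that must not change after approval."""
    msg = "\x1f".join(str(field) for field in row).encode()
    return hmac.new(SEAL_KEY, msg, hashlib.sha256).hexdigest()

def make_db():
    """In-memory stand-in for the record store, with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE records (doc_id INTEGER PRIMARY KEY, version INTEGER,"
               " content TEXT, approved_by TEXT)")
    db.execute("CREATE TABLE seals (doc_id INTEGER PRIMARY KEY, tag TEXT)")
    db.executemany("INSERT INTO records VALUES (?, ?, ?, NULL)",
                   [(1, 1, "SOP-001 rev A"), (2, 1, "Batch record 17"), (3, 1, "Draft")])
    return db

def approve(db, doc_id, approver):
    """Controlled approval path: record the approver, then store the seal."""
    db.execute("UPDATE records SET approved_by = ? WHERE doc_id = ?", (approver, doc_id))
    row = db.execute("SELECT doc_id, version, content, approved_by FROM records"
                     " WHERE doc_id = ?", (doc_id,)).fetchone()
    db.execute("INSERT OR REPLACE INTO seals VALUES (?, ?)", (doc_id, seal(row)))

def integrity_sweep(db):
    """Timer-job body: ids of approved records to send back for approval."""
    rows = db.execute("SELECT r.doc_id, r.version, r.content, r.approved_by, s.tag"
                      " FROM records r LEFT JOIN seals s ON s.doc_id = r.doc_id"
                      " WHERE r.approved_by IS NOT NULL ORDER BY r.doc_id")
    # Missing seal = approval written directly; mismatch = values changed.
    return [row[0] for *row, tag in rows
            if tag is None or not hmac.compare_digest(tag, seal(row))]

def demo():
    """Return sweep results before and after constructed out-of-band edits."""
    db = make_db()
    approve(db, 1, "qa.lead")
    approve(db, 2, "qa.lead")
    before = integrity_sweep(db)
    # Constructed direct edits that bypass approve():
    db.execute("UPDATE records SET content = 'Batch record 17 (edited)' WHERE doc_id = 2")
    db.execute("UPDATE records SET approved_by = 'nobody' WHERE doc_id = 3")
    return before, integrity_sweep(db)
```

A flagged record clears only when it goes back through `approve()`, which is what ties the re-approval step to a named individual.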

When it comes to regulatory compliance, SharePoint has the features to build a framework for your organization. However, the eminent flexibility that SharePoint offers can also pose challenges if a wholly haphazard approach is taken. It’s always better to consult a trusted partner that has the technical expertise and process maturity to guide you along the compliance journey. At Trigent, our Microsoft certified experts work closely with your team to understand compliance-specific requirements and can fast-track implementation. If you have any queries, do let us know for a no-obligation meeting.