Using SharePoint For Compliance Issues Of FDA Regulated Industries
The Food and Drug Administration, in short FDA, is the oldest comprehensive consumer protection agency in the U.S. federal government. Beginning in 1906, the FDA is still responsible for protecting public health by ensuring the safety, efficacy, and security of human and veterinary drugs, biological products, and medical devices. It is also responsible for protecting public health, by ensuring the safety of our nation's food supply, cosmetics, and products that emit radiation. In order to do this, they have enacted various regulations that businesses must follow to comply.
A regulation by the name of CFR 21, Part 11 was established by the FDA which basically ensures that companies and organizations implement good business practices, by defining the criteria under which electronic records and signatures are considered to be accurate, authentic, trustworthy, reliable, confidential, and equivalent to paper records and handwritten signatures on paper. Part 11, essentially, allows any paper records to be replaced by an electronic record, and allows any handwritten signature to be replaced by an electronic one.
Microsoft SharePoint provides the essential tools required by CFR 21, Part 11 such as audits, system validations, audit trails, electronic signatures and documentation involved in processing data. When it comes to compliance training, this is an invaluable tool that will save the stress and financial consequences of non-compliance.
What Can Happen If You Don’t Comply With CFR 21, Part 11?
There are a list of consequences ranging from a mild warning letter (FD-483) to more serious penalties, such as a consent decree that could result in significant delays in regulatory approval, time to market, product recalls or facility closures – all resulting in loss of time and money. Continued non-compliance may also result in possible criminal and civil actions under various federal and state statues.
The good part is that, with this regulation, the FDA has essentially enabled the Life Science community and other FDA regulated industries to streamline business processes, reduce turnaround time and costs, all by establishing standard criteria for the use of electronic records and signatures. If it were not for this rule, we would be unable to manage records and other content electronically, significantly increasing the risk of human errors, increasing operational costs and increasing time-to-market for pharmaceutical products.
How Does SharePoint Provide A Solution To CFR 21, Part 11 Requirements?
There are 3 main areas in which FDA regulated companies must look at, as primary areas of focus, when dealing with CFR 21, Part 11:
1. Features Of Your System
In accordance with CFR 21, Part 11 there are a range of features that you are required to have in place when implementing a computer system to manage electronic records and processes. Assurances for audit trail functionality, electronic signatures, security and data integrity, records retention and file formats are to name but a few.
SharePoint is a browser-based collaboration and document management platform from Microsoft. It has a built-in workflow engine, and can be configured to meet various business requirements, including electronic document management and records management. SharePoint 2013 is a configurable application and is considered a category 4 type system, as defined in GAMP5.
SharePoint excels first and foremost as a document management system and is ideal for any type of electronic records management. Having a centralized place to store all records is a big step in keeping compliance with strict regulations. Utilizing metadata allows you to easily find a particular file, as well as detailed information, such as when it was created and by whom, when it was modified, maintained, archived, retrieved or distributed by a computer. Not every business will be audited but if you are, SharePoint versioning, auditing and workflows will be a lifesaver.
Security and data integration is another area that SharePoint excels, especially when it comes to CFR 21, Part 11. Examples include:
- Active directory integration.
SharePoint integrates with active directory to ensure only authorized accounts can access the system. - Prevention of unauthorized users.
SharePoint is able to prevent unauthorized users from accessing areas of the system, where electronic records are created and maintained. It is also possible to configure the record center with separate access controls. - Restrict access to system administration.
For additional safety, SharePoint can also restrict access to system administration and configuration by setting up security groups or permissions. - Protect data records.
SharePoint can protect data records from deletion and enable their accurate retrieval. Administrators can set up the SharePoint Information Management Policy feature and apply retention policies to various content types for a required period of time. In addition, the record center can be configured with separate access controls and independent permissions to prevent deletion of records. Versioning can also be added to ensure that changes to a document’s metadata are versioned.
SharePoint also has the ability to provide electronic signatures as well. One way is by choosing the collect signature workflow to route documents or implement tasks. There are also add-ins for SharePoint such as Adobe Sign, DocuSign or ShareKnowledge for training compliance programs.
2. Standard Operating Procedures
As with all regulated industries, the companies that operate within them use Standard Operating Procedures, or else SOP’s, to govern and describe how they are to do things. Currently, in accordance with Part 11, there are around 9 IT SOP’s needed to address the IT Infrastructure requirements.
- System maintenance.
- Physical security.
- Logical security.
- Incident and problem management.
- System change control.
- Configuration management.
- Disaster recovery.
- Electronic signature policy.
- Backup and restoration.
Just like peanut butter and jelly, corporations that adhere to strict government regulations will almost always have an in-depth training program in place. SharePoint offers a complete system that can manage even the toughest compliance requirements within highly regulated industries.
SOP management in SharePoint offers a centralized area to store vital documentation which closes any compliance loopholes. Key benefits include:
- Minimizing errors by filing all SOPs under one roof to safeguard that only the most up-to-date version is available.
- Never losing a record with SOPs stored in a centralized Policy Management System.
Reduce email clutter and avoid confusion by sending links to SharePoint files instead of attachments, so all parties are reading from the correct version of the SOP document. - Finding an SOP quickly with SharePoint’s advanced metadata search capabilities.
Noticing every detail is imperative when it comes to compliance. A business that gets in trouble by regulators will have a little less to worry about when their SOP’s are managed in SharePoint. This is a result of thorough workflows, versioning and audits that ensure companies can pull whatever file they need, when they need it. Key benefits include:
- You have the opportunity to satisfy auditors and compliance officers with a single, easy to search database of policies and procedures. Meet regulations with all versions and records in one place.
- You always have a clear picture of how your documents evolved with versioning in SharePoint.
- You can use workflows that make collaboration easy as pie. They can be utilized for new SOPs, versions, revisions, updates and retirement of the document.
- You are able to mmaintain control with permissioned views of SOP documents.
3. System Validation
When implementing an electronic system for use in regulated activities, you have to ensure that you document that the electronic system is fit for its intended use. In other words, demonstrate that your system does what it should do. You must also have controls in place that allow you to identify when the system doesn’t function as per its intended use. Here you should be utilizing your SOP’s and industry best practices (such as outlined in GAMP 5) to facilitate the validation process.
With SharePoint, this task is very simple. Just follow the steps below.
- Decide if your SharePoint instance actually needs to be validated.
A question to ask yourself first and foremost is whether you intend to use it to manage electronic records. If you records are still mostly paper-based, then you don’t need to validate it at all. If the records you have are apart from the non-regulated documents, then it may be possible to only have to validate certain sections of the system. - Put a plan together.
Validating SharePoint could take longer than you think, but with the right resources and proper planning, you could close out the project in little time. - Get your infrastructure ready.
Design your infrastructure, so that it supports the SharePoint architecture that suits your business needs. Consider storage and performance requirements. - Prepare your procedures.
You need proper procedures, such as change control, security, data backup and recovery, and so on, to ensure your system is maintained under a state of control. Your system cannot be considered validated without the proper procedures in place. - Train the right people.
Train your system administrator(s). They need to maintain the system’s state of control and must be aware of user access management procedures and change management policies. Train your validation team. Make sure that people, involved in system verification activitie,s are aware of validation policies and good documentation practices. - Prepare the required documentation.
Requirements, specifications, test protocols – all are needed. Consider leveraging the knowledge of consultants who have worked with SharePoint before. One working session with Subject MatterExperts can boost the learning curve of your in-house resources dramatically. And this will accelerate document preparation and improve document quality.
The risks, associated with a compliance breach, can wreak havoc on a company’s reputation, as well as hit them in the pocket book. An article published by the Brandon Hall Group found that even though companies ranked compliance as extremely important, less than 50 percent felt prepared for a compliance audit. SharePoint solves all of these issues for those companies that must adhere to FDA regulations like CFR 21, Part 11. With features such as document management, workflows and auditing, as well as an airtight system validation and standard operating procedures, SharePoint is a natural fit when faced with tight regulations by the government.
