GxP (FDA 21 CFR Part 11)

GxP (FDA 21 CFR Part 11) overview

The term GxP is a general abbreviation for good practice guidelines and regulations in the life sciences industry, including good clinical, laboratory, manufacturing, and other practices. There is no single regulatory entity or administration; each country has its own guidelines and regulators, although requirements are similar from country to country. For example, GxP requirements are outlined in the following regulations:

• Title 21 CFR Part 11 as enforced by the Food and Drug Administration (FDA) in the United States.
• EudraLex Volume 4 – GMP Guidelines, Annex 11 in the European Union.

Regulatory goals help ensure that businesses in regulated industries manufacture products that are safe to use and meet stringent quality standards during the production process. Computerized systems that use GxP processes require validation of adherence to GxP requirements, and are considered qualified when the system can demonstrate ability to fulfill them.

Azure and GxP (FDA 21 CFR Part 11)

Azure can help you meet your GxP requirements and regulations enforced by the FDA under 21 CFR Part 11. There is no GxP or FDA 21 CFR Part 11 certification for cloud service providers; however, Azure has undergone independent third-party audits for quality management and information security, including ISO 9001 and ISO/IEC 27001 among many others. If you are deploying applications on Azure, you should determine the GxP requirements that apply to the computerized system based on its intended use. You should then follow internal procedures governing qualification and/or validation processes to demonstrate that the GxP requirements are met.

You should review the white paper Strategies for life sciences companies using Microsoft Azure with GxP systems produced by Accenture to:

• Learn how to analyze controls required to use Azure,
• Define how Azure can meet those controls, and
• Define the levels of ownership from a life sciences company's perspective when validating and maintaining GxP systems hosted on Azure.

Among other things, the white paper shows how certain FDA regulations, such as 21 CFR Part 820 and 21 CFR Part 11, apply to Azure.

Moreover, Microsoft retained Montrium, an independent organization specializing in quality assurance and regulatory GxP compliance for the life sciences industry, to conduct the Azure GxP qualification review. If you're a regulated customer within the life sciences industry, aiming to use the Azure platform to host GxP regulated computerized systems, you should review the resulting Microsoft Azure GxP guidelines. The guidelines document identifies the responsibilities shared by Microsoft and you for meeting:

• FDA 21 CFR Part 11 regulatory requirements for electronic records and signatures
• EudraLex Volume 4 – Annex 11 for computerized systems

It describes recommended activities and controls that you can establish to qualify and maintain control over the GxP computerized systems deployed on the Azure platform. The qualification approach outlined in this document is based on industry best practices with an emphasis on the concepts presented and described within:

• The International Society for Pharmaceutical Engineering (ISPE) Good Automated Manufacturing Practices (GAMP) series of Good Practice Guides
• The Pharmaceutical Inspection Co-operation Scheme (PIC/S) PI 011-3 Good Practices for Computerised Systems in Regulated GxP Environments

Applicability

• Azure
• Azure Government

Office 365 and GxP (FDA 21 CFR Part 11)

For more information about Office 365 compliance, see Office 365 GxP documentation.

Guidance documents

• Strategies for life sciences companies using Microsoft Azure with GxP systems produced by Accenture
• Microsoft Azure GxP guidelines produced by Montrium

Frequently asked questions

Can I use Azure GxP guidelines in my organization's GxP compliance efforts?
If you're deploying applications on Azure, you should determine the GxP requirements that apply to your computerized systems based on the intended use and then follow internal procedures governing qualification and validation processes to demonstrate that you have met those requirements.

Can I use Microsoft's compliance assurances in the certification process for my organization?
Yes. The independent third-party audit reports and certificates for standards such as the ISO 27001, ISO 27018, ISO 9001, SOC 1, and SOC 2 attest to the effectiveness of Microsoft controls. You may use the audited controls described in these reports as part of your own GxP or FDA 21 CFR Part 11 qualification efforts. If you build and deploy applications subject to FDA regulation, you're responsible for ensuring that your applications meet FDA requirements.

Resources

• Azure compliance documentation
• Azure enables a world of compliance
• Microsoft 365 compliance offerings
• Compliance on the Microsoft Trust Center
• Azure for healthcare
• Azure high-performance computing for health and life sciences
• Microsoft Cloud for healthcare
• Microsoft Cloud for life sciences