Good Clinical, Laboratory, and Manufacturing Practices (GxP)
Article
About GxP
The term GxP is a general abbreviation for 'good practice' guidelines and regulations. The 'x' represents a particular field—clinical (GCP), manufacturing (GMP), distribution (GDP), laboratory (GLP), agriculture (GAP), and so on. There is no single regulatory entity or administration; each country has its own guidelines and regulators, although requirements are similar from country to country. GxP regulations include those requirements outlined in the US Food and Drug Administration (FDA) CFR Title 21 Part 11 and EudraLex Volume 4—GMP Guidelines, Annex 11 in the European Union (EU).
Regulatory goals aim to make sure that businesses in regulated industries manufacture products that are safe to use and meet stringent quality standards during the production process. Computerized systems that use GxP processes require validation of adherence to GxP requirements and are considered qualified when the system can demonstrate its ability to fulfill them.
Microsoft and GxP
Microsoft can help organizations that deal with regulated aspects of the research, clinical study, maintenance, manufacturing, and distribution of life science products and services meet their requirements under Good Clinical, Laboratory, and Manufacturing Practices (GxP). These include regulations enforced by the US Food and Drug Administration (FDA) under CFR Title 21 Part 11 for the security of computer systems and the reliability and trustworthiness of electronic records, as well as EudraLex, Volume 4, Annex 11, recognized guidelines for computerized systems in the EU.
There is no GxP certification for cloud service providers; however:
Microsoft Azure and Microsoft Office 365 have undergone many independent audits for quality management and information security, including ISO 9001 (QMS) and ISO/IEC 27001 (ISMS). This review includes regular audits of Microsoft procedural and technical controls, verified for effectiveness.
The Microsoft qualification approach is also based on industry best practices, including the Good Automated Manufacturing Practices (GAMP) series of Good Practices Guides (from the International Society for Pharmaceutical Engineering (ISPE)), and Good Practices for Computerized Systems in Regulated GxP Environments (from the Pharmaceutical Inspection Cooperation Scheme (PIC/S) PI 011-3).
Although these standards and best practices do not specifically focus on GxP regulatory compliance, their purpose and objectives are similar and help ensure the confidentiality, integrity, and availability of data stored in Microsoft cloud services.
Microsoft retained Montrium, an independent organization specializing in quality assurance and regulatory GxP compliance for the life sciences industry, to conduct the GxP qualification review for Microsoft. The resulting Qualification Guidelines for Office 365 are intended for life sciences organizations that plan to use these cloud services to host and support GxP-regulated computerized systems. The guidelines identify the responsibility shared by Microsoft and its customers for meeting GxP requirements, as well as recommend activities and controls that customers using in-scope Microsoft cloud services can establish to maintain control over GxP computerized systems. See GxP (FDA 21 CFR Part 11) for more information about GxP in Azure.
Life sciences organizations building GxP solutions on Azure and Office 365 can take advantage of the cloud's efficiencies while also protecting patient safety, product quality, and data integrity. Customers also benefit from multiple layers of security and governance technologies, operational practices, and compliance policies that enforce data privacy and integrity at specific levels.
FDA CFR Title 21 Part 11 Guides: Get help establishing an Office 365 qualification strategy that complies with FDA guidelines for electronic records.
Frequently asked questions
Can I use Microsoft GxP compliance in my organization's GxP compliance efforts?
Customers deploying applications on Azure should determine the GxP requirements that apply to their computerized systems based on the intended use and then follow internal procedures governing qualification and validation processes to demonstrate that they have met those requirements.