GxP (FDA 21 CFR Part 11)

GxP (FDA 21 CFR Part 11) overview

The term GxP is a general abbreviation for good practice guidelines and regulations in the life sciences industry, including good clinical, laboratory, manufacturing, and other practices. There is no single regulatory entity or administration; each country has its own guidelines and regulators, although requirements are similar from country to country. For example, GxP requirements are outlined in the following regulations:

Regulatory goals help ensure that businesses in regulated industries manufacture products that are safe to use and meet stringent quality standards during the production process. Computerized systems that use GxP processes require validation of adherence to GxP requirements, and are considered qualified when the system can demonstrate ability to fulfill them.

Azure and GxP (FDA 21 CFR Part 11)

Azure can help you meet your GxP requirements and regulations enforced by the FDA under 21 CFR Part 11. There is no GxP or FDA 21 CFR Part 11 certification for cloud service providers; however, Azure has undergone independent third-party audits for quality management and information security, including ISO 9001 and ISO/IEC 27001 among many others. If you are deploying applications on Azure, you should determine the GxP requirements that apply to the computerized system based on its intended use. You should then follow internal procedures governing qualification and/or validation processes to demonstrate that the GxP requirements are met.

Microsoft retained Montrium, an independent organization specializing in quality assurance and regulatory GxP compliance for the life sciences industry, to conduct the Azure GxP qualification review. If you're a regulated customer within the life sciences industry, aiming to use the Azure platform to host GxP regulated computerized systems, you should review the resulting Microsoft Azure GxP guidelines. The guidelines document identifies the responsibilities shared by Microsoft and you for meeting:

  • FDA 21 CFR Part 11 regulatory requirements for electronic records and signatures
  • EudraLex Volume 4 – Annex 11 for computerized systems

It describes recommended activities and controls that you can establish to qualify and maintain control over the GxP computerized systems deployed on the Azure platform. The qualification approach outlined in this document is based on industry best practices with an emphasis on the concepts presented and described within:

Dynamics 365 and Power Platform support for GxP (FDA 21 CFR Part 11)

While considering the use of cloud services to host GxP content, it's important for life sciences organizations to assess the adequacy of the cloud service provider’s processes and controls that help ensure the confidentiality, integrity, and availability of data that's stored in the cloud. When stored in Microsoft Dynamics 365 and Power Platform, your customer data benefits from multiple layers of security and governance technologies, operational practices, and compliance policies to enforce data privacy and integrity at specific levels. To help demonstrate how you can develop and operate GxP applications on Microsoft Dynamics 365 and Power Platform with confidence and remain compliant while using Microsoft cloud services, Microsoft published the following document:

This guidance document highlights the extensive controls implemented as part of Dynamics 365 and Power Platform’s internal development of security and quality practices. These practices help ensure that Dynamics 365 and Power Platform meet their specifications and are maintained in a state of control. Dynamics 365 and Power Platform procedural and technical controls are regularly audited and verified for effectiveness by independent third-party assessors.

Applicability

  • Azure
  • Azure Government

Office 365 and GxP (FDA 21 CFR Part 11)

For more information about Office 365 compliance, see Office 365 GxP documentation.

Guidance documents

Frequently asked questions

Can I use Microsoft GxP guidelines in my organization's GxP compliance efforts?
If you're deploying applications on Azure or storing data in Dynamics 365 and Power Platform, you should determine the GxP requirements that apply to your computerized systems based on the intended use and then follow internal procedures governing qualification and validation processes to demonstrate that you have met those requirements.

Can I use Microsoft's compliance assurances in the certification process for my organization?
Yes. The independent third-party audit reports and certificates for standards such as the ISO 27001, ISO 27018, ISO 9001, SOC 1, and SOC 2 attest to the effectiveness of Microsoft controls. You may use the audited controls described in these reports as part of your own GxP or FDA 21 CFR Part 11 qualification efforts. If you build and deploy applications subject to FDA regulation, you're responsible for ensuring that your applications meet FDA requirements.

Resources