SharePoint Validation: Quality and Compliance Portals

I am often asked the question… “can SharePoint be validated?”  The short answer is YES but it often requires customization to achieve deliver compliance objectives.  The longer response requires further examination as to why people ask the question and the nature of SharePoint as a content management system.  With the release of Office 365® reaching over 100 million active users per month and more companies moving toward the cloud, we are witnessing the maturation of SharePoint for both regulated and non-regulated content management.

SharePoint has undergone many changes over the past decade that have increased its adoption within the life sciences industry.  New features of SharePoint from Microsoft and its robust technology partner community include, but are not limited to:

  • Synchronization with OneDrive For Business®
  • New SharePoint Communication Sites With Pre-Built Layouts
  • Integration of SharePoint and Microsoft Team
  • New Integration with DocuSign® For Electronic Signatures
  • Enhanced Integration For Graphical Workflows From Nintex®
  • SharePoint-aware PowerApps and Flow
  • Updated Page Layouts and Web Part Enhancements
  • Improved SharePoint Administration
  • Enhanced Document Version Control

Within the life sciences community, the resistance to SharePoint focused on security and the lack of “out-of-the-box” features for life sciences validation.  What are some of the key application that life sciences companies require from a regulatory SharePoint enterprise content management system?  A partial list of document and records management features such as:

  • Intelligent Document Creation Tools
  • Automated Document Change Control
  • Configurable Document Types With Pre-Assigned Document Workflows (based on the type of document, workflows are automatically launched)
  • 21 CFR PART 11 support (electronic or digital signatures, audit trails, et al)
  • Ability to print a Signature Page with Each Signed Document
  • Ability to Establish Pre-defined Automated Document Lifecycle Workflows
  • Support for and designation of Controlled and Uncontrolled Content
  • Controlled Document Management Features Should include Configurable watermarks and overlays
  • Markup tools for document review
  • Ability to classify documents for records management capabilities
  • Ability to assign/tag documents with metadata
  • Content Rendering (when documents are checked in, they are automatically rendered in PDF format for document review.)
  • Custom Document Numbering (the ability to automatically assign alphanumeric document numbers to content)
  • Enforcement of the use of Standard Document Templates Codified Within SOPs
  • Version tracking with major and minor version control, version history
  • Ability to support regulatory submissions and publishing (this is a big one)
  • System MUST BE VALIDATABLE

As you can see from the partial list above, there are many features required by regulatory companies that are not standard in SharePoint out of the box.  However, SharePoint offers rich capabilities and features that have significantly enhanced the ability to deliver such as solution with the features listed above with minimal effort.

As a former Documentum and Qumas executive, I know first hand the challenges of developing such as system from scratch as my former employers did.  However, leveraging the power of SharePoint, OnShore Technology Group’s ValidationMaster™ Quality and Risk Management portal for example, is SharePoint-based and includes all of the features listed above.  The level of effort required to deliver such as solution was substantially lower due to the SharePoint application framework and development tools.

The ability to manage regulatory submissions and publishing is one of the features for which SharePoint may be more challenged.  In the Documentum world, there was such a thing as a “Virtual Document”.  A Virtual Document was a document that contained components or child documents.  A Virtual Document may represent a section of a regulatory dossier where the header represented the section of the dossier and there may be several child documents that are individual documents in that section.  Documentum was an object-oriented system and thus allowed the ability to have a single document comprised of multiple ACTUAL documents with early and late binding ability.  Since each component of a Virtual Document is its own document that can be checked in/check out and routed individually from other components, it makes them ideal for regulatory submission management which has very specific guidelines for publishing and pagination.   I have not seen a parallel yet for this in SharePoint.

Document management systems use to cost millions of dollars for acquisition, implementation and deployment.  These systems are now somewhat “commoditized” and the price points are significantly lower.  Many life sciences companies are using SharePoint for non-regulated documentation.  However, an increasing number of them are abandoning their higher cost rivals and moving to SharePoint as the foundation for controlled and uncontrolled documentation.  SharePoint can be in a hosted Office 365 environment or established in an on-premise environment.  Check out my cloud validation posts for more information on validating SharePoint and other applications in a cloud environment.  Either way, the system can and should be validated if used for regulatory content management.

It is recommended that you establish a clear set of user requirements for SharePoint.  SharePoint has powerful capabilities much beyond those articulated in this blog post.  There are many SharePoint partners that deliver effective, ready-to-use integrations with SharePoint such as Nintex® and DocuSign®.   Use these partner solutions to help minimize the validation effort.

If you have not already done so, it is worth a second look for regulated content depending on your application.  One thing is for sure, the day of the multi-million dollar content management solution is over for most companies.

Can Cloud Applications Be Validated?

Cloud applications are being deployed within life sciences Enterprises at a rapid pace. Microsoft office 365, Microsoft dynamics 365 and the cost benefit of deployment of other such applications are driving the adoption of cloud applications for regulated systems. The question that is always asked is can cloud systems be validated? The reason for the inquiry is due to the fact that many understand how clouds are deployed and maintained over time. In an effort to keep pace with system performance, security and other related controls in the cloud, cloud providers often update their environments to keep pace. The constant updating of the cloud environment makes it challenging from a systems validation perspective.  Maintaining the validated state in a cloud environment is often challenging due to this fact.

So can cloud applications be validated and what are the unique processes that must be changed to accommodate cloud validation?  The short answer is yes, cloud applications can be validated. However, there are changes required to the validation strategy to ensure that the system meets its intended use and the validated state is maintained over time.

ALL CLOUD PROVIDERS ARE NOT CREATED EQUAL

When choosing a cloud provider, it is helpful to understand that all cloud providers are not created equal. To my mind they are divided into two distinct camps: (1) those who understand regulated environments and (2) those who do not understand regulated environments. The first order of business for establishing a validated system in the cloud is to select your cloud providers carefully. I usually like to look at cloud providers who have experience in regulated environments. This goes for any application that you’re using in a highly regulated environment. It is super important that your vendor understand the regulatory requirements that you have to comply with and that in their service they build in best practices to help you comply. This will go a long way during the supplier audit process to confirm that you’ve done your proper due diligence on your cloud provider.

UNDERSTANDING RESPONSIBILITIES IN A CLOUD ENVIRONMENT

It is important to understand responsibilities in a cloud environment.  With packaged software applications, you have complete control over the environment.  With the various cloud service models, responsibilities vary depending on the model used as shown below.  For Infrastructure-as-a-Service, you manage the applications, data, runtime, middle ware and operating system.  While the vendor manages virtualization, servers, storage, and networking.  Please keep in mind that the principles of validation endure in the cloud.  You, not the vendor, are ultimately responsible for the environment and its management.  Therefore, you need to choose your cloud vendor wisely.

cloud services

You can see with Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS), you have less responsibility for the management of the system.  In the SaaS model, you do not control the application or infrastructure.  The vendor manages the application and it underlying architecture.

The strategy for validation changes based on the cloud model deployed.

The strategy for validation changes based on the cloud model deployed.

CONTINUOUS TESTING IN THE CLOUD

Previously four on premise systems, the validation engineer in consultation with the IT team determined how often validated systems environments were reviewed and updated. If the validation engineer did not want to apply a patch or an update, they simply left the system alone. Many validation engineers due to the labor involved in updating and documenting a validated system would often leave the system in a state where no changes, patches, or updates were applied. In today’s systems due to the threats from cyber security and frequent changes to browser applications, it is not possible to leave a system unpatched. To do so may leave your validated systems environment more exposed to security threats.

Therefore, when validating in the cloud you must employ a continuous testing strategy. When I say that to validation engineers they often cringe thinking of continuously having the test a validated systems environment. This is easier than you may think if you’re using automated tools for testing. Continuous testing is simply a validation testing strategy where on a designated schedule defined by the validation engineer, a system is routinely tested to ensure that patches, and routine updates do not impact the validated state. Continuous testing is facilitated best through automation. When developing a reusable test script Library, you can easily conduct an impact analysis and determine which tests need to be rerun. Regression testing is made easy through validation test script automation. Therefore, it is strongly recommended that if you deploy systems in a cloud environment that you employ an enterprise validation management system that includes automated testing such as ValidationMaster™.

Cloud applications can be validated.  The strategy changes based on the cloud model selected.  Choose your partners carefully.  They assume an important role in the management of critical system assets.

It is not a question of if a cloud application can be validated, it is a question of the deployment model you choose and the validation strategy that will govern deployment. Regulators are not averse to you using the cloud – its all about managing control and risk.

 

Cloud Validation Strategies

If you were to ask me 10 years ago how many of my life sciences clients were deploying systems in the cloud environment I would’ve said may be perhaps one or two. If you ask me today how many of my clients are deploying cloud’s technologies I would say most all of them in one way or another.  The adoption of cloud technologies within life sciences companies is expanding at a rapid pace.

From a validation perspective, this trend has profound consequences.  Here are some key concerns and questions to be answered for any cloud deployment.

  1. How do you validate systems in a cloud environment?
  2. What types of governance do you need to deploy applications in a cloud environment?
  3. How do you manage change in a cloud environment?
  4. How do you maintain the validated state in the cloud?
  5. How can you ensure data integrity in the cloud?
  6. How do you manage cybersecurity in a cloud environment?

The answers to these questions are obvious and routine to validation engineers managing systems in an on-premise environment where the control of the environment is managed by the internal IT team.  They have control over changes, patches, system updates, and other factors that may impact the overall validated state.  In a cloud environment, the software, platform and infrastructure is delivered as a SERVICE.  By leveraging the cloud, life sciences companies are effectively outsourcing the management and operation of a portion of their IT infrastructure to the cloud provider.  However, compliance oversight and responsibility for your validated system cannot be delegated to the cloud provider.  Therefore, these services must have a level of control sufficient to support a validated systems environment.

For years, life sciences companies have been accustomed to governing their own systems environments.  They control how often systems are updated, when patches are applied, when system resources will be updated, etc.  In a cloud environment, control is in the hands of the cloud service provider.  Therefore, who you choose as your cloud provider matters.

So what should your strategy be to manage cloud-based systems?

  • Choose Your Cloud Provider Wisely – All cloud providers are not created equally.  The Cloud Security Alliance (https://cloudsecurityalliance.org/ ) is an excellent starting point for understanding cloud controls.  The Cloud Controls Matrix (CCM) is an Excel spreadsheet that allows you to assess a vendors readiness for the cloud.  You can download it free of charge from the CSA.
  • Establish Governance For The Cloud – You must have an SOP for the management and deployment of the cloud and ensure that this process is closely followed.  You also need an SOP for cyber security to provide a process for protecting validated systems against cyber threats.
  • Leverage Cloud Supplier Audit Reports For Validation – All cloud providers must adhere to standards for their environments.  Typically, they gain 3rd party certification and submit to Service Organization Control (SOC) independent audits.  It is recommended that you capture the SOC 1/2/3 and SSAE 16 reports.  You also want to understand any certifications that your cloud provider has.  I would archive their certifications and SOC reports with the validation package as part of my due diligence for the supplier audit.
  • Embrace Lean Validation Principles and Best Practices – eliminating waste and improving efficiency is essential in any validated systems environment.  Lean validation is derived from the principles of lean manufacturing.  Automation is a MUST.  You need to embrace lean principles for greater efficiency and compliance.
  • Automate Your Validation Processes – Automation and Lean validation go hand in hand.  The testing process is the most laborious process.  We recommend using a system like ValidationMaster™ to automate requirements management, test management and execution, incident management, risk management, validation quality management, agile validation project management, and validation content management. ValidationMaster™ is designed to power lean validation processes and includes built-in best practices to support this process.
  • Use a Risk-Based Approach To Validation – all validation exercises are not created equal.  The level of validation due diligence required for your project should be based on risk – regulatory, technical and business risks.  Conduct a risk assessment for all cloud-based systems.
  • Adopt Continuous Testing Best Practices – the cloud is under continuous change which seems in and of itself counter-intuitive to the validation process.  Continuous testing can be onerous if your testing process is MANUAL.  However, if you adopt lean, automated testing processes regression testing is easy.  You can establish a routine schedule for testing and if your cloud provider delivers a dashboard that tells you when patches/updates/features have been applied and the nature of them, you can select your regression testing plan based on a risk and impact assessment.

 

Cloud environments can be validated!  A clear, practical approach that embraces lean validation and continuous testing is key.  Cloud governance to ensure data integrity and sustained compliance is key.

Cloud technologies are here to stay.  Regulators don’t object to the use of the cloud, they want to know how you are managing it and ensuring the integrity of the data.  They also want you to confirm that you are maintaining the validated state in the cloud.  The principles of validation endure in the cloud.  Just because you are in a cloud environment does not mean validation principles no longer apply.  Consider the impact of cybersecurity in your cloud environment and adopt continuous testing strategies to ensure sustained compliance.