GxP Compliance with Microsoft Power Platform and Dynamics 365—From Theory to Practice

Moving from the theory of Good Practice (GxP) to implementing it in the cloud with Power Platform is not trivial, but it is not rocket science either.

Organizations can adopt Power Platform as an enabler in their GxP efforts and be confident in their ability to demonstrate adherence to the regulatory goals and requirements of their particular field. Regulatory goals aim to ensure that businesses in regulated industries manufacture products that are safe to use and meet stringent quality standards during the production process. Computerized systems that use GxP processes require validation of adherence to GxP requirements. Businesses and the FDA consider computerized systems qualified when the business can demonstrate the systems can fulfill all the relevant and applicable GxP requirements.

Businesses achieve GxP qualification by using the following steps: 1) Platform Qualification, 2) Documentation of Qualification, 3) Power Platform Landing Zone Build/Verify, 4) Governance Policy Design and Document, 5) Design SOP for Verification, 6) Application Verification and Validation, 7) Pilot, 8) Build new app with SOP or Validate Existing app. These can broadly fall into three categories of activities: quality management, risk management, and validation.

1. Platform Qualification-—Microsoft enterprise cloud services undergo regular independent third-party audits and have earned certification under numerous standards. These regular audits and certifications purpose and objectives are similar in nature to those of CFR Title 21 Part 11 and help demonstrate due diligence in platform selection.
2. Documentation of Qualification—Cross-walking existing Microsoft-provided documentation from the Microsoft Service Trust Portal to the specifics of a GxP effort is the starting place. Reuse existing documentation before creating anything new and speed the time to qualification!
3. Power Platform Landing Zone Build and Verify—A secure-by-default location within which to host GxP applications and processes is a necessary precondition to achieving qualification. Defining the nature of the security provided by the landing zone, building it, and validating its as-built status is as-intended are critical to achieving qualification.
4. Governance Policy Design and Documentation—Documenting business policies, processes, and procedures are critical to achieve as well as evidence that the organization lives up to what it has written are key and continuous requirements. Importantly, these policies and decisions start in the business operations community and fall to the technology community to support. Of course, balancing the business operational imperatives with security imperatives is the job of the leadership starting at the C-Suite and working downwards.
5. Design SOP for Verification—Whatever standard operating procedures the business adopts, they must be verifiable—that is they must be specific enough to allow staff to adhere to them and low-enough variability to earn the moniker of SOP. Too broad of language, or ‘guidance’ rather than prescriptive language invites unpredictability.
6. Application Verification and Validations—Applications must not only adhere to their design (verification) but to their intended purpose (validation). The first is almost always an engineer or developer focused activity. The second is almost always the user of the application or the user of the product(s) generated by the application. Skipping either is an invitation for high risk to the organization.
7. Pilot—Of course, putting all the above into practice is easier written than done. Testing out the functioning of each step and their integrations, albeit on a non-critical activity, generates confidence that the entirety of the activity generates the intended outcome(s).
8. Build new app with SOP—The supporting infrastructure and processes are complete and there is reasonable confidence that they contribute to the desired results. Its time to move past pilots and to the operationalization of Power Platform and Dynamics 365 in support of the business!

The above is necessarily brief. For those interested in a more thorough discussion of the entire subject, and each of the steps shown above, Planet invites you to download and read its white paper entitled, Achieving GxP Compliance with Microsoft Power Platform and Dynamics 365 or reach out via email to [email protected].