Regulatory Open Forum

This message was posted by a user wishing to remain anonymous

The medical device startup I work with has one regulated product and three products in feasibility studies being readied for FDA submission.  They are preparing to contract with a Microsoft 365 "subcontractor" to manage all of our company's electronic systems including business management; manufacturing; and regulatory/quality/clinical trials.  Is a  Microsoft system subcontractor grandfathered in as an acceptable and safe system to meet our regulatory requirements for company computer systems, electronic records, and electronic signatures specific to 21 CFR Part 11?  Any suggestions and information would be most helpful.

Anon,

I am not sure any system is "safe" - it really depends on what the system is being used for and in what applications.  As you mention in business management, this is probably fine as many companies use Microsoft 365/Sharepoint to store their files and setting up the proper access rights and controls.  Manufacturing and Regulatory/Clinical similar approach.  Be careful when talking about "grandfathering" because this is a really slippery slope to go down, because how does an organisation know what was done before.  You probably would need to seek some further expert advice, because addressing your questions is quite broad and would entail many areas of process validation, IT management, and record management.

------------------------------
Richard Vincins ASQ-CQA, MTOPRA, RAC
Vice President Global Regulatory Affairs
------------------------------

Original Message:
Sent: 25-Aug-2023 13:08
From: Anonymous Member
Subject: Is Microsoft 365 safe for fully remote medical device startup

This message was posted by a user wishing to remain anonymous

The medical device startup I work with has one regulated product and three products in feasibility studies being readied for FDA submission.  They are preparing to contract with a Microsoft 365 "subcontractor" to manage all of our company's electronic systems including business management; manufacturing; and regulatory/quality/clinical trials.  Is a  Microsoft system subcontractor grandfathered in as an acceptable and safe system to meet our regulatory requirements for company computer systems, electronic records, and electronic signatures specific to 21 CFR Part 11?  Any suggestions and information would be most helpful.

Anon,

It also seems like part of the customer's supplier qualification process would need to assess whether the "subcontractor" can meet the customer's requirements related to a validated computer system(s).  Specifically, any hardware or software used to automate any part of the device production process or any part of the quality system which must be validated for its intended use. This requirement applies to any hardware or software used to automate device design, testing, component acceptance, manufacturing, labeling, packaging, distribution, complaint handling, or to automate any other aspect of the quality system. In addition, computer systems used to create, modify, and maintain electronic records and to manage electronic signatures are also subject to the validation requirements.  

IMHO,

will

------------------------------
William Coulston PMP, MS, RAC
Director of Quality & Regulatory Affairs
San Antonio TX
United States
------------------------------

Original Message:
Sent: 27-Aug-2023 10:56
From: Richard Vincins
Subject: Is Microsoft 365 safe for fully remote medical device startup

Anon,

I am not sure any system is "safe" - it really depends on what the system is being used for and in what applications.  As you mention in business management, this is probably fine as many companies use Microsoft 365/Sharepoint to store their files and setting up the proper access rights and controls.  Manufacturing and Regulatory/Clinical similar approach.  Be careful when talking about "grandfathering" because this is a really slippery slope to go down, because how does an organisation know what was done before.  You probably would need to seek some further expert advice, because addressing your questions is quite broad and would entail many areas of process validation, IT management, and record management.

------------------------------
Richard Vincins ASQ-CQA, MTOPRA, RAC
Vice President Global Regulatory Affairs

Original Message:
Sent: 25-Aug-2023 13:08
From: Anonymous Member
Subject: Is Microsoft 365 safe for fully remote medical device startup

This message was posted by a user wishing to remain anonymous

The medical device startup I work with has one regulated product and three products in feasibility studies being readied for FDA submission.  They are preparing to contract with a Microsoft 365 "subcontractor" to manage all of our company's electronic systems including business management; manufacturing; and regulatory/quality/clinical trials.  Is a  Microsoft system subcontractor grandfathered in as an acceptable and safe system to meet our regulatory requirements for company computer systems, electronic records, and electronic signatures specific to 21 CFR Part 11?  Any suggestions and information would be most helpful.

Like any system, there are pros and cons! I suggest no system can be treated as perfectly safe. I would encourage you to do a proper risk assessment of the security and sustainability implications for your business. In particular, those concerned with only using a single vendor (irrespective of the dominant position and universality of that file formats. I have some concerns about Microsoft 365, but if I knew sufficient detail about all enterprise systems, I am sure I would have concerns about them too. I would encourage you to consider the possibility of what you do, if your Microsoft 365 suddenly becomes unavailable to you for whatever reason. Are your files backed up? Are they in a format in which they can be opened with other software? Is that other software independent from "the cloud", so that you could still use it even if there was a major Internet outage? I feel the issues of cyber security and sustainability (continuity of supply) are perhaps more important than electronic signature compliance.

On part 11, I would basically say my experience is it is all down to the decisions made at the time of local deployment, i.e. how it's set up by your subcontractor. You  need to critique their plans. My view is any software system can be satisfactory or can be flawed - the difference probably comes down to the deployment by you/your subcontractor in your particular business. BUT, never put all your eggs in one basket ... the perfect future-proof basket has yet to be made!

------------------------------
Neil Armstrong FRAPS
MeddiQuest
Peterborough UK
Waterford Ireland
------------------------------

Original Message:
Sent: 25-Aug-2023 13:08
From: Anonymous Member
Subject: Is Microsoft 365 safe for fully remote medical device startup

This message was posted by a user wishing to remain anonymous

The medical device startup I work with has one regulated product and three products in feasibility studies being readied for FDA submission.  They are preparing to contract with a Microsoft 365 "subcontractor" to manage all of our company's electronic systems including business management; manufacturing; and regulatory/quality/clinical trials.  Is a  Microsoft system subcontractor grandfathered in as an acceptable and safe system to meet our regulatory requirements for company computer systems, electronic records, and electronic signatures specific to 21 CFR Part 11?  Any suggestions and information would be most helpful.

I recommend checking out Regdocs365- it is an entirely validated cloud system designed for life sciences start ups.  The originators got fed up with start ups paying pfizer prices for validated systems and basically created it all in a "box", right sized- and priced- for start ups.  I'm not associated with that company but always mention them when the subject comes up because no one seems to know they exist.  It's a shame.  Antionette Azevedo, an extremely knowledgeable regops expert, having been involved in submissions and validated environments since before the eCTD became a thing, is one of the designers.  There's not a regops problem she hasn't seen or solved many times before-  https://www.regdocs365.com/

good luck

------------------------------
sheila mahoney
Babylon NY
United States
------------------------------

Original Message:
Sent: 25-Aug-2023 13:08
From: Anonymous Member
Subject: Is Microsoft 365 safe for fully remote medical device startup

This message was posted by a user wishing to remain anonymous

The medical device startup I work with has one regulated product and three products in feasibility studies being readied for FDA submission.  They are preparing to contract with a Microsoft 365 "subcontractor" to manage all of our company's electronic systems including business management; manufacturing; and regulatory/quality/clinical trials.  Is a  Microsoft system subcontractor grandfathered in as an acceptable and safe system to meet our regulatory requirements for company computer systems, electronic records, and electronic signatures specific to 21 CFR Part 11?  Any suggestions and information would be most helpful.