
REGULATORY IMPACT ASSESSMENT
Document No.: client-SP2013-RIA-01
Revision: 00
TITLE: Regulatory Impact Assessment for Electronic Records Management in SharePoint 2013

Approval Signatures
By signing this document, the Approvers acknowledge that they have read and approve the contents of this
document.

Role | Name & Title | Signature | Date
Process Owner | <Name>, <Business Title> | |
System Owner | <Name>, <Business Title> | |
Quality Assurance | <Name>, <Business Title> | |

Document Revision History


Revisions to this document are logged in the Document Revision History table. Revisions to approved controlled
documents require new approval signatures.

Revision No. | Description of Change | Author | Date
00 | New Document. | <Insert Author Name> | <Insert Date>

Confidential Page 1 of 11

Table of Contents
1.0 Introduction
1.1 Purpose
1.2 Scope
2.0 System Overview
2.1 System Category (according to GAMP)
2.2 Intended Use
3.0 Glossary
4.0 References
5.0 Computer System Validation Questions
6.0 Applicable Regulations
7.0 Conformance with Applicable Regulations
8.0 Procedural Controls


1.0 Introduction
1.1 Purpose
The purpose of this document is to assess the regulatory impact of using the Microsoft SharePoint 2013
(hereinafter referred to as “SharePoint 2013” or “the system”) application to generate and/or manage
electronic records and to identify the areas of the system that must be validated in order to demonstrate
compliance with applicable regulations.
1.2 Scope
The scope of this regulatory impact assessment is restricted to the “out-of-the-box” SharePoint 2013
functionality and does not cover any customization or third-party applications (such as applications for
executing electronic signatures). The scope of the regulatory impact assessment is limited to US FDA 21 CFR
Part 11 Subpart B – Electronic Records regulations only. SharePoint 2013 can be configured to meet various
business process needs; however, this assessment only covers the limited use of the system as defined in
Section 2.2.

2.0 System Overview


SharePoint 2013 is a browser-based collaboration and document management platform from Microsoft with a
built-in workflow engine. It can be configured to meet various business requirements, including electronic
document management and records management.
2.1 System Category (according to GAMP)
SharePoint 2013 is a configurable application and is considered to be a Category 4 type system as defined in
GAMP® 5.
2.2 Intended Use
Within the scope of this assessment the SharePoint 2013 application is intended to be used for the
management of electronic records (documents and data) within the context of a regulated environment.
Within SharePoint 2013, electronic records are considered to be:
• Documents required to be maintained by predicate rule
• Data (e.g. column values in a SharePoint list or library) required to be maintained by predicate rule
• Audit Trails generated for electronic records which are created and/or managed in a SharePoint list or
library
Additional regulatory impact assessments should be performed as the use of the SharePoint 2013
application is extended to cover other business process needs.


Regulation:
(e) Use of secure, computer-generated time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.

How the Requirement is met:
This regulatory requirement will be met through both procedural and technical controls.
Technical Controls
• The SharePoint 2013 auditing feature can be enabled to capture audit trails for documents as well as for non-document list items, such as task lists, issues lists, discussion groups, and calendars. The feature provides an audit log that records events, such as when content is created, viewed, modified, and deleted, and includes the user name of the user who performed the associated action and the time and date when the event occurred.
• Audit trails are stored as read-only and are stored in a secure database. These audit trails remain linked to their respective records throughout their life cycle.
• Audit trail information can be exported from the system and viewed in Microsoft Office Excel.
• SharePoint 2013 can also be configured to preserve document and item versioning, with a secure version history that includes a complete copy of the previous and new record to assure the integrity of electronic records.
Procedural Controls
• An SOP which governs records retention and archiving policies should be put in place in order to define how audit trails will be protected throughout their lifecycle.

Risk Mitigation:
SOP(s) addressing:
• Backup and Restoration
• Record Retention and Archiving
Document No. client-SP2013-REQ-01

Regulation:
(f) Use of operational system checks to enforce permitted sequencing of steps and events as appropriate.

How the Requirement is met:
Operational checks are normally present in process control computer systems to ensure that operations (such as manufacturing production steps and signings to indicate initiation or completion of those steps) are not executed outside of the predefined order established by the operating organization. Within the context of an electronic records management system, the use of operational checks is not applicable. SharePoint 2013 can be configured to use workflows, which can control the permitted sequencing of steps and events; however, this is not within the scope of this current assessment. Any workflows added to the system should be independently assessed for regulatory impact through a regulatory impact assessment.

Risk Mitigation:
N/A
