Using Office 365 for managing GxP processes is increasingly sought after by the life science community. In our recent webinar, 55% of attendees shared that they plan to manage regulated GxP content in Office 365 and SharePoint Online, and 24% already had the system in place.
Before the rise of cloud-based technologies, on-premise systems were not frequently updated, and there was a resistance to making changes as the validation effort was significant. And when changes like updates and patches were made, they were more substantial in scope and therefore riskier. With cloud-based services like Office 365, patches are regularly made by the Microsoft team to prevent risks of data breaches and create a more optimized user experience.
With continuous updates coming to an increasingly mobile workforce, your cloud-based content management system can perform at its absolute best. But for even the most experienced validation professional, the thought of maintaining ongoing proof of validation for changing systems can be daunting. In this article, we break down what continuous validation means in the context of Office 365 and what you can do to ensure continuous validation as an Office 365 customer.
What is continuous validation?
Given the evolving nature of the Office 365 platform, and it’s highly configurable and customizable features, continuous validation is crucial to keep up with changes and configure them for any GxP process.
Continuous validation is:
- Knowing the state of the system (its current configuration) and ensuring alignment with specifications and user requirements (at all times)
- Performing continuous regression testing, with emphasis on higher risk areas of the system (e.g., audit trail capabilities and access control and data protection)
- Being proactive concerning upcoming changes from the cloud service provider
- Having critical processes in place for system governance using Microsoft’s planned changes to perform an Impact Assessment and determine whether or not the changes affect intended use, or if there are new features to leverage.
Keeping your system secure and functioning in its intended use is better than keeping it static, and for that, we need continuous validation.
Microsoft’s responsibility as the cloud service provider is to perform verifications as part of their SDLC process. However, given the fact that we’re using Office 365 and or SharePoint Online in a GxP process, certain elements need to be tested to make sure we’re complying with GxP regulations. This is explained in further detail in the Montrium-authored Microsoft Office 365 GxP Guidelines.
Key steps involved when implementing a continuous validation program
During our last webinar on continuous validation, 58% of participants shared that they were still considering implementing a continuous validation program. To help those looking to get started, we’ve laid out the six key steps included in most continuous validation programs at GxP regulated organizations using Microsoft cloud services.
1. Establish governance processes
Start with a Release Analysis. This will identify who is responsible for reviewing the Product Roadmap and Message Center, and who needs to be informed of upcoming changes.
Then, identify what actions need to be taken if an incident or system failure occurs (Incident Management). Finally, record what to do when configuration changes or new feature activation is requested by the end-users (Change Management). 
2. Determine intended use and map out GxP business process
Test and validate the features that you are using in a GxP context and map out where user actions are occurring. In this mapping, each step of the records management process is detailed and linked to the functions of the system that will support those user activities. This is summarized in what we call a process modelling diagram.
3. Identify key features and configuration settings to be tested
Your new system must be configured in a way that reflects your current business and operational processes. For example, in Office 365, you can customize audit settings, time zone, and data residency settings, activated features, security groups, custom permission levels, site structure definition (lists, libraries, content types), and list versioning settings.
4. Define test framework and automated test scripts
We can use PowerShell to extract the current configuration of key system settings and compare them with specifications. This can be done at various levels, including the Tenant level, SharePoint Admin level, Site Collection level, and List/Library level.
Once this is completed, a Robot Framework/Selenium can mimic user activities to verify GxP business process requirements and verify against user acceptance criteria.
5. Provision a test environment that is representative of production
Within Microsoft, there are various release rings that they provide. Before rolling out a release to customers, it is rolled out internally. Once released to the public, it can be done as a targeted release, and then as a worldwide standard release. A targeted release means it can be used in collaboration with a development/test tenant to test new functionality before it gets rolled out to their entire organization.
6. Execute tests on trigger events
Tests may be triggered when user-driven configuration changes or a new feature is activated to show that the system is performing as it was before. Tests may also follow a periodic or pre-defined schedule. And, tests may be triggered with any vendor-driven system updates.
The tools at your disposal to support continuous validation
As a customer of Microsoft, you are not alone in undergoing continuous validation, as there are various tools at your disposal to help your continuous validation effort. We have used and now recommend implementing these tools to support your continuous or ongoing validation program.
Product updates on the Office 365 Message Center notify you of changes categorized according to their potential impact. You may be notified and advised to plan for change so that you can prevent or fix any issues before they occur. Here, you will also see new features that may be interesting for you to leverage. This comes with a date when that change will be applied and when you should be acting.
The Office 365 Roadmap shares changes that are currently in development or that are actively being rolled out based on the targeted release program, as well as changes that already launched. You can filter this roadmap to see features coming out in Q3, or just the month of May, for example.
Automated provisioning and monitoring tools such as PowerShell, SharePoint REST Services, and the Office 365 Desired State Configuration (DSC) help manage the actual configuration of the sites you have within SharePoint. A PowerShell PNP Provisioning Template is an XML document that holds all the key configuration parameters for a site collection. These templates can be changed with certain parameters based on your specific needs, such as security settings and capturing certain events within the audit log that pertain to the changes of records.
If you’re looking to have more hands-on involvement in the design of your Office 365 environment, test Management and automation tools such as Azure DevOps are useful for managing requirements, features, configurations. Tests can be automated and launched from this platform.
The Takeaway
Continuous validation is a key factor in the success of your new technology investment. With ongoing configuration, testing, and governance, your Office 365 system will operate consistently to meet regulatory requirements.
Montrium’s experienced Professional Services Group specializes in computer system validation, cloud strategy and compliance, quality assurance, and digital transformation within the context of the life sciences. We work with Microsoft as a Gold Partner and have developed several whitepapers, including the Office 365 GxP Guidelines that detail how to manage Office 365 and Microsoft Azure products - targeted for organizations working in the context of GxP processes. 
