SharePoint Validation: Quality and Compliance Portals

I am often asked the question… “can SharePoint be validated?”  The short answer is YES but it often requires customization to achieve deliver compliance objectives.  The longer response requires further examination as to why people ask the question and the nature of SharePoint as a content management system.  With the release of Office 365® reaching over 100 million active users per month and more companies moving toward the cloud, we are witnessing the maturation of SharePoint for both regulated and non-regulated content management.

SharePoint has undergone many changes over the past decade that have increased its adoption within the life sciences industry.  New features of SharePoint from Microsoft and its robust technology partner community include, but are not limited to:

  • Synchronization with OneDrive For Business®
  • New SharePoint Communication Sites With Pre-Built Layouts
  • Integration of SharePoint and Microsoft Team
  • New Integration with DocuSign® For Electronic Signatures
  • Enhanced Integration For Graphical Workflows From Nintex®
  • SharePoint-aware PowerApps and Flow
  • Updated Page Layouts and Web Part Enhancements
  • Improved SharePoint Administration
  • Enhanced Document Version Control

Within the life sciences community, the resistance to SharePoint focused on security and the lack of “out-of-the-box” features for life sciences validation.  What are some of the key application that life sciences companies require from a regulatory SharePoint enterprise content management system?  A partial list of document and records management features such as:

  • Intelligent Document Creation Tools
  • Automated Document Change Control
  • Configurable Document Types With Pre-Assigned Document Workflows (based on the type of document, workflows are automatically launched)
  • 21 CFR PART 11 support (electronic or digital signatures, audit trails, et al)
  • Ability to print a Signature Page with Each Signed Document
  • Ability to Establish Pre-defined Automated Document Lifecycle Workflows
  • Support for and designation of Controlled and Uncontrolled Content
  • Controlled Document Management Features Should include Configurable watermarks and overlays
  • Markup tools for document review
  • Ability to classify documents for records management capabilities
  • Ability to assign/tag documents with metadata
  • Content Rendering (when documents are checked in, they are automatically rendered in PDF format for document review.)
  • Custom Document Numbering (the ability to automatically assign alphanumeric document numbers to content)
  • Enforcement of the use of Standard Document Templates Codified Within SOPs
  • Version tracking with major and minor version control, version history
  • Ability to support regulatory submissions and publishing (this is a big one)

As you can see from the partial list above, there are many features required by regulatory companies that are not standard in SharePoint out of the box.  However, SharePoint offers rich capabilities and features that have significantly enhanced the ability to deliver such as solution with the features listed above with minimal effort.

As a former Documentum and Qumas executive, I know first hand the challenges of developing such as system from scratch as my former employers did.  However, leveraging the power of SharePoint, OnShore Technology Group’s ValidationMaster™ Quality and Risk Management portal for example, is SharePoint-based and includes all of the features listed above.  The level of effort required to deliver such as solution was substantially lower due to the SharePoint application framework and development tools.

The ability to manage regulatory submissions and publishing is one of the features for which SharePoint may be more challenged.  In the Documentum world, there was such a thing as a “Virtual Document”.  A Virtual Document was a document that contained components or child documents.  A Virtual Document may represent a section of a regulatory dossier where the header represented the section of the dossier and there may be several child documents that are individual documents in that section.  Documentum was an object-oriented system and thus allowed the ability to have a single document comprised of multiple ACTUAL documents with early and late binding ability.  Since each component of a Virtual Document is its own document that can be checked in/check out and routed individually from other components, it makes them ideal for regulatory submission management which has very specific guidelines for publishing and pagination.   I have not seen a parallel yet for this in SharePoint.

Document management systems use to cost millions of dollars for acquisition, implementation and deployment.  These systems are now somewhat “commoditized” and the price points are significantly lower.  Many life sciences companies are using SharePoint for non-regulated documentation.  However, an increasing number of them are abandoning their higher cost rivals and moving to SharePoint as the foundation for controlled and uncontrolled documentation.  SharePoint can be in a hosted Office 365 environment or established in an on-premise environment.  Check out my cloud validation posts for more information on validating SharePoint and other applications in a cloud environment.  Either way, the system can and should be validated if used for regulatory content management.

It is recommended that you establish a clear set of user requirements for SharePoint.  SharePoint has powerful capabilities much beyond those articulated in this blog post.  There are many SharePoint partners that deliver effective, ready-to-use integrations with SharePoint such as Nintex® and DocuSign®.   Use these partner solutions to help minimize the validation effort.

If you have not already done so, it is worth a second look for regulated content depending on your application.  One thing is for sure, the day of the multi-million dollar content management solution is over for most companies.

Electronics Records Management For Validated Systems

The 21 CFR Part 11 Electronic Records; Electronic signature final rule has been effective since August 1998.  While much attention has been given to the electronic signature technical controls included within the final rule, less attention has been focused on the electronic records component.  Before we continue with this discussion, it is important to establish common ground as to what is an electronic record.  According to Part 11, “… an Electronic Record is any information (text, graphics, data, audio, pictorial) created, modified, maintained, archived, retrieved, distributed, or reported in electronic form within a computer system…”  As you may have gleaned from the definition, this is anything that is on your computer/desktop/servers.  All systems subject to 21 CFR Part 11 must be VALIDATED.  The application scope of systems subject to 21 CFR Part 11 in life sciences companies are highlighted in the figure below.


As you can see, all types of systems from document management, ERP, CRM, LIMS, MES, QMS, as well as electronic records management systems themselves are subject to this regulation.  The purpose of this blog post is to discuss why records management is an important topic for life sciences companies to consider and how do we validate such systems.


There is much discussion in the news today about the new EU General Data Protection Regulation also known as “GDPR”.  This regulation focuses on data protection of information that can uniquely identify individuals as well as how to  manage and protect this personal data while respecting individual choice—no matter where data is sent, processed, or stored.  This is a game-changer since the failure to manage such information now comes with stiff financial penalities up to 4% of turnover for serious violations.

Predicate rules require the retention of certain records over time.  Sarbanes-Oxley also imposes the need to have a defined records management policy in place to prevent the destruction of records related to investigations or other government inquiries.  When looking at the EU GDPR and other regulations, it is important to understand and review the principles of electronic records management.  Records management deals with the following:

  • Indexing
  • Classification
  • Long/Short Term Archival  
  • Storage
  • Control
  • Move/Transfer
  • Hold (legal/regulatory)
  • Delete/Destroy

The typical lifecycle of a record is shown in the figure below. At the time records are created, they are classified and indexed.  They are promoted through a lifecycle workflow until the record is expired or ultimately destroyed.  There is a lot of overlap between electronic records management systems and document/content management systems.  They have often the same features/functionality but records management systems have distinct capabilities to manage electronic records.

record lifecycle

Life sciences companies must establish a taxonomy and retention policies for the management and control of electronic records. In order to achieve compliance with existing predicate rule requirements, life sciences organizations must establish policies and procedures governing electronic records and ensure that all requisite documentation is retained as long as required by the applicable retention schedule as mandated by predicate rule requirements.

Life sciences companies must come to grips with the realities of electronic records management in cloud and on-premise environments.  Issues with respect to data integrity, consistency and transparency are crucial.  These systems must be validated to confirm that the systems can sustain electronic records over time.