Quality Management Systems (QMS) rely on a solid document control system to work effectively, and there are many excellent purpose made systems out there (e.g. eQMS SaaS products). However, when your business is still young or your first product is still an idea or early prototype, eQMS systems may be much more than you need manking and therefore an uneccesary cost.
Effective document control just needs discipline around filing and clear authorisations. Remember, quality management has been around for decades and were run very effectively on paper before eQMS every existed.
This post provides a guide to some of the basic things that you can do to configure an instance of Microsoft Sharepoint to be a simple but effective document control system. This is not a complete list of the things you can do with Sharepoint, it is a complex and powerful product, but it will get you started. This is also not intended to teach you how to configure or administer Sharepoint, but it is a simple list that many tech saavy people will be able to work through.
Why SharePoint?
There are a few reasons that Sharepoint is a good place to build a simple document control system.
May small businesses already have it.
Because it is part of the M365 suite we find that many start-ups and small businesses already have a Sharepoint instance. So generally there is no additional costs to a cash strapped start-up.
It is capable of good document control without much work.
The list of steps we recommend below are basic, but still get you a solid document control system. Because Sharepoint is already designed for control of business documents, you just have to configure it, rather than force it to do things it’s not really designed for.
No plugins required
Because Sharepoint is designed for commercial use and document management, it has all the capability we need for effective, but simple, document control. Some of the alternatives we mention througout this post require plugins to make them effective and reduce administration.
You can stick with it to the end – if you choose.
Plenty of larger and successful businesses run their quality management systems using Sharepoint. As long as you build good document control process around it, Sharepoint can easily take you right through regulatory approval and beyond. You will be able to use Sharepoint until you a ready to transition to a purpose-built eQMS, or stay with it indefinitely.
You can go much further.
Sharepoint is very powerful in the hands of an expert and can also be seriously programmed and customised. If you are an expert you can go even further and build your own bespoke eQMS system – just be aware that bespoke electronic document management systems need validation.
Why not something that isn’t Sharepoint?
Generally, there is no reason here. We have built similarly simple and effective document control for clients using DropBox and Confluence. They are also relatively simple to setup for good document control, we just tend to find that more businesses already have M365 and we like to keep things simple where we can. Introducing new products and training people can create uneccessary complexity for cash-strapped start-ups. Quality systems are complex enough without that.
However, if you already have a product with similar capabilities to Sharepoint you will likely be able to configure it in a similar way. Have a look at the steps below for Sharepoint and see if you can apply the underlying principles to your preferred SaaS filing system.
On Google Drive
We don’t recommend using Google Drive for document control. It is not really designed for document management, its empasise is on collaboration and ease of sharing, and we have seen it go wrong too many times. It can be made to work, but we generally think that it takes more administrative effort and discipline that it is worth. When clients only have Drive, we encourage them to purchase Sharepoint, Confluence or an eQMS.
Let’s get to it
Redundant backup
Record retention is required by medical device regulations in many jurisdictions, and it just makes good sense to protect critical business assets. Many people will see that Microsoft provides 90 days recovery for Sharepoint and use that as their backup. This is a mistake.
The 90 day recovery is a nice feature if you happen to loose or damage a file and you know about it. What about files that you don’t know have been lost or deleted – after 90 days they are gone. Also, how do you get your access to you data during a Microsoft outage or if your Sharepoint instance is damaged, lost or stolen?
Fortunately there are many 3rd party options for creating a redundant and archival backup of your M365 instance, including all of your Sharepoint files. Do some investigation and set one up before you loose critical design documents or records that you are required to have by law.
Create a separate space for the QMS documents
Don’t hold your QMS documents and records in the general company Sharepoint site. Doing this makes it more difficult to separate and control documents and can make them prone to accidental loss or damage. Futhermore, it is much easier to set permissions and document control procedures on your QMS documents if you have them in their own Sharepoint site. It’s fine to work on drafts over on the general Sharepoint or Onedrive, but setup a separate site for approved documents.
Read-only
QMS documents and records should be read-only to most people. Generally, only the quality manager, and their deputy, needs write access. Everyone else should not be able to edit documents that are published or records that have been finalised. Edit access increases the risk of accidental loss or corruption.
Depending upon how you setup workflows, you may give people access to edit the properties of a document if they are approvers, but still not let them edit the document itself. This is getting a bit advanced for this guidance, talk to a Sharepoint expert to learn more.
If you have a small team and only one quality person. Have a second person who can has edit access for when the quality manager is away - but do it with separate credentials (see below).
Restricting permissions on a Sharepoint folder is straightforward.
Read-only includes the boss
Some many companies give their executive write access to everything. This is poor practice for many reasons. In the case of QMS documents, it’s not a CEO’s job to administer the documentation. Also, the CEO (and other senior management) is unlikely to be trained in how to administer the QMS or, if they are, are unlikely to be doing it often. This means they are more likely to make mistakes that loose or damage critical documents.
Apply the principle of least privilege – everyone only has the permissions that they need to do their job.
Enable version control and approval
Version control is a key principle that underlies good document control. Sharepoint has this built in, but you need to turn it on. This make version control very easy because it is automatically managed every time someone edits a document. Note that you should keep all published versions of documents, but how long you retain drafts is up to you.
You can go a step further and configure version control so that read-only users can only see approved documents. This may or may not help, depending upon how your approval workflow operates.
Sharepoint's versioning settings are in the library settings for your document library.
Setup an approval workflow
An effective document control procedure needs clear traceability for who reviewed and approved documents and records. This just means that for any published QMS document, including records, you can provide evidence for who wrote it, reviewed it and approved it. However, these people also need to be competent and authorised to do this. For example, many companies will require that engineering work be signed off by an engineer, and that clinical decisions are made by a registered health professional.
Layout who will be authorised to write, review and approve different types of documents and records, and write it down as part of the document control procedures (e.g. a delegation register). Then you can configure your Sharepoint folders and permissions to fit the documented procedures.
Auditable e-signatures
There is nothing wrong with signing documents with a pen. However, if you are using electronic document management, a method of e-signing documents is likely to be more appealing. Importantly, a picture of a signature pasted into a document is not auditible. It is not traceable and is repudiable. You need a system that can objectively demonstrate that an authorised person reviewed or approved a document.
There are plenty of digital signature systems out there that you can use. You may already be using one for your commercial contracts and other business documents. Building a traceable digital signature into your document control procedure will satisfy the traceability requirements of standards and regulations.
Sharepoint can be configured to create these records. As long as people are required to sign in with their own credentials, then you can setup a Sharepoint approval processes that creates the traceability you need for the purposes of an internal document control system. You can also control who can check documents in and out using permissions.
Dual credentials for admins and quality team
You will have admins and quality team users who have admin credentials. However, in a small business these people often also have other roles. It can be good practice to give people with dual roles multiple credentials to improve security and reduce the risk of accidental damage to files. Ideally, an admin or quality manager will only login in with their admin/quality privileges when they are doing admin or quality things, and the rest of the time use a general access account like everyone else. This is easy to setup, reduces the risk of accidental loss or damage to files, and does not require additional M365 licenses. To create a set of login credentials that does not require a M365 license, create an ‘unlicensed’ user.
On validation
Finally, we need to say someting about validation. You may be told that if you 'build your own eQMS' that you have to validate it. This is correct. However, there is a difference between building an eQMS and using an electronic filing system. Most of the configuration above is setuping up Sharepoint to be a filing system that works with a good set of document control procedures.
As with all things quality management, you meassure that everything works as you intend. However, as with all validation, you need only validate against your own requirements, in this case the things that you are expecting Sharepoint to do. If you keep it simple, there will be little or no validation required. If you start implementing Power Automation or similar, then detailed validaiton may be needed.
Also, validation is not as scary as everyone thinks, and if you are designing or manufacturing medical devices you will quickly be an expert at it.
Finishing throughts
Document control systems for quality management do not need to be complex, difficult or expensive. They just need to meet the requirements of standards and regulations, which are usually quite flexible. You can get simple but effective document control software setup with sensible configuration of commercial grade document storages. This not only saves you money when you are small and cash-strapped, but get yous started in quality manager early, which is always cheaper than starting late.