QMS Document Management: Connecting Documents, Training, and Quality Events

SharePoint controls documents. eLeaP controls quality.

Document Control Software for QMS: Why Regulated Industries Cannot Use SharePoint and What to Use Instead

At some point in most regulated-industry quality system evaluations, someone suggests SharePoint. It is already licensed. The IT team knows it. It stores files and supports version history. The suggestion is understandable and consistently wrong for the same set of reasons.

Regulated-industry document control is not a file management problem. It is a quality system problem with specific regulatory requirements: controlled access by role, electronic signatures that meet 21 CFR Part 11, automated training triggers on every document revision, an audit trail that connects document versions to the quality events they govern, and evidence that every employee who performed a regulated task was trained on the document version in effect at the time. SharePoint satisfies none of these requirements natively. Generic EDMS platforms like Cognidox satisfy some of them without the quality system integration that makes the others possible.

eLeaP’s document control software is built for quality management systems in regulated industries. This page covers why generic platforms fail, what the full controlled document lifecycle requires, how version control connects to training records in eLeaP’s integrated system, and why that connection is the most inspection-critical capability in a QMS document control platform.

Why SharePoint Fails Regulated-Industry Document Control

SharePoint is a collaboration and file management platform. In that role, it is competent. In the role of QMS document control for a regulated manufacturer, pharmaceutical company, or medical device maker, it fails on the requirements that actually matter to a regulatory investigator.

No Controlled Access by Role

Regulated document control requires that document access be controlled by role and that only authorised personnel can view, edit, or approve documents appropriate to their function. SharePoint’s permission model is folder-based and manually maintained. It has no concept of a quality role, a document type, or an approval authority level. Maintaining role-appropriate access in SharePoint across a workforce that changes roles, joins, and departs requires continuous manual administration. In practice, access drift is the norm: employees retain access to document libraries they should no longer see, and access gaps are discovered during audits rather than prevented by the system.

No Electronic Signatures That Meet 21 CFR Part 11

21 CFR Part 11 requires that electronic signatures used in records subject to FDA regulations be unique to one individual, require at a minimum two distinct identification components such as an identification code and password, and be linked to their respective electronic records. SharePoint does not provide electronic signatures in the Part 11 sense. Document approvals in SharePoint are workflow notifications — a person clicks to acknowledge, but the action is not bound to a verified identity check, is not linked to the document record in a tamper-evident way, and does not capture the meaning of the signature. An FDA investigator reviewing a SharePoint-managed document approval trail will not accept it as a 21 CFR Part 11-compliant electronic signature.

No Automated Training Triggers on Document Revision

When a controlled document is revised and approved, every employee whose job function requires training on that document must be reassigned for training on the new version. In SharePoint, there is no connection between the document management layer and any training system. The training reassignment depends entirely on a person — typically the document owner or training administrator — noticing that the revision occurred and manually enrolling affected employees in a training event. This manual handoff is where document-training traceability breaks down, and where a Form 483 observation on training record currency originates.

No Audit Trail That Connects Documents to Quality Events

Regulated document control requires an audit trail that shows not only who accessed and modified a document but also how document revisions connect to the quality events that triggered them: the deviation that identified a procedure gap, the CAPA that required a process change, the change control that authorised a method update. SharePoint’s audit log captures file access and modification events. It has no concept of a CAPA record, a deviation, or a change control. The connection between a document revision and its originating quality event exists nowhere in the SharePoint environment — and that connection is what a regulatory inspector asks for when they want to understand why a procedure changed.

Why a Standalone EDMS Is Not Enough: The Cognidox Limitation

Purpose-built electronic document management systems like Cognidox address some of the gaps that SharePoint leaves open. Cognidox provides structured approval workflows, version control, and access management that are more suitable for regulated environments than a generic collaboration platform. It holds positions in the document control software search cluster, which reflects genuine demand for its core capabilities.

The limitation of a standalone EDMS is that document management is not a self-contained quality function. It is the connective tissue of the quality system — the layer through which SOPs govern nonconformance investigations, change controls govern document revisions, and CAPAs govern procedural corrections. An EDMS that manages documents well but does not connect those documents to CAPA records, deviation records, change control records, and training records delivers document management without quality system integration.

A quality professional using a standalone EDMS alongside a separate CAPA system, a separate training platform, and a separate change control system spends significant time on manual record reconciliation that an integrated system handles automatically. More importantly, the manual reconciliation introduces gaps that are not visible until an auditor asks for the connection. When an investigator asks which CAPA led to a revision of a specific SOP, the answer should come from the quality system in seconds. In a disconnected architecture, it comes from a person who has to search across multiple systems and hope the manual link was documented.

The Controlled Document Lifecycle in eLeaP: From Draft to Superseded

The complete controlled document lifecycle in a regulated quality system has seven stages. Each stage has specific requirements that the document control system must enforce, not just accommodate.

Stage 1: Authoring

The document author creates a draft within eLeaP using either the system’s built-in editor or by uploading a file from an approved template. The draft is in a controlled authoring state — visible to the author and designated reviewers but not accessible to the broader organisation. The document record captures the document number, the document type, the applicable regulatory framework, and the change reason that initiated the revision. If the revision originates from a CAPA or a change control, the originating record links to the document at the authoring stage.

Stage 2: Review and Comment

The draft routes to designated reviewers according to the configured review workflow for the document type. Reviewers access the draft in the system, provide comments directly in the document record, and indicate whether the draft is acceptable for approval routing or requires revision. All comments and revision decisions are captured in the document record’s activity log with reviewer identity, timestamp, and comment content. The author can view all reviewer comments in a consolidated view before addressing them and advancing the document to the approval stage.

Stage 3: Approval with 21 CFR Part 11 Electronic Signatures

The document routes to each approver in the configured approval sequence. Each approver signs electronically using a two-factor authentication process that satisfies 21 CFR Part 11: the approver’s unique identifier and a confirmation password entry at the time of signing. The electronic signature record captures the signer’s identity, the date and time of the signature, and the meaning of the signature — reviewed and approved, for example, rather than a generic acknowledgment. The signature is bound to the document record in a tamper-evident way: any subsequent modification to the document after signature invalidates the signature record and requires re-approval.

Stage 4: Publication and Controlled Distribution

When the final approver signs, the document moves to effective status on the configured effective date. At that point, access is controlled by the distribution list associated with the document type and the role-based access configuration. Personnel whose roles require access to the document can view the current effective version. Personnel outside the authorised distribution cannot access the document. There is no need for manual folder permission administration — access is governed by the role and document type configuration maintained in the system.

Stage 5: Automatic Training Assignment

On the effective date, eLeaP’s integrated LMS identifies every role assigned to the document in the training matrix and creates training assignments for every employee currently in those roles. The training assignment carries the document version number, the effective date, and the training due date calculated from the configurable retraining window. Training completion records link to the specific document version. This happens automatically, without any action by the document owner or training administrator, on every revision of every controlled document in the system.

Stage 6: Supersession and Archival

When a new version of a document becomes effective, the prior version is automatically superseded. The superseded version is removed from the active document library and moved to the controlled archive. It is no longer accessible through the standard document navigation but remains retrievable by authorised personnel through the document history view. The supersession is documented in the audit trail with the date, the new version number, and the identity of the approver who authorised the new version. If an FDA investigator asks for the version of a specific procedure that was in effect on a specific production date, the archived version is retrievable in seconds.

Stage 7: Periodic Review

Controlled documents require periodic review to confirm they remain current, accurate, and appropriate. eLeaP generates periodic review notifications at the configured review interval for each document type — annually for most GMP procedures, more frequently for procedures in areas of active quality improvement activity. The periodic review record captures whether the document was confirmed current without change, or whether a revision was initiated as a result of the review. Documents that pass their periodic review date without a completed review generate escalation notifications to the document owner and quality management.

Version Control and Training Records: The Inspection-Critical Connection

Regulatory auditors examining a quality system ask a specific question about training records: Was the employee trained on the version of the procedure that was in effect at the time they performed the regulated task? This is not a question about whether training occurred. It is a question about version currency — and it is the question that exposes document-training silos.

In a disconnected system, the training record shows that an employee completed training on a procedure. It does not show which version. The document management system shows the current version and the revision history. Connecting those two data points requires knowing when the training occurred, finding the document version that was effective on that date, and manually confirming the match. Under inspection pressure, this reconciliation is error-prone and time-consuming. Under routine conditions, it is rarely performed at all.

In eLeaP, the training completion record carries the document version number as a native field. There is no reconciliation required because the connection was made at the moment of training assignment — the assignment was created for the specific document version, and the completion record inherited that version reference. An FDA investigator asking whether an employee was trained on the version of a procedure in effect on a specific date receives a single-query response from the system: the employee’s training record for that document, showing the version, the completion date, and the assessment result.

A Form 483 observation on training record currency — one of the most common observations in pharmaceutical and medical device inspections — is structurally prevented by this architecture. The observation arises when training records cannot demonstrate version currency. In eLeaP, version currency is not demonstrated after the fact. It is embedded in the training record at the time of completion.

The QMS and LMS Connection in Practice: A Validated Cleaning Procedure Revision

The strongest demonstration of the document control and training connection is a concrete example. A validated cleaning procedure governing equipment cleaning between product campaigns requires revision. The revision is triggered by a CAPA that identified an inadequate cleaning step as a potential contamination risk during a routine process review.

In eLeaP, the sequence is as follows. The CAPA record initiates the document revision. The cleaning procedure enters the authoring stage with the CAPA record linked as the change reason. The revised procedure routes through review and approval, with the CAPA owner included as a required reviewer to confirm that the revision addresses the identified gap. Each approver signs electronically with Part 11-compliant credentials. The approval is complete.

Before the revised procedure is released as effective, eLeaP identifies all production operator roles assigned to the cleaning procedure in the training matrix. Training assignments are automatically created for every operator in those roles, with a due date set to allow training completion before the new procedure goes live. Operators receive system notifications of the pending training requirement. Supervisors see the pending assignments in their team training dashboard.

Operators complete the training within the system. Assessment results are recorded. The training completion record for each operator carries the new procedure version number. When the last required training completion is confirmed, the system releases the revised procedure to effective status. The prior version is superseded and archived. The CAPA record updates with the document revision number and the training completion confirmation as evidence supporting the corrective action closure.

The entire sequence — from CAPA initiation through document revision through training completion through procedure release — is traceable in a single connected record chain. If the same cleaning procedure is inspected twelve months later, the inspector can view the CAPA that triggered the revision, the approval record for the revision, the training records showing every operator was trained before the new version went live, and the procedure currently in effect — in one session, from one system.

Evaluating Document Control Software for Regulated Industries: Five Questions That Matter

The document control software evaluation for a regulated organisation should go beyond workflow configuration and approval routing. The questions below test the integration depth that regulated document control actually requires.

eLeaP’s answers to all five questions are yes, and each is demonstrable in a scoped platform walkthrough. AssurX and Cognidox hold positions in this keyword cluster, but neither platform demonstrates the document-to-training version linkage or the quality event connection that regulated manufacturers require at the depth eLeaP delivers. Request a scoped document control demo at eleapsoftware.com.

Related resources: