Is SharePoint the Right Choice for Your Medical Device QMS?

A Quality Management System (QMS) is a requirement for medical device developers across the globe. But should you build yours with SharePoint?

Is SharePoint a good eQMS solution?

Microsoft SharePoint is a great document management product that some companies use to build their eQMS. It’s highly configurable, and there are different editions to suit companies with different budgets and at different stages of their evolution. SharePoint is included in Microsoft 365 plans which offer tiered access for SMEs, Enterprise and Frontline clients. SharePoint in its various forms provides the necessary tools for degrees of document control and collaboration. But it requires significant configuration and customisation to function as a compliant and validated eQMS in the med tech environment.  

Why do SMEs value SharePoint?

  1. Document management: SharePoint offers a secure, central location for files with version control and check-in/check-out to manage changes.
  2. Workflow automation: It allows you to automate business processes like approvals and feedback loops using tools like Power Automate.
  3. Search and discovery: A powerful search engine helps users quickly find documents, people, and information across the entire platform.
  4. Microsoft 365 integration: SharePoint works seamlessly with other Microsoft products like Teams, Word, and Power BI for enhanced collaboration.
  5. Customisation: The platform is highly configurable, allowing you to build custom sites, lists, and applications to fit your specific needs.
  6. Security and Scalability: It provides robust security controls and offers vast, scalable storage capacity, with up to 1TB of storage space per user.

But new security vulnerabilities have raised concerns

Recent news has highlighted that SharePoint environments have been targeted by sophisticated cyber attacks, with reports of state-backed Chinese groups exploiting vulnerabilities to gain access to sensitive data.

While Microsoft has issued security updates, the incident underscores the importance of rigorous security controls and ongoing monitoring when using SharePoint for regulated applications like a medical device QMS.

So, should you use SharePoint for your medical device eQMS?

As it is a Microsoft product, SharePoint is widely available and often floated as a suitable candidate for medical device development companies as they look to digitise their operations and build a QMS. But is the approach right for you?

Here are seven useful questions to ask yourself when contemplating whether to use SharePoint as the foundation of your medical device digital Quality Management System.

1. Have you got the time and skills to build your QMS with SharePoint?

Do you have the internal resource, time and patience to build a medical device Quality Management System from scratch? Or, to be precise, do you have the budget to employ a consultant to configure a SharePoint solution that exactly meets the requirements of ISO 13485 and FDA 21 CFR part 820?

Think about all the access hierarchies, audit trails and integrations you’ll be responsible for implementing. To do it properly, you’ll need someone with a deep knowledge of medical device regulation and a mastery of the software to build your system and migrate your documents across in an orderly way. Beyond some of the simpler configuration processes, you may need an expert in Windows Server, IIS management, C# development practices and Active Directory to help you effectively create and maintain your solution.

And SharePoint consultants aren’t famous for offering a whole lot of aftercare, at least not without extra payment.

2. Does SharePoint come with the right document controls for medical device development?

Yes. And no. Document controls are central to building a medical device quality management system. They are the tools and procedures you need to identify, approve, publish, share and make obsolete documents throughout their lifecycle. If you’re using SharePoint, and have enough time and resources, you can just about build the necessary workflows to control documents in the way that works for you - and meets the regulation. But it’ll be challenging.

3. Can a SharePoint QMS handle workflows and design phase gating?

Of course. It’s a powerful piece of configurable software. But it doesn’t come with templates specific to medical device design and development, including non-conformance, complaint capture and CAPA procedures. As a result, you may struggle adapting what’s already there to fit the specific requirements. And you may also have to build a lot from scratch. From a long list of document control requirements you’ll need to:

  • Automate periodic checks of SOP documentation to ensure continuing compliance.
  • Automate approval reminders to keep documents flowing through your system.
  • Set up change control sequences.
  • Handle phase gating to meet formal, design control requirements.
  • Set up training attestation sequences and training completion matrices.

4. But what about e-signatures?

In contrast to other QMS software, there’s no built-in electronic signature approval solution with SharePoint that can meet the GXP, Annex 11 and FDA CFR 21 Part 11 regulations. You’ll be using third-party integrations and your own development skills to gain ISO certification and achieve some of the most exacting regulatory requirements. It’s a tall order to self-programme a closed-loop eQMS capable of controlling passwords, authenticating identities and appending each signature’s meaning to your audit trail.

5. Can SharePoint control your versioning?

Yes. SharePoint can control your versioning. It can automatically name each iteration of a document you create using a defined format. It can help you differentiate between ‘minor’ and ‘major’ versions of each document - so you know when something is a draft and when it is the final approved version.

But proprietary document management systems specifically built for the regulated industry can do a much better job of versioning for you, straight out of the box. They can discriminate between ‘drafts’ and ‘issues’ in unmistakable ways. They can ensure only the latest versions of documents can be accessed by the wider team, but give those who need it full access to previous versions. 

They can watermark your files to ensure their current status is always clear to the reader. They can list the changes made between versions in detailed audit trails, showing who they were made by and who approved them.

6. What will it take to validate your SharePoint QMS?

Validating your homegrown, SharePoint QMS can be an extra challenge when you haven’t got the support of an experienced supplier to help you. Here’s a typical FDA warning letter from a company that used a SharePoint approach and couldn’t adequately validate the software.

7. How much will it cost?

As one user on the Elsmar Cove medical device forum says:

“SharePoint has some interesting features but there's nothing built in that would enable a 'turnkey' QMS support system.”

As mentioned, there’s a huge amount of work to do and associated costs with developing a med dev QMS with SharePoint. You’ll likely need a consultant to come in and configure the system. 

A quick Google will show you the day rate for a SharePoint consultant can be anything from £250 to £900. Meanwhile, the total cost of implementing a document control information architecture, plus data migration, can come in at £40,000 or more.  

You’ll also need to pay for enough seats in the software and, probably, a full-time staff member to troubleshoot and maintain the system once it’s up and running. Frankly, there is enough configuration to do with a proprietary med dev QMS system, never mind trying to build one from the ground up.

A word of warning

According to Microsoft’s 2024 Digital Defence Report, 70% of successful enterprise hacking attacks targeted systems that were missing available security updates. For medical device companies, where intellectual property, DHFs, CAPA logs and even patient data are all potential targets, strong patch management and proactive security monitoring are non-negotiable. If you’re managing your own SharePoint solution this will be another

Is SharePoint really the answer?

Configuring a SharePoint QMS, maintaining it, and updating it over time can be an immense task that detracts from the reason you are in business in the first place — to develop and sell your product.

Why would you want to spend time and effort constructing a bespoke platform when your priority is building your business?

If you carefully select the right document management system with the right supplier you can, together, build a solution that meets your regulatory obligations while adapting to the "unique way you do things".

This might be a difficult balance to achieve, but it’s one every scaling business needs to find.


Blog last updated 20/08/2025


Written by Joe Byrne

Joe Byrne is the CEO of Cognidox. With a career spanning medical device start-ups and Fortune 500 companies, Joe has over 25 years of experience in the medical device and high-tech product development industries. With extensive experience in scaling businesses, process improvement, quality, medical devices and product development, Joe is a regular contributor to the Cognidox DMS Insights blog where he shares expertise on scaling and streamlining the entire product development cycle, empowering enterprises to achieve governance, compliance, and rigour.
