The situation before
Italfarmaco operates manufacturing sites, R&D facilities, and commercial offices across Italy, Spain, Portugal, and several other European markets. Across these sites, the organization maintains roughly 2,000 active SOPs covering manufacturing processes, laboratory procedures, quality-control protocols, and commercial operations. Every SOP that touches a product in scope for 21 CFR Part 11 has to meet the audit-trail, electronic-signature, and controlled-document expectations that regulation specifies.
Before the consolidation, SOPs lived in site-specific SharePoint libraries. The content was governed to varying degrees — the larger manufacturing sites had mature document-control practices; smaller sites had less rigor. When an inspector or an internal QA auditor asked about an SOP from a specific site, the path to evidence was different site-to-site. This variability wasn’t a problem when each site operated independently; it became a problem as the organization consolidated quality operations under a unified QA function.
The QA team’s goal wasn’t to standardize clinical content — different sites legitimately have different procedures — but to standardize the governance layer: the way approvals happen, the way evidence is captured, the way versions are preserved.
Why pharma-specific governance matters
Pharmaceutical manufacturing operates under 21 CFR Part 11 for product lines exported to the US, GxP expectations across EU markets, and tight intersecting requirements from EMA, FDA, and national regulators. The specific clauses most relevant to document management:
- §11.10(e) — computer-generated, time-stamped audit trails for electronic records
- §11.50 — signature manifestations including printed name, date, and meaning of signature
- §11.70 — signatures cannot be excised, copied, or transferred from the records they’re attached to
Italfarmaco’s QA team was already running a 21 CFR Part 11 compliance program. What they needed was a document-management platform that provided the capabilities these clauses specify, without creating additional validation scope that would complicate their program.
What Italfarmaco adopted
The implementation took approximately four months from kickoff to first-wave go-live, with subsequent waves expanding coverage over six months. Technical architecture stayed inside Italfarmaco’s existing Microsoft 365 tenant — SharePoint Online as the substrate, intranet.ai’s active-lifecycle layer providing the governance.
Core operational patterns:
- Sequential approval with five fixed approver roles configured at the document-type level. QA Manager is a pre-flow approver on every SOP. Regulatory Affairs is a fixed mid-flow step on SOPs touching products in regulatory scope. Department Head and Head of Manufacturing roles complete the flow for manufacturing-related SOPs. Medical Director signs clinical-trial-related procedures specifically.
- PAdES signing (advanced level) via DocuSign on regulatory submission documents and on SOPs where a cryptographically bound signature is part of the customer’s 21 CFR Part 11 evidence package. Routine internal SOPs rely on standard approval with audit-log evidence, which the QA team determined sufficient for their program.
- Audit log on every document, Entra-attributed. No shared service accounts — each QA team member authenticates with their own Entra identity, so every approval event is individually attributable.
- Expiration reminders driven by document type. Most SOPs on an annual cadence; SOPs tied to specific product approvals on cadences matching the product’s regulatory lifecycle.
- Versioning — minor versions during drafting, major versions at approval-flow completion. Full history preserved. This supports the Part 11 “what did this procedure say at time T” retrieval requirement.
How Italfarmaco thinks about the validation boundary
This is the point the QA team emphasized most in our conversations, and it matches how we position the product for all Tier B regimes. The product provides capabilities. The customer’s QA team owns the validation.
Concretely: Italfarmaco runs IQ/OQ/PQ validation on their SharePoint tenant and on the active-lifecycle layer as deployed in their environment. They maintain their own validation master plan, their own risk assessment, their own GxP-computerized-system validation documentation. We provide the product’s change-control information and release notes as reference material. But the “this system is validated for our Part 11 program” assertion is theirs to make about their deployed instance.
This separation matters because it matches the actual responsibility allocation in pharma-GxP contexts. A vendor claiming “Part 11 validated product” oversimplifies what validation means in GxP. The validation boundary is at the deployed system, not at the product release. Italfarmaco’s QA team owns the deployed system; our product’s capabilities are an input to their validation posture, not a substitute for it.
What changed operationally
SOP consolidation. Two thousand procedures, previously scattered across site-specific libraries with varying governance maturity, now live in a single library with unified governance. Different sites retain their clinical content; the governance layer is common.
Mandatory approver coverage. The fixed-approver configuration means QA sign-off on every SOP is structurally guaranteed, not dependent on whether the authoring site remembers. Audits previously surfaced a small percentage of SOPs missing QA approval; that rate is now zero because the flow requires QA as a pre-flow step.
Retrieval speed. Audit retrievals that used to require coordination across sites now happen from a single library. The Quality Manager at HQ can produce evidence for any site’s SOPs without site-specific intervention.
Dashboard visibility. The Power BI dashboard shows approval throughput, cycle time, rejection rate, and review-cadence adherence across sites. QA leadership uses this as part of the quarterly management review. Outliers — SOPs stuck in approval, departments missing cadence — surface for targeted attention.
The DocuSign decision
Italfarmaco chose to use PAdES advanced signatures for specific high-stakes documents: regulatory submissions, investigational-product-release records, sponsor-side clinical-trial approvals. For the bulk of internal SOPs, standard approval with audit-log evidence is sufficient — the QA team concluded that cryptographic signing on every SOP would add cost and ceremony without meaningful additional compliance value for their program.
This is the pattern we recommend for most pharma customers. PAdES signing is valuable where it’s needed; it’s overkill everywhere else. The mistake to avoid is defaulting to cryptographic signing on every approval — that decision adds cost without proportionate compliance benefit.
What we’d point other pharma organizations to
If you operate in a similar profile — multi-site pharma, ~1,000+ SOPs, 21 CFR Part 11 program run by your own QA team, GxP expectations across EU markets — the Italfarmaco pattern generalizes reasonably well. The specific approver configuration will reflect your organizational structure. The document-type inventory will reflect your product portfolio. But the architecture (governed library on M365, sequential approval with fixed QA roles, PAdES only where it matters, full audit trail with Entra attribution) is the model.
For validated pharma workflows where the document-management platform itself must be a vendor-validated Part 11 qualified system — typically higher-stakes manufacturing and clinical-trial contexts — MasterControl or equivalent remains the better answer. Italfarmaco runs both: the intranet.ai layer for the ~2,000 SOPs where standard Part 11 capabilities plus customer-owned validation is sufficient, and a specialized validated system for the subset where vendor-validated platform documentation is genuinely required. The hybrid is common; we don’t compete with MasterControl for the latter scope.
A thirty-minute conversation maps your profile against the Italfarmaco pattern and identifies which capabilities fit and where the boundaries lie.
