It’s impossible to have a well-running ISO 13485 QMS without a good document control procedure. Not only will it leave your QMS open to undesired changes and gaps, but it can also lead to confusion and costly mistakes.
Document control is also the area of a QMS where it is easiest to get findings during an ISO 13485 audit. Why? Because your document control procedure is reviewed during every part of the audit. While complaints, CAPAs, and other sections are reviewed once, your document control is reviewed with every area of your QMS.
This article will go through the ins and outs of the document control requirements from ISO 13485 section 4.2.4. It will also provide practical advice for what the standard is requesting, and how you can implement a document control procedure that meets regulatory requirements while serving the function of the company.
Table of Contents
What types of documents need to be controlled for ISO 13485?
A medical device company requires many different types of documents. Not only are there all of the documents needed to maintain a medical device QMS, but there are also employee records, accounting statements, and promotional materials. There are also informal documents like posts about employee birthdays and achievements.
With so many different types of documents existing, it can be difficult to know what types of documents need to be controlled. However, your document control procedure must include the scope of what documents require control so that you are not controlling every email that goes through your facility, or missing control from crucial documents.
The types of documents being controlled will also vary greatly depending on the medical device being produced. For example, there are no part prints if the medical device is software. So, be sure to consider the specific nature of your company before determining what documents require control.
Let’s review some of the common types of documents that will almost always be included in an ISO 13485 document control system.
- Quality Policy, Manual, and Objectives
- Quality Procedures including validation procedures
- Device Master Records/Medical Device Files
- Work Instructions
- Forms and templates
- Specifications
- Drawings
These are all documents that are needed for the QMS to function properly. If there is any chance that a document may be presented during an audit, this is a good indication that it should be controlled. For example, while employee disciplinary actions would not be discussed and do not need to be controlled, forms for employee training definitely need to be controlled.
Another thing to keep in mind is that if the process for controlling documents is straightforward, then employees are more likely to follow the process. This means that the document control procedure has a greater chance of being compliant. One way to simplify an ISO 13485 document control process is through the use of an eQMS or digital document software.
Just a warning, auditors’ interpretation of what documents require control can greatly vary. For example, during an audit at a company I was working for, an auditor stated that a poster depicting how to wash your hands should be controlled since it was related to infrastructure. While I’ve provided some of the more common types of documents it can be difficult to meet all auditors’ ideas of the standard.
What about records?
As ISO 13485 states, records are a special type of document and shall be controlled according to the requirements given in 4.2.5. As records fall under a different section of ISO, we will cover them in a different post to give as much clarity as possible.
Line-by-line breakdown of the ISO 13485 (4.2.4) document control requirements
Now that we know what types of QMS documents require control, let’s look through ISO 13485 section 4.2.4 line-by-line to cover all of the requirements.
Reviewing and approving new documents
The first requirement is that new documents are reviewed and approved before they are used. This means that employees cannot create documents on their own and then issue them to the QMS without any further review. It also means that someone with the proper literacy and experience needs to review the document to confirm that the document will function as intended.
As far as approval goes, many companies issue new documents by following their document change control process, which we will cover in the next section. Overall, documents need to be seen and approved by more than one individual before they are introduced into the Quality Management System.
Change control for documents
Once a document is included in the QMS, it needs to be reviewed and approved if any changes are made. Some companies choose to follow their normal change control process if they are going to make any changes to QMS documents. Other companies choose to have a different process in place for documents to be reviewed and approved.
Later on in 4.2.4, ISO 13485 states that document changes need to be reviewed and approved either by the original approving function or another designated function that has access to pertinent background information upon which to base its decisions.
This provides the necessary approvals needed for a document. It means that if a document is created by an engineer, production manager, and QA, it cannot be reviewed and approved by QA alone. This makes sense since QA may not have the proper knowledge of the process to understand the impact of the changes.
There is also a warning tied to this clause. If you have a ton of different people approve a document it will be much harder to reapprove documents when they need to be updated. It is best to include only employees with the proper knowledge of the process when you are creating and updating documents.
Try to avoid having everyone on the top management team approve a document, as you will have to do a wild goose chase every time you need the document approved. It’s also a good idea to have a broad descriptor of the approving function so that you can still get documents approved if someone takes an extended vacation.
You can also choose to have one person responsible for the release of a document, as long as the document has been reviewed by the appropriate people.
Document revisions and history
This is a fairly simple requirement that is met by following Good Documentation Practices (GDP). The industry standard is that documents have a stated revision which can be found on the document, usually in the header. The revision can be a letter, number, or combination of both. But, it should be clear which version of the document is being used.
The revision history of the document is typically found at the end of the document. Whenever a new revision of a document is created, you should summarize what changes were made to the document in the revision history table. This can be carried forward so that there is a full history of the changes made to a document. Some companies also choose to highlight or otherwise differentiate the most recent changes made to documents for greater visibility.
Availability of documents
If a work instruction is required on the floor to manufacture a device, would it make sense for the document to be in a filing cabinet at the other end of the warehouse? All documents should be available to the employees who are going to be using the document. This is most true for work instructions, forms, drawings, and other process-related documents.
The requirements can also be easily met by using a computer-based document control system. That way, as long as computers are available for use then the required documents can be available at the points of use.
If you are using a paper-based document management system, you will have to have physical copies of documents available at the point of use. These copies will also need to be tracked when a new revision of a document is made.
Document legibility and identifiability (document numbering)
This line includes two different requirements. The first is that the document remains legible. This could mean formatting a document so that it is easy to read and understand if the document is on the computer. It could also mean that a physical copy of a document does not get damaged and covered in grease.
The second part of the requirement is that documents are identifiable. This requirement is typically met by having a clear and unique document title, as well as a unique document number. It helps if document titles are clear and straightforward so that it is easy to search for the appropriate document.
While document numbering is not specifically required in ISO 13485, it is the solution most companies have found to make sure it is easy to identify documents and tell them apart. The document numbering system can be a “smart” numbering system that includes different references to parts, divisions, or departments. Or, the document number can be randomly generated, which is much easier to do with an electronic document control system.
Documents of external origin
Many different types of documents of external origin may need to be induced in a company’s QMS. For example, a contract manufacturing company may be building a medical device to a customer’s specifications. Or, a company needs information provided by a machine supplier to have the machine properly function.
I have also seen companies include FDA regulations and ISO standards as part of their documents of external origin.
Whatever documents of external origin are necessary for your company should be included in the document control system. They also need to be controlled and updated if a new version of the document is provided, such as the medical device company changing specifications in the contract manufacturing example.
Safekeeping of documents
Your document control system should be set up so that documents do not get lost or damaged. If the document control system is electronic, this means creating backups of the document files so that they are not accidentally deleted.
If the document control system is paper-based, then you must ensure that documents are not lost during normal use. There should also be accident prevention measures in place, such as storing documents in fireproof cabinets so that they are not damaged during a fire.
Your need to safeguard documents will depend on the document control system that is set up, as well as the environment in which you are using the documents.
Handling obsolete documents
The final requirement from this section is to ensure obsolete versions of documents are identifiable and do not get used. Once a document is obsoleted, it should be removed from the point of use, and normal access to the document should be eliminated. It should also be marked as obsolete either physically with a stamp or electronically through controls that state the status of the document.
Document Retention
The final aspect of the ISO 13485 document control requirements is the requirements related to document retention. This is another area of the requirements that will vary greatly depending on the type of document control system that your company is using.
If a company is using an electronic document control system, it can be cheap and easy to store documents indefinitely. However, if a company is using a paper-based system, document retention can quickly become a burden.
The standard first states that at least one copy of obsolete documents should be retained. You should be able to reference the obsolete version of a document to review the changes that were made, and the version may be relevant if processes occurred while that version was released.
How long should the obsoleted document be retained? ISO 13485 specifies that it should be “at least the lifetime of the medical device as defined by the organization but not less than the retention period of any resulting record or as specified by applicable regulatory requirements“.
This means that if there is a work instruction for the assembly of a medical device, the applicable version of the work instruction should be retained for at least the lifetime of the medical device.
As far as regulatory requirements go, FDA 21 CFR Part 820.180, for example, includes that it should be at least the lifetime of the medical device, but no “less than two years from the date of release for commercial distribution“.
As far as document retention goes, later is always going to be better. A company will not get in trouble for keeping obsolete documents well past the lifetime of a medical device (as long as this does not violate their procedures”. But they could face issues if they get rid of documents too soon.
Again, if your company is using an electronic document management system, I would recommend retaining all documents indefinitely. It is cheap and avoids the issue of deciding when to get rid of obsolete documents.
However, if your company is using a paper-based document management system, you should look at all regulations that apply to your device, and then add some extra time for how long documents will be retained. It is better to be safe than sorry when it comes to document retention.
Wrapping Up
Document control is a fundamental aspect of having a compliant ISO 13485 QMS, or really any QMS for that matter. It is impossible to have good and consistent processes in place if documents are not controlled and can be changed by anyone. Hopefully, this article helped you understand what ISO 13485 requires for a medical device document control procedure.
If you have any questions or comments about document control, please leave a comment below. Also, if you found this article helpful, check out our ISO 13485 page for other ISO 13485 guides and sign up for our newsletter below.