Maps to
QMSR / ISO 13485: §820.40
ISO 13485: §4.2.4
Requirement text
Documents required by the quality management system shall be controlled. A documented procedure shall define controls for approval, review, update, identification of changes, availability, legibility, and prevention of unintended use of obsolete documents. FDA-Plus: Documents must be available at all points of use. Changes must be approved by the same function that performed the original approval unless specifically designated otherwise.
What changed
Under Part 820, section 820.40 governed "Document Controls" and covered both documents and records in a relatively undifferentiated way. Many Part 820-era companies built a single document control SOP that lumped controlled documents (SOPs, work instructions, forms) together with quality records (completed batch records, training logs, CAPA records). The QMSR's adoption of ISO 13485 introduces a critical structural split: section 4.2.4 covers control of documents (the instructions, procedures, and templates that tell people what to do), while sections 4.2.3 and 4.2.5 cover control of records (the evidence that things were done). This distinction matters because documents and records have fundamentally different lifecycle needs — documents need revision control and approval workflows, while records need integrity protection and retention management.
ISO 13485 section 4.2.4 adds several explicit requirements that Part 820 either implied or left vague. External documents of external origin that the organization determines are needed for the QMS must be identified and their distribution controlled — many Part 820 systems only controlled internally authored documents and left supplier specs, industry standards, and regulatory guidance documents uncontrolled. The requirement to ensure relevant versions of applicable documents are available at points of use is more explicitly stated, and the concept of preventing unintended use of obsolete documents goes beyond simply marking them — organizations must demonstrate a systematic method for withdrawal or identification.
The QMSR also retains some FDA-specific additions beyond ISO 13485. Changes to documents must be approved by the same function or organization that performed the original approval, unless specifically designated otherwise. This means companies need to map document ownership clearly and ensure change approval routing follows the original approval authority, which many electronic document management systems do not enforce by default.
For companies transitioning, the practical impact is moderate. Most companies already have document control procedures. The main work is: (1) separating document control from records control into distinct procedures or distinct sections, (2) adding external document control, and (3) verifying that approval routing for changes matches original approval authority.
Atomic constraints
- •A document control procedure must be documented.
- •Documents must be reviewed and approved before issue.
- •Current revision status must be identifiable.
- •Relevant versions must be available at points of use.
- •Changes must be identified, reviewed, and approved.
- •Obsolete documents must be prevented from unintended use.
- •External documents must be identified and controlled.
- •Documents must be reviewed and approved for adequacy prior to issue by authorized personnel.
- •Changes to documents must be reviewed and approved by the same function or organization that performed the original review and approval unless a different designated function is formally specified.
- •A master list or equivalent document control mechanism must be established to identify the current revision of each document and prevent use of obsolete documents.
- •External documents of external origin that are determined necessary for the planning and operation of the QMS must be identified and their distribution controlled.
- •Documents must be protected from unintended alteration, and confidentiality must be maintained where required.
Common gaps
No External Document Control
moderateThe organization controls internally authored SOPs and work instructions but has no process for identifying, distributing, and updating external documents (supplier specifications, industry standards like ISO 14971, regulatory guidance documents). When external standards are revised, there is no trigger to evaluate impact on internal procedures.
Document and Records Control Conflated
moderateA single SOP covers both document control and records management without distinguishing between the different lifecycle requirements. This leads to confusion about whether a completed form is a 'document' (subject to revision control) or a 'record' (subject to retention and integrity controls), resulting in gaps in both areas.
Obsolete Document Prevention Weakness
moderateObsolete documents are marked as 'superseded' but remain accessible in shared drives, printed binders, or electronic systems without effective barriers to use. No periodic audit confirms obsolete documents have been removed from points of use.
Uncontrolled 'Legacy' docs
moderateOld versions of SOPs are found in 'uncontrolled' binders on the shop floor. ISO 13485 §4.2.4 requires prevention of obsolete document use.
Change Approval Authority Not Mapped
minorDocument changes are approved by whoever is available or by a generic 'quality' role, rather than by the same function that originally approved the document. The QMSR requires that change approval authority match original approval authority unless formally designated otherwise.
Evidence signals
- •
FILE_EXISTS
(Document.*Control|Doc.*Register|Master.*List|SOP.*Control)
- •
CONTENT_MATCH
Does this document describe procedures for document approval, revision control, change tracking, distribution, and obsolete document management?
Audit defense
Document control for our QMS is governed by [your document ID]. All documents undergo formal review and approval before release, with revision history maintained in our master document register. Obsolete documents are archived with clear marking to prevent unintended use.