Approval, revision control, distribution, and obsolete-document prevention — 820.40 document control structure carried forward.
Documents and records must be structurally separated; external documents (standards, supplier specs) must now be controlled and distributed.
External document control and change-approval authority mapping — ISO 14971:2007 references in a current SOP trigger findings.
Maps to
QMSR / ISO 13485: §820.40 Document controls.
ISO 13485: §4.2.4 Control of documents
Requirement text
Documents required by the quality management system shall be controlled. A documented procedure shall define controls for approval, review, update, identification of changes, availability, legibility, and prevention of unintended use of obsolete documents. FDA-Plus: Documents must be available at all points of use. Changes must be approved by the same function that performed the original approval unless specifically designated otherwise.
Why this clause exists
Document control failures are among the most frequently cited QMS deficiencies in FDA Form 483 observations — not because manufacturers fail to write procedures, but because the procedural infrastructure breaks down during routine updates: obsolete versions remain accessible at the point of use, changes are approved by personnel who did not perform the original function review, or external standards incorporated by reference are not identified as controlled documents and drift out of currency. Regulators recognized early in the Part 820 framework that a QMS without disciplined document control is structurally unstable: even technically correct procedures become unreliable when the version reaching the operator cannot be confirmed as current. QMSR's incorporation of ISO 13485:2016 § 4.2.4 preserves this infrastructure requirement verbatim, adding the FDA-Plus clarification that documents must be physically or electronically available at all points of use — not merely available in a central repository. The same-function approval rule prevents an administrative erosion pattern where change approval drifts toward personnel with lower functional authority than those who established the requirement, weakening the substantive review that approval is intended to guarantee. A master list or equivalent mechanism is not a bureaucratic artifact; it is the control mechanism that makes the rest of the QMS navigable: any procedure that cannot be quickly confirmed as current revision creates audit liability and the possibility that operators act on superseded guidance.
What changed
§820.40 — Part 820 (legacy)
"Each manufacturer shall establish and maintain procedures to control all documents that are required by this part. The procedures shall provide for the following: Document approval and distribution. Each manufacturer shall designate an individual(s) to review for adequacy and approve prior to issuance all documents established to meet the requirements of this part. The approval, including the date and signature of the individual(s) approving the document, shall be documented. Documents established to meet the requirements of this part shall be available at all locations for which they are designated, used, or otherwise necessary, and all obsolete documents shall be promptly removed from all points of use or otherwise prevented from unintended use. Document changes. Changes to documents shall be reviewed and approved by an individual(s) in the same function or organization that performed the original review and approval, unless specifically designated otherwise. Approved changes shall be communicated to the appropriate personnel in a timely manner. Each manufacturer shall maintain records of changes to documents. Change records shall include a description of the change, identification of the affected documents, the signature of the approving individual(s), the approval date, and when the change becomes effective."
§4.2.4 — ISO 13485:2016 (current)
"Documents required by the quality management system shall be controlled. Records are a special type of document and shall be controlled according to the requirements given in 4.2.5. A documented procedure shall define the controls needed to: a) review and approve documents for adequacy prior to issue; b) review, update as necessary and re-approve documents; c) ensure that the current revision status of and changes to documents are identified; d) ensure that relevant versions of applicable documents are available at points of use; e) ensure that documents remain legible and readily identifiable; f) ensure that documents of external origin, determined by the organization to be necessary for the planning and operation of the quality management system, are identified and their distribution controlled; g) prevent deterioration or loss of documents; h) prevent the unintended use of obsolete documents and apply suitable identification to them. The organization shall ensure that changes to documents are reviewed and approved either by the original approving function or another designated function that has access to pertinent background information upon which to base its decisions. The organization shall define the period for which at least one copy of obsolete documents shall be retained. This period shall ensure that documents to which medical devices have been manufactured and tested are available for at least the lifetime of the medical device as defined by the organization, but not less than the retention period of any resulting record (see 4.2.5), or as specified by applicable regulatory requirements."
Δ Adds controls for external-origin documents, document deterioration/loss prevention, and an explicit obsolete-document retention period tied to device lifetime — none of which Part 820 addressed.
Common gaps (what we see in audits)
- No External Document Control — The organization controls internally authored SOPs and work instructions but has no process for identifying, distributing, and updating external documents (supplier specifications, industry standards like ISO 14971, regulatory guidance documents). When external standards are revised, there is no trigger to evaluate impact on internal procedures.
- Document and Records Control Conflated — A single SOP covers both document control and records management without distinguishing between the different lifecycle requirements. This leads to confusion about whether a completed form is a 'document' (subject to revision control) or a 'record' (subject to retention and integrity controls), resulting in gaps in both areas.
- Obsolete Document Prevention Weakness — Obsolete documents are marked as 'superseded' but remain accessible in shared drives, printed binders, or electronic systems without effective barriers to use. No periodic audit confirms obsolete documents have been removed from points of use.
- Uncontrolled 'Legacy' docs — Old versions of SOPs are found in 'uncontrolled' binders on the shop floor. ISO 13485 §4.2.4 requires prevention of obsolete document use.
- Change Approval Authority Not Mapped — Document changes are approved by whoever is available or by a generic 'quality' role, rather than by the same function that originally approved the document. The QMSR requires that change approval authority match original approval authority unless formally designated otherwise.