Document Control for Medical Devices: Complete Guide to FDA, ISO 13485, and EU MDR Requirements
The complete guide to document control for medical device companies — ISO 13485 clause 4.2 requirements, FDA 21 CFR 820.40, document lifecycle management, eQMS implementation, change control, version control, and common audit findings.
What Is Document Control and Why It Matters
Document control is the systematic process of managing the creation, review, approval, distribution, revision, and obsolescence of documents within a quality management system. In the medical device industry, it is not a bureaucratic exercise — it is a regulatory requirement that directly affects patient safety.
Every medical device quality system depends on documents to define what should be done, how it should be done, and how to verify it was done correctly. Standard operating procedures (SOPs) tell employees how to perform manufacturing steps. Specifications define what the device should look like and how it should perform. Work instructions provide step-by-step guidance for inspection, testing, and assembly. Design history files document that the device was developed according to regulatory requirements. If any of these documents are wrong, outdated, missing, or uncontrolled, the consequences range from manufacturing errors to patient injuries.
Document control is consistently one of the first areas reviewed during FDA inspections and ISO 13485 certification audits. Weaknesses in document control frequently result in audit findings, and they often cascade into other areas — if you cannot demonstrate that your procedures were current and approved when they were used, every activity performed under those procedures becomes suspect.
Document control vs. document management: These are not the same thing. Document management is about organizing and storing files — making them easy to find and access. Document control is about ensuring regulatory compliance, traceability, and integrity. A document management system organizes your files. A document control system enforces your quality system.
Regulatory Basis for Document Control
FDA 21 CFR 820.40 (Legacy QSR) and the QMSR
Under the legacy Quality System Regulation (21 CFR Part 820, Subpart D), document control requirements were codified in 21 CFR 820.40. The regulation required manufacturers to establish and maintain procedures to control all documents required by the quality system. Key requirements included:
- Document approval: Documents must be reviewed and approved for adequacy by designated individuals before issuance
- Document availability: Current versions of documents must be available at all locations where operations essential to the effective functioning of the quality system are performed
- Change control: Changes to documents must be reviewed, approved, and documented. Changes must be identified in the document or in appropriate attachments
- Obsolete document removal: Documents that have become obsolete must be promptly removed from all points of use to prevent unintended use
Effective February 2, 2026, the FDA transitioned from the legacy QSR to the Quality Management System Regulation (QMSR), which incorporates ISO 13485:2016 by reference. Under the QMSR, document control requirements now map to ISO 13485:2016 clauses 4.2.3 (Document control) and 4.2.4 (Control of records), with additional FDA-specific requirements retained in the regulation.
ISO 13485:2016 Clause 4.2 (Document Requirements)
ISO 13485 addresses document control within Clause 4.2, which covers the full scope of documentation requirements for a medical device quality management system:
Clause 4.2.1 — General
The quality management system documentation must include:
- Documented statements of quality policy and quality objectives
- A quality manual
- Documented procedures required by the standard
- Documents needed by the organization to ensure the effective planning, operation, and control of its processes
- Records required by the standard
The documentation scope must be appropriate to the size and type of the organization and the complexity of its processes.
Clause 4.2.2 — Quality Manual
The organization must establish and maintain a quality manual that includes:
- The scope of the quality management system, including details of and justification for any exclusion or non-application
- The documented procedures established for the quality management system, or reference to them
- A description of the interaction between the processes of the quality management system
Clause 4.2.3 — Medical Device File
For each medical device type or medical device family, the organization must establish and maintain a file containing or referencing documents that demonstrate conformity to requirements. This file must include:
- Product specification and intended use
- Product specifications including drawings, components, formulations, and software
- Manufacturing process specifications
- Inspection and testing procedures
- Measuring and monitoring procedures
- Packaging and labeling specifications
- Handling, storage, distribution, and traceability requirements
- Installation and servicing procedures (where applicable)
Clause 4.2.4 — Document Control
The document control procedure must address:
- Review and approval of documents prior to issue by authorized personnel
- Periodic review and updating of documents
- Ensuring that changes and current document revision status are identified
- Ensuring that relevant versions of applicable documents are available at points of use
- Ensuring that documents remain legible and readily identifiable
- Ensuring that documents of external origin are identified and their distribution controlled
- Prevention of unintended use of obsolete documents, and application of suitable identification to them if they are retained for any purpose
Clause 4.2.5 — Control of Records
Records must be maintained to provide evidence of conformity to requirements and of the effective operation of the quality management system. Records must remain legible, readily identifiable, and retrievable. A documented procedure must define the controls needed for the identification, storage, protection and backup, retrieval, retention time, and disposition of records.
Documents vs. records: A document tells you what to do. A record tells you what was done. Documents are versioned — they change over time as procedures evolve. Records are fixed — they capture the state of something at a point in time and are not versioned. An SOP is a document. A completed inspection form is a record. Both require controls, but the nature of those controls differs.
EU MDR Document Requirements
The EU Medical Device Regulation (MDR 2017/745) adds additional documentation requirements:
- Technical documentation per Annex II and III
- Unique Device Identification (UDI) records
- Periodic Safety Update Reports (PSUR)
- Post-market surveillance plans and reports
- Clinical evaluation reports and clinical investigation plans
- Vigilance reporting records (serious incidents, field safety corrective actions)
- Labeling and instructions for use
Each of these document types must be maintained under a controlled document system that ensures traceability, version control, and availability for review by competent authorities and notified bodies.
The Document Lifecycle
Document control is not a one-time activity — it is a continuous lifecycle that begins when a document is created and does not end until the document is retired and archived.
Phase 1: Creation
Every controlled document begins with a defined purpose. Before writing begins:
- Identify the need for the document (regulatory requirement, process improvement, audit finding)
- Assign a document owner responsible for its accuracy and maintenance
- Determine the document type (SOP, work instruction, specification, form, policy)
- Use standardized templates to ensure consistency across the organization
- Assign a unique document identifier using the organization's numbering convention
Phase 2: Review and Approval
Before any document can be issued for use, it must be reviewed and approved:
- Technical review: Subject matter experts verify that the content is technically accurate
- Quality review: The quality team verifies that the document meets regulatory requirements and aligns with the quality system
- Approval: Designated approvers (typically department heads and quality management) sign off on the document
- Electronic signatures: In eQMS systems, approvals must comply with 21 CFR Part 11 requirements (timestamps, user identification, meaning of the signature)
Common mistake: Approving documents without meaningful review. If the approval is a rubber stamp, it provides no value and creates liability. Each approver should be able to defend why they approved the document.
Phase 3: Distribution and Availability
Once approved, the document must be available at all points of use:
- Electronic systems: The current version should be automatically available to all users who need it
- Paper systems: Controlled copies must be distributed to designated locations, and old versions must be collected and destroyed
- External documents: Documents from suppliers, standards organizations, and regulatory bodies must be identified and their distribution controlled
The goal is simple: no employee should ever use an outdated or unapproved document to perform their work.
Phase 4: Revision
Documents must be reviewed periodically and updated when necessary:
- Scheduled reviews: Most organizations review controlled documents annually or biennially
- Triggered reviews: Changes in regulations, processes, products, or audit findings may require immediate revision
- Change identification: Every change must be documented — what changed, why, who approved it, and when
- Impact assessment: Changes must be assessed for their impact on other documents, processes, and products
- Re-approval: Revised documents must go through the same review and approval workflow as new documents
Phase 5: Obsolescence and Archival
When a document is no longer needed:
- Removal from active use: The document must be removed from all points of use
- Clear identification: If retained for historical or legal purposes, the document must be clearly marked as obsolete
- Archival: The document and its complete revision history must be stored securely for the required retention period
- Retrieval capability: Archived documents must be retrievable for audits, inspections, and legal proceedings
Types of Controlled Documents in Medical Device Companies
| Document Type | Purpose | Typical Owner | Examples |
|---|---|---|---|
| Quality Manual | Defines QMS scope and process interactions | Quality Director | Quality Manual, Quality Policy |
| Procedures (SOPs) | Define how processes are performed | Process owners | CAPA procedure, Complaint handling procedure |
| Work Instructions | Provide step-by-step task guidance | Department managers | Assembly instructions, Inspection methods |
| Specifications | Define product requirements | Engineering/R&D | Material specs, Dimensional drawings, Software requirements |
| Forms and Templates | Capture records consistently | Process owners | NCR form, Audit checklist, Training record |
| Policies | Define organizational principles | Senior management | Data integrity policy, Supplier management policy |
| Technical Files | Demonstrate regulatory conformity | Regulatory affairs | EU MDR Technical File, FDA 510(k) submission |
| Design History File | Document design control compliance | R&D/Engineering | Design inputs, outputs, V&V records |
| Device Master Record | Define how the device is manufactured | Engineering/Operations | Formulations, processes, packaging specs |
| Device History Record | Evidence of conformity for each batch | Production | Batch records, inspection results |
| External Standards | Referenced regulatory and industry standards | Quality/Regulatory | ISO standards, FDA guidance documents, ASTM standards |
Document Numbering and Naming Conventions
A consistent numbering system is essential for preventing confusion and ensuring traceability. While there is no single required numbering scheme, the following principles apply:
Numbering Structure
A typical document numbering structure includes:
- Prefix: Identifies the document type (e.g., SOP for Standard Operating Procedure, WI for Work Instruction, SPEC for Specification, POL for Policy)
- Section identifier: Identifies the QMS section or department (e.g., QA for Quality Assurance, ENGR for Engineering, REG for Regulatory)
- Sequential number: A unique sequential number within the section
- Version/revision: The current revision identifier (e.g., Rev 01, Rev 02, or A, B, C)
Example: SOP-QA-012 Rev 03 = Standard Operating Procedure, Quality Assurance section, document 12, revision 3.
Naming Conventions
Document titles should be:
- Descriptive and unique (no two documents should have the same title)
- Consistent in format across the organization
- Searchable (consider how the document will be found in the system)
- Free of abbreviations that might be ambiguous
Electronic Document Control and eQMS
Most medical device companies now use electronic quality management systems (eQMS) for document control. An eQMS does not just digitize document control — it standardizes and enforces it across the entire organization.
Essential eQMS Features for Document Control
| Feature | Purpose | Regulatory Basis |
|---|---|---|
| Role-based access control | Users access only documents relevant to their role | ISO 13485 4.2.4, Part 11 11.10(d) |
| Electronic signatures | Legally compliant approvals with timestamps and identification | Part 11 11.50 |
| Automated workflows | Route documents through review and approval steps | ISO 13485 4.2.4 |
| Version control | Maintain complete revision history | ISO 13485 4.2.4 |
| Audit trails | Time-stamped record of all document actions | Part 11 11.10(e) |
| Change control integration | Link document changes to CAPA, audit findings, and change orders | ISO 13485 7.3.9 |
| Automated notifications | Alert users to pending reviews and approvals | Best practice |
| Retention management | Enforce retention periods and archival schedules | ISO 13485 4.2.5 |
| Full-text search | Find documents quickly during audits and inspections | Best practice |
eQMS Validation Requirements
Under the QMSR (via ISO 13485:2016 clause 4.1.6), organizations must validate software used in the quality management system before initial use and after changes. For an eQMS used for document control, this means:
- Validation must demonstrate that the system correctly implements document control procedures
- Validation must cover access controls, approval workflows, version control, audit trails, and record retention
- Validation records must be maintained and available for inspection
- Changes to the system (upgrades, patches, configuration changes) must go through change control and may require revalidation
If the eQMS handles electronic records subject to FDA regulations, it must also comply with 21 CFR Part 11 requirements for audit trails, electronic signatures, and access controls.
Change Control for Documents
Every change to a controlled document must go through a formal change control process. This is one of the most critical aspects of document control and a frequent source of audit findings.
When Document Changes Are Needed
- Regulatory changes (new or revised standards, FDA guidance, EU MDR updates)
- Product changes (design modifications, new materials, process changes)
- Audit findings (corrective actions that require procedure updates)
- Process improvements (lean initiatives, efficiency improvements)
- Organizational changes (new departments, restructured roles)
- Error corrections (typos, inaccuracies discovered during use)
The Change Control Process
- Change request: A formal request identifies the document, the proposed change, and the justification
- Impact assessment: Evaluate the effect of the change on related documents, products, processes, training, and regulatory submissions
- Review and approval: The change must be reviewed and approved by the same (or equivalent) authorities who approved the original document
- Implementation: The change is incorporated into the document, and the new version is distributed
- Training: Affected personnel must be trained on the changes before they are expected to follow the new procedure
- Obsolete document removal: Previous versions must be removed from all points of use
- Effectiveness check: For significant changes, verify that the change achieved its intended purpose
Change Control Documentation
Every change must be documented with:
- What changed (specific description of the modification)
- Why it changed (justification and regulatory reference if applicable)
- Who approved it (signatures with dates)
- When it was effective (implementation date)
- What documents, products, or processes were affected (impact assessment)
- What training was performed (training records)
Document Control in Practice: Common Challenges
Challenge 1: Multiple Document Versions
In organizations without a centralized eQMS, documents are often stored in multiple locations — shared drives, email attachments, local hard drives, and paper copies. This leads to:
- Different versions of the same document in use simultaneously
- Employees unknowingly following outdated procedures
- Difficulty determining which version was in effect at a specific point in time
Solution: Implement a single, authoritative document repository (eQMS) where the current version is always the only version available at points of use.
Challenge 2: Approval Without Meaningful Review
When document approval becomes a formality rather than a substantive review:
- Errors and omissions go undetected
- Documents may not align with actual practice
- The approval record provides false assurance
Solution: Define specific review criteria for each document type. Require each approver to document their review findings, not just sign off.
Challenge 3: Inadequate Change Control
Common failures include:
- Making changes to documents without going through formal change control
- Failing to assess the impact of changes on related documents and products
- Not retraining personnel after document changes
- Not removing obsolete versions from use
Solution: Implement automated change control workflows that enforce review, approval, training, and distribution requirements before a change can take effect.
Challenge 4: Document-Record Confusion
Organizations frequently struggle with the distinction between documents and records:
- Treating records as documents (applying version control to completed forms)
- Treating documents as records (failing to version procedures that should be updated)
- Mixing document and record repositories
Solution: Clearly classify every item in the quality system as either a document or a record. Maintain separate procedures for document control and record control, even if both are managed in the same eQMS.
Challenge 5: External Document Control
Organizations often fail to control external documents — standards, supplier documents, regulatory guidance, and customer specifications. These documents:
- May change without the organization's knowledge
- May be referenced in procedures without specifying the applicable version
- May be distributed without tracking who has access
Solution: Maintain a register of all external documents used in the quality system. Assign an owner to monitor for updates. Reference specific versions in controlled documents. Remove and replace external documents when new versions are published.
Common Document Control Audit Findings
Based on ISO 13485 certification audits and FDA inspections, the following are the most frequently cited document control nonconformities:
1. Missing Approval Records
Inability to demonstrate that documents were properly reviewed and approved before use. This includes:
- No evidence of who reviewed and approved the document
- Approval dates after the document was already in use
- Approvers who lacked the authority or expertise to approve the document
2. Incomplete Audit Trails
Lack of visibility into who made changes to documents, when they were made, and what was modified. This is particularly common in:
- Paper-based systems where change history is difficult to maintain
- Hybrid systems where some changes are tracked electronically and others are not
- Systems where audit trails can be modified or disabled by administrators
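One way to make an audit trail tamper-evident, so that an edit or deletion made with administrator rights shows up on review, is to link each entry to the hash of the one before it. The following is an added example, not part of the original guide or of any eQMS product; the field names, the sample events, and the choice of SHA-256 chaining are assumptions.

```python
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # assumed prev_hash value for the first entry
FIELDS = ("seq", "timestamp", "user", "action", "doc_id", "prev_hash")


def entry_digest(entry: dict) -> str:
    """SHA-256 over the entry's content fields in canonical JSON form."""
    body = {k: entry[k] for k in FIELDS}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append_entry(trail: list, timestamp: str, user: str, action: str, doc_id: str) -> dict:
    """Append an entry linked to the hash of the current last entry."""
    entry = {
        "seq": len(trail) + 1, "timestamp": timestamp, "user": user,
        "action": action, "doc_id": doc_id,
        "prev_hash": trail[-1]["hash"] if trail else GENESIS,
    }
    entry["hash"] = entry_digest(entry)
    trail.append(entry)
    return entry


def verify_trail(trail: list, expected_head: Optional[str] = None) -> list:
    """Return a list of problems; an empty list means the chain is intact.

    expected_head is the last hash as recorded somewhere the eQMS
    administrator cannot write to. Without it, removing the newest entries
    or rebuilding the whole chain cannot be detected.
    """
    problems = []
    prev_hash = GENESIS
    for pos, entry in enumerate(trail, start=1):
        if entry["seq"] != pos:
            problems.append(f"entry {pos}: sequence gap or reorder (seq={entry['seq']})")
        if entry["prev_hash"] != prev_hash:
            problems.append(f"entry {pos}: broken link to previous entry")
        if entry_digest(entry) != entry["hash"]:
            problems.append(f"entry {pos}: content does not match stored hash")
        prev_hash = entry["hash"]
    if expected_head is not None and prev_hash != expected_head:
        problems.append("head hash differs from the externally recorded value")
    return problems


def build_sample_trail() -> list:
    """Constructed sample events for one document (not real data)."""
    trail = []
    append_entry(trail, "2024-01-08T09:12:00Z", "author01", "draft_created", "SOP-QA-012")
    append_entry(trail, "2024-01-09T14:30:00Z", "reviewer02", "technical_review_passed", "SOP-QA-012")
    append_entry(trail, "2024-01-10T10:05:00Z", "qa_mgr03", "approved", "SOP-QA-012")
    append_entry(trail, "2024-01-15T08:00:00Z", "system", "made_effective", "SOP-QA-012")
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    head = trail[-1]["hash"]           # record this outside the system
    trail[2]["user"] = "someone_else"  # simulated after-the-fact edit
    for problem in verify_trail(trail, head):
        print(problem)
```

The chain only detects changes; preventing them still depends on access controls, and the recorded head hash has to live outside the reach of the accounts being audited.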
3. Uncontrolled Obsolete Documents
Outdated documents still accessible or in active use:
- Paper copies of previous versions not collected and destroyed
- Electronic copies stored in personal folders or shared drives
- Documents marked "superseded" but still referenced in current procedures
4. Documents Not Available at Points of Use
Current versions of documents not accessible where they are needed:
- Procedures stored in the quality office but not on the manufacturing floor
- Electronic documents not accessible to employees without computer access
- Documents that require network access but are unavailable during network outages
5. Inadequate Periodic Review
Documents not reviewed on schedule:
- Procedures that have not been reviewed in years
- No evidence of periodic review as required by the document control procedure
- Reviews that consist of a signature only, without evidence of substantive evaluation
6. Uncontrolled External Documents
External documents not managed through the document control system:
- References to standards without version numbers
- Supplier documents used without verification of current status
- No procedure for monitoring external document changes
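Several of these findings can be checked mechanically against an export of the document register before an auditor does it by hand. The following is an added example, not part of the original guide or of any eQMS product; the record fields, the finding codes, the sample rows, and the exact identifier pattern (built from the prefixes and section codes the guide gives as examples) are assumptions.

```python
import re
from datetime import date, timedelta

# Assumed convention: example prefixes and section codes from the guide,
# followed by a three-digit sequence number (e.g. SOP-QA-012).
ID_PATTERN = re.compile(r"^(SOP|WI|SPEC|POL)-(QA|ENGR|REG)-\d{3}$")


def to_date(value):
    return date.fromisoformat(value) if value else None


def doc(doc_id, status, approved, effective, reviewed, interval_days=365,
        points_of_use=("eqms",), external=False, version=None):
    """Build one register row; dates are ISO strings or None."""
    return {"doc_id": doc_id, "status": status, "approved": to_date(approved),
            "effective": to_date(effective), "reviewed": to_date(reviewed),
            "interval_days": interval_days, "points_of_use": list(points_of_use),
            "external": external, "version": version}


# Constructed sample register (not real data).
REGISTER = [
    doc("SOP-QA-012", "effective", "2024-01-10", "2024-01-15", "2024-01-10"),
    doc("WI-ENGR-004", "effective", "2024-03-20", "2024-03-01", "2024-03-20"),
    doc("SOP-QA-007", "obsolete", "2021-05-01", "2021-05-10", "2021-05-01",
        points_of_use=("line-2 binder",)),
    doc("SPEC-ENGR-21", "effective", "2024-02-01", "2024-02-05", "2024-02-01"),
    doc("POL-QA-001", "effective", "2021-06-01", "2021-06-15", "2021-06-01",
        interval_days=730),
    doc("SOP-REG-003", "effective", None, "2024-06-01", "2024-06-01"),
    doc("ISO 13485", "effective", None, None, None, external=True),
]


def audit_register(register, as_of):
    """Return (doc_id, finding_code, detail) tuples for the given review date."""
    findings = []
    for d in register:
        def flag(code, detail, doc_id=d["doc_id"]):
            findings.append((doc_id, code, detail))

        if d["external"]:
            # Finding 6: external document referenced without a version.
            if not d["version"]:
                flag("EXTERNAL_NO_VERSION", "referenced without an edition or version")
            continue
        if not ID_PATTERN.match(d["doc_id"]):
            flag("BAD_ID", "identifier does not follow the numbering convention")
        if d["status"] == "obsolete":
            # Finding 3: obsolete document still reachable at a point of use.
            if d["points_of_use"]:
                flag("OBSOLETE_IN_USE", "still present at: " + ", ".join(d["points_of_use"]))
            continue  # retired documents are not subject to the checks below
        # Finding 1: no approval record, or approval dated after first use.
        if d["approved"] is None:
            flag("MISSING_APPROVAL", "no approval record")
        elif d["effective"] and d["approved"] > d["effective"]:
            flag("APPROVAL_AFTER_USE",
                 f"approved {d['approved']}, in use from {d['effective']}")
        # Finding 5: periodic review not performed within the defined interval.
        if d["reviewed"] is None:
            flag("REVIEW_OVERDUE", "no review on record")
        else:
            due = d["reviewed"] + timedelta(days=d["interval_days"])
            if due < as_of:
                flag("REVIEW_OVERDUE", f"review was due {due}")
    return findings


if __name__ == "__main__":
    for doc_id, code, detail in audit_register(REGISTER, date(2024, 12, 1)):
        print(f"{doc_id:14} {code:20} {detail}")
```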
Document Control Under the QMSR: What Changed
The transition from the legacy QSR to the QMSR (effective February 2, 2026) brought several changes to how the FDA approaches document control:
| Aspect | Legacy QSR (820.40) | QMSR (ISO 13485:2016) |
|---|---|---|
| Approach | Prescriptive requirements | Flexible implementation within ISO 13485 framework |
| Document types | Specifically listed (procedures, specifications, drawings) | Broad requirement for all QMS documents |
| Quality manual | Not explicitly required | Required (clause 4.2.2) |
| Medical device file | Not a defined concept | Required per device type or family (clause 4.2.3) |
| Record retention | At least 2 years or device lifetime | As defined by the organization consistent with regulatory requirements |
| Inspection scope | Management review and quality audits were exempt from FDA inspection | FDA can now inspect management review, quality audits, and supplier audits |
The QMSR gives FDA inspectors broader access to quality system documentation, including management review records and internal audit reports that were previously exempt from inspection. This makes robust document control even more critical.
Document Control Implementation Checklist
Document Creation
- Standardized templates exist for all document types
- Each document has a unique identifier and naming convention
- Document owners are assigned and documented
- Documents are classified as documents or records
Review and Approval
- Review criteria are defined for each document type
- Approvers are designated and authorized
- Approvals are documented with signatures and dates
- Electronic signatures comply with 21 CFR Part 11 (if applicable)
Distribution and Availability
- Current versions are available at all points of use
- Distribution is tracked and documented
- Employees know where to find current documents
- Paper and electronic distribution are both controlled
Change Control
- All changes go through formal change control
- Impact assessments are performed for significant changes
- Changes are documented with what, why, who, and when
- Affected personnel are trained on changes before implementation
- Obsolete versions are removed from all points of use
Archival and Retention
- Retention periods are defined for all document types
- Archived documents are stored securely and retrievable
- Obsolete documents are clearly marked and access-restricted
- Retention periods comply with FDA, ISO 13485, and EU MDR requirements
System Validation
- eQMS is validated before initial use (ISO 13485 clause 4.1.6)
- Validation covers all critical document control functions
- Changes to the eQMS go through change control
- Part 11 requirements are met for electronic records and signatures
Cost of ISO 13485 Certification and Document Control Implementation
Implementing a compliant document control system involves several cost components:
| Cost Component | Range | Notes |
|---|---|---|
| ISO 13485 initial certification | $5,000–$75,000 | Depends on organization size; includes audit and certification body fees |
| Consulting fees | $10,000–$65,000 | For gap analysis, implementation support, and procedure development |
| eQMS software | $500–$5,000/month | SaaS pricing varies by vendor, users, and modules |
| eQMS implementation | $10,000–$100,000+ | Configuration, data migration, training |
| eQMS validation | $5,000–$200,000+ | Vendor-provided validation ($5K–$50K) vs. custom ($75K–$200K+) |
| Annual revalidation | $5,000–$25,000 | Ongoing validation maintenance |
| Staff training | $2,000–$20,000 | Initial and ongoing training on document control procedures |
For a small medical device company with fewer than 10 employees, initial ISO 13485 audit costs with an accredited body might total approximately $5,000. For small to medium-sized companies, the total cost of initial certification — including consulting — generally ranges from $30,000 to $75,000.
The investment in robust document control pays for itself through:
- Fewer audit findings and reduced remediation costs
- Faster regulatory submissions through organized documentation
- Reduced risk of product quality issues from outdated procedures
- More efficient operations through standardized processes
Frequently Asked Questions
How long must quality system documents be retained?
Under the QMSR (via ISO 13485:2016 clause 4.2.5), retention periods are defined by the organization but must be consistent with regulatory requirements. The legacy QSR required a minimum of 2 years from the date of release or the expected life of the device, whichever was longer. Many organizations continue to use this as a baseline while also complying with EU MDR requirements, which may specify different retention periods.
Do I need a quality manual?
Under the QMSR, yes. ISO 13485:2016 clause 4.2.2 requires a quality manual that defines the scope of the QMS, describes or references documented procedures, and describes the interaction between QMS processes. This is a change from the legacy QSR, which did not explicitly require a quality manual.
What is the difference between DHF, DMR, and DHR?
- Design History File (DHF): Contains all records demonstrating that the device was designed according to design control requirements. It is created during product development.
- Device Master Record (DMR): Defines how the device should be manufactured, including specifications, processes, labeling, and packaging. It is the "recipe" for the device.
- Device History Record (DHR): Provides evidence that each manufactured device (or batch) meets the specifications outlined in the DMR. It is the "proof" for each production run.
Under the QMSR, the terms DHF, DMR, and DHR are no longer defined in the regulation, but companies may continue to use them provided they meet the underlying ISO 13485 requirements.
Can I use SharePoint for document control?
You can, but it requires significant configuration and validation to meet regulatory requirements. SharePoint's native features (version history, check-in/check-out, permissions) provide a starting point, but you will need to implement additional controls for approval workflows, electronic signatures, audit trail review, change control, and retention management. Most organizations find that a purpose-built eQMS provides better regulatory compliance with less configuration effort.
How often should documents be reviewed?
Most organizations review controlled documents annually or every two years. However, the frequency should be based on risk — documents related to high-risk processes or products may need more frequent review, while stable, low-risk procedures may be reviewed less frequently. The key requirement is that your document control procedure defines the review frequency and that you follow it consistently.