Document Control and ISO 13485:2016: Ensuring Compliance and Consistency

Posted: September 1, 2023

Document Control and ISO 13485:2016: Ensuring Compliance and Consistency

In the realm of quality management within the medical device industry, precision and compliance are non-negotiable. Enter the world of document control, a meticulous process that often goes underappreciated but is undeniably vital. With ISO 13485:2016 as our guiding star, we embark on a journey to unravel the intricacies of document control. But this isn’t just about rules and regulations; it’s a tribute to the unsung heroes of the Document Control department—Ms. B and Ms. T. Along the way, we’ll explore the core requirements of ISO 13485:2016, the benefits of effective document control, and the critical documents and records that underpin the medical device industry. Join us as we navigate the key steps in document control, uncover the consequences of inadequate practices, and ultimately, grasp the essence of maintaining compliance and consistency in this highly regulated field. So, let’s dive into the world of document control, where precision meets compliance for the betterment of patient safety and quality assurance.

Table of Contents

What is Document Control?

Document control is the meticulous process of managing documents throughout their lifecycle within an organization. It’s a cornerstone of quality management systems, ensuring that critical documents, such as policies, procedures, specifications, and records, are created, reviewed, approved, stored, and ultimately retired with precision. Think of it as the custodian of your organization’s knowledge, guiding how information flows, ensuring consistency, and safeguarding against errors.

At its core, document control seeks to answer questions like: Who can access and modify documents? How are changes initiated and approved? What’s the retention period for records? In our blog journey through ISO 13485:2016, we’ll delve into the intricacies of document control, exploring its importance, key steps, and real-world applications. 

Learn more about ISO 13485:2016 by taking our Introduction to ISO 13485:2016 eLearning Course.

The document control requirements in ISO 13485:2016 can be found primarily in clauses 4.2.4 and 4.2.5 of the standard. These clauses outline the specific requirements related to document control within the quality management system for medical devices. Here’s a breakdown of where you can find the document control requirements in ISO 13485:2016:

Ms. B and Ms. T - My Document Control Heros

In the early days of my career, fresh out of university and embarking on my journey in the world of manufacturing, I found myself in a bustling startup. Employee number fifty, to be precise. The manufacturing company was taking shape from the ground up, and there, in the heart of it all, were two remarkable women who forever left an indelible mark on my understanding of the importance of document control. They were the formidable duo, the quiet architects of order amidst the chaos – the Document Control department.

In a manufacturing site dominated by machinery, it was the meticulous management of paper, digital files, and protocols that ensured the foundations of an effective management system (QMS) were laid. The Document Control department consisted of only two members – Ms. B and Ms. T.  Their efficiency was awe-inspiring.

Our startup was a brown field site, meaning the manufacturing facility was being built from scratch. And with this, the responsibility of crafting the document control systems fell onto their capable shoulders. It was no small task. The ambit of their domain included everything from process and instrument diagrams (P&IDs) to vendor manuals, from commissioning documents to an entire suite of quality systems documents. They were building the foundation of controlled documentation systems that would define our company’s quality standards.

Their unwavering attention to detail, their meticulous organization, and their deep-rooted commitment to compliance taught me something invaluable. Beyond the mechanical hum and the hustle of production, the foundation of precision lay in the realm of documents. Ms. B and Ms. T not only laid the groundwork for our company’s document control systems but also planted a seed of understanding in me. It was they who instilled the significance of document control practices in my early professional days. Their wisdom transcended industries. It was a knowledge that guided me as I ventured into various sectors, wearing different hats.

In this blog, I pay homage to these pioneers. Ms. B and Ms. T, this is dedicated to you.  The understanding you shared has been a guiding light that illuminated not just my path but that of the many young engineering and science graduates I’ve had the privilege to mentor.

Ms. B and Ms. T not only laid the groundwork for our company's document control systems but also planted a seed of understanding in me. It was they who instilled the significance of document control practices in my early professional days.

ISO 13485:2016: Document and Record Control Requirements

Clause 4.2.4 Control of Documents:
This clause addresses the requirements for controlling documents within the quality management system. It specifies that the organization must establish and maintain procedures to control all documents required by the standard. This includes ensuring that documents are approved for adequacy before use, reviewed and updated as necessary, and identified with the latest version. Additionally, it covers the distribution of documents, preventing the use of obsolete documents, and ensuring that changes and revisions are properly recorded.

“4.2.4 Control of documents
“Documents required by the quality management system shall be controlled. Records are a special type of document and shall be controlled according to the requirements given in 4.2.5.

A documented procedure shall define the controls needed to:
a) review and approve documents for adequacy prior to issue;
b) review, update as necessary and re-approve documents;
c) ensure that the current revision status of and changes to documents are identified;
d) ensure that relevant versions of applicable documents are available at points of use;
e) ensure that documents remain legible and readily identifiable;
f) ensure that documents of external origin, determined by the organization to be necessary for the planning and operation of the quality management system, are identified and their distribution controlled;
g) prevent deterioration or loss of documents;
h) prevent the unintended use of obsolete documents and apply suitable identification to them.

The organization shall ensure that changes to documents are reviewed and approved either by the original approving function or another designated function that has access to pertinent background information upon which to base its decisions.
The organization shall define the period for which at least one copy of obsolete documents shall be retained. This period shall ensure that documents to which medical devices have been manufactured and tested are available for at least the lifetime of the medical device as defined by the organization, but not less than the retention period of any resulting record (see 4.2.5), or as specified by applicable regulatory requirements.”

ISO 13485:2016 Clause 4.2.4

Clause 4.2.5 Control of Records:
This clause focuses on the requirements for controlling records within the quality management system. It states that the organization must establish and maintain a procedure to ensure that records are established and maintained to provide evidence of conformity to requirements and of the effective operation of the quality management system. Similar to document control, this clause emphasizes the importance of identification, storage, protection, retention, and eventual disposition of records.

“4.2.5 Control of records
Records shall be maintained to provide evidence of conformity to requirements and of the effective operation of the quality management system.

The organization shall document procedures to define the controls needed for the identification, storage, security and integrity, retrieval, retention time and disposition of records.

The organization shall define and implement methods for protecting confidential health information contained in records in accordance with the applicable regulatory requirements.

Records shall remain legible, readily identifiable and retrievable. Changes to a record shall remain identifiable.

The organization shall retain the records for at least the lifetime of the medical device as defined by the organization, or as specified by applicable regulatory requirements, but not less than two years from the medical device release by the organization.”

ISO 13485:2016 Clause 4.2.5

Become an ISO 13485 internal auditor by taking our course Internal Auditor ISO 13485:2016 Training Course

Benefits of Effective Document Control Processes

There are numerous benefits of having effective document control processes in a medical device company, including:

  1. Compliance: Ensuring that your organization’s documentation aligns with ISO 13485:2016 requirements helps maintain compliance with the standard.
  2. Consistency: Document control ensures that processes are consistently followed across the organization, reducing errors and ensuring uniform quality.
  3. Efficiency: Accessible and well-organized documents facilitate efficient work processes, reducing time spent searching for information.
  4. Audit Readiness: Properly managed documents provide evidence of compliance during audits, streamlining the auditing process.
  5. Risk Mitigation: Accurate and current documents aid in identifying and mitigating risks, contributing to patient safety and product quality.
Consistency is the key

Key Documents & Vital Records in a Medical Device Company

ISO 13485:2016  places a significant emphasis on documentation, including individual documents that should be created and records that must be maintained.


There a number of essential documents that are the lifeblood of your organization’s quality management system, guiding everything from design and development to production and post-market surveillance. Here, we outline some of the key documents that ISO 13485:2016 mandates for compliance. Each one plays a vital role in maintaining the highest standards of quality, safety, and regulatory adherence in the medical device field. The following are the common documents you might find in a meial device company.

Quality Manual: An overarching document that outlines your quality management system and its structure.
Quality Policy: A statement of your company’s commitment to quality and customer satisfaction.
Procedures: Documents that detail how specific processes within your organization are conducted, such as production, risk management, and design control.
Work Instructions: Step-by-step guides on how to perform specific tasks or operations.
Specifications: Detailed descriptions of the design and manufacturing requirements for your medical devices.
Forms and Templates: Documents to capture essential information, such as inspection records, nonconformance reports, and change requests.
Training Materials: Documents outlining training programs and materials to ensure employees are properly trained.
Risk Management Plan: A document that outlines how your organization identifies and manages risks associated with your devices.
CAPA Plan: A plan for corrective and preventive actions, outlining how your organization addresses and prevents quality issues.
Supplier Evaluation and Control: Documents detailing how your organization evaluates, approves, and monitors suppliers.


Below is a list of records that medical device companies must maintain to meet ISO 13485:2016 requirements. These records are not just a paperwork exercise; they’re your evidence of compliance, your shield against risks, and your assurance of patient safety.  The following are the typical records you would find in a medical device company:

Design and Development Records: Documentation of the entire design and development process for each device.
Device Master Records (DMR): Records that specify how each medical device is produced, including drawings, specifications, and manufacturing instructions.
Device History Records (DHR): Records that show the history of the manufacturing process for each device, including production dates, materials used, and tests conducted.
Change Control Records: Documentation of any changes made to processes, products, or documents, including justifications and approvals.
Training Records: Records showing that employees have received the necessary training for their roles.
Complaint Records: Documentation of any customer complaints, investigations, and resolutions.
Audit Records: Records of internal and external audits, including findings and corrective actions.
Calibration and Maintenance Records: Records of equipment calibration and maintenance to ensure accuracy and reliability.
Risk Management Records: Documentation of risk assessments, risk control measures, and risk management decisions.
Nonconformance Records: Documentation of any deviations from specifications and the actions taken to address them.

Remember that maintaining accurate, up-to-date, and well-organized documentation and records is crucial for compliance with ISO 13485:2016. These documents and records provide a trail of evidence that your organization is following the required processes and ensuring the safety and quality of your medical devices.

Key Step in Document Control #1: Document Identification

Identify which documents are critical to your quality management system. This includes policies, procedures, and records directly related to ISO 13485:2016 compliance. In a medical device company, document identification might involve creating a clear numbering system for various documents. For instance, critical documents related to ISO 13485:2016 compliance could be assigned a unique identifier. For example, “ISO-13485-PM-001” might represent the first procedure manual document for ISO 13485 compliance. This ensures that employees can quickly identify the document’s purpose and importance.

Key Step in Document Control #2: Version Control

Establish a system to manage document versions. Utilize version numbers, dates, and clear indications of changes in each document. Imagine a situation where a medical device company is updating its standard operating procedures (SOPs). Version control ensures that employees are always using the latest, approved versions of these documents. Each document would display a version number and a date. If there’s a change, the version number increments (e.g., Version 2.0 to Version 3.0), and the date reflects the most recent update. This way, employees know they’re working with the most current instructions.

Key Step in Document Control #3: Review and Approval

Assign responsibility for reviewing and approving documents. Ensure that documents are reviewed for accuracy, relevance, and compliance with ISO 13485:2016. Let’s consider the scenario where a medical device company is introducing a new manufacturing process for a critical device component. Before it’s implemented, the process undergoes a review by a team of subject matter experts and engineers. They check it for accuracy, relevance, and compliance with ISO 13485:2016 standards. Once they’re satisfied, they approve the document for use, with their signatures or electronic approvals serving as evidence of review and approval.

Key Step in Document Control #4: Access Control

Define who can access, edit, and approve documents. Implement role-based access to prevent unauthorized changes. In a practical context, access control might involve using role-based access to documents. For instance, only authorized personnel, like quality managers or engineers, can edit and approve critical documents. Others, like operators or administrative staff, may have read-only access. This restricts unauthorized changes and ensures that only qualified individuals can modify critical documents.

Key Step in Document Control #5:Change Management

Establish a process for managing document changes. Clearly define how changes are initiated, reviewed, approved, and communicated. Let’s say a medical device company needs to update its manufacturing process due to a new regulatory requirement. They initiate a change request, detailing the reasons for the change and its impact. The document change process is well-defined, specifying who must review and approve the change, how it’s communicated to relevant employees, and when it becomes effective. This ensures that changes are made systematically and communicated clearly.

Doc ctrl change mgt.

Key Step in Document Control #6: Retention Period

A fundamental aspect of QMS procedures and records is their retention period, which denotes the duration these documents should be preserved within the organization. The specific retention times for procedures and records can vary, depending on regulatory obligations.

ISO 13485:2016 emphasizes the importance of defining the retention period for obsolete document versions, stating that “The organization shall define the period for which at least one copy of obsolete documents shall be retained. This period shall ensure that documents to which medical devices have been manufactured and tested are available for at least the lifetime of the medical device as defined by the organization, but not less than the retention period of any resulting record (see 4.2.5), or as specified by applicable regulatory requirements.”

Regarding records, ISO 13485:2016 specifies that “records shall be retained for a minimum of 2 years, independently from the lifetime of the product.” This ensures that essential records remain accessible and intact, serving as a reliable reference for compliance purposes.

A fundamental aspect of Quality Management System (QMS) procedures and records is their retention period, which denotes the duration these documents should be preserved within the organization

Get an indept knowldge of ISO 13485:2016 by taking our virtual ISO 13485:2016 course.

Consequences of Inadequate Document Control in the Medical Device Industry

Having inadequate document control procedures in a medical device company can lead to a range of serious consequences that impact both the company’s operations and the safety of the medical devices produced. Let’s explore some examples of what could happen:

Regulatory Non-Compliance: Regulatory bodies require medical device companies to maintain accurate and organized documentation to ensure patient safety and product quality. Inadequate document control procedures can lead to non-compliance with these regulations. For instance, if records of device testing, manufacturing processes, or quality checks are incomplete, missing, or improperly managed, the company could face regulatory scrutiny.

Product Defects and Recalls: Inaccurate or outdated documentation can result in the manufacturing of faulty devices. Without proper control over design specifications, production procedures, or quality requirements, the risk of producing defective devices increases. This could lead to product recalls, which are not only costly but also damaging to the company’s reputation.

Quality and Safety Compromises: Inadequate document control may result in using outdated or incorrect procedures during production. This can compromise the quality and safety of medical devices, potentially harming patients and leading to medical complications or adverse events. For instance, using an outdated manufacturing process might result in a device not meeting its intended specifications.

Disorganized Audits and Inspections: During inspections by regulatory authorities, inadequate document control practices can lead to delays and complications. Inspectors require easy access to well-organized records to evaluate the company’s compliance with regulations. If records are missing, unclear, or not readily accessible, it can trigger suspicion and further investigation.

Loss of Trust and Reputation: When a medical device company cannot demonstrate proper document control practices, it raises concerns about their commitment to quality and patient safety. This erodes trust among customers, healthcare professionals, and regulatory bodies. Negative publicity resulting from recalls or regulatory actions can severely damage the company’s reputation.

Operational Inefficiencies: Inadequate document control can result in confusion among employees. If they don’t have access to clear and updated instructions, they might make mistakes in their tasks, leading to rework, wastage of resources, and disruptions in the production process.

To avoid these issues, medical device companies must establish robust document control procedures that ensure the accurate creation, management, and retention of documentation. This involves maintaining accurate records, controlling revisions, establishing proper access controls, and regularly reviewing and updating documents as needed. Companies should take these practices seriously not only to comply with regulations but also to uphold the highest standards of patient safety and product quality


As we conclude our journey through the intricacies of document control in the context of ISO 13485:2016, it becomes abundantly clear that the meticulous management of documents and records is more than a regulatory requirement; it’s a linchpin in the realm of medical devices. It’s the promise of safety and effectiveness delivered to patients, the shield against compliance pitfalls, and the enabler of innovation and continuous improvement.

We’ve celebrated the invaluable contributions of unsung heroes like Ms. B and Ms. T, who instilled in us the importance of document control. We’ve uncovered the core requirements of ISO 13485:2016, illustrating how they shape the landscape of quality management in the medical device industry. We’ve explored the benefits of effective document control processes, emphasizing their role in ensuring compliance and consistency.

Through our journey, we’ve highlighted key documents and vital records that form the foundation of quality management. We’ve navigated the six key steps in document control, emphasizing their role in precision and reliability. We’ve also shed light on the consequences of inadequate document control practices, showcasing the stakes involved.

In the ever-evolving world of medical devices, document control remains a steadfast anchor, ensuring that every device delivered to patients is not only life-changing but also safe and dependable. 

As we part ways, remember that document control isn’t just a compliance requirement; it’s a commitment to excellence, a pledge to patient safety, and an ode to the dedicated professionals who ensure that the gears of this meticulous process turn seamlessly. So, please continue to champion document control in your organization.

Sign up to our Newsletter
Stay up to date with our latest news by subscribing to The Learning Reservoir’s newsletter! As a subscriber, you’ll receive exclusive access to our latest blog posts, expert insights, and updates on our latest courses and training programs. Plus, you’ll be the first to hear about our special offers and promotions. Don’t miss out on this valuable resource – sign up today!

    You can request the removal of your details at any time by clicking the link in the footer of the emails or by emailing us at


    Picture of Dr. Fiona Masterson

    Dr. Fiona Masterson

    With over 25 years’ experience in quality management, operations management,
    and higher education, Fiona combines technical expertise with highly engaging
    training. She has worked in fast-paced manufacturing environments including
    medical device companies, and lectures part-time in universities.

    She has Bachelor and Master of Science degrees, and a Doctorate in
    Mechanical Engineering. Fiona has published in peer reviewed journals on
    topics such as medical device and pharmaceutical regulatory affairs, on-the job
    training and innovative training technologies and strategies. .