SOP Document and Record Control
Summary
Your Document and Record Control SOP establishes systematic procedures for creating, reviewing, approving, distributing, and maintaining all quality management system documents and records to ensure regulatory compliance and effective information management throughout your organization.
Why is SOP Document and Record Control important?
Document control exists because regulators require controlled processes to ensure that teams use current, approved procedures and that evidence of compliance is properly maintained. Without systematic document control, organizations risk using outdated procedures, losing critical records, or failing to demonstrate regulatory compliance during audits.
The SOP ensures consistency and traceability by establishing clear naming conventions, approval workflows, retention requirements, and access controls. It transforms document management from an administrative burden into a strategic enabler that supports quality decision-making and regulatory confidence.
Regulatory Context
Under 21 CFR Part 820 (Quality System Regulation):
- Document controls are mandatory under Section 820.40
- Must ensure current revisions are available at points of use
- Document changes must be reviewed and approved by the same function that performed the original review
- Records must be maintained to demonstrate conformity (820.180)
Special attention required for:
- Design History File (DHF) document control requirements (820.30(j))
- Device Master Record (DMR) control (820.181)
- Device History Record (DHR) maintenance (820.184)
- Electronic record requirements if using electronic systems (21 CFR Part 11)
Under EU MDR 2017/745:
- Document control required as part of quality management system (Article 10(9))
- Must comply with EN ISO 13485:2016 Sections 4.2.4 and 4.2.5
- Technical documentation must be maintained and updated (Article 11)
- Records must be available for notified body assessment
Special attention required for:
- Technical file maintenance and updates (Annex II)
- Post-market surveillance documentation (Articles 83-86)
- Clinical evaluation documentation control (Article 61)
- UDI database information maintenance (Article 27)
Guide
Your Document and Record Control SOP establishes the foundation for all other QMS processes. Design the system to be practical and scalable while ensuring regulatory compliance.
Document Classification and Naming
Establish clear document categories such as SOPs, work instructions, templates, lists, and records. Create a systematic naming convention that includes functional group, document type, unique identifier, revision number, and descriptive name. This ensures consistent identification and retrieval.
Use a standardized approach like QA-SOP-[UUID].01-Document Control to provide immediate context about document ownership, type, and version. Train all team members on the naming convention to ensure consistency across the organization.
Approval Workflows and Authority
Define approval authority based on document type and impact. Quality system documents typically require quality management approval, while technical documents may need engineering and quality review. Establish clear approval matrices that specify who must approve different document types.
Implement approval workflows that ensure appropriate review without creating bottlenecks. Consider parallel approvals for documents requiring multiple reviewers. Document the rationale for approval authority assignments so auditors understand your decision-making process.
Version Control and Change Management
Implement rigorous version control to prevent use of obsolete documents. Use revision numbers that clearly indicate document status and ensure only current versions are accessible at points of use. Archive previous versions while maintaining retrieval capability for regulatory purposes.
Establish change control procedures that require justification for changes, impact assessment, and appropriate approvals. Minor editorial changes may require different approval than substantive procedural changes. Document the change rationale and ensure affected personnel are notified.
Electronic System Implementation
If using electronic document management systems, ensure they meet regulatory requirements for electronic records. Implement access controls, audit trails, and backup procedures. Consider FDA 21 CFR Part 11 requirements if operating under FDA jurisdiction.
Establish procedures for system maintenance, user access management, and data integrity verification. Include contingency plans for system failures that ensure continued access to critical documents during emergencies.
Record Retention and Disposal
Establish retention periods that meet or exceed regulatory requirements. Quality records typically require retention for device lifetime plus additional years, while some records may have specific regulatory timeframes. Create retention schedules that are practical to implement and monitor.
Implement secure disposal procedures for records reaching end-of-life. Ensure confidential information is properly destroyed while maintaining evidence of disposal for audit purposes. Consider legal holds that may extend retention beyond normal schedules.
Example
Scenario
DeviceTech Systems implements an electronic document management system to control their quality procedures, work instructions, and technical documentation. They establish naming conventions, approval workflows, and retention schedules to ensure regulatory compliance while enabling efficient operations.
Example Document Control System
Document Categories and Naming:
- Quality SOPs: QA-SOP-[UUID].01-Risk Management
- Software Procedures: SW-TCD-[UUID].01-Code Review Checklist
- Training Records: CP-RCD-[UUID].01-Employee Training Log
- Technical Reports: TD-TCD-[UUID].01-Verification Testing Report
Approval Matrix:
- Quality SOPs: Quality Manager + Management Representative
- Technical Documents: Technical Lead + Quality Manager
- Training Materials: HR Manager + Quality Manager
- Work Instructions: Process Owner + Quality Representative
Version Control Process:
- Draft Creation - Author creates document in “Draft” status
- Review Cycle - Reviewers provide feedback in document review system
- Approval Process - Sequential or parallel approvals based on document type
- Release - Approved document moves to “Active” status, previous version archived
- Change Management - Changes require change request with impact assessment
Electronic System Features:
- Role-based access controls limiting editing permissions
- Automated approval workflows with email notifications
- Audit trail tracking all document activities and user actions
- Automated archival of superseded versions
- Search functionality by document type, owner, or content
Retention Schedule:
- Quality system documents: 10 years after archival
- Technical documentation: Device lifetime + 10 years
- Training records: Employee tenure + 7 years
- Audit records: 10 years after completion