Establish Quality Management System
SOP Document and Record Control
Structure systematic document control procedures for quality management system compliance and information integrity.
Summary
Your Document and Record Control SOP establishes systematic procedures for creating, reviewing, approving, distributing, and maintaining all quality management system documents and records to ensure regulatory compliance and effective information management throughout your organization.Why is SOP Document and Record Control important?
Document control exists because regulators require controlled processes to ensure that teams use current, approved procedures and that evidence of compliance is properly maintained. Without systematic document control, organizations risk using outdated procedures, losing critical records, or failing to demonstrate regulatory compliance during audits. The SOP ensures consistency and traceability by establishing clear naming conventions, approval workflows, retention requirements, and access controls. It transforms document management from an administrative burden into a strategic enabler that supports quality decision-making and regulatory confidence.Regulatory Context
Under 21 CFR Part 820 (Quality System Regulation):
- Document controls are mandatory under Section 820.40
- Must ensure current revisions are available at points of use
- Document changes must be reviewed and approved by same function that performed original review
- Records must be maintained to demonstrate conformity (820.180)
Special attention required for:
- Design History File (DHF) document control requirements (820.30(j))
- Device Master Record (DMR) control (820.181)
- Device History Record (DHR) maintenance (820.184)
- Electronic record requirements if using electronic systems (21 CFR Part 11)
Guide
Your Document and Record Control SOP establishes the foundation for all other QMS processes. Design the system to be practical and scalable while ensuring regulatory compliance.Document Classification and Naming
Establish clear document categories such as SOPs, work instructions, templates, lists, and records. Create a systematic naming convention that includes functional group, document type, unique identifier, revision number, and descriptive name. This ensures consistent identification and retrieval. Use a standardized approach likeQA-SOP-[UUID].01-Document Control to provide immediate context about document ownership, type, and version. Train all team members on the naming convention to ensure consistency across the organization.
Approval Workflows and Authority
Define approval authority based on document type and impact. Quality system documents typically require quality management approval, while technical documents may need engineering and quality review. Establish clear approval matrices that specify who must approve different document types. Implement approval workflows that ensure appropriate review without creating bottlenecks. Consider parallel approvals for documents requiring multiple reviewers. Document the rationale for approval authority assignments so auditors understand your decision-making process.Version Control and Change Management
Implement rigorous version control to prevent use of obsolete documents. Use revision numbers that clearly indicate document status and ensure only current versions are accessible at points of use. Archive previous versions while maintaining retrieval capability for regulatory purposes. Establish change control procedures that require justification for changes, impact assessment, and appropriate approvals. Minor editorial changes may require different approval than substantive procedural changes. Document the change rationale and ensure affected personnel are notified.Electronic System Implementation
If using electronic document management systems, ensure they meet regulatory requirements for electronic records. Implement access controls, audit trails, and backup procedures. Consider FDA 21 CFR Part 11 requirements if operating under FDA jurisdiction. Establish procedures for system maintenance, user access management, and data integrity verification. Include contingency plans for system failures that ensure continued access to critical documents during emergencies.Record Retention and Disposal
Establish retention periods that meet or exceed regulatory requirements. Quality records typically require retention for device lifetime plus additional years, while some records may have specific regulatory timeframes. Create retention schedules that are practical to implement and monitor. Implement secure disposal procedures for records reaching end-of-life. Ensure confidential information is properly destroyed while maintaining evidence of disposal for audit purposes. Consider legal holds that may extend retention beyond normal schedules.Example
Scenario
DeviceTech Systems implements an electronic document management system to control their quality procedures, work instructions, and technical documentation. They establish naming conventions, approval workflows, and retention schedules to ensure regulatory compliance while enabling efficient operations.Example Document Control System
Document Categories and Naming:- Quality SOPs:
QA-SOP-[UUID].01-Risk Management - Software Procedures:
SW-TCD-[UUID].01-Code Review Checklist - Training Records:
CP-RCD-[UUID].01-Employee Training Log - Technical Reports:
TD-TCD-[UUID].01-Verification Testing Report
- Quality SOPs: Quality Manager + Management Representative
- Technical Documents: Technical Lead + Quality Manager
- Training Materials: HR Manager + Quality Manager
- Work Instructions: Process Owner + Quality Representative
- Draft Creation - Author creates document in “Draft” status
- Review Cycle - Reviewers provide feedback in document review system
- Approval Process - Sequential or parallel approvals based on document type
- Release - Approved document moves to “Active” status, previous version archived
- Change Management - Changes require change request with impact assessment
- Role-based access controls limiting editing permissions
- Automated approval workflows with email notifications
- Audit trail tracking all document activities and user actions
- Automated archival of superseded versions
- Search functionality by document type, owner, or content
- Quality system documents: 10 years after archival
- Technical documentation: Device lifetime + 10 years
- Training records: Employee tenure + 7 years
- Audit records: 10 years after completion
Q&A
How should updates and changes in the EQMS documentation system be handled?
How should updates and changes in the EQMS documentation system be handled?
Updates to the EQMS documentation system should include proper change management with impact assessment, appropriate approvals, and notification to affected users. The current setup should remain compliant while changes aim at improving the process. Maintain version control and audit trails for all system changes.
How are documents considered live once approved?
How are documents considered live once approved?
Formly uses an electronic quality management system (EQMS) for document approvals. Documents are considered live once approved through the established workflow. Drafts can be created and revised multiple times without regulatory compliance issues until final approval and release.
What are the requirements for document retention periods?
What are the requirements for document retention periods?
Quality management system documents and records should be stored for at least 10 years after their archival date. Technical documentation, DHF, DHR, and QMS documents should be stored for at least the device lifetime plus additional years as specified by regulatory requirements, but not less than two years from device release.
How should external documents be controlled?
How should external documents be controlled?
External documents should be properly identified and controlled through suitable identification procedures. They must be prevented from unintended use of obsolete versions and remain legible and readily identifiable. Establish procedures for monitoring external document updates and ensuring current versions are used.
What access controls should be implemented for confidential documents?
What access controls should be implemented for confidential documents?
Implement role-based access controls that limit document access to authorized personnel only. Protect confidential health information in accordance with relevant regulatory requirements. Establish user access management procedures and regular access reviews to ensure appropriate permissions.
How should document changes be identified and tracked?
How should document changes be identified and tracked?
All document changes should be identified through version control, change summaries, and audit trails. Maintain revision histories that clearly show what changed, who made the change, when it was made, and why. Use change control procedures that require impact assessment and appropriate approvals for modifications.