Document Control Compliance in QA

Document control compliance governs how quality-critical documents are created, reviewed, approved, distributed, revised, and retired within an organization's quality management system. Failures in document control are among the most frequently cited nonconformances during regulatory audits across manufacturing, healthcare, aerospace, and software sectors. The frameworks that define compliant document control — including ISO 9001:2015, FDA 21 CFR Part 820, and AS9100D — share a common structural logic even as their specific requirements differ by industry.

Definition and scope

Document control, within the context of quality assurance, refers to the formal management of documents that affect product quality, process integrity, or regulatory conformance. This includes work instructions, standard operating procedures (SOPs), specifications, quality plans, forms, and external documents incorporated by reference.

ISO 9001:2015, Clause 7.5 establishes the foundational requirement: documented information must be available, suitable for use, and adequately protected from loss of integrity. The scope extends beyond paper records to include electronic files, controlled databases, and configuration-managed software documentation.

The regulatory reach of document control is wide. In pharmaceutical and medical device manufacturing, FDA 21 CFR Part 820.40 requires that each manufacturer establish and maintain procedures to control all documents. The FAA and defense contractors operating under AS9100D face additional requirements tied to configuration management and design data traceability. Across these regimes, the scope of "controlled document" is defined by the organization's own quality management documentation requirements, not solely by external mandate.

How it works

A compliant document control system operates through a defined lifecycle with discrete control points at each stage.

  1. Document creation and authorship — A qualified author drafts the document using an approved template. The authorship role and template requirements are typically defined in the organization's quality manual.
  2. Review — Domain specialists and process owners review the draft for technical accuracy and process alignment. Review records must be retained.
  3. Approval — A designated authority — typically a quality manager, department head, or controlled authority role — formally approves the document before release. ISO 9001:2015 Clause 7.5.2(b) explicitly requires approval for adequacy prior to issue.
  4. Distribution and access control — The document management system ensures only the current approved version is accessible at the point of use. Obsolete versions must be removed from active use or clearly marked as superseded.
  5. Revision and change control — Any modification triggers a formal change control cycle, including re-review, re-approval, and notification to affected personnel. Revision history must be maintained.
  6. Retention and disposition — Documents must be retained for defined periods consistent with regulatory requirements. FDA 21 CFR Part 820.180 specifies a minimum 2-year retention period for device history records, measured from the date of manufacture.

Electronic document management systems (EDMS) automate enforcement of these steps but do not eliminate the need for procedural governance. The system configuration itself becomes a controlled artifact subject to validation under 21 CFR Part 11 when electronic signatures and audit trails are used.

Common scenarios

Document control compliance failures appear in predictable patterns across audit findings. The four scenarios below are the most operationally significant:

Unauthorized revisions — Personnel modify work instructions or forms without initiating a formal change request. This is a classic ISO 9001 nonconformance and frequently appears in FDA Warning Letters as an indicator of systemic quality system breakdown.

Version control failures — Multiple versions of the same document exist in active use simultaneously, often due to local storage of printed copies or unsynchronized shared drives. This directly violates the "single point of truth" principle embedded in Clause 7.5.3 of ISO 9001:2015.

Missing or incomplete review records — Documents are approved without documented evidence of review, leaving audit trails incomplete. In regulated industries, an undocumented review is treated as a review that did not occur.

External document management gaps — Customer specifications, regulatory standards, and supplier drawings used in production processes are not formally incorporated into the document control system. ISO 9001:2015 Clause 7.5.3(a) requires that externally originated documented information be identified and controlled alongside internal documents.

Nonconformance reporting processes in compliant organizations capture these failures and route them into formal corrective action workflows rather than allowing informal resolution.

Decision boundaries

Document control compliance requires organizations to distinguish between document types and apply appropriate control levels. Three classification boundaries are operationally significant:

Controlled vs. uncontrolled documents — A controlled document is subject to the full document lifecycle described above. An uncontrolled copy (e.g., a reference copy issued for training use only) must be explicitly marked as such and excluded from active process use. Treating an uncontrolled copy as authoritative is a nonconformance under both ISO 9001 and FDA frameworks.

Records vs. documents — Documents describe what should be done; records provide evidence that it was done. ISO 9001:2015 uses the term "documented information" to encompass both, but the control requirements differ: documents require version control and approval, while records require integrity protection and defined retention periods. Conflating these two categories is a persistent source of audit findings, and the distinction is elaborated further in quality assurance definitions.

Mandatory vs. discretionary documentation — ISO 9001:2015 mandates documented information in 23 specific clauses but explicitly permits organizations to determine the extent of additional documentation needed (Clause 7.5.1, Note 1). FDA 21 CFR Part 820, by contrast, prescribes specific document types including device master records, device history records, and quality system records. Organizations operating under both frameworks must map their document control architecture to satisfy the more prescriptive of the two requirements at each control point.

The quality assurance regulatory framework governing a given organization determines which mandatory document types apply and at what retention threshold compliance obligations are met.
