Quality Assurance: Documentation Requirements

Quality assurance documentation encompasses the structured body of records, procedures, specifications, and logs that organizations maintain to demonstrate conformance with quality standards and regulatory requirements. Documentation requirements vary across industries — from FDA-regulated medical device manufacturing under 21 CFR Part 820 to aerospace supply chains governed by AS9100 — but share a common structural logic: evidence that processes were defined, executed, and monitored as specified. Gaps in documentation are among the most frequently cited findings in third-party audits and regulatory inspections, making this area one of the highest-stakes operational domains in any quality management system.

Definition and scope

Quality assurance documentation refers to the complete set of written, electronic, or otherwise recorded materials that define how quality-related activities are planned, performed, controlled, and verified within an organization. The scope extends from high-level policy documents — such as the quality manual — down to transactional records like inspection logs, calibration certificates, and nonconformance reports.

ISO 9001:2015, published by the International Organization for Standardization, uses the term "documented information" rather than the legacy category split of "documents and records," reflecting that modern quality management systems treat all maintained information as subject to the same control discipline. Clause 7.5 of ISO 9001:2015 establishes the baseline requirement: organizations must determine what documented information is necessary for the effectiveness of the quality management system, retain it in a manner that ensures retrievability, and protect it from unintended alteration or loss.

In regulated industries, documentation scope is defined externally. The U.S. Food and Drug Administration's 21 CFR Part 820 — the Quality System Regulation for medical devices — mandates specific document categories including device master records, device history records, and quality system records. The FDA's updated Quality Management System Regulation, effective February 2026 and aligned with ISO 13485:2016, preserves these categories while harmonizing terminology with international standards (FDA QSR Final Rule, 21 CFR Part 820, 2022).

Core mechanics or structure

Quality documentation systems are structured in tiers, commonly represented as a four-level hierarchy:

  1. Level 1 — Quality Policy and Manual: Defines organizational quality commitments and the scope of the quality management system.
  2. Level 2 — Procedures: Describes how major processes are carried out, who is responsible, and what inputs and outputs are expected.
  3. Level 3 — Work Instructions: Provides task-level detail for executing specific operations, typically used at the point of work.
  4. Level 4 — Records and Forms: Captures evidence that work was performed, including inspection results, calibration logs, training records, and corrective action documentation.

Each tier feeds the one above it as evidence of execution. Procedures without corresponding records provide no audit trail; records without governing procedures have no baseline against which nonconformance can be assessed.

Document control — the mechanism governing creation, review, approval, distribution, revision, and disposition of documents — is a foundational requirement across ISO 9001:2015 (§7.5.3), AS9100 Rev D (the aerospace quality standard published by SAE International), and IATF 16949:2016 (automotive quality standard maintained by the International Automotive Task Force). All three standards require that documents be approved prior to issue, that current revisions be available at point of use, and that obsolete documents be removed or controlled to prevent unintended use.

Causal relationships or drivers

Documentation requirements exist because process variability, human error, and regulatory accountability demands cannot be managed through informal memory or tacit knowledge alone. Three primary drivers shape documentation scope and depth:

Regulatory obligation is the dominant driver in FDA-regulated industries, nuclear energy (governed by 10 CFR Part 50 under the Nuclear Regulatory Commission), and aviation (FAA Part 21 and Part 145 under 14 CFR). In these sectors, documentation is not optional — missing records are treated as evidence of noncompliance regardless of whether the underlying activity was performed correctly.

Audit and certification requirements drive documentation in organizations pursuing third-party certification. ISO 9001 registrars, AS9100 certification bodies, and CMMI appraisers assess documented information as direct evidence of process maturity. An organization cannot achieve CMMI Level 3 (Defined) status without demonstrating that processes are documented and tailored from organizational standards.

Operational continuity and risk management form the third driver. Process documentation reduces dependency on individual employees, supports training, enables consistent supplier oversight, and provides the evidence base for root cause analysis when failures occur. The relationship is direct: organizations with incomplete documentation cannot reliably identify where a process deviated from intent.

Classification boundaries

Quality documents fall into two legally and operationally distinct categories:

Controlled Documents (Instructions): Specifications, procedures, work instructions, engineering drawings, and forms. These are living documents subject to revision control. Their purpose is to define what should happen. Version history must be maintained, and prior versions must be retained per defined retention schedules.

Quality Records (Evidence): Completed inspection forms, test reports, calibration certificates, audit reports, training records, and nonconformance logs. Records document what did happen. Unlike controlled documents, records are not revised — they are retained as-is. Alterations to quality records without authorization constitute a regulatory violation in FDA-regulated environments (21 CFR Part 211.68 for pharmaceuticals; 21 CFR Part 820 for devices).

Record retention periods are dictated by regulation or contract. FDA 21 CFR Part 820.180 requires device history records to be retained for the expected life of the device, or 2 years from the date of release for commercial distribution, whichever is longer. AS9100 Rev D requires organizations to define their own retention periods based on customer and regulatory requirements.

Tradeoffs and tensions

Comprehensiveness vs. usability: Documentation systems that attempt to capture every activity in exhaustive detail create compliance fatigue and are frequently abandoned in practice. ISO 9001:2015 deliberately reduced prescriptive document requirements compared to the 2008 version precisely because over-documentation was identified as a barrier to effective quality management (ISO/TC 176 rationale documentation).

Standardization vs. flexibility: Highly standardized documentation supports auditability but constrains process improvement. Organizations operating under change control frameworks must balance the speed of process updates against the administrative burden of revising, approving, and distributing new document versions.

Electronic vs. paper systems: Electronic document management systems (EDMS) improve retrieval speed and version control enforcement but introduce validation obligations in regulated industries. FDA's 21 CFR Part 11 requires that electronic records and signatures meet specific technical and procedural controls — a compliance domain that carries its own audit surface.

Retention cost vs. regulatory risk: Long retention periods generate storage costs and data management obligations. Premature destruction of records carries regulatory penalties in FDA, FAA, and NRC-regulated contexts that significantly outweigh storage costs.

Common misconceptions

"ISO 9001 requires a quality manual." ISO 9001:2015 removed the mandatory quality manual requirement present in the 2008 version. Organizations may maintain one, but it is not obligatory. What is required is documented information sufficient to support the operation of the quality management system (§7.5.1).

"More documentation always means better quality." Volume of documentation does not correlate with process effectiveness. Unused or ignored procedures accumulate as compliance theater. The operative requirement is that documented information is accurate, current, and actually consulted.

"Records can be corrected if an error is discovered." In regulated environments, corrections to quality records must follow defined procedures — typically a single-line strike-through preserving the original entry, with the corrector's initials, date, and reason. Obliterating original entries or making undisclosed alterations violates data integrity requirements under FDA 21 CFR Part 820 and ALCOA+ principles (Attributable, Legible, Contemporaneous, Original, Accurate — plus Complete, Consistent, Enduring, Available).

"Document control only applies to manufacturing." Document control requirements apply across service industries, software development (see ISO/IEC 90003 for software quality guidance), healthcare, and any sector where certification or regulatory compliance is required.

Checklist or steps (non-advisory)

The following sequence reflects the standard phases of a document control lifecycle as described in ISO 9001:2015 §7.5 and AS9100 Rev D:

  1. Identify need — Determine whether the activity, process, or requirement necessitates documented information, and whether a controlled document or a record is the appropriate form.
  2. Draft — Prepare the document using the organization's defined format and template standards.
  3. Review — Subject the draft to technical review by qualified personnel with knowledge of the process being documented.
  4. Approve — Obtain authorization from the designated approving authority before issue. Approval authority should be defined in the document control procedure.
  5. Assign identifier and revision — Apply a unique document number, revision level, and effective date.
  6. Distribute and make accessible — Publish to the document management system and confirm availability at points of use. Withdraw or clearly mark superseded versions.
  7. Train affected personnel — Confirm that personnel who must use the document have received and understood current content; retain training records.
  8. Monitor and review — Establish periodic review cycles (commonly annual for critical procedures) to confirm continued accuracy.
  9. Revise or retire — Process changes through the change control procedure; retain superseded versions per defined retention schedules.
  10. Dispose — At end of retention period, follow the defined disposition procedure and record the destruction or archival action.

Reference table or matrix

Document Type Classification Revision Controlled? Retention Governed By Primary Standard References
Quality Manual Controlled Document Yes Org policy / customer requirement ISO 9001:2015 §7.5; AS9100 Rev D
Standard Operating Procedure (SOP) Controlled Document Yes Org policy / regulatory requirement ISO 9001:2015 §7.5; 21 CFR Part 820
Work Instruction Controlled Document Yes Org policy ISO 9001:2015 §7.5; IATF 16949:2016
Inspection Record Quality Record No (retained as-is) Regulatory minimum + customer contract 21 CFR Part 820.180; AS9100 Rev D
Calibration Certificate Quality Record No Equipment life + regulatory minimum ISO/IEC 17025:2017; 21 CFR Part 820
Nonconformance Report Quality Record No Regulatory minimum (2 years+ for FDA) 21 CFR Part 820; ISO 9001:2015 §10.2
Corrective Action Record Quality Record No Regulatory minimum ISO 9001:2015 §10.2; AS9100 Rev D §10.2
Training Record Quality Record No Employment period + defined minimum 21 CFR Part 820.25; ISO 9001:2015 §7.2
Audit Report Quality Record No Org policy / accreditation body requirement ISO 9001:2015 §9.2; AS9100 Rev D §9.2
Device History Record (DHR) Quality Record No Life of device or 2 years post-release 21 CFR Part 820.184

References

Read Next

Quality Assurance: Quality Manual Requirements ISO 9001:2015, published by the International Organization for Standardization, defines the minimum content expectations for... Quality Assurance: CMMI Framework Overview Administered by the CMMI Institute, the framework applies across software development, systems engineering, services, and... Quality Assurance: Root Cause Analysis Standards This page covers the definition, scope, operational mechanisms, typical application scenarios, and the decision logic...