V5 Ultimate
Quality · The complete guide

Document control

TL;DR

The systematic process of managing documents throughout their lifecycle to ensure integrity, accuracy, and accessibility within a quality management system.

Reviewed · By V5 Ultimate compliance team· 4,188 words · ~20 min read
AI · Explain it for MY operation

How does Document control apply to your shop floor?

Pick your industry and scale — Ask V5 rewrites the definition in your context, gives a worked example, and shows what V5 does on day one.

Your scale

01The Role of Document Control in a Quality Management System (QMS)

Document control is the bedrock of a compliant and effective Quality Management System (QMS). It is not merely an administrative task but a critical quality function that ensures consistency, accountability, and traceability across all GxP operations. According to international standards like ISO 9001 and pharmaceutical quality system models like ICH Q10, a well-defined system for managing documented information is essential for demonstrating a state of control. The primary purpose of document control is to ensure that all documents are systematically reviewed, approved, distributed, and maintained, and that only the current, effective versions are available at the point of use. This prevents the use of outdated or unapproved instructions, which could lead to process deviations, product non-conformances, and regulatory action.

The function of document control extends beyond managing Standard Operating Procedures (SOPs). It integrates with and supports virtually every other element of the QMS. For example, any corrective or preventive action (CAPA) that results in a process change must be reflected in updated documents, managed through the document control system. Similarly, the change control process relies on document control to manage the revision and implementation of updated specifications, manufacturing procedures, or test methods. It provides the mechanism for documenting and communicating changes throughout the organization in a structured manner. During regulatory inspections and audits, the document control system is one of the first areas examined. Auditors will scrutinize procedures, master document lists, and revision histories to verify that the company has objective evidence of control over its processes and documentation, a key indicator of overall audit readiness.

02The Document Lifecycle: From Creation to Destruction

The management of a controlled document follows a defined lifecycle, ensuring that every stage is handled with precision and accountability. The lifecycle begins with creation, where a subject matter expert drafts a new document or proposes a revision to an existing one. This is followed by the review stage, a critical step where a cross-functional team, including representatives from relevant departments and Quality Assurance, assesses the document for technical accuracy, clarity, regulatory compliance, and operational feasibility. Once all reviewers' comments are addressed, the document moves to the approval stage. Here, designated individuals with the appropriate authority, as defined in a procedure, provide formal sign-off, often with a physical or a validated electronic signature. This approval signifies that the document is fit for its intended purpose.

After approval, the document is issued and distributed. The document control function makes the new version effective, adds it to the master list, and ensures it is available at all points of use. Crucially, this step must include the retrieval and destruction of all previous, obsolete versions to prevent their inadvertent use. The document then enters its period of active use. To ensure documents do not become outdated, they are subject to periodic review at a predefined frequency (e.g., every two years). This review confirms the document's continued relevance and accuracy. When a document is superseded or no longer needed, it is moved to an archived state. Archiving involves retaining the document in a secure, retrievable format for a period mandated by regulations. This retention is vital for historical investigation, legal purposes, and demonstrating compliance long after a product has been released. The final stage is destruction, which occurs after the required retention period has elapsed. The destruction must be irreversible and documented to close out the lifecycle.

03Key Components of a Document Control System

A robust document control system is built upon several essential components that work together to ensure document integrity and compliance. The first is a standardized document identification system. Every controlled document must have a unique identifier (e.g., SOP-QC-001), a version number (e.g., v3.0), and an effective date. This unambiguous labeling prevents confusion and ensures traceability. A Master Document List or Index is the central registry for all controlled documents. This list contains metadata for each document, including its title, unique ID, current version, effective date, and status (e.g., Active, Obsolete, In Review). It serves as the single source of truth for the status of all documentation within the QMS.

Defined workflows for review and approval are another critical component. These workflows, typically outlined in an SOP, specify the roles and responsibilities for drafting, reviewing, and approving different types of documents. They ensure that documents are vetted by the appropriate personnel before becoming effective. To maintain security and integrity, the system must incorporate strict access controls. These controls restrict actions like creating, editing, and approving documents to authorized individuals, preventing unauthorized changes. For electronic systems, a secure, computer-generated audit trail is mandatory. The audit trail must capture a time-stamped record of all actions performed on a document, including who made a change, when it was made, and what the change was. This supports the principles of data integrity by ensuring that all activities are attributable and traceable. Finally, the system must have clear procedures for document distribution and retrieval, ensuring that personnel can easily access the current versions they need while preventing access to obsolete ones.

04Regulatory Framework for Document Control

Regulatory bodies worldwide place significant emphasis on document control as a cornerstone of GMP. In the United States, the FDA's requirements are detailed across several regulations. For pharmaceuticals, 21 CFR 211 (Current Good Manufacturing Practice for Finished Pharmaceuticals) mandates the establishment of written procedures for production and process control (211.100) and detailed requirements for records and reports (211.180), including review and approval by the quality control unit. For medical devices, 21 CFR 820.40 (the Quality System Regulation) is dedicated entirely to document controls. It requires procedures to control the designation, approval, distribution, and revision of all documents, and mandates the removal of obsolete documents from all points of use.

For companies using electronic systems, 21 CFR Part 11 provides the criteria for ensuring that electronic records and signatures are trustworthy, reliable, and equivalent to paper records. In Europe, the EudraLex Volume 4 Good Manufacturing Practice (GMP) guidelines contain similar requirements. Chapter 4, "Documentation," specifies that documents must be designed, prepared, reviewed, and distributed with care, and requires clear, unambiguous content. For computerized systems used to manage these documents, EU GMP Annex 11 applies, outlining requirements for validation, data integrity, and audit trails. International standards also codify these principles. ISO 13485:2016, the QMS standard for medical devices, has specific clauses (4.2.4 and 4.2.5) for the control of documents and records that align closely with FDA requirements. Similarly, ISO 9001:2015 requires organizations to control "documented information" (Clause 7.5) to support the operation of its processes.

05Document Types Subject to Control

A common question is which documents need to be formally controlled. The general principle is that any document containing instructions, requirements, or records related to product quality, safety, and regulatory compliance must be managed within the document control system. This scope is broad and encompasses a wide variety of document types that guide and record GxP activities. The system is not just for procedures; it is for the entire body of documented information that defines the quality system and proves it is functioning as intended. Failure to control any of these document types can result in process inconsistencies, quality failures, and significant regulatory non-compliance.

Common Controlled Documents

  • **Quality System Documents:** The Quality Manual, site master files, and high-level policy documents that define the overall QMS.
  • **Procedures:** Standard Operating Procedures (SOPs), Work Instructions (WIs), and test methods that provide detailed, step-by-step instructions for performing specific tasks.
  • **Specifications:** Documents that define the requirements for raw materials, packaging components (component specs 111.70(b)), in-process materials, and finished products.
  • **Manufacturing Records:** Master Batch Records (BMR) or Master Production Records, and the executed Batch Production Records (BPR) that document the history of a specific batch.
  • **Validation Documents:** Validation master plans, protocols, and reports for processes, equipment, cleaning, and test methods, such as those for cleaning validation.
  • **QMS Records:** Forms and records related to change control, deviations, investigations, and Corrective and Preventive Actions (CAPA).
  • **Supplier Management Documents:** Quality agreements with suppliers and contract manufacturing organizations (CMO), supplier qualification reports, and audit reports.
  • **Supporting Records:** Records of calibration, maintenance, environmental monitoring, and employee training.

06Version Control and Change Management

Version control is the heart of document control, ensuring that only the single, correct version of a document is in use at any given time. Every time a document is modified, it must be assigned a new version number. A common practice is to use a major-minor numbering system (e.g., v1.0, v1.1, v2.0). Minor revisions (e.g., v1.0 to v1.1) might be for typographical corrections or clarifications that do not alter the process instructions, while major revisions (e.g., v1.1 to v2.0) are for significant changes that affect the process, requirements, or meaning. This distinction helps users quickly understand the magnitude of a change.

Changes to controlled documents cannot be made informally. They must be managed through a formal change control process. This process typically begins with a change request that details the proposed change and its justification. The request is then subjected to an impact assessment, where a cross-functional team evaluates the potential effects of the change on product quality, safety, validation status, regulatory filings, and other procedures. Based on this assessment, the change is either approved or rejected. If approved, the document is revised, and the changes are summarized in a revision history section within the document itself. The revised document then goes through the full review and approval workflow. A critical final step is ensuring that all affected personnel are trained on the new version before it becomes effective. The change control record, along with the document's audit trail, provides a complete and defensible history of the document's evolution, which is essential for demonstrating control to auditors and for investigating any process-related issues.

07Electronic Document Management Systems (EDMS)

While paper-based document control systems can be compliant, they are often inefficient, prone to error, and difficult to manage at scale. Consequently, most modern life sciences companies have transitioned to Electronic Document Management Systems (EDMS). An EDMS is a software application designed to automate and streamline the management of controlled documents throughout their lifecycle. These systems provide a centralized, secure repository for all documents, eliminating the problems of lost paperwork and scattered files. They automate review and approval workflows, routing documents to the correct personnel in the correct sequence and sending notifications to ensure timely completion. This automation drastically reduces approval cycle times and administrative overhead.

The benefits of an EDMS are significant. They offer powerful search capabilities, allowing users to find the information they need instantly. Security is enhanced through granular access controls, and distribution is simplified, ensuring that users always access the current effective version from the system. Perhaps most importantly, a well-designed EDMS automatically generates the comprehensive, uneditable audit trails required for compliance with regulations like 21 CFR Part 11. However, implementing an EDMS comes with its own compliance obligations. The system must undergo formal Computer System Validation (CSV) to prove and document that it reliably performs its intended functions. This validation, along with procedures for system administration, security, and data backup, is critical for defending the system during a regulatory inspection.

08Document Distribution, Retrieval, and Archiving

Effective distribution ensures that approved documents reach their intended audience while preventing access to outdated information. In paper-based systems, this is a labor-intensive process. The document control department prints a specific number of controlled copies, often on specially colored paper or stamped with a unique copy number. These are logged and distributed to specific locations or individuals. The most challenging part is retrieval; when a new version is issued, all old copies must be physically located, collected, and accounted for before being destroyed. Failure to retrieve an obsolete copy is a serious compliance gap, as it could be used by mistake.

Electronic systems simplify distribution and retrieval immensely. When a document becomes effective, it is published to the system, and users with appropriate permissions can access it. Obsolete versions are automatically superseded and moved to an archived state, making it impossible for a general user to access them. This 'pull' system, where users access a central repository, is inherently more secure than 'pushing' physical copies into the facility. Archiving is the process of retaining obsolete documents for a specified period. Regulatory requirements dictate these retention periods, which can be many years. For example, 21 CFR 211.180 requires that batch records be retained for at least one year after the batch's expiration date. Archived documents, whether physical or electronic, must be stored in a secure manner that protects them from damage or loss but allows for them to be retrieved if needed for an audit or investigation. A formal retention policy should define the storage location, conditions, and required duration for each type of controlled document.

09Training and Competency in Document Control

A sophisticated document control system, whether paper-based or electronic, is ineffective if personnel are not properly trained to use it. Training is a critical component of document control and a key requirement of Good Manufacturing Practices (GMP). All employees who interact with the document control system must receive training appropriate to their roles. This begins with foundational training for all GxP personnel on the basic principles of document control: why it's important, how to identify a controlled document, and their responsibility to only use current, effective versions. This ensures a baseline understanding and a culture of compliance throughout the organization.

Beyond general awareness, role-specific training is essential. Individuals who author documents need training on templates, formatting standards, and writing style guides. Personnel assigned as reviewers and approvers must understand their specific responsibilities in verifying document accuracy and compliance. Document Control Administrators require in-depth training on all aspects of the system's operation, from processing change requests to managing distribution and archiving. A crucial aspect of training is its application to document revisions. When a procedure is updated, all personnel affected by the change must be retrained on the new version before it becomes effective. This ensures that changes are implemented correctly and consistently. All training activities must be documented. These training records, which are themselves controlled documents, serve as objective evidence that the workforce is competent and qualified to perform their duties according to the established procedures within the QMS. A skills matrix can be a useful tool for tracking and managing these training requirements.

10Auditing Document Control Systems

Both internal and external auditors rigorously inspect document control systems, as they provide a clear window into the overall health of a company's QMS. An auditor's primary goal is to verify that a compliant system exists and that the organization is adhering to its own procedures. The audit typically begins with a review of the core document control SOP. The auditor will then sample various documents to test the system's effectiveness in practice. They will check the Master Document List for accuracy and completeness, comparing it against documents found at points of use.

Auditors will trace the lifecycle of several documents. They will select a recently revised SOP and ask for the associated change control record, reviewing it for proper justification, impact assessment, and approvals. They will verify that training on the new version was completed before the effective date. For electronic systems, auditors will scrutinize audit trails, looking for evidence of data integrity and proper use of electronic signatures. A key audit activity is to walk through the manufacturing floor or laboratories to see which documents are actually in use. Here, they look for uncontrolled photocopies, handwritten notes on procedures, or the presence of obsolete versions. Common findings that can lead to an FDA Form 483 or other regulatory observations include failure to follow change control procedures, inadequate review and approval of documents, and failure to remove outdated documents from circulation. Proactive internal auditing of the document control system is a best practice for maintaining a state of audit readiness and identifying and correcting issues before they are found by an external inspector.

Frequently asked questions

Q.What is the difference between document control and records management?+

Document control pertains to the management of 'living' documents that are subject to revision, such as SOPs, specifications, and master batch records. Its focus is ensuring the current version is in use. Records management pertains to the maintenance of static records that provide evidence of past events, such as completed batch records or training logs. These records are not changed, but are retained and archived for legal and compliance purposes.

Q.Why is version control so important in GMP?+

Version control is critical in GMP because it ensures that only the most current, validated, and approved instructions are used for manufacturing and quality control activities. Using an outdated version of a document could lead to process deviations, product failures, and patient safety risks. It provides a clear history of changes and is fundamental to process consistency.

Q.What are the common pitfalls of a document control system?+

Common pitfalls include an overly complex and bureaucratic change control process that hinders improvement, failure to effectively retrieve and remove obsolete documents from points of use, inadequate training leading to non-compliance, inconsistent document formatting, and, in electronic systems, incomplete or non-compliant audit trails.

Q.How long do documents and records need to be retained?+

Retention periods are dictated by specific regulations and vary by record type and jurisdiction. For example, FDA cGMP for pharmaceuticals (21 CFR 211.180) requires that production and control records be retained for at least one year after the expiration date of the associated batch, or three years after distribution for OTC products without expiration dates. Companies must establish a formal record retention policy based on all applicable requirements.

Q.What is a 'master document'?+

The master document is the single, original, approved version of a document that is maintained by the document control function. It serves as the official reference standard from which all controlled copies are made and distributed. In an electronic system, it is the official record in the repository.

Q.Can we use electronic signatures for document approval?+

Yes, electronic signatures are widely accepted for document approval, provided the electronic system complies with applicable regulations. In the US, this means meeting the requirements of [21 CFR Part 11](/glossary/21-cfr-part-11), which includes ensuring signature uniqueness, linking the signature to a specific record, and having a secure, computer-generated audit trail for all signature events.

Q.What is the role of a Document Control Administrator?+

A Document Control Administrator (or Document Controller) is responsible for the day-to-day operation of the document management system. Their duties typically include processing change requests, formatting and issuing new and revised documents, maintaining the master document list, managing document distribution and retrieval, and ensuring that all activities adhere to established procedures.

Primary sources

Further reading

Explore this topic

Document control sits inside 3 overlapping topic clusters in our glossary. Every neighbour is one click away.

MES, WMS, ERP & QMS layer
15 related entries

Where each shop-floor system fits and what it owns vs the ERP above it.

See Document control working on a real shop floor

V5 Ultimate ships with the Document control controls already wired in — audit trail, e-signatures, validation evidence. Free trial, no credit card, onboard in days, not months.