Although this process can be extremely complicated and interlaced in large corporations, the requirements for Document Control are actually quite simple.
Let’s give a look at them:
ISO 13485:2016 – it’s all in two paragraphs, §4.2.4 and §4.2.5:
(a) Documents must be approved, i.e. have signatures (electronic or handwritten);
(b) If reviewed or modified, they must be re-approved;
(c) Each document must have a revision and the revision must be clearly displayed on it;
(d) Each document should be clearly identified as draft (not released), released or obsolete (other states are possible, these are the minimum requirements);
(e) Documents must be available to people who use them;
(f) Documents must remain legible;
(g) The company must prevent documents form being lost or damaged;
(h) Obsolete documents cannot be used;
(i) External document (e.g. standards, regulations) must be controlled;
(j) Changes must be approved by the same function (e.g. R&D) or equivalent;
(k) Documents must be retained for the life of the device, but not less than records generated by these documents; (e.g.: SOP-AA-bbb gives guidance on how to fill in FORM-cccc; FORM-cccc was used to document the test of product X; thus SOP-AA-bbb cannot be destroyed until the end of life of product X (but it can be Retired / Obsolete))
(l) Records (e.g. filled in forms, results, etc.) follow the same principles;
(m) Records must be retained for the life of the device, but not less than 2 years;
(n) There must be procedures that control these requirements and documents.
The solution can be very simple:
I. Use a paper based process where approvals are handwritten signatures. If a document is reviewed, re-approve it in the same way and by the same function/role.
II. Documents should have a revision number and status (Drafts, Approved/Released and Obsolete) identified and written on them.
III. Documents are stored in appropriate binders, in a place that is not subject to extreme environmental conditions. These binders should be accessible by everyone.
IV. When a new version of a document is released, remove the previous one from the “Released” binder and store it in a safe place with other “Obsolete”/”Retired” documents, where access is controlled (e.g. in a locked drawer) – illustrated above as the crossed out eye symbol. DO NOT destroy old revisions.
V. Put the “External standards” into an identifiable location (another binder or drawer or online provider). You are required to have a copy of each of the latest applicable standards that you claim you comply with (e.g. 13485, 14971, 60601, etc.). New versions of standards have a deadline they must be implemented by – usually a few years from their publication date, after which you have to be compliant with the latest version of the standard (and have it available).
VI. From time to time review the “Approved”/”Released” documents to make sure they are still legible and undamaged.
VII. Create a procedure (“Document Control SOP“) that documents the above steps.
NOTE: the use of binders is optional, any identifiable location (e.g. a drawer, a shelf) is acceptable.