Quality · The complete guide

Document control

TL;DR

The QMS process that creates, reviews, approves, distributes, retrieves and obsoletes controlled documents — SOPs, work instructions, forms, specifications, master records, supplier files and training materials. What 21 CFR 211.180, 21 CFR 820.40, ISO 13485 §4.2.4, ISO 9001 §7.5 and EU GMP Chapter 4 actually require, and the audit-defensible electronic shape that holds up at FDA, MHRA, Notified Body and GFSI audit.

Reviewed · By V5 Ultimate compliance team · 3,850 words · ~18 min read

01 What document control actually means

Document control is the process that makes a document into a controlled document — meaning the organisation can prove, at any moment, who wrote it, who reviewed it, who approved it, what version is currently effective, who has been trained on it, where the obsolete versions went, and what history of changes lies behind the current text. Anything less is just a Word file.

It is the backbone process every other regulated process stands on. CAPA needs a controlled SOP that defines how a CAPA is run. Change control needs controlled forms and risk-assessment templates. Validation needs controlled protocols. Training needs controlled materials. Production needs the current Master Manufacturing Record. Without document control, none of those processes can be defended at audit because there is no answer to the inspector's first question: 'is this the current version?'

02 Why regulators care so much about document control

Document-control failures show up in roughly one in every three FDA Warning Letters issued to drug, device and food manufacturers. The recurring patterns: operators working to obsolete SOPs, signature records that cannot be tied to the document version that was in effect at the time, training records that lag the document revision, and 'current' SOPs that have not actually been reviewed within the SOP's own stated periodic-review window. Each of those is a citation in its own right, and each undermines the credibility of every other quality record the inspector then looks at.

There is also a positive case. A well-run document-control system is the single biggest accelerant for any regulated organisation, because almost every operational improvement — a CAPA fix, a process optimisation, a yield gain, a supplier qualification, a new product launch — has to land as a controlled-document update. Cycle time from idea to operator-trained-on-the-floor is, in a regulated environment, primarily a document-control cycle time.

03 Regulatory map — who requires what

Document control is required in essentially the same shape by every regulatory regime that governs regulated manufacturing.

Regime | Clause | Headline requirement
FDA drugs | 21 CFR 211.180 | Records 'shall be retained for at least 1 year after the expiration date of the batch'. Establishes the retention baseline for every controlled record.
FDA drugs | 21 CFR 211.186 | Master Production and Control Records — must be 'prepared, dated, and signed (full signature, handwritten) by one person and independently checked, dated, and signed by a second person'.
FDA drugs | 21 CFR 211.194 | Lab records — analytical methods, calculations, data, calibration records — all controlled documents with explicit content requirements.
FDA devices (QSR/QMSR) | 21 CFR 820.40 | Document approval and distribution; changes to documents must be reviewed and approved 'by an individual(s) in the same function or organization that performed the original review and approval'.
FDA food | 21 CFR 117.301 / 117.305 | Records required under the food safety plan, with specific content, signature and retention requirements.
ISO 13485 | §4.2.3 / §4.2.4 / §4.2.5 | Medical-device-specific document and record control, plus the Medical Device File requirement.
ISO 9001 | §7.5 | Documented information — creation, updating, availability, suitability and protection across the organisation.
EU GMP | Chapter 4 | Full chapter dedicated to documentation: specifications, manufacturing formulae, procedures, instructions, records and reports.
EU GMP | Annex 11 | Computerised systems — including data and document control on electronic systems.
EU GMP | Annex 15 | Validation documentation requirements.
21 CFR Part 11 / Annex 11 |  | Electronic records and electronic signatures: the rules that make a controlled document legally credible when it lives in software.
GFSI schemes (BRCGS, SQF, FSSC 22000) | Various | Each scheme requires controlled documentation of every prerequisite programme and HACCP / food safety plan.

The FDA QMSR transition (Final Rule published 31 Jan 2024, effective 2 Feb 2026) aligns 21 CFR 820 more closely with ISO 13485 — but the document-control substance is unchanged. Every regulated organisation still needs a defensible documents lifecycle.

04 What counts as a controlled document

Scope is the most common mistake. Document control is often thought of as 'SOPs and forms'. In a defensible QMS it covers:

  • Quality Manual (or its modern equivalent — the QMS architecture document).
  • Standard Operating Procedures (SOPs) and work instructions.
  • Forms, checklists and templates that capture quality records.
  • Master Manufacturing Records / Master Batch Records / Device Master Records.
  • Specifications — raw material, component, in-process, finished product, packaging.
  • Analytical methods, sampling plans and cleaning verification methods.
  • Validation Master Plan, validation protocols (URS, FS, DS, IQ, OQ, PQ, PPQ) and reports.
  • Training materials and competency assessments.
  • Risk-assessment templates and registers (FMEA, HACCP, risk-management file).
  • Supplier files: questionnaires, audit reports, Quality Agreements, certificates of analysis templates.
  • Labels and label artwork — including translations and regional variants.
  • Calibration master schedules and calibration certificates.
  • Equipment master records and preventive-maintenance procedures.
  • Computerised-system documentation: user requirements, design specifications, configuration, validation summary, periodic review.
  • External documents that drive internal decisions — pharmacopoeial monographs, ISO standards, regulatory guidance — referenced and version-controlled even though they are owned by a third party.

A simple test: if making a decision, performing a task or releasing a product depends on the content of a document, that document is a quality record and must be controlled. Spreadsheets used in QC calculations are a notorious blind spot — they meet that test and are routinely cited in 483 observations when left uncontrolled.

05 The document-control lifecycle

Every controlled document moves through the same lifecycle. The stages are common across pharma, device, food and dietary-supplement regimes; only the terminology and signature mechanics vary.

  1. Draft — an author drafts a new document or revision. The system locks the document number and assigns a draft version (often v0.x or vN.0-draft).
  2. Review — affected functions review and comment. Reviewer roles are defined by document type (a production SOP needs production, engineering, QA; a lab method needs QC, QA, regulatory).
  3. Approval — approvers sign the document electronically (or, where wet-ink is still required, on a controlled hardcopy). At minimum, the function that owns the document and an independent QA reviewer sign. Master Production Records require the two-person check per 21 CFR 211.186.
  4. Effective date — the document becomes effective on a defined date. The effective date is the later of: the system release date, the date training has been delivered to all affected roles, and the date any pre-requisite re-validation is signed off.
  5. Distribution / availability — the current version is available at point of use. Obsolete versions are removed from circulation. In electronic systems, distribution is automatic — the current version is the only one a user sees.
  6. Training — every role tagged against the document must acknowledge and, where required, demonstrate competency on the new version before performing affected work.
  7. Periodic review — every document has a stated review interval (typically 2 years for SOPs, 3-5 years for specifications, annually for high-risk procedures). Reviews are themselves controlled events with documented evidence.
  8. Revision — when a change is needed, a new revision opens. The previous version is superseded but retained as an archived record. Revision history is preserved for the document's lifetime.
  9. Obsolescence — when a document is no longer needed, it is formally obsoleted. The record itself is retained according to the retention SOP (typically lifetime of product plus N years); copies in circulation are recalled.

06 Numbering, hierarchy and the documents architecture

A well-structured document hierarchy makes inspections quick and onboarding cheap. The classic three-tier (sometimes four-tier) pyramid:

Tier | Document type | What it answers
Tier 1 | Quality Manual / QMS architecture | What is our quality system? What are our policies? How does it map to the regulations?
Tier 2 | SOPs | Who does what, when, and why? Process-level instructions, function-owned, periodically reviewed.
Tier 3 | Work instructions, forms, templates, methods, specifications | Exactly how is a task performed? What evidence is captured? What are the inputs and outputs?
Tier 4 (optional) | Records | What actually happened on date X? The completed forms, batch records, test results, training acknowledgements.

Document numbering should be stable, meaningful and unique. The most common patterns:

  • Function-prefix + sequential number — e.g. QA-001, PRD-014, LAB-072. Easy to read; weak across sites.
  • Site + function + sequential — e.g. SITE2-QA-001. Solves the multi-site problem; longer to type.
  • Document-type + sequential — e.g. SOP-0001, FRM-0012, MTH-0034. Easy to filter by type.
  • Hybrid — function + type + sequential — e.g. QA-SOP-0001, LAB-MTH-0072. The most flexible at scale.

The numbering scheme should be documented in a controlled SOP (a 'documenting the documents' SOP), and the system should auto-suggest the next available number on document creation to prevent collisions and gaps. V5's hybrid auto-suggest model lets owners override the suggested number when a meaningful name is preferred (e.g. for a flagship document like the QM-001 quality manual).

07 Training enforcement — the kiosk hard-block

An SOP that has been issued but not trained on is, operationally, the same as not having an SOP. Every mature document-control system therefore wires document approval directly into training delivery, and training delivery into operator authorisation.

The minimum defensible chain is:

  1. Each controlled document has a defined audience — which roles need to read and acknowledge it, and which roles need to demonstrate competency on it.
  2. When a new version is approved, training tasks are auto-generated against every operator in those roles.
  3. Training tasks have a due date relative to the effective date (most commonly the same day; some organisations allow up to 30 days for low-criticality documents).
  4. Operators acknowledge the document via e-signature; competency assessments are completed where required.
  5. The kiosk / shop-floor application checks, at the moment an operator tries to start a task, that the operator's training is current on the SOP that governs the task. If not, the task is hard-blocked.

Hard-blocking is the only defence against the most common operator-training citation: 'records show operator X performed task Y on date Z, but operator X had not been trained on the current revision of SOP Y at that time'. With a hard-block in place, that scenario is mechanically impossible.
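The check in step 5, sketched as an added example (not V5 code or any vendor's implementation). The class and function names, the PRD-014 versions and the operator records are all constructed for illustration; the point is that the decision is evaluated against the version effective at task start and fails closed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class DocVersion:
    doc_no: str
    version: int
    effective_from: datetime   # timezone-aware

@dataclass(frozen=True)
class Ack:                     # e-signed training acknowledgement
    operator: str
    doc_no: str
    version: int
    signed_at: datetime        # timezone-aware

@dataclass(frozen=True)
class Decision:
    allowed: bool
    required_version: Optional[int]
    reason: str

def _utc(ts: datetime) -> datetime:
    # Naive timestamps are rejected rather than guessed at.
    if ts.tzinfo is None:
        raise ValueError("naive timestamp rejected: store and compare in UTC")
    return ts.astimezone(timezone.utc)

def effective_version(versions, doc_no, at):
    """Version of doc_no in effect at `at`, or None if nothing is effective yet."""
    at = _utc(at)
    live = [v for v in versions
            if v.doc_no == doc_no and _utc(v.effective_from) <= at]
    return max(live, key=lambda v: _utc(v.effective_from), default=None)

def authorise(operator, doc_no, at, versions, acks) -> Decision:
    """Hard-block decision at task start. Anything short of a matching
    acknowledgement signed before `at` is a block (fail closed)."""
    current = effective_version(versions, doc_no, at)
    if current is None:
        return Decision(False, None, f"{doc_no}: no effective version at task start")
    mine = [a for a in acks if a.operator == operator and a.doc_no == doc_no
            and _utc(a.signed_at) <= _utc(at)]
    if any(a.version == current.version for a in mine):
        return Decision(True, current.version, "trained on current effective version")
    held = f"v{max(a.version for a in mine)}" if mine else "none"
    return Decision(False, current.version,
                    f"{doc_no} v{current.version} not acknowledged (latest held: {held})")

# Constructed sample data, for illustration only.
def _d(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

VERSIONS = [DocVersion("PRD-014", 3, _d(2024, 1, 10)),
            DocVersion("PRD-014", 4, _d(2024, 6, 1))]
ACKS = [Ack("alice", "PRD-014", 3, _d(2024, 1, 9)),
        Ack("alice", "PRD-014", 4, _d(2024, 6, 3)),
        Ack("bob", "PRD-014", 3, _d(2024, 1, 9))]

if __name__ == "__main__":
    for who, when in [("alice", _d(2024, 5, 1)), ("alice", _d(2024, 6, 2)),
                      ("alice", _d(2024, 6, 4)), ("bob", _d(2024, 6, 4))]:
        print(who, when.date(), authorise(who, "PRD-014", when, VERSIONS, ACKS))
```

Note that alice is blocked on 2 June even though she held v3: an acknowledgement of a superseded version, or one signed after the task start time, does not satisfy the check.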

08 Electronic document control — Part 11, Annex 11 and ALCOA+

Electronic document-control systems must meet the same requirements as paper systems, plus the additional electronic-records / electronic-signatures requirements of 21 CFR Part 11 and EU GMP Annex 11. The non-negotiables:

  • Unique user identity — every action is tied to one identified person; shared logins are prohibited.
  • Role-based access — users can only perform actions their role authorises (author, reviewer, approver, viewer).
  • Electronic signatures — meeting Part 11 §11.50 / §11.70 / §11.100 (manifestations, linking, certification).
  • Audit trail — every create, edit, review, approval, distribution, training acknowledgement and obsolescence event is logged with timestamp, user identity and reason. Audit trail is immutable.
  • Time-zone discipline — timestamps are stored in UTC and displayed with explicit time-zone context. Servers are time-synchronised to an authoritative source.
  • Backup and restore — backups are taken, tested and documented. A documented restore procedure exists and is exercised periodically.
  • Periodic review of the audit trail — risk-based, but at minimum the document-control administrator reviews unusual activity (after-hours edits, mass deletions) on a documented cadence.

ALCOA+ principles apply to every controlled document: Attributable, Legible, Contemporaneous, Original, Accurate — plus Complete, Consistent, Enduring and Available. A document-control system that breaks any one of these on upgrade (typically Enduring or Available) is itself a data-integrity event.
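An added example (not V5 code, and not a statement of how any product implements Part 11) of two properties from the list above: a signature whose payload embeds the document number, version and content hash, and an audit trail in which each entry commits to the one before it. HMAC-SHA256 stands in for whatever signing mechanism the system actually uses; the key, document contents, user names and function names are constructed.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # 'previous hash' for the first audit-trail entry

def canonical(obj) -> bytes:
    # Stable byte encoding so the same fields always hash the same way.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def signed_payload(doc_no, version, content: bytes, signer, meaning, signed_at_utc):
    # Everything the signature must be tied to goes inside the signed bytes.
    return {"doc_no": doc_no, "version": version,
            "content_sha256": hashlib.sha256(content).hexdigest(),
            "signer": signer, "meaning": meaning, "signed_at": signed_at_utc}

def sign(key: bytes, payload: dict) -> dict:
    mac = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}

def signature_covers(key, sig, doc_no, version, content: bytes) -> bool:
    """True only if sig is intact AND was made over exactly this
    document number, version and content."""
    p = sig["payload"]
    expected = hmac.new(key, canonical(p), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(expected, sig["mac"])
            and p["doc_no"] == doc_no
            and p["version"] == version
            and p["content_sha256"] == hashlib.sha256(content).hexdigest())

def append_event(trail: list, event: dict) -> None:
    # Each entry's hash covers the previous entry's hash plus this event.
    prev = trail[-1]["hash"] if trail else GENESIS
    digest = hashlib.sha256(prev.encode() + canonical(event)).hexdigest()
    trail.append({"event": event, "prev": prev, "hash": digest})

def first_broken_entry(trail: list):
    """Index of the first entry that no longer matches the chain, or None."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        digest = hashlib.sha256(prev.encode() + canonical(entry["event"])).hexdigest()
        if entry["prev"] != prev or entry["hash"] != digest:
            return i
        prev = entry["hash"]
    return None

# Constructed sample data, for illustration only.
KEY = b"constructed-demo-key"
V3 = b"QA-SOP-0001 v3: hold time 30 min"
V4 = b"QA-SOP-0001 v4: hold time 45 min"

if __name__ == "__main__":
    sig = sign(KEY, signed_payload("QA-SOP-0001", 3, V3, "a.approver",
                                   "approval", "2024-06-01T09:00:00Z"))
    print("covers v3:", signature_covers(KEY, sig, "QA-SOP-0001", 3, V3))
    print("covers v4:", signature_covers(KEY, sig, "QA-SOP-0001", 4, V4))
    trail = []
    for action, user in [("create", "j.author"), ("review", "q.reviewer"),
                         ("approve", "a.approver")]:
        append_event(trail, {"at": "2024-06-01T09:00:00Z", "user": user,
                             "action": action, "doc": "QA-SOP-0001 v3",
                             "reason": "periodic review"})
    trail[1]["event"]["user"] = "someone.else"   # simulated after-the-fact edit
    print("first broken entry:", first_broken_entry(trail))
```

A hash chain makes edits detectable, not impossible: the latest hash has to be recorded somewhere the trail's own administrators cannot rewrite, and re-verified after every upgrade or migration.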

09 Supplier-facing and external documents

Two categories of documents create the most confusion: documents we send to suppliers (Quality Agreements, supplier questionnaires, audit reports we issue) and documents suppliers send to us (CoAs, ISO certificates, supplier change notifications). Both need to be under control, but the workflow is different from internal SOPs.

A unified documents table — one source of truth with an 'audience' field (internal / supplier / both) — keeps the lifecycle consistent while letting the supplier portal show suppliers only their own documents. Supplier-issued documents (incoming CoAs, ISO certificates) live in a separate supplier-documents table because their lifecycle (received, verified, expired) is different from ours and the version control is owned by the supplier, not us.

10 Periodic review — proving the document is still right

Every controlled document needs a defined periodic-review interval, and the system must enforce it. The principle is simple: a document that has not been reviewed against the current process, regulations and risks for years is not really controlled — it is just old.

Common intervals:

Document type | Typical interval | Notes
Quality Manual | Every 2-3 years | Or sooner on major regulatory change.
SOPs (production, lab, QA) | Every 2 years | Sooner for high-risk procedures.
Work instructions | Every 3 years | Often reviewed with the parent SOP.
Forms / templates | Every 3-5 years | Or when the parent process changes.
Specifications | Every 3-5 years | Trigger immediate review on new pharmacopoeial revision.
Analytical methods | Every 3 years | Trigger immediate review on USP/EP/JP revision.
Validation Master Plan | Every 2-3 years | Or after major facility / system change.
Risk-management file (devices) | Annually + on change | ISO 14971 expects continuous post-market review.
Quality Agreements | Every 2-3 years | Or on supplier change.
Training materials | When parent document changes | Plus periodic effectiveness check on training outcomes.

The periodic-review record itself is a controlled record. It documents who reviewed, what they reviewed against (current regulations, current process, recent CAPAs/deviations related to the document), the conclusion (no change / minor revision / major revision) and the next review date.

11 Common failure modes and 483 themes

Reading three years of FDA Warning Letters surfaces the same document-control failures repeatedly:

  • Obsolete documents still in use — old SOPs found in production binders, or operators bookmarking obsolete versions in the file share.
  • Training lag — current SOP is effective, but several operators have not yet acknowledged it; production continues anyway.
  • Missing periodic reviews — SOPs marked 'review every 2 years' that were last reviewed 4 years ago.
  • Mismatched paper and electronic — the electronic system shows v4 as current, but production has a printed v3 in the binder.
  • Uncontrolled spreadsheets used in QC calculations or release decisions.
  • Approval signatures that cannot be tied to the document version that was in effect at the time — usually the result of a poorly-implemented e-signature where the version is not embedded in the signed payload.
  • Audit-trail gaps after a system upgrade — historical edits no longer accessible or no longer attributable.
  • External standards (USP, ISO, pharmacopoeial monographs) used as reference but not version-controlled — the lab is still using a superseded monograph.
  • Labels and translations managed outside the document-control system, leading to label mismatches that trigger recalls.

Each of these is preventable with workflow discipline plus a system that enforces the right behaviours by default. Manual document control across more than ~50 SOPs almost always degrades into the patterns above.

12 Metrics that matter

A management-review-grade document-control programme tracks at least six metrics, trended monthly:

  • Number of controlled documents by tier and by document type — the size of the controlled estate.
  • Number of documents overdue for periodic review — the most diagnostic single metric; should trend toward zero.
  • Average days from draft to effective — cycle-time indicator.
  • Training completion rate on the current version of each document — should be ≥ 95% within the training window.
  • Number of operator authorisation blocks raised by the kiosk against expired training — indicates onboarding and re-training gaps.
  • Number of document-control-related CAPAs and deviations opened — high count indicates systemic gaps in the lifecycle.

13 How V5 Ultimate handles document control

V5's document control is built around three principles: one source of truth, hard enforcement at the point of work, and explicit linkage between documents, training, change control and the kiosk.

  • Single documents table — SOPs, work instructions, forms, master records, supplier-facing documents, Quality Agreements and training materials all live in one table with consistent lifecycle, role-based access and audit trail. Separate supplier-documents tables hold incoming third-party documents whose lifecycle the supplier owns.
  • Hybrid numbering — auto-suggests the next available number per category, with override for meaningful names. Numbering scheme is itself a controlled SOP.
  • Lifecycle states are first-class: draft → review → approved → effective → superseded → obsolete. Each transition is e-signed and audit-trailed.
  • Two-person e-signature is enforced for Master Manufacturing Record approvals (per 21 CFR 211.186) and configurable for any other document type.
  • Training is wired to documents through role-based assignment. New revision = auto-generated training tasks against every operator in affected roles. Training tasks have configurable due dates relative to the effective date.
  • Kiosk hard-block — any work step against an SOP the operator has not acknowledged on the current effective version is blocked. The block surfaces the gap and the one-click route to acknowledgement.
  • Periodic-review enforcement — every document carries a next-review-due date. Approaching due dates trigger reminders; overdue documents appear on the QA dashboard and in management review.
  • Approved-formula / approved-MMR immutability — once approved, the master record cannot be edited. Any change creates a new version that itself requires two-person e-signature; the version diff is preserved for audit.
  • Audit trail is immutable and survives application upgrades. Upgrade-time data migrations are change-controlled and produce pre/post integrity reports.
  • Distribution is automatic in electronic form — the kiosk and the platform show only the current effective version. Hardcopy distribution, where used, is logged and recalled on revision.
  • Audience flag (internal / supplier / both) controls visibility on the supplier portal, so suppliers see only their own documents and Quality Agreements.

Frequently asked questions

Q. Is document control the same as records management?

No — they are siblings. Document control manages the lifecycle of controlled documents (SOPs, specifications, master records — templates and instructions that drive work). Records management governs the records produced by performing the work (completed batch records, test results, training acknowledgements). The two systems intersect at the form: the controlled form template is a document, the filled-in form is a record. Both must be controlled, both have retention requirements, but the lifecycles are different and most QMS architectures treat them as related but distinct subsystems.

Q. How long do I have to retain controlled documents?

Depends on the document type, the product type and the jurisdiction. 21 CFR 211.180 sets the floor for drug records at 'at least 1 year after the expiration date of the batch' (or 3 years from distribution for OTC drug products). 21 CFR 820.180 sets the floor for device records at 'a period of time equivalent to the design and expected life of the device, but in no case less than 2 years'. EU GMP typically requires 5 years (or 1 year past product shelf life, whichever is longer). For some products (advanced therapies, blood products) retention is 30 years or lifetime. A defensible retention SOP defines the retention period per document type and per product family, and the system enforces it automatically.

Q. Do I need wet-ink signatures or are e-signatures enough?

E-signatures are sufficient if they meet 21 CFR Part 11 (US) or EU GMP Annex 11 (EU). The non-negotiables: unique user identity, signature linked to the signed record so it cannot be excised, signature manifestation visible on the signed record, signed records protected from unauthorised modification, and a signed certification on file with FDA that the organisation's e-signatures are intended to be the legally binding equivalent of handwritten signatures (Part 11 §11.100(c)). Some legacy regulatory commitments (e.g. specific country variations) still require wet-ink — a defensible system supports both.

Q. Who owns document control — QA, IT or each function?

QA owns the document-control system, its governance and the approval workflows. IT owns the underlying technology platform. Each function owns the content of its own documents — production owns production SOPs, QC owns lab methods, etc. The split is critical: if QA owns content, SOPs drift from operational reality; if functions own governance, control degrades. The system should make this split explicit through role-based access — function authors, QA approves, both are bound by the same lifecycle.

Q. How do I handle external standards — pharmacopoeial monographs, ISO standards?

Reference them in the internal documents that depend on them, but treat the external standard itself as a controlled-external-document with a documented current version, a periodic review of whether a new version has been issued, and an impact assessment when a new version is published. A spreadsheet listing 'all external standards we depend on' with current version and last-review date is the minimum viable control. Many regulated organisations subscribe to a current-awareness service that alerts on new pharmacopoeial / ISO / regulatory-guidance releases against a watchlist they maintain.

Q. What is the difference between superseded and obsolete?

A superseded document has been replaced by a newer version of the same document — the document number lives on, the version increments. An obsolete document is one that is no longer needed at all — the document number is retired and no future version will be issued. Both states retain the historical record; both remove the document from active circulation. The distinction matters for traceability: a batch record that referenced SOP-001 v3 should still be readable years later when SOP-001 has reached v7, and equally when SOP-001 has been obsoleted entirely.

Q. How does document control interact with change control?

They are joined at the hip. Every controlled-document revision is a change-control event (in some QMS architectures the change-control entry is implicit and lightweight for low-risk document updates; in others it is always explicit). Every major change-control entry produces one or more controlled-document revisions as deliverables. The two systems should reference each other directly — the change-control entry lists the documents it revises; each document revision lists the change-control entry that authorised it. See our companion page on change control for the change side.

Q. Can I use Microsoft SharePoint / Google Drive as my document-control system?

Technically yes, but it is rarely defensible at scale. SharePoint and Google Drive can store documents, version them and apply access controls. They do not, out of the box, enforce Part 11 / Annex 11 e-signatures with linked signature manifestations, role-based approval workflows tied to document type, training-task generation, kiosk integration, or periodic-review enforcement. Organisations that try to make a generic file system into a QMS-grade document-control system end up writing extensive custom workflows and validation packages — which often costs more than a purpose-built QMS and is harder to defend at inspection. For more than ~50 controlled documents and any GxP-relevant work, a purpose-built system is the right answer.
