Good day to all and welcome back to another week of MedTech Compliance Chronicles. This week our topic is document control. It was a difficult choice to decide whether to introduce this topic or the process approach first as they, together, really set the base for everything else in a QMS. From a fundamental standpoint, you have to meet the requirements of your organization, the processes, and then you’ll need to be able to provide evidence that you have met these requirements, document control. While that’s a generalized statement that doesn’t encompass all of the advantages of formally establishing processes and a document control system, it is a good starting point to get the concept across. Your documentation will be heavily scrutinized during audits and are the primary source of evidence you will provide to demonstrate your conformity with requirements.
What is Document Control?
Document control is simply a system to ensure that all documents in your QMS, such as standard operating procedures, work instructions, product specifications, policies, training records, etc, are in a state that they can actually be used in. Depending on the type of document there may be a lot or very few specific requirements for the document. Regardless, there are several general requirements for all documentation that must be controlled. Every controlled document you have must be reviewed for adequacy and approved prior to use, available at all locations it is meant to be used at and you must have a system in place to prevent the use of obsolete documents.
These general requirements cover everything required by Title 21 part 820.40, however, ISO 13485:2016 specifies a few additional we will get into as well. A final note that is not technically required by either regulation or standard but will be expected, is that you follow good documentation practices(GDP). GDP is a whole other topic that goes a bit beyond the scope of this blog but if you are unfamiliar with it, you should definitely research it while establishing your document control system.
General Requirements
As stated prior, the requirements of specific documents vary greatly and that is why the general requirements are, well, so general. As with processes, it is in the details of the specific document that you will see how document control becomes an entire job in itself.
The requirement to review each document for adequacy prior to approval is where you will get into the specific requirements of the document. The person who reviews the document must have adequate competency to do so. Competency, as determined by ISO, is based on education, skills, training and experience or any combination thereof. In plain language, you cannot just give your documents to anyone to sign and say it is good to go. The reviewer must have real knowledge of what they are reviewing and be truly qualified to make a decision that the document is in a ready-to-use state. You may have guessed it already but the reviewer’s qualification itself must be documented, as well as their signature and the date of approval.
The next general requirement is that all documents must be available at all points of use. This is a fairly self explanatory requirement but one that is often forgotten, especially these days when most document creation is digital. Wherever a document is needed to perform some type of work it must be available at that location. While this does not need to be physical, if a computer or tablet is available at the location of use by all means use it, but if the specific process requires the use of a physical copy you must ensure that the most up-to-date copy is always printed and available. Another thing to note here is that as far as the FDA is concerned, all processes within your QMS require at least a documented procedure to be followed while performing the process so you cannot try to make any justifications that a process does not need any documentation.
The final general requirement is that obsolete documents must be prevented from use. They should, in general, be removed from points of use as well but the requirement is just that they be prevented from being used. Obsolete documents are documents which your organization used to use and now no longer does. The vast majority of obsolete documents will come in the form of old versions of updated documents. Whenever a document is updated you must do your due diligence in making sure that all old versions of it are no longer available for employees to use and also that the new version is available to use. We’ll go deeper into this in a later post on change management, for now, this is a good transition into the ISO 13485:2016 specific requirements.
Additional ISO Requirements
ISO 13485:2016 lays out a few additional requirements to document control that, really more just explicitly state implied requirements of what has already been discussed.
Since we were already on the topic of updating documents, one of the ISO specific requirements is that the current revision status of documents be identified. This is usually as simple as giving all controlled documents a number or letter that increases or goes to the next letter every time the document changes. For example you could either start all control documents as version 001 or version A and then when it changes for the first time it would be identified as version 002 or version B. This makes meeting the requirement to prevent obsolete documents from being used much easier and more practical to implement. Do be careful though, you must still either conspicuously mark the old version as obsolete or remove it, you cannot rely on employees seeing the new version number alone.
Two additional ISO specific requirements are that documents remain legible and readily identifiable and that they be prevented from deterioration or loss. Remaining legible and readily identifiable involves writing in appropriate and permanent ink, following GDP and maintaining the organization of the workplace. Preventing loss or deterioration depends on the type of document but can range from storing physical documents in fireproof and waterproof cabinets to having digital documents backed up regularly. The goal of both of these requirements is that the documents remain in usable and auditable condition for the duration of their retention periods.
The last requirement ISO calls out is that external documents be identified and their distribution controlled. While this could seem implied by the larger requirement that QMS documentation be controlled, just be aware of controlled documents of external origin. It is easy to miss updates to external documents because they are not being reviewed and approved by people in your organization and unless you are actively looking for updates, you will likely not be notified. Other than that, you should treat external controlled documents in the same manner you do with other controlled documents.
Conclusion
We have now set the basis to begin developing our QMS. You should now have a solid understanding of what document control is. You should know that a distinguishing feature of controlled documents is that they are reviewed and approved prior to use and are made available at all locations of use. Finally, you learned about some ISO specific requirements that mainly just make it easier or more practical to meet the FDA requirements like maintaining a revision history and the integrity of your documents.
A final note about all documents is that they all must be retained for certain periods of time, even obsolete versions. While the specific amount of time varies depending on the type of document and even the type of device, in general, all documents pertinent to a device’s creation must be retained at least as long as the last device made according to them. For example, if you update version A of a packaging work instruction to version B, you must keep a copy of version A for at least as long as the lifetime of the last device packaged using version A.
Now that we have set a base for building our QMS tune in next week to learn about Management Responsibility!
Comments