There is a phrase beloved by quality professionals and feared by everyone else: “If it isn’t documented, it didn’t happen.” This isn’t a philosophical position. It’s not a personality quirk. It is, in fact, the entire premise of clause 4.2.1 of ISO 13485 — and once you understand why, you will never look at a Post-it note the same way again.
Clause 4.2.1 lays out the general requirements for your QMS documentation. Think of it as the constitution for your paperwork — it doesn’t contain every law, but it establishes the framework within which all other documents must exist. Without it, you don’t have a quality system. You have a collection of well-intentioned habits and a folder on the shared drive that nobody has opened since 2019.
What §4.2.1 Actually Requires
Your documented QMS must include, at minimum:
- A quality policy and quality objectives (more on those in §5.3 and §5.4.1 — consider this a teaser)
- A quality manual (yes, still — §4.2.2 will elaborate, and yes, you still need one)
- Documented procedures required by the standard — and ISO 13485 requires quite a few of them
- Documents needed to ensure effective planning, operation, and control of your processes
- Records required by the standard (§4.2.5 will cover those in excruciating, necessary detail)
- Any additional documentation required by applicable regulatory requirements — because ISO 13485 alone is never the whole story
Notice that last point. ISO 13485 is not a ceiling; it’s a floor. If the FDA, MDR, or any other regulatory body in your target markets requires additional documentation, clause 4.2.1 reminds you that those requirements also live in your QMS. Surprise! Your documentation system is bigger than you thought.
Why This Clause Matters More Than It Sounds
Here’s a scenario: your company has an excellent, highly skilled manufacturing team. They build consistent, high-quality product. They’ve been doing it for years. They could do it in their sleep. And one day, three of them retire in the same quarter, and suddenly nobody can explain why the torque specification is what it is, or what to do when the humidity in the clean room spikes, or why that one supplier was approved and the slightly cheaper one wasn’t.
Documentation is institutional memory. It’s the answer to “but how do we actually know that?” It transforms individual expertise — which is fragile, mortal, and prone to taking other job offers — into organisational knowledge that survives personnel changes, audits, and the occasional restructuring.
More practically: without a documented system, your processes are unverifiable. An auditor cannot audit a vibe. A regulator cannot approve a tradition. A customer cannot trust “we’ve always done it this way.” Documentation is what makes your quality system real, repeatable, and defensible.
Practical Takeaway
Don’t build your documentation system around the audit. Build it around the question: “If the person who knows this left tomorrow, could someone else do it correctly?” If the answer is no, you have a documentation gap. Start there.
Also: conduct a simple inventory of what you currently have documented versus what §4.2.1 (and the rest of the standard) requires. The gap analysis doesn’t need to be fancy — a spreadsheet is fine. What you’re looking for is anything critical that exists only in someone’s head or in an email thread from 2021. Those are your risks. Document them out of existence.
Up Next
Next week, we turn our attention to §4.2.2 — the Quality Manual. Yes, it’s still required. No, it doesn’t need to be 200 pages. Yes, we will discuss why some quality manuals read like they were written to confuse auditors rather than guide employees. See you then.
This post is part of an ongoing series breaking down every clause of ISO 13485 with accuracy, mild exasperation, and the occasional moment of genuine appreciation for the standard’s better ideas. Whether you’re preparing for certification or just trying to understand what your QA team is on about, you’re in the right place.