Picture this: your auditor asks to see the current version of your device assembly procedure. Someone prints it out from a folder on their desktop. Someone else walks over and says, “Oh, we updated that in August.” The first person says, “This IS the updated one.” A third person appears from the back of the room holding a binder. Nobody makes eye contact. The auditor writes something down.
This is what life looks like without effective document control. And §4.2.4 of ISO 13485:2016 exists specifically to prevent this particular flavor of organizational chaos.
What §4.2.4 Actually Requires
The section is clear: you must establish a documented procedure — yes, a document that controls how you control your documents; welcome to QMS life — that covers the following:
- Approval before use. Documents must be reviewed and approved for adequacy before they go into circulation. “I wrote it and it seems fine” is not an approval process.
- Review, update, and re-approval. When documents change, the changes must be reviewed and approved. You need to be able to identify the current revision status and the nature of any changes made.
- Availability at the point of use. The right version of the right document must be available where and when people actually need it. A procedure stored only on the quality manager’s laptop is not “available at the point of use” on the production floor.
- Legibility and retrievability. Documents must remain readable and findable. A procedure scanned sideways into a PDF at 72 DPI and saved as “final_FINAL_v3_USE THIS.pdf” in a folder no one can locate is not controlled documentation.
- External documents. Documents that come from outside your organization — customer specifications, applicable standards, regulatory guidance, supplier drawings — must be identified and their distribution controlled. You can’t assume the version of IEC 60601-1 sitting on a shelf from 2005 is still the one you should be designing to.
- Prevention of unintended use of obsolete documents. When a document is superseded, you must prevent people from accidentally using the old version. Whether that’s removing them from circulation, clearly marking them as obsolete, or locking them in an archive with a big virtual “DO NOT USE” sign — you have to actively manage it.
What Changed from ISO 13485:2003 to ISO 13485:2016
Here’s something worth noting: when ISO 9001 was revised in 2015, it dropped the requirement for a stand-alone documented procedure for document control. The medical device world did not follow suit. ISO 13485:2016 kept the explicit requirement for a documented procedure. This was intentional. Documents in a medical device QMS directly affect whether a device is built correctly and whether patients are protected. The stakes are higher, so the formality remains.
The 2016 revision also sharpened the language around external documents. The 2003 version mentioned them, but 2016 makes it explicit that external documents must be identified and their distribution actively controlled. This matters because the world of medical device development is full of external documents: customer requirements, test standards, regulatory guidance, supplier specifications, and harmonized standards that get updated without fanfare. If you’re designing to a standard that has since been revised, that’s a problem — and it’s a document control problem.
The 2016 version is also more explicit about legibility and retrievability — documents must not just exist but be findable and readable in a practical sense. And the language around preventing the unintended use of obsolete documents was tightened: not only do you need to identify them, you need to take active steps to prevent them from being used.
What This Looks Like in Real Life
The most common document control failures are not complex. They’re almost always one of these:
- Multiple versions in circulation. Someone has a printed copy. Someone has the “current” version saved locally. The official version is on the server. They don’t all match. Cue the auditor writing something down.
- No approval trail. A procedure exists, it’s being used, but there’s no evidence that anyone formally reviewed and approved it. “We all knew it was right” is not documented approval.
- Obsolete documents not controlled. The old version of a work instruction is still accessible in the shared drive, unmarked and indistinguishable from the current one. This is especially dangerous for manufacturing procedures, where someone following an outdated document could produce a nonconforming device.
- External documents not tracked. No one has checked whether the version of the standard referenced in your design controls is still current. Spoiler: it probably isn’t.
- Point of use means nothing. Procedures are locked in a server that operators can’t access from the production floor. The “controlled” document might as well be on the moon for all the good it does during assembly.
Getting document control right doesn’t require an expensive software system (though one can help). It requires a clear process, consistent application, and someone who actually checks that it’s working. Your document control procedure should answer: How are documents created and approved? How are changes made and tracked? How do people find the current version? What happens to old versions? How are external documents managed? If you can answer all of those clearly and point to evidence that it’s actually happening, you’re in good shape.
The Bottom Line
Document control is one of those QMS requirements that feels like administrative overhead right up until it saves you from a serious problem — a nonconforming product, a major audit finding, a device built to the wrong specification. §4.2.4 isn’t asking for perfection. It’s asking for a system where the right people have the right documents at the right time, and where “which version is current?” has a definitive answer that doesn’t require a group negotiation.
Get your documents under control before your auditor makes it a finding. It’s much less fun to fix under pressure.