
By ArvoDocs Team

How to Set Up Document Control for ISO 13485

A step-by-step guide to building an ISO 13485-compliant document control system — from numbering conventions to review workflows.

Document control is the backbone of ISO 13485. Clause 4.2.4 doesn't just suggest you control your documents — it requires a documented procedure that covers creation, review, approval, distribution, and obsolescence. If your document control process is weak, everything else in your QMS is built on sand.

The good news: setting up proper document control isn't complicated. It's just methodical. Here's how to do it from scratch.

Step 1: Define your document types

Before creating anything, decide what types of documents your QMS will include. Most medical device companies need at least:

  • Quality Manual — your top-level QMS description
  • Standard Operating Procedures (SOPs) — how processes work
  • Work Instructions (WIs) — step-by-step task guides
  • Forms and Templates — blank forms used to create records
  • Quality Records — completed forms, evidence of activities performed
  • External Documents — standards, regulations, customer specs

Map each type to the ISO 13485 clauses it supports. This makes audits dramatically easier because you can trace any clause back to specific documents.

Step 2: Establish a numbering convention

Every controlled document needs a unique identifier. Keep it simple. A common scheme:

[TYPE]-[SEQUENCE] (e.g., SOP-001, WI-042, FRM-015)

Some teams add department or category codes (e.g., SOP-QA-001 for quality assurance SOPs). This is fine for larger organizations but can be overkill for a team under 50 people. Pick a scheme and stick with it — consistency matters more than cleverness.

Version numbering should also be defined upfront. A simple approach: Rev A, Rev B for drafts; Rev 1, Rev 2 for released versions. Or just use numeric versions: 0.1, 0.2 for drafts, 1.0, 2.0 for approved versions.

Step 3: Write your Document Control SOP

This is the most important document in your QMS — the procedure that governs all other documents. It should define:

  • Who can create documents — typically any team member can draft, but the quality team reviews the draft
  • Review and approval workflow — who reviews, who gives final approval (usually quality or management)
  • How changes are handled — change requests, revision history, re-approval requirements
  • Distribution and access — how people get current versions, how you prevent use of obsolete docs
  • Retention and obsolescence — how long you keep records, what happens to superseded versions
  • External document control — how you track standards and regulations you reference

This SOP is itself a controlled document, so it should follow its own rules. Yes, it's a bit meta. That's normal.

Step 4: Set up your review and approval workflow

ISO 13485 requires that documents are reviewed and approved by authorized personnel before release. At minimum, you need:

  • Author — creates or revises the document
  • Reviewer — checks for technical accuracy (often a subject matter expert)
  • Approver — authorizes the document for use (usually quality manager or management representative)

Each role should sign (physically or electronically) with their name, date, and role. If you're using electronic signatures, make sure they meet 21 CFR Part 11 requirements if you sell in the US.

A tool like ArvoDocs automates this workflow — documents move through draft → review → approval → effective states, with notifications and e-signatures built in. If you're doing it manually, create a cover sheet or approval form that travels with each document.

Step 5: Create a master document list

You need a single source of truth that lists every controlled document, its current revision, effective date, and owner. This is your master document list (sometimes called a document register or document index).

Auditors will ask for this. It's one of the first things they review because it gives them a map of your entire QMS. Keep it current — an outdated master list is almost as bad as not having one.

In a QMS platform, this list is generated automatically. If you're using a manual system, assign someone to update it every time a document is created, revised, or obsoleted.

Step 6: Handle obsolete documents

When a document is superseded, you can't just delete it. ISO 13485 requires that obsolete documents are retained (you may need them for investigations or historical reference) but prevented from unintended use. Common approaches:

  • Move obsolete documents to a separate "archive" folder with restricted access
  • Stamp them "OBSOLETE" clearly on every page
  • In electronic systems, change the status so they're clearly distinguished from current versions

Step 7: Train your team

Your document control procedure only works if people follow it. Train everyone who creates, reviews, or uses controlled documents. Keep records of the training (this itself is a quality record under ISO 13485, clause 6.2).

A common audit finding: the document control SOP exists, but half the team has never read it. Don't let that be you.

Start simple, scale later

You don't need 200 SOPs on day one. Start with the essentials: document control, CAPA, management review, internal audit, and your core design and manufacturing procedures. You can always add documents as your QMS matures.

The goal is a system that's actually used — not a library that exists only to satisfy auditors. If your team finds the document control process burdensome, simplify it. The best QMS is the one people actually follow.

Need a head start? ArvoDocs comes with document control workflows pre-configured for ISO 13485. Sign up, create your first SOP, and have a working system before lunch.
