A guide to document control for medical device developers


Are you ‘just managing’ your documents or are you in control?

As medical device projects become more complex and critical audits loom, a lack of document control can threaten your future success.

Companies who are using paper-based systems or managing their documents with a mix of Google Docs, DropBox and DocuSign can find themselves unable to keep pace with the demands of ISO 13485:2016 and FDA compliance.

This page explains the difference between document management and document control - and why it matters to the pace and success of your medical device development project.

We explore:

  • Why managing projects with Google Drive, DropBox and email is risking the future of your projects and products
  • Why you need control over your entire document lifecycle
  • Why document controls are central to gaining ISO 13485 and FDA compliance
  • Why digital document controls are vital to producing safe and effective medical device products
  • What tools you need for seamless document control
  • How a Document Control System can be right-sized to your needs

It’s a guide to what a scaling medical device company needs to know to improve their digital controls, meet the regulation, gain the required standards - and remain compliant - as they bring safe and effective products to market.




Introduction to document control for med dev developers

What is document control for medical device developers?

Document controls bring order to complex medical device projects. They are the processes and procedures that ensure documents in a company are created, approved, distributed, and archived in a systematic way throughout their lifecycle. Document controls are central to the quality management standard ISO 13485:2016, as well as FDA 21 CFR Part 820 and the MHRA GxP. They are key to minimising the risk of product failure and harm to patients.

Are you ‘just managing’ your documents, or are you in control?

File-sharing platforms like Google Drive and DropBox are all that firms in some sectors need to manage their business documents. They let teams collaborate across devices, sharing new ideas and comments on files with selected colleagues and third parties.

Other companies need more. They need to structure their filing to prevent overwriting and improve search. They need robust storage, versioning and indexing solutions to help manage their business effectively.

If you’re working in the medical device industry: you need more

Medical device developers need the most robust digital tools in place to keep their complex projects on track. They need to ensure documents can be kept secure, formally reviewed, approved and released to prevent dangerous lapses and mistakes in process. They need to ensure procedures are followed, while recording evidence that products have been built to required safety standards. They need to make the full records of their development processes available to auditors on demand.

They don’t just need to manage their documents - they need to control them.

It’s helpful to think of this like a pyramid, a hierarchy of information management needs, with the med dev sector needing access to the highest levels of control to deliver required quality outcomes.

Document management vs document control?

What’s the difference between document management and document control?

Document management is about storing, sharing, and tracking documents to improve the efficiency of your operations. But document control is about marshalling the flow of knowledge and data in your organisation through workflows. It’s about automating and streamlining the way you handle critical information, to minimise the risk of product failure and harm to patients.

Why medical device companies need to be at the top of the information management pyramid

The stakes are high in medical device development

A typical med device product now takes between 3 and 7 years to come to market.
Failing audits can result in delays to launch, recall of products, costly reworking of procedures and heavy fines for noncompliance. The financial cost of quality failure in med dev has been estimated by McKinsey at $2.5 billion - $5 billion annually.

Document control can be a life and death matter

But the potential human cost of medical device failure can be even more devastating, as your customers can be seriously injured, or even die, as a result of malfunctioning products.

The ISO standard and FDA regulation, therefore, focus on the way requirements are met, outputs are continually validated against inputs, and risk is managed throughout the product lifecycle.

Accountability and traceability loom large in the med dev regulatory landscape.

The document controls required by the standards and regulation are exacting, to ensure the ultimate safety of end-users.

There are more mandated processes and procedures for you to define and follow than in other quality standards such as ISO 9001:2015. These include:

  • Risk management
  • Change control
  • Design controls
  • Customer complaint procedures
  • CAPA reporting
  • Post-market surveillance 

Documentation is critical to FDA and ISO 13485 compliance

“In my career, working with big corporates developing new medical devices, I’ve seen how a fragmented approach to quality can result in documentation that’s an absolute mess. I’ve seen companies battling with vast and complicated eQMS, which had grown out of control over time. Anyone who has been part of an organisation that’s not controlled its documents from early on knows the struggle involved in retrospectively trying to ‘make it compliant’.”

Shaun Knight, Callaly

For medical device developers, documentation should define and control the entire way they work.

They are the plans and specifications that show the business how they build their devices and how they must function when they are built to be safe and effective. They are the written processes and procedures that detail ‘how you do things’ to control the risk of non-conformances and meet regulatory requirements.

They are the evidence that proves to auditors that products have been built correctly and exactly to the required specifications. They are the evidence that quality issues have been investigated and resolved to protect patients from future harm.

Documentation defines and demonstrates how your business always meets required quality standards throughout the development and production cycle, so it must be properly protected and controlled.

To do this you’ll need digital tools with capabilities that far outstrip those offered by generic software solutions supplied by Google or Microsoft.

Can you use Google Drive to build a QMS?

In the last few years, enterprise solutions created by Google, Microsoft One Drive, DropBox and Box have started offering packages with many more document management features included.

They’re offering more sophisticated version control capabilities to keep track of changing documentation, tools for limited workflow automation and digital signature integration, as well as the collaboration tools they have always excelled at. In doing so they’re becoming more than simply file-sharing platforms and becoming better at document management.

But they’re still falling short on delivering the granular control throughout the document lifecycle that is required for an effective med dev Quality Management System.

What is document lifecycle management and why does it matter?

The document lifecycle is the stages that a document goes through from when it is created, to when it is archived or deleted at the end of its useful life.

If you’re using a paper-based filing system or a mix of digital platforms to drive your med dev project, omissions and mistakes can easily go unspotted and uncorrected over time. This, in turn, can lead to serious quality and compliance issues later on.

But if you have control over the entire lifecycle within an Electronic Document Management System (eDMS) you can automate the flow of information and data, closing process gaps - ensuring quality and consistency in the way you develop your products.

An eDMS retains the integrity of the data and knowledge vital for the production of safe and effective products even as your documents change and evolve.

The right eDMS is vital to help you build an ISO 13485 compliant Quality Management System and meet the demands of the FDA.


Are you in control of your document lifecycle?

What are the document control requirements in ISO 13485:2016 and FDA 21 CFR Part 820?

Document control in ISO 13485

ISO 13485 requires you to control documents and records to ensure you are building safe and effective products. Implemented correctly they are intended to give you complete traceability of your decision making processes from the start to finish of your medical device development project.

What’s the difference between records and documents?

All records are documents, but not all documents are records. As ISO state:

"Records are documented information that is “retained” and documents are documented information that is “maintained”. A form is a document, when the form is filled out it becomes a record.” Documents can be revised and changed, whereas records don’t (and must not) change."

In this typical structure of a medical device QMS, each layer of documentation stored in the QMS guides the consistent production of the ones beneath. The quality policy and manual define roles and responsibilities and direct the production of your SOPs (standard operating procedures). These, in turn, ensure the consistent production of plans, specifications and engineering change requests. Records like your Design History File (DHF) and Device History Record (DHR) record evidence that you have executed your design and development process as intended.

Figure: QMS documentation for ISO 13485

Effective control and distribution of documentation at every level of the hierarchy ensures that consistency and quality cascades downwards throughout the product lifecycle, even as the volume of documents you are generating increases.

With the required automated document controls in place you can ensure the integrity of all these documents and records is consistently maintained throughout the lifecycle.

ISO 13485 specifies how you must control documents

  • Review and approve documents for adequacy prior to issue;
  • Review, update as necessary and reapprove documents;
  • Ensure that the current revision status of and changes to documents are identified;
  • Ensure that relevant versions of applicable documents are available at points of use;
  • Ensure that documents remain legible and readily identifiable;
  • Ensure that documents of external origin, determined by the organization to be necessary for the planning and operation of the quality management system, are identified and their distribution controlled;
  • Prevent deterioration or loss of documents;
  • Prevent the unintended use of obsolete documents and apply suitable identification to them.

ISO 13485 specifies how you must control records

  • Records shall be maintained to provide evidence of conformity to requirements and of the effective operation of the quality management system.
  • The organization shall document procedures to define the controls needed for the identification, storage, security and integrity, retrieval, retention time and disposition of records. The organization shall define and implement methods for protecting confidential health information contained in records in accordance with the applicable regulatory requirements.
  • Records shall remain legible, readily identifiable and retrievable. Changes to a record shall remain identifiable.
  • The organization shall retain the records for at least the lifetime of the medical device as defined by the organization, or as specified by applicable regulatory requirements, but not less than two years from the medical device release by the organization.

Document control in 21 CFR Part 820

The FDA specify similar document controls in their regulation, as well.


820.40a outlines the following QMS requirements for document approval and distribution:

  • Each manufacturer shall designate an individual(s) to review for adequacy and approve prior to issuance all documents established to meet the requirements of this part.
  • The approval, including the date and signature of the individual(s) approving the document, shall be documented.
  • Documents established to meet the requirements of this part shall be available at all locations for which they are designated, used, or otherwise necessary, and all obsolete documents shall be promptly removed from all points of use or otherwise prevented from unintended use.

Meanwhile, 820.40b concentrates on the detail of required document change control.

  • Changes to documents shall be reviewed and approved by an individual(s) in the same function or organization that performed the original review and approval, unless specifically designated otherwise.
  • Approved changes shall be communicated to the appropriate personnel in a timely manner.
  • Each manufacturer shall maintain records of changes to documents.
  • Change records shall include a description of the change, identification of the affected documents, the signature of the approving individual(s), the approval date, and when the change becomes effective.



Document Control through e-signatures in FDA 21 CFR Part 11

Medical device development requires a whole different level of document approval and change control than other quality standards like ISO 9001:2015.

Developers need a cast iron way to prove who has signed off on what documents and when, and make every decision in a development process trackable and traceable.

Because of this, FDA 21 CFR Part 11 specifies exactly how electronic signatures need to be configured and deployed by medical device developers to guarantee the security and the effectiveness of their document controls.

The FDA require you to protect e-signatures from falsification and misuse, by ensuring:

  • Only administrators can control the use of e-signatures in the system
  • E-signatures remain unique to individuals
  • E-signatures are password protected (with passwords changed frequently)
  • Authentication takes place when they are used
  • An approval can always be linked to a specific individual
  • Documents show the printed name of the signatory
  • Documents always show the date and time a signature was applied
  • Documents show the meaning of the approval - i.e. what the signatory intended
  • The signing event is added to the documents’ secure audit trail
  • The signature cannot be removed once it is applied

These requirements for document control via e-signatures help to manage the integrity of the information within your quality management system.

They ensure documents can be:

  • Approved and reapproved by appropriate people when required
  • Protected from unauthorised change throughout their lifecycle
  • Backed by a full audit trail proving who approved each iteration of a document and when


Why you need document control software now

Automation with the right document control software can help you marshal your processes to deliver safe and effective medical device products in the required way. It can cut the risk of omissions, delays and mistakes, making auditing a more efficient and painless process.

Right now, the required pace and complexity of medical device development projects make it an absolute necessity. Faster innovation in the sector is being driven by urgent challenges like Covid-19 and a rapidly ageing population, while strides in new technology like SaMD and IoT are making development, validation and testing much more complex and time-consuming.

Paper-based systems are groaning under the strain - and Google Docs just can’t deliver the level of required control you need.

So, what are the key features you should look for in eDMS software to give you maximum velocity and control?

11 must-have features of medical device document control software

1. Security

The tools for managing a digital hierarchy of access control are critical to ensuring that everyone in your organisation has secure and rapid access to the material they need to do their job.

You need the right people to be able to find and share data easily, but you also need to keep sensitive medical data secure. An electronic document management system built to the standards of ISO 27001 should give you confidence that you can prevent lapses and leaks that lead to extra work and fines.

2. Flexible workflows

One size fits all workflows won’t work for a scaling med dev business. Document control software gives you complete control over workflows for different document types so you’re always working in a way that suits you.

It helps to have templates for mandated SOPs such as complaint management, nonconformance reporting and CAPA - but you still need the ability to configure them to match the way you want to work. Flexibility with workflows is critical if you don’t want to be unnecessarily tied into a vendor’s way of doing things.

3. Intelligent review and approval tools

Intelligent rules for required review and approval make information flow through at the right time to the right people. This is important in med dev where a huge amount of mission-critical data is shared daily between teams. Great document control software makes this process as Lean and slick as possible through:

  • Conditional routing options
  • Parallel routing options to send documents to a group or named individuals all at once
  • Reminders to notify users about upcoming and overdue document approvals
  • Automation of periodic review of key documentation (SOPs etc)

The right solution will ensure your people and their teams are alerted when they need to act. It will automate review processes and offer e-signature approvals to eliminate the long waits for multiple sign-offs that can haunt a manual process.

The right electronic review and approval tools will help you strip back unnecessary communications and the background noise that can distract a team from getting work done.

4. Control over metadata

Metadata helps you categorise, search, filter and report on documents more effectively. The right solution will let you add metadata as needed, adding unique fields, categories and keywords to your system, linking documents, speeding up search and audit, and ensuring vital knowledge and data does not get lost or ignored. In a powerful document control system, metadata can even be used to trigger process workflows, helping you customise your solution in ways that always answer your specific project needs.

5. Seamless knowledge sharing

Document controls help you build a hub of organisational knowledge that everyone in your business can refer to for guidance and training. The right solution helps you make all training and process documentation available in the most suitable format for its purpose (from written documents, photos, videos, to flow diagrams). Document controls ensure this material is always usable, up-to-date and available whenever and wherever it is needed.

6. Document phase-gating for design controls

Medical device developers need to phase gate their design process for ISO 13485 and FDA Part 820 compliance. This means marshaling lots of complex documentation to support cycles of planning, execution and review; continually validating deliverables against designs and user requirements.

‘Document holders’ should be used to assemble required documentation for each phase of a development process (including user specs, engineering designs, validation matrices), triggering approval sequences when the right documents are in place and completed. When approval is given from all stakeholders, documents can then be formally published and the next phase of the project started.

Automating design controls and creating vital STOP/GO moments in your process optimises your use of resources, minimises validation errors, and ensures your whole team is always focusing their effort where it’s needed most.

7. Robust version control and obsolescence processes

These processes should drive consistency, efficiency and control to ensure the ease of navigation in your system and reduce mistakes. A great piece of document control software ensures:

  • There is only one master version of every document visible in your system at any time
  • New documents replace old ones and previous documents are held until they are superseded
  • Current issues, obsolete and superseded versions of documents are clearly labelled and watermarked in your system
  • Documentation no longer required can be archived correctly for retrieval as required by the regulation

8. Change control tools

Document change control prevents scope creep, unauthorised work, and dangerous mistakes. The right automated process helps you ensure change requests go through required sequences of scrutiny by key stakeholders before they are accepted.

The nature of these changes and who approved them will then be instantly recorded as part of your audit trail. When changes are made they can be automatically reviewed by key stakeholders at a later date, to ensure they have had their intended effect.

9. Forms should come as standard

A great document control system should let you set up forms to automate mandatory SOPs such as CAPA, Change Control, training attestation, complaints and calibration. These forms should be templated, but flexible enough for you to edit, creating your own drop-down menus, labels, free form boxes etc, so you’re capturing the information you need to drive your unique process as efficiently as possible.

10. E-signatures built-in

FDA 21 CFR Part 11 and MHRA’s GxP require changes and approvals to quality documentation in a digital system to be signed off with e-signatures. These e-signatures should be:

  • Controlled by administrators to ensure they cannot be misused or falsified
  • Unique to individuals
  • Authenticated in certain ways every time they are used

Records of sign-off, including the date and time of approval, as well as the identity of the signatory, should be automatically added to documents in their audit trail.

The right document control software shouldn’t rely on expensive third-party digital signature integrations but should have a compliant solution built-in.

11. Traceability

With the right document controls in place, you should have complete accountability and traceability throughout your product development process. You should be able to see the details of every change made to every quality document in unalterable audit trails.

In medical device development this is essential so that the source of non-conformities in products can be rapidly traced and corrected.

As medical device scandals such as PIP and Theranos continue to break and force changes in legislation - companies need to ensure they have complete transparency around process, clinical evidence and compliance. Not only is this a requirement for regulators but it will reassure investors that your innovations are safe and efficacious.


But can your document control procedures be right-sized to your needs?

What’s the best way to control your documents?

For businesses in some sectors, it is enough to have the most basic controls of their documentation. The ability to share files quickly for internal and external collaboration is a priority, together with a way to track changes and restrict access as required.

But medical developers who are scaling need more. They need the digital solutions that can help them comply with ISO 13485 and FDA 21 CFR part 11 - but in the most effective and efficient way possible.

There are different options for medical device developers who need to bring their development process under control in the required way. But which ones will help you bring the appropriate level of control and compliance to your business? And which ones could leave you overwhelmed by unnecessary bureaucracy, or worse, ill-equipped for the challenges ahead?

Medical device QMS - what are your options?

Use Google Drive, Box or DropBox?

Using a mix of the workflow tools in the enterprise versions of Google Docs, DropBox integrated with email and something like DocuSign for approvals, may seem like a cheap and straightforward way to organise your system.

When it comes to organising multiple approvals and managing phase gating scenarios you’ll struggle to get the level of granular control you’ll need.

Without a ‘single source of truth’, a single platform in which you can create workflows and keep records of all your activity, you’ll also struggle to demonstrate to auditors that you are building your products in the required way.

Buy a dedicated heavy duty eQMS?

“The risk with many eQMS is that they are over complicated and difficult to customize. Medical device eQMS often come with one size fits all templates, which demand developers work in particular ways that often aren’t even demanded by the regulation.”

Shaun Knights, Callaly

Faced with the need to build an ISO 13485 compliant QMS other development companies are tempted by the ‘heavy-duty’ eQMS options on offer.

These might be the kind of solutions deployed by large corporations with global operations. If you choose these systems they may require you to work in certain ways, to build SOPs, CAPA and nonconformance processes that can be far in excess of what is actually required by the regulation.

And as one of our clients wrote recently in a LinkedIn article, that way madness can lie:

"By having procedures which require well beyond the given regulation, you are not only ‘over-processing’ and doing more work than is necessary, but you have given yourself a higher risk of non-compliance due to the size of your documented process. It’s unrealistic to believe that every employee in every site will be following every paragraph of your 60+ page procedures and that is how nonconformances arise."

These ‘one size fits all’ quality management systems can be highly restrictive for companies who have already developed processes and procedures that exactly suit their unique project and the way they want to work.

Choose a LEAN eDMS

A LEAN eDMS can offer a digital framework for an ISO 13485 compliant Quality Management System that can help bring order to a complex and potentially risk-laden project.

They can cut out the wasted time of a manual review and approval process, help you strip out unnecessary bureaucracy from the way you work, while keeping you laser-focused on producing the documentation you need to drive your product forward.

They will help you impose the controls that will support the way you want and need to work - leading to safe, effective products and stress-free audits:

  • Store and index all your documentation in one place
  • Support every format of document (CAD files, videos, MS office)
  • Define your Standard Operating Procedures (SOPs) in the way that works for you
  • Have only one master version of each document visible at any time
  • Control access hierarchies/edit rights across your system
  • Automatically create compliant audit trails for every document
  • Impose your required engineering change control process
  • Impose design controls through phase-gating tools
  • Integrate FDA 21 CFR part 11 compliant signatures

A LEAN eDMS will give you access to the document control levers you need to create a compliant medical device Quality Management System, without forcing you to work in ways that will slow you down.

“In Cognidox we found a system that was as Lean as we needed it to be. It came with all the controls we needed, including phase gating for design controls and integrated electronic signatures compliant with FDA 21 CFR part 11. But it was also flexible. It was a digital framework for an FDA/ISO compliant eQMS that we could configure to reflect the way we wanted to work.”

Shaun Knights, Callaly
