Document Control

What Is Document Control?

Document control is a practice used to ensure that documents created within an organization are reviewed, distributed, tracked, and destroyed in a consistent, organized, and verifiable manner. With document controls, provenance is tracked along with every other interaction, such as who viewed or edited the document throughout its lifecycle.

Organizations that operate in regulated industries are the primary users of document controls. For instance, document controls are a must for those that are required by law to retain records to prove compliance to their regulators (e.g., Food and Drug Administration (FDA), Environmental Protection Agency (EPA), Occupational Safety and Health Administration (OSHA). 

In addition, document control helps securely manage documents end-to-end. Document control also helps meet record-keep requirements for voluntary standards, such as those associated with the International Organization for Standardization, or ISO, and contractual obligations, such as those related to pharmaceutical testing and production, engineering, and manufacturing.

Not all documents need to be controlled. A few considerations to help determine if document controls are necessary are: 

• Does the document address or relate to any record-keeping requirements?
• Does the document define customer and/or product requirements?
• Does the document guide the production of products?
• Does the document guide the verification, inspection, or testing of products?
• Is the document used for controlling processes?
• Is the document used for decision-making?

A set of procedures for document controls should be developed and aligned with the relevant record-keeping requirements. The five key steps in setting up procedures for document controls are:

1. Creation of the document
Establishes the people and departments responsible for creating documents along with specifications as to how the documents should be created, including the details about formatting, file naming, version history, and other technical requirements (e.g., metadata).

2. Review and approval of the document
Explains how a newly created document should be reviewed, by whom, and who is responsible for final approval. The approval process and recording of any changes before the document is finalized should also be included.  

3. Revisions to the document
The process for making updates or edits to a document once it has been finalized should also be determined. Emphasis should be placed on who has the authority to request then initiate revisions, who will do the revisions, and who will approve the document. 

How the document is annotated to make it clear that it is not the original should also be addressed. The original document should be destroyed or archived when an updated document has been approved.

4. Publishing the document
Once complete, processes need to direct how the document is published, where it should be stored, who has access to it, and what security is required to protect it.

5. Obsoleting the document
When a document has been replaced with a newer version or is no longer needed, it should be removed from accessibility by either destroying it or archiving it. Determining which obsoleting technique is best and how to execute it should be clearly articulated. 

Document Control Examples

At a high level, the types of documents that require control are:

• Audio and video recordings
• Blank forms
• Checklists
• Drawings, diagrams, and sketches
• Electronic documentation
• Flow diagrams
• Paint swatches for color matching
• Photos
• Product samples and defect samples

Specific examples of the kinds of records subject to document controls are:

• Actions taken
• Analysis, reviews, evaluations, and validations
• Assets
• Authorizations
• Contracts
• Decisions made
• Employee notices
• Financial records
• Goals and expectations
• Inspection reports
• Inventories
• Monitoring and measuring
• Negotiations
• Notifications
• Position descriptions and qualifications
• Processes
• Property management
• Specifications and revisions
• Terminology
• Training material

Life Sciences Document Controls Regulations Examples

Examples of document controls specific to the life sciences industry include the following.

Food and Drug Administration Code of Federal Regulations Title 21 Part 820 Section 40 (FDA 21 

Each manufacturer shall establish and maintain procedures to control all documents that are required by this part. The procedures shall provide for the following:

• Document approval and distribution
  Each manufacturer shall designate an individual(s) to review for adequacy and approve prior to issuance of all documents established to meet the requirements of this part. The approval, including the date and signature of the individual(s) approving the document, shall be documented. Documents established to meet the requirements of this part shall be available at all locations for which they are designated, used, or otherwise necessary, and all obsolete documents shall be promptly removed from all points of use or otherwise prevented from unintended use.
  
• Document changes
  Changes to documents shall be reviewed and approved by an individual(s) in the same function or organization that performed the original review and approval unless specifically designated otherwise. Approved changes shall be communicated to the appropriate personnel in a timely manner. Each manufacturer shall maintain records of changes to documents. Change records shall include a description of the change, identification of the affected documents, the signature of the approving individual(s), the approval date, and when the change becomes effective.

FDA 21 CFR Part 11
Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following:

• Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance
• Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation

ISO 13485:2016 Sections 4.2.4 Control of Documents

Documents required by the quality management system shall be controlled. Records are a special type of document and shall be controlled according to the requirements given in 4.2.5.
A documented procedure shall define the controls needed to:

1. Review and approve documents for adequacy prior to issue

2. Review, update as necessary, and re-approve documents

3. Ensure that the current revision status of and changes to documents are identified

4. Ensure that relevant versions of applicable documents are available at points of use

5. Ensure that documents remain legible and readily identifiable

6. Ensure that documents of external origin, determined by the organization to be necessary for the planning and operation of the quality management system, are identified and their distribution controlled

7. Prevent deterioration or loss of documents

8. Prevent the unintended use of obsolete documents and apply suitable identification to them

The organization shall ensure that changes to documents are reviewed and approved either by the original approving function or another designated function that has access to pertinent background information upon which to base its decisions.

The organization shall define the period for which at least one copy of obsolete documents shall be retained. This period shall ensure that documents to which medical devices have been manufactured and tested are available for at least the lifetime of the medical device as defined by the organization, but not less than the retention period of any resulting record (see 4.2.5), or as specified by applicable regulatory requirements.

ISO 13485:2016 Sections 4.2.5 Control of Records

Records shall be maintained to provide evidence of conformity to requirements and of the effective operation of the quality management system.

The organization shall document procedures to define the controls needed for the identification, storage, security and integrity, retrieval, retention time, and disposition of records.

The organization shall define and implement methods for protecting confidential health information contained in records in accordance with the applicable regulatory requirements.

Records shall remain legible, readily identifiable, and retrievable. Changes to a record shall remain identifiable.

The organization shall retain the records for at least the lifetime of the medical device as defined by the organization, or as specified by applicable regulatory requirements, but not less than two years from the medical device’s release by the organization.

What Is a Document Control System?

A document control system is a set of processes and rules for classifying, organizing, and managing an organization’s documents and records from the time they are created to when they are destroyed or permanently archived. 

Most document control systems revolve around electronic information. These systems manage document controls and provide automation capabilities and reports required for compliance and other audits. 

Basic steps to take when starting with a system for document controls are:

• Identify documents and workflows
• Determine ownership 
• Define quality standards
• Ensure that proper security and access controls are in place
• Establish conventions for naming and classifying documents
• Create protocols for revision  
• Set up processes to archive or destroy documents that are no longer needed

Why Document Control Is Important

10 reasons why document controls are important are:

1. Accessibility
Document controls help keep information organized in a consistent manner, making it easily accessible to authorized users.  

2. Better access control
Document controls support the management of access to sensitive documents and prevent data leaks, accidental data exposure, and unauthorized access to sensitive data.

3. Compliance
Most organizations must comply with a variety of rules and regulations that require record-keeping and the ability to produce documentation supporting compliance. Document controls ensure that this information is readily available when needed with all of the documentation needed to meet requirements. 

4. Consistency
With efficient document control, standards are established, and processes for enforcement are set up to ensure that information is kept up to date with consistent file and folder naming structures to make it easy to find.

5. Disaster recovery
With procedures that include secure storage of data, document controls ensure that copies are stored offsite, thus making them readily available in the event of a disaster.  

6. Efficiency
With document control, files are organized and tracked to ensure that relevant documents are placed in the correct locations, saving time spent searching for information and preventing cumbersome remediation efforts when documents are accidentally disclosed. It also manages content through workflows and systems.  

7. Quality
Document controls include version control processes to manage access, track revisions, prevent changes by unauthorized users, and ensure that the most up-to-date version of all documents is published and older versions obsolete.

8. Security
Document controls include security measures to prevent unauthorized handling of sensitive information and protect against cyberattacks. 

9. Support for collaboration
With document controls, access to information is streamlined and allows multiple users to access and share data.   

10. Transparency of information
Document controls enable authorized users to quickly access information by making it easy for users to find and retrieve active and archived documents.

Maintain Document Control

The best document controls are of no use if they are not followed and maintained. Most organizations designate a person or a team to oversee the execution and maintenance of document controls. The results of maintaining document controls are clean records for compliance requirements that are easy to find and up to date. This improves overall workflows and increases productivity. 

Part of maintaining document controls is ensuring that everyone involved understands the rules and follows them. Ten steps for maintaining document controls are:  

1. Identify and name the process

2. Define the process’s scope  

3. Describe the limits of the process  

4. Identify the process inputs and outputs

5. Engage stakeholders in the development of the process

6. Arrange the process in sequential steps—numbering them if possible

7. Create a flowchart for the process to visualize it

8. Establish when exceptions to the normal process flow can be made   

9. Include control points and measurements

 Automating Document Control

Human error is, by far, the biggest risk in maintaining document controls, regardless of the size of the program. Automated systems for document controls not only reduce errors, but also speed up the process. 

Document control software automates policies and procedures, enforces document access security, captures activity related to documents throughout its lifecycle, and provides reporting for compliance and other requirements. Following are a few examples of what automated document controls can do.

Once the sample size variables have been determined, the sample size can be calculated. The steps to calculate the sample size are as follows.

Document Creation and Routing

Automated document controls can help differentiate and classify documents (e.g., policy documents, design specifications). Based on their classification, documents can be automatically routed for approval, published in the appropriate places (e.g., posted to a website, sent to an auditor), and saved.

They are then allocated their workflow, routing, review, and approval. Therefore, the document is reviewed and approved by the right people.

Document Version Control

When revisions are required, automation can manage and document the request process. This not only ensures that changes are made according to established procedures (e.g., reviews, archiving), but also that each step is recorded.

Notifications

Automated document control workflows ensure that the appropriate people know when they are required to take action. If they do not respond, follow-up messages can be sent, and the project lead can be alerted.

Document Backup and Disaster Recovery

With automated document controls, data backups can be scheduled to update any data backup systems that are in place, including both internal file storage and cloud file storage. 

Document Controls for Productivity, Protection, and Power

Having document controls is not only essential from a legal perspective, but it is also beneficial. Organization is a proven way to easily increase productivity. Having control over documents, especially those with sensitive information, is the only way to effectively manage data security. Put all of this together, and it is clear why document controls are a powerful tool for any organization.

Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.

Last Updated: 12th May, 2022

Get started with Egnyte.

Request Demo