Medical Devices: Document Control Requirements (US and EU)

If your company develops medical devices, you must adhere to strict document control requirements.

Regulatory bodies legislate the document control requirements for each marketplace.

In this article, we give an overview of the medical devices document control requirements in the United States (US) and the European Union (EU).

Purpose of document control for medical device developers

Document control minimizes the risk of product failure, expensive product recalls and, most importantly, harm to patients.

Seamless document control – as opposed to document management – is essential for producing safe and effective medical devices. It brings order to lengthy and complex development projects.

Document control is the backbone of an effective quality management system and ensures medical device developers have full control over the entire document lifecycle. It’s central to meeting regulations, gaining the required standards and remaining compliant.

Document control software installs processes and procedures that ensure documents are created, approved, distributed and archived in a systematic way that adheres to quality standards.

Outline of regulations requiring document control

Document control requirements in the medical devices regulatory landscape are exacting to ensure the safety of end-users. Required document controls insist on accountability and traceability.

It’s important to understand that standards and regulations are different. If an organization fails to meet a standard, it will not qualify to sell in that market. If it fails to comply with regulations, the organization is not allowed to sell the product, and could face financial and legal penalties.

Here, we identify the relevant part(s) of legislation and summarize the document control requirements for medical device developers in the US and EU.

FDA QSR document control requirements

The US Food and Drug Administration Quality System Regulation (FDA QSR) sets requirements for document control, but those requirements are not a “standard”. The document control regulations in the FDA QSR require medical device companies to:

designate a responsible person to review and approve documents
ensure the availability of current documents
prevent the unintended use of obsolete documents
keep records of document changes
conduct re-approvals whenever a document is changed.

ISO 13458 and document control

ISO 13485: 2016 is the leading international standard for medical device quality management systems. The most relevant document standards come from it.

There’s significant overlap with the FDA’s QSR. Compliance with one will closely set you up for compliance with the other.

The ISO 13485 guidelines call for rigorous record-keeping. Section 4.2.4 calls for document control that extends document maintenance throughout the lifecycle of the device. Additional documentation details are described throughout ISO 13485.

Medical device companies that want to sell products throughout the EU must comply with the document control standards of ISO 13485: 2016, which include provisions for:

identifying the appropriate individual(s) to review procedures for adequacy
document review and approvals that include date and signature
reviewing, updating and re-approving documents
recording the current revision status and changes to documents
ensuring that relevant versions of applicable documents are available at points of use
ensuring that documents are legible and identifiable
controlling the distribution and identification of necessary documents of external origin
preventing the deterioration or loss of documents
preventing the unintended use of obsolete documents.

MDSAP requirements

The Medical Device Single Audit Program (MDSAP) is a new regulatory strategy within the world of medical device regulation. MDSAP aims to allow medical device companies to sell products in multiple international markets based on the results of a single audit.

Collaborating countries include Australia, Brazil, Canada, Japan, and the United States.

The MDSAP requirements are drawn from the requirements of ISO 13485: 2016. The current document control standards of the MDSAP list the following requirements:

approve documents for adequacy prior to use
review and update as necessary and re-approve documents
ensure that changes and the current revision status of documents are identified
ensure that relevant versions of applicable documents are available at points of use
ensure that documents remain legible and readily identifiable
ensure that documents of external origin determined to be necessary for the planning and operation of the QMS are identified and their distribution controlled
prevent the unintended use of obsolete documents, and apply suitable identification to them if they are retained for any purpose.

EU MDR and document control

There are a host of changes relevant to document control in Europe’s new Medical Device Regulation (EU MDR). The focus is on document control throughout the total lifecycle of a medical device, including post-market surveillance.

The associated requirements necessitate a document control system that can produce items like:

periodic safety update reports (PSURs)
document storage retention
post-market surveillance reports.

PSURs are pharmacovigilance documents that a company must submit to the regulatory agency regularly to disclose the worldwide safety experience of a product.

Post-market surveillance reports are for medical devices that are already on the market. A report summarizes the results of all post-market surveillance data, including any corrective actions.

Article 25 of the regulation presents major changes. MDR designates the “economic operator” status to distributors, importers, and EU-authorized representatives, each with its own documentation standards.

EU IVDR requirements

Any business marketing in vitro diagnostic medical devices to European Union territories must meet the requirements of the In Vitro Diagnostic Regulation (EU IVDR), which came into effect in May 2022.

To comply with IVDR, your company must have an effective quality management system with documented, standardized processes and procedures.

Your QMS should be underpinned by strong document and change control. It must ensure the correct references are made within your document stack, consider all the locations where your documents are available, and get a robust process in place for reviewing, approving, updating and re-approving documents as needed.

All audit activity must be documented, audit-trailed and linked to corresponding action workflows.

Document control software for medical device companies

isoTracker offers modular, cloud-based quality management software, including a document control module.

Our document control software provides automated version control and approval workflows, fine-grained document access control, review reminders, archiving and a full audit history.

This module makes it easy for medical device companies to adhere to document control requirements because it allows all employees to access and work on a document without the risk of duplication or accidentally working on the wrong version.

Key features that make it valuable to medical device developers include: