Glossary Term

Document Control

The regulated process for creating, reviewing, approving, distributing, revising, and retiring controlled GxP documents.

Complere Reference Team Glossary termQuality ManagementReference Last reviewed May 26, 2026

Controlled documents are the operating instructions for a regulated organization. Weak document control is among the most frequently cited deficiency patterns in FDA and EU GMP inspections.

Controlled document lifecycle in Complere

On this page

Definition
Why It Matters
Regulatory Context
In Practice
Key Controls
Complere Approach
Related Terms

What document control means

Document control is the regulated process for managing the lifecycle of quality documents (SOPs, policies, specifications, work instructions, forms) from initial drafting through periodic review, revision, distribution, and eventual retirement. It ensures only approved, current versions are in use at the point of operation, that obsolete versions are removed from active use but retained for inspection, and that every change is traceable through a controlled audit trail.

It's distinct from general-purpose document management. A document management system stores and serves files. A controlled document system adds the regulated elements: revision control, approval workflow with attribution, distribution to point of use, training-on-change, and inspection-ready history.

Controlled documents are the operating instructions for a regulated organization. They define how batches are made, how laboratory tests are run, how deviations are investigated, how training is delivered, and how the quality system itself operates.

Document control vs document management

If your file repository lacks revision control, controlled approval signatures, distribution-to-point-of-use tracking, training-on-change linkage, and immutable audit trail, you have document management, not document control. The gap matters at inspection.

Why document control is the foundation of every GxP inspection

Inspectors evaluate document control before they evaluate the activities the documents govern. If the SOPs aren't under control, the activities they describe aren't under control either, regardless of how well those activities appear to be performed.

Document control deficiencies are among the most consistent finding patterns in FDA 483s and EU GMP inspections. Recurring patterns: outdated SOPs in use at the point of operation, SOPs revised without corresponding training records, missing or backdated approval signatures, obsolete versions retained inconsistently. These findings often precede deeper quality findings because a broken document control system tends to produce broken operations downstream.

Inspector note: When I open an inspection, I typically ask for three SOPs at random and trace each through the document control system. I want to see the current effective version at the point of use, the most recent training records for personnel who use it, the revision history including superseded versions, and the approval signatures with dates that align with the activity I'm about to inspect. If any of these is incomplete, the document control program isn't delivering its function.

Where document control is required and how regulators describe it

Document control requirements appear in virtually every GxP regulation and quality standard:

21 CFR §211.180 — general requirements for records; retention periods for drug manufacturing records
21 CFR §211.186 — master production and control records; required content and approval
21 CFR §211.194 — laboratory records; required content and review
21 CFR Part 820 — QMSR (effective February 2, 2026): incorporates ISO 13485:2016 §4.2.4 (Control of documents) and §4.2.5 (Control of records) by reference. Under the former QSR (in force through February 1, 2026), §820.40 was the document-controls clause and §820.180 carried general device-record retention requirements.
21 CFR Part 11 — electronic records and signatures
EU GMP Chapter 4 — Documentation §§4.1-4.32 — comprehensive coverage
EU GMP Annex 11 §10 — periodic evaluation of computerised systems including controlled documentation
ICH Q10 §3.2.1 — process performance and product quality monitoring
ISO 13485 §4.2.4 — control of documents; approval, review and update, identification of changes and revision status, availability at points of use, legibility, identification of obsolete documents
ISO 9001:2015 §7.5.3 — control of documented information
WHO GMP TRS 957, Annex 2 — documentation principles for pharmaceutical products

The controlled document lifecycle

A complete controlled document moves through six recurring stages, each producing controlled evidence:

Authoring. Draft created from a controlled template; author identified; draft status tracked.
Review. Qualified reviewers (SME, QA, regulatory) evaluate technical accuracy, regulatory alignment, consistency; comments captured; reviewer signatures with date and meaning.
Approval. Approval routing per the document control SOP; each approver's identity, signature, date, meaning captured per Part 11 §11.50; document moves to effective only after all required approvals.
Distribution and effective date. Controlled distribution to point of use; effective date set; previous version moved to obsolete; users notified; training-on-change tasks generated.
Periodic review. Scheduled re-confirmation (typically 2-3 years, risk-based); either re-approved unchanged or routed for revision.
Revision or retirement. Revision moves through same review/approval/distribution stages; superseded version retained per predicate-rule retention; retirement removes from active use but retained.

What strong document control programs share

Programs that hold up at inspection share a set of recurring controls:

The 'outdated SOP at the bench' finding

An inspector who walks the floor and finds a printed SOP at a workstation that's one revision behind the system of record has identified two problems in one: a distribution failure and a control failure. The latter is the more serious.

Template-driven authoring — controlled doc types from approved templates; no ad-hoc creation
Single source of truth — one effective version at a time; printed copies controlled or stamped uncontrolled
Approval signatures captured with attribution + meaning + date — per Part 11 §11.50
Effective date enforced — users can't follow a future-dated revision
Distribution-to-point-of-use tracked — system records access to current version
Training-on-change linked — revision approval auto-generates training tasks; effective date can be gated on training completion
Periodic review on schedule — risk-based; overdue tracked and escalated
Obsolete versions retained and segregated — for predicate-rule period; marked obsolete; not retrievable for active use
Audit trail per document — every action captured per §11.10(e)
Locked editing — concurrent edit prevention
Cross-reference integrity — references in related documents flagged when source is revised

How Complere supports document control

Controlled documents are the operating instructions for your quality system, and when an inspector walks the floor, they're the first thing held up against what your team is actually doing. Complere gives your team one place to author, review, approve, distribute, periodically review, revise, and retire controlled documents — with the audit trail an inspector expects already in place, the same way, across every document type your team handles.

Your authors don't start from a blank page. They start from controlled templates that already carry the required sections, the approval routing, and the signature meanings you've defined. New documents inherit the rules instead of recreating them, and the templates themselves are versioned and controlled, so the rules change with discipline rather than by side-channel edit.

Approvals happen by role, not by inbox-tag. Your team defines who signs what, in what order, with what meaning (review, approval, responsibility, authorship), and the system holds the document in draft until the right signatures land in the right order. Each signature shows who signed, when, and what they were signing for. Concurrent-edit protection means two authors can't quietly overwrite each other's draft. When the document is approved, the new effective version replaces the previous one, the previous one becomes obsolete but stays retrievable, and personnel who use the document get training tasks automatically — your team can require those tasks to complete before the new version goes effective for high-risk changes.

Every action a user takes on a document — draft, edit, review, approve, view, print, download — is captured with who did it and when, in a per-document history your team can hand to an inspector unedited. Site-specific fields (document numbers, business-unit codes, regulatory references) can be added without engineering involvement. Periodic-review schedules are tracked and surfaced before they go overdue, so the periodic-review finding inspectors look for stays off your 483.

The Vendor Validation Package that ships with Complere includes Documents-module evidence — URS, IQ/OQ/PQ, and a traceability matrix — so your team's starting point for validating the document control system is already built rather than something you assemble from scratch.

What stays with your team: deciding which documents need to be controlled in the first place, defining your approval routing, setting your periodic-review cadence, and reading what the document control program is telling you about discipline across your sites. Complere handles the lifecycle; the document control program around it stays your team's.

Frequently asked questions

Common questions about Document Control sourced from regulatory references and inspection patterns.

What is document control in a GxP quality system?

Document control is the regulated process for managing the lifecycle of quality documents — SOPs, policies, specifications, work instructions, forms, master batch records — from initial drafting through review, approval, distribution to point of use, periodic review, revision, and retirement. It's required across the major GxP frameworks: EU GMP Chapter 4, 21 CFR §§211.180/§211.186, and 21 CFR Part 820 (QMSR, incorporating ISO 13485:2016 §4.2.4 by reference; former QSR §820.40) each carry explicit document control expectations.

What's the difference between document control and document management?

A document management system stores, indexes, and serves files. A controlled document system adds the regulated elements on top: revision control, approval workflow with attribution and signature meaning, distribution-to-point-of-use tracking, training-on-change linkage, retention of obsolete versions, and an immutable audit trail. If those elements aren't present, the system is document management, not document control — and the gap is visible at inspection.

Which documents need to be controlled?

Anything that defines how a regulated activity is performed or how a regulated product is specified: SOPs, work instructions, specifications, master batch records, master production and control records, validation protocols, quality manuals, policies, forms whose content drives a decision. The scoping rule: if the document affects a GxP outcome and someone follows it, it's controlled. The decision of which documents to control belongs to the firm's quality system; predicate rules describe the obligation but rarely enumerate the list.

How long must controlled documents be retained?

Per the predicate rule. For drug manufacturing records under 21 CFR §211.180(a), at least one year past the batch expiration date (or one year past distribution for non-expiration OTC products). For device records under the QMSR (21 CFR Part 820, incorporating ISO 13485:2016 §4.2.5 by reference; former QSR §820.180), the longer of the expected device lifetime or two years from the date of release for distribution. EU GMP Chapter 4 §§4.10–4.12 carries parallel retention expectations. Obsolete versions are kept retrievable for the same period as the underlying record they governed.

Who approves controlled documents?

Per the firm's document control SOP, with the depth of approval matched to risk and document type. Typically a department head or process owner plus QA, with technical reviewers (engineering, regulatory) added where the content warrants. The QMSR (former QSR §820.40(b)) and EU GMP Chapter 4 reinforce a key constraint: a document change is reviewed by the same function that performed the original review and approval, unless specifically designated otherwise. Approval rights and signature meaning need to be defined in the SOP, not invented at the moment of signing.

What are the most common document control 483 findings?

Outdated SOPs in use at the point of operation; revisions issued without corresponding training-on-change records; approval signatures missing or backdated; obsolete versions retained inconsistently or not at all; periodic review overdue or absent; and cross-references in related documents that still point at superseded versions. The pattern is the same in EU GMP deficiencies under Chapter 4.

How often do controlled documents need periodic review?

Risk-based, typically every two to three years for routine SOPs and more frequently for high-risk procedures. EU GMP Chapter 4 and ISO 13485 §4.2.4 both expect a defined periodic-review cadence. The discipline isn't only the review itself — it's the documented evidence of the review, signed by qualified personnel, with the result either re-approved unchanged or routed for revision.

How does document control link to training?

A revision approval generates training tasks for personnel who use the document, and for high-risk changes the effective date can be gated on training completion so the new version doesn't go live until the affected staff are trained. This linkage is one of the most-inspected aspects of document control: a revised SOP with no training-on-change record is a recurring 483 pattern, particularly when the revision is material.

Continue Exploring

Explore related topics, modules, and compliance resources for a deeper understanding of your quality system.