Explained: Control of Document and Records of ISO 13485
If you are reading the ISO 13485:2016 standard, you probably got to the conclusion that documentation and recording is absolutely necessary part of a Quality Management System. But documentation and records are not enough.
How to – Control of Documents
Standard obliges MedDev organizations to control the documents. A documented procedure shall define the controls needed to:
a) review and approve documents for adequacy prior to the issue
b) review, update, and re-approve documents
c) ensure that the current revision status of and changes to documents are identified
d) ensure that relevant versions of applicable documents are available at points of use
e) ensure that documents remain legible and readily identifiable
f) ensure that documents of external origin are identified and their distribution controlled
g) prevent descent or loss of documents
h) prevent the unintended use of outdated documents and apply suitable identification to them
Medical device organization must ensure that all changes done to documents are reviewed and approved. They also have to define the period for which at least one copy of outdated documents will be retained.
Point is that documents, as per which medical devices have been manufactured and tested, are available for at least the lifetime of the medical device. A period that is defined by the organization, but not less than the retention period of any resulting record or as specified by applicable regulatory requirements.
How to – Control of Records
Just imagine that the records are a special type of documents. They are a type of proof.
They provide evidence of conformity to requirements and of the effective operation of the Quality Management System.
Med Dev organization has to document procedures to define the controls needed for the identification, security, and integrity, retrieval, storage, retention time and disposition of records.
Standard requires from organization to define and implement methods for protecting confidential health information contained in records.
The records are intended to be maintained in an organization for at least the lifetime of the medical device as defined by the organization, or as specified by applicable regulatory requirements, but not less than two years from the medical device release by the organization.