QMS Document Control Software: FDA, ISO 13485, and eQMS Requirements

What Is QMS Document Control Software?

In regulated life sciences, document control is not only file storage. It is a governed process that ensures personnel use the current approved version of a controlled document and that changes are reviewed, approved, traceable, and retrievable.

Common controlled documents include:

• Quality manual or quality system documentation
• SOPs and work instructions
• Policies and forms
• Specifications
• Test methods
• Validation protocols and reports
• Manufacturing and packaging instructions
• Device drawings and design documentation
• Labeling and packaging control documents
• Supplier quality documents
• CAPA, deviation, complaint, and change control records

The system should answer a simple inspection question: who approved this document, what version was effective at the time, who was trained on it, what changed, and where is the record?

Why Document Control Matters for Regulatory Teams

Document control sits between quality operations and regulatory submissions.

When document control is weak, teams spend submission timelines reconciling versions, chasing approvals, and deciding which record is authoritative.

FDA QMSR and ISO 13485 Document Control for Medical Devices

FDA's QMSR became effective on February 2, 2026. FDA states that the rule amends device CGMP requirements in 21 CFR Part 820 and incorporates ISO 13485:2016 by reference.

For medical device manufacturers, this means document control software should support a quality management system that aligns with ISO 13485 and the additional applicable FDA requirements in Part 820.

Important QMSR points for document control:

• 21 CFR 820.10 requires manufacturers subject to Part 820 to document a quality management system that complies with applicable ISO 13485 requirements and other applicable Part 820 requirements.
• 21 CFR 820.35 adds FDA control-of-records requirements on top of ISO 13485 Clause 4.2.5.
• FDA's QMSR FAQ states that after the QMSR effective date, FDA may inspect records that were previously exempt from review under the old QS Regulation, including management review, quality audit, and supplier audit reports.

This changes the document-control conversation for device companies. The eQMS must support controlled documents, controlled records, inspection retrieval, and traceability across the quality system.

Pharma GMP Document Control Under 21 CFR Part 211

Pharmaceutical GMP rules do not require a specific eQMS product, but they require written procedures and records throughout manufacturing, laboratory, packaging, labeling, holding, distribution, and quality operations.

Examples from 21 CFR Part 211 include:

For pharma teams, document control software should prevent uncontrolled SOPs, outdated specifications, undocumented changes, missing approvals, and poor retrieval during inspections.

Part 11 Considerations for eQMS Document Control

21 CFR Part 11 applies when regulated records are maintained electronically instead of paper, or when electronic records are submitted to FDA under applicable requirements. FDA's Part 11 regulation describes criteria for electronic records and electronic signatures to be considered trustworthy, reliable, and generally equivalent to paper records and handwritten signatures.

For eQMS document control, relevant Part 11 controls often include:

• System validation
• Accurate and complete copies of records
• Record protection and retrieval through retention periods
• Access controls
• Secure, computer-generated, time-stamped audit trails
• Operational and authority checks
• Training and qualification of users
• Electronic signature manifestations
• Signature-to-record linking
• Controls for user IDs and passwords

The regulated company remains responsible for validating the system for its intended use and defining which records are subject to predicate rules.

The Full Document Lifecycle an eQMS Should Control

Many document control projects fail because the team only designs the approval step. In practice, document control starts before the first approver opens a draft and continues after the document is retired.

A regulated document lifecycle should define:

1. Document request and classification
2. Draft ownership
3. Required reviewers and approvers
4. Quality unit approval rules
5. Effective date logic
6. Training impact assessment
7. Controlled release and distribution
8. Periodic review
9. Revision initiation and change rationale
10. Obsolescence and archival controls
11. Retention and inspection copy generation

The strongest eQMS implementations make these lifecycle states explicit. A user should not need to infer whether a document is draft, approved, effective, superseded, obsolete, or archived. That status should be visible, controlled by permissions, and reflected in search results and exports.

Training linkage is especially important. If a procedure changes but training is not triggered, the system may show a clean approval history while the operation is still using old instructions. That is a quality risk, not only an administration issue. The same is true for forms and templates: if a form template changes, teams need to know which completed records used the prior version and whether the change affects open investigations, batches, complaints, audits, or submissions.

For medical device companies, document lifecycle control also intersects with design controls, risk management, supplier quality, complaint handling, and eSTAR evidence. For pharmaceutical companies, it intersects with master production records, laboratory methods, specifications, validation packages, batch records, and quality unit review. A good document control system does not have to be an all-in-one enterprise platform, but it must preserve the context that makes the record defensible.

Implementation Model for Regulated Document Control

The practical implementation sequence should start with record scope, not vendor configuration. Before building workflows, identify which document types are controlled, which are GMP or QMSR records, which may be Part 11 records, and which are only administrative or business documents.

Use a simple classification model:

After classification, define ownership. Document owners should understand the content. Quality should own the control process. Regulatory should be involved when a document affects a submission, market authorization, labeling commitment, registration, or health authority response. This prevents the common failure where a quality document changes correctly inside the eQMS but nobody evaluates whether the change affects a filing.

The implementation should also define how emergency changes work. Some teams need an urgent procedure update after a deviation, supplier issue, inspection observation, or production interruption. Emergency workflows can be legitimate, but they still need approval meaning, temporary control, retrospective review, training impact, and a path back into normal change control.

What QMS Document Control Software Should Include

The best systems connect document control to change control, training, CAPA, deviations, complaints, supplier quality, audits, and submissions.

Evidence to Ask for During Vendor Evaluation

Do not evaluate QMS document control software only by watching a clean demo workflow. Ask the vendor to show evidence that the workflow can survive real regulated use.

Useful vendor evaluation requests include:

• Show how the system prevents use of obsolete documents.
• Show how effective dates work when training must be completed before release.
• Show how a prior version is retrieved without changing the current effective version.
• Show the audit trail for a document title change, approver change, rejection, and final approval.
• Show the signature manifestation on an exported approved document.
• Show how document change reason and change history appear to an inspector.
• Show how a controlled form template is linked to completed records.
• Show how permissions prevent unauthorized document approval or release.
• Show how records can be exported if the company leaves the platform.
• Show how SaaS release notes are assessed against validated workflows.

The answers should be specific. A claim that the system is "Part 11 compliant" is not enough because Part 11 compliance depends on intended use, configuration, procedures, training, and customer operation. Vendor controls can support compliance, but they do not replace the company's validation and governance.

For small biotech and medtech teams, the right question is often not "which product has the most modules?" The better question is "which product gives us defensible control over the records that matter for our next milestone?" A preclinical biotech preparing for an IND may need controlled SOPs, vendor qualifications, CMC source documents, and validation evidence. A device company preparing a 510(k) may need design records, risk files, verification evidence, labeling, complaints, CAPA, and supplier records. The document control model should match the operating risk.

Common Document Control Failure Modes

The same document control problems appear repeatedly in audits and remediation projects:

These are not cosmetic issues. They affect whether the company can prove that work was performed under current approved instructions and that later summaries are based on controlled source evidence.

Document Control and Submission Readiness

Document control is not usually described as a regulatory submission function, but it directly affects submission readiness.

Examples:

• A Module 3 specification in an eCTD submission should match the controlled quality specification.
• A validation report cited in a submission should be the approved final version.
• A CAPA or deviation record supporting a quality narrative should have complete approvals and traceability.
• A device eSTAR submission may depend on controlled design, risk, labeling, and verification documents.
• A labeling change may trigger regulatory assessment, training, and controlled distribution.

When quality documents are not controlled, submission teams inherit ambiguity. That ambiguity becomes late-stage rework.

The highest-risk handoff is the summary-to-source handoff. Regulatory submissions often contain summaries: process descriptions, control strategy narratives, validation summaries, analytical method summaries, design summaries, risk-control summaries, or responses to agency questions. Those summaries need to map back to controlled documents. If the controlled document changed after the summary was drafted, the team needs to know whether the submission text still reflects the current approved source.

This is where QMS document control, RIM, and submission publishing overlap. The QMS controls the source evidence. RIM tracks registrations, commitments, and submission plans. Publishing tools assemble the dossier. None of those functions works well if the authoritative controlled document is unclear.

How Assyro Supports eQMS and Regulatory Document Readiness

Document control is upstream of submission readiness. The point is not only storing SOPs. The point is proving that controlled documents, records, changes, and evidence all support the regulatory story.

Assyro can connect controlled document evidence to Regulatory Gap Analysis, eCTD Validation, eCTD Authoring, and medical device regulatory submission software. The value is finding document gaps and inconsistencies before they become inspection findings, FDA questions, or submission delays.

References

This guide reflects FDA QMSR, 21 CFR Part 820, 21 CFR Part 211, and 21 CFR Part 11 information current as of May 2026. Confirm current regulations, applicable ISO 13485 requirements, and product-specific obligations before implementing an eQMS workflow.