What ISO 13485 Clause 4.2 really requires

Clause 4.2 is not just “have procedures.” It requires your QMS documentation to include documented quality policy and quality objectives, a quality manual, documented procedures and records required by the standard, other documents needed for effective planning and control, and documentation required by applicable regulations. It also requires a quality manual, one or more medical device files, document control, and record control. 

That means auditors are not only asking whether a procedure exists. They are asking whether the right documents exist, whether the current revision is controlled, whether obsolete documents are prevented from unintended use, whether records are secure and retrievable, whether confidential information is protected, and whether the documentation structure makes sense for the type of company and devices you manage. 

This page should rank and convert because it speaks directly to real buyer pain: messy document systems, weak quality manuals, incomplete medical device files, and audit findings caused by poor document discipline.

See Our Services

The 5 documentation pillars inside Clause 4.2

  • QMS documentation

    Your system must include the documented policies, objectives, procedures, records, and other documents needed to operate and control the QMS effectively.

  • Quality manual

    The quality manual must define scope, exclusions or non-applications, reference the QMS procedures, and describe how the QMS processes interact.

  • Medical device file

    For each device type or family, you need one or more files containing or referencing the documents that demonstrate conformity and regulatory compliance.

  • Control of documents

    You must control approval, revision status, updates, point-of-use availability, legibility, external documents, obsolete documents, and retention of old versions.

  • Control of records

    You must control identification, storage, security, integrity, retrieval, retention time, disposition, change traceability, and protection of confidential health information.

Why companies get hit on Clause 4.2

Most companies do not fail Clause 4.2 because they have no documents. They fail because they have too many uncontrolled ones.

Common problems include:

  • people using outdated forms from shared folders
  • no clear master list or document index
  • SOPs approved once and never reviewed again
  • training records against the wrong revision
  • external standards and regulatory references not controlled
  • medical device files missing core content
  • obsolete documents left in circulation
  • records saved, but not easily retrievable during audit
  • no defined retention logic for records and obsolete documents
  • confidential information handled casually inside QMS records

This clause is one of the best conversion points on your site because the problem is easy for the buyer to recognize and expensive for them to ignore.

Start with a Gap Assessment

Clause 4.2 implementation roadmap

A clean document system is not about writing more SOPs. It is about building documentation architecture that people can use, auditors can follow, and your business can maintain without constant confusion.

Step 1

Define the documentation hierarchy

Set the structure first: quality manual, procedures, forms, work instructions, records, logs, templates, and external documents. If the hierarchy is unclear, document control becomes reactive and messy.

Step 2

Build document control rules that people can actually follow

Approval, review, revision history, change control, distribution, access, archival, and obsolete document control need to be simple enough for real teams to use consistently.

Step 3

Separate documents from records properly

Procedures tell people what to do. Records prove what happened. Mixing the two creates audit friction, training errors, and retrieval problems.

Step 4

Establish the medical device file logic

For each device type or family, your file structure should make intended use, specifications, labelling, manufacturing references, monitoring references, installation needs, and servicing references easy to locate.

Step 5

Lock down retention and retrieval

If records cannot be retrieved fast, trusted, or tied to the right revision and period, the system will look weak in front of auditors even when the work was done properly.

Audit-ready evidence checklist

  • Quality policy and quality objectives
  • Quality manual with scope and process interaction
  • Controlled document procedure
  • Controlled record procedure
  • Master document list or equivalent index
  • Revision history and approval evidence
  • External document control method
  • Obsolete document retention logic
  • Medical device file structure for each device type or family
  • Record retention and retrieval rules
  • Protection of confidential health information
Need the full document control system?

This is the best fit if your procedures, forms, records, logs, and revision controls are not operating as one controlled system.

View Document Control System Bundle
Need medical device file structure too?

Use this if your document control issue also includes labelling, intended use documentation, or file completeness for specific devices.

View Labelling & Medical Device File Pack
Need a broader QMS foundation?

Fix the wider system if document control is only one part of a bigger QMS weakness.

View QMS Core Bundle
Speak to ISO Cloud Consulting See Services

Clause 4.2.2: Your quality manual should explain the system, not decorate it

A weak quality manual is one of the fastest ways to make a QMS look generic. Under Clause 4.2.2, the quality manual must define the scope of the QMS, explain any exclusions or non-applications, reference the documented procedures, and describe the interaction between QMS processes. It also needs to outline the structure of the documentation used in the QMS. 

That means your quality manual should work as a system map, not a marketing summary. It should help a regulator, auditor, consultant, or internal team member understand how the system is structured and where evidence lives.

View QMS Core Systems

Clause 4.2.3: The medical device file is where documentation gets product-specific

This is where many companies underestimate the clause. Clause 4.2.3 requires one or more files for each medical device type or family containing or referencing documents that show conformity to ISO 13485 and applicable regulatory requirements. The file content includes at least general device description and intended use, labelling, product specifications, manufacturing or handling references, measuring and monitoring references, and, where relevant, installation and servicing references. 

This is why Clause 4.2 is not only about generic QMS documents. It also reaches into product-specific documentation and how that evidence is structured.

View Medical Device File SolutionsView Labelling & Medical Device File Pack

Clause 4.2.4 and 4.2.5: Document control and record control are not the same thing

A document is controlled so people know what they should use. A record is controlled so you can prove what happened.

Clause 4.2.4 focuses on document approval, review, updating, revision status, point-of-use availability, legibility, external documents, prevention of deterioration or loss, and prevention of unintended use of obsolete documents. Clause 4.2.5 focuses on identification, storage, security, integrity, retrieval, retention time, disposition, change traceability, and protection of confidential health information inside records. It also sets the baseline retention expectation: at least the lifetime of the device as defined by the organization, or regulatory requirements, but not less than two years from release. 

This distinction is where a lot of teams clean up years of confusion.

Get the Document Control BundleGrab the Free Master Document List

Best-fit solutions for Clause 4.2

  • Document Control System Bundle

    Best fit if your issue is revision control, document hierarchy, approval flow, master list discipline, obsolete document control, and record structure.

    View Product 

  • Labelling & Medical Device File Pack

    Best fit if your documentation gap includes device-level file structure, intended use, labelling, and product-specific evidence.

    View Product 

  • QMS Core Bundle

    Best fit if Clause 4.2 problems are part of a broader QMS architecture issue across Clauses 4 to 6 and 8.

    View Product 

Clause 4.2 FAQ

What does ISO 13485 Clause 4.2 require?

Clause 4.2 requires documented QMS information including quality policy and objectives, a quality manual, required procedures and records, other necessary QMS documents, regulatory documentation, medical device files, document control, and record control.

Do I still need a quality manual under ISO 13485?

Yes. Clause 4.2.2 explicitly requires a quality manual, including QMS scope, justified exclusions or non-applications, references to QMS procedures, and a description of process interaction.

What is a medical device file under ISO 13485?

It is a device-type or device-family file containing or referencing documents that demonstrate conformity to ISO 13485 and applicable regulatory requirements. It is not just one product datasheet.

Is a master document list required by the standard?

The standard does not force that exact title, but most companies need a master document list or equivalent controlled index to manage revision status, document location, approval, and availability effectively.

What is the difference between a document and a record?

A document tells people what to do or what applies. A record proves what was done, what happened, or what decision was made. Both are controlled, but in different ways.

Do external standards and regulations need document control?

Yes. Clause 4.2.4 requires external-origin documents necessary for planning and operation of the QMS to be identified and their distribution controlled.

How long do I need to keep obsolete documents?

You must keep at least one copy of obsolete documents for a defined period long enough to ensure documents tied to manufactured and tested devices remain available for at least the lifetime of the device, and not less than the retention period of resulting records unless regulations require more.

How long do I need to keep records under ISO 13485?

Records must be retained for at least the lifetime of the medical device as defined by the organization, or as required by regulation, but not less than two years from product release.

Does Clause 4.2 include protection of confidential health information?

Yes. Clause 4.2.5 specifically requires methods to protect confidential health information contained in records in accordance with applicable regulatory requirements.

1 1

If Clause 4.2 is weak, your QMS looks harder to trust everywhere else. This is the strongest direct-fit product for a documentation requirements page.

Document Control System Bundle

$399.00 USD
$399.00 USD
Sale Sold out
View full details

Clause 4.2 is where document chaos gets exposed

Get this right and your quality manual, procedures, forms, records, training evidence, device files, and audit trails start working together. Get it wrong and every audit feels harder than it should.

View Services View Pricing Proof and Capabilities Read FAQs
Document Control, Records & Training

For document hierarchy, revision control, training systems, logs, forms, and operational discipline.

Browse collection
Labelling, Traceability & Medical Device File

For product-specific file structure, labelling controls, and documentation linked to device conformity.

Browse collection
Free ISO 13485 Resources

For entry-point tools like master lists, gap checks, and free resources that help you start cleaning up the system.

Browse collection