ISO 13485 Clause 4 — QMS + Document & Record Control
Evidence-first control map for Clause 4.1–4.2.5: QMS architecture, quality manual, medical device file, document control, and record control.
What This Page Is
This page translates ISO 13485 Clause 4 into an evidence-first control map. It focuses on what auditors actually test: executed records, controlled document states, retrievable device files, and traceable change history. It supports certification audits, surveillance audits, supplier/customer audits, and internal audit execution.
What Clause 4 Covers
Clause 4 is the QMS foundation: (1) how you define and control the system (Clause 4.1) and (2) how you control the information the system runs on (Clause 4.2). This requires a defined process architecture, controlled documentation, a maintained medical device file, and reliable document control and record control that prevent outdated instructions, missing evidence, and untraceable decisions.
How Auditors Evaluate Clause 4
Auditors rarely read SOPs end-to-end. They follow evidence chains. A change request must show impact review, approvals, training, and effectiveness. A device file must be complete and navigable. Records must be retrievable quickly with defined retention and access control. Weak Clause 4 controls make every other clause fragile.
Use This Page To
- Identify the minimum Clause 4 controls and records needed for audit survival.
- Run a fast evidence check (what exists, what is missing, what is unlinked).
- Navigate to tools and systems that implement Clause 4 controls with audit-ready outputs.
ISO 13485 Clause 4 Evidence Table (4.1–4.2.5)
| Clause | Clause Title | One-Line Operational Intent | Typical Audit Evidence (Records) |
|---|---|---|---|
| 4.1 | General requirements | Define, control, and maintain the QMS processes so execution is stable, changes are controlled, and evidence is retrievable. | Process map; process interaction diagram; QMS scope statement; outsourced-process controls; change impact assessments; QMS software validation evidence (if used). |
| 4.2 | Documentation requirements | Maintain a controlled documentation set that is sufficient to operate the QMS and prove conformity. | Quality manual; master document list; procedure/register indexes; controlled template library; documented information gap assessment. |
| 4.2.1 | General | Demonstrate the required documented information exists and is aligned to actual operations. | Policy acknowledgement; quality objectives register; procedure matrix; records index; “documents needed for planning/operation” rationale. |
| 4.2.2 | Quality manual | Keep a controlled manual that defines scope/exclusions and describes process interactions. | Quality manual revision history; approval record; scope/exclusion justification; process interaction diagram control. |
| 4.2.3 | Medical device file | Maintain a navigable device-family file that references the controlled documents proving product conformity and regulatory readiness. | Device file index; labeling/IFU approval trail; key specifications; manufacturing/servicing references; acceptance criteria references. |
| 4.2.4 | Control of documents | Prevent uncontrolled or obsolete documents through review/approval, revision control, distribution control, and controlled external documents. | Document change requests; approval logs; revision history; controlled distribution; obsolete archive; external document register. |
| 4.2.5 | Control of records | Ensure records remain identifiable, secure, retrievable, and retained so audit sampling succeeds without reconstruction. | Record retention schedule; record index; access control logs; backup/restore test record; record integrity/audit trail evidence. |
ISO 13485 Clause 4.1 — General Requirements
Operational Intent
Prove the QMS is a controlled system: defined processes, defined owners, controlled interfaces, and controlled changes. The test is whether the organization can demonstrate stability over time using records.
Minimum Controls That Must Exist
- Process architecture: list of QMS processes + interactions (not a poster—an owned system)
- Process ownership: accountable roles for each process, including outsourced processes
- Change impact discipline: documented assessment of impact to documents, training, validation, and records
- QMS tool control: if software is used to manage records/approvals/workflows, maintain validation evidence aligned to intended use
Audit Tests (Evidence Challenges)
- Show the current process interaction map and evidence it is reviewed under change control.
- Show the last 3 QMS changes and the impact assessment, approvals, and resulting updates.
- Show how outsourced processes are controlled (supplier controls + acceptance evidence + escalation triggers).
- Show evidence that your QMS software tool’s intended use is defined and the tool is controlled under change.
Major Nonconformity Indicators
- Critical processes exist in reality but are absent from the defined QMS process set.
- Changes occurred with no impact assessment and no retraining/effectiveness evidence.
- QMS software drives approvals/records, but there is no validation or change control evidence.
ISO 13485 Clause 4.2 — Documentation Requirements
4.2.1 General
Intent: Maintain a minimum documented information set that matches operational reality and produces records that prove execution.
Evidence (records):
- Master Document List (MDL) / document register
- Procedure matrix (process → SOP → forms/records)
- Controlled template library index
- Records index (what records exist, where stored, retention owner)
Failure patterns:
- Documents exist but the MDL is incomplete or stale.
- Forms exist without controlled IDs and revision control.
- Procedures describe records that are not actually generated.
4.2.2 Quality Manual
Intent: Provide controlled scope and QMS interaction visibility. The manual must be current and consistent with the real process architecture.
Evidence (records):
- Quality manual approval + revision history
- Scope statement + exclusion/justification record (where used)
- Process interaction diagram under change control
Failure patterns:
- Manual exists but scope/exclusions are inconsistent with actual operations.
- Process interaction diagram is generic and not maintained under change control.
4.2.3 Medical Device File
Intent: Maintain a device-family file that is navigable and references the controlled documents that define the device and how it is realized.
Evidence (records):
- Device file index (table of contents with controlled references)
- Labeling/IFU approval trail + revision history
- Key specifications + acceptance criteria references
- Manufacturing/servicing references (controlled, current)
Audit tests:
- Open the device file and retrieve specific referenced documents within 60 seconds.
- Show how a labeling change flowed through approvals, training, and release documentation.
Failure patterns:
- Device file is just a folder of PDFs with no index and no controlled references.
- Labeling exists without traceable approval and effective date control.
4.2.4 Control of Documents
Intent: Ensure only approved/current documents are used. Control changes, distribution, and external documents that affect product or QMS.
Minimum control mechanics:
- Document lifecycle states: draft → review → approved → effective → obsolete
- Role-based approvals (owner + quality approval where appropriate)
- Controlled distribution / point-of-use rules
- External document register (standards, regs, supplier specs) with review triggers
Evidence (records):
- Document change requests with impact statements
- Approval logs (who/when/what changed)
- Revision history + effective date control
- Obsolete archive control evidence
Major NC indicators:
- Obsolete instructions found at point of use.
- Changes made without formal approval trail.
- External standards used operationally but not controlled.
4.2.5 Control of Records
Intent: Records must be identifiable, secure, retrievable, and retained. The audit test is speed and integrity: retrieve samples quickly with intact history.
Minimum control mechanics:
- Record taxonomy and indexing (record type, ID rules, storage path)
- Retention schedule aligned to device lifecycle and regulatory expectations
- Access control + confidentiality rules where applicable
- Backup/restore test evidence for electronic records
Evidence (records):
- Record retention schedule + approvals
- Record index / evidence index
- Access control logs and permission reviews
- Backup/restore test records
Major NC indicators:
- Records cannot be retrieved promptly or are missing.
- No defined retention rules or uncontrolled deletions/overwrites.
- Electronic records with no integrity controls/audit trail evidence.
Clause 4 Systems & Templates (Direct Implementation)
These products map directly to Clause 4 audit exposure: document control, medical device file structure, record control, and QMS architecture.
QMS Core System (Clauses 4–6 & 8)
Core QMS architecture + evidence-first operating controls that support Clause 4 across documentation, roles, and governance.
Document Control System Bundle
Implements Clause 4.2.4: controlled lifecycle, approvals, change control, distribution discipline, and external document control.
Labelling & Medical Device File Pack
Implements Clause 4.2.3: device file indexing and labeling control with audit-ready evidence trails.
Records Management Training Kit
Operationalizes Clause 4.2.5: record integrity, retention discipline, indexing, and retrieval under audit conditions.
QMS Software Validation System (4.1.6)
For organizations using digital QMS tools: intended use definition, validation evidence, and change control alignment.
Document Control Training Kit
Training evidence for document control execution: competence + effectiveness checks tied to document changes.
FAQ
What is the fastest way to pass Clause 4 sampling?
Make evidence retrieval deterministic: a master document list that matches reality, a record index that maps record type to storage path/retention, and a device file index that points to controlled document IDs—not “folders of PDFs.”
What do auditors target first in document control?
They look for obsolete documents at point of use, missing approvals/effective dates, uncontrolled external documents (standards/regulatory guidance), and changes implemented without impact assessment and training evidence.
What makes record control fail under audit?
Slow retrieval, missing records, unclear retention rules, uncontrolled edits/overwrites, weak access control, and electronic record systems with no integrity/audit trail evidence.
How should the medical device file be structured?
Use a controlled index that references controlled document IDs for labeling/IFU, specifications, acceptance criteria, production/service references, and applicable procedures. Auditors expect navigation and traceability, not bulk storage.
Clause 4 Audit Reality: Auditors Sample Records, Not Narratives
Clause 4 failure is usually not “missing documentation.” It is uncontrolled state:
- Outdated work instructions at point of use
- Device file exists but is not navigable (no index, no controlled references)
- Records exist but cannot be retrieved quickly
- Changes happened without impact assessment, training, or effectiveness evidence
Clause 4 fixes are mechanical: define the system, control documents, control records, enforce storage paths, and prove execution through an evidence index.
Clause 4 Self-Audit Checklist
Clause 4.1 — QMS Process Architecture (Evidence Challenges)
- Show the controlled list of QMS processes and the owner role for each.
- Show the interaction map and evidence it is controlled under change.
- Show the last 3 QMS changes with impact assessment and approvals.
- Show how outsourced processes are controlled (requirements + verification + escalation triggers).
Clause 4.2.1 — Minimum Documented Information
- Show the Master Document List (MDL) with status and revision control.
- Show the procedure matrix that maps processes to SOPs and records.
- Show controlled templates/forms with IDs and revision history.
Clause 4.2.2 — Quality Manual Integrity
- Show the scope statement and any exclusion justification record.
- Show evidence the manual reflects the actual process architecture.
- Show the manual’s approval and revision trail.
Clause 4.2.3 — Medical Device File Retrieval Test
- Open the device file index and retrieve referenced documents quickly.
- Demonstrate labeling/IFU approval history and effective date control.
- Demonstrate linkage between device file references and controlled documents.
Clause 4.2.4 — Document Control at Point of Use
- Show current work instructions in use and prove they match approved revisions.
- Show change request → review → approval → effective date → training trail.
- Show obsolete documents are prevented from unintended use.
- Show an external document register for standards/regulatory documents used operationally.
Clause 4.2.5 — Record Control (Integrity + Retrieval)
- Show record retention schedule approvals and controlled access.
- Show record indexing rules and retrieval performance (sample 10 records).
- Show backup/restore test evidence for electronic record systems.
Clause 4 — Top Failure Patterns (Major NC Signals)
- Obsolete documents found in production/service contexts.
- Device file exists but is not indexed, not controlled, or not retrievable.
- Records reconstructed during audit instead of retrieved from controlled storage.
- Uncontrolled external standards/specs used operationally.
Clause 4 — Rapid Fix Sequence (Execution Order)
- Define process architecture + owners.
- Implement MDL + procedure/record matrix.
- Build medical device file index with controlled references.
- Implement document lifecycle + approvals + distribution control.
- Implement record taxonomy + retention + access + retrieval discipline.
- Validate QMS software tools where used for approvals/records/workflows.
- Run an internal audit retrieval test and close gaps via CAPA/change control.
Clause 4 FAQs
What is ISO 13485 Clause 4?
Clause 4 defines the QMS foundation: how the system is structured (4.1) and how QMS documented information is controlled (4.2), including the medical device file, document control, and record control.
What evidence do auditors sample for ISO 13485 Clause 4?
Auditors sample document approvals and revision history, controlled distribution at point of use, obsolete document controls, device file indexes, and record retrieval/retention/integrity evidence.
What is ISO 13485 document control (Clause 4.2.4)?
Document control is the lifecycle that ensures only approved/current documents are used, changes are reviewed and approved, distribution is controlled, and obsolete documents are prevented from unintended use.
What is ISO 13485 record control (Clause 4.2.5)?
Record control ensures records are identifiable, secure, retrievable, and retained for defined periods, with integrity controls for electronic records and evidence of backup/restore discipline.
What is a medical device file in ISO 13485 (Clause 4.2.3)?
A medical device file is a controlled, device-family file that references the documents and records that define the device, its specifications, labeling, and the processes that produce and verify it.
What is a Master Document List (MDL) and why do auditors ask for it?
An MDL is the index of controlled documents with identifiers, revision status, owners, and effective dates. Auditors use it to test whether control is real and complete.
What is the most common Clause 4 audit failure?
Uncontrolled document state: obsolete instructions at point of use, weak approval trails, and missing distribution/withdrawal controls. The second most common is record retrieval failure.
How does Clause 4 affect ISO 13485 Clauses 7 and 8?
Clause 4 is the control layer for the documents and records that Clause 7 (product realization) and Clause 8 (measurement/CAPA) depend on. Weak Clause 4 breaks traceability, CAPA credibility, and audit closure.
Do digital QMS tools require validation for Clause 4.1?
If software is used to manage approvals, records, workflows, or quality decisions, auditors commonly expect evidence that the tool is controlled for its intended use, including change control and validation logic.
Where do I go next after Clause 4?
Use the ISO 13485 Clause Hub to navigate Clauses 5–8 and follow evidence chains across management review, internal audit, complaints, supplier control, and CAPA.