Quality Documentation Manager
Document control system management for medical device QMS.
$skillfish add ~skills/quality-documentation-manager
Real Conversations
See how the Quality Documentation Manager skill responds to actual requests. These are representative examples of what your AI agent will produce.
We're building our QMS for ISO 13485 certification. We have about 40 SOPs, work instructions, and forms to manage. We're a 25-person startup. We don't have a QMS software budget yet — we're using SharePoint. How do I set up document control that will satisfy an auditor?
Document Control System — SharePoint for ISO 13485
SharePoint can satisfy ISO 13485 §4.2.3 (control of documents) if configured correctly.
Folder structure:
QMS Documents (SharePoint site)
├── 01 Quality Manual
├── 02 SOPs/
│ ├── Management (QP-MGT-xxx)
│ ├── Design Control (QP-DES-xxx)
│ ├── Production (QP-PRD-xxx)
│ ├── Complaints & CAPA (QP-QA-xxx)
│ └── Support Processes (QP-SUP-xxx)
├── 03 Work Instructions (WI-xxx)
├── 04 Forms & Templates (FRM-xxx)
├── 05 External Documents (standards, regulations)
└── ARCHIVE (for obsolete documents — read-only)
Document numbering convention:
[Type]-[Area]-[Number]-[Version]
Example: QP-QA-001-v2.0
Version control in SharePoint:
- Enable major versioning on all document libraries
- Set: Require check-out before editing → Yes
- Version history must be preserved — do NOT delete old versions
- Use a Document Header on every controlled document:
Document No: QP-QA-001 Version: 2.0
Title: Complaint Handling Procedure
Author: [Name] Review date: [Date]
Approved by: [QMR name] Approval date: [Date]
Summary of changes: Section 4.3 updated per MDR Art. 87 timelines
Approval workflow (Power Automate — free tier):
- Author drafts document → checks in → triggers approval flow
- QMR receives email approval request → approves in SharePoint
- On approval: document moves to published folder; previous version auto-moves to ARCHIVE
What auditors check for ISO 13485 §4.2.3:
- Documents reviewed and approved before issue
- Current revision status is identifiable
- Relevant versions available at point of use
- Obsolete documents prevented from unintended use (ARCHIVE = read-only)
- External documents (ISO standards, MDR text) identified and distribution controlled
Training records: When a document is updated, create a linked list entry: document version → staff names → acknowledgment date.
Want me to generate the Document Control SOP (QP-SUP-001) and the master document register template?
Get Started
How to install and use this skill in your preferred environment.
Skills are designed for AI coding agents (Claude Code, Cursor, Windsurf) and IDE-based workflows where the agent can read files, run scripts, and act on your codebase. Web-based AI can use the knowledge and frameworks, but won't have tool access.
Models & Context
Which AI models and context windows work best with this skill.
Recommended Models
Larger models produce more detailed, production-ready outputs.
Context Window
This skill's SKILL.md is typically 3–10 KB — fits in any modern context window.
All current frontier models (Claude, GPT, Gemini) support 100K+ context. Use the full window for complex multi-service work.
Pro tips for best results
Be specific
Include numbers — users, budget, RPS — so the skill can size the architecture.
Share constraints
Compliance needs, team size, and existing stack all improve the output.
Iterate
Start with a high-level design, then ask follow-ups for IaC, cost analysis, or security review.
Combine skills
Pair with companion skills below for end-to-end coverage.
Good to Know
Advanced guide and reference material for Quality Documentation Manager. Background, edge cases, and patterns worth understanding.
ISO 13485:2016 §4.2 Document Control Requirements
Section 4.2.3 defines what a controlled document system must do. The standard is explicit — these are auditable requirements, not guidelines:
- Documents must be reviewed and approved for adequacy before issue
- Changes and current revision status must be identifiable (typically via a revision history table on the document itself)
- Relevant versions of applicable documents must be available at points of use — not just filed in a central location
- Obsolete documents must be prevented from unintended use, with retained obsolete documents clearly identified
- Documents of external origin (ISO standards, regulatory text, customer specifications) must be identified and distribution controlled
"Controlled copy" definition: A controlled copy is a document instance that is covered by the document control system — meaning it receives updates when the master is revised and is retrievable when the document is obsoleted. Printed controlled copies require a mechanism to prevent ongoing use of outdated prints; most auditors expect either an "uncontrolled if printed" watermark on electronic documents or a controlled print register for paper-distributed copies.
Review frequency: ISO 13485 does not specify a review interval. Most QMS procedures define annual review as standard, with additional triggered review after nonconformances, regulatory changes, or process modifications. The review must be documented — a calendar reminder is not evidence.
Document Hierarchy
The four-tier quality document model separates intent from execution:
| Tier | Document type | Answers | Auditor focus |
|---|---|---|---|
| 1 | Quality Manual | What is our QMS and its scope? | Scope definition, policy commitment, process interactions |
| 2 | Procedures (SOPs) | Who does what, when, and why? | Process ownership, sequence, interfaces, references |
| 3 | Work Instructions | How is a specific task performed, step by step? | Task-level detail, safety, acceptance criteria |
| 4 | Records / Forms | What did we actually do? | Objective evidence of execution |
Why conflating tiers causes audit findings: A procedure that contains step-by-step operator instructions will require re-approval every time an operator's technique changes — elevating a routine operational update into a formal document change event. Conversely, a work instruction that contains scope and policy language creates ambiguity about which document governs in case of conflict. Keep tiers distinct: procedures reference work instructions; work instructions reference forms; none of them replicate content from the tier above.
Effective Date Synchronization
When a procedure is revised, every work instruction and form it references must be reviewed and either confirmed as still current or revised concurrently. All affected documents in a change set should carry the same effective date.
How misalignment creates a nonconformance: If Complaint Handling SOP v3.0 (effective 1 March) references Complaint Intake Form FRM-QA-015 v2.0, but the current approved form is v2.1 (effective 15 February), the SOP is referencing an obsolete document from the moment it is issued. An auditor will cite this as a failure of document control under §4.2.3.
Practical mitigation: Use a Document Change Request (DCR) that requires the initiator to list all documents that cross-reference the changed document. The document controller reviews the list before approving release. This creates a traceability chain from the DCR through all affected documents.
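The cross-reference check described above, as an added example (not part of the skill or the original page): a Python sketch that scans a master document register for references to superseded versions and builds the impact list a DCR would carry. The register layout, the year in the dates, the approval dates and WI-012 are constructed for illustration.

```python
from datetime import date

# Constructed register: one row per document, holding its current approved
# version and the versions of other documents it cites.
REGISTER = {
    "QP-QA-001": {"version": "3.0", "effective": date(2024, 3, 1),
                  "approved": date(2024, 2, 26),
                  "refs": {"FRM-QA-015": "2.0", "WI-012": "1.2"}},
    "FRM-QA-015": {"version": "2.1", "effective": date(2024, 2, 15),
                   "approved": date(2024, 2, 14), "refs": {}},
    "WI-012": {"version": "1.2", "effective": date(2023, 9, 1),
               "approved": None, "refs": {"FRM-QA-015": "2.1"}},
}

def referencing(register, changed_id):
    """Documents that cite changed_id: the impact list a DCR must carry."""
    return sorted(d for d, row in register.items() if changed_id in row["refs"])

def check_register(register):
    """Return (doc_id, finding_code, detail) tuples for the whole register."""
    findings = []
    for doc_id, row in sorted(register.items()):
        if row["approved"] is None:
            findings.append((doc_id, "UNDATED_APPROVAL", "no approval date"))
        elif row["approved"] > row["effective"]:
            findings.append((doc_id, "APPROVED_AFTER_ISSUE",
                             f"approved {row['approved']} after effective {row['effective']}"))
        for ref_id, cited in sorted(row["refs"].items()):
            current = register.get(ref_id)
            if current is None:
                findings.append((doc_id, "UNKNOWN_REFERENCE", ref_id))
            elif current["version"] != cited:
                findings.append((doc_id, "STALE_REFERENCE",
                                 f"{ref_id} cited v{cited}, current v{current['version']}"))
    return findings

if __name__ == "__main__":
    for finding in check_register(REGISTER):
        print(" | ".join(finding))
    print("DCR impact list for FRM-QA-015:", referencing(REGISTER, "FRM-QA-015"))
```

Run against an export of the real register before each release, the same check blocks a change set whose effective dates or cited versions are out of step.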
Common Audit Findings in Document Control
1. Obsolete documents accessible to users. The most cited finding globally. Obsolete revisions left in shared drives, email attachments, or local desktop folders. Mitigation: enforce a single source of truth; archive immediately on release of new version; audit shared drives quarterly.
2. No evidence of periodic review. Document headers show "Review date: annually" but no review records exist. A reviewed-and-unchanged document must still produce a record showing who reviewed it, when, and what conclusion was reached.
3. Approved-by signatures undated. An approval signature without a date cannot demonstrate that the document was approved before it was issued or used. Electronic QMS systems that timestamp approvals automatically eliminate this finding.
4. Revision history missing rationale. "Updated section 4.3" is not sufficient. Auditors expect a brief description of what changed and why — especially when the change is CAPA-driven. The rationale links the document system to the corrective action system.
5. Training records not linked to document changes. Releasing a new document version without evidence that affected personnel were trained on the changes is a §6.2 finding (competence), often raised in conjunction with the document control finding.
Electronic QMS Considerations
21 CFR Part 11 applicability: If your device is subject to FDA oversight and you use electronic records and electronic signatures to satisfy FDA record-keeping requirements, Part 11 applies. Key requirements: audit trail that records who made each entry and change, with date and time; the ability to reconstruct prior record states; electronic signatures that are attributable to an individual and cannot be repudiated.
What Part 11 does not require: A validated QMS software product is not mandatory. A configured SharePoint instance with documented validation testing, access controls, audit logging, and a system administrator procedure can satisfy Part 11. The burden is on the organization to document the validation.
Audit trail minimum requirements: Every controlled document must have a record of: who created it, who approved it, when each action occurred, and what changed in each revision. Systems that allow post-hoc editing of records without leaving a trace are non-compliant.
Electronic signature validity: Under Part 11, an electronic signature must be linked to the record it signs, executed only by the signature's owner, and accompanied by the meaning of the signature (e.g., "Approved," "Reviewed"). A checkbox or free-text name field does not constitute an electronic signature.
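To make "editing without leaving a trace" concrete, here is an added example (not SharePoint functionality, not code from the skill, and not something Part 11 prescribes): a hash-chained audit trail in Python where each entry records who acted, the meaning of the action, and a digest of the exact document content, so a later edit to any entry is detectable. User names, timestamps and document text are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash value for the first entry

def _digest(entry):
    # Hash every field except the stored hash itself, in a stable key order.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append(trail, user, meaning, doc_no, version, content, when):
    """Add an entry bound to the previous entry and to the document bytes."""
    entry = {
        "user": user, "meaning": meaning, "doc_no": doc_no,
        "version": version, "when": when,
        "content_sha256": hashlib.sha256(content).hexdigest(),
        "prev_hash": trail[-1]["entry_hash"] if trail else GENESIS,
    }
    entry["entry_hash"] = _digest(entry)
    trail.append(entry)
    return entry

def first_broken(trail):
    """Index of the first altered or re-ordered entry, or None if intact."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        if entry["prev_hash"] != prev or entry["entry_hash"] != _digest(entry):
            return i
        prev = entry["entry_hash"]
    return None

def approval_covers(trail, doc_no, version, content):
    """True only if an 'Approved' entry exists for these exact bytes."""
    want = hashlib.sha256(content).hexdigest()
    return any(e["meaning"] == "Approved" and e["doc_no"] == doc_no
               and e["version"] == version and e["content_sha256"] == want
               for e in trail)

def demo():
    trail = []
    text = b"Complaint Handling Procedure v2.0 (constructed sample text)"
    append(trail, "author1", "Created", "QP-QA-001", "2.0", text, "2024-02-20T09:00:00Z")
    append(trail, "qmr1", "Approved", "QP-QA-001", "2.0", text, "2024-02-26T14:30:00Z")
    intact = first_broken(trail)
    trail[1]["when"] = "2024-02-19T14:30:00Z"  # post-hoc backdating of the approval
    return intact, first_broken(trail), approval_covers(trail, "QP-QA-001", "2.0", text + b" edited")

if __name__ == "__main__":
    print(demo())
```

A chain only proves integrity relative to its latest hash, so that value has to be recorded somewhere the people who can edit the trail cannot also rewrite.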