Creation, review, approval, distribution. Every document control audit failure traces to one of these four pillars. Here's how to build all four correctly — including the obsolete document step everyone skips.
Document control is not a system. It is a discipline built on four activities that must all work reliably: creating documents correctly, reviewing them adequately, approving them appropriately, and distributing them so operators use the current version.
Organizations that fail document control audits almost always fail one or more of these four activities specifically. Understanding which pillar is weak tells you where to focus improvement effort.
A document enters the control system at creation. The quality of that entry determines how much work the rest of the system must do.
Documents created with ambiguous language, missing specifications, or inconsistent formatting create ongoing problems for reviewers, operators, and document controllers. Every ambiguity that passes through creation becomes a question in the field, a deviation in the process, or a finding in an audit.
Document creation standards should define minimum content requirements: what information must be present for each document type, what level of specificity is required for procedural steps, what formatting conventions apply, and who is authorized to author each type of document.
The most valuable creation standard is specificity: every procedure step that includes a parameter must include the specific value, the unit, and the tolerance. "Torque to spec" is not a compliant procedural step. "Torque to 45 plus or minus 2 N-m" is.
The most common creation failure is not missing information — it is ambiguous information that looks complete. A step that says "install per drawing" appears to have a reference. Whether that reference is sufficient depends on whether an operator at the workstation can execute the step without locating the drawing. If they cannot, the step is inadequately documented.
Review is where content errors are supposed to be caught. In practice, review is often the weakest pillar — not because reviewers lack expertise, but because the review process lacks structure.
An unstructured review produces inconsistent results. One reviewer catches ambiguous language. Another approves without reading carefully. A third returns the document with stylistic suggestions but misses a missing specification.
Structured review means a defined checklist. The checklist should include: are all specifications present and specific? Does the procedure reflect the current drawing revision? Are all safety warnings present and correctly classified? Does the procedure reflect how the process is actually performed? Has an operator reviewed it for clarity?
This last item — operator review — is the step most often omitted from engineering-led document review processes. An operator who reviews a procedure before release will identify ambiguities that the engineer missed because the engineer already knows the answer. The operator does not.
Approval is a gate, not a rubber stamp. The approval signature means that someone with appropriate authority has confirmed the document is ready for release and that the process it describes is authorized to be performed.
Common approval failures:
The most problematic approval failure from an audit perspective is finding procedures in active use that have no evidence of approval — no signature, no approval block, no workflow record. These documents look controlled but are not. They generate findings regardless of content quality, because the finding is about the control process, not the content.
Distribution is where good documents go bad. A procedure can be technically correct, thoroughly reviewed, and properly approved — and still cause nonconformances if operators work from an earlier revision.
Effective distribution requires two things: ensuring current documents reach the point of use, and ensuring superseded documents are removed from use at the same time.
Most organizations are better at the first than the second. They release new revisions. They may distribute them to appropriate workstations. But they do not verify that the old revision was removed before the new one was placed, and they have no mechanism for confirming that uncontrolled copies — in binders, on shared drives, in personal files — are not still in use.
Point-of-use verification is the practice of confirming, at the workstation, that the procedure being used is current. For paper systems, a master revision list posted where operators can check it satisfies this requirement at minimal cost. For electronic systems, operators must access documents through a controlled system that only serves current revisions.
The most common major finding in manufacturing quality audits. The procedure says one thing. The process does another. The gap is usually a small engineering change that updated the drawing but not the work instruction, or an informal process improvement that never made it into the formal document.
The fix requires a systematic review cycle — procedures reviewed on a defined interval against current drawings and specifications — rather than reactive updates triggered only by obvious changes.
Organizations release new revisions without systematically removing old ones. Operators work from superseded documents. This pattern appears in the audit record as "document found in use does not reflect current approved revision" — a citation that generates corrective actions with short completion deadlines.
Shared drives are not document control systems. If operators can modify procedure files, save new versions, or access superseded revisions, the integrity of documented information is not maintained regardless of what the document control procedure says.
Electronic document management has real advantages: version enforcement, audit trails, searchability, and controlled distribution that prevents unauthorized copies. For facilities with large procedure libraries, multiple production areas, and complex revision histories, electronic systems are clearly superior.
Electronic systems also have practical failure modes. Systems go offline. Tablets at workstations need charging. Operators who are accustomed to physical procedures may print electronic ones anyway — recreating the uncontrolled copy problem the system was meant to solve. And electronic systems that create friction are worked around.
Paper-based systems can be made to work with disciplined process execution. The four pillars apply regardless of medium. A well-run paper document control system that consistently executes all four pillars beats a poorly run electronic system that has gaps in any one of them.
An auditor reviewing your document control procedure is looking for two things: evidence that the procedure is complete and evidence that it is followed.
A procedure that describes every required activity in detail but shows no evidence of consistent execution generates a finding. A procedure that is simple, clear, and consistently executed does not.
Principles that make a document control procedure audit-ready:
Describe what actually happens. A procedure that prescribes a fourteen-step review process that no one follows is worse than a six-step process that is consistently used. Write the procedure for the system you operate, not the system you aspire to.
Define responsibility explicitly. Every step in the process should have a named role. "Someone reviews the document" is not a controlled process. "The document owner and one independent reviewer from the relevant process team review the document" is.
Include timelines. How quickly must superseded documents be removed? How soon after approval must documents reach active workstations? Defined timelines create accountability and give auditors evidence of process performance.
Address exceptions. What happens when a procedure needs urgent revision and the standard review timeline cannot be met? An undocumented exception process used in practice is a finding even if the outcome was correct.
Every document control procedure includes a section on obsolete document handling. Almost every manufacturing organization has obsolete documents in active use somewhere.
The gap between policy and practice on obsolete documents is persistent because obsolescence handling is the step that happens after release. The release of a new revision generates action. Removing the old revision requires a separate, intentional act that is easy to defer.
Systematic obsolete document control requires building removal into the release process as a required step, not an optional follow-on. A new revision is not considered released until the completion of removal activities for the superseded version is verified and documented. These are two required steps in the same process — not two separate processes.
Coplain helps you create and maintain controlled work instructions that stay current without the overhead. Built for ISO, AS9100, and FDA environments. Free trial at coplain.com.
Coplain turns any work instruction into a print-ready, audit-proof job aid in minutes.
Try Coplain free →