ISO/IEC 17025 Document Control: A Practical Guide for Testing Labs

Document control is one of the most frequently cited areas in NATA and NABL assessments — not because it's technically complex, but because most labs underestimate how much ongoing discipline it requires when managed manually. ISO/IEC 17025 Clause 8.3 sets out what "controlled" means: documents must be uniquely identified, reviewed and approved before use, protected from unintended alteration, and obsolete versions must be withdrawn. Each of those requirements is straightforward individually. Together, they create an ongoing administrative load that paper-based and email-based systems handle badly.

What ISO/IEC 17025 Clause 8.3 Actually Requires

The standard requires that the laboratory control all documents that form part of its management system. This includes:

• Test procedures and methods (both internal and external standards referenced)
• Standard Operating Procedures (SOPs) for technical and quality activities
• The Quality Manual and any quality policy documents
• Work instructions, forms, and checklists used in testing activities
• External documents (national standards, customer specifications) referenced in procedures

For each of these, Clause 8.3 requires the laboratory to have a process for: approving documents before first use, reviewing and re-approving when updated, identifying changes and current revision status, ensuring only current versions are available at points of use, and preventing unintended use of obsolete documents.

Where Document Control Breaks Down

The shared drive problem

Most labs store their procedures on a shared network drive or cloud folder. The problem is version control: when someone updates a procedure and saves it with a new date, there's no formal process to ensure the old version is removed, that affected staff are notified of the change, and that they've acknowledged reading it. The old version may still be open on someone's desktop. A printed copy from three months ago may still be at the bench.

The email approval chain

Routing documents for approval via email creates approval records — sort of. The email thread confirms that someone reviewed the document. It doesn't confirm which version was reviewed, whether the reviewer's comments were incorporated, or when the document was formally released. Rebuilding that audit trail under assessment pressure, across months of email history, is painful.

External standards revision tracking

Your procedures reference external standards — AS, ASTM, ISO, EN. When those standards are updated, your procedures may need to be updated too. Most labs have no systematic process to check whether the external standards they reference have been revised. A procedure referencing a withdrawn standard is a finding.

Building a Compliant Document Control System

Unique identification and version numbering

Every controlled document should have a unique identifier (document number) and a revision number or date. The identifier stays constant; the revision number increments with each approved change. This makes it immediately clear which version of a document someone is looking at, and whether it's current.

Formal approval workflow

Document approval should follow a defined workflow: author creates or amends the document → technical reviewer checks content → quality manager or authorized person approves → document is released and previous version is archived. This workflow should leave a clear record at each step: who reviewed, who approved, and when.

Controlled distribution and acknowledgement

When a document is released or updated, the relevant staff should be notified and required to acknowledge that they've read the new version. This acknowledgement record is what an assessor needs to confirm that your team is working to current procedures — not the ones printed two years ago.

Obsolete document management

Obsolete versions should be archived (not deleted — you may need them for historical reference) and clearly marked as obsolete so they can't be accidentally used. In a digital system, this happens automatically when a new version is approved. In a shared drive, it requires manual discipline that is regularly forgotten. Failure here is consistently one of the top 5 non-conformances found in lab assessments.

The Case for a Digital Document Management System

The reason purpose-built laboratory management software handles document control better than a shared drive isn't complexity — it's automation. When approval workflows are built into the system:

• Documents can only be released after the defined approval steps are completed
• Previous versions are automatically archived when a new version is approved
• Staff are notified automatically and acknowledgement is tracked
• The assessor can pull the complete history of any document — all versions, all approval records, all acknowledgements — in seconds

The administrative burden of document control doesn't disappear, but it becomes a managed process rather than a manual one that falls apart under the pressure of day-to-day laboratory operations. This is one of the first processes labs should automate as part of a broader QMS automation strategy.

Common Document Control Findings (and How to Avoid Them)

• Outdated procedure in use — Fix: digital controlled distribution with automatic obsolete archiving
• No approval record for a current document — Fix: formal approval workflow with system-recorded sign-off
• Staff using a procedure they haven't acknowledged reading — Fix: acknowledgement tracking in your document system
• External standard referenced that has been superseded — Fix: annual review of external standards referenced in procedures, documented in management review
• Document revision history incomplete — Fix: record amendment reason and summary of changes in each document revision