Revision-Controlled SOPs, Work Instructions, Policies, and Quality Records — with Approval Workflows, Training Acknowledgment, and Audit-Ready Evidence on AWS
Controlled documents are the foundation of quality management. Standard operating procedures, work instructions, specifications, policies, forms, templates, and quality records — these are the documents that define how the organisation operates, how products are made, how services are delivered, and how compliance is maintained. When a quality auditor asks "show me that this process is documented, that the document is current, that the right people have been trained on it, and that the previous version is still accessible" — the organisation's ability to answer determines whether the audit produces a clean report or a corrective action.
The defining characteristic of a controlled document is that it must go through a formal lifecycle: drafted, reviewed, approved, published, distributed, acknowledged, periodically reviewed, revised through the same approval process, and retired with the prior version preserved. This lifecycle is mandated by ISO 9001, ISO 13485, ISO 14001, ISO 27001, GMP/GxP regulations, FDA 21 CFR Part 11, and every other quality and regulatory framework that governs documented information.
Yet most organisations manage controlled documents through a combination of shared drives, SharePoint sites, wiki platforms, and standalone quality management software — none of which provide the full controlled document lifecycle within a governed platform that also manages quality records, training documentation, audit evidence, and corrective action records. FormKiQ provides controlled document management and quality records governance within a single platform — deployed into your own AWS account, with the revision control, approval workflows, training acknowledgment tracking, audit evidence production, and retention management that quality and regulatory frameworks require.
What Is a Controlled Document?
Not every document in an organisation is a controlled document. The distinction matters because controlled documents carry specific governance obligations that general business documents do not:
| | General Business Document | Controlled Document |
|---|---|---|
| Creation | Created by anyone; informal process | Authored by a designated owner; formal drafting process |
| Review | Optional; informal feedback | Mandatory review by defined reviewers (subject matter experts, quality, regulatory) |
| Approval | Optional or informal | Formal approval by authorised approver(s) before the document can be used |
| Publication | Saved to a shared drive or emailed | Published through a controlled process; effective date recorded; superseded version withdrawn from active use |
| Distribution | Available to anyone with folder access | Distributed to specific audiences; distribution records maintained |
| Training | Not tracked | Training and/or acknowledgment tracked per individual; evidence of training retained |
| Revision | Edited freely | Revised through the same review-and-approval process as the original; revision history maintained |
| Retirement | Deleted or forgotten | Formally retired with approval; prior versions retained for reference; retirement date and reason recorded |
| Retention | Ad hoc | Governed by retention policy; retained for defined period after retirement; producible for audit |
The Controlled Document Lifecycle
FormKiQ supports the full controlled document lifecycle as defined by ISO 9001 and related quality management standards:
| Lifecycle Stage | What Happens | FormKiQ Governance |
|---|---|---|
| Initiation | Document owner identifies the need for a new or revised controlled document | Document request workflow; metadata capture (document type, owner, department, regulatory reference, target audience) |
| Drafting | Document owner or designee creates the content | Document creation with version control from first draft; metadata schema enforcing required fields |
| Review | Designated reviewers assess the document for technical accuracy, regulatory compliance, and operational feasibility | Multi-reviewer workflow with role-based assignment; reviewer comments captured; review cycle tracking |
| Approval | Authorised approver(s) formally approve the document for use | Configurable approval workflow with eSignature; approval decision audit-logged with approver identity and timestamp |
| Effective dating | The document is assigned an effective date — the date from which it governs the process | Effective date metadata; future-dated documents held until the effective date |
| Publication | The approved document is made available for use; the prior version is superseded | Current version published and clearly identified; superseded version withdrawn from active distribution but retained in version history |
| Distribution | The document is distributed to the people it applies to | Targeted distribution by role, department, location, or function; distribution records captured |
| Training / acknowledgment | Recipients complete training on the document and/or sign an acknowledgment of receipt and understanding | Individual eSignature acknowledgment with timestamp; training completion tracking; completion dashboards with follow-up automation |
| Active use | The document governs the process; staff reference it during operations | Full-text and metadata search; current version always identifiable; access audit trail |
| Periodic review | The document is reviewed at defined intervals to confirm it remains current and accurate | Automated review reminders at configurable intervals; review workflow initiated on schedule; review outcomes documented (confirmed, revised, retired) |
| Revision | The document is updated; the revision goes through the same review-approval-publication cycle | New version created; revision follows the full lifecycle; prior version retained with complete history |
| Retirement | The document is no longer applicable; it is formally withdrawn from use | Retirement workflow with approval; retired document clearly marked as non-current; retained in archive for reference; retirement date and reason recorded |
| Retention | Retired documents retained per quality and regulatory requirements | Configurable retention from retirement date; archival to cost-optimised S3 storage; documents remain searchable and producible for audit |
Controlled Document Types
Procedural Documents
| Document Type | Description | Governance Characteristics |
|---|---|---|
| Standard operating procedures (SOPs) | Step-by-step instructions for routine operational processes | Training required for all personnel performing the procedure; periodic review (typically annual); revision triggers retraining |
| Work instructions | Detailed instructions for specific tasks — more granular than SOPs | Training required for task performers; frequently revised as processes change; linked to the parent SOP |
| Methods and protocols | Documented methods for testing, analysis, sampling, calibration, or measurement | Validation evidence required; change control for method changes; regulatory submission reference |
| Batch records and manufacturing procedures | Instructions for producing specific products or batches | Executed copies become quality records; deviations documented against the controlled version |
| Maintenance procedures | Instructions for equipment maintenance, calibration, and qualification | Linked to equipment records; maintenance completion documented against the procedure |
Forms, Templates, and Specifications
| Document Type | Description | Governance Characteristics |
|---|---|---|
| Controlled forms | Forms used to capture quality data — inspection checklists, deviation reports, CAPA forms, audit checklists | Form template is the controlled document; completed forms become quality records |
| Specifications | Product specifications, material specifications, packaging specifications, testing specifications | Revision-controlled; linked to products, materials, or processes they govern; change control for specification changes |
| Templates | Approved templates for reports, certificates, labels, or other standardised outputs | Template is the controlled document; outputs generated from the template inherit the template version reference |
| Drawings and diagrams | Engineering drawings, process flow diagrams, facility layouts, equipment diagrams | Revision-controlled with visual versioning; linked to equipment, facilities, or processes |
Reference Documents
| Document Type | Description | Governance Characteristics |
|---|---|---|
| Regulatory guidance and standards | External regulatory documents, standards, and guidance referenced by internal procedures | Tracked for updates; internal procedures linked to the specific version referenced; notification when external documents are revised |
| Safety data sheets (SDS) | Hazardous material safety information — externally authored but internally controlled | Version tracking; distribution to relevant personnel; accessible to workers and emergency responders |
| Customer requirements | Customer-specific requirements, specifications, or quality agreements | Revision tracking; linked to customer contracts and applicable procedures |
Quality Records
Quality records are distinct from controlled documents — they are the evidence that controlled documents were followed. A controlled document tells you what to do; a quality record proves you did it. FormKiQ manages quality records alongside controlled documents within the same governance framework:
| Quality Record Type | What It Evidences | FormKiQ Governance |
|---|---|---|
| Completed forms and checklists | That inspections, tests, and checks were performed as specified | Classified by form template version; linked to the controlled procedure; immutable after completion |
| Training records | That personnel were trained on applicable procedures | Training completion per individual per controlled document; acknowledgment records with timestamps |
| Calibration records | That equipment was calibrated and qualified per procedure | Linked to equipment records and calibration procedures; certificate expiry tracking |
| Deviation and nonconformance records | That deviations from controlled procedures were documented, investigated, and resolved | Deviation workflow with investigation, root cause analysis, and resolution tracking |
| CAPA records | That corrective and preventive actions were identified, implemented, and verified for effectiveness | CAPA workflow from identification through implementation and effectiveness verification; linked to the originating deviation or audit finding |
| Audit records | That internal and external audits were planned, conducted, and findings addressed | Audit programme management; finding tracking; corrective action linkage |
| Management review records | That management reviewed the QMS at planned intervals | Management review minutes with decisions and action items; attendance tracking |
| Change control records | That changes to controlled documents, processes, or systems followed the defined change control procedure | Change request, impact assessment, approval, implementation evidence, and effectiveness review |
| Supplier quality records | That suppliers were evaluated, qualified, and monitored | Supplier qualification documentation; audit reports; corrective action tracking; linked to vendor records |
| Complaint and investigation records | That customer or product complaints were documented, investigated, and resolved | Complaint intake, investigation, root cause, corrective action, response, and closure |
Training and Acknowledgment Tracking
Training is the bridge between controlled documents and operational compliance. If staff are not trained on the current version of a procedure, the document exists but the control doesn't. FormKiQ tracks training and acknowledgment at the individual-document-and-individual-person level:
| Training Capability | Description |
|---|---|
| Per-document training requirements | Each controlled document specifies whether training is required and which roles must be trained |
| Training on publication | When a new or revised controlled document is published, training workflows are automatically triggered for the applicable audience |
| Individual acknowledgment | Each person signs an individual eSignature acknowledgment specific to the document version they were trained on — with timestamp and signer identity |
| Completion tracking | Dashboards show training completion by document, department, location, and individual — with identification of personnel who are overdue |
| Automated reminders | Personnel who have not completed training receive automated reminders at configurable intervals |
| Retraining on revision | When a controlled document is revised, retraining workflows are automatically triggered — personnel acknowledge the new version |
| Training as quality record | Each signed acknowledgment is stored as a governed quality record — retained per the quality records retention policy, producible for audit |
Change Control
Change control ensures changes to controlled documents (and to the processes, systems, and equipment they govern) are evaluated, approved, and documented before implementation:
| Change Control Step | What Happens | FormKiQ Governance |
|---|---|---|
| Change request | Someone identifies a need to change a controlled document, process, or system | Change request workflow; metadata capture (what's changing, why, who requested, impact category) |
| Impact assessment | The proposed change is assessed for impact on quality, regulatory compliance, safety, and other controlled documents | Impact assessment template; multi-stakeholder review; linked to affected documents |
| Approval | The change is approved by authorised parties — document owner, quality, regulatory, management | Approval workflow with audit-logged decision; approval authority based on impact level |
| Implementation | The change is implemented — document revised, process updated, personnel retrained | Revised document follows the controlled document lifecycle; retraining triggered; implementation evidence collected |
| Effectiveness review | After implementation, the change is reviewed to confirm it achieved the intended outcome without adverse effects | Scheduled follow-up workflow; effectiveness evidence documented; linked to the original change request |
Regulatory Framework Alignment
| Framework | Controlled Document Requirements | FormKiQ Capabilities |
|---|---|---|
| ISO 9001:2015 | Clause 7.5 — documented information must be created, updated, and controlled; appropriate identification, format, review, and approval; protected, distributed, and retained | Full controlled document lifecycle; version control; approval workflows; distribution tracking; retention |
| ISO 13485:2016 | Medical device QMS documentation; document control per Clause 4.2.4; quality records per Clause 4.2.5 | Controlled document lifecycle; quality records governance; training tracking; CAPA management |
| ISO 14001:2015 | Environmental management system documented information; operational control procedures | Controlled procedure management; environmental records; training acknowledgment |
| ISO 27001:2022 | ISMS documented information per Clause 7.5; controlled policies, procedures, and records | See also ISO 27001 Document Management on AWS |
| FDA 21 CFR Part 11 | Electronic records and electronic signatures; audit trail integrity; access controls | eSignature for approvals and acknowledgments; document-level audit trail; ABAC access controls |
| FDA 21 CFR Part 820 / EU MDR | Medical device quality system regulation; design controls; production and process controls | Device master record management; design history file; production records |
| GxP (GLP, GCP, GMP) / EU GMP Annex 11 | Good practice documentation across laboratory, clinical, and manufacturing environments; electronic records and data integrity | Controlled SOPs; quality records; training evidence; deviation and CAPA management; audit trail; access controls; version control |
| ISO/IEC 17025 | Laboratory quality management — document control, records, method validation | Controlled methods and procedures; calibration records; test records; uncertainty documentation |
| AS9100 / IATF 16949 | Aerospace and automotive quality management — document control and quality records | Controlled document lifecycle; quality records; supplier quality documentation; APQP/PPAP documentation |
| GFSI schemes (BRC, SQF, FSSC 22000) / ISO 22000 | Food safety management documentation; HACCP documentation; prerequisite programme records | HACCP documentation management; food safety procedure control; supplier qualification records |
Who Uses Quality and Controlled Documents on AWS
| Industry | Controlled Document Needs | Key Drivers |
|---|---|---|
| Pharmaceutical and biotechnology | SOPs, batch records, validation protocols, regulatory submissions, clinical documentation | FDA, EMA, Health Canada, TGA GMP requirements; data integrity; regulatory inspection readiness |
| Medical devices | Design control documentation, device master records, quality system procedures, complaint handling | FDA 21 CFR Part 820, ISO 13485, EU MDR/IVDR |
| Manufacturing | Production procedures, quality inspection records, supplier qualification, change control, equipment maintenance | ISO 9001, AS9100, IATF 16949; customer quality requirements |
| Laboratories | Test methods, calibration procedures, analytical records, method validation, equipment qualification | ISO/IEC 17025, GLP; accreditation requirements |
| Healthcare | Clinical procedures, infection control protocols, credentialing documentation, incident reporting | Clinical governance, accreditation (JCI, ACHS, CQC), patient safety |
| Food and beverage | HACCP documentation, food safety procedures, supplier qualification, sanitation records | GFSI schemes (BRC, SQF, FSSC 22000), ISO 22000, HACCP |
| Chemical and petrochemical | Process safety procedures, environmental procedures, laboratory methods, safety data management | Process safety management, environmental compliance, GHS/REACH/WHMIS |
| Aerospace and defence | Configuration management, manufacturing procedures, quality records, traceability documentation | AS9100, NADCAP, defence contract quality requirements |
| Technology | Information security procedures, change management, incident response, software development procedures | ISO 27001, SOC 2, SDLC documentation |
FormKiQ Editions for Quality and Controlled Documents
| Capability | Core | Essentials | Advanced | Enterprise |
|---|---|---|---|---|
| Document Storage (S3) & API | ✓ | ✓ | ✓ | ✓ |
| Tagging, Search & Classification | ✓ | ✓ | ✓ | ✓ |
| OCR (Tesseract) | ✓ | ✓ | ✓ | ✓ |
| OCR & IDP (Textract) | | ✓ | ✓ | ✓ |
| SSO (SAML — Entra, Google, Auth0) | | ✓ | ✓ | ✓ |
| Workflows, Queues & Rulesets | | ✓ | ✓ | ✓ |
| Encryption (KMS — in-transit & at-rest) | | ✓ | ✓ | ✓ |
| Document Control & Versioning | | ✓ | ✓ | ✓ |
| Antivirus & Anti-Malware | | ✓ | ✓ | ✓ |
| AI Processing & Analysis (Bedrock) | | | ✓ | ✓ |
| Document Generation | | | ✓ | ✓ |
| eSignature (approvals & acknowledgments) | | | ✓ | ✓ |
| Document Gateway Modules | | | ✓ | ✓ |
| Enhanced Full-Text Search (OpenSearch) | | | ✓ | ✓ |
| Multi-Instance & Multi-Region Licensing | | | ✓ | ✓ |
| Vendor-Managed & Hybrid Deployment | | | | ✓ |
| Custom SLAs & Compliance Consulting | | | | ✓ |
| Support | Community | 2-business-day SLA | Private Slack + 40 hrs onboarding | 8-business-hour SLA + strategic support |
Deployment Models
| Model | Description | Availability |
|---|---|---|
| Customer-Managed AWS | Deploys directly into your AWS account via CloudFormation. Full control of infrastructure, networking, encryption keys, and operations. | All editions |
| Vendor-Managed | FormKiQ manages the AWS infrastructure on your behalf — deployment, updates, and operational support. | Enterprise |
| Hybrid | You retain control of specific components (encryption keys, network config) while delegating operational management to FormKiQ. | Enterprise |
Every deployment is a dedicated, isolated instance. FormKiQ does not operate a shared multi-tenant environment.
Getting Started
FormKiQ Core can be deployed to your AWS account in fifteen to twenty minutes. Quality and controlled document capabilities — including revision-controlled workflows, eSignature approvals and acknowledgments, training tracking, AI-powered classification, and quality records management — are available on FormKiQ Advanced and Enterprise.
Frequently Asked Questions
What is a controlled document?
A controlled document is a document that must go through a formal lifecycle — drafting, review, approval, publication, distribution, training, periodic review, revision, and retirement — with version control, approval evidence, and training records maintained throughout. Controlled documents include SOPs, work instructions, policies, specifications, forms, and templates. They are distinguished from general business documents by their governance requirements: every version is tracked, every approval is documented, every training event is recorded, and every change goes through a defined change control process.
How is this different from the Policy and Procedure Management page?
The Policy and Procedure Management page focuses on organisational policies — governance policies, HR policies, IT policies, compliance policies — and their distribution and acknowledgment lifecycle. This page focuses on quality and regulated controlled documents — SOPs, work instructions, specifications, batch records, quality records, training evidence, CAPA records, and audit documentation — addressing the additional requirements of quality management frameworks including quality records management, change control, deviation and CAPA tracking, and supplier quality documentation.
Does FormKiQ support FDA 21 CFR Part 11?
FormKiQ provides the technical controls that 21 CFR Part 11 requires for electronic records and electronic signatures: eSignature with signer identification and timestamp for document approvals and acknowledgments; document-level audit trails recording every creation, modification, access, and approval event; ABAC access controls enforcing role-based permissions; version control protecting the integrity of each document version; and KMS encryption protecting records at rest and in transit. All of these controls operate within the organisation's own AWS account.
How does FormKiQ handle training on controlled documents?
When a new or revised controlled document is published, training workflows are automatically triggered for the applicable audience (defined per document by role, department, or function). Each person signs an individual eSignature acknowledgment specific to the document version they were trained on. Training completion is tracked per individual per document, with dashboards showing completion status and automated reminders for overdue training. Each signed acknowledgment is stored as a governed quality record — retained per policy and producible for audit.
Can FormKiQ manage both controlled documents and quality records?
Yes. FormKiQ manages controlled documents (the procedures and instructions that define how work is done) and quality records (the evidence that work was done according to those procedures) within the same platform. Completed forms reference the controlled form template version they were generated from. Training records reference the controlled document version the person was trained on. Deviation records reference the controlled procedure that was deviated from. This linkage ensures traceability between what the organisation said it would do and what it actually did.
Does FormKiQ support ISO 9001 Clause 7.5?
ISO 9001 Clause 7.5 requires that documented information is created, updated, and controlled — with appropriate identification, format, review, approval, distribution, access, retrieval, storage, preservation, change control, retention, and disposition. FormKiQ's controlled document lifecycle provides all of these capabilities: metadata identification, configurable review and approval workflows, controlled distribution with acknowledgment, ABAC access controls, full-text search and retrieval, S3 preservation with archival tiering, version-controlled change management, and configurable retention with defensible disposition.