Device History Record (DHR) content requirements and scattered Part 820 records controls — substance largely preserved under ISO 13485 4.2.5 and QMSR 820.35.
Single unified records management procedure required; Medical Device File (4.2.3) and records control (4.2.5) must be structurally distinct from each other.
Unified records procedure coverage and demonstrated record retrievability — organizations without an overarching records SOP fail the ISO 13485 structural test.
Maps to
QMSR / ISO 13485: §820.180 General requirements.
ISO 13485: §4.2.5 Control of records
FDA QMSR (2026): §820.35 Control of records., §820.10 (incorporates ISO 13485 § 4.2.5)
Requirement text
Records shall be maintained to provide evidence of conformity to requirements and of the effective operation of the quality management system.
Why this clause exists
This atom captures the ISO 13485:2016 § 4.2.5 foundation requirement for records control as a distinct layer from the QMSR 820.35 FDA-specific overlay addressed in REQ-QMSR-820.35 — the two provisions are complementary, with ISO 13485 establishing the principle and QMSR adding FDA-specific retention minimums, UDI requirements, and service record content. The requirement that records provide evidence of conformity to requirements and of effective QMS operation defines their purpose: they are not filing artifacts but the evidentiary foundation on which compliance claims rest. Without legible, retrievable, and durable records, conformance to every other QMS requirement is unverifiable — a CAPA that was thoroughly executed but whose records have deteriorated, been lost, or cannot be retrieved within a reasonable time at inspection effectively did not happen from a regulatory perspective. Storage conditions and protection requirements are not generic good-practice: the expected device lifetime for implantable devices can exceed two decades, meaning records that are stored in conditions that allow deterioration will have degraded long before the retention period expires. The legibility requirement throughout the retention period is equally active: a record that was legible when created but is faded, corroded, or stored in a deprecated format at year ten is noncompliant even though the record physically exists.
What changed
§820.184 — Part 820 (legacy)
"Each manufacturer shall maintain device history records (DHR's). Each manufacturer shall establish and maintain procedures to ensure that DHR's for each batch, lot, or unit are maintained to demonstrate that the device is manufactured in accordance with the DMR and the requirements of this part. The DHR shall include, or refer to the location of, the following information: The dates of manufacture; The quantity manufactured; The quantity released for distribution; The acceptance records which demonstrate the device is manufactured in accordance with the DMR; The primary identification label and labeling used for each production unit; and Any unique device identifier (UDI) or universal product code (UPC), and any other device identification(s) and control number(s) used."
§4.2.5 — ISO 13485:2016 (current)
"Records shall be maintained to provide evidence of conformity to requirements and of the effective operation of the quality management system. The organization shall document procedures to define the controls needed for the identification, storage, security and integrity, retrieval, retention time and disposition of records. The organization shall define and implement methods for protecting confidential health information contained in records in accordance with the applicable regulatory requirements. Records shall remain legible, readily identifiable and retrievable. Changes to a record shall remain identifiable. The organization shall retain the records for at least the lifetime of the medical device as defined by the organization, or as specified by applicable regulatory requirements, but not less than two years from the medical device release by the organization."
Δ ISO 13485's records control clause adds security/integrity controls, confidential health information protection, and a requirement that record changes remain identifiable — none present in the DHR requirements.
Common gaps (what we see in audits)
- No Unified Records Management Procedure — Records requirements are embedded within individual SOPs (training SOP says 'maintain training records,' CAPA SOP says 'maintain CAPA records') but there is no overarching procedure defining how records are identified, stored, protected, retrieved, retained, and disposed of across the entire QMS.
- Medical Device File Concept Not Implemented — The organization maintains a Device History Record (production batch records) per Part 820.184 but does not have a Medical Device File per ISO 13485 4.2.3 that compiles or references all documents for a device type — design specifications, verification/validation records, labeling, risk management file, and production process descriptions.
- Record Retrieval Not Demonstrated — Records exist but cannot be reliably retrieved within a reasonable timeframe. Paper records are filed inconsistently, electronic records are spread across multiple systems without a search mechanism, and there is no defined retrieval process or target retrieval time.
- Records not 'Readily Retrievable' — Records are stored in a 'remote warehouse' or 'offline drive' that takes 24+ hours to retrieve. ISO 13485 §4.2.5 requires them to be 'readily retrievable' (usually within 1-2 hours for an audit).
- Missing retention rationale — The QMS states 'Retain for 5 years' but doesn't define the 'Lifetime of the device' as a baseline. ISO 13485 §4.2.5 requires the retention period to be linked to the device lifetime.