Record identification, protection, retrieval, retention, and disposition controls — ISO 13485 4.2.5 baseline carries forward.
QMSR 820.35 FDA-plus layer adds UDI in complaint and service records, and retention periods tied to device lifetime — not covered by ISO 13485 alone.
UDI in complaint records and retention period adequacy — companies that set retention using ISO 13485 minimums alone are frequently out of compliance.
Maps to
QMSR / ISO 13485: §820.180 General requirements.
ISO 13485: §4.2.5 Control of records
Requirement text
Records required by the QMS shall be controlled. A documented procedure shall define controls for identification, storage, protection, retrieval, retention time, and disposition.
Why this clause exists
Records control is the foundation of auditability: every quality system requirement generates records, and those records must be retrievable, legible, and authentic to serve as evidence of conformance during regulatory inspections, customer audits, or post-market reviews. The specific retention floor under QMSR 820.35 — the expected lifetime of the device, but not less than two years from date of commercial distribution — reflects the temporal mismatch between device use and regulatory review: adverse events and liability claims often surface years after distribution, and records that have been disposed of prematurely cannot support investigation or defense. The removal of the 820.180(c) audit records exemption under QMSR means that internal audit reports, previously shielded from FDA inspection, are now fully subject to records control and agency review — a meaningful expansion of the records subject to 820.35 controls. Electronic record protection requirements — audit trail capability, protection against unauthorized access or alteration — close the gap that electronic systems otherwise introduce: a paper record's authenticity is relatively transparent, while an electronic record can be silently altered without visible evidence unless the system maintains an audit trail. The UDI-in-records requirement reflects the FDA's post-market surveillance strategy: UDI enables linkage of device-specific records across complaint files, service records, and MDR reports, supporting population-level signal detection that individual record-by-record review cannot accomplish.
What changed
QMSR section 820.35 is one of the provisions where FDA deliberately retained requirements beyond what ISO 13485 section 4.2.5 requires. While ISO 13485 section 4.2.5 establishes general controls for records (identification, storage, protection, retrieval, retention, disposition), QMSR 820.35 adds FDA-specific requirements that reflect the agency's enforcement priorities around record integrity and traceability.
The most notable QMSR-specific addition is the requirement to include the Unique Device Identifier (UDI) or equivalent device identification in complaint records and servicing records where applicable. This links the records control requirement directly to FDA's UDI system and ensures that when FDA reviews complaint or service records during an inspection, they can trace individual records to specific device production lots or individual devices. ISO 13485 has no UDI-specific requirement because UDI is an FDA regulatory construct.
Additionally, the QMSR preserves FDA's existing expectations around record retention periods that go beyond ISO 13485's general statement. FDA expects manufacturers to retain records for the expected lifetime of the device, but not less than two years from the date of commercial distribution. For many device types, this means retention periods significantly longer than what ISO 13485 alone would require. Companies that set retention periods based solely on ISO 13485 guidance may have insufficient retention for FDA compliance.
The separation of records control (820.35) from document control (820.40 / ISO 13485 4.2.4) reinforces the structural distinction described in the document control atom. Records are evidence of activities performed — they are created once and must be preserved in their original state. Documents are instructions for future activities — they are revised over time. Companies must have distinct controls for each, even if managed within the same SOP.
Common gaps (what we see in audits)
- Electronic Records Lack Protection Controls — Quality records stored in electronic systems (shared drives, cloud storage) lack adequate protections against alteration, loss, or unauthorized access. There is no audit trail, no access control, and no backup verification for electronic records.
- UDI Not Captured in Complaint and Service Records — Complaint forms and service records do not include a field for UDI or equivalent device identification. When complaints are received, the specific device lot or serial number is not systematically captured, making it impossible to trace complaints to production history.
- Retention Periods Based Only on ISO 13485 — Record retention periods are set at generic intervals (e.g., 5 years) without considering FDA's requirement for retention throughout the expected device lifetime, which for many devices is 10-20+ years. Records may be destroyed while the device is still in active clinical use.
- Missing UDI on Complaint records — Complaint files capture the model number but not the Unique Device Identifier (UDI). QMSR §820.35 explicitly requires UDI/UPC if available.
- Incomplete service record details — Service records don't document the 'nature of the service' or 'test results' in enough detail to determine if the event was a complaint. QMSR §820.35 requires this.