Skip to content
CROSSWALK

QMSR / ISO 13485 §820.35

Maps to

QMSR / ISO 13485: §820.35

ISO 13485: §4.2.5

Requirement text

Records required by the QMS shall be controlled. A documented procedure shall define controls for identification, storage, protection, retrieval, retention time, and disposition.

What changed

QMSR section 820.35 is one of the provisions where FDA deliberately retained requirements beyond what ISO 13485 section 4.2.5 requires. While ISO 13485 section 4.2.5 establishes general controls for records (identification, storage, protection, retrieval, retention, disposition), QMSR 820.35 adds FDA-specific requirements that reflect the agency's enforcement priorities around record integrity and traceability.

The most notable QMSR-specific addition is the requirement to include the Unique Device Identifier (UDI) or equivalent device identification in complaint records and servicing records where applicable. This links the records control requirement directly to FDA's UDI system and ensures that when FDA reviews complaint or service records during an inspection, they can trace individual records to specific device production lots or individual devices. ISO 13485 has no UDI-specific requirement because UDI is an FDA regulatory construct.

Additionally, the QMSR preserves FDA's existing expectations around record retention periods that go beyond ISO 13485's general statement. FDA expects manufacturers to retain records for the expected lifetime of the device, but not less than two years from the date of commercial distribution. For many device types, this means retention periods significantly longer than what ISO 13485 alone would require. Companies that set retention periods based solely on ISO 13485 guidance may have insufficient retention for FDA compliance.

The separation of records control (820.35) from document control (820.40 / ISO 13485 4.2.4) reinforces the structural distinction described in the document control atom. Records are evidence of activities performed — they are created once and must be preserved in their original state. Documents are instructions for future activities — they are revised over time. Companies must have distinct controls for each, even if managed within the same SOP.

Atomic constraints

  • Record retention policy must be documented
  • Retention periods must be defined
  • Records must be retrievable
  • UDI must be included in complaint and service records where applicable
  • A documented procedure must define controls for identification, storage, protection, retrieval, retention time, and disposition of all QMS records.
  • Records must be maintained for the expected lifetime of the device, but not less than two years from the date of commercial distribution, per QMSR 820.35.
  • Records must be legible, stored in an environment that minimizes deterioration, and protected against damage and loss.
  • Records stored in electronic form must be protected against unauthorized access or alteration, with audit trail capability sufficient to detect and trace changes.
  • Quality records — including the Design History File, Device Master Record, Device History Records, CAPA records, and complaint files — must be established and maintained as distinct, controlled record types.
  • Service records must include the date of service activity, the device owner, servicing performed, and the name of the individual performing service, and must identify whether the event constitutes a complaint.

Common gaps

Electronic Records Lack Protection Controls

major

Quality records stored in electronic systems (shared drives, cloud storage) lack adequate protections against alteration, loss, or unauthorized access. There is no audit trail, no access control, and no backup verification for electronic records.

UDI Not Captured in Complaint and Service Records

moderate

Complaint forms and service records do not include a field for UDI or equivalent device identification. When complaints are received, the specific device lot or serial number is not systematically captured, making it impossible to trace complaints to production history.

Retention Periods Based Only on ISO 13485

moderate

Record retention periods are set at generic intervals (e.g., 5 years) without considering FDA's requirement for retention throughout the expected device lifetime, which for many devices is 10-20+ years. Records may be destroyed while the device is still in active clinical use.

Missing UDI on Complaint records

moderate

Complaint files capture the model number but not the Unique Device Identifier (UDI). QMSR §820.35 explicitly requires UDI/UPC if available.

Incomplete service record details

moderate

Service records don't document the 'nature of the service' or 'test results' in enough detail to determine if the event was a complaint. QMSR §820.35 requires this.

Evidence signals

  • FILE_EXISTS

    (Record.*Retention|Record.*Control|Record.*Management)

  • CONTENT_MATCH

    Does this document describe record retention policies, retrieval procedures, or UDI requirements in records?

Audit defense

Record control for our QMS is defined in [your document ID]. Retention periods are specified for each record type, records are retrievable within defined timeframes, and UDI is included in complaint and service records as required by QMSR 820.35.

Related clauses

Control of Records

Review your documents against this clause →

Further reading

Free compliance review. Pay only for the detailed report.

No credit card. No sales call. No consultants required.

Start My Free Review →

Read-only access. Your documents stay in your Drive.