Control of Records: Because ‘We Have Them Somewhere’ Is Not a Records Management System

You’ve got the documents. You control them. You know which version is current. You’ve got procedures that explain how you manage your documentation system. Good. You’ve done your job on the document side of things.

Now here’s the uncomfortable truth: documents are not records.

A document is a type of information resource created or received by an organization. A record is that document after it’s been used — after it contains evidence of what actually happened. Your SOP for managing the supplier audit process is a document. The completed supplier audit report, signed and dated, is a record. One is a template. One is proof.

And Section 4.2.5 is entirely about what you do with the proof.

What §4.2.5 Actually Requires

The standard is deceptively short on this one: “The organization shall establish and maintain the procedures necessary for… records to be identified and controlled… so as to prevent deterioration and loss.”

What that really means is this:

  • Identification. You have to know which records you’ve got. Not vaguely. Not “it’s in that folder.” You need to be able to find any specific record when you need it — and the FDA or a notified body needs to be able to find it during an audit.
  • Storage. Your records can’t deteriorate. That means climate-controlled file rooms for paper, proper version control for digital files, appropriate backup and retention systems, and anything else required to keep those records readable and intact for however long you’re required to keep them.
  • Protection. Records must be protected from unauthorized access, alteration, or deletion. This matters enormously for regulated businesses. A competitor cannot access your design validation studies. An employee cannot retroactively change a complaint investigation report. Your IT team cannot “accidentally” delete validation data.
  • Retrieval. You must be able to retrieve records when you need them — during an audit, during a complaint investigation, during a market withdrawal, whenever. If retrieving a specific record requires an archaeological expedition through your filing system, you’re not compliant.
  • Retention. You must keep records for the retention period specified by your procedures and regulatory requirements. For medical devices, this often means the entire service life of the device plus several years. No exceptions. “We threw it away because we needed the space” is not a defensible strategy.
  • Disposal. When the retention period ends, you need a documented way to dispose of records. For confidential information (complaint details, supplier information, design rationale), that usually means secure destruction. For routine records, you may simply archive them. But it has to be controlled and documented.

What Changed from ISO 13485:2003 to ISO 13485:2016

In the 2003 version, records management was less formalized in the structure of the standard. The 2016 update elevated it and clarified the requirements significantly:

  • Explicit separation of documents and records. The 2003 version didn’t make this distinction as clear. The 2016 version splits them into separate sections (4.2.4 for documents, 4.2.5 for records) to make it absolutely clear that these are different things with different control requirements.
  • Emphasis on a records management system. The 2016 version emphasizes that you need a system for managing records, not just a collection of files. This means procedures, defined roles, clear retention periods, and documented disposal methods.
  • Explicit mention of deterioration and loss prevention. The 2016 standard is explicit about preventing deterioration and loss — which includes concerns about digital decay, file format obsolescence, and media failure. If you’re storing records on a CD from 2010, you’d better have a plan for what happens when that media fails.
  • Stronger link to other sections. The 2016 version integrates records management more tightly with other sections of the standard, particularly around traceability, complaint handling, and audit trails. Your records system isn’t isolated; it’s part of the larger QMS.

What This Looks Like in Real Life

Paper records: You have a filing system with defined categories. Supervisors are responsible for ensuring completed records are filed promptly and correctly. You have a central location where authorized personnel can retrieve records. Climate control prevents moisture and temperature swings. You’ve destroyed records older than your retention period. You can hand an auditor a specific complaint investigation file and they can find it in less than five minutes.

Digital records: Your software system (or your procedures, if you’re using shared drives) has clear naming conventions and folder structures. Access is restricted to authorized personnel. You have backups. You have tested those backups. Old versions are archived, not deleted. You can retrieve a specific design input spreadsheet from 2019 and you can prove no one has altered it since it was finalized. You have a plan for what happens when the software vendor goes out of business or the file format becomes obsolete.

Mixed systems: You have procedures that explain which records are kept in paper, which in digital format, and how each is managed. Cross-references work. If a complaint file references a design change record, you can find both. Training covers how records are filed and who has responsibility for what. Auditors can verify compliance by sampling records and confirming they’re all where they should be, unaltered, and properly stored.

What auditors actually look for: They’ll ask for specific records and see if you can find them. They’ll check your procedures against what’s actually happening. They’ll look for evidence of records that should exist but don’t. They’ll verify retention periods are documented. They’ll test access controls — can someone without authorization see confidential files? They’ll look at storage conditions. They’ll verify you’ve actually destroyed old records as documented.

If you can’t produce records when asked, that’s a major finding. If records appear to have been altered, that’s a major finding. If you don’t have procedures for records management, that’s a major finding. If your procedures say one thing and your actual practice says another, that’s a major finding.

The Real Reason This Matters

Records are your proof. When something goes wrong — a product failure, a complaint, a regulatory question — the first thing an investigator will ask is: “Show me your records.” If you don’t have them, you can’t prove what you did. If they’re incomplete or altered, you can’t prove what you did. If you can’t find them, you can’t prove what you did.

Patient safety depends on the assumption that you kept complete, accurate records of what you did and why you did it. Your records are the chain of evidence that your product was designed safely, manufactured safely, and delivered safely. Treat them accordingly.

Establish your records system before you need it. Train everyone on it. Stick to it. And then, when an auditor walks in the door, you can hand them exactly what they ask for. That’s when you know your records management system is working.
