Quality Assurance: Record Retention Standards

Record retention in quality assurance defines how long organizations must preserve documented evidence of processes, inspections, audits, corrective actions, and conformance decisions. Minimum retention periods are established by federal statute, sector-specific regulation, and international standards frameworks — not by organizational preference. Failure to maintain required records exposes organizations to regulatory enforcement, audit findings, and loss of certification status.

Definition and Scope

Quality assurance record retention refers to the structured preservation of documented quality evidence for defined minimum time periods, in specified formats, with controlled access and integrity protections. The scope extends across every record category that demonstrates conformance: calibration logs, nonconformance reports, supplier qualification files, training records, internal audit results, and management review outputs.

The governing framework varies by industry. ISO 9001:2015, published by the International Organization for Standardization, requires organizations to retain documented information as evidence of conformity but delegates specific retention durations to the organization's own risk-based determination unless superseded by statutory or customer requirements. Sector overlays impose fixed periods. The U.S. Food and Drug Administration's 21 CFR Part 820 — the Quality System Regulation for medical devices — requires device history records and complaint files to be retained for the expected life of the device or 2 years from release date, whichever is longer. The FDA's 21 CFR Part 211 for pharmaceutical current Good Manufacturing Practice sets a minimum 1-year post-expiry retention for batch production and control records.

For a broader structural view of how retention requirements fit within the overall compliance architecture, see Quality Assurance: Documentation Requirements.

How It Works

Record retention operates through four discrete phases:

  1. Record identification and classification — Each record type is assigned to a category (quality, regulatory, contractual, internal) and mapped to its applicable retention trigger. The trigger may be the record creation date, the product release date, the end of a contract period, or the date of a regulatory submission.

  2. Retention schedule establishment — A retention schedule consolidates all applicable minimum periods from statutes, standards, and customer contracts. Where multiple requirements apply to the same record, the longest period governs. For aerospace and defense suppliers governed by AS9100 Rev D, customer-flow-down clauses frequently extend retention beyond the standard's baseline.

  3. Storage and integrity controls — Records must be legible, retrievable, and protected against deterioration or unauthorized alteration. Electronic systems used for regulated records in FDA-covered industries must comply with 21 CFR Part 11, which governs audit trails, access controls, and electronic signature validity.

  4. Disposition and destruction authorization — At the close of the retention period, records may only be destroyed through an authorized disposition process documented in the quality management system. Premature destruction constitutes a nonconformance; destruction without authorization in regulated sectors may constitute a regulatory violation.

Common Scenarios

Manufacturing — medical devices: A contract manufacturer producing Class II devices under 21 CFR Part 820 maintains device history records, complaint files, and corrective and preventive action (CAPA) documentation for a minimum of 2 years post-device release, with many quality systems extending this to 10 years to align with EU MDR 2017/745 requirements for simultaneous CE marking.

Pharmaceutical — batch records: Under 21 CFR Part 211.180, batch production and laboratory control records must be retained for at least 1 year after the expiration date of the batch, or for 3 years after the batch distribution date if the product has no expiration date.

Aerospace — AS9100 suppliers: First article inspection reports, supplier approval records, and test data are routinely subject to 10-year or life-of-program retention periods, determined by prime contractor flow-down requirements under Defense Federal Acquisition Regulation Supplement (DFARS) clauses.

Software and IT systems: Organizations certified under ISO/IEC 27001 maintain audit logs and access control records for minimum periods defined by their Statement of Applicability and applicable national data protection law.

Decision Boundaries

Determining the correct retention period requires resolving conflicts between overlapping authorities. The hierarchy follows a clear order of precedence:

The distinction between a quality record (evidence of conformance) and a quality document (instruction or procedure) is operationally significant: documents are version-controlled and superseded; records are immutable evidence. Quality Assurance: Regulatory Framework details how these categories interact with audit and enforcement cycles.

Organizations operating across multiple jurisdictions must account for the most stringent applicable requirement in each record category — a principle sometimes called the "maximum retention rule" in quality management literature.

References

Read Next

Quality Assurance: Documentation Requirements Documentation requirements vary across industries — from FDA-regulated medical device manufacturing under 21 CFR Part 820 to... Quality Assurance: US Regulatory Framework Enforcement authority is distributed across more than a dozen federal agencies, each operating under distinct statutory mandates. Quality Assurance: Standards Overview This reference covers the structural landscape of QA standards — the bodies that issue them, how compliance mechanisms...