Quality Assurance Recordkeeping Compliance

Quality assurance recordkeeping compliance governs how organizations create, maintain, control, and retain documented evidence of their quality processes, inspections, test results, and corrective actions. Regulatory frameworks across industries — from FDA-regulated medical devices to AS9100-governed aerospace manufacturing — impose specific requirements on record format, storage duration, and retrieval capability. Failures in recordkeeping compliance are among the most frequently cited findings in FDA Form 483 inspections and ISO audit nonconformances. Understanding the scope, mechanics, and decision boundaries of these requirements is essential for any organization operating under a formal quality management system.

Definition and scope

Quality assurance records are any documented evidence demonstrating that a product, process, or service meets defined requirements. This category encompasses inspection records, test data, calibration logs, batch records, nonconformance reports, corrective and preventive action (CAPA) documentation, supplier qualification records, and training records tied to quality-critical roles.

The regulatory scope varies by industry sector:

FDA 21 CFR Part 820 (Quality System Regulation for medical devices) requires that quality records be legible, stored to minimize deterioration, and retained for the expected life of the device or 2 years from the date of release for commercial distribution, whichever is greater (FDA, 21 CFR §820.180).
ISO 9001:2015, published by the International Organization for Standardization, distinguishes between "documents" (information to be maintained) and "records" (evidence to be retained), with retention periods left to organizational determination based on context (ISO 9001:2015, clause 7.5).
FDA 21 CFR Part 211 (Current Good Manufacturing Practice for finished pharmaceuticals) specifies a minimum 1-year post-expiry or 3-year post-batch-distribution retention period for production and control records, whichever is longer (FDA, 21 CFR §211.180).
AS9100 Rev D, governing aerospace quality management, requires retention periods that satisfy customer and regulatory requirements and explicitly addresses obsolescence of records media.

The scope also extends to electronic records. FDA 21 CFR Part 11 establishes controls for electronic records and electronic signatures used in place of paper records, covering audit trails, access controls, and record integrity requirements (FDA, 21 CFR Part 11).

How it works

Recordkeeping compliance operates through a structured lifecycle. The following phases apply across most regulated frameworks:

Record creation — Records are generated at the point of activity: an inspector completes a test form, a batch record is filled during production, or a nonconformance is logged in a tracking system. Records must be contemporaneous and attributable to the individual who performed the activity.
Document control integration — Quality records fall under the broader document control compliance framework. Controlled forms, templates, and electronic system configurations govern what data is captured and in what format.
Review and approval — Designated quality personnel review records for completeness and accuracy before acceptance. Incomplete or illegible records are treated as nonconforming documents under most systems.
Storage and access control — Records are stored in environments that protect against deterioration, unauthorized alteration, or loss. Electronic systems must enforce role-based access. Physical records require controlled storage conditions (temperature, humidity, fire protection for critical records).
Retention period management — Retention schedules are established per regulatory requirement or, where no regulation specifies, per organizational risk assessment. A retention matrix typically cross-references record type, applicable regulation, and minimum retention period.
Retrieval and traceability — Records must be retrievable within a defined timeframe upon regulatory request or internal audit. FDA inspectors may request specific batch records during a facility inspection with minimal advance notice.
Disposition — At the end of a retention period, records are either archived (for extended traceability) or destroyed according to a documented disposition procedure that creates a destruction log as its own record.

Common scenarios

Medical device manufacturers face the most prescriptive requirements. A device history record (DHR), required under 21 CFR §820.184, must contain the production dates, quantity manufactured, quantity released for distribution, acceptance records, and labeling used for each production unit. A missing or incomplete DHR is a direct basis for a Form 483 observation or a Warning Letter.

Pharmaceutical batch record review requires 100% review of executed batch records before product release under 21 CFR Part 211. This differs from ISO 9001-governed environments, where sampling-based record review may be acceptable. The distinction matters: pharmaceutical recordkeeping is prescriptive by statute; ISO 9001 recordkeeping is framework-based and risk-proportionate.

Aerospace suppliers working under AS9100 or IATF 16949 compliance must maintain first article inspection records, material certifications, and process qualification data for the life of the program plus a defined post-program period specified by customer contract. Defense contractor records may also be subject to DCSA (Defense Counterintelligence and Security Agency) retention requirements extending to 10 years or longer.

Laboratories accredited under ISO/IEC 17025:2017 must retain technical records — including original observations, derived data, and calibration records — for a minimum period defined by contractual, regulatory, or accreditation body requirements, with the standard itself requiring sufficient detail to repeat the test under as-close-as-possible conditions.

Decision boundaries

The primary classification boundary in recordkeeping compliance is prescriptive statutory requirements vs. framework-based requirements. Statutory requirements (FDA 21 CFR Parts 11, 211, 820) define minimum retention periods, formats, and controls by rule. Framework-based requirements (ISO 9001, AS9100) define structural obligations but delegate specific parameters to organizational determination, bounded by risk assessment and customer requirements.

A second boundary separates quality records from quality documents. Under ISO 9001:2015 clause 7.5, a document is maintained (controlled for currency); a record is retained (preserved as evidence). Applying document control procedures — version control, change approval — to records is an error that creates compliance risk by implying records are subject to revision when they must be immutable. This distinction is directly addressed in CAPA compliance requirements, where CAPA records must be preserved as completed evidence, not updated forms.

A third boundary governs electronic vs. paper records. Paper records are acceptable under all major frameworks but create retrieval and deterioration risks. Electronic records require Part 11 compliance in FDA-regulated environments, which adds audit trail, system validation, and access control obligations not applicable to paper. Hybrid systems — where paper originals are scanned and stored electronically — require documented procedures establishing that the electronic copy is the controlled record of reference.

Organizations subject to risk-based compliance QA approaches should map recordkeeping requirements by risk tier: critical product safety records (e.g., sterilization validation, final inspection for life-sustaining devices) warrant the most rigorous controls, longest retention periods, and redundant storage, while administrative quality records may carry proportionally lower controls consistent with their risk contribution.

References

Explore This Site

Services & Options Compliance: Standards Overview Regulations & Safety Regulatory References Tools & Calculators Contractor License Fee Calculator