Quality Control Recordkeeping Requirements
Quality control recordkeeping requirements govern how organizations create, maintain, store, and retrieve documented evidence of their quality activities — from raw material inspection through finished product release. These obligations appear across federal regulatory frameworks, ISO standards, and industry-specific codes, making them foundational to quality control compliance requirements in virtually every manufacturing and service sector. Failure to meet recordkeeping mandates is one of the most frequently cited audit findings, triggering enforcement actions, product holds, and loss of certification. This page covers the definition and scope of QC recordkeeping, the operational mechanics of a compliant recordkeeping system, the most common scenarios where requirements arise, and the boundaries that separate adequate from deficient practice.
Definition and scope
QC recordkeeping requirements are the formal obligations — set by statute, regulation, or voluntary standard — to document quality-related activities with sufficient detail that any authorized reviewer can reconstruct what was done, by whom, with what equipment, and with what outcome. Under 21 CFR Part 820 (FDA Quality System Regulation, now harmonized with ISO 13485 for medical devices), records must be legible, readily retrievable, and retained for a defined period — at minimum 2 years beyond the expected device life or the date of manufacture, whichever is greater (FDA, 21 CFR §820.180).
Scope extends across three broad record categories:
- Device History Records (DHRs) / Batch Production Records — evidence that each production unit was manufactured per its Device Master Record or Master Batch Record.
- Quality System Records — policies, procedures, training logs, calibration records, and audit findings that demonstrate the QMS is operational.
- Complaint and Nonconformance Records — documentation of failures, investigations, and dispositions, which feed into corrective and preventive action compliance obligations.
In food manufacturing, 21 CFR Part 117 (FDA FSMA Preventive Controls) requires records to be retained for a minimum of 2 years. For aerospace suppliers, AS9100 Rev D (SAE International) requires organizations to define retention periods based on contractual, regulatory, and liability considerations — no single universal number applies.
ISO 9001:2015, published by the International Organization for Standardization, distinguishes between documents (information to be maintained) and records (information to be retained), a classification boundary with direct audit implications.
How it works
A compliant QC recordkeeping system operates through five discrete phases:
- Record Generation — Quality events trigger mandatory documentation at the point of occurrence. Inspection results, equipment readings, and operator sign-offs are captured in real time. Backdating or retroactive entry is a recognized falsification risk and a basis for FDA Warning Letters.
- Record Identification and Indexing — Each record receives a unique identifier, revision status where applicable, and linkage to the specific lot, batch, or unit it covers. Traceability requirements in quality control depend on this indexing layer.
- Access Control and Storage — Records must be stored in conditions that prevent deterioration, unauthorized alteration, or loss. Electronic records held under 21 CFR Part 11 require audit trails, user authentication, and authority checks for any modification.
- Retention Scheduling — Retention periods are mapped by record type against the longest applicable requirement: statutory minimums, standard requirements, and contractual obligations. For OSHA-regulated exposure records under 29 CFR §1910.1020, the retention period is 30 years post-employment — far longer than most QC cycles.
- Retrieval and Disposition — Records must be retrievable within a defined timeframe during audits or regulatory inspections. At expiration of the retention period, records undergo controlled disposition — destruction or archival — documented in a disposition log.
Common scenarios
Pharmaceutical and medical device manufacturing — FDA inspectors cite missing or incomplete DHRs as a top Form 483 observation category. A 2022 analysis by FDA's Office of Regulatory Affairs identified incomplete production records among the 5 most frequent GMP deficiencies cited during drug inspections (FDA CDER Annual Report, 2022).
Food processing under FSMA — Preventive controls records must document monitoring activities for each control measure at the frequency specified in the food safety plan. A facility with a 4-hour temperature monitoring interval must retain a record for every 4-hour checkpoint — gaps in sequence are treated as gaps in control.
Aerospace and defense — AS9100 Rev D requires records supporting first-article inspection, nonconformance disposition, and supplier qualification to be retained per the control plan, with some programs requiring 10-year minimums by contract.
ISO 9001-certified manufacturers — Clause 7.5 of ISO 9001:2015 mandates retention of documented information as evidence of conformity. Certification bodies assess record completeness and accessibility during surveillance audits; deficiencies can result in major nonconformances that suspend certification.
Decision boundaries
The central distinction in QC recordkeeping is mandatory versus discretionary retention. Mandatory retention is fixed by a named regulation, standard clause, or contract term. Discretionary retention covers records not explicitly required but used to demonstrate due diligence; these carry no defined minimum but should be governed by a written retention schedule.
A second boundary separates controlled documents from quality records. Under ISO 9001:2015, a controlled document (e.g., a current inspection procedure) is maintained and subject to revision control. A quality record (e.g., the completed inspection form from a specific lot) is retained as immutable evidence — it cannot be revised, only superseded by a corrective entry with the original preserved.
A third boundary governs electronic versus paper records. Paper records require physical protection and manual access controls. Electronic records subject to 21 CFR Part 11 require validated systems, audit trails capturing every entry and modification with time-stamp and user identity, and controls against unauthorized deletion. Hybrid systems — paper source data entered into electronic systems — require verification protocols to ensure transcription accuracy.
Recordkeeping gaps discovered during internal audits (see internal audit requirements for quality control) trigger corrective action obligations under the same QMS the records are meant to support — making record integrity a self-reinforcing compliance loop.
References
- FDA 21 CFR Part 820 — Quality System Regulation (eCFR)
- FDA 21 CFR Part 117 — FSMA Preventive Controls for Human Food (eCFR)
- FDA 21 CFR Part 11 — Electronic Records; Electronic Signatures (eCFR)
- OSHA 29 CFR §1910.1020 — Access to Employee Exposure and Medical Records
- ISO 9001:2015 — Quality Management Systems: Requirements (ISO.org)
- FDA CDER Annual Report 2022
- SAE International — AS9100 Rev D Quality Management Systems for Aviation, Space, and Defense