Managing Medical Device Records for ISO 13485 (4.2.5)

Do you want to know what medical device companies produce the most? You might think it’s medical devices, but that’s not the case. It’s actually records.

Each manufacturing batch, audit, complaint, training session, and more creates records. The output of nearly every process is at least one, sometimes many, records. And there are specific requirements around how those records must be identified, stored, retrieved, and retained.

If it’s not documented, it didn’t happen. Let’s go through the requirements to understand everything an organization must do to ensure they are meeting the record-keeping requirements of ISO 13485 section 4.2.5.

What are records?

Records are a special type of document that is generated as the output of processes. They can be initiated from:

  • Design and development of medical devices/products
  • Manufacturing processes
  • Manufacturing batches of medical devices/products
  • Distribution of products
  • Quality Management System (QMS) Records

Almost every process within an ISO 13485 QMS will generate a record. Some records may be as minor as a sign-off on a PO, all the way up to a 20-page audit report. Companies should save as much information and as many outputs as possible to demonstrate the effectiveness of the QMS.

Unlike other documents, the nature and raw data of a record can vary wildly depending on the medium. While, even digitally, most Quality documents are a type of Word or PDF file, records can have many types of data entry. For example, they may be automated or be entered directly into different types of software or spreadsheets. 

All of this information is considered a record. Many times, it is helpful to have software that can present the raw record in a PDF or similar summary. This is useful during audits and regulatory inspections. 

When you transfer raw data into a different record or summary, you should maintain a copy of the original data. Both of these can be included as one record, or they should be linked.

What are the ISO 13485 Requirements for Records?

The requirements for records share many similarities with the requirements for document control; however, there are some meaningful differences between the two, especially for digital records.

For example, all documents are required to be reviewed and approved. Some records may be automatically generated, and it would not make sense for them to be approved. Other records that are entered digitally will maintain timestamps and identification of which user generated the information. 

As we work through the other requirements, you can see more of the other differences with records:

  • Identification: Records can have a document number for identification; however, many times they are labeled with a case or ID number. For example, a nonconformance may be labeled as NCR-0179. This ID/case number can be referenced in other documents or records. 
  • Storage: While documents need to be stored, it is inevitable that there are many times more records than documents. This can make their storage a challenge. If they are stored electronically, they may be kept in a different area than regular documents. Sometimes documents and procedures are stored electronically, but their corresponding records are stored in large file cabinets.

Additionally, paper records are sometimes transferred to digital records. If this is the case, the company should ensure that all of the information in the original document is transferred. They will also have to determine if they are able to obsolete or dispose of the original copy. 

  • Security and Integrity: Companies should ensure that records cannot be altered or changed outside of documented mechanisms. It’s also useful to limit access to certain records. This can be done digitally or through locked filing cabinets for paper records. If records are being stored digitally, companies should determine their backup and cybersecurity needs to ensure records are kept safe.
  • Retrieval: There are many times when a company will need to access a record. Some examples include audits and regulatory inspections, as well as CAPA and other root cause investigations. The company needs to have a clear method of ensuring that the correct individuals can access documents in a timely manner.

Organizations need to document all of the requirements related to records (identification, storage method and location, security, and retrieval). This can be documented in a control of records procedure, in the procedure or work instruction for which the record is an output, or some combination of the two.

Records Retention and Disposal

The timeline for retention of records depends on the type of record and the specific medical device.

Records for Batches of Devices

For records related to the manufacturing and distribution of a specific medical device or batch of medical devices, ISO 13485 states that:

The organization shall retain the records for at least the lifetime of the medical device as defined by the organization, or as specified by applicable regulatory requirements, but not less than two years from the medical device release by the organization.

Note: for EU MDR/IVDR, the minimum retention time is 10 years.

The lifetime of a medical device can either be multiple decades or under two years for certain products (some people are surprised that the lifetime of a device can be under two years, but this is common for certain types of devices that expire).

Organizations need to determine the specific lifetime of their devices based on shelf-life, expiration date, degradation of packaging materials, expiration related to stability, servicing requirements, and more. The lifetime of a device should be recorded in the appropriate Medical Device File.

Records for Manufacturing/Design Processes

The next type of record is those related to the design and manufacturing process of the devices, including validation reports and design control records (design inputs, outputs, verification, validation). These documents need to be retained for at least the lifetime of the device based on the last device manufactured or sold.

QMS Records

The final type of records is those that are generated from QMS processes. These can include Management Review minutes, internal audits, evaluation and monitoring of suppliers, etc. Here, it is up to the organization to determine the retention period of the records based on the specific process and risks. However, a company never wants to be unable to access a record when requested by an auditor or regulatory body.

Carrying over what I said in our document control guide, a company is unlikely to face consequences for retaining a record longer than is required. Especially if the records are stored digitally, it is a good practice to maintain records indefinitely. Digital records past the lifetime of the device can be transferred to a different system for storage, as long as they can still be accessed when necessary.

If organizations are going to dispose of records, they need to document the manner of the disposal. For paper records, this could include in-house shredding or the contracting of a paper shredding supplier. Digital records could be deleted manually or automatically through an algorithm.

In their procedure, organizations should state the retention period of different records, as well as the mechanism for the retention and disposal of records.

Confidential Health Information

Another requirement of ISO 13485 section 4.2.5 is that medical device organizations must ensure that they are protecting confidential health information in accordance with regulatory requirements.

Medical device companies receive health information in a variety of ways. Many different medical devices and IVDs contain electronic data related to patients, with this data sometimes being stored in a cloud or accessible during servicing. Organizations might also receive health information from customer complaints, during clinical trials/studies, and when creating a custom medical device.

All of this data and health information must have an extra layer of security for how it is received and maintained. Companies should be certain that all relevant information is protected according to the relevant regulatory requirements, such as HIPAA in the United States.

Changes to Records

There are two main times when a record would need to be changed.

The first is during the data entry process when a mistake is made. When documents are changed this way, companies need to maintain the original entry if possible.

For paper records, the best practice is to have a strikethrough of the mistake, as well as the date and initials of the person performing the correction. For digital records, the system should automatically capture any changes made to the record, as well as the date, time, and user who made the changes.

The second type of change is much rarer and is done after a record has been completed/finalized. 

For paper records, the mechanism of changing may be the same as above; however, there should be a comment or description of why the change was made.

For digital records, the company can use its document change control procedure to create a new revision of the record with updated information. The original version of the record should be maintained, and the reason for the change should be included.
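One way a digital system can meet the expectations above (original entry kept, date, time and user captured, reason recorded for changes after finalization), shown as an added example that is not from the original article. The class name, field names and the use of a SHA-256 hash chain to detect edits made outside the documented mechanism are assumptions for illustration, and the sample values are constructed.

```python
import copy
import hashlib
import json
from datetime import datetime, timezone

class RecordHistory:
    """Append-only change history for one record, e.g. NCR-0179."""

    def __init__(self, record_id):
        self.record_id = record_id
        self.entries = []          # revisions are only ever appended
        self.finalized = False

    def _digest(self, body, prev_hash):
        # Each hash covers the revision and the previous hash (a chain).
        payload = json.dumps(body, sort_keys=True) + prev_hash
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()

    def write(self, user, data, reason=None):
        # A change to a finalized record must carry a documented reason.
        if self.finalized and not reason:
            raise ValueError("reason required to change a finalized record")
        body = {"record_id": self.record_id, "revision": len(self.entries) + 1,
                "user": user, "timestamp": datetime.now(timezone.utc).isoformat(),
                "data": copy.deepcopy(data), "reason": reason}
        prev_hash = self.entries[-1]["hash"] if self.entries else ""
        self.entries.append({"body": body, "hash": self._digest(body, prev_hash)})
        return body["revision"]

    def finalize(self):
        self.finalized = True

    def current(self):
        return self.entries[-1]["body"]["data"]

    def verify(self):
        """Return the first revision whose hash does not match, else None."""
        prev_hash = ""
        for entry in self.entries:
            if entry["hash"] != self._digest(entry["body"], prev_hash):
                return entry["body"]["revision"]
            prev_hash = entry["hash"]
        return None

if __name__ == "__main__":
    ncr = RecordHistory("NCR-0179")                     # constructed sample
    ncr.write("jdoe", {"lot": "A-102", "qty_rejected": 12})
    ncr.write("jdoe", {"lot": "A-102", "qty_rejected": 21})  # data-entry fix
    print(ncr.current(), ncr.verify())
```

An unkeyed chain only flags edits that leave the stored hashes untouched, so the latest hash should also be kept somewhere the record store's users cannot write, such as a backup or a separate log.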

Good Practices for Records

Following Good Documentation Practices (GDP) can be very helpful for proper record-keeping. Note that while many of these are not listed in ISO 13485 or FDA requirements, not following them can result in audit findings and FDA Form 483s. 

  • Pages should be numbered for completeness and to prevent changes.
  • Headers or other identifying information should be carried over to each page of a record.
  • Signatures should be accompanied by a printed name and date.
  • Hand-written signatures should always be done with ink (not a pencil).
  • All entry areas and checkboxes should be completed when filling out a form. If that field does not have any data, “N/A” can be entered into that area.
  • Records and data cannot be “pre-dated” or “post-dated”. This is a common mistake when a form is printed to be signed. However, all dates need to be made at the same time as the signatures. 
  • Another person’s signature or initials should not be used on a form.
  • For an electronic signature to be valid, it must comply with the requirements of 21 CFR Part 11.
  • It can be a good idea to have a second person verify critical data for accuracy and completeness. The identification and date of the second review should be recorded.

If a company is planning on having many records filled out on paper, it’s a good idea to ensure that all relevant employees are trained on GDPs. Otherwise, Quality will have to spend more time verifying records to ensure information is entered correctly.

Digital Records

Digital records are much more convenient than paper records, from both a usability and retrieval standpoint. However, there are some considerations that should be made for digital records.

There are certain regulatory requirements that surround digital records. One easy example is that records for devices sold in the US must be compliant with 21 CFR Part 11. Another is the cybersecurity requirements in ISO 27001.

For storage, companies need to factor in the lifespan of the relevant software. While this is becoming less common with cloud storage, there are older software systems where the records are not easily exportable, and the software is no longer being updated. This means that any issue could lead to a loss of records.

From a security standpoint, records should be protected from unauthorized access and entries coming from inside and outside the organization. Records can either be stored in such a way that they cannot be amended once filed, or access to records can be controlled digitally. Cybersecurity measures can protect from access outside of the organization.

Any software that will be used for creating or storing records must be validated. This is to ensure that the software meets the above requirements and complies with ISO 13485 section 4.1.6.

Paper-Based Records

While paper-based records are much more cumbersome than digital records, there are some advantages. For example, the systems do not need validation, there are fewer regulatory requirements, and they are cheaper in the short term.

However, besides the drawbacks to efficiency, there are other considerations for paper documents.

Paper documents require much more work around GDP. Entries cannot be limited or automated in forms, all handwriting must be clear, and there are specific requirements surrounding signatures. Information entered into paper records must also be accompanied by a signature and date. This means that a larger number of employees need to be trained in record-keeping processes.

Paper documents must also be maintained securely. It is typical for paper records to be stored in lockable fireproof cabinets to prevent the loss of records in an emergency. Companies need to be careful and maintain responsibility for all copies of paper documents.

Wrapping Up

Sometimes, when you are working in the medical device industry, it can feel like everything you do is related to records. And that’s not far from the case! By following the information laid out in this article, you can help your company meet the control of records requirements of ISO 13485.
