---
title: Record Control Under MDR: What to Keep, How Long, and How ISO 13485 Structures It
description: Records under EN ISO 13485 clause 4.2.5 must be identifiable, retrievable, legible, and retained for defined periods. Here is what that means for a startup.
authors: Tibor Zechmeister, Felix Lenhard
category: Quality Management Under MDR
primary_keyword: record control MDR
canonical_url: https://zechmeister-solutions.com/en/blog/record-control-mdr
source: zechmeister-solutions.com
license: All rights reserved. Content may be cited with attribution and a link to the canonical URL.
---

# Record Control Under MDR: What to Keep, How Long, and How ISO 13485 Structures It

*By Tibor Zechmeister (EU MDR Expert, Notified Body Lead Auditor) and Felix Lenhard.*

> **Record control under MDR is the QMS process that ensures the evidence your processes produce is identifiable, legible, retrievable, protected, and retained for a defined period. EN ISO 13485:2016+A11:2021 clause 4.2.5 sets out the specific requirements. MDR Article 10(8) sets the minimum retention period: technical documentation and the EU declaration of conformity must be kept available to competent authorities for at least ten years after the last device has been placed on the market, and at least fifteen years for implantable devices. Article 10(9) makes the QMS itself a legal obligation. A lean startup record control system assigns owners, a retention schedule, a storage location, and a retrieval test.**

**Last updated 10 April 2026.**

---

## TL;DR

- Records are the evidence a QMS process produced something — filled-in design review forms, CAPA reports, training logs, test results, management review minutes. EN ISO 13485:2016+A11:2021 clause 4.2.5 governs how they are controlled.
- Clause 4.2.5 requires records to be kept to provide evidence of conformity and of effective QMS operation, and to remain legible, readily identifiable, and retrievable. A documented procedure must define the controls for identification, storage, security, integrity, retrieval, retention time, and disposition.
- MDR Article 10(8) sets the legal minimum retention period: at least ten years after the last device has been placed on the market for most devices, and at least fifteen years for implantable devices.
- Records (clause 4.2.5) are a distinct class from controlled documents (clause 4.2.4). Documents govern processes. Records prove the process ran. Treating them as the same thing produces audit findings.
- The practical test of a record control system is not whether the records exist. It is whether you can retrieve any specific record, intact and legible, within the time an auditor is willing to wait.

---

## Why record control matters before your first audit

An auditor asked a founder a simple question during a Stage 1 assessment: "Can you show me the training record for the engineer who signed off on the last software release?" The founder knew the engineer had been trained. The training had happened. There was a slide deck somewhere. There had been a conversation. But the record — the dated, signed, retrievable piece of evidence — was not in the QMS folder. It was in someone's email thread from eight months ago, and nobody could find the message.

That is what record control is for. Not the training itself. The evidence that training happened, in a form that survives staff turnover, laptop crashes, and the three minutes an auditor will give you to find it.

Record control is the second half of the QMS backbone. Document control (clause 4.2.4) says which procedure governs the process. Record control (clause 4.2.5) says here is the proof the process ran the way the procedure required. Without the proof, the procedure is a claim. With the proof, the QMS works.

## What EN ISO 13485:2016+A11:2021 clause 4.2.5 actually requires

EN ISO 13485:2016+A11:2021 is the harmonised standard for medical device QMS and the tool used to meet MDR Article 10(9). Clause 4.2.5 is the records clause, and it lays out a specific set of requirements for how records must be handled throughout their lifecycle.

Records must be maintained to provide evidence of conformity to requirements and of the effective operation of the QMS. They must remain legible, readily identifiable, and retrievable. The organisation must document a procedure that defines the controls needed for the identification, storage, security and integrity, retrieval, retention time, and disposition of records. The organisation must protect confidential health information contained in records in accordance with applicable regulatory requirements. Records must be retained for at least the lifetime of the medical device as defined by the organisation, or as specified by applicable regulatory requirements, but in any case for not less than two years from the medical device release by the organisation.

Every part of that requirement is doing work. "Legible" means a handwritten form that has faded, a PDF that can no longer be opened, or a database record in a format no current tool can read is not a compliant record. "Readily identifiable" means you can find it by device, by process, by date, by subject — not by guessing which folder someone dropped it in. "Retrievable" means retrievable now, by the person on shift today, not retrievable in theory by the person who filed it.

The clause also connects explicitly to confidential health information. If any of your QMS records contain patient or user health data — clinical investigation records, complaint files, usability validation sessions — the protection obligations of the applicable data protection law apply on top of clause 4.2.5.

## What counts as a record

A record is the evidence a controlled process produced. If a procedure says "the design review is held and the outcome documented," the signed minutes of the design review are the record. If a procedure says "the batch is released after QC testing," the QC test results and the release signature are the records. If a procedure says "complaints are logged and assessed within five working days," the complaint log entry, the assessment note, and the timestamps are the records.

In a typical startup QMS, the core record classes include management review minutes, internal audit reports, CAPA files, complaint records, design review records, design history (inputs, outputs, verification, validation, transfer), risk management file contents, supplier evaluation records, training records and competence evidence, calibration and equipment records, production and process validation records, release records, PMS data and PMS reports, clinical evaluation records, vigilance reporting records, and the declaration of conformity with supporting technical documentation.

Three tests help the team decide whether something is a record.

First, is it the output of a QMS process, not the procedure that governs the process? The procedure is a document (clause 4.2.4). The output is a record (clause 4.2.5).

Second, does it provide evidence that could be used to demonstrate conformity — either to an auditor, a competent authority, or a court? If yes, it is a record, and it must be controlled as one.

Third, is it something the company needs to be able to reconstruct what happened and who decided what? If yes, it is a record, whether anyone calls it that or not.

The mistake is classifying working notes, half-finished spreadsheets, and email threads as "not records" because nobody formally blessed them. If the team used them to make a decision about a regulated process, the auditor can and will treat them as records. Either bring them into the system or do not use them that way.

## Retention periods — what the standard says and what the MDR says

Retention is the area where record control gets legally sharp, because two different rules stack.

EN ISO 13485:2016+A11:2021 clause 4.2.5 sets a baseline: records must be retained at least for the lifetime of the medical device as defined by the organisation, or as specified by applicable regulatory requirements, but not less than two years from the device release. Two years is a floor, not a target. The organisation defines the device lifetime, and "lifetime" here is the period during which the device is expected to remain safe and to perform as intended.

The MDR then sets the legally binding minimum, which is longer than the ISO baseline for almost every real case. That is the number that matters.

## MDR Article 10(8) — the legal minimum retention for technical documentation and the DoC

MDR Article 10(8) requires manufacturers to keep the technical documentation, the EU declaration of conformity, and, where applicable, a copy of any relevant certificate issued in accordance with Article 56 (including any amendments and supplements), available for the competent authorities for a period of at least ten years after the last device covered by the EU declaration of conformity has been placed on the market. For implantable devices, the period is at least fifteen years after the last device has been placed on the market. (Regulation (EU) 2017/745, Article 10, paragraph 8.)

Read the clock carefully. The retention period does not start when the device is designed, or when it is certified, or when the first unit ships. It starts when the last unit covered by the declaration of conformity is placed on the market. If a startup places Class IIa devices on the market continuously for seven years and then discontinues the product, the ten-year clock starts at the date the last unit was placed on the market, which means the records must be kept for seventeen years from the first unit. For an implantable device with the same commercial profile, twenty-two years.

This has concrete implications for how a startup sets up storage. A filesystem or tool that will plausibly still exist and still be readable in fifteen or twenty years is a different choice from the cheapest cloud option that happens to be convenient this quarter. Record control is a multi-decade commitment from the day the first device ships.

Article 10(8) specifies the technical documentation and the declaration of conformity. Other records — QMS process records, design history content that is not part of technical documentation, training records, CAPA files — are governed by clause 4.2.5 of the harmonised standard and by any other applicable law (data protection, commercial law, tax law, sector-specific national rules). The retention period the organisation sets for each record class must meet the longest applicable obligation, not the shortest.

Article 10(9) is the underlying QMS obligation: every manufacturer must establish, document, implement, maintain, keep up to date, and continually improve a QMS proportionate to the risk class and type of device. Record control is one of the processes that QMS must include, and the document control procedure required by clause 4.2.4 and the record control procedure required by clause 4.2.5 are both QMS-governed processes in their own right.

## Storage, access, and integrity

Clause 4.2.5 requires records to be protected for security and integrity, to remain legible, and to be retrievable. Those three requirements drive four practical decisions.

First, location. Records live in a defined location per record class, stated in the record control procedure. "Wherever the owner saved it" is not a location. An auditor must be able to navigate from the record class to the storage location without asking a question.

Second, access control. Who can create, read, change, and delete records is defined. For most QMS records, the creator can create, the owner can update (with version control or an amendment trail if an update is ever needed), defined roles can read, and nobody can delete without a documented disposition step. Records should be write-once once finalised. Amendments are recorded as amendments, not as overwrites.

Third, backup and integrity. Records must survive the loss of any single device, laptop, or cloud tenant. For a small startup this usually means an automatic backup of the QMS storage, a periodic verified restore test, and a retention policy on the backup itself that matches the retention of the original. A backup that cannot be restored is not a backup.

Fourth, format longevity. Records stored in proprietary formats tied to a specific vendor lock the company into a multi-decade relationship with that vendor. For records governed by fifteen-year retention obligations, the safer default is an open, long-lived format (PDF/A for signed documents, CSV or plain text for data, a format the team would still trust in 2045). Where an eQMS tool holds records in its own database, the contractual exit and export terms of that tool are part of record control.

The practical retrieval test is the one auditors actually use: name a record class, ask for a specific instance, and time how long it takes to produce it intact and legible. Under sixty seconds is good. Under five minutes is acceptable. Twenty minutes and a stressed founder searching three folders is a finding.
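One way to make the "write-once" and "verified restore" controls checkable is a hash manifest of finalised records. The sketch below is an added example, not the authors' own tooling; the folder layout, file names and record contents are constructed, and it assumes the manifest is kept outside the record store so it cannot be edited along with the records.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large records do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each finalised record (path relative to root) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_store(root: Path, manifest: dict) -> dict:
    """Compare a live or restored record store against a trusted manifest."""
    current = build_manifest(root)
    shared = manifest.keys() & current.keys()
    return {
        # Record in the manifest but absent from the store: lost or deleted.
        "missing": sorted(set(manifest) - set(current)),
        # Same path, different content: an overwrite, not an amendment.
        "modified": sorted(k for k in shared if manifest[k] != current[k]),
        # New file: a new record or an amendment awaiting manifest entry.
        "unlisted": sorted(set(current) - set(manifest)),
    }


def demo() -> dict:
    """Constructed sample: three finalised records, then a flawed restore."""
    samples = {  # constructed record classes and contents
        "training/2025-03-release-signoff.txt": "Engineer A trained on SOP-07",
        "capa/CAPA-001.txt": "Root cause: label misprint; action closed",
        "management-review/2025-Q1.txt": "Minutes of Q1 management review",
    }
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp) / "qms-records"
        for rel, text in samples.items():
            path = store / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(text, encoding="utf-8")
        manifest = build_manifest(store)  # assumption: stored outside the store

        restored = Path(tmp) / "restore-test"
        shutil.copytree(store, restored)
        (restored / "capa/CAPA-001.txt").unlink()  # record lost in backup
        (restored / "training/2025-03-release-signoff.txt").write_text(
            "Engineer A trained on SOP-08", encoding="utf-8")  # silent overwrite
        (restored / "training/2025-03-release-signoff-amendment-1.txt").write_text(
            "Amendment: SOP number corrected", encoding="utf-8")  # proper amendment
        return verify_store(restored, manifest)


if __name__ == "__main__":
    for finding, paths in demo().items():
        print(f"{finding}: {paths}")
```

A restore test passes only when `missing` and `modified` are empty; entries under `unlisted` are expected for amendments and are added to the manifest once reviewed.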

## Common mistakes

Five patterns account for most record control non-conformities in small MedTech teams.

First, **confusing documents and records.** A filled-in design review form is a record, not a document. A blank form template is a document. Teams that put both under the same control regime either over-control the records (forcing approval workflows on every filled-in form) or under-control the documents (treating procedures as ad hoc files).

Second, **no retention schedule.** The organisation never decided how long each record class is kept, so in practice records are kept forever on disk and nowhere on the retention plan. This fails clause 4.2.5 because "disposition" is part of the required controls, not an afterthought.

Third, **records in personal accounts.** Training acknowledgements in a founder's email, supplier evaluations in an engineer's Dropbox, meeting minutes in a QA contractor's personal Google Drive. When the person leaves, the records leave with them. Every record must live in an organisation-controlled location from creation.

Fourth, **signatures that do not survive.** A PDF signed in a trial version of a tool that no longer exists. A screenshotted e-signature with no cryptographic trail. A "signed" record that is in fact an unsigned draft that the approver once verbally agreed with. The signature must be as durable as the record.

Fifth, **no retrieval test.** The team believes the records are fine because they have never tried to retrieve one under pressure. The first retrieval test should be the internal audit, not the Notified Body visit.

## The Subtract to Ship angle

Record control is another place where the [Subtract to Ship framework](/blog/subtract-to-ship-framework-mdr) cuts waste without cutting compliance. The default failure mode here is the opposite of the one in document control: it is not over-building, it is under-investing in something that looks boring until it matters.

The Subtract to Ship version of record control is a single record control procedure, two or three pages, that lists the record classes the company actually produces, assigns an owner to each, states the storage location, states the retention period (meeting the longest applicable obligation for each class, including MDR Article 10(8) for technical documentation and the DoC), defines the disposition step, and names the retrieval test. Every record class traces to a QMS process that traces to MDR Article 10(9) or another specific MDR requirement. Record classes that do not correspond to any real process are cut. Record classes the Regulation requires but nobody has built are added before they are needed, not after.

What gets cut: elaborate records taxonomy copied from a large pharma QMS, "master record indexes" that nobody updates, approval workflows on filled-in forms, paper-plus-digital dual storage that doubles the failure surface. What stays: the clause 4.2.5 requirements, every one of them, plus the Article 10(8) retention minimums, enforced through a system the team actually uses.

## Reality Check — Where do you stand?

1. Can you, right now, name every record class your QMS produces and point to where each one is stored?
2. Do you have a written retention schedule that meets MDR Article 10(8) for technical documentation and the declaration of conformity (at least ten years after the last device is placed on the market, at least fifteen years for implantables)?
3. If an auditor asked for the last training record, the last CAPA file, and the last management review minutes, could you produce all three, intact and legible, in under five minutes?
4. Are your records stored in a format and a location that you trust to still be readable in fifteen years?
5. Do you distinguish records (clause 4.2.5) from controlled documents (clause 4.2.4) in your procedures and your storage, or are the two collapsed into one folder?
6. Has any member of the team ever tried a cold retrieval test on a record they did not personally create?
7. If the founder who currently knows where everything is left the company tomorrow, would the records still be retrievable by the people who remain?

## Frequently Asked Questions

**What does ISO 13485 clause 4.2.5 require for record control?**
Clause 4.2.5 of EN ISO 13485:2016+A11:2021 requires records to be maintained to provide evidence of conformity and of effective QMS operation, to remain legible, readily identifiable, and retrievable, and to be controlled by a documented procedure covering identification, storage, security and integrity, retrieval, retention time, and disposition. Records must be retained for at least the lifetime of the device as defined by the organisation or as required by applicable regulation, and not less than two years from release.

**How long must I keep technical documentation and the declaration of conformity under MDR?**
MDR Article 10(8) requires manufacturers to keep the technical documentation, the EU declaration of conformity, and relevant certificates available to competent authorities for at least ten years after the last device has been placed on the market, and at least fifteen years for implantable devices. The clock starts when the last unit is placed on the market, not at first shipment.

**Are records the same as controlled documents under ISO 13485?**
No. Clause 4.2.4 controls documents — the procedures, work instructions, specifications, and plans that govern how processes are run. Clause 4.2.5 controls records — the evidence those processes produced when they ran. Documents are approved, versioned, and superseded. Records are created, stored, retained, and disposed of on a defined schedule. The lifecycles are different and the controls are different.

**Can I store QMS records in a standard cloud drive like Google Drive or SharePoint?**
Yes, if the implementation meets clause 4.2.5. That means a defined location per record class, access control that protects integrity, automatic backups with tested restore, a retention schedule that meets MDR Article 10(8) for the relevant record classes, and a format that will still be readable at the end of the retention period. The tool is not the compliance. The procedure and the discipline around the tool are.

**What happens to records when we stop selling a device?**
The MDR Article 10(8) retention clock starts when the last device covered by the declaration of conformity is placed on the market. From that date, technical documentation and the DoC must be retained for at least ten more years, or fifteen for implantables. Other QMS records are retained per the organisation's schedule and any applicable law. Disposition (secure destruction or archival) happens only after the longest applicable obligation expires, and the disposition itself is recorded.

## Related reading

- [What Is a Quality Management System for Medical Devices?](/blog/what-is-quality-management-system-medical-devices) — the hub post for the QMS cluster and the clause-by-MDR-article orientation this post sits inside.
- [MDR Article 10(9) and Annex IX QMS Requirements in Detail](/blog/mdr-article-10-9-annex-ix-qms-requirements) — the legal basis for the QMS that record control serves.
- [How to Build a Lean QMS for Your MedTech Startup](/blog/build-lean-qms-mdr-startup) — the operational playbook for the QMS that produces these records.
- [The Minimum Viable QMS for Early-Stage MedTech](/blog/minimum-viable-qms) — what the smallest legitimate QMS actually contains.
- [Document Control Under MDR: A Practical ISO 13485-Based System for Small Teams](/blog/document-control-startup) — the clause 4.2.4 companion post on controlling the documents that these records evidence.
- [Data Integrity in Medical Device Records](/blog/data-integrity-medical-device-records) — the deeper dive on the integrity requirements of clause 4.2.5.
- [The Subtract to Ship Framework for MDR](/blog/subtract-to-ship-framework-mdr) — the methodology behind the lean record control system described here.

## Sources

1. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Article 10, paragraph 8 (retention of technical documentation, EU declaration of conformity, and relevant certificates — at least ten years after the last device has been placed on the market, at least fifteen years for implantable devices) and Article 10, paragraph 9 (quality management system obligation). Official Journal L 117, 5.5.2017.
2. EN ISO 13485:2016+A11:2021 — Medical devices — Quality management systems — Requirements for regulatory purposes. Clause 4.2.5 (control of records), with clause 4.2.4 (control of documents) as the companion control for governing documents.

---

*This post is part of the Quality Management Under MDR series in the Subtract to Ship: MDR blog. Authored by Tibor Zechmeister and Felix Lenhard. If your record control exists in theory but has never been tested under retrieval pressure, Zechmeister Strategic Solutions works with founders on QMS systems that survive the first real audit and the fifteen years after it.*

