Records control is how you manage quality records so they stay identifiable, protected, and retrievable for as long as you need them. ISO 9001 clause 7.5.3 requires records to be stored, protected from loss or alteration, retained on a schedule, and properly disposed.

Records control is the least exciting clause in the quality system and the one that sinks the most audits. Auditors do not usually catch you making a bad product; they catch you unable to prove you made a good one. "Show me the inspection record for lot 4471" is a simple request, and the number of plants that cannot answer it inside ten minutes is the number of plants with a records-control problem. This post covers what a record actually is, what the standard requires, and how to build a records system that survives both an audit and a real recall.

What is the difference between a record and a document?

A record is evidence that something happened; a document is an instruction for how something should happen. That one distinction organizes the whole topic. A work instruction, a drawing, a procedure, a spec, these are documents: they are alive, they get revised, and the only version that matters is the current one. An inspection result, a completed batch log, a calibration certificate, a signed traveler, these are records: they are frozen, they capture a moment, and you must never change them after the fact.

The two need opposite kinds of control, which is why the standard treats them differently. For a document you obsess over versions, making sure nobody is running last year's revision. For a record you obsess over integrity and retrieval, making sure the evidence is unaltered and findable years later. Confusing the two is common and costly: version-controlling a record invites tampering, and freezing a document leaves obsolete instructions in play. Our guide to document control covers the document side; this post is the record side. Both live under the same umbrella of documented information in ISO 9001 clause 7.

Documents versus recordsSame QMS, opposite controlsDOCUMENTSinstructions for what SHOULD happenprocedures, specs, drawingswork instructions, formsCONTROL: current versionrevise, approve, remove old copiesRECORDSevidence that it DID happeninspection results, batch logscalibration certs, travelersCONTROL: integrity + retentionprotect, retain, retrieve, never alterVersion-control a document. Freeze and retain a record. Never swap the two.
Documents are revised and the old versions retired. Records are frozen the moment they are created and protected against any later change.

What does ISO 9001 clause 7.5.3 require?

Clause 7.5.3 requires that documented information (which includes records) be controlled so it is available and suitable for use where and when it is needed, and adequately protected. For records specifically, the standard calls out a set of activities you must address:

The phrase that trips people is "protected from unintended alterations." A record is proof, and proof you can silently edit is not proof. This is why records get read-only handling, signatures, and audit trails while documents get revision numbers. In regulated industries the bar is higher still: FDA 21 CFR Part 11 sets specific requirements for electronic records and electronic signatures, including audit trails and controls that make an electronic record as trustworthy as an ink-on-paper one. See 21 CFR Part 11 for that world.

What is the lifecycle of a quality record?

Every record moves through the same stages, and records control is just managing each stage on purpose instead of by accident. Skip a stage and the gap shows up exactly when you can least afford it, usually mid-recall or mid-audit.

The lifecycle of a quality recordThe six stages of a record1 CREATE+ identify2 STORElegible, safe3 PROTECTno alteration4 RETRIEVEfind in minutes5 RETAINdefined period6 DISPOSEcontrolledA retention schedule governs stages 5 and 6. Access controls guard 3 and 4.
Identification at creation makes retrieval possible later. The retention schedule decides when a record moves from kept to gone, on purpose.

How do you build a records-control system?

You do not need heavy software to control records well; you need a schedule, consistent identification, and a place records cannot be quietly changed. Here is the order that holds up under audit.

  1. List your record types. Walk the process and name every record it generates: incoming inspection, in-process checks, final release, calibration, training, non-conformance reports corrective actions. If it is evidence, it goes on the list.
  2. Set a retention period for each. Driven by regulation, customer contract, and product life, whichever is longest. When no rule applies, base it on how long the product is in service plus a margin. Write the reason next to the period.
  3. Assign an owner and a storage location. One named owner per record type and one place it lives, physical or digital. "It's around somewhere" is not a storage location.
  4. Define identification. How each record is labeled and indexed so it can be found: lot number, date, product, station. Retrieval is only as good as identification, so this step is where a ten-minute audit answer is won or lost.
  5. Lock down integrity. Records go read-only once complete. Paper gets signatures and controlled storage; electronic records get access controls and an audit trail so changes are visible, not silent.
  6. Write the disposition rule. What happens at end of retention: shred, delete, archive. Disposition is controlled too, because destroying a record you were required to keep is its own finding.
  7. Audit the system periodically. Pick a lot at random and try to pull every record for it against the clock. If you cannot, the system has a hole; fix it before the auditor finds it. Fold this into your quality audit.

What does a retention schedule look like?

The retention schedule is the heart of records control. It is a simple table, and its value is that it makes retention a decision made once, in advance, rather than an argument every time a filing cabinet fills up. Retention periods vary widely by industry and regulation, so treat these as illustrative, not as legal minimums for your product.

Record typeTypical retention basisOwnerFormat
Final inspection / release recordsProduct life + contract termsQualityRead-only digital
Batch / production logsRegulatory + traceability needProductionDigital + signed
Calibration certificatesLife of the instrument + marginMetrologyDigital archive
Non-conformance / CAPA recordsSeveral years per QMS policyQualityRead-only digital
Training recordsEmployee tenure + marginHR / QualityDigital

Notice the retention basis column carries the reasoning, not just a number. "7 years" with no reason is a number someone will eventually shorten to save space; "product life plus contract" survives that pressure because the logic is visible. When your product goes into a long-lived assembly or a regulated food or medical supply chain, the retention basis is often driven by traceability requirements that reach years past the sale.

What do the standards require?

The requirements behind records control

  • ISO 9001:2015 clause 7.5.3 requires documented information to be controlled for availability, protection, distribution, access, storage, preservation, control of changes, retention, and disposition, and requires records kept as evidence of conformity to be protected from unintended alterations (ISO 9001:2015).
  • ISO maintains an overview of the standard's requirements for documented information and its role across the quality management system (ISO, Quality management).
  • For electronic records in FDA-regulated industries, 21 CFR Part 11 sets requirements for record integrity, audit trails, and electronic signatures so that electronic records are trustworthy and equivalent to paper (eCFR, 21 CFR Part 11).

Why do paper records fail an audit?

Paper records fail on retrieval and integrity, the two things the standard cares most about. Retrieval, because finding one lot's records in a room of binders is slow, and the auditor is watching the clock; a missing signature or an unlabeled form on the one lot they picked becomes a finding for the whole system. Integrity, because paper is easy to "correct" after the fact with no trace, which is exactly what a record must not permit. Add fading ink, coffee stains, and the box that got water-damaged in the back room, and the failure modes stack up.

None of this means paper is forbidden; plenty of plants run compliant paper records with discipline. It means paper makes the discipline expensive, because every control (legibility, protection, retrieval, integrity) is manual and fragile. The moment you have thousands of records across many lots, the manual system starts leaking, and you find out mid-recall.

How does digitizing records help?

Capturing records as structured data at the moment of work fixes the two failure modes at their root. Retrieval becomes a search instead of a hunt: pull every record for lot 4471 in seconds because each was tagged with the lot when it was created. Integrity becomes automatic: a completed electronic record is read-only with an audit trail, so "protected from unintended alteration" is the default rather than a discipline you have to enforce by hand.

That capture-at-the-source approach is what Harmony's station-level digitization is built for, no rip-and-replace: the inspection check, the batch log, the hold tag become structured, timestamped, searchable records the moment an operator creates them, alongside the QMS and ERP you already run. Retention schedules, access controls, and traceable retrieval come along for free because the record was born digital and identified. See it running in the CLS case study. Control your documents for their current version and your records for their integrity, keep a written retention schedule, and be able to pull any lot's evidence in minutes. Do that and the records clause stops being the one that sinks the audit.