Documents and Records: Understanding the Distinction
In the medical device industry, there has long been a discussion about whether records should be classified as documents or as a separate category. The underlying issue stems from a fundamental question in quality management system (QMS) implementation: which items should be managed as “documents” and which as “records”? This distinction has profound practical implications for regulatory compliance and operational excellence.
ISO 13485:2016 clarified this ambiguity by establishing that “documents” (Document) include both “documents” and “records” (Record) as related but distinct concepts. However, section 4.2.4 on “Document Control” explicitly states: “although records are a type of document, they shall be managed in accordance with the requirements specified in 4.2.5.” This clarification reveals a critical truth: while records fall within the broader concept of documents, the management methods applied to documents and records must be fundamentally different. This distinction is not merely semantic; it reflects a strategic understanding essential to effective QMS implementation.
Conceptual Differences Between Documents and Records
In regulatory requirements and international standards, the term “document” refers to the framework of the quality management system itself—the rules, procedures, standards, policies, and specifications that an organization establishes to maintain and ensure quality. These documents are intentionally created by the organization and serve as the authoritative instructions that the organization must follow to ensure product quality.
In contrast, “records” are the output or evidence generated through the actual operation of the QMS. For example, a manufacturing procedure document is a “document,” while the manufacturing log, inspection results, and traceability information recorded during the execution of that procedure are “records.” A manufacturing instruction document is a “document,” but the record of what was actually manufactured, on which date, by whom, and with what test results, constitutes “records.”
Yet in practice, many medical device companies manage records as part of their QMS documentation, which is not appropriate. Records are not a system or framework in themselves; rather, they are evidence of having executed that system. Conflating the two undermines the foundational philosophy of quality management and creates operational confusion. Organizations that make this distinction correctly gain clarity in their QMS architecture and improve the effectiveness of their regulatory compliance efforts.
Requirements for Document Control
ISO 13485:2016 section 4.2.4, “Document Control,” specifies the following requirements:
Requirement 1: Review and Approval Prior to Release
“Documents shall be reviewed and approved for adequacy before release.” This mandates that review and approval are prerequisites for document release. Every newly created or substantially revised document must undergo rigorous review before official release. This review must assess technical content, accuracy, appropriateness, and feasibility, and must be conducted by individuals with documented authority to approve. This gatekeeping process is essential to ensure document quality and reliability.
Requirement 2: Periodic Review and Updating
“Documents shall be reviewed and updated as necessary and re-approved.” The word “review” in this context means “revision” or “reconsideration.” Documents must be periodically revisited and revised as needed. This is necessary to accommodate changes in regulatory requirements, technological advances, organizational policy shifts, and accumulated operational experience. For example, when the EU MDR or PMDA requirements change, all affected documents must be reviewed and revised accordingly. Similarly, when an organization implements new manufacturing technologies or discovers non-conformances through post-market surveillance, relevant documents must be updated to reflect these learnings.
Requirement 3: Identification of Current Revision and Change Identification
“Adequate document control shall ensure that documents are reviewed, approved, and that their current revision status is identified.” When multiple revisions exist, the current approved version must be clearly distinguishable from superseded versions. In practice, this typically means allowing access only to the current version, with older versions archived and marked as obsolete. Simultaneously, the differences between the current and previous versions should be documented, often through revision history tables or revision marks that highlight what changed. This enables users to quickly understand what changed and why, supporting compliance with the updated requirements.
Beyond these three explicit requirements, document control must ensure proper document distribution. This means delivering documents to all functions and individuals who need them, and maintaining records of who received which versions and when. Additionally, organizations must have procedures to ensure that superseded or obsolete documents are not used in error. This is particularly critical for electronic document management systems, which should provide version control features, access rights management, and automatic change logging.
Requirements for Record Control
In contrast, ISO 13485:2016 section 4.2.5, “Records,” specifies the following requirements:
Fundamental Requirement: Creation and Maintenance of Evidence
“Records shall be established and maintained to provide evidence of conformity to requirements and of the effective operation of the quality management system.” As noted earlier, records are the evidence generated through actual QMS implementation. Every critical activity an organization performs—manufacturing process control, product safety verification, regulatory compliance—must be objectively documented and evidenced through records. These records become the primary focus during regulatory inspections and audits, serving as proof of an organization’s commitment to quality.
Critically, records do not require the review and approval mandated for documents. A record, once created according to defined procedures, possesses inherent credibility. However, organizations must prospectively define within their QMS which records require review and approval (if any) and which do not. This risk-based determination is crucial.
For example, manufacturing logs, batch records, and inspection reports are likely to require review and approval, as they may be referenced during regulatory submissions or market surveillance investigations. Conversely, routine meeting minutes might not require formal approval. However, records documenting design reviews, risk analyses, or clinical decisions—activities directly affecting product safety, effectiveness, or performance—likely require documented review and approval. The determination hinges on a fundamental question: does this record contain information that could be material to a regulatory investigation or market recall decision? If yes, it warrants controlled management including review and approval.
Requirement: Change Identification
“Records shall be protected from being damaged, deteriorated, or lost. Records shall be stored and preserved in such a way as to permit easy retrieval and to protect them from damage or deterioration.” Additionally, “records shall be legible, readily identifiable, and retrievable” and, critically, any changes to records “shall be identifiable.”
Unlike documents, which are revised and updated as part of normal operations, changes to records risk becoming alterations or falsifications. Records of medical device quality are of paramount importance, and unrestricted modification is not acceptable. Therefore, changes to records are permitted only when supported by documented justification. When modification occurs, the reason for the change, the person making the change, the date of the change, and ideally the nature of what was changed, must all be clearly identifiable.
For electronic records, the audit trail is the mechanism by which this traceability is achieved. FDA 21 CFR Part 11, EU GxP Annex 11, and ICH guidelines on electronic records and electronic signatures all emphasize audit trail completeness and integrity as foundational requirements. These regulatory expectations mandate that electronic record management systems automatically capture who changed what, when, and ideally why. For paper records, best practices involve using indelible strikethrough, initialing changes, dating modifications, and maintaining the original information in a way that permits verification of what originally existed.
Comparative Management Framework for Documents and Records
The following table summarizes the key distinctions between document control and record management as defined in ISO 13485:2016:
| Management Element | Documents | Records |
| Definition | QMS procedures, policies, standards, specifications | Evidence of QMS operation, execution results |
| Nature | Normative, preventive, prescriptive | Evidential, historical, demonstrative |
| Pre-Release Review and Approval | Mandatory | Not mandatory (unless product quality-critical) |
| Periodic Review | Mandatory | Not required |
| Version Management | Mandatory (clear current version identification, change history documentation) | Not required (but if changes are made, those changes must be identifiable) |
| Modification | Revisions approved through formal review process | Only with documented justification; change must be identifiable |
| Change Documentation | Revision history showing differences between versions | Modification details including reason, author, date |
| Retention Period | Period necessary for QMS effectiveness | Period specified by regulations, product life, statute of limitations |
Conclusion
Distinguishing between documents and records is not merely a matter of terminology or categorization. Rather, it reflects a fundamental understanding of how quality management systems function and how regulatory compliance is achieved. Documents represent the organization’s intentional design—the framework of rules and procedures that govern operations. Records represent the evidence of how those rules were actually followed and what results were achieved.
In the evolving global regulatory landscape—encompassing EU MDR, PMDA requirements, IEC 62304, and other international standards—the distinction between documents and records is consistently reinforced as essential. These regulatory frameworks recognize that appropriate control of documents and records is foundational to demonstrating QMS effectiveness and product safety.
For medical device organizations seeking to maintain sustainable competitive advantage and earn the trust of both regulators and the market, understanding and correctly implementing the distinction between documents and records is not optional. It is a core competency that directly impacts regulatory acceptance, operational efficiency, and ultimately, patient safety. Organizations that invest in this conceptual clarity and embed it into their operational QMS will find themselves better positioned for regulatory success in an increasingly complex global environment.
Comment