In a previous article, we explained how to effectively control the documents of the corporate Quality Management System; however, equal importance must be given to records.
The data recording system is designed to collect the results of all activities performed, all inspections conducted, and the outcomes achieved, providing evidence of compliance with applicable technical and/or regulatory requirements and the effective functioning of the Quality Management System.
Among the records, we can include, for example:
- production batch records
- maintenance or service reports
- warehouse picking lists
- transport documents
- supply specifications or Quality Agreements
- distribution contracts
- training reports
- Internal audit plans and reports, whether from second or third parties, as well as any checklists used
- Evidence of complaint management
What does the ISO 13485 standard—the gold standard for Quality Management Systems in the medical field—establish regarding the control of records?
Documented Procedures for Record Management
The organization must document procedures to define the necessary controls to ensure adequate identification and proper filing of records, as well as to guarantee their appropriate retention, security, and integrity. These procedures must also define the period during which the organization ensures the retention of records and the method for their disposal.
The procedures should also establish responsibilities for the completion, approval, and filing of all records.
Proper Completion of Records
It is advisable to train all personnel in the organization on the proper completion of records: all fields should be filled out clearly, neatly, and in legible handwriting, without leaving blank spaces.
If a field of the record is not to be completed, it must be clearly identified (for example, by marking it as N.A. – Not Applicable, or with a slash /) and, if applicable, accompanied by the reason why the operator deemed it non-fillable.
Changes to Records
Changes made to records must always remain identifiable: the use of erasable pencils and erasers or correction fluid (or tape) should not be permitted. If a portion of text needs to be deleted, it should simply be struck through to accurately identify the original content in all cases.
Additionally, it is good practice to identify the author of the modification to maintain adequate traceability of responsibilities/authorities.
Management of Confidential Information
The organization must define and implement adequate methods to protect and safeguard confidential information (not only from clients but also from employees, suppliers, and other external stakeholders) contained in the records, in accordance with applicable regulatory requirements.
It may be useful to sign specific NDAs (Non-Disclosure Agreements) with stakeholders, defining what is meant by confidential information and how the company intends to manage, treat, and, if necessary, under what specific conditions this information may be communicated and/or disclosed externally.
Particular attention must be paid to clinical data and, more generally, to all sensitive data of patients and users processed by the organization in the context of clinical investigations.
Retention of Records
The organization must establish the period during which records of the Quality Management System must be retained.
The ISO 13485 standard states that all records must be maintained for at least the life of the medical device for which the organization is the manufacturer—but for no less than two years from its release—while also considering the provisions of EU Regulation 2017/745 and subsequent amendments regarding medical devices (MDR) and/or other applicable legal requirements.
During this entire period, the original copies of all records must remain legible, easily identifiable, and accessible.
For this reason, it is good practice to prefer electronic storage over paper storage. If it is not possible to complete all records electronically, they can be completed by hand and subsequently scanned and stored digitally. If the organization has an electronic archive containing all records, it is also advisable to schedule periodic backups, thereby reducing the risk of deterioration or loss that paper documents are more prone to.
Conclusions
The control of records is therefore a critical activity for organizations, as they are the only documents capable of providing evidence of compliance with requirements and the effective functioning of the Quality Management System.
The procedures and operational practices for managing records must be clearly defined and without neglecting any detail.
