Chapter 6: Retention Schedules: How Long to Keep Records Across 10 ISO Standards

Record retention under ISO management-system standards is driven by the longest applicable requirement: the standard's clause 7.5, the customer's contract, the regulator's rule, and any litigation or product-liability hold. Typical retention ranges: 3 years for general QMS records (ISO 9001), 7 years for medical device records (ISO 13485 + FDA QSR), 10+ years for aerospace records (AS9100 customer requirements often dictate), and lifetime-of-the-product for 13485 design history files. Manufacturers should retain to the longest single requirement, not split records by clause.
The mistake most quality teams make is treating retention as a clause-7.5 question. The standard sets a floor; customers, regulators, and product-liability law set the ceiling. A weld inspection record on an aerospace fastener is technically a "quality record" under AS9100 clause 7.5, but the customer flowdown from a prime contractor may demand 30 years of traceability, and the FAA may require it to remain available for the operational life of the airframe. Retain to the highest bar, document the basis, and apply the same retention period to every copy of the record regardless of where it is stored.
Retention requirements by ISO standard (master table)
The table below summarizes the documented-information clause and the typical retention floor for each of the 10 standards covered in this guide. The "minimum retention" column represents the period most accredited auditors expect to see when no customer or regulator override is in play. Real-world retention is almost always longer.
| Standard | Clause reference | Minimum retention (no override) | Notes |
|---|---|---|---|
| ISO 9001:2015 | 7.5.3 | 3 years | Standard does not specify; 3 years is industry norm. Customer CSRs frequently extend to 7-10. |
| ISO 14001:2015 | 7.5.3 | 5 years | Environmental permits and waste manifests often dictate 5-7 years; check provincial/state rules. |
| ISO 45001:2018 | 7.5.3 | 5-30 years | Incident records 5 years; occupational exposure records (hearing, chemical) 30 years per OSHA/CCOHS. |
| ISO 13485:2016 | 4.2.5 | Lifetime of device + 2 years (min 7) | Design History File must remain for the lifetime of the device, never less than 2 years after release. |
| ISO 22000:2018 | 7.5.3 | 2x shelf life or 5 years | FDA FSMA and CFIA dictate; whichever is longer applies. |
| IATF 16949:2016 | 7.5.3.2 | Length of production + service + 1 calendar year | Explicitly defined in the standard; production parts retain longer. |
| AS9100D:2016 | 7.5.3.1 | Per customer contract (10+ typical) | Standard requires retention "as defined by the organization or customer"; primes often demand 10-30 years. |
| FSSC 22000 v6 | 7.5 | 2x shelf life minimum | Scheme adds traceability records 2 years beyond shelf life; longer for infant formula and high-risk categories. |
| ISO/IEC 17025:2017 | 8.4 | 5 years (calibration), permanent (method validation) | Test reports and raw data minimum 5 years; method validation records retained as long as the method is in use. |
| ISO 22301:2019 | 7.5.3 | 3 years | BCMS records align with QMS; exercise reports and incident logs typically 3-5 years. |
A retention schedule that simply transcribes this table will fail an audit the first time a customer flowdown shows up unindexed. The schedule must list the basis for each period (clause, customer contract number, regulation citation) so an accredited auditor can verify why a record is being kept for that long.
When customer and regulator requirements override the standard
The standard's retention floor is rarely the controlling number. Five overrides routinely raise the bar:
Automotive customer-specific requirements (CSRs). General Motors' supplier quality manual requires production part records be retained for 15 calendar years after the last vehicle is built. Ford's Q1 manual specifies similar terms, with PPAP records retained for the life of the part plus one year. Stellantis CSRs vary by plant but commonly require 10-year retention. An IATF 16949 supplier shipping to all three primes must retain to the longest of the three contracts, not the IATF baseline.
FDA 21 CFR Part 820 and the Quality System Regulation. Medical device manufacturers selling into the United States retain Device Master Records (DMR) and Device History Records (DHR) for a period equivalent to the design and expected life of the device, but never less than 2 years from the date of release. For implantables and Class III devices, "expected life" routinely exceeds 25 years. Health Canada's Medical Devices Regulations (SOR/98-282) parallel this with distribution records held for the life of the device.
Aerospace flowdowns and ITAR. AS9100 itself defers retention to the customer. A Tier 1 aerospace prime such as Boeing or Lockheed Martin will commonly require 10-30 year retention on first-article inspection reports, certificates of conformity, and material traceability. Defence work covered by ITAR (International Traffic in Arms Regulations) carries a separate 5-year minimum on export records, and these must be stored separately from commercial records to satisfy controlled-access requirements. Suppliers in the aerospace and defence sector commonly run two parallel retention regimes.
Food regulator rules. The FDA Food Safety Modernization Act (FSMA) requires traceability records be retained for 2 years; CFIA's Safe Food for Canadians Regulations match this, with longer terms for infant formula and low-acid canned food. FSSC 22000 certified sites in those categories often retain 7-10 years on lot-level records.
Litigation hold and product liability. Once a manufacturer is on notice of a claim, all records related to the claim must be preserved regardless of the retention schedule. A 3-year QMS record subject to a litigation hold becomes a permanent record until the hold is lifted. Records-management procedures must include a hold mechanism that suspends scheduled destruction.
Records versus documents — different retention rules
The two terms are often used interchangeably; under ISO they are not. A document is a controlled instruction (procedure, work instruction, drawing) that tells someone what to do. A record is evidence that something was done (inspection result, training sign-off, calibration certificate). They retain on different clocks.
| Item type | Examples | Retention basis | Typical period |
|---|---|---|---|
| Active document | Current procedure rev D | Until superseded | Indefinite while in use |
| Obsolete document | Procedure rev A, B, C | Until product lifetime ends + statute of limitations | 7-30 years (industry-dependent) |
| Quality record | Inspection report, training log | Standard clause + customer + regulator | 3-30+ years |
| Design record | DHF, design review minutes | Lifetime of product + 2 years minimum | 25+ years for implantables |
| Calibration record | Cert of calibration, gauge R&R | Length of equipment use + 5 years | 10-15 years typical |
| Supplier record | Approved supplier list, audit reports | Length of supplier relationship + 3 years | 10+ years |
The trap is destroying obsolete documents on a short clock when a product-liability defence depends on showing what the procedure said in 2014. Aerospace and medical device manufacturers retain every revision of every controlled document for the lifetime of the affected product. Automotive suppliers retain at least to the IATF rule of "production plus service plus one year." General manufacturing under ISO 9001 alone can defensibly retain superseded documents for 7 years, but most quality-savvy operations push that to 10.
Common retention mistakes that fail audits
Accredited auditors flag retention findings on roughly one in three certification audits. The patterns repeat across industries:
Retention without documented basis. A schedule that says "10 years" with no clause, contract, or regulation cited is not defensible. When the auditor asks "why 10 years?", the answer must be a specific reference. Schedules that read "to be safe" or "company policy" fail.
IT-driven destruction. A 90-day email retention policy applied to a Quality inbox that contains supplier non-conformance correspondence will destroy 7-year QMS records on a 90-day clock. Records management policy must override IT policy on systems holding controlled records, not the other way around.
Mixed-media confusion. A design history file split across paper drawings, a SharePoint folder, an FTP archive of CAD files, and a personal Outlook PST is one record on four clocks. When the SharePoint admin migrates to a new tenant and drops the legacy folder, the DHF is incomplete and the 7-year minimum becomes a finding. Single source of truth is the only defensible answer.
Third-party storage with no chain of custody. A box of paper records sent to off-site storage 12 years ago, with no retrieval test in the interim, is a finding waiting to happen. Annual sampling — pull three random boxes, verify retrieval within 24 hours, document the test — is the audit-passing pattern.
Over-retention without basis. Keeping everything forever is not the safe choice. Records that exceed the documented schedule become discoverable in litigation that the manufacturer would not otherwise face. The schedule should specify destruction, and destruction should occur on schedule with a destruction log. Retention "just in case" is a liability.
Unaligned retention across sites. A multi-site manufacturer with one site retaining 7 years and another retaining 3 years on the same record type cannot defend the difference to an auditor or a customer. Corporate retention schedules must apply uniformly, with site-specific extensions documented.
Failure to retain process-validation evidence. ISO 13485 and AS9100 require validation of special processes (welding, sterilization, heat treatment). The validation evidence — not just the procedure — must be retained for the life of the process. Many manufacturers retain the procedure but lose the original validation runs and cannot reconstruct the validation when challenged.
Designing a retention schedule that satisfies all standards
The schedule itself is a controlled document and must move through the same review and approval workflow as any other procedure. A defensible build follows seven steps:
- Inventory every record type. List every record produced in every process. A typical mid-size manufacturer surfaces 80-150 distinct record types.
- Map each record to every applicable requirement. A weld inspection record at a shop serving both automotive and aerospace customers maps to IATF 16949 7.5.3.2, AS9100 7.5.3.1, customer CSRs from each prime, and any regulator rules.
- Set retention to the longest applicable requirement. Never split a record into "the IATF copy" and "the AS9100 copy." One record, one retention period, set to the highest bar.
- Cite the basis for each period. Clause, contract number, regulation citation. The schedule must answer "why this long?" without the records manager being in the room.
- Define the destruction trigger and method. Some records destroy on a date; some destroy on an event ("end of production plus one year"). Method must be appropriate for the medium — shred for paper, secure-erase for digital.
- Build a litigation-hold suspension mechanism. Legal counsel must be able to freeze a record category in one click when notice of claim arrives.
- Test retrieval annually. Sample 5-10 records across age bands; verify retrieval within the SLA documented in the schedule.
A worked example for a contract manufacturer holding ISO 9001, IATF 16949, and AS9100 certifications:
| Record category | Retention period | Basis | Destruction method |
|---|---|---|---|
| Customer order and contract | Production end + 15 years | GM CSR; AS9100 prime contract clause 12 | Shred / secure-erase |
| First-article inspection report | Life of part + 30 years | Boeing flowdown D6-1276 | Shred / secure-erase |
| PPAP submission package | Production end + 1 year | IATF 16949 7.5.3.2 | Shred / secure-erase |
| Internal audit report | 5 years | ISO 9001 7.5.3 + customer norm | Secure-erase |
| Management review minutes | 7 years | ISO 9001 7.5.3 + corporate policy | Secure-erase |
| Calibration certificate | Life of equipment + 5 years | ISO/IEC 17025 8.4 + IATF 7.1.5.2.1 | Secure-erase |
| Training record | Length of employment + 7 years | ISO 9001 7.2 + provincial labour code | Secure-erase |
| Supplier corrective action | Supplier termination + 3 years | IATF 16949 8.4 + AS9100 8.4 | Secure-erase |
| Non-conformance and CAPA | Production end + 10 years | Customer CSR norm | Secure-erase |
| Document obsolete revision | Life of product + 10 years | Product liability statute | Secure-erase |
The schedule lives as a controlled document inside the QMS, reviewed annually, updated when a new customer contract or regulation lands, and audited like any other procedure.
A retention schedule built this way scales from a single ISO 9001 site to a 10-standard global program without rewriting the rules. Because PinnacleQMS ties retention metadata to every record at the moment of creation — clause, customer contract, regulator citation, hold flag — destruction never happens on an IT clock and over-retention is visible in real time. Manufacturers running paper or shared-drive systems can replicate the same logic; the discipline is the same. To map current retention practice against the 10-standard requirements above, contact the PinnacleQMS team for a retention-schedule review against the specific customer and regulator obligations the operation faces. The implementation process starts with this gap analysis and produces a single defensible schedule before any new control is built.


