What does ISO 13485 clause 7.5.9 require for traceability?

ISO 13485:2016 clause 7.5.9 requires organizations to document traceability procedures covering product identification throughout realization, status identification at each production stage, and — for implantable devices — records identifying personnel who performed inspections. The extent of traceability must meet all applicable regulatory requirements, including UDI rules in the US and EU.

Is a UDI required for ISO 13485 compliance?

UDI is not mandated by ISO 13485 itself, but clause 7.5.9 requires traceability to comply with applicable regulatory requirements. Since FDA (21 CFR Part 830) and EU MDR/IVDR both require UDI for most device classes, manufacturers selling into these markets must implement UDI as a de facto extension of their ISO 13485 traceability obligations.

What must be included in a Device History Record (DHR)?

A compliant DHR must include: dates of manufacture, quantity manufactured and released, labeling and primary identification (including UDI/lot/serial number), inspection and test results, equipment used, sterilization records (if applicable), personnel records for critical operations, nonconformance and deviation records, and incoming component lot numbers.

How long must Device History Records be retained under ISO 13485?

ISO 13485 requires records to be retained for at least the lifetime of the device or as specified by regulatory requirements — whichever is longer. In the EU under MDR, this is typically a minimum of 10–15 years. In the US under FDA QMSR, the requirement is the lifetime of the device or 2 years following commercial distribution, whichever is greater.

What is the most common traceability gap found during ISO 13485 audits?

The most common gap is a broken component-to-finished-goods chain — the manufacturer can identify the finished device lot but cannot link it to specific incoming component lots used in production. This is often caused by ERP systems that don't capture supplier lot numbers at goods receipt, or by undocumented material substitutions during production.

Traceability Requirements Under ISO 13485: UDI, Lot Numbers & DHRs

Last updated: 2026-03-29

Traceability is one of the most scrutinized areas during ISO 13485 surveillance and certification audits — and for good reason. When a device fails in the field, the ability to trace it back to a specific production lot, a specific supplier component, or a specific assembly technician can mean the difference between a targeted 500-unit recall and a catastrophic 500,000-unit recall. It can also mean the difference between a corrective action that takes two weeks and a regulatory crisis that takes two years.

After 8+ years of guiding 200+ medical device manufacturers through ISO 13485 certification and surveillance audits — with a 100% first-time audit pass rate — I've seen traceability done right and done very wrong. This pillar article breaks down every layer of the traceability requirement: what the standard actually demands, how UDI fits into the picture, how lot and serial numbers work in practice, and what a complete Device History Record (DHR) looks like.

Why Traceability Is Non-Negotiable in Medical Device Manufacturing

ISO 13485:2016 clause 7.5.9 states the core traceability requirement: organizations shall document procedures for traceability, and the extent of traceability shall be in accordance with applicable regulatory requirements. That last phrase — "applicable regulatory requirements" — is doing heavy lifting. It means your traceability system must satisfy both the ISO standard and the specific regulatory frameworks of every market you sell into.

According to the FDA, inadequate traceability and recordkeeping consistently rank among the top five reasons for Form 483 observations and Warning Letters issued to device manufacturers. A single gap in lot-number documentation can cascade into a major nonconformance during a notified body audit, threatening your CE mark, your FDA registration, and ultimately your ability to sell.

The core traceability principle under ISO 13485 is this: for any finished device, you must be able to trace forward (which customers received it) and backward (what materials, components, and processes produced it). Both directions are required, and both are tested during audits.

What ISO 13485 Clause 7.5.9 Actually Requires

Let's go directly to the text. ISO 13485:2016 clause 7.5.9 breaks traceability obligations into three tiers:

Tier 1 — Identification of Products and Components

The organization must identify the product throughout product realization — from raw materials through to finished device. This is accomplished through:

Lot numbers or batch numbers for devices manufactured in production runs
Serial numbers for individually produced or implantable devices
Component-level identification linking each lot of finished goods to the specific incoming lots of materials used

Tier 2 — Status Identification

Products must be identified with respect to monitoring and measurement requirements. In plain English: at every stage of production, it must be clear whether a device or component has passed inspection, is awaiting inspection, or has been rejected. This is typically implemented via traveler documents, status labels, or ERP/MES system flags.

Tier 3 — Traceability Records

For implantable devices, ISO 13485:2016 clause 7.5.9 is explicit: the organization shall maintain records of the identity of personnel performing any inspection or test activity. This is a heightened requirement that also feeds directly into MDR/IVDR obligations in the EU and 21 CFR Part 820 requirements in the US.

Unique Device Identification (UDI): The Regulatory Layer on Top of ISO 13485

UDI systems were designed by regulators — not standards bodies — to create a globally readable, machine-parseable identifier on every device. Understanding how UDI maps onto your ISO 13485 traceability system is critical.

What Is a UDI?

A UDI consists of two components:

Component	Description	Example
Device Identifier (DI)	Fixed portion identifying the labeler and device version/model	(01)00614141007349
Production Identifier (PI)	Variable portion capturing lot/batch number, serial number, manufacturing date, and/or expiration date	(10)LOT12345 (17)260301

The DI is submitted to a regulatory database (FDA GUDID, EU EUDAMED, etc.). The PI is printed on the label and captured in the DHR. Together, they form a complete traceable link between the physical device and its regulatory record.

UDI Regulatory Timelines and Scope

United States (FDA 21 CFR Part 830): UDI has been required for Class III devices since 2014, Class II since 2016, and Class I since 2020. Standalone software (SaMD) compliance deadlines are ongoing.
European Union (EU MDR 2017/745 and EU IVDR 2017/746): UDI implementation is phased by device class, with Class III/implantable devices fully required and Class IIa/IIb requirements enforced since May 2023. Class I devices face ongoing rollout.
Other markets: Canada (Health Canada), Australia (TGA), and Japan (PMDA) all have UDI frameworks that are largely harmonized with the IMDRF UDI Guidance.

How UDI Integrates With Your ISO 13485 QMS

Your QMS document — typically a Traceability Procedure — must explicitly map UDI data capture points into your production and labeling workflows. This means:

Label generation: Your labeling procedure must specify who generates UDI labels, which system generates them, and what verification step confirms the correct DI and PI are printed.
DHR linkage: Every DHR must capture the UDI (or at minimum the lot/serial number that reconstructs it).
GUDID/EUDAMED synchronization: A procedure must govern how and when DI records are updated whenever a change in device specification triggers a new DI.

Citation hook: ISO 13485:2016 requires traceability to be maintained in accordance with applicable regulatory requirements — meaning UDI compliance is not optional for manufacturers selling into regulated markets; it is a direct extension of clause 7.5.9 obligations.

Lot Numbers and Serial Numbers: The Operational Backbone

While UDI is the regulatory-facing identifier, lot numbers and serial numbers are the operational engine of your traceability system. Here's how they function and what your QMS must define.

Lot Numbers (Batch Numbers)

A lot number identifies a group of devices manufactured under essentially the same conditions during the same manufacturing period. Your procedure must define:

Lot formation rules: What constitutes a new lot? A new raw material lot? A shift change? A new production run?
Lot linkage: How is a finished device lot linked to the incoming component lots that were used? This is often called a "material genealogy" and is the most common traceability gap I find during pre-audit assessments.
Lot segregation: Physical or system-based controls to prevent commingling of lots during production and storage.

Serial Numbers

Serial numbers are required for implantable devices under ISO 13485 and are also triggered by many regulatory frameworks for Class III devices. A serial number is unique to a single unit. Your procedure must define:

The serial number format and who assigns it
How serial numbers are recorded in the DHR
How serial numbers are communicated to customers and distributors (for complaint handling and vigilance purposes)

Component-Level Traceability: The Hidden Requirement

Here's where many manufacturers fall short: ISO 13485 doesn't just require you to trace the finished device — it requires you to trace the components within the finished device back to their incoming lots. This means:

Incoming inspection records must capture supplier lot numbers
Bill of Materials (BOM) explosions in production records must link finished goods lots to component lots
Any deviation in component lots (e.g., material substitution due to shortage) must be documented in the DHR

Device History Records (DHR): The Complete Picture

The Device History Record is the single most important traceability document you will ever produce for a device. Under ISO 13485:2016 clause 7.5.1, the DHR must demonstrate that the device was manufactured in accordance with the Device Master Record (DMR). Think of the DMR as the recipe and the DHR as the batch record proving you followed it.

What a Complete DHR Must Contain

A compliant DHR under ISO 13485 and 21 CFR Part 820.184 (and its 2024 successor, 21 CFR Part 820 aligned with QMSR) must contain:

DHR Element	ISO 13485 Reference	US QMSR Reference
Dates of manufacture	Clause 7.5.1	21 CFR 820.70
Quantity manufactured and released	Clause 7.5.1	21 CFR 820.184
Primary identification label and labeling	Clause 7.5.1	21 CFR 820.184
Device identification (lot/serial/UDI)	Clause 7.5.9	21 CFR Part 830
Inspection and test results	Clause 8.2.6	21 CFR 820.80
Equipment used in production	Clause 6.3	21 CFR 820.70
Sterilization records (if applicable)	Clause 7.5.2	21 CFR 820.75
Personnel performing critical operations	Clause 7.5.9	21 CFR 820.70
Nonconformance and deviation records	Clause 8.3	21 CFR 820.90
Incoming component lot numbers	Clause 7.5.9	21 CFR 820.184

DHR as a Living Document

A critical point that is often misunderstood: the DHR is compiled during manufacturing, not assembled retroactively. Each step in your production workflow should generate a record that is filed into — or electronically linked to — the DHR in real time. If an auditor suspects records were backdated or reconstructed, that is a major nonconformance with potentially serious regulatory consequences.

Electronic DHRs: Opportunity and Risk

Many manufacturers are migrating from paper-based DHRs to electronic Quality Management Systems (eQMS) with integrated DHR modules. This is generally a positive move for data integrity and searchability. However, electronic DHRs must comply with:

21 CFR Part 11 (FDA electronic records rule) if you sell into the US
Annex 11 / EU GMP principles if your device intersects with pharmaceutical combination products in the EU
ISO 13485 clause 4.2.5 (control of records) regardless of market

Your validation documentation for any eQMS system that generates or stores DHRs is itself an auditable artifact.

Common Traceability Gaps That Cause Audit Failures

Based on my experience across 200+ client engagements, these are the most frequent traceability nonconformances I observe:

1. Broken Component-to-Finished-Goods Chain

The manufacturer can trace the finished device lot but cannot link it to specific incoming component lots. Often caused by informal substitutions not documented in the DHR or by ERP systems that don't capture supplier lot data at goods receipt.

2. UDI Not Captured in DHR

The UDI is printed on the label but not recorded as a data field in the DHR itself. This creates a gap when investigating complaints or executing recalls — you can't rapidly pull all DHRs for a specific DI/PI combination.

3. No Defined Lot Formation Rules

The traceability procedure doesn't define what constitutes a "lot," leading to inconsistent lot assignment across production shifts or facilities. Notified bodies will cite this as a procedural gap.

ISO 13485 clause 7.5.9 requires that records enabling traceability shall be maintained. If your distributors are re-labeling or kitting devices, your traceability chain must extend through them. This requires contractual and procedural controls — a supply chain agreement isn't enough without evidence of implementation.

5. Sterilization Record Gaps in DHRs

For sterile devices, the sterilization lot (cycle number, date, equipment, parameters, biological indicator results) is a mandatory DHR element. I've seen manufacturers omit this or file it separately without cross-referencing it in the DHR — which creates a traceability gap even when the underlying record exists.

Citation hook: The most common ISO 13485 traceability failure is not the absence of records but the absence of linkage — individual records exist in silos but cannot be rapidly connected to reconstruct the complete production history of a specific device unit or lot.

Building a Traceability System That Passes Audits: A Practical Framework

Here's the framework I use when building or auditing traceability systems for clients:

Step 1: Map Your Traceability Flow

Create a flowchart that shows every point at which a traceability identifier is generated, recorded, or transferred — from supplier lot receipt through finished goods release through distribution to the end customer. Every node on that map must correspond to a procedure and a record.

Step 2: Define Lot Formation Rules in Your Procedure

Your Traceability Procedure (or equivalent) must explicitly state what triggers a new lot number. Document this as a decision table if necessary.

Step 3: Validate Your Traceability System

Perform a traceability exercise: pick a finished device lot and try to trace backward to every incoming component lot. Then pick an incoming component lot and trace forward to every finished device lot it was used in. Document the results. This exercise is often called a "traceability drill" and should be conducted at least annually — and always before a certification or surveillance audit.

Step 4: Integrate UDI Into Label Control

Your label approval procedure must include a UDI verification step. For each new device, the DI must be submitted to the appropriate database before commercial distribution. Your procedure must define who is responsible and what the submission timeline looks like.

Step 5: Audit Your Distributors

For distributors who hold inventory or re-label, include a traceability audit as part of your supplier qualification and annual supplier re-evaluation process. Request distribution records that show how your device lots were deployed to end customers.

Citation hook: A traceability drill — systematically tracing a finished device lot backward to all component lots and forward to all customer distribution records — is the single most effective pre-audit preparedness exercise a medical device manufacturer can conduct.

Traceability Under EU MDR vs. FDA QMSR: Key Differences

Requirement	EU MDR / ISO 13485	FDA QMSR (21 CFR Part 820)
UDI database submission	EUDAMED (UDI module)	FDA GUDID
Implantable device traceability	Article 27 + Annex VI Part C	21 CFR 830 + QMSR clause 8.4
DHR retention period	Lifetime of device (min. 10–15 years)	Lifetime of device or 2 years post-distribution (whichever longer)
Distributor/authorized rep traceability obligations	Explicit under MDR Article 14	Less prescriptive; covered under supplier controls
Electronic record requirements	MDR Article 10(8) + GDPR	21 CFR Part 11

Understanding these differences is critical if you are a manufacturer selling into both the US and EU markets. Your QMS must be designed to satisfy the stricter requirement at every point — which in practice usually means defaulting to EU MDR standards for retention periods and distributor controls.

How Certify Consulting Approaches Traceability Audits

At Certify Consulting, traceability is one of the first systems I assess during a gap analysis engagement. It's a sentinel indicator: if traceability is weak, CAPA, complaint handling, and recall readiness are almost always weak too. Conversely, manufacturers with mature traceability systems tend to have mature QMS cultures across the board.

If you're preparing for an ISO 13485 certification audit, a FDA inspection, or an EU MDR notified body review, I'd strongly recommend performing a traceability drill before your auditors do. The gaps you find are fixable — but only if you find them first.

For more detail on how document control intersects with traceability records, see our guide on ISO 13485 Document Control Requirements. And if you're building your DHR process from scratch, our ISO 13485 Device History Record template resources can accelerate your implementation.

FAQ: Traceability Under ISO 13485

For more expert guidance on ISO 13485 traceability and QMS implementation, visit certify.consulting.

Last updated: 2026-03-29