April 21, 2023
External Documents Kept on an Externally-Controlled Server
I know of no regulations or standards specifically demanding an “internal” copy of standards or country regulations. Instead, the logistics of this are generally left to our discretion. I elaborate further below.
Let’s start with ISO 13485 / EN ISO 13485 (as amended and as applicable; hereinafter “ISO 13485”), as that standard is a very common protocol for many medical device quality management systems. Therein, clause 4.2.4 second paragraph indent (f) requires (my paraphrase and emphasis added) that we ensure documents of external origin are identified and their distribution controlled. This doesn’t prescribe the format/logistics (e.g., internal repository vs. external repository; hard copy vs. digital, etc.) of such documents. Although ISO/TC 210’s guidance about these documents provides an example that is the usual in-house maintenance paradigm, it doesn’t in my opinion overrule ISO 13485’s intended flexibility for document control. Specifically, ISO 13485 states that, “…It is not the intent of this International Standard to imply the need for uniformity in the structure of different quality management systems…[or] uniformity of documentation…” [emphasis added].
Similarly, the U.S, FDA’s medical device quality system regulation (originally fashioned after ISO precedent, and now in the process of “converging” with ISO 13485) contains the same intended type of flexibility.
So ultimately, whether such documents live in an internal repository or an external repository, either approach can be acceptable as long as the basic fundamentals of document control are adhered to. For example for practical intents and purposes, the document control SOP needs to contain the appropriate provisions for control of documents of external origin kept in an externally-controlled repository. That procedure needs to control key things like:
Deliberated identification of which external documents (title and version) have been deemed necessary by the organization.
Assuring that only the authorized versions will be used.
Assuring proper consideration and integration of updated external documents/versions.
Assuring that unauthorized versions of external documents are not used.