Does a website needs to comply with Part 11?

#1
Hello All,

Company X produces medical devices and puts them on sale to consumers via their own website. The website holds both product graphics and information for consumer. The information i.e. Graphics and Text (Literature) is Created, Modified and Approved in other systems , but is only uploaded on this website for viewing/download by the consumers.

As I read the definition of Electronic Record by FDA its states: Any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system used to demonstrate compliance with FDA regulations.

Since the website is used to distribute information, does it falls under the compliance of Part11 for electronic record.

Also the website is hosted at AWS (cloud), will it be considered as Open System or Closed System?

Thanks
Zeeshan
 

yodon

Staff member
Super Moderator
#2
Is the distributed material required by regulation?

In my opinion, if something is in the cloud, it's an open system. You don't have complete control over access.
 
#3
Hi,

The content is marketing literature. I do know FDA classifies it as 'Labelling'
While the material is created, modified and approved elsewhere its uploaded on website for consumers to use/download.

Thanks
Zee
 

yodon

Staff member
Super Moderator
#4
If the marketing literature contains claims then, yes, it is labeling. Control should be pretty straight-forward by maintaining a document ID and revision and posting only immutable format (PDF... I know, I know, PDFs can be manipulated so you may need to put a few other controls on top).

I think there are levels of security with AWS so you may want to look into that to see what's most appropriate.
 
#5
How about audit trail? We would still need that Id imagine and so do these need to be created off the system or procedural controls (SOP) can be acceptable?
 

yodon

Staff member
Super Moderator
#6
You indicated you managed the changes outside of the cloud server so there shouldn't be any "touching" of the material once posted and thus I wouldn't see a need for audit trail. All the changes you make 'locally' would be done under standard design change control.
 

Top Bottom