As medical device companies scale, externally published documents - such as IFUs, eIFUs, certificates, and datasheets - often drift outside formal QMS control. Superseded versions remain accessible, traceability is lost, and organisations struggle to prove what was publicly available at a given time, creating regulatory and commercial risk.
Controlled public publishing extends document control beyond the organisation, ensuring only approved, current versions are externally accessible, with full traceability. This keeps customer- and regulator-facing information accurate, compliant, and aligned with the quality system as complexity grows.
For many medical device manufacturers, publishing documents externally doesn’t begin as a formal process.
A datasheet is added to the website.
A certificate is emailed to a customer.
An updated instruction is shared through a distributor or portal.
Each step is reasonable in isolation. But as product portfolios expand and regulatory expectations increase, these publishing activities multiply, often across different teams, systems, and regions. Documents that were tightly controlled internally - with defined lifecycles and approval states - can quickly become harder to govern once they are shared externally.
Instructions for Use (IFUs) - including electronic Instructions for Use (eIFUs) - certificates, and technical datasheets frequently follow different paths once they leave the organisation. Website updates, customer requests, and partner distribution introduce manual steps and informal checks that sit outside the core quality system.
Over time, this creates a disconnect: externally available documents are business-critical and regulated, yet no longer subject to the same level of control as internal records.
Controlled public publishing addresses this challenge by extending established document control principles beyond the organisation, ensuring that externally available documents are approved, current, and controlled.
Public document control most commonly applies to a small but critical set of documents that are shared beyond the organisation and relied upon by customers, partners, and regulators.
These documents are regulated, safety-critical, and highly visible to both authorities and end users. They are frequently revised in response to design changes, regulatory updates, or post-market feedback. Once published externally, it’s essential to ensure that only the current, approved version is accessible and that superseded versions are reliably withdrawn.
Certificates are typically product-specific and often time- or batch-bound. While they are usually generated under controlled internal processes, control can be lost once they are issued externally. Maintaining context around validity, revision status, and traceability is particularly important, especially during audits or customer investigations.
Datasheets are customer-facing, commercially sensitive, and frequently updated as products evolve. They are often reused by sales teams, distributors, and partners, increasing the risk that outdated versions remain in circulation. Without structured control over external availability, customers may rely on outdated information about the product.
This includes collateral and technical information shared with distributors, OEMs, and partners across different regions and channels. These documents carry risk if released too early, left live for too long, or reused beyond their intended scope. Consistent control helps ensure that externally shared material reflects what is actually approved for sale and use.
These documents are rarely mishandled deliberately. Loss of control usually happens gradually, as responsibility for publishing becomes distributed across teams, systems, and geographies. What begins as a practical workaround becomes the default process.
The result is that publishing appears functional on the surface, but control has quietly eroded beneath the surface.
Below are five clear signs that public publishing may be slipping out of control within an organisation.
A simple question often exposes this quickly:
Which version - and approval state - of this document could customers, distributors, or regulators access on a specific date?
If answering that requires reconstructing events from emails, folders, or individual recollection, publishing control has already weakened.
Externally published eIFUs, datasheets, and certificates become part of the organisation’s quality and commercial record, and may be reviewed during audits, investigations, or customer enquiries. When public availability cannot be demonstrated with evidence, intent is no longer sufficient.
Datasheets and eIFUs are revised regularly to reflect design changes, updated performance data, or regulatory updates. Internally, revision control is usually well managed.
Externally, older versions often persist, remaining available on websites, stored in partner or distributor portals, or bookmarked by customers.
This can result in multiple versions being accessible at the same time, with no clear indication of which is the current one. Leaving obsolete documents publicly available increases the risk that customers will rely on outdated or incorrect information.
Certificates such as Certificates of Conformance or Analysis typically begin under controlled internal processes. The loss of control often occurs at the point of external release.
Once certificates are emailed or downloaded:
Without structured control over external access, certificates can quickly lose the context that gives them meaning and compliance value.
Documents with higher regulatory and patient-safety implications - particularly eIFUs - are often managed with additional manual steps: checklists, procedures, and named individuals responsible for release.
These approaches can work at low volume, but they don’t scale well. When publishing control depends on vigilance rather than system-enforced rules, gaps inevitably appear.
The most telling sign is when externally published documents are managed separately from the organisation’s established document control processes.
Common symptoms include:
When external publishing is not governed by the same approval, versioning, and lifecycle rules as internal documentation, it effectively becomes a parallel system. And this is where risk accumulates unnoticed.
These issues persist because external publishing is rarely designed as part of the document control system. It evolves separately - through websites, shared folders, portals, and email - until it effectively operates as a parallel process.
Controlled public publishing resolves this by treating external access as an extension of document control rather than a separate activity.
Instead of relying on procedures or manual checks, system-enforced controls determine whether a document can be accessed publicly. Only formally approved versions are available. When approval status changes, public access updates automatically.
This means documents can be published, replaced, or withdrawn without breaking traceability. The record of what was available - and when - remains intact.
Different documents require different access models. Some must be openly available to users or regulators. Others require restricted or traceable distribution. A controlled framework supports both without duplicating files or fragmenting the audit trail.
Under MDR, manufacturers are required to ensure that labelling, IFUs, and other product information are controlled, approved, and kept up to date as part of the quality management system. Meeting these obligations consistently is difficult when publishing depends on manual website updates or unmanaged file sharing.
By structurally linking public access to document control, organisations ensure that externally available information remains accurate, current, and governed, even as complexity increases.
Controlled public publishing enables approved documents to be accessed externally through secure links or QR codes, while remaining fully governed within the quality system.
For example:
The result is simple for the user and controlled for the organisation. External audiences reach the correct information, while version history, approval state, and withdrawal remain fully traceable.
External document publishing rarely becomes a problem overnight. It evolves gradually as products multiply, teams expand, and more information is shared beyond the organisation.
For medical device manufacturers, the challenge is not whether documents are controlled internally. It’s whether that same control extends to what customers, partners, and regulators can access externally. Datasheets, certificates, and IFUs (including eIFUs) all carry regulatory and commercial weight once they are published.
Bringing external publishing under document control provides confidence that externally available information is accurate, current, and aligned with approved records, even as organisations scale.
Learn more about how Cognidox supports controlled public publishing for medical device manufacturers here.
Not necessarily. Under regulations such as EU MDR and ISO 13485, documents like IFUs must remain controlled within the QMS. Manual website uploads or shared folders can break version control and traceability, making it difficult to prove what was publicly available at a given time.
Superseded IFUs, datasheets, or certificates can lead to customers relying on outdated or incorrect information. This increases regulatory exposure, audit findings, and potential liability, particularly where safety or performance claims are involved.
Controlled public publishing ensures that only formally approved, current documents are accessible externally. When a document is revised or withdrawn, public access can be updated in line with approval status, preserving traceability. This removes reliance on manual checks and keeps externally available information aligned with your QMS.