Open vs Closed Systems - Criteria for Categorization in cGMP Environment

Criteria for categorization and examples for open systems vs closed systems in cGMPs

  • Others or None of above

    Votes: 0 0.0%

  • Total voters


Trusted Information Resource
my query is,
1) what are examples of open & closed systems in typical pharma cGMP environment?
2) does the network controls differentiate a system from being open vs closed (viz., a system which is accessible only on intranet vs one accessible over internet)
user/data authentication.or.encryption process?
combination of network controls +user/data authentication.or.encryption process?

3) the point is we have a system which is solely accessible over intranet, vs a system accessible over internet. (both of them have pertinent e-signature features of id+password); now the confusion is how to treat above two systems?

as per 21 CFR Part 11...
(9) Open system means an environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system.

(4) Closed system means an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.

Sec. 11.30 Controls for open systems. Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in 11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality.

Sec. 11.10 Controls for closed systems. Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following:
(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.
(b) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records.
(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period.
(d) Limiting system access to authorized individuals.
(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.
(f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.
(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.
(h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.
(i) Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.
(j) The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.
(k) Use of appropriate controls over systems documentation including:
(1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.
(2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.


Super Moderator
Well, I'll give it a whirl...

My take is that the FDA recognizes that it's quite typical for records to be gathered electronically and stored on systems or otherwise transmitted over systems where some or all of the pieces aren't in control of the company gathering for and responsible for those records.

So let's say your manufacturing system is all quite self-contained at the plant. Records may be gathered at individual workstations but they are stored on a server completely inside the plant and the server is completely under control of the company. The company defines how access is granted, security levels, etc. That would be a closed system.

Pretty much everything else, IMO, will be open. Examples include a leased (even dedicated) server, transmitting the records over the internet to another site, etc.

So it's really, to me, a matter of who potentially has access to the data / records. (If you're transmitting over the internet, the transmission could be detected / intercepted).

The difference in controls between open and closed is just the additional level of protection(s) employed; e.g., encryption.

So no, authentication / encryption doesn't DEFINE open -v- closed. You can implement those on a closed system if you're so inclined.

If you have "internet" in the description of your system, my take would be that it's an open system. Then it boils down to risk as to how much additional control you deploy to protect the data / ensure its integrity.


Trusted Information Resource
Managing 21 CFR Part 11 Compliance: Using Checksums on Opens Systems

The system is designed so that when the .xml file is exported a checksum is run
on the .xml file. In this example, the checksum is a .sha1 file. The user then places the .xml and .sha1 files on a secure network drive at the sponsor site. A parsing tool then checks the .sha1 file to ensure that the .xml file has not
been modified during the transmission. The parsing tool then converts data from the .xml file into a .csv file. When the .csv file is outputted from the parsing tool, it generates a checksum for the .csv file (a new .sha1 file)

Approval Processes, Security and 21 CFR Part 11

multiple passwords
PKI Authentication
Biometric ID
Biometric PKI ubiquity

Types of Systems under Part 11 - Open Systems


  • Types of Systems under Part 11 - Open Systems.pdf
    75.2 KB · Views: 715
  • PharmaSUG-2013-MS06-Managing 21 CFR Part 11 Compliance - using check sums on open systems.pdf
    125 KB · Views: 429
  • Approval Processes, Security and 21 CFR Part 11.pdf
    71.6 KB · Views: 441


I am also very curious about the definition of open systems.;
My opinion is the WLAN system shuold be open system even with VPN . However the LAN system will be closed system.
The attached files could be helpful


  • How-does-Compliance-with-21-CFR-Part-11-Ensure-Data-Integrity-Subject-safety-in-Clinical-Resea...pdf
    995 KB · Views: 469
Thread starter Similar threads Forum Replies Date
A Can change control can be closed if the CAPA is still open? Nonconformance and Corrective Action 3
Sidney Vianna Food & Beverage Safety Lead Auditor Open Position - USA Job Openings, Consulting and Employment Opportunities 0
D SINGLE FAULT CONDITION, short circuit and open circuit of any component (IEC 60601-1 3.1) IEC 60601 - Medical Electrical Equipment Safety Standards Series 9
L Open Positions During AS9100 Audit AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 3
M Definition Open Audit - What does an Open Audit mean? Definitions, Acronyms, Abbreviations and Interpretations Listed Alphabetically 3
O Inventory control ideas - I have an open stock room with a "sign out" book Manufacturing and Related Processes 9
M Informational Paper on open access – EU postmarket surveillance plans for medical devices Medical Device and FDA Regulations and Standards News 1
V Handling open points in design reviews 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 4
M Informational Medtech Europe – Open letter to the European Commission on the implementation and readiness status of the new Medical Device Regulation (MDR) Medical Device and FDA Regulations and Standards News 0
H Enclosed vs. Open-Frame Power Supplies - Overdoing it? IEC 60601 - Medical Electrical Equipment Safety Standards Series 1
Q Open Medical Device Recall: Are there consequences? Other US Medical Device Regulations 1
Richard Regalado BS 65000 - Guidance on Organizational Resilience is open for comments Business Continuity & Resiliency Planning (BCRP) 1
S Already Existing Customer Open-PO (Purchase Order) Review ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 10
R Damage when Border Agents open Shipments Supplier Quality Assurance and other Supplier Issues 8
K Ideas for an Open Source Calibration Database Software Calibration and Metrology Software and Hardware 3
drgnrider Records control on a shared, open, network Records and Data - Quality, Legal and Other Evidence 15
D Open database for incidents and recalls of comparable medical devices EU Medical Device Regulations 7
E Open Sourced Surgical Tray Sterilization Database and Software wanted Medical Information Technology, Medical Software and Health Informatics 2
V How long can a development stage incident be open? Pharmaceuticals (21 CFR Part 210, 21 CFR Part 211 and related Regulations) 4
W Supply Voltage Condition for Transformer O/L and S/C (open & short circuit) testing IEC 60601 - Medical Electrical Equipment Safety Standards Series 4
J Question about GM special requirement - Open Major Nonconformances IATF 16949 - Automotive Quality Systems Standard 2
AnaMariaVR2 How Open Innovation is Solving Some of NASA?s Trickiest Problems World News 0
V Alternative to Microsoft Office - Open Office vs. Google Docs After Work and Weekend Discussion Topics 26
Richard Regalado DRAFT ISO/IEC 27001:201? ISMS Requirements (Open for Comments!) IEC 27001 - Information Security Management Systems (ISMS) 0
A Want to Know How to open a Certification Body in India ASQ, ANAB, UKAS, IAF, IRCA, Exemplar Global and Related Organizations 4
A PFMEA a 'Live' Document and should always have Open Actions FMEA and Control Plans 15
L Open letter to inform our Vendors we are setting up an Integrated (QHSE) System Miscellaneous Environmental Standards and EMS Related Discussions 5
J Can a Major Nonconformance be Open but 100% Resolved? IATF 16949 - Automotive Quality Systems Standard 6
K Open Source Software - OpenOffice vs. LibreOffice After Work and Weekend Discussion Topics 1
AnaMariaVR2 Linked Open Data The Reading Room 2
G What should be in the Quality Open Items Register Document Control Systems, Procedures, Forms and Templates 5
Marc Google Wave going Open Source After Work and Weekend Discussion Topics 1
D Legal complications when using open source, freeware, shareware, etc. IEC 27001 - Information Security Management Systems (ISMS) 4
M Medical Device Testing Based in Manchester? Consultant to open Technical File EU Medical Device Regulations 4
A Open CARs (Corrective Action Requests) and 8D Processes Nonconformance and Corrective Action 27
W pH and Conductivity Open Bottle Shelf Life Calibration Frequency (Interval) 8
Michael Malis For Internal Audit findings, would you open a CAPA for every observation? Internal Auditing 31
D Facebook - No one can open my pictures After Work and Weekend Discussion Topics 3
Pancho Open Space meetings -- another great tool for collaboration Imported Legacy Blogs 2
W Requirements for using Open Source Software in Medical Devices - IVD Medical Device IEC 62304 - Medical Device Software Life Cycle Processes 10
R Induction Coil Open Circuit Failure Root Cause Problem Solving, Root Cause Fault and Failure Analysis 15
D Does anyone have experience using open source software for PDM? ISO 13485:2016 - Medical Device Quality Management Systems 1
H Cost of Quality Can Open Management's Eyes Quality Tools, Improvement and Analysis 15
A Open Customer Complaint issue Customer Complaints 6
Q CAPA (Corrective and Preventive Actions) - Open for how long in Medical Device field? Nonconformance and Corrective Action 4
9 Another Touch on Management Commitment - Open Corrective Actions Quality Manager and Management Related Issues 6
S OPL (Open Point List) in audit - Incoming inspection result Inspection, Prints (Drawings), Testing, Sampling and Related Topics 15
Stijloor Open a Savings Account at Wachovia... Funny Stuff - Jokes and Humour 2
ScottK As an ISO9001 auditor what would you say about this of this (open SCAR situation): ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 3
B UK standards body taken to court over OOXML (Microsoft's Open office XML) Other ISO and International Standards and European Regulations 6

Similar threads

Top Bottom