Criteria for categorization and examples for open systems vs closed systems in cGMPs

  • User & Data authentication controls

    Votes: 0 0.0%
  • Others or None of above

    Votes: 0 0.0%

  • Total voters


Quite Involved in Discussions
my query is,
1) what are examples of open & closed systems in typical pharma cGMP environment?
2) does the network controls differentiate a system from being open vs closed (viz., a system which is accessible only on intranet vs one accessible over internet)
user/data authentication.or.encryption process?
combination of network controls +user/data authentication.or.encryption process?

3) the point is we have a system which is solely accessible over intranet, vs a system accessible over internet. (both of them have pertinent e-signature features of id+password); now the confusion is how to treat above two systems?

as per 21 CFR Part 11...
(9) Open system means an environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system.

(4) Closed system means an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.

Sec. 11.30 Controls for open systems. Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in 11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality.

Sec. 11.10 Controls for closed systems. Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following:
(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.
(b) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records.
(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period.
(d) Limiting system access to authorized individuals.
(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.
(f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.
(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.
(h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.
(i) Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.
(j) The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.
(k) Use of appropriate controls over systems documentation including:
(1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.
(2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.


Forum Moderator
Staff member
Well, I'll give it a whirl...

My take is that the FDA recognizes that it's quite typical for records to be gathered electronically and stored on systems or otherwise transmitted over systems where some or all of the pieces aren't in control of the company gathering for and responsible for those records.

So let's say your manufacturing system is all quite self-contained at the plant. Records may be gathered at individual workstations but they are stored on a server completely inside the plant and the server is completely under control of the company. The company defines how access is granted, security levels, etc. That would be a closed system.

Pretty much everything else, IMO, will be open. Examples include a leased (even dedicated) server, transmitting the records over the internet to another site, etc.

So it's really, to me, a matter of who potentially has access to the data / records. (If you're transmitting over the internet, the transmission could be detected / intercepted).

The difference in controls between open and closed is just the additional level of protection(s) employed; e.g., encryption.

So no, authentication / encryption doesn't DEFINE open -v- closed. You can implement those on a closed system if you're so inclined.

If you have "internet" in the description of your system, my take would be that it's an open system. Then it boils down to risk as to how much additional control you deploy to protect the data / ensure its integrity.


Quite Involved in Discussions
Managing 21 CFR Part 11 Compliance: Using Checksums on Opens Systems

The system is designed so that when the .xml file is exported a checksum is run
on the .xml file. In this example, the checksum is a .sha1 file. The user then places the .xml and .sha1 files on a secure network drive at the sponsor site. A parsing tool then checks the .sha1 file to ensure that the .xml file has not
been modified during the transmission. The parsing tool then converts data from the .xml file into a .csv file. When the .csv file is outputted from the parsing tool, it generates a checksum for the .csv file (a new .sha1 file)
Approval Processes, Security and 21 CFR Part 11

multiple passwords
PKI Authentication
Biometric ID
Biometric PKI ubiquity

Types of Systems under Part 11 - Open Systems