未分類

Understanding Open Systems in 21 CFR Part 11

Understanding Open Systems in 21 CFR Part 11

Introduction

In the regulation 21 CFR Part 11 “Electronic Records; Electronic Signatures” enforced by the FDA (U.S. Food and Drug Administration) in August 1997, a clear distinction is made between closed systems and open systems. This regulation established the criteria under which electronic records and electronic signatures could be considered equivalent to paper records and handwritten signatures.

Defining Closed Systems and Open Systems

A closed system refers to an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system (21 CFR 11.3(b)(4)). This typically includes systems within an organization’s controlled network boundaries, such as Local Area Networks (LANs) and intranets. Only authorized personnel can access these systems, and their actions are monitored and recorded through audit trails.

On the other hand, an open system is defined as an environment in which system access is not controlled by persons responsible for the content of electronic records that are on the system (21 CFR 11.3(b)(9)). This refers to situations where electronic records are transmitted or maintained over networks that the organization cannot fully control, such as the internet.

The Nature of Open Systems

It is important to understand that “open systems” do not exist as permanent installations in the way that closed systems do. Rather, an open system scenario arises when closed systems connect to each other via the internet or other uncontrolled networks. The key characteristic is the temporary loss of control during data transmission.

Consider practical examples: when you book airline tickets or purchase train tickets online, or when you shop on platforms such as Amazon or Rakuten, you are participating in open system transactions. During these transactions, sensitive information—such as credit card numbers, personal identification, and payment credentials—is transmitted over the internet, which constitutes an uncontrolled network environment.

Security Risks in Open Systems

The internet environment presents three fundamental security risks that organizations must address:

  1. Eavesdropping (Interception): Unauthorized parties may intercept data during transmission
  2. Tampering (Data Modification): Attackers may alter data while it is in transit
  3. Spoofing (Impersonation): Malicious actors may impersonate legitimate parties in the communication

These risks create the potential for serious security breaches. For instance, credit card numbers, personal identification numbers (PINs), and other confidential information could be intercepted and misused by unauthorized parties.

Part 11 Requirements for Open Systems

To address these inherent risks, 21 CFR Part 11.30 specifies that persons who use open systems to create, modify, maintain, or transmit electronic records must implement additional controls beyond those required for closed systems. Specifically, the regulation requires the use of document encryption and digital signatures to ensure the authenticity, integrity, and confidentiality of electronic records transmitted over open networks.

These security measures may sound technically complex, but the implementation is more straightforward than it might appear. At the time Part 11 was issued in 1997, the technology to meet these requirements already existed in the form of SSL (Secure Sockets Layer).

SSL/TLS: The Technology Foundation

SSL, and its successor protocol TLS (Transport Layer Security), provide the cryptographic foundation for secure internet communications. These protocols automatically employ both encryption and digital signature technologies to protect data in transit, often without users being explicitly aware of these security measures working in the background.

The Evolution from SSL to TLS

It is important to note the historical progression of these security protocols:

  • SSL 1.0 (1994): Never publicly released due to security flaws
  • SSL 2.0 (1995): Had significant vulnerabilities and was quickly superseded
  • SSL 3.0 (1996): The first widely deployed version, but later found to be vulnerable to attacks such as POODLE (2014)
  • TLS 1.0 (1999): Succeeded SSL 3.0 with improved security
  • TLS 1.1 (2006): Enhanced security features
  • TLS 1.2 (2008): Introduced AEAD (Authenticated Encryption with Associated Data) cipher suites
  • TLS 1.3 (2018): Current standard with significant security improvements, removing support for weak algorithms

Today, SSL versions are considered obsolete and insecure. Modern systems use TLS 1.2 or TLS 1.3. The term “SSL” persists in common usage (such as “SSL certificate”) but technically refers to TLS protocols. As of 2025, TLS 1.3 is the recommended standard, with 70.1% of surveyed websites supporting it, while 99.9% still support TLS 1.2 for backward compatibility.

Current Status and Best Practices

The use of TLS (commonly still referred to as SSL) has become universal and mandatory for secure web communications. Modern browsers automatically establish encrypted connections when accessing HTTPS websites, indicated by the padlock icon in the address bar. This has become standard practice across the internet, with major browsers flagging non-HTTPS sites as “not secure.”

In the context of 21 CFR Part 11 compliance, organizations should:

  • Ensure all systems use TLS 1.2 or higher (TLS 1.3 is recommended)
  • Disable deprecated protocols (SSL 3.0, TLS 1.0, TLS 1.1)
  • Implement certificate validation and proper certificate management
  • Use strong cipher suites and avoid weak cryptographic algorithms
  • Maintain current security patches and updates

Understanding Digital Signatures vs. Electronic Signatures

A critical distinction exists between digital signatures and electronic signatures, and this difference is particularly important for Part 11 compliance:

Digital Signatures are a specific technology based on public key cryptography (asymmetric encryption). They use mathematical algorithms to create a unique cryptographic signature that:

  • Verifies the identity of the signer through their private key
  • Ensures data integrity by detecting any modifications to the signed data
  • Provides non-repudiation, meaning the signer cannot deny having signed the document
  • Relies on cryptographic methods such as RSA, ECDSA (Elliptic Curve Digital Signature Algorithm), or EdDSA (Edwards-curve Digital Signature Algorithm)

Electronic Signatures (as defined in Part 11) are a broader concept referring to any electronic method of indicating that a person has reviewed and approved electronic content. This can include:

  • Typed names with authentication
  • Biometric identifiers
  • Digital signature technology
  • Other methods that meet Part 11 requirements for uniqueness, security, and accountability

Part 11 requires that electronic signatures used in open systems must employ digital signatures or other secure methods to ensure they cannot be easily excised, copied, or transferred to falsify records.

Cloud Computing and System Classification

With the rise of cloud computing, the distinction between open and closed systems has gained new relevance. Cloud-based applications, even those operated by trusted providers, are generally classified as open systems under Part 11 because:

  1. The pharmaceutical or medical device company does not directly control system access
  2. The cloud provider manages the infrastructure and access controls
  3. Compliance verification must be conducted through contracts and audits rather than direct control

This classification applies even to private cloud deployments in many cases, depending on the specific implementation and control boundaries. Companies using cloud-based systems must ensure that:

  • Service Level Agreements (SLAs) address Part 11 requirements
  • The cloud provider implements appropriate security controls
  • Data encryption is used both in transit and at rest
  • Audit trails are comprehensive and accessible
  • Regular compliance audits are conducted

The Prescient Nature of Part 11

Part 11 was crafted with remarkable foresight to anticipate future technological developments. Although the regulation was published in 1997—nearly 28 years ago—most of its requirements have evolved from forward-thinking mandates into standard industry practices.

The regulation established fundamental principles of:

  • System validation and accuracy
  • Access control and user authentication
  • Audit trail generation
  • Data integrity and authenticity
  • Secure electronic signatures

These concepts, which seemed advanced in 1997, now form the foundation of modern information security and data governance practices. The FDA intentionally designed Part 11 to be technology-neutral, focusing on outcomes (security, integrity, authenticity) rather than prescribing specific technologies, allowing the regulation to remain relevant as technology evolves.

FDA Guidance Evolution and Enforcement Discretion

It is important to note that FDA has refined its approach to Part 11 enforcement over the years. In September 2003, FDA issued guidance titled “Part 11, Electronic Records; Electronic Signatures — Scope and Application,” which clarified that:

  1. Narrow Scope: Part 11 applies to records required under predicate rules (other FDA regulations such as 21 CFR Parts 58, 211, 820) that are maintained in electronic format instead of paper
  2. Enforcement Discretion: FDA exercises enforcement discretion regarding specific Part 11 requirements (particularly validation requirements in §11.10(a) and §11.30), provided that organizations comply with all applicable predicate rule requirements
  3. Legacy Systems: Systems operational before August 20, 1997, may be exempt from certain Part 11 requirements if they meet predicate rules and are documented as fit for intended use
  4. Risk-Based Approach: Organizations should implement controls proportionate to the risk and impact on data integrity

Recent Regulatory Developments

As of 2025, the regulatory landscape continues to evolve:

Computer Software Assurance (CSA)

In September 2022, FDA issued draft guidance on Computer Software Assurance (CSA), representing a paradigm shift from traditional Computer System Validation (CSV) approaches. CSA emphasizes:

  • Risk-based testing focused on high-risk areas
  • Critical thinking over exhaustive documentation
  • Reduced validation burden while maintaining quality
  • Agile and iterative development methodologies

Post-Quantum Cryptography (PQC)

With the advent of quantum computing threats, cryptographic standards are evolving. In August 2024, NIST published three Post-Quantum Cryptography standards for digital signatures and key encapsulation. Organizations should:

  • Monitor quantum computing developments
  • Plan for eventual migration to PQC algorithms
  • Ensure system architectures support cryptographic agility
  • Consider hybrid approaches during the transition period

Data Integrity Focus

FDA continues to emphasize data integrity through initiatives such as:

  • The ALCOA+ principles (Attributable, Legible, Contemporaneous, Original, Accurate, plus Complete, Consistent, Enduring, Available)
  • Warning letters and enforcement actions focused on data integrity failures
  • International harmonization efforts through PIC/S and WHO guidance

Comparison: Closed vs. Open Systems Requirements

AspectClosed System (21 CFR 11.10)Open System (21 CFR 11.30)
System Access ControlControlled by record ownersNot controlled by record owners
Authentication RequirementsUser identification and authenticationSame, plus additional security
Data Integrity ControlsAudit trails, validationSame as closed system
Additional Security MeasuresNot requiredDocument encryption and digital signatures required
Typical ExamplesLaboratory instruments on LAN, internal QMS, local databasesCloud applications, email communications, web portals, data transmitted over internet
Risk LevelLower (internal control)Higher (external threats)
Compliance ComplexityModerateHigher due to additional controls

Practical Implications for Life Sciences Organizations

For pharmaceutical, biotechnology, and medical device companies implementing Part 11 compliant systems, the following considerations are essential:

System Design and Validation

  1. Early Classification: Determine whether systems operate as closed or open during the design phase
  2. Architecture Decisions: Consider the compliance implications of cloud vs. on-premise deployments
  3. Vendor Selection: Evaluate whether vendors understand and support Part 11 requirements
  4. Validation Planning: Develop comprehensive validation plans addressing system-specific risks

Ongoing Compliance

  1. Change Control: Implement robust change control procedures to maintain validated state
  2. Audit Trail Review: Regularly review audit trails for unusual activities
  3. Access Management: Maintain current user access lists and promptly remove terminated users
  4. Training: Ensure personnel understand their responsibilities under Part 11
  5. Periodic Review: Conduct regular assessments of system compliance

Documentation Requirements

  1. Security Plans: Document security measures for open systems
  2. Standard Operating Procedures (SOPs): Maintain current SOPs covering electronic records and signatures
  3. Validation Documentation: Preserve installation qualification (IQ), operational qualification (OQ), and performance qualification (PQ) records
  4. Incident Reports: Document and investigate any data integrity incidents

Conclusion

Part 11’s requirements for open systems—particularly the mandate for encryption and digital signatures—were established with remarkable prescience in 1997. What began as a forward-thinking regulatory requirement has evolved into a fundamental aspect of internet security that we now take for granted. The widespread adoption of TLS (the successor to SSL) for securing online transactions demonstrates how Part 11 anticipated the needs of the digital age.

As we move forward, organizations must remain vigilant about:

  • Maintaining current security protocols (TLS 1.2 minimum, TLS 1.3 recommended)
  • Properly classifying systems as open or closed
  • Implementing appropriate additional controls for open systems
  • Understanding the distinction between digital signatures (a specific cryptographic technology) and electronic signatures (a broader regulatory concept)
  • Staying informed about emerging threats such as quantum computing
  • Adapting to evolving FDA guidance while maintaining core data integrity principles

For beginners entering the field of regulatory compliance, Part 11 provides an excellent framework for understanding how regulations can balance innovation with safety and data integrity. For experienced professionals, it serves as a reminder that well-designed regulations can withstand the test of time by focusing on fundamental principles rather than specific technologies.

The ongoing relevance of Part 11, nearly three decades after its implementation, testifies to the wisdom of building regulations on foundational security principles. As organizations continue their digital transformation journeys—embracing cloud computing, artificial intelligence, and other emerging technologies—the core requirements of Part 11 remain as critical as ever for ensuring the trustworthiness, reliability, and integrity of electronic records in regulated industries.

Note: This article provides educational information about 21 CFR Part 11 requirements and should not be construed as legal or regulatory advice. Organizations should consult with regulatory compliance experts and legal counsel for specific guidance on their compliance obligations.

Part 11: History, Current Trends, and Evolving Regulatory Landscape Previous post Long-Term Preservation of Electronic Records: Challenges and Solutions for 21 CFR Part 11 Compliance Next post

Related post

Comment

There are no comment yet.