RE: Closed and Open Systems (was Re: SUS Server)
From: Brian W. Spolarich (bspolarich@nephrostherapeutics.com)
Date: 04/08/03
- Previous message: Shaji Sethu: "Federated Security Applications and Implications."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 8 Apr 2003 14:21:41 -0400 From: "Brian W. Spolarich" <bspolarich@nephrostherapeutics.com> To: "Hibbs, Ted" <THibbs@5prime.com>, <focus-ms@securityfocus.com>
While all of this is true, the question of "closed systems" versus "open systems" doesn't really address the question of application validation vis a vis system patches and updates.
Regardless of how you define your system (open or closed), if the applications or processes you're conducting using those systems fall under regulatory scope, you need to have evidence that you're keeping careful controls and change management processes and documentation around changes to those systems, including operating system patches and any other software installations. The question of electronic signatures as discussed in 21 CFR Part 11 applies to electronic records of any sort, particularly those involved in the manufacture, distribution, quality, safety, etc. of those products regulated by the FDA.
In addition, here is some diversity of opinion among those in the community of people who need to pay attention to these regulations as to what "open" versus "closed" systems are. Some folks seem to think open systems includes any system which is delivered end-to-end over one or more components that are not directly controlled and managed by the regulated organization. This would include anything that happens over the Internet (arguably). Other folks tend to be a bit more pragmatic about such matters and treat the pipe as a pipe.
I don't think the FDA has issued warning letters specifically about such issues, and I don't recall seeing any definitive guidance on this particular question. My point here is that if you are entering the brave world of systems validation for FDA regulatory compliance you need to think through the issues carefully, document everything you do, and make sure that you have a good, well-reasoned argument regarding the choices you have made. Your FDA inspector or examiner may ultimately disagree with you and recommend that you change your practices, but that's far different from not having considered them at all. With the addition of many new inspectors at the FDA they may start paying attention to the IT side of things in more detail.
If you're new to this stuff I would recommend the Institite of Validation Technology (IVT) publications and conferences. I found their training conferences very useful and well-organized. You can find them on the web at http://www.ivthome.com/. You can see warning letters issued by the FDA at http://www.fdawarningletter.com/.
Best regards,
-bws
-----Original Message-----
From: Hibbs, Ted [mailto:THibbs@5prime.com]
Sent: Tue 4/8/2003 1:38 PM
To: focus-ms@securityfocus.com
Cc:
Subject: RE: SUS server
I just gotta jump in on this since we are working to get under 21 CFR
Part 11
Hold on, here comes two paragraphs of the legal stuff... ;^(
The regulation states, "Persons who use closed systems to create,
modify, maintain, or transmit electronic records shall employ procedures
and controls designed to ensure the authenticity, integrity, and, where
appropriate, the confidentiality of electronic records, ... Such
procedures and controls shall include the following:... (a) Validation
of systems to ensure accuracy, reliability, consistent intended
performance, and the ability to discern invalid or altered records....
(d) Limiting system access to authorized individuals." A Closed System
is defined as, "Closed System means an environment in which system
access is controlled by persons who are responsible for the content of
electronic records that are on the system." I can agree that, if 2K SP3
licensing grants M$ access to the machine, the machine cannot be
considered a closed system under this part of the rule.
However, there are also provisions for an "Open System" under this rule.
An "Open System means an environment in which system access is not
controlled by persons who are responsible for the content of electronic
records that are on the system." In an Open System, "Persons who use
open systems to create, modify, maintain, or transmit electronic records
shall employ procedures designed to ensure the authenticity, integrety,
and, as appropriate, the confidentiality of electronic records from the
point of their ceration to the point of their receipt. ...additional
measures such as document encryption and use of appropriate digital
signature standards to ensure ... Authentickty, integrety, and
confidentiality." So there are options to keep the system under 21 CFR
Part 11 and still grant access to the system. The rule appears to
address databases more than complete systems, but their wording cannot
limit the access to just the databases.
So as I see it, you have two options: Keep the system as a closed
system by closing the link between your system and M$ either logically
as in routing tables and firewalls, or physically as in no wire from
your closed system to any external system. Or define the system as an
open system and employ encryption and digital signatures so that anyone
who can get into the system cannot read or modify the encrypted files.
Mind you, I don't have access to the most current FDA rulings on this,
but will attempt to get additional information as to whether they have
addressed this question.
Ted
- Previous message: Shaji Sethu: "Federated Security Applications and Implications."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
