On Thursday, April 23, 2015, we delivered a webinar on 21 CFR Part 11, based on a recent blog series. During the Q&A session at the end, someone asked the following question:
When Argus is hosted by Perficient, is it considered an open or closed system for the company that contracted Perficient to host?
Open vs. Closed is one of the trickiest parts of the regulations, especially because the definitions provided by the FDA in Part 11 are different from those understood by the IT industry at large. The FDA’s definitions focus on whether the same people who are responsible for the contents of a system also control the access to that system. If the same people are in control, the system is considered Closed. If different people are in control, the system is considered Open.
In Perficient’s interpretation of these definitions, we consider “qualified vendors” to be extensions of client organizations, as opposed to separate entities. Therefore, when a signed agreement is in place between a client and qualified vendor, our answer to this question is “Closed.”
Although Perficient may administer user accounts and permissions in the systems we host, access to a hosted system is still “controlled” by the company that is responsible for the system’s contents by way of the approved hosting service agreement between Perficient and the company. Even so, if a hosted system is accessed from outside a secure network, we employ additional measures, such as controlling access through HTTPS and using secure encrypted protocols (SSL/TLS, etc.), to further ensure the security of the system.
If you have any comments or follow-up questions on this topic, we’d love to hear from you.