The world leader in serving science

OMNIC DS & Thermo Security Administration

21 CFR Part 11 Tools for FT-IR and Raman Spectroscopy

2

OMNIC DS & Thermo Security Administration Software

What is it?• Security control software: safeguards data files, maintains audit trails,

controls access to system, and controls access to specific software functions• Allows a single set of IT policies to cover all Thermo molecular spectroscopy

instruments on a network (local or global) Who buys it?

• Required for pharmaceutical companies due to regulations• Not just at QA/QC level – but pushing upstream to R&D

• Suppliers to pharmaceutical companies starting to self-regulate• Anyone with internal data security policies.

How the customer benefits• Decreased chance of “operator error” affecting data integrity• Can enforce following SOPs• Required for 21 CFR 11 and Annex 11 compliance (operator authentication

and accountability)• Centrally manage security policies for all Thermo instruments

3

21 CFR Part 11

Part 11 of the Title 21 - Food and Drugs of the Code of Federal Regulations

Adopted into law August 20, 1997 Outlines U.S. FDA’s criteria for accepting electronic records and

signatures Developed under current Good Manufacturing Guidelines (cGMP) Addresses concerns of the FDA regarding:

• maintaining the trustworthiness, reliability, and integrity of electronic records• ensuring the equivalence of electronic and paper records and signatures

The regulation was created to prevent fraud and assure accountability in the generation, signing, and storage of electronic records

4

Key components of 21 CFR Part 11

1. Access Control (The system should restrict access in accordance with pre-configured rules that can be maintained. Any change to the rules should be recorded)

2. Audit trail (The system should be capable of recording all electronic record create, update, and delete operations. This record should be secure from unauthorized alteration)

3. Authentication (The system should provide proof of identity)

4. Digital signatures (The system must provide a method for linking electronic signatures to their respective electronic records in a way that prevents the signature from being copied, removed, or changed. Additionally, the system should be able to detect invalid or altered records)

5

Software & 21 CFR Part 11 Compliance

Predicate rules determine which records must meet requirements

• cGMP, GLP, GCP• Risk assessment to determine critical nature of records

Software by itself cannot be “21 CFR Part 11 Compliant”•The regulation is as much about how the software is used as what the software can do

However, software must have certain features to be able to meet specific 21 CFR 11 requirements

• Digital or electronic signatures• Access controls• Audit trails

And, the system owner must establish policies and procedures to achieve compliance

• Validation• Security enforcement (Log on, passwords, user-specific privileges)

6

OMNIC DS Software & Thermo Electron’s Security Administration Server

Extend OMNIC’s feature set to address key components of the 21 CFR Part 11 regulation, including:

• System access control• Ensuring proper system use• Establishing record responsibility • Maintaining system and record histories• Enforcing record integrity

7

System Access Control

Security Administration controls access to all aspects of OMNIC software

• based on existing Windows users or groups

• can be managed locally or over a network

Logon Authentication is required to run OMNIC software

• must be the same user logged on to the computer

8

Ensure Proper System Use

Security Administration sets OMNIC policies to ensure proper use

9

In addition, OMNIC DS has many other features to ensure proper system use:

Collect Status Indicator

Automatic Digital Signatures

Bench Status Indicator

Configurable Toolbar

No-Menu Operation

Live display with scan counter

Automatic Saving of Spectral Data

Macro Routines

10

Establish Record Responsibility

OMNIC DS:• ensures that only the logged on user can

sign electronic records• applies digital signatures

• automatically, per OMNIC policy settings• on request for review, approval, etc.

Signature meanings configured through Security Administration

• choose preset or user-entered reasons

Digital signatures are displayed with spectral data

Signatures also verified with the “Verify File” command from OMNIC DS

11

Maintain System and Record Histories (1)

“Thermo Electron” custom log created in Windows Event Viewer

Tracks program use and file events, even when OMNIC is not running!

12

Maintaining System and Record Histories (2)

Categories of tracking include: data collection information data description spectrometer description collection errors data processing history current digital signature status digital signature history experiment information spectral quality test results all operations are stamped with

operator, date, and time (referenced to GMT)

OMNIC automatically logs all spectral operations

This metadata is saved as part of the spectral data file. It can not be

edited and stays with the file wherever it goes!

13

Enforcing Record Integrity

OMNIC DS uses digital signatures which…• provide encryption of the signature• detect changes made to the file, which invalidate the signature• are more secure than simple electronic signatures, which don’t provide this

tamper detection Security Administration OMNIC policies ensure record integrity by…

• preventing files from being overwritten• storing spectral data files automatically, without operator intervention• enforcing storage of files to secure directories

Event Viewer audit trails….• provide a record of attempts to modify or delete data or improperly use

programs Spectral data audit trails…

• indicate if any undesired manipulation of data was applied

14

Validation: A key requirement of 21 CFR Part 11

The system owner must develop protocols for validating their system and assuring accountability for records.

Thermo Electron facilitates the validation process by:• Following our ISO-9001 certified Product Development Process with extensive

software validation Thermo Electron also offers qualification products and services:

• For spectrometers• Qualification software and binder• IQ and OQ Services

• For OMNIC DS software • IQ and OQ Procedures• Qualification Services

“…such procedures and controls shall include the following:(a) Validation of systems to ensure accuracy, reliability, consistent intended performance…”

15

Subpart A – General Provisions §11.3: Relevant Definitions

Electronic record • Any combination of text, graphics, data, audio, pictorial, or other information

representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.

Electronic signature • A computer data compilation of any symbol or series of symbols executed,

adopted, or authorized by an individual to be the legally binding equivalent of the individual’s handwritten signature.

Digital signature – (USED BY OMNIC DS TO DETECT FILE TAMPERING)• Electronic signature based upon cryptographic methods of originator

authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.

Closed system – (REQUIRED BY OMNIC DS FOR 21 CFR PART 11 COMPLIANCE)• An environment in which system access is controlled by persons who are

responsible for the content of electronic records that are on the system. Open system

• An environment in which system access is controlled by persons who are not responsible for the content of electronic records that are on the system.

16

Security Administration – OMNIC Access Control

17

Security Administration – OMNIC Policies

18

Security Administration – Signature Meanings

19

OMNIC Configurations still used for toolbars and program options