Xcalibur Data System

On August 20 of 1997, the United States Food and Drug Administration (FDA) issued a document known as Rule 21 CFR Part 11. This was requested and developed with input from the pharmaceutical industry and outlines the FDA criteria for accepting electronic records and signatures. All companies and industries who submit or utilize electronic records and/or signatures regulated by the FDA must comply with this federal regulation.

21 CFR Part 11 Compliance

1. Understanding 21 CFR Part 11

The 21 CFR Part 11 regulation was created to maintain the trustworthiness, reliability, and integrity of electronic records, and to ensure that the authenticity of electronic records would be equivalent to paper records when submitted. Therefore, it includes acceptance criteria for both electronic records and electronic signatures. It does not intend or mandate that these replace paper records, but rather provides guidelines in the event that they are used. The following denitions will be used throughout this document and are dened as stated in Rule 21 CFR Part 11: Electronic Record: Any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modied, maintained, archived, retrieved, or distributed by a computer system. Electronic Signature: A computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individuals handwritten signature. Closed System: An environment in which system access is controlled by persons who are responsible for the content of the electronic records that are on the system. Digital Signature: An electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be veried. Biometrics: A method of verifying an individuals identity based on measurement of the individuals physical feature(s) or repeatable action(s) where those features and/or actions are both unique to that individual and measurable.

Xcalibur Data System

2. The Xcalibur Data System

The Xcalibur data system provides instrument control and data analysis for the entire family of Thermo Electron mass spectrometers and related instruments. The easy-to-use interface enables quick and efcient acquisition, data processing and results delivery. Xcaliburs wide range of functionality and ability to integrate third-party control provides the tools to perform a broad range of applications. This document explains how Thermos Xcalibur data system can help you achieve 21 CFR Part 11 compliance. The timeline for achieving compliance and the details on how various aspects of compliance will be achieved are all documented in the following sections.

2.1 Thermo Electrons 21 CFR Part 11 Compliance Statement About Xcalibur

By the denition supplied by the FDA, Xcalibur software falls within the denition of a closed system . Xcalibur is currently partially compliant with 21 CFR Part 11, but can not be congured to meet all the requirements until version 2.0. It should be noted that LCQUAN 2.0 will support compliance with the provisions of 21 CFR Part 11 and will run on both Xcalibur 1.3 and 1.4. Xcalibur 1.3 and 1.4 by themselves can not be used to achieve compliance to the regulation. Xcalibur 2.0 will be one of several tools that can be used to achieve compliance with the 21 CFR Part 11 rule. The customers internal Standard Operating Procedures (SOPs) contain many of the tools necessary to demonstrate to the FDA that electronic records and signatures can be generated and controlled according to the FDA provisions of 21 CFR Part 11. This includes but is not limited to, password user id protocol and long-term archiving. This fully-compliant enabled version of Xcalibur will be available in the rst quarter of 2005. Each requirement is further described and detailed in Section 2.2.

2.2 Details of 21 CFR Part 11 Compliance Coverage

Rule 21 CFR Part 11 is broken into three subparts. Subpart A provides the general provisions of the regulation. Using the denition supplied by the regulation in Subpart A, the Xcalibur data system falls within the scope of a closed system. Subpart B covers the electronic records portion of the regulation. A closed system such as Xcalibur therefore falls under Section 11.10 of Subpart B. Subpart C covers the electronic signature portion of the rule and is also applicable to Xcalibur. The following table lists the various sections found in Subparts B and C of the regulation, and how Xcalibur 2.0 will address these parts.

21 CFR Part 11 Compliance

Rule ID
11.10 (a)

Text of 21 CFR Part 11

Validation of systems to ensure accuracy, reliability, consistent intended performance and the ability to discern invalid records

Rule Apply?
N/A

Xcalibur 2.0
It will be the responsibility of the end user to validate the system. Thermo Electron is able to assist by supplying validation materials. Invalid records will be discerned through the use of the CRC feature of a le. Unexpected changes to records (outside of our applications) will be detected by checksum mechanisms. Altered records will be detected through use of the CRC feature of a le. Unexpected changes to records (outside of our applications) will be detected by checksum mechanisms. Xcalibur records will be displayed using the applications supplied in the software. Xcalibur records and audit trails will be printed using standard reports or customized reports.

LCQUAN 2.0 (with Xcalibur 1.3 and 1.4)

Same

Yes

Same

and the ability to discern altered records

Yes

Same

11.10 (b)

The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspections, review, and copying by the agency Protection of records to enable their accurate and ready retrieval throughout the records retention period

Yes

Same

11.10 (c)

Yes

It will be the responsibility of the end user to establish standard operating procedures (SOPs) ensuring the proper security and archiving of electronic records. Xcalibur will utilize a secure permissions folder that prevents deletion or modication of records. Xcalibur software development will ensure that electronic records from previous versions of software are compatible with the latest version of Xcalibur.

Same

11.10 (d)

Limiting system access to authorized individuals

Yes

Xcalibur 2.0 will operate on the Microsoft Windows XP operating system and will use the Authorization tool to set permissions for run access to the application. It will be the responsibility of the end user to establish SOPs governing the issuance and security of account names and passwords.

Same except that LCQUAN 2.0 will run on the Windows 2000 operating system.

11.10 (e)

Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records

Yes

Xcalibur records will contain audit trails that are generated independently of the user. The audit trails will capture the operator user name, date, time, what application is being used, what has been changed, which version of the software is being used, and who is allowed to change it. The audit trail will not be overwritten but updated to include the parameter that has changed, the previous value and the new value. Xcalibur audit trails will be a separate electronic record and exist as long as the electronic record exists. The retention of records will depend on the end user. Nothing in Xcalibur will prevent the retention of the record.

The version of the software will not be captured. LCQUAN will have no facilities to delete les, therefore we will not monitor deletion. Same

Record changes shall not obscure previously recorded information

Yes

Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records

Yes

Same

continue

Xcalibur Data System

Rule ID
11.10 (e)

Text of 21 CFR Part 11

and shall be available for agency review and copying

Rule Apply?
Yes

Xcalibur 2.0
Xcalibur audit trail information will be displayed, copied and printed.

LCQUAN 2.0 (with Xcalibur 1.3 and 1.4)

Audit trail information will be printed. This information can also be copied but the copy will be an orphan. No workbook will use the copy. Internal checks will be enforced to assure that required sequence will be followed. Authorization tool used in conjunction with Windows security.

11.10 (f)

Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate

Yes

In those instances where Xcalibur has a critical workow, internal checks will be enforced via the Authorization tool.

11.10 (g)

Use of authority checks to ensure only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned task

Yes

Xcalibur will operate on the Windows XP platform. Windows XP requires a user account name and login to access the operating system. It will be the responsibility of the end user to establish SOPs setting forth the guidelines for accessing the system.

11.10 (h)

No

Where this condition exists, all appropriate checks will be performed.

Same

11.10 (i)

Yes

Thermo Electron will ensure that those who develop and maintain our 21 CFR Part 11 software have the education, training, and experience necessary. It will be the responsibility of the end user to establish the policies and SOPs required to ensure their personnel meet the requirement of this sub-section.

Same

11.10 (j)

The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsication Use of appropriate controls over systems documentation including: (1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance (2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modication of systems documentation

N/A

It will be the responsibility of the end user to establish the policies and SOPs required to meet the requirement of this sub-section.

Same

11.10 (k)

N/A

It will be the responsibility of the end user to establish the policies and SOPs required to meet the requirement of this sub-section.

Same

Yes

The Xcalibur manuals supplied to the customer will be under revision and change control procedures. The online Help supplied in Xcalibur are electronic records that currently are not expected to contain an audit trail feature.

Same

21 CFR Part 11 Compliance

Rule ID
11.30

Text of 21 CFR Part 11

Controls for Open Systems

Rule Apply?
N/A

Xcalibur 2.0
Xcalibur is a closed system. Therefore, controls for open systems are not discussed in this document. Authorization tool will allow the administrator to require signing for key operations.

LCQUAN 2.0 (with Xcalibur 1.3 and 1.4)

Same

11.50 (a)

Signed electronic records shall contain information associated with the signing that clearly indicates all of the following: (1) The printed name of the signer; (2) The date and time when the signature was executed; and (3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature

Yes

Same

11.50 (b)

The items identied in paragraphs a-1, a-2, and a-3 of this section shall be subject to the same controls as for electronic records, and shall be included as part of any human readable form of the electronic record (such as electronic display or printout) Signature/record linking Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else Before an organization establishes, assigns, certies, or otherwise sanctions an individuals electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures.

Yes

Xcalibur will keep as part of the electronic record the signature, date and time, and meaning.

Same

11.70

Yes

Xcalibur will support electronic signatures. Handwritten signatures are not captured electronically in Xcalibur and therefore cannot be linked.

Handwritten signatures will not be linked to electronic records.

11.100 (a)

Yes

Xcalibur, through Windows XP, will require a user id and password. With the appropriate policies and SOPs, the end user will be able to use the user id as a valid electronic signature. It will be the responsibility of the end user to establish policies to meet the requirement of this sub-section.

Same

11.100 (b)

N/A

Same

11.100 (c)

N/A

It will be the responsibility of the end user to establish policies and submit the appropriate documentation.

Same

continue

Xcalibur Data System

Rule ID
11.100 (c)

Text of 21 CFR Part 11

(1) The certication shall be submitted in paper form and signed with a traditional handwritten signature, to the Ofce of Regional Operations (HFC-100), 5600 Fishers Lane, Rockville, MD 20857 (2) Persons using electronic signatures shall, upon agency request, provide additional certication or testimony that a specic electronic signature is the legally binding equivalent of the signers handwritten signature

Rule Apply?
N/A

Xcalibur 2.0
It will be the responsibility of the end user to establish policies and submit the appropriate documentation.

LCQUAN 2.0 (with Xcalibur 1.3 and 1.4)

Same

N/A

This will be the responsibility of the end user.

Same

11.200 (a)

Electronic signatures that are not based upon biometrics shall: (1) Employ at least two distinct identication components such as an identication code and password (i) When an individual executes a series of signings during a single, continuous period of controlled system access, the rst signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual (ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components

Yes

Xcalibur, through Windows XP, will require a user id and password. It is the responsibility of the end user to establish policies to ensure that the end user will be able to use the user id as a valid electronic signature.

Same

Yes

Xcalibur, through Windows XP, will require a user id and password for the rst sign-in. The second and subsequent sign-ins will require a password only.

Same

N/A

Windows XP will be used to lock a non-continuous session. This can be done either manually or by the use of the password enabled screen saver. To unlock the session will require both the user id and password.

Same

(2) Be used only by their genuine owners; and

N/A

It will be the responsibility of the end user to establish policies to meet the requirements of this sub-section. It will be the responsibility of the end user to establish policies to meet the requirements of this sub-section.

Same

(3) Be administered and executed to ensure that attempted use of an individuals electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals

N/A

Same

21 CFR Part 11 Compliance

Rule ID
11.200 (b)

Text of 21 CFR Part 11

Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners Persons who use electronic signatures based upon use of identication codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include: (a) Maintaining the uniqueness of each combined identication code and password, such that no two individuals have the same combination of identication code and password

Rule Apply?
N/A

Xcalibur 2.0
Xcalibur will not support electronic signatures based upon biometrics.

LCQUAN 2.0 (with Xcalibur 1.3 and 1.4)

Same

11.300 (a)

Yes

Windows XP will require the entry of a user id and password to log into the operating system. It will be the responsibility of the end user to establish policies that preclude two individuals from having the same user id and password.

Same

11.300 (b)

Ensuring that identication code and password issuances are periodically checked or revised

N/A

It will be the responsibility of the end user to establish policies to meet the requirements of this sub-section. Windows XP will allow the password to be set to expire at regular intervals, thereby requiring the user to enter a new password. It will be the responsibility of the end user to establish policies to meet the requirements of this sub-section. It will be the responsibility of the end user to establish policies and SOPs to meet the requirements of this sub-section.

Same

Yes

Same

11.300 (c)

Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identication code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls Use of transaction safeguards to prevent unauthorized use of passwords and/or identication codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management Initial and periodic testing of devices, such as tokens or cards, that bear or generate identication code or password information to ensure that they function properly and have not been altered in an unauthorized manner

N/A

Same

11.300 (d)

Yes

It will be the responsibility of the end user to establish policies to meet the requirements of this sub-section. Windows XP is capable of being set up to log failed attempts to log into the operating system.

For steps requiring authorization, failed attempts will be logged in the Authorization tools audit log.

11.300 (e)

N/A

It will be the responsibility of the end user to establish policies to meet the requirements of this sub-section.

Same

Xcalibur Data System 21 CFR Part 11 Compliance

2.3 Compliance Document Disclaimer
This document has been prepared and provided to you in order that you may evaluate and understand Thermos position on supplying you with resources to support 21 CFR Part 11 compliance. As either an existing or potential customer, we at Thermo want to help you understand and address the needs of your company in implementing and abiding by the FDA regulations. This document does not recommend how to implement the regulations. It is meant to provide you with information that you can use in complying with the regulations in your laboratory environment. Our customers are ultimately and solely responsible for ensuring they meet compliance guidelines, however, we take seriously our role to provide you with the information and tools to do this efciently and effectively. By providing you with our 21 CFR Part 11 Compliance Statement contained herein, Thermo has made reasonable efforts to provide complete and accurate information regarding compliance of our products. You should be aware that regulations, interpretations of these regulations, and enforcement of these regulations are continually evolving, and therefore we cannot guarantee that the information contained within this document is complete, current, or necessarily applies to every possible situation. For third-party products, whether obtained directly from us or another distributor, we recommend that you consult directly with that third-party vendor concerning their adherence to 21 CFR Part 11 compliance. In cases where we pass along third-party compliance statements, we accept no responsibility for the verication of accuracy or completeness. Thermo Electron Corporation, its employees, or its agents or representatives in connection with the information in this documents in no event shall be liable for indirect, special, consequential or incidental damages, including but not limited to loss of revenue, loss of prots, or loss of good will, regardless of whether we (a) have been informed of the possibility of such damages, or (b) are negligent. Thermos obligations and responsibilities regarding our products are governed solely by the agreements under which they are sold or licensed. Nothing in this statement is intended to modify rights or obligations under any agreements or to create any new rights or obligations between us and our customers. International Offices Australia
Tel. +61 2 8844 9500

Austria
Tel. +43 1 333 50340

Belgium
Tel. +32 2 482 30 30

Canada
Tel. +1 800 532 4752

China
Tel. +86 10 5850 3588

France
Tel. +33 1 60 92 48 00

Germany
Tel. +49 6103 4080

India
Tel. +91 22 2778 1101

Italy
Tel. +39 02 950 591

Japan
Tel. +81 45 453 9100

Latin America
Tel. +1 512 251 1503

Netherlands
Tel. +31 76 587 98 88

Nordic
Tel. +46 8 556 468 00

South Africa
Tel. +27 11 570 1840

Spain
Tel. +34 91 657 4930

Switzerland
Tel. +41 61 48784 00

UK
Tel. +44 1442 233555

USA
Tel. +1 800 532 4752

The information in this publication is provided for reference only. All information contained in this publication is believed to be correct and complete. Thermo Electron shall not be liable for errors contained herein nor for incidental or consequential damages in connection with the furnishing, performance, or use of this material. Customers are ultimately responsible for validation of their systems. All product specications, as well as the information contained in this publication, are subject to change without notice.
www.thermo.com/ms-software
WP61398_E 03/05S

2005 Thermo Electron Corporation. All rights reserved. Microsoft and Windows are registered trademarks of Microsoft Corporation. All other trademarks are the property of Thermo Electron Corporation and its subsidiaries. We make no warranties, expressed or implied, in this product summary, and information is subject to change without notice. Printed in the USA.