21 CFR Part 11 user guide for the Spraytec '97 RTSizer software

User guide describing the features provided in the Spraytec '97 RTSizer software to aid technical compliance to 21 CFR Part 11.

Abstract

This document provides details on how to use the 21 CFR Part 11 features provided for the Malvern Spraytec laser diffraction system.

In order to allow physical control over access to the more sensitive features of the software, such as the security system, this information is not incorporated in the online help or the printed manuals.

Requirements

The intended readership is the system administrator. This is defined as the person responsible for the security and 21 CFR compliance of the instrument. Some knowledge of the Windows™ operating system is assumed and some familiarity with the instrument software is also assumed.

It is assumed that the software has been installed in accordance with the guidance provided by the Software Update Notification document contained on the software CD-ROM and that the 21CFR11 feature key (Part Number CPS0028) has been installed using the Tools-Install Feature Key menu option within the RTSizer software. The features described here relate to RTSizer software v5.60, although most of the advice is applicable to v5.4x and v5.5x as well. Details of software updates can be found in the Software Update Notification document.

ER/ES Configuration

The configuration settings of the Electronic Records and Electronic signatures can be found under the Tools-ER/ES Settings menu options. This allows users to configure the options shown in Figure 1.

Figure 1: Configure ER/ES Options Screen

PDF file output directory

The PDF file output directory is the location where reports generated at the end of a measurement will be stored. It is recommended that these reports be held on a centralized file server in order to comply with the 21 CFR Part 11 regulations about data preservation. Administrators can also select whether users can edit the filename of the PDF file when a report is produced or whether this should be automatically specified by the date and time of the measurements included in the report. Automatic specification of the file name is the default option.

Enable continuous use check

In order to ensure that the person operating the system is the person identified by the access control system, it is possible to configure the software to monitor the system usage. If the software remains idle for longer than a period specified, the user will be logged out. To enable this feature, check the option on the Configure ER/ES options screen and configure the Timeout period.

Note: If a continuous-mode measurement is being performed it will remain active when the user is logged out due to lack of activity. The user will have to login again to stop the measurement.

Show Last Username at Logon

It is possible to configure the security system such that the last username is recalled by the system when a logon is attempted. By default this is disabled in order to retain the confidentiality of the username as well as the password for each user.

Specify the Audit Trail file output directory

The Audit Trail file output directory is the location where the Audit Trail files will be stored. It is recommended that these reports be held on a centralized file server in order to comply with the 21 CFR Part 11 regulations relating to data preservation.

Specify the Audit Trail file interval

It is possible to control the approximate size of an audit trail file by specifying how often a new file is created. The period depends upon the usage of the system and the typical number of auditable events that occur in a day. This can only be assessed by the user from experience of using the system. Typical practice is to start a new audit file weekly and observe the number of events audited over that period.

After the specified period has passed, the application will automatically begin a new audit trail file. The new file name will be recorded in the previous file in order to maintain a continuous audit trail.

Security Configuration

The configuration for the security system can be found under the Tools-Security-Configure Security menu option (Figure 2). The security system is similar to the Windows™ operating system security and should be familiar to most advanced users.

Figure 2: Security Configuration Screen

Security Configuration View

The security configuration view provides a list of the users configured within the security system (top pane) and the groups to which users can be assigned (bottom pane). The Username and Full Name of each user are supplied along with a brief description of the role that user has. For each group, a group description is specified in order to allow Administrators to assess the capabilities of each group.

Setting up Groups

The Group Setup process defines a set of access rights that may be granted to member users. An access right allows or prohibits use of a specific feature of the software. The access rights available within the Spraytec software are detailed in Appendix 1.

New groups are specified using the User-New Group menu option. Existing groups can be configured by double-clicking on the group name within the Security Configuration window. Both actions cause the Group Properties dialogue box to appear (Figure 3). Within this the following can be configured:

Figure 3: Group Properties
  • The Group Name: An alias for the group. This is usually a descriptive name for either a level of access or a job function. Commonly defined groups are Operators, Supervisors and Administrators.
  • A Description: A more detailed description of the group's capabilities.
  • Group Members: The users who are members of the group and have the access permissions that the group allows. Users can be added to a group either as part of the user creation process or by clicking on the Add button.
  • Group Permissions: The list of access permissions conferred by membership of a group. Any user who is a member of the group will be granted access to a software feature if the relevant permission is checked.

Setting up Users

Once suitable groups have been defined, the next step is to add the users to the system. New users are specified using the User-New User menu option. Existing users can be configured by double-clicking on the user name within the Security Configuration window. Both actions cause the User Properties dialogue box to appear (Figure 4). Within this the following can be configured:

Figure 4: User Properties
  • Username: Each user must have a unique user identifier. Any local SOP for security configuration should be followed but a typical practice is to use the initials and surname of a user as the user identifier.
  • Full Name: This is the full name of the individual and will appear on any reports in order to identify the individual who made a measurement.
  • Description: This is typically the user's job title or function.
  • Password: The password field is where you enter the password. For security reasons, the password is not displayed. Note also that the number of asterisks may not map exactly to the password length. A typical practice to preserve the security of users' passwords when setting up a new user is for the administrator to agree a temporary password with the user (this must not be the user's final password) and check the option to force the user to change this password at the next logon.
  • User must change password at next logon: If this field is checked, users will be asked to change their passwords the next time that they log on to the system. This allows the administrator to set temporary passwords for new users or users who have forgotten their passwords.
  • User cannot change password: If this box is checked, the user will not be able to change the password unless it is the first time that a user has logged in and the system expects the user to change the password at the next logon. This box should only be checked in special circumstances such as for an administrator account to be used in emergencies.
  • Password never expires: Checking this box prevents the password expiration setting from applying to this user. This box should only be checked in special circumstances such as for an administrator account to be used in emergencies.
  • Account disabled: Checking this box prevents the user from logging in to the system. This box should be checked when a user leaves the company or is no longer allowed access to the Spraytec system. Under 21 CFR Part 11, users' information must be retained for the full period of record retention. This option allows access to be prevented without removing the user details from the system. If the username in the Security Configuration screen (Figure 2) has an icon with a cross through it, that user's access capability has been disabled.
  • Account locked out: This box will be enabled and checked if a user has been denied access by the security system. The administrator is able to allow access again by clearing this check box. Lockout will typically happen when users forget their passwords and have made more than the allowed limit of logon attempts (Figure 6). It may also be an indication of an attempt to logon by an unauthorized user.

Adding users to groups

Users can be added to groups in one of two ways.

In the User Properties window (Figure 4), pressing the Groups… button will list the groups available for the user to join (Figure 5). Selecting a group from the right-hand list and pressing the Add button will include the user in the selected group. Selecting a group from the left-hand list and clicking the Remove button will remove a user from a given group. Where users are members of more than one group, it should be noted that if a permission is granted in one group it will override any denial of the same permission in another group. In this way, users have the sum of all the permissions in the groups they belong to.

Figure 5 - Group Membership selection.

It is also possible to add users to groups from the Group Properties screen (Figure 3) using the Add and Remove buttons. Clicking Add will cause the User Selection dialogue to appear. This allows multiple users to be selected and added to the group. A user is removed from a group by selecting the user within the Members section of the Group Properties window and then clicking the Remove button.

Note: It is important to ensure that every user is a member of at least one group in order to allow them access to the Spraytec system's capabilities.
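
The union rule and the at-least-one-group note above can be checked offline against a hand-transcribed copy of the Security Configuration screen. This is an added example, not Malvern code: the permission names come from Appendix 1, while the group names, user names, the `role` field and the two classification sets are assumptions made for illustration.

```python
# Added example. Permission names come from Appendix 1; group names, user
# names and the "role" field are constructed for illustration.
ADMIN_ONLY = {"Edit Security Settings", "Edit ER/ES Settings"}
ADVANCED = {
    "Access the Calibration and Imaging Window",
    "Delete time History Records",
    "Edit Background and Noise Measurement Duration",
    "Edit Time History or PSD measurements",
    "View Audit trail",
}

# Constructed sample: checked permissions per group, as transcribed by hand.
GROUPS = {
    "Operators": {"Access the Reference Noise Window", "Edit Tag Notes",
                  "Make a Background Measurement",
                  "Make Continuous-mode Measurements"},
    "Method Developers": {"Edit Flash Mode Measurement Settings",
                          "Edit Process Variable Definitions",
                          "Edit ER/ES Settings"},  # deliberate mistake
    "Supervisors": {"Delete time History Records", "View Audit trail"},
    "Administrators": {"Edit Security Settings", "Edit ER/ES Settings",
                       "View Audit trail"},
}
# Constructed sample users; "role" is the access level the administrator
# intends (a hypothetical field, not something the software stores).
USERS = {
    "jsmith": {"role": "operator", "groups": ["Operators"]},
    "mjones": {"role": "operator", "groups": ["Operators", "Method Developers"]},
    "akhan": {"role": "supervisor", "groups": ["Operators", "Supervisors"]},
    "rlee": {"role": "administrator", "groups": ["Administrators"]},
    "tnew": {"role": "operator", "groups": []},
    "bold": {"role": "supervisor", "groups": ["Supervisors"], "disabled": True},
}


def effective_permissions(user_groups, groups):
    """A user holds the sum (set union) of all their groups' permissions."""
    perms = set()
    for group in user_groups:
        perms |= groups.get(group, set())
    return perms


def audit(users, groups):
    """Return (username, issue, detail) findings for enabled accounts."""
    findings = []
    for name, user in sorted(users.items()):
        if user.get("disabled"):
            continue  # disabled accounts are retained but cannot log on
        if not user["groups"]:
            findings.append((name, "no-group", "cannot use any feature"))
            continue
        restricted = set()
        if user["role"] != "administrator":
            restricted |= ADMIN_ONLY
        if user["role"] == "operator":
            restricted |= ADVANCED
        held = effective_permissions(user["groups"], groups)
        for perm in sorted(held & restricted):
            via = ", ".join(g for g in user["groups"] if perm in groups.get(g, ()))
            kind = "admin-only" if perm in ADMIN_ONLY else "advanced"
            findings.append((name, kind, f"{perm} (via {via})"))
    return findings


if __name__ == "__main__":
    for finding in audit(USERS, GROUPS):
        print(*finding, sep=" | ")
```

Because a grant in any one group wins, the finding names the group that confers the permission, which is where the check box has to be cleared.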

Security Settings

The security settings are accessed from the Options menu of the security screen (figure 6). From within this menu, the password storage and account lockout features of the security system can be configured. The security system can also be activated. This is described below.

Figure 6 - Security Settings.

Password Age

It is possible to force users to change their passwords after a period of time has elapsed. Once the password has expired, users will be prompted to confirm their existing passwords and then specify a new one. In conjunction with the password uniqueness option, this can force users to regularly review their passwords.

This facility should be used with caution. If users are forced to change their passwords too frequently, it is common for them to forget them or worse to write them down, thereby defeating the original purpose of the security system.

Password Size

It is possible to specify the minimum length for a password. As a rule of thumb, the shorter a password is, the easier it is to guess. However, if it is too long, users will not be able to remember their passwords. 6 characters is generally a good compromise.

Password Uniqueness

The system is able to remember a user's last n passwords. Each time a user is required to change passwords, the new password can be checked against this history to ensure that fresh passwords are used.

It is recommended that if this feature is used, the size of the password history should be between 3 and 6 passwords. Any fewer and users will not have to review their passwords. More will force users to choose unfamiliar passwords and will increase the possibility of passwords being written down.

Account lockout

The software is set up to monitor each user's attempts to log in. If the user fails to enter the correct user identifier and password combination, the software will record this. The system can then be configured to deny future access to the software if too many unsuccessful attempts have been made to access the user's account.

It is possible to specify the number of unsuccessful attempts allowed before users are locked out. This count will be reset after a specified period of time to allow for genuine users forgetting their passwords. If users exceed the allowed number of attempts, the software can either lock them out of the system for the specified period or require the intervention of another user with Administrator privileges to unlock their accounts.

If the username has an icon with a padlock next to it within the Security Configuration screen (figure 2), that user is locked out and the administrator should establish the reason for this before unlocking the account to re-admit a bona-fide user.

Enabling the Security System

By default, the security system is disabled in order to allow free access to the software. The administrator of the system should configure the users and groups before enabling the security system.

Once the users and groups are configured, the security system can be enabled using the check box at the bottom of the Security Settings screen (figure 6). This is accessed from the Options menu within the Security Configure window (Figure 2).

Enabling the security system is an irreversible process when the software has been set-up in 21 CFR 11 mode. This prevents the system security being switched off again and therefore prevents possible unauthorized access to the system.

Audit Trails

The Spraytec RTSizer software records key system events in the system audit trail. This audit trail provides a record of the software opening and closing, security events such as logging in and out of the system, and file events such as creation, deletion and editing of measurement records. The audit trail can be viewed using the Tools-Security-Audit Trail menu option, displaying the Audit trail View shown in figure 7. This displays all of the events stored in the current audit trail file, including the time that the event occurred, the ID of the user involved in each event and a brief description.

Figure 7: Audit trail View.

Viewing and Exporting Audit Trails

Audit trails can be viewed and exported using the File menu within the audit trail view.

Use the File‑Open menu to view audit trail files other than the currently active one.

Use the File‑Export menu option to export the audit trail file contents to an ASCII file for review and printing.

Making an Audit Trail Entry

It is possible for users to enter comments into the audit trail apart from those automatically produced for key system events. This is done using the Tools-Security-Add Audit Trail Entry menu option.

Electronic Signature Support

The Spraytec RTSizer does not directly support electronic signatures. The application will integrate with the Adobe Acrobat © package and allow reports to be created as Portable Document Format (otherwise known as PDF) files using the File-Print to PDF menu option. These report files are held in the Acrobat Results folder specified in the ER/ES Settings (Figure 1). The file name for these report pages will depend on the type of printout being produced. However, it will contain the *.pcl or *.dat measurement file name along with the date and time range covered by the data stored in the file. The username, time and date of printing and the 21CFR11 mode status (either enabled or disabled) are displayed in the footer of each report page.

Once reports have been generated, the Adobe Acrobat package can be used to electronically sign them using either the Adobe Self-Sign technology or a third party digital signature solution such as VeriSign™. The Adobe Acrobat Self-Sign solution is fully compliant with 21 CFR Part 11. The Adobe Knowledge base document 323231 details the compliance. It can be found at http://www.adobe.com/support/techdocs/1a546.htm (If the document is not displayed, use the number 323231 as the search clue on the Adobe web site to find it).

Figure 8: Signed Spraytec report within Adobe Acrobat ®. The signature history is given on the left-hand side of the screen.

Appendix 1 - Security Permissions

The key security permissions which can be set for different groups within the Spraytec software are detailed below.

Each entry gives the permission followed by its description.

  • Access the Calibration and Imaging Window: Allows users to create new optical models. This feature should be restricted to advanced users.
  • Access the Reference Noise Window: Allows users to measure the electronic background. This feature is required for routine measurements.
  • Access the System Controller Window: Allows users to configure the address for the Spraytec data acquisition card.
  • Create a Particle Size Distribution window: Allows users to create *.dat files for single points on the measurement time history. This should be enabled for those users making routine measurements.
  • Delete time History Records: Allows users to delete records from the active time history file. This feature should be restricted to advanced users.
  • Edit Background and Noise Measurement Duration: Allows users to set the noise and background measurement times. This feature should be restricted to advanced users.
  • Edit Flash Mode Measurement Settings: Allows users to set up flash mode measurements. This should only be enabled for those users required to develop methods. Disabling this option will only allow users to load previously defined methods.
  • Edit maximum time history database size: Allows the maximum size of a *.pcl file to be defined. This option is always disabled in 21CFR11 mode.
  • Edit Process Variable Definitions: Allows users to edit the PCV variable definitions. These are the 6 parameters that are calculated for each point in the time history and can be exported. This feature should only be enabled for those users required to develop methods. Disabling this option will only allow users to load previously defined PCV definition sets.
  • Edit Reduction Control Settings: Allows users to edit the data acceptance criteria and select previously calculated optical models. This should only be enabled for those users required to develop methods. Disabling this option will only allow users to load previously defined Reduction Control Settings files.
  • Edit Security Settings: Allows users to configure the security system. This should only be enabled for system administrators.
  • Edit Tag Notes: Allows users to enter measurement details in the Tag dialogue box. This should be enabled for those users making routine measurements.
  • Edit ER/ES Settings: Allows users to configure the ER/ES system settings. This should only be enabled for system administrators.
  • Edit the "Standard Average" setting: Allows users to specify whether "Standard Averages" are reported rather than concentration-weighted averages. This should only be enabled for those users required to develop methods.
  • Edit time-History display settings: Allows users to specify the time history display, including settings such as the axis ranges and plot colors.
  • Edit Time History Update Period: Allows users to change the measurement-reporting rate for continuous-mode measurements. This should only be enabled for those users required to develop methods.
  • Edit Time History or PSD measurements: Allows users to edit records in order to change the measurement details and analysis settings. This feature should be restricted to advanced users.
  • Make a Background Measurement: Allows users to measure the background light scattering pattern prior to making a measurement. This feature is required for routine measurements.
  • Make Continuous-mode Measurements: Allows users to measure continuous sprays. Access to this option will depend on the application being developed.
  • Make a Flash-mode Measurement: Allows users to measure pulsed sprays. Access to this option will depend on the application being developed.
  • View Audit trail: Allows users to view audit trails. This feature should be restricted to advanced users or system administrators.
