Choose an article below to learn how to qualify an FTIR spectrometer and to understand how the OMNIC Paradigm Software can help you comply with 21 CFR Part 11 regulations.
This document explains how the following Thermo Scientific™ software can help you comply with the regulations in 21 CFR Part 111 for electronic records and electronic signatures.
Table 1. Thermo Scientific software applications that offer 21 CFR Part 11 compliance
|Application name||Application name|
|OMNIC™ Paradigm||OMNIC™ xi|
|OMNIC™ for DISPERSIVE RAMAN™||RESULT™|
1 21 CFR Part 11 Electronic Records; Electronic Signatures; Final Rule,” Federal Register 62, no. 54 (1997): 13430-13556. World Wide Web http:/www.fda.gov.
Part 11 of the 21 CFR (Title 21 – Food and Drugs of the Code of Federal Regulations) is a document issued by the United States Food and Drug Administration (FDA) that outlines the FDA criteria for accepting electronic records and signatures. The regulations in the final version of 21 CFR Part 11 became effective on August 20, 1997. All industries, companies and organizations regulated by the FDA that utilize electronic records must follow these regulations.
In 1991 the FDA met with representatives from the pharmaceutical industry to determine how to accommodate an electronic record system, under the guidelines of current Good Manufacturing Practice (cGMP), that would create a “paperless” record system. The primary concerns of the FDA were maintaining the trustworthiness, reliability, and integrity of the electronic records and ensuring that electronic records were equivalent to paper records. The 21 CFR Part 11 regulation was created to prevent fraud in the generation and signing of electronic records.
Understanding the following terms is essential for the successful implementation of the regulations in 21 CFR Part 11. These definitions taken directly from 21 CFR Part 11 will be the starting point for our discussion of Thermo Scientific’s software compliance with the regulation.
Closed system—An environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.
Open system—An environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system.
Digital signature (DS)—Electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.
Electronic record—Any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.
Electronic signature—A computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual’s handwritten signature.
Software application template files—May include parameter files, quant methods and macros.
Every Thermo Scientific security software package is designed under the strict guidelines of Thermo Fisher Scientific’s ISO 9001 certified product development process at our development and manufacturing site in Madison, Wisconsin. Trained members from different functional departments at our facility adhere to quality guidelines covering all aspects of development. Each software development project begins with specifications created with our customers’ needs in mind. The software designs are based on object-oriented and modular architecture. Software development practices follow our Product Development Process, which includes procedures for change control, source-code control systems, and defect management. Complete user documentation is created for every project. Intensive verification and regression testing of the software is performed according to the project test plan.The qualification package can be used to verify the consistency and accuracy of the spectrophotometer’s operation compared with specified limits.
When the software application is installed, the following tools will help you achieve compliance with 21 CFR Part 11 in a laboratory setting:
Note Macros, configurations and experiment files do not apply to the OMNIC Paradigm, INSIGHT, RESULT, or OMNIC Specta software applications.
Windows security is embedded in the software structure and is set up through the Windows security features. You can control access to an instrument by using those features in conjunction with software access privileges. The Windows login and password are used to authenticate users when an electronic record is created. Those responsible for maintaining system records must take measures to ensure the software operates in a closed system.
The following sections explain how you can use the software tools listed above to help you meet each requirement of the 21 CFR Part 11 regulation. Certain sections of the regulation are solely the responsibility of the owner of the system; we cannot directly provide tools for compliance with those specific sections. It is important to note that compliance with 21 CFR Part 11 extends beyond software implementation and will require laboratory and computer procedures that control all phases of electronic record creation and management.
Note In this document, specific requirements from the 21 CFR Part 11 Electronic Records/Electronic Signature rule are shown in italics with quotation marks. Our capability to meet these requirements is shown in plain text after the statement of the requirement.
This section covers Subparts B and C of 21 CFR Part 11.
Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot repudiate the signed record as not genuine. Such procedures and controls shall include the following:”
The system owner must develop a protocol for validating the system. We offer a suite of products and services for the qualification of your laboratory. These offerings provide you with the tools, documentation and certification services that make system qualification efforts progress smoothly.
The ability to detect invalid or altered records is controlled by using the digital signature option in the software. With digital signatures, result data, application template files and qualification test files can be digitally signed, ensuring the validity of the record. By checking for the presence of a correct digital signature, the software can detect invalid or altered records.
When data is collected, detailed information about the experiment, instrument and accessory is stored in a non-editable, file-embedded spectral history. If and when the data is post-processed in any manner, details about the processing operation are noted in the data’s history. Information about system user and digital signatures is also stored. You can view and print the data files and their history at any time, if desired. The system owner is responsible for which format will be used to save data.
OMNIC Paradigm software also provides a record of detailed information to be stored in a database. The database includes all data record information listed above, and data records and history can be viewed and printed at any time using the Audit Manager software.
You can store data created by the software directly to a secure server. The system owner or IT group must determine how the files will be archived and who has access to these records. OMNIC Paradigm software offers data storage directly to a database on a secure server. All other applications offer secure data file storage directly to a secure server.
Using Windows secure logins are required for controlling access to the system. The software must be installed on computers that have the supported Windows operating system, Windows users and groups can be configured to have access to the software through the Security Administration program.
The login feature of Windows software allows system administrators to restrict system access to only authorized users. To gain access to the software, users must log into Windows software with their user name and password. The Windows password must be reentered when launching the software. To ensure full security, the user shall be given a unique user name and a private password.
The system administrator can configure users’ profiles to restrict their software access to only the programs they need. A Windows system must be configured with a secure file system in order to grant individual read, write and delete access to users. The Security Administration software is used to set access privileges to data records, features, security policies and signature meanings. Control of file operations on the computer that are conducted external to the software application is the responsibility of the system owner.
When data is collected, detailed information about the date and time, operator, experiment, instrument and accessory are stored in a non-editable, file- or database-embedded spectral history. (In addition to the spectral history, OMNIC Paradigm software also stores this information in its database.) Test files are used to perform instrument qualification. These test files contain the sequence of events for the qualification and are signed at the factory.
The history provides an internal recording of all data manipulations for any given data file after it is created. In addition, the Thermo Scientific Audit Log Service logs all Thermo Fisher Scientific (TFS) file operations, both within and outside of the software applications. Thus, the Security Suite will log any attempt to create, modify or delete any TFS records on the system.
The software can enforce step sequencing and events for all aspects of data collection, processing and archiving. Sequenced step files can be created in the software. These files can specify and sequence the complete process: collection of parameters, data collection, final formats, post-processing operations, and archiving of data. The software can be configured so that users can access only specific files.
The Windows user access privileges are extended into the application and Security Administration software. Membership in the system group can control the extent of software access of each user. The system administrator or IT group must establish access failure criteria, and it is the responsibility of the Windows administrator to set these security features to ensure only authorized individuals have access to the system. If the sequence in a test file has been altered, the software notifies the user, the signature is invalidated, and the test will not run.
The system administrator or IT group must establish access failure criteria, and it is the responsibility of the Windows administrator to set these security features to ensure that only authorized individuals have access to the system and files on the system.
The system firmware and software application template files determine the validity of the input or operational instruction of the instrument. The system firmware is an IQ-qualified standard component of the instrument and can only be updated by a trained and certified Thermo Scientific service representative. Changes to the software application template files are controlled by user-access policies set up by the system administrator. Administrators can save the software application template files in a secure Windows file system to prevent unauthorized users from changing the operation parameters of the system.
We train our system developers and maintain training records according to our internal training procedure. A training matrix is maintained along with individual training records for each developer. Thermo Fisher Scientific is ISO 9001 certified and follows these guidelines when developing all products.
Our service representatives must be trained in order to maintain and service our instruments and software. Service representatives receive training on the qualification and security software and must be recertified every two years. A training matrix is also maintained for our service representatives.
It is the responsibility of the system owner to determine that persons who develop, maintain, or use electronic record/electronic signature systems at your site have the education, training and experience to perform their assigned task.
To deter falsification or fraud, the system owner must establish written policies that hold individuals accountable for actions initiated under electronic signatures.
The software is supplied with documentation for the operation and maintenance of the our instruments and software. You can use the information in the documentation to create Standard Operating Procedures (SOPs). It is the responsibility of the system owner to control the system documentation.
Our documentation contain version information that can be incorporated into the system owner’s documentation control system. You can obtain information about software and firmware version numbers by choosing “About” in the Help menu. The system owner must implement a change control protocol for system documentation.
“Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in 11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality.”
The software implementation requires the use of a closed system since we do not employ data encryption on our data files. Windows security is embedded in the software structure, and security is set up through the Windows security feature. The Windows login and password, in conjunction with the password reverification required when a user starts the software, provide a way to control access to the software and an instrument. By following the guidelines in this document, you can achieve compliance with 21 CFR Part 11 as it pertains to a closed system.
Although data encryption is not used, the system administrator may choose to store the data on a secure server (recommended) such that only authorized users may access data according to their privileges. These privileges must be controlled by a unique user name and password combination.
If compliance is desired in an open system, those responsible for maintaining system records must take adequate measures to ensure that the software complies.
All digital signatures produced by the software contain the information specified by the regulations, in addition to the signature.
Since digital signatures implemented in the software are embedded within the electronic record, these signatures are subject to the same controls as the electronic record. The signature is included as part of the human readable and printed form of the electronic record.
“Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.”
The digital signature is stored in the same data file or report that is signed. Because the signature is stored in the same file as the electronic record, all digital signatures produced in the software are directly linked to the electronic record. A check of the electronic record can reveal an invalid electronic record.
The system owner’s policy for assigning Windows user IDs and passwords must comply with this requirement, which can be accomplished by assigning a unique user name to each individual and by not reusing or reassigning any user names. If the user names are unique for all individuals with access to the system, the digital signature produced by the software will be unique.
The system owner must take appropriate measures to ensure the identity of all individuals who may be involved in applying electronic signatures to records.
In order to have an electronic signature, the organization using the signature must make it legally binding by submitting a letter and a form to the FDA.
Digital signatures used by the software are based on the user’s log in ID and Windows password. Windows software is used to generate the digital signature in the software, and the combination of the signature components is unique for each user, as long as the requirements in 11.100 (a) are met. All signings in the software require entering the password of the person who is logged in to the Windows session at the time of system use. The system owner and administration must implement a protocol for using electronic signatures as described in requirements (2) and (3) are met.
This requirement does not apply to our software because we use digital signatures based on the combination of a user name and password, instead of biometrics.
“Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include:
The system administrator or IT group must ensure that the combination of ID code and password is unique for each individual. This can be easily accomplished by issuing each user a unique login identification.
Windows security features simplify the process of periodic checking, recalling and revising of log-ins and passwords. Transaction safeguards to prevent unauthorized access to the system are also available in the Windows operating system.
Limiting the number of failed login attempts and creating a password for an aging procedure is a common safeguard to limit and log the number of failed login attempts. Consult your Windows documentation for more information about activating system safeguards. The system administrator must establish a procedure for checking ID codes and passwords and loss management.
Because our software does not use cards or tokens to generate identification codes, this requirement does not apply.
This document was created based on Thermo Fisher Scientific’s interpretation of the regulations and through consultation with experts in the field. The software with the digital signature option can be used together with proper procedures and controls instituted by our customers, in accordance with an FDA compliant process.
For more information about the requirements of 21 CFR Part 11, go to www.fda.gov.
We are dedicated to working with our customers to help meet their regulatory needs wherever possible. For more information contact: www.thermofisher.com
Your Thermo Scientific™ Nicolet™ Summit FTIR Spectrometer comes with standard tests and test samples that can be used to verify its operation. We refer to this process as “instrument qualification” and, whether performed formally or informally, it is often an important requirement for instrument installations.
Instrument qualification demonstrates the spectrometer is “fit for purpose,” properly maintained, and calibrated to national or international standards and published test limits. In the end, it ensures the integrity of any data you acquire with the spectrometer.
If you purchased a “qualified” installation, we perform initial qualification at the factory and ship the printed qualification test results with the spectrometer. A certified service person installs the spectrometer at the customer-designated location, reruns the factory qualification tests and certifies the installation. The service person provides a signed log of the installation steps, certificates of authentication for the test standards, qualification test results and other documentation. If you purchased re-certification, the service person returns regularly to repeat the qualification and re-certify the instrument.
The OMNIC Paradigm software includes the factory qualification test in addition to standard industry-wide qualification tests you most likely recognize (for example, European Pharmacopoeia, Japanese Pharmacopoeia, etc.). Any required qualification reference standards are supplied inside the instrument and controlled by the OMNIC Paradigm software.
Whether or not you purchased formal qualification and recertification, you can easily run the qualification tests yourself. We recommend that you store the test results in a common location so they can be used to verify and track instrument performance over time. Qualification test results can also be viewed at any time in the OMNIC Paradigm software.
After the spectrometer is installed, we recommend that you select and run one of the standard qualification tests provided with OMNIC Paradigm software and repeat that test periodically, as needed, to verify spectrometer operation. You should always repeat qualification immediately after the following circumstances:
Note Users working in a regulated environment typically also requalify after a software upgrade.
OMNIC Paradigm software includes the following performance and qualification tests. All of these tests are based on internationally recognized methods for testing FTIR spectrometer performance.
Table 1. Performance and Qualification Tests Included with OMNIC Paradigm Software
|Abbreviated test name||Full test name and source|
|PHEUR (or Ph. Eur.)||Nicolet FTIR-PHEUR Qualification|
European Pharmacopoeia, Ninth Edition, General Chapter 2.2.24, Absorption Spectrophotometry, Infrared (wavenumber accuracy and optical resolution tests)
|USP||Nicolet FTIR-USP Qualification|
US Pharmacopoeia, 41 <854> Mid-Infrared Spectroscopy (wavenumber accuracy test)
|JP||Nicolet FTIR-JP Qualification|
Japanese Pharmacopoeia, Seventeenth Edition, 2.25 Infrared Spectrophotometry/General Tests (wavenumber accuracy, optical resolution, and repeatability tests)
|CP||Nicolet FTIR-CP Qualification|
Chinese Pharmacopoeia, 2015 Edition, 0402 Infrared Spectrophotometry (wavenumber accuracy and optical resolution tests)
|ASTM||Nicolet FTIR-ASTM Test|
International Annual Book of Standards, Section 3, Metals Tests and Analytical Procedures, Volume 3.06, E1421-99 Standard Practice for Describing and Measuring Performance of Fourier Transform Mid-Infrared (FT-MIR) Spectrometers (energy ratio and noise level tests)
Table 1. Performance and Qualification Tests Included with OMNIC Paradigm Software
|Abbreviated test name||Full test name and source|
|Nicolet FTIR Factory||Nicolet FTIR-Factory Qualification|
Thermo Scientific factory qualification for FTIR spectrometers (combines the PHEUR, USP, JP and CP tests listed above with our own performance verification tests listed below)
|Nicolet FTIR PV||Nicolet FTIR-PV Test|
Performance Verification test for Nicolet Series FTIR spectrometers. Runs the following tests to verify instrument performance and prints a standard test report:
Energy ratio: Detects changes in energy distribution in the single beam spectrum. Used to verify performance of the source, as well as instrument alignment and optical integrity over time. Based on ASTM E1421-99, Level One test for energy ratio with an additional ratio of 2,000 cm-1/1,000 cm-1.
Noise level: Measures the instrument’s noise level for transmission analysis. Based on ASTM E1421-99 Level One test for noise level.
|Algorithms Test||Algorithms Test|
Qualification test for the quantification algorithms used by OMNIC Paradigm software
Table 2. Qualification Standards Used for Nicolet Series FTIR Spectrometers
|1.5 mil polystyrene||NISTa -certified 1.5 mil polystyrene standard mounted inside the spectrometer and controlled by OMNIC Paradigm software|
|3.0 mil polystyrene||NIST-certified 3.0 mil polystyrene card-mounted (external) standard (used in the ASTM tests only)|
a National Institute of Standards and Technology
Use the OMNIC Paradigm software that came with your spectrometer to run performance and qualification tests. Before you run one of these tests, make sure the spectrometer has been powered on for at least 1 hour.
The provided performance and qualification workflows are shown below. You may need to scroll through the list to locate them.
The workflow opens in the Play Workflow window.
Click the arrow button to continue and follow any on-screen instructions to complete the workflow.
When the workflow is completed, the results are displayed in a standard report. Here is an example:
The report is saved automatically in the OMNIC Paradigm database, along with the acquired spectra. Use the Print button if you need to print the report.
If one or more tests in the report show a “Fail” result, consult the troubleshooting information on our website or contact your local technical support representative for help in solving the problem. Once the problem has been solved, rerun the qualification test.
The performance and qualification test results include the test type, operator name, date, serial number of the spectrometer and any sampling accessory used, along with descriptions of the individual tests, their high and low limits, the measured results and whether the results are within the specified limits (Pass if “yes” or Fail if “no”).
The report is saved automatically along with the acquired spectra. We recommend that you save each test report and store it in a known location, along with any previously run reports for this spectrometer.
Qualification test spectra are tagged with the following information:
Table 3. Search Tags used for OQ Spectra
|Test name||Associated search tag|
|Nicolet FTIR-PHEUR Qualification||“PHEUR”|
(displays all spectra created with the European Pharmacopoeia workflow)
|Nicolet FTIR-USP Qualification||“USP”|
(displays all spectra created with the US Pharmacopoeia workflow)
|Nicolet FTIR-JP Qualification||“JP”|
(displays all spectra created with the Japanese Pharmacopoeia workflow)
|Nicolet FTIR-CP Qualification||“CP”|
(displays all spectra created with the Chinese Pharmacopoeia workflow)
|Nicolet FTIR-ASTM Test||“ASTM”|
(displays all spectra created with the ASTM workflow)
|Nicolet FTIR-Factory Qualification||“Factory”|
(displays all spectra created with the Nicolet FTIR Factory workflow)
|Nicolet FTIR-PV Test||“PV”|
(displays all spectra created with the Nicolet FTIR PV workflow)
(displays all spectra created with the Algorithms workflow)
To locate and open individual spectra, use the date selection box in the middle pane to locate the spectra, or enter a tag from the table above in the Search box. Double-click a spectrum in the list to open it.
To ensure the security and integrity of your data and to help your lab comply with 21 CFR Part 11 or other regulations, pair the OMNIC™ Paradigm software with Thermo Scientific Security Suite software.
Security Suite is a comprehensive data security toolset, allowing you to perform the following tasks:
You can purchase Security Suite software to manage a single system or to manage multiple instruments distributed on a network. After installation, configuring the OMNIC Paradigm application for security takes only moments.
For a discussion of how Security Suite software can help you comply with 21 CFR Part 11, see 21 CFR Part 11 Compliance.