Yokogawa Electric Corporation Copyright © Yokogawa Electric Corporation Features of Yokogawa’s CS1000/3000 DCS for Pharmaceutical Manufacturers to Comply.

Presentation transcript:

Yokogawa Electric Corporation. Copyright © Yokogawa Electric Corporation.
Features of Yokogawa's CS1000/3000 DCS for Pharmaceutical Manufacturers to Comply with FDA's 21 CFR Part 11 (Electronic Records; Electronic Signatures)

Requirements for DCS according to 21 CFR Part 11
This presentation contains:
- The specifications that the FDA (Food and Drug Administration) requires of computer systems from pharmaceutical manufacturers and system vendors.
- Yokogawa's summary of these specifications, based on various documents (including 21 CFR Part 11).
- How Yokogawa's CS1000/3000 DCS complies, item by item, with these specifications.
Reference
- Report by Group 1, Workgroup 4, GLP Committee, QA Workshop, Japan, "FDA's Intentions on Electronic Signatures Stipulated by Subparts of 21 CFR Part 11"
- Harris, James R. (Pharmaceutical Solutions) and Ouchi, Shinichi (Taisei Corp.), "GMP News - Computer Validation for STEP UP: (3) What Are Explicit Specification Requirements and System Design Specifications?" PHARM TECH JAPAN, July 1998 issue (Vol. 14, No. 7), published by Jihou Corp.

Contents
- What Is 21 CFR Part 11?
- Why Is 21 CFR Part 11 Required Now?
  - Trend of world and Japanese users
- What Does 21 CFR Part 11 Contain?
  - Interpretations of Yokogawa, objectives, outlines, and quotes
  - What do DCSs have to do to be compliant?
  - How do the CS 1000 and 3000 meet the requirements?
  - Road map for developing features to meet 21 CFR Part 11
- What Can Existing Systems Do to Meet 21 CFR Part 11?
  - Tables of compliance and system upgrade scenario
- Consistency with Upper-level Systems
  - DCS connected to a reporting system and an administrative system

What Is 21 CFR Part 11?
The FDA and pharmaceutical industry have summarized the requirements to computerize the mountains of paper-based application forms and records on medical supplies.
- August 1997: In response to the requirements from the pharmaceutical industry, the FDA issued regulations under the name of 21 CFR Part 11 that provide criteria for acceptance of electronic records, electronic signatures, and handwritten signatures.
- Code of Federal Regulations, Article 21, Part 11 (21 CFR Part 11) enabled electronic records with electronic signatures to be regarded as equivalent to paper records.
- 21 CFR Part 11 applies to all regulations on pharmaceutical related industries, including the GLP, GCP, and GMP.
- 21 CFR Part 11 provides the criteria for acceptance by the FDA for storage and submission of part or all of documents and records in electronic form.

Why Is 21 CFR Part 11 Required Now?
- Export of medical supplies to the US requires compliance with 21 CFR Part 11 in addition to the traditional requirements of the FDA.
- The FDA has authority to inspect the companies involved for compliance with United States regulations. Companies that do not comply with 21 CFR Part 11 cannot export their products to the US.
- Hence, pharmaceutical companies and suppliers not only in the US but also in Europe and Asia are rushing to meet 21 CFR Part 11.
- The FDA is not requesting immediate, full compliance with 21 CFR Part 11. Rather, it is rigorously checking whether each company is continuously taking measures in an appropriate direction toward compliance. Inspections by the FDA on Part 11 began in 2000.

How 21 CFR Part 11 impacts systems
- Limit system access
- Determine existence of altered records
- Computer-generated, time-stamped audit trails for electronic records
- Operational system checks that enforce permitted sequencing of steps / events
- Verify individuals' identities
- Provide transaction safeguards to prevent unauthorized use of passwords / I.D. codes

Basic requirement of 21 CFR Part 11 (1)
To recognize that electronic records and signatures can be accepted the same as paper-based records, 21 CFR Part 11 is categorized into three main parts:
- The method for security
- The method for integrity
- The management policy for electronic records and signatures

Basic requirement of 21 CFR Part 11 (2)
Data security
Data security is guaranteed by access control, which is strictly applied to the individual who accesses the system. In 21 CFR Part 11, regulations are categorized into three parts for data security:
- Access is permitted only to authorized persons.
- Authority is applied to each person who can access the system.
- Access must be performed by the genuine authorized person named in the list of authorized persons.

Basic requirement of 21 CFR Part 11 (3)
Data integrity
Does a production record in electronic format provide credibility? When a question arises, a method to prove credibility is required. To prove data integrity, all operations should be recorded, whether intentional or accidental.
Electronic records (CENTUM CS3000):
- Operation record: batch report (operation record data), alarm data, trend data, recipe data
- Metadata: raw data, operation audit trail, audit trail for system maintenance, system configuration files after system validation, audit trail for applications, recipe management audit trail

Basic requirement of 21 CFR Part 11 (4)
Instead of paper, the system must guarantee data integrity, and must protect data against interpolation, addition, and changes in order to manage the data in electronic format.
- Access control (personal identification): It is necessary to protect the system and data from unauthorized access. The operator, the chemist who creates recipes, and the maintenance engineer must each be identified, and access control should be applied to each according to their role.
- Audit trail: System operation, recipe creation, and maintenance operation records should be recorded automatically (when, by whom, where, why, and what was done).
[Diagram labels: Validated computer systems (in the case of control systems); Electronic records; Electronic signature]

Basic requirement of 21 CFR Part 11 (5)
- Computer systems, whether new or existing, should be used only after validation has been performed.
- An environment should be provided in which electronic records can be used whenever they are required.
- The computer system should be able to create the audit trail automatically and independently of users.
- System security, data security, and data integrity should be guaranteed through system access control.
- In both open and closed systems, a highly reliable electronic signature mechanism should be used.

CENTUM CS 3000/1000 System
Security requirements for a DCS are discussed in the following three scopes of a CENTUM CS 3000 or 1000 system: management by operators, management by chemists, and management by instrumentation engineers.
1. Management during plant operation
2. Management of applications, e.g., sequence control programs
3. Management of master recipes
4. Management of control recipes
[System diagram: console HIS and PC HIS, Ethernet, Vnet, FCS (controller). HIS: Human interface station. FCS: Field control station.]

What Does 21 CFR Part 11 Contain?
3 Subparts:
- Subpart A: General Provisions
- Subpart B: Electronic Records
- Subpart C: Electronic Signatures

Subpart A: General Provisions (summarized quotes)
11.1 Scope
- The regulations in this part set forth the criteria under which the agency (from August 20, 1997) considers electronic records, electronic signatures, and handwritten signatures executed to electronic records to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper.
Implementation
- For records submitted to the agency, persons may use electronic records in lieu of paper records or electronic signatures in lieu of traditional signatures, in whole or in part, provided that the respective requirements of the FDA are met.

Subpart A (Definitions)
11.3 Definitions (quotes)
- Biometrics means a method of verifying an individual's identity based on measurement of the individual's physical feature(s) or repeatable action(s) where those features and/or actions are both unique to that individual and measurable.
- Closed system means an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.
- Digital signature means an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.

Subpart A (Definitions)
11.3 Definitions (quotes)
- Electronic record means any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.
- Electronic signature means a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual's handwritten signature.

Subpart A (Definitions)
11.3 Definitions (quotes)
- Handwritten signature means the scripted name or legal mark of an individual handwritten by that individual and executed or adopted with the present intention to authenticate a writing in a permanent form. The act of signing with a writing or marking instrument such as a pen or stylus is preserved. The scripted name or legal mark, while conventionally applied to paper, may also be applied to other devices that capture the name or mark.
- Open system means an environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system.

Subpart B: Electronic Records
Configuration of This Presentation File
- Slide: a quoted clause of 21 CFR Part 11 with Yokogawa's interpretation, followed by an explanation of the compliance of the CS 1000/3000.
- Note: the exact quote of the corresponding clause of 21 CFR Part 11.
Supplements for an item are described on the following slides as necessary.

Subpart B: Electronic Records
§11.10 Controls of closed systems
Paragraph (a) requires a control and procedure for validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records as is the case for paper-controlled systems.
The CS 1000 and 3000 meet this requirement on electronic records by the following features:
- Historical messages
- Report output (manufacturing records in the forms of lot reports, batch reports, etc.)
- Long-term trend data archive

§11.10 Controls of closed systems
Paragraph (b) requires the ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying.
The CS 1000 and 3000 meet this requirement by:
- Historical messages can be output in an easy-to-read text format.
- Reports (manufacturing records in the forms of lot reports, batch reports, etc.) can be output as comma-separated-value text files.


Operation Log (callout: a key word for the reference)

Password Change Log

Batch Report

§11.10 Controls of closed systems
Paragraph (c) requires protection of records to enable their accurate and ready retrieval throughout the records retention period. This requires a data conversion function to ensure such retrieval even after future changes of the systems.
The CS 1000 and 3000 meet this requirement by:
- A powerful search function for historical messages, allowing the messages to be searched by user name, batch ID, date, equipment name, function block model, message type, desired characters, etc.
- Records saved in general-purpose file formats, assuring compatibility in future system upgrades:
  - Historical messages can be output in an easy-to-read text format.
  - Reports (manufacturing records in the forms of lot reports, batch reports, etc.) can be output as comma-separated-value text files.

Search through Operation Log

§11.10 Controls of closed systems
Paragraph (d) requires limiting system access to authorized individuals. This can be interpreted as the limitations of three types of access:
- Limitation of process operation actions by operators
- Limitation of software modifications by engineers
- Limitation of creations and modifications of recipes by chemists
See the following two slides for compliance of the CS 1000 and 3000.

The CS 1000 and 3000 achieve limitation of process operation actions by operators by:
- Security by user ID and password administration (refer to Subpart C)
- Control of authentication by fingerprints
- Control of privilege level based on user name
- Security levels assigned to individual operation objects (function blocks and windows)
- Limitation of access to all files by the "CENTUM desktop feature"

The CS 1000 and 3000 achieve limitation of software modifications by engineers by:
- Operations in System View (access to Builder programs) can be restricted by the security level given depending on the username and password used at logon.
- At present: relies on the security provided by the user administration features of Windows.
The CS 1000 and 3000 achieve limitation of creation and modification of recipes by chemists by:
- Operations in Recipe View (access to Builder programs for modifying master recipes) can be restricted by means of security provided by Windows based on the local groups. By registering each user to a local group, the privileges set for the respective local group are given to the individual user. This allows user actions on master recipes to be restricted depending on the username.

Dialog box for logging on to CENTUM CS 1000/3000 system (callout: a present user)

Username Authentication for Logon

§11.10 Controls of closed systems
Paragraph (d) requires the use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records.
The CS 1000 and 3000 meet this requirement in three aspects:
- Audit trails for process operations
  - Historical messages record the when, who, what, where, why, and how of each operator entry or action, and no means to modify or delete the data are provided.
  - Provision of prohibiting direct access to files: achieved by the CENTUM desktop feature.
  - The purpose or reason of an action can be entered as an operation comment, which can be related to operation record data.

- Audit trails for system modifications (operations of Builders)
  - System modifications made via System View (using Builders) are recorded on the hard disk of the PC, and this record can be managed in the same way as the historical messages.
- Audit trails for modifications of recipes
  - Modifications and creations of master recipes via Recipe View are recorded on the hard disk of the PC, and this record can be managed in the same way as the historical messages.

§11.10 Controls of closed systems
Paragraph (d) requires the use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records.
The CS 1000 and 3000 meet this requirement in three aspects:
- Plant operation by operators
- System maintenance operation by the system engineer
- Recipe creation by the recipe engineer
For the above operations, the following are recorded automatically:
- The 5W1H (when, by whom, what, where, why, and how).
- The reason for an operation, which can be entered at the time of the operation and is recorded as part of the operation record.
Provision of prohibiting direct access to files:
- Achieved by the CENTUM DESKTOP feature.

Operation records (historical message report)
[Screenshot callouts: when, what, what is performed, why, by whom, where]

CENTUM Desktop
New CENTUM Desktop Feature
- On the desktop of a PC that is running HIS, it prevents the Windows NT (or 2000) Explorer window and file icons from being displayed, and prevents programs from being run from the Start menu.
- The new "CENTUM desktop feature" can prohibit anybody who does not have administrative privileges from directly accessing files.
[Screenshot callout: icons such as My Computer are not displayed]

Difference display in system maintenance operation record
[Screenshot callouts: Old, New; the difference is displayed in a different color]

§11.10 Controls of closed systems
Paragraph (f) requires the use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.
The CS 1000 and 3000 allow:
- An operator to perform a series of actions in line with operator guide messages and interactive dialogues generated by sequence control functions that check the operator's actions.
- An important faceplate operation to require a check or acknowledgement by two operators. It is possible to provide a double check by multiple operators, or acknowledgement/confirmation by a supervisor who has the authority. The double check or acknowledgement is recorded in the audit trail automatically.

Dialog Box for double check/approval for operation on critical function block

§11.10 Controls of closed systems
Paragraph (g) requires the use of authority checks to ensure that only authorized individuals can use the system, … or perform the operation at hand.
This requirement can be interpreted such that DCSs must be capable of:
- Setting different user levels.
- Setting different privileges for individual user levels, for example, so that only the authorized persons are permitted to change the set points in manufacturing processes.

The CS 1000 and 3000:
- Check the combination of the user ID and password, or the fingerprint authentication result, upon each user action.
- Feature security based on assignment of a privilege level to each user depending on the user name.
- Feature security based on assignment of security levels to individual operation objects (function blocks and windows).

Dialog Box for Confirmation of Action: Allowing the reason to be entered

Dialog Box Warning of an Operation Error

[Diagram: layers of security in a CS 3000 project, from Windows down to a PID function block]
- HIS Security (for each HIS)
- Privilege Level (for each user)
- Security Based on User Group (for each group)
- Access Level (for each window)
- Security Level (for each function block)

HIS Security
The ranges of operation and monitoring for each HIS can be set.
- Ranges of monitoring: Specified by a plant hierarchy.
- Ranges of operation and monitoring: Specified by a plant hierarchy.
- Ranges of windows: Specified by window names.
- Ranges of acknowledgment: Specified by a plant hierarchy.
- Ranges of process message reception: Specified by a plant hierarchy.
- Ranges of system alarm reception: Specified by station names.
[Diagram labels: HIS for supervision of all facilities; HIS dedicated for facility A; HIS dedicated for facility B]

User Groups and Privilege Levels
[Diagram labels]
- All-facility administrative group: operator in all-facility administrative group (in privilege level U7)
- Group for facility A (label shown twice): general operator in privilege level U1; team leader of group in privilege level U3

Examples of Access Control (1)
Leaving the default settings (with no security set): Example 1
- OFFUSER: Privilege level S1, without password protection
- ONUSER: Privilege level S2, with password protection
- ENGUSER: Privilege level S3, with password protection
Person / Title / Password:
- A / Operator / None
- B / Operator / None
- C / Operator / None
- D / Superintendent / ONUSER
- E / Maintenance Engineer / ENGUSER
Permitted persons for setpoints, loop modes, tuning parameters, and alarm ack.:
- Can view but cannot change: A, B, C
- Can view and change: D, E

Examples of Access Control (2)
Setting security on windows based on the user account: Example 2
- Setting privilege levels for individual usernames
- [Screenshot labels: Privileges of Window Retrieval; Privileges of Operations via Window]
- A and B are permitted only to open windows. C is permitted not only to open windows but also to change values via windows.

- Setting the ranges of operation for each HIS
- Setting user group names and the ranges of monitoring and operation for each group
- Setting usernames, the privilege level of each user, and the user group to which each user belongs
1. Privilege Level Settings
- U1: Actions to tags whose security level is 3 or lower are allowed.
- U2: Actions to tags whose security level is 7 or lower are allowed.
- U3: Actions to all tags are allowed.
2. User Settings
- Group 1: Operates process A under Superintendent C
- Group 2: Operates process B under Superintendent F
- G: In charge of system maintenance
- H: Responsible for both processes
- At HIS0163: Only process B can be monitored and operated.
- The table on the left shows the tags each person can manipulate.
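The layered decision these settings imply (HIS range, then user-group range, then privilege level against the tag's security level), with every attempt written to an audit record in the 5W1H style of the audit-trail slides, can be sketched as follows. This is an added illustration, not Yokogawa code: the U1/U2/U3 thresholds and the HIS0163 restriction come from the slide, while the data layout, HIS0101, the tag names, and each person's privilege assignment are constructed assumptions.

```python
"""Toy model (not Yokogawa code) of the layered operation check on these slides."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Privilege level -> highest tag security level the user may act on.
# Thresholds are the slide's settings; None means "all tags".
PRIVILEGE_MAX_LEVEL = {"U1": 3, "U2": 7, "U3": None}

# Ranges of operation as sets of plant-hierarchy names (names are constructed).
GROUP_RANGE = {
    "GROUP1": {"PROCESS_A"},
    "GROUP2": {"PROCESS_B"},
    "BOTH": {"PROCESS_A", "PROCESS_B"},
}
HIS_RANGE = {
    "HIS0163": {"PROCESS_B"},               # from the slide: process B only
    "HIS0101": {"PROCESS_A", "PROCESS_B"},  # constructed station
}


@dataclass(frozen=True)
class User:
    name: str
    group: str
    privilege: str


@dataclass(frozen=True)
class Tag:
    name: str
    area: str            # plant-hierarchy node the function block belongs to
    security_level: int


# Constructed sample data; who holds which privilege level is an assumption.
USERS = {u.name: u for u in (
    User("A", "GROUP1", "U1"),
    User("C", "GROUP1", "U2"),
    User("F", "GROUP2", "U2"),
    User("H", "BOTH", "U3"),
)}
TAGS = {t.name: t for t in (
    Tag("FIC100", "PROCESS_A", 3),
    Tag("TIC200", "PROCESS_A", 6),
    Tag("LIC300", "PROCESS_B", 8),
)}

ALLOW = "ALLOW"
DENY_UNKNOWN = "DENY: unknown user or tag"
DENY_HIS = "DENY: outside HIS operation range"
DENY_GROUP = "DENY: outside user-group operation range"
DENY_LEVEL = "DENY: tag security level above privilege level"

AUDIT_TRAIL = []  # append-only in this model; nothing edits or deletes entries


def authorize(username, his, tag_name, action, reason=""):
    """Decide one operator action and record it, allowed or not."""
    user, tag = USERS.get(username), TAGS.get(tag_name)
    if user is None or tag is None:
        verdict = DENY_UNKNOWN
    elif tag.area not in HIS_RANGE.get(his, set()):
        verdict = DENY_HIS
    elif tag.area not in GROUP_RANGE.get(user.group, set()):
        verdict = DENY_GROUP
    else:
        # An unrecognised privilege level gets limit 0, so it fails closed.
        limit = PRIVILEGE_MAX_LEVEL.get(user.privilege, 0)
        too_high = limit is not None and tag.security_level > limit
        verdict = DENY_LEVEL if too_high else ALLOW
    AUDIT_TRAIL.append({
        "when": datetime.now(timezone.utc).isoformat(),
        "who": username,
        "where": his,          # terminal at which the action was attempted
        "what": f"{tag_name} {action}",
        "why": reason,         # operator-entered comment
        "result": verdict,
    })
    return verdict


if __name__ == "__main__":
    authorize("A", "HIS0101", "FIC100", "SV=80.0", "batch setpoint")
    authorize("A", "HIS0101", "TIC200", "SV=95.0")
    authorize("H", "HIS0163", "FIC100", "MODE=MAN")
    for entry in AUDIT_TRAIL:
        print(entry)
```

Denied attempts are logged alongside allowed ones, which is what makes the trail useful when reviewing whether a record was altered or an operation was attempted from a station outside its range.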

Security Levels Assigned to Individual Function Blocks, e.g., PIDs
Example: Dan (in privilege level S1) can monitor but cannot manipulate the PID for reactor temperature control (in security level 6).

Security Level Setting for a Function Block

User Groups and Privilege Levels
Setting the ranges of operation and monitoring for each user group:
- Ranges of monitoring: Specified by a plant hierarchy.
- Ranges of operation & monitoring: Specified by a plant hierarchy.
- Ranges of windows: Specified by window names.
- Ranges of acknowledgment: Specified by a plant hierarchy.
- Ranges of process message reception: Specified by a plant hierarchy.
- Ranges of system alarm reception: Specified by station names.
The username and password used when logging on to the CS 1000/3000 system:
- Determine the user group to which the user belongs.
- Determine the privilege level given.
For each username, the user group to which the user belongs and the privilege level to be given can be set. For each privilege level, the permissions for operation and monitoring of function blocks and windows can be set.
- Usernames: 200 for CS 3000; 100 for CS 1000
- User groups: 50 for CS 3000; 15 for CS 1000
- Privilege levels: 7 for CS 3000/1000

Plant Hierarchy
Plant Hierarchy in CS 3000/1000 versus ISA Physical Model and Corporate Activity Model

Example of Plant Hierarchy in CS 3000/1000

§11.10 Controls of closed systems
Paragraph (h) requires the use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.
In the CS 1000 and 3000:
• Each operator entry or action is recorded, and the respective information, including the name of the terminal at which it was performed, is automatically attached to each record.

Operation Records From HIS0123

§11.10 Controls of closed systems
Paragraph (i) requires persons who develop, maintain, or use electronic record/electronic signature systems to have the education, training, and experience to perform their assigned tasks.
Yokogawa provides the following training courses to support users’ education and training program:
Basic CS 3000 engineering System startup Logic charts SFC Batch management Fieldbus CS 1000 engineering Report creation Graphics Fieldbus Unit supervision Logic chart

§11.10 Controls of closed systems
Paragraph (i) requires persons who develop, maintain, or use electronic record/electronic signature systems to have the education, training, and experience to perform their assigned tasks.
Yokogawa works with each customer in studying each user’s own education and training program.

§11.10 Controls of closed systems
Paragraph (j) requires the establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.
Yokogawa actively helps each customer establish each user’s policies for electronic records and signatures.

§11.10 Controls of closed systems
Paragraph (k) requires appropriate controls over systems documentation including:
(1) Controls to maintain all maintenance records
(2) Explicit rules for handling of audit trails that are documented in the form of both electronic and paper documents.
Yokogawa actively helps each customer establish a manual for use of electronic records and signatures.
(e) Audit trail: This is described in the section "audit trail" and is provided by the builder audit trail function.

§11.30 Controls for open systems
Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in §11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality.
Yokogawa proposes that the CS 1000/3000 be used as a closed system.

§11.50 Signature manifestations
(a) Signed electronic records shall contain information associated with the signing that clearly indicates all of the following:
(1) The printed name of the signer;
(2) The date and time when the signature was executed; and
(3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature.
(b) The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout).

The CS 1000 and 3000 meet this requirement as follows:
• User ID: 16 alphanumeric characters
• Name and Comment: 32 alphanumeric characters. Printed in a self-documentation printout.
• Password: 32 alphanumeric characters
• Historical messages: The when, who, what, where, why, and how are attached to the record of each operator entry or action.
• Privilege levels can be set for the individual user IDs.

User Registration

§11.70 Signature/record linking
Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.
When a record is revised, the previous data must be maintained explicitly.
The CS 1000 and 3000 meet this requirement as follows:
• No means of modifying or deleting historical messages is provided, as described earlier for compliance with paragraph (e).
• A provision is made to prohibit direct access to files. With the “CENTUM desktop” feature, standard Windows operations such as copy and delete cannot be performed.

Subpart C—Electronic Signatures
§ General requirements
(a) Each electronic signature shall be unique to one individual and not to an individual organization.
(b) An organization shall control the link of an electronic signature to an individual and his/her qualifications (i.e., operational privileges).
The CS 1000 and 3000 meet this requirement by:
• Additions and modifications to user ID registers can only be performed by those persons who have maintenance engineer privileges.
• The password for an individual’s user ID can be modified by the individual via the given terminal.

Subpart C — Electronic Signatures
§ General requirements
(c) An organization using electronic signatures shall certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures, and submit the certification in paper form to the Office of Regional Operations (HFC-100), 5600 Fishers Lane, Rockville, MD
To be observed by the individual users’ firms themselves.

§ Electronic signature components and controls.
(a) Electronic signatures that are not based upon biometrics shall:
– (1) Employ at least two distinct identification components such as an identification code and password.
(i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.
(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.
– (2) Be used only by their genuine owners; and...

The CS 1000 and 3000:
– Check the user ID and password entered at user access.
– Require each person to enter both a user ID and password when logging on to the CS 1000 or 3000 system for the first time. For continuous access by the same person, only the password needs to be entered.

CENTUM CS 3000 HIS
Figure: logon with Username: Dan (alphanumeric, 16 characters) plus Password: ****** (alphanumeric, 32 characters), or Username: Dan plus fingerprint authentication.

Dialog box for logon

Changing the password

Password Change Log

Dialog box for confirmation of user action

§ Electronic signature components and controls
(a) Electronic signatures that are not based upon biometrics shall:
– (3) Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.

This assumes a case where emergency actions are required but a person appropriate for the required actions is absent. In such a case, the actions must be done by another person having a higher level of privileges.
As for a DCS, measures for actions required in emergency situations such as a plant explosion need to be considered.
The individual end users themselves:
– Need to define a rule for operations in the event of absence of an appropriate person.
The CS 1000 and 3000:
– Allow, as a provisional emergency measure, anybody to perform all ranges of operations without the entry of a password and fingerprint authentication, by using a key that provides the top authority.
– Can automatically record even such actions as audit trails with the username “ENGUSER” as the person who performed the actions.

§ Electronic signature components and controls
(b) Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners.
The CS 1000 and 3000:
• Can check the user ID and fingerprint instead of the user ID and password. This will prevent illegal access using a stolen password, and provide a solution in case a person forgets the password.
• This allows a more reliable check that the system is being used by the person herself/himself.

Fingerprint Identification Unit
SONY FIU D * 54.0W * 9.5H mm 37g

§ Controls for identification codes/passwords
Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include:
(a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.
The CS 1000 and 3000:
• Check for duplication upon attempt to add or change a user ID to maintain the uniqueness of user IDs.
• Permit only persons having engineer privileges to add or change user ID registers.
• Audit trail is recorded automatically.

§ Controls for identification codes/passwords
(b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).
The CS 1000 and 3000:
• Output a system alarm to request a user ID and its password to be checked when that user ID has been used for a specified time period.

§ Controls for identification codes/passwords
(c) Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.
Yokogawa works with each customer in studying the procedures and implementation.

§ Controls for identification codes/passwords
(d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.
The CS 1000 and 3000:
• Output a system alarm when a wrong password is entered consecutively a specified number of times.
• Broadcast this system alarm to all terminals within the system to report it as an illegal access attempt.
• Automatically record the system alarm as an audit trail item.

Password setting function
Protection against unauthorized access: Password effective period setting
Detection of unauthorized access: Number of unauthorized access
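
An added Python example (not Yokogawa code) of the two password controls described above: a system alarm that is broadcast to all terminals and written to the audit trail after a specified number of consecutive wrong passwords, and an alarm once a password has been in use past its effective period. The threshold of 3, the 90-day period, the user ID EVE and the logon attempts are constructed; HIS0123, HIS0163 and the username Dan appear on the slides.

```python
from datetime import datetime, timedelta

# Assumed settings: the slides name them but give no values.
MAX_CONSECUTIVE_FAILURES = 3
PASSWORD_EFFECTIVE_PERIOD = timedelta(days=90)
TERMINALS = ("HIS0123", "HIS0163")   # station names that appear on the slides


class LogonMonitor:
    def __init__(self, password_set_on):
        self.password_set_on = dict(password_set_on)  # user ID -> last change
        self.failures = {}        # user ID -> consecutive wrong passwords
        self.system_alarms = []   # every alarm raised
        self.broadcasts = []      # (terminal, alarm kind, user ID)
        self.audit_trail = []     # when / who / what / where records

    def _illegal_access(self, when, terminal, user_id):
        self.system_alarms.append(("ILLEGAL_ACCESS", user_id))
        for station in TERMINALS:             # notify every terminal
            self.broadcasts.append((station, "ILLEGAL_ACCESS", user_id))
        self.audit_trail.append({"when": when, "who": user_id,
                                 "what": "ILLEGAL_ACCESS", "where": terminal})

    def logon(self, when, terminal, user_id, password_ok):
        """Process one logon attempt; return True if access is granted."""
        if user_id not in self.password_set_on or not password_ok:
            count = self.failures.get(user_id, 0) + 1
            if count >= MAX_CONSECUTIVE_FAILURES:
                self._illegal_access(when, terminal, user_id)
                count = 0                     # start counting the next run
            self.failures[user_id] = count
            return False
        self.failures[user_id] = 0            # a success breaks the run
        if when - self.password_set_on[user_id] > PASSWORD_EFFECTIVE_PERIOD:
            # The slide describes an alarm requesting a check, not a lockout.
            self.system_alarms.append(("PASSWORD_CHECK_DUE", user_id))
        return True


def replay_constructed_log():
    """Replay a constructed sequence of logon attempts (not real plant data)."""
    t0 = datetime(2024, 1, 1, 8, 0)
    monitor = LogonMonitor({"DAN": datetime(2023, 12, 1),
                            "EVE": datetime(2023, 6, 1)})
    attempts = [  # (minutes after t0, terminal, user ID, password correct?)
        (0, "HIS0163", "DAN", False),
        (1, "HIS0163", "DAN", False),
        (2, "HIS0163", "DAN", True),    # success resets the counter
        (3, "HIS0123", "DAN", False),
        (4, "HIS0123", "DAN", False),
        (5, "HIS0123", "DAN", False),   # third consecutive failure -> alarm
        (6, "HIS0163", "EVE", True),    # password older than the period
    ]
    results = [monitor.logon(t0 + timedelta(minutes=m), his, uid, ok)
               for m, his, uid, ok in attempts]
    return monitor, results
```

The first two failures raise nothing because the successful logon in between resets the count; only the later run of three produces the broadcast and the single audit trail record, which names the terminal where the third attempt was made.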

§ Controls for identification codes/passwords
(e) Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.
Yokogawa works with each customer in studying the testing procedure and implementation.

Road map for improving features to meet 21 CFR Part 11
Present: R2.20 (Phase 0)
• Biometrics solution (fingerprint authentication)
• HIS security and security on Builders
• Security on changes to/creation of recipes
• Audit trail management for operations via HIS
• Self-documentation
R3.02 (Phase 1)
• Functional upgrade for builder/security for recipe management
• Functional upgrade for builder/audit trail for recipe management
• Enhanced security (password check, etc.)
R3.xx (Phase 2): Functional upgrade for audit trail and difference display
R3.xx (Phase 3): Dramatic function enhancement
Completion of full compliance with 21 CFR Part 11

Considerations for a DCS Other Than Articles in 21 CFR Part 11

Protection of System and Data
A provision should be made to disable the use of data reading devices such as the floppy disk and CD-ROM drive of a PC (human interface) when necessary.
— OR —
Use a console HIS, and the PC hardware can be installed inside the console desk with a key-locked door.
Common to System: Yokogawa or each user must purchase and install a hardware guard device with a key lock such as a cover lid from a third party. The user must control the use of the key.

The entire network for manufacturing should be made completely independent of any other corporate or external network.
A CS 3000 system can run on an independent network connected to no other system, and requires isolation using a router or the like when connected to a different network.
In a CS 3000, human interfaces (HISs) are inter-linked by Ethernet and controllers (FCSs) are linked by a dedicated control highway.

All hardware and software should be stored in an area that can be locked up.
Yokogawa works with each customer in studying the implementation.

Highly Reliable CS 3000 System
The system must be designed to prevent loss of data in the event of a failure such as a hardware failure or power failure.
Figure labels: dual-redundant batch server (master batch server, backup batch server, equalization); batch servers: max. 2 stations per recipe group; batch clients; HIS; Ethernet; dual-redundant Vnet control bus; FCS with dual-redundant controller CPU.

An automatic data backup feature should be provided to prevent an operation error or careless mistake from causing loss of data.
Quitting a Builder program in either System View or Recipe View saves the backup data to the specified location automatically.

Process data needed for manufacturing records should be collected by a computer wherever possible.
All process data held in a CS 3000 system can be collected by a PC running HIS, or by a different, upper-level PC connected to it via an OPC interface.
Figure labels: FCS, Vnet, HIS, Ethernet, unit supervision, recipe management PC, process management, batch server PC, OPC server, OPC client, batch report; data shown: process data, batch data, historical messages, trend data.

Events occurring in the controlled plant should be viewable via a terminal at an office desk; however, for security, data entry and changes via such an office terminal must be made impossible.
The Web Monitoring Package enables windows equivalent to HIS’s monitoring windows to be displayed via a WWW browser running on a PC, allowing process statuses to be monitored on a PC at a distant office. Data entry and changes cannot be performed; only monitoring is possible.

An existing system can be upgraded to a 21 CFR Part 11 compliant system in phases
HMI > upgrade for operation security and audit trail
FCS CPU > upgrade for builder security and audit trail
FCS I/O > upgrade for completion of system migration
Existing CENTUM V, CENTUM-XL, micro XL, and CENTUM CS systems can be upgraded into 21 CFR Part 11 compliant systems in phases.

What Can Existing Systems Do to Meet 21 CFR Part 11?

Existing system can be upgraded to 21 CFR Part 11 compliant system in phases
Step 1: CS 3000 HMI upgrade (additional). Operation security and audit trail.
Step 2: FCS CPU upgrade (additional). Builder security and audit trail.
Step 3: All FCS CPU upgrade (additional). All CPUs are upgraded. Completion of 21 CFR Part 11 system.
Step 4: FCS I/O upgrade (additional). The system is now complete CENTUM CS3000.
Diagram labels: Ethernet, COPS V, CFCD2, Vnet, HF-bus, HIS, ABC, CPU, I/O, Migration Type FCS.

Step 1: CS 3000 HMI upgrade (additional)
Operation security and audit trail
Only HMIs are upgraded to the latest CENTUM CS3000 HIS.
Diagram labels: Internet/Intranet, generic PCs, production management system, Ethernet, COPS V, CFCD2, Vnet, HF-bus, HIS, BCV, CPU, I/O.

Step 2: CS 3000 FCS CPU upgrade (additional)
Builder security and audit trail
Only FCS CPUs are upgraded to CENTUM CS3000 FCS CPUs.
All CPUs are upgraded
Diagram labels: Internet/Intranet, generic PCs, production management system, Ethernet, COPS V, CFCD2, Vnet, HF-bus, HIS, BCV, CPU, I/O, Migration Type FCS.

Step 3: CS 3000 All FCS CPU upgrade (additional)
When all CPUs are upgraded, COPS V and BCV can be dismounted.
Compliance with 21 CFR Part 11 is complete at this step.
Diagram labels: Internet/Intranet, generic PCs, production management system, Ethernet, Vnet, HF-bus, HIS, COPS V, BCV, CPU, I/O, Migration Type FCS.

Step 4: CS 3000 I/O cards upgrade (additional)
I/O cards can be upgraded without touching Signal Conditioning cards and field wiring.
Migration is completed, and the system extends its life as a complete CENTUM CS3000.
Compliance with 21 CFR Part 11 is complete.
Diagram labels: Internet/Intranet, generic PCs, production management system, Ethernet, Vnet, HIS, CS 3000 FCS, CPU, I/O.

Compliance with 21CFR Part11 for Each DCS Model (1 of 2)

Compliance with 21CFR Part11 for Each DCS Model (2 of 2)

Consistency with Upper-level Systems
DCS connected to a manufacturing execution system (MES) and a reporting system
Figure labels: MES; DCS; database for ID and password authentication; orders, results, conditions, etc.; logs of actions, changes, etc.; control of formatted documents; document control; data editing and long-term storage; raw data and temporary storage of data.
Note in figure: These do not exist at present.

Figure labels: Manufacturing Management System; Human Interface Stations; Field Control Stations; CENTUM CS 1000/3000; HIS in the field; Document Control System; Process Data Server; Process Control System.
• Process data and batch result acquisition
• Manufacturing orders
• Manufacturing records
• Inventory management
• Office applications
• Document control
Compliant Human Interface; Compliant Databases; Compliant, Substantial Electronic Data; Compliant Documents for System Administration; System Validation
Compliance with 21 CFR Part 11