The world leader in serving science OMNIC DS & Thermo Security Administration 21 CFR Part 11 Tools for FT-IR and Raman Spectroscopy

2 OMNIC DS & Thermo Security Administration Software  What is it? Security control software: safeguards data files, maintains audit trails, controls access to system, and controls access to specific software functions Allows a single set of IT policies to cover all Thermo molecular spectroscopy instruments on a network (local or global)  Who buys it? Required for pharmaceutical companies due to regulations Not just at QA/QC level – but pushing upstream to R&D Suppliers to pharmaceutical companies starting to self-regulate Anyone with internal data security policies.  How the customer benefits Decreased chance of “operator error” affecting data integrity Can enforce following SOPs Required for 21 CFR 11 and Annex 11 compliance (operator authentication and accountability) Centrally manage security policies for all Thermo instruments

3 21 CFR Part 11  Part 11 of the Title 21 - Food and Drugs of the Code of Federal Regulations  Adopted into law August 20, 1997  Outlines U.S. FDA’s criteria for accepting electronic records and signatures  Developed under current Good Manufacturing Guidelines (cGMP)  Addresses concerns of the FDA regarding: maintaining the trustworthiness, reliability, and integrity of electronic records ensuring the equivalence of electronic and paper records and signatures  The regulation was created to prevent fraud and assure accountability in the generation, signing, and storage of electronic records

4 Key components of 21 CFR Part 11  1. Access Control (The system should restrict access in accordance with pre-configured rules that can be maintained. Any change to the rules should be recorded)  2. Audit trail (The system should be capable of recording all electronic record create, update, and delete operations. This record should be secure from unauthorized alteration)  3. Authentication (The system should provide proof of identity)  4. Digital signatures (The system must provide a method for linking electronic signatures to their respective electronic records in a way that prevents the signature from being copied, removed, or changed. Additionally, the system should be able to detect invalid or altered records)

5 Software & 21 CFR Part 11 Compliance  Predicate rules determine which records must meet requirements cGMP, GLP, GCP Risk assessment to determine critical nature of records  Software by itself cannot be “21 CFR Part 11 Compliant” The regulation is as much about how the software is used as what the software can do  However, software must have certain features to be able to meet specific 21 CFR 11 requirements Digital or electronic signatures Access controls Audit trails  And, the system owner must establish policies and procedures to achieve compliance Validation Security enforcement (Log on, passwords, user-specific privileges)

6 OMNIC DS Software & Thermo Electron’s Security Administration Server  Extend OMNIC’s feature set to address key components of the 21 CFR Part 11 regulation, including: System access control Ensuring proper system use Establishing record responsibility Maintaining system and record histories Enforcing record integrity

7 System Access Control  Security Administration controls access to all aspects of OMNIC software based on existing Windows users or groups can be managed locally or over a network  Logon Authentication is required to run OMNIC software must be the same user logged on to the computer

8 Ensure Proper System Use  Security Administration sets OMNIC policies to ensure proper use

9 In addition, OMNIC DS has many other features to ensure proper system use: Collect Status Indicator Automatic Digital Signatures Bench Status Indicator Configurable Toolbar No-Menu Operation Live display with scan counter Automatic Saving of Spectral Data Macro Routines

10 Establish Record Responsibility  OMNIC DS: ensures that only the logged on user can sign electronic records applies digital signatures automatically, per OMNIC policy settings on request for review, approval, etc.  Signature meanings configured through Security Administration choose preset or user-entered reasons  Digital signatures are displayed with spectral data  Signatures also verified with the “Verify File” command from OMNIC DS

11 Maintain System and Record Histories (1) “Thermo Electron” custom log created in Windows Event Viewer Tracks program use and file events, even when OMNIC is not running!

12 Maintaining System and Record Histories (2) Categories of tracking include:  data collection information  data description  spectrometer description  collection errors  data processing history  current digital signature status  digital signature history  experiment information  spectral quality test results  all operations are stamped with operator, date, and time (referenced to GMT) OMNIC automatically logs all spectral operations This metadata is saved as part of the spectral data file. It can not be edited and stays with the file wherever it goes!

13 Enforcing Record Integrity  OMNIC DS uses digital signatures which… provide encryption of the signature detect changes made to the file, which invalidate the signature are more secure than simple electronic signatures, which don’t provide this tamper detection  Security Administration OMNIC policies ensure record integrity by… preventing files from being overwritten storing spectral data files automatically, without operator intervention enforcing storage of files to secure directories  Event Viewer audit trails…. provide a record of attempts to modify or delete data or improperly use programs  Spectral data audit trails… indicate if any undesired manipulation of data was applied

14 Validation: A key requirement of 21 CFR Part 11  The system owner must develop protocols for validating their system and assuring accountability for records.  Thermo Electron facilitates the validation process by: Following our ISO-9001 certified Product Development Process with extensive software validation  Thermo Electron also offers qualification products and services: For spectrometers Qualification software and binder IQ and OQ Services For OMNIC DS software IQ and OQ Procedures Qualification Services “… such procedures and controls shall include the following: (a) Validation of systems to ensure accuracy, reliability, consistent intended performance …”

15 Subpart A – General Provisions § 11.3: Relevant Definitions  Electronic record Any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.  Electronic signature A computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual’s handwritten signature.  Digital signature – (USED BY OMNIC DS TO DETECT FILE TAMPERING) Electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.  Closed system – (REQUIRED BY OMNIC DS FOR 21 CFR PART 11 COMPLIANCE) An environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.  Open system An environment in which system access is controlled by persons who are not responsible for the content of electronic records that are on the system.

16 Security Administration – OMNIC Access Control

17 Security Administration – OMNIC Policies

18 Security Administration – Signature Meanings

19 OMNIC Configurations still used for toolbars and program options