General Concepts

CFR21 Part 11 General Concepts

The scope of the CFR21 Part 11 regulations issued by the Food & Drag Administration (FDA), is to obtain the legal equivalence of electronic documents (digital records and electronic signatures) to that of paper records and handwritten signatures executed on paper. This is due to the increasingly frequent use of automatic systems in managing production process systems subjected to FDA federal agency approval and revision. In order for the automation and control system to be in conformity with the CCFR21 Part 11 norm. it is necessary that recorded data are traced back to the responsible operator (Electronic Signatures). Furthermore, specific precautions must be taken to prevent falsifications or tampering of data recorded electronically, or that allow easy identification in cases of inappropriate use whether intentional or accidental.

Many pharmaceutical companies wish to take advantage of the benefits derived from the use of electronic signatures. It is astonishing how much paper, that has to be stored, accumulates over the years. In addition, the use of electronic records significantly reduces the time needed to retrieve and revise these documents before releasing medicine for sale on the market.

These companies should apply for equipment that have the necessary mechanisms to protect against accidental or malicious modification of data in electronic format.

General concepts for supporting this regulation

The following concepts relating to the 21 CFR Part 11 regulation define how it would be advantageous to use Movicon.NEXT to develop FDA CFR Part 11-ready projects.

The basic concepts have been listed below to give better clarity on the understanding that the user takes full responsibility to ensure that their application developed with Movicon.NEXT conforms with the relevant requirements.

Please remember that the hardware-software application is always to be validated in its entirety and not each individual product or component. It is the user's responsibility to create projects to conform to the 21 CFR Part 11 regulation.

Management to Trace Variable Modifications

Tracing variable modifications will be managed by Movicon.NExT using the Historian (historicals and data logger), therefore you must make sure the relevant option is activated on the license.

If this option is not activated you will still have use of the Audit interface's functions without being able to execute any traces.

Different properties will be involved in order to manage the Audit Trace of variable modifications. For further information please click the link relating to the topic of interest:

Objects

Data validation is performed using the ‘Audit Trail Validator’ control object from the Movicon. NExT toolbox.

The Data Source to be verified can be specified in the control's properties.

- Audit Trail Validator

Users and Passwords

All the application commands that can be executed by operators to interact on the process must be protected by passwords.

The password management must be enabled in the project’s User Password resource’s General Properties.

Electronic Signature
Name (ID) and Password
Enable Password Management
Password Expires in Days
Force password change after first Login
Minimum Password length
Auto LogOut timeout

Tag

Movicon.NExT offers the possibility to trace all status variations and those of each variable value with significant relevance or that influence the production process. For example, an appropriate system to trace all significant process variables, such as set-points or process commands) should be ensured by using what is now as an Audit.

Movicon.NExT offers an Audit property group to allow users to define how the Audit is to be managed for each individual variable concerned.

Max Audit Age
Access Level Required to Confirm
Enter Comment On Audit
Enable Audit Trace
Force Password On Audit

Server

The audit-trail's role is to record all activities performed on variables by users during runtime. The recording of these activities is enabled by simply selecting the 'Enable Audit Trace' option in the variable properties. To validate a data set record in the database to ensure that it does not get altered externally, you will need to enable the 'Enable Data Protection' property found in the I/O Data Server's 'Settings' section. When this property is enabled, the I/O Server will startup with a certain user that is created by the Movicon Setup. This user, whose name for default is “NExT_IO_Server”, and their password will be encrypted and will be used by the system to manage recordings in the Database. It is also the only user that can validate data by using by the “Validatore Audit Trail” object from the ToolBox.

Default Audit Trace Connection
Enable Data Protection in File

In certain procedures you will need to pay attention to the user with whom the Movicon.NExT I/O server is started up with. These procedures are:

when deliberately changing the user in the Movicon.NExT server's 'Service Control Panel'.
when installing the Movicon.NExT server's service using the 'Service Control Panel' before enabling the data protection option.
when setting databases with a default connection string within which the authentication of a certain user is forced.

Historian

Enable Data File Protection

Setting the database with a custom connection string (DB Connection String property) and specifying a certain user to access the DB will prevent data from being validated.

Datalogger

Enable Data File Protection

Setting the database with a custom connection string (DB Connection String) and specifying a certain user to access the database will prevent data from being validated.

Click CFR21 Part 11 to download the document.