Introduction

The 1997 FDA ruling 21 CFR Part 11 defined cri-

teria for FDA acceptance of electronic records

and electronic signatures.1 Intended to reduce

requirements for paper records, 21 CFR Part 11

precipitated sweeping changes in the pharmaceu-

tical industry. In February 2003, the FDA issued

a draft guidance document that more narrowly

defined the scope and application of 21 CFR Part

11.2 This draft document limited 21 CFR Part 11

applicability to certain records required by the

predicate rules (GLP, GMP, etc.), as well as to

electronic records generated by medium- and

high-risk systems. The latter are defined as sys-

tems that generate data relevant to product

quality, product safety, and public health. This

definition encompasses the majority of the chro-

matography data systems used in the pharma-

ceutical industry.

21 CFR Part 11 Compliance Features of the LC/MSD Trap Security Pack 1.0 Software

Technical Overview

Patrick Perkins, Frank Kuhlmann, and Bryan MillerAgilent Technologies

Agilent maintains an ongoing commitment to help

customers comply with regulatory requirements.

This has led to development of a wide range of

software and compliance services. This applica-

tion note presents compliance features available

in the security pack software for the Agilent 1100

Series LC/MSD Trap ion trap mass spectrometer.

Also discussed are Agilent compliance services

and training available for this instrument.

While compliance is ultimately the responsibility

of the laboratory, and there are aspects of compli-

ance (such as records retention, change control,

and password protection policies) that only the

laboratory can address, Agilent’s comprehensive

compliance products and services help to stream-

line the compliance process.

21 CFR Part 11 Compliance Features of the LC/MSD Trap SecurityPack 1.0 Software

2

Agilent Technologies

Requirements of 21 CFR Part 11

The regulations in 21 CFR Part 11 are designed to ensure data integrity, security and traceability.In 21 CFR Part 11, the FDA distinguishes betweenopen and closed systems and requires differentcontrols for each. The LC/MSD Trap software isdesigned for the closed systems that typify phar-maceutical firms. These are systems where thereis physical access control to the site itself, andwhere the company has a firewall in place fornetwork applications. For closed systems, the rule mandates the following:

• System validation

• Ability to create accurate and complete copiesof records

• Limited system access

• Protection of electronic records so they can beretrieved throughout the records retention period

• Audit trails

• Operational system checks to ensure that stepsare followed in the correct order

• Authority checks

• Device or terminal checks

• Training

• Written policies that hold persons responsiblefor actions with their electronic signatures

• Controls over system documentation

The LC/MSD Trap Security Pack 1.0 Software,along with Agilent’s extensive compliance services,helps users meet many of these requirements.

System validation

System validation ensures accuracy and reliabilityof analytical systems. To this end, Agilent main-tains a highly-trained service organization to per-form installation qualification and operationalqualification for the LC/MSD Trap. Installationqualification (IQ) ensures that all components ofthe system are received and properly installed.

Operational qualification/performance verification(OQ/PV) ensures that the system meets specifiedperformance criteria through analysis of specificsamples under documented conditions.

Performance qualification (PQ) is an ongoing vali-dation program that laboratories use to prove thatan instrument performs according to a specifica-tion appropriate for its routine use. A good PQprogram helps laboratories to address smallinstrument problems before they become majorissues. Agilent-certified engineers are trained toperform preventive maintenance, which supportsa laboratory’s ongoing performance qualificationefforts and can be combined with PQ to minimizedowntime.

For proper system validation, it is also importantthat the system vendor develops the product usinga validated lifecycle with appropriate controls.Agilent develops its hardware and software prod-ucts according to a well-defined product develop-ment lifecycle, to ensure a consistent level ofproduct quality and conformity with regulations.

Complete copies

To meet 21 CFR Part 11 requirements, the systemmust allow the creation of “accurate and completecopies of records in both human-readable andelectronic form.” The LC/MSD Trap achieves thisvia storage of the metadata and audit logs requiredto reconstruct the events which lead to the reportedresults. Data can be copied to CD or DVD usingstandard copy utilities. Audit trails can be printed,either directly as text files, or after import intospreadsheet programs. Data and results can alsobe printed.

Limited system access and password protection

21 CFR Part 11 mandates that access to systemsbe limited to authorized individuals. The LC/MSDTrap security pack software addresses this aspectof the rule by requiring that each user log on witha valid password. The software includes a User-Management Administration Tool that makes iteasy for a system administrator to set up opera-tors, their passwords, and their rights (see Figure 1).

3

21 CFR Part 11 Compliance Features of the LC/MSD Trap SecurityPack 1.0 Software

pack software ensures that this is the case bypreventing even the system administrators fromknowing other users’ passwords. While the systemadministrator assigns the initial user password,the user must change it at first logon.

21 CFR Part 11 also requires that to preventunauthorized access, the software applicationmust timeout after a period of inactivity. Asshown in Figure 2, the system administrator cancustomize the timeout setting. He can also cus-tomize other aspects of the password policy, suchas password length and expiration.

The system administrator assigns each user toone or more user groups. The user groups deter-mine the user’s rights, so that some users canhave a wide range of access and control, whileothers can be limited to only the minimum func-tions they require. For convenience, the softwareincludes preconfigured user groups for adminis-trators, operators, project managers, scientists,and service personnel. New groups can be createdby cloning established groups, or by startingcompletely fresh.

An important requirement of 21 CFR Part 11 isthat only the users themselves know their indi-vidual passwords. The LC/MSD Trap security

Agilent Technologies

Figure 1. Easy setup of operators, passwords, and rights

Set up operators

Set rights for eachuser group

Assign operatorsto specific groups

Set up customgroups

Set up passwordpolicy and timeouts

Agilent Technologies

4

21 CFR Part 11 Compliance Features of the LC/MSD Trap SecurityPack 1.0 Software

When laboratories have multiple LC/MSD Trapsystems, the system manager can install the User-Management Administration Tool on a centralserver. This server can also be one of the LC/MSDTrap control PCs. The server allows user adminis-tration to be managed efficiently for the entirelaboratory using a single central PC.

Protection of electronic records

21 CFR Part 11 requires that electronic records(data) be protected so that they can be accessedthroughout the records retention period. Thereare features within the software to guard against

Figure 2. Customizable pass-word policies

overwriting data. The LC/MSD Trap security packsoftware also employs data versioning so thatprocessed data is never overwritten; rather, mul-tiple copies are maintained as part of a “resulthistory.” As shown in Figure 3, this history can beconveniently opened using a menu item in Data-Analysis. Individual processed results and pro-cessing parameters can be reloaded and easilyexamined by the user or FDA inspectors. Thecapability to delete results is controlled as a sepa-rate user privilege that can be withheld from allusers, and the deletion process is recorded andmaintained in the results history.

5

Agilent Technologies 21 CFR Part 11 Compliance Features of the LC/MSD Trap SecurityPack 1.0 Software

The user and system audit trails are accessed via the other two buttons shown at the top of Fig-ure 4. The user audit trail gives information on whologged on, at what time, and from which client PC.This audit trail records logon attempts that failedbecause the user name and/or password wereentered incorrectly. The system audit trail recordswhen the LC/MSD Trap software was started, bywhom, and which version of software was used. It also records which methods were loaded, bywhom, and when.

Audit trails

Audit trails track how data records are changed,for example, during the course of results review.The LC/MSD Trap security pack software trackssystem events and user actions in computer-gener-ated, time-stamped, secure, user-independent,human-readable audit trails, as shown in Figure 4.Audit trails track all operations for the system,methods, and analyses. The audit trails for dataand methods are accessed via the ElectronicRecord button shown at the top of Figure 4.

Figure 3. Easy access to Result History

6

Agilent Technologies 21 CFR Part 11 Compliance Features of the LC/MSD Trap SecurityPack 1.0 Software

Operational system checks

Operational system checks ensure that processesare followed in the correct order. The LC/MSDTrap software achieves this by requiring that stepsbe accomplished in a logical order. For example, to prevent untracked changes to methods, acquisi-tion start will always trigger retrieval of the storedmethod (method of record).

Authority checks

The LC/MSD Trap security pack software performsauthority checks to ensure that only authorizedindividuals use the system, alter a record, or elec-tronically sign a record. The software accomplish-es this by requiring all users to log on with theiruser name and password both initially and aftertimeouts. If a user attempts to perform a functionfor which he lacks the right, the software alertshim and the command fails to execute.

Training

The FDA rule requires training for those whodevelop, use, and maintain electronic records.Agilent offers both basic and advanced trainingfor LC and LC/MSD Trap users. Comprehensivesoftware familiarization exercises and exampledata are included with the LC/MSD Trap. A soft-ware tutorial that covers data acquisition, dataanalysis, and automation is available for free onthe Agilent website. In addition, Agilent offerscompliance-related courses on instrument qualifi-cation and method validation. Free e-seminars areavailable on specific compliance and application-based topics.

Figure 4. Audit trail for DataAnalysis

7

Agilent Technologies 21 CFR Part 11 Compliance Features of the LC/MSD Trap SecurityPack 1.0 Software

Electronic signatures

The LC/MSD Trap security pack software enablesuse of electronic signatures. In compliance withthe FDA rule, these electronic signatures use twodistinct identification codes—a user ID and a pass-word. (See Figure 5.) Both must be reentered eachtime a record is signed. As an added safeguardagainst password “guessing,” the administratorcan set password aging policies, can force pass-word changes at any time, and can automaticallylock users out if they enter their password incor-rectly too many times.

Tools are provided to make it straightforward toload and sign processed results that have beenpreviously saved. Both DataAnalysis and Quant-Analysis maintain a Result History. For Data-Analysis, the Result History pertains to each

Figure 5. Electronicsignature requiresboth operator nameand password

individual data file, while for QuantAnalysis theResult History pertains to each quantitation set.An example is shown in the background of Fig-ure 5. These histories allow one to rapidly load,examine, and sign previous versions of theprocessed results, along with the full set ofprocessing parameters.

Conclusions

While the scope of 21 CFR Part 11 has beennarrowed, most analytical instruments used inregulated industries still need to comply with this FDA rule. The LC/MSD Trap Security Pack1.0 Software provides customers with criticalcompliance tools. Agilent compliance services and Agilent training complete the total compli-ance solution for this instrument.

Agilent Technologies 21 CFR Part 11 Compliance Features of the LC/MSD Trap SecurityPack 1.0 Software

www.agilent.com/chem

© Agilent Technologies, Inc. 2004

Information, descriptions and specifications in this publication aresubject to change without notice. Agilent Technologies shall not be liablefor errors contained herein or for incidental or consequential damages inconnection with the furnishing, performance or use of this material.

Printed in the U.S.A. February 25, 20045989-0624EN

References

1. “21 CFR Part 11. Electronic Records; Elec-tronic Signatures; Final Rule Electronic Sub-missions; Establishment of Public Docket;Notice,” Department of Health and HumanServices, Food and Drug Administration,Federal Register, March 20, 1997.

2. “Guidance for Industry Part 11, ElectronicRecords; Electronic Signatures—Scope andApplication,” Department of Health andHuman Services, Food and Drug Administra-tion, February, 2003.

Authors

Patrick Perkins, Frank Kuhlmann, and BryanMiller are scientists at Agilent Technologies inSanta Clara, California U.S.A.