Technical Information

CENTUM CS 1000/CS 3000 Yokogawa's Approach to meeting FDA 21 CFR Part 11

TI 33Q01A61-01E ©Copyright Feb. 2002 (YK), 3rd Edition Sep. 2003 (YK)



Introduction

Electronic records and signatures are increasingly important to the process control and automation industry, which wants to capitalize on the efficiency, reduced cost, and simplified storage that come with eliminating paper documents. The U.S. federal regulations governing access, storage, security and related aspects of electronic records and electronic signatures are defined in the Code of Federal Regulations, Title 21, Volume 1, Part 11 (abbreviated CFR21P11). Yokogawa Electric Company provides solutions for various industries. For the pharmaceutical industry, Yokogawa's product line includes dedicated packages for production management in pharmaceutical plants. Used together with Yokogawa's control system, these packages allow a comprehensive FDA 21 CFR Part 11 compliant plant control system to be built.

This document is the primary reference for Yokogawa's 21 CFR Part 11 compliant control system and its applications. The explanation focuses on the control schemes that correspond to the 21 CFR Part 11 provisions.

Implementing a 21 CFR Part 11 compliant control system requires an understanding of what the 21 CFR Part 11 regulations mean. In the 21 CFR Part 11 compliant control system, the applications that correspond to the 21 CFR Part 11 provisions are delivered with instruction manuals describing the standard operating procedures for using them. Reading and understanding these documents is therefore important for the personnel involved in applying Yokogawa's 21 CFR Part 11 compliant control system.

All Rights Reserved Copyright © 2002, Yokogawa Electric Corporation Sep. 30, 2003-00


Scope

Chapter 1 describes the CS 1000/CS 3000 system configuration that conforms to CFR21P11 and the related software packages.

Chapter 2 lists the applications in CENTUM CS 1000/CS 3000 that correspond to the 21 CFR Part 11 provisions. An item marked [Y] means Yokogawa provides an application that supports that provision. An item marked [U] means the user must properly utilize and manage the CS 1000/CS 3000 application to conform to the provision. Even for items marked [Y], the user still needs to prepare a standard operating procedure (SOP) so that the application is used in a way that conforms to the corresponding regulation.

Chapter 3 explains how to build a 21 CFR Part 11 compliant CS 1000/CS 3000 control system and which application packages are required.

Chapter 4 explains how date and time adjustment is handled in CENTUM CS 1000/CS 3000 control systems, since consistent date and time are critical for the audit trails regulated by 21 CFR Part 11.

IMPORTANT

21 CFR Part 11 is a regulation issued by the FDA of the U.S. government. This document uses the phrases "21 CFR Part 11 compliant" and "conform to 21 CFR Part 11 provisions"; however, the compliance and conformity stated here are based on Yokogawa's understanding of 21 CFR Part 11. It is the user's responsibility to determine whether to accept Yokogawa's systems as compliant and conforming. Users of Yokogawa's control system therefore need to fully understand the 21 CFR Part 11 regulations and the corresponding applications in CENTUM CS 1000/CS 3000 control systems, and need to create a standard operating procedure based on their own policy for applying and implementing them with the control system.


CONTENTS

1. CENTUM CS 1000/CS 3000 Basic System Configuration in Compliance with FDA 21 CFR Part 11 (1-1)
  1.1 Standard CS 3000 Functionality Architecture Conforms to 21 CFR Part 11 (1-1)
  1.2 Architecture of Enhanced Capability for Archiving the Long Term Operation Result Data (1-2)

2. CENTUM CS 1000/CS 3000 21 CFR Part 11 Compliance Summary Table (2-1)
  Part 11 ELECTRONIC RECORDS; ELECTRONIC SIGNATURES
  General Provisions (Subpart A) (2-2)
    11.1 Scope (2-3)
    11.2 Implementation (2-4)
    11.3 Definitions (2-4)
  Electronic Records (Subpart B) (2-5)
    11.10 Controls for closed systems (2-5)
    11.30 Controls for open systems (2-8)
    11.50 Signature manifestations (2-8)
    11.70 Signature/record linking (2-9)
  Electronic Signatures (Subpart C) (2-10)
    11.100 General requirements (2-10)
    11.200 Electronic signature components and controls (2-10)
    11.300 Controls for identification codes/passwords (2-12)
  Authority: Secs. 201-903 of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 321-393); sec. 351 of the Public Health Service Act (42 U.S.C. 262).


3. Guidance on Conforming CENTUM CS 1000/CS 3000 to 21 CFR Part 11 (3-1)
  3.1 Access Restrictions (3-1)
  3.2 Audit Trails (3-9)
  3.3 Report Package PHS6530/LHS6530 (3-12)

4. Time Management of CENTUM CS 1000/CS 3000 (4-1)
  4.1 Time Management of a CENTUM CS 1000/CS 3000 Domain (4-1)
    4.1.1 Time Stamp of Audit Trail Record (4-1)
    4.1.2 Time Synchronization Scheme (4-2)
    4.1.3 System Clock and VEHICLE Clock (4-3)
    4.1.4 Cautions (4-3)
    4.1.5 Time Synchronization of Others (4-4)
  4.2 Time Synchronization Across Domains (4-5)
    4.2.1 Time Notification (4-5)
    4.2.2 Time Synchronization Between Domains (4-5)
    4.2.3 BCV Settings (4-5)
  4.3 Time Related Notices (4-6)
    4.3.1 Summer Time (4-6)
    4.3.2 Accuracy of VEHICLE Clock (4-6)
    4.3.3 Time Synchronization with Exaquantum (4-7)
    4.3.4 Time Synchronization with External Clock (4-8)


1. CENTUM CS 1000/CS 3000 Basic System Configuration in Compliance with FDA 21 CFR Part 11

1.1 Standard CS 3000 functionality Architecture Conforms to 21 CFR Part 11

In CS 3000, the users who access the system are classified into the following four user groups (A to D), plus the System Administrator, who manages the audit trails of user management.

A Operator: user rights for process operation.

B Operator (Reporter): user rights for reporting (printing a report, creating a report).

C Instrumentation Engineer: user rights for maintaining the system builders.

D Recipe Engineer: user rights for creating master recipes.

System Administrator: user rights for access management, audit policy changes, system error handling, and all operations granted to the administrator of the local computer.

Figure: Standard CS 3000 Functionality Architecture Conforms to 21 CFR Part 11 (F010001.ai)

Each user group has its own audit trail, and all of them are collected for the whole system:
  A: Audit Operator Events (Operation Events)
  B: Audit Operator Events (Report and Print Events) (*1)
  C: Audit Instrumentation Engineer Events
  D: Audit Recipe Engineer Events
  System Administrator: audit trail database of user groups A to D; audit trails of the whole system and all events
Components shown: site HIS stations, an engineering PC with the System Builders and Recipe Builders, FCS, Ethernet and V net, each HIS/PC with access control and audit trail; an audit trail data server that saves data, searches data and reports search results.
*1: To be released in R3.03
HIS: Human Interface Station; FCS: Field Control Station

Note: Do not install the engineering builders on an HIS. Doing so can cause problems with activating the screen lock described later in this document.


1.2 Architecture of Enhanced Capability for archiving the Long Term Operation Result Data

CENTUM CS 3000 has various capabilities that conform to the stipulations of CFR21P11. If CENTUM CS 3000 is connected to Exaquantum/Batch, Yokogawa's PIMS (Plant Information Management System) (*1), long-term trend storage, long-term production logging, batch cycle improvement, various advanced analyses and advanced batch control system configurations can be realized. Exaquantum/Batch is a package highly compatible with the CENTUM CS 1000/CS 3000 control system and can be connected to it simply. Using Exaquantum/Batch, large quantities of long-term data can be stored in a highly reliable relational database (RDB).

Figure: Architecture of Enhanced Capability for Archiving the Long Term Operation Result Data (F010002.ai)

CENTUM CS 3000 side (conforms to 21 CFR Part 11): HIS stations (including HIS in the field), an engineering PC with the System Builders, FCS on V net and Ethernet; audit trail databases of the HIS, of the System Builders and of the Recipe Builders (*1); Audit Operator Events, Audit Recipe Engineer Events, Audit Instrumentation Engineer Events, Recipe Management (*1); the System Administrator audits all audit trail data of CS 3000; an audit trail data server and report function (save data, search data, report search results as printout or PDF files).
Batch PIMS Exaquantum/Batch side (conforms to 21 CFR Part 11): Batch Trend (*1), save operation result data, archive control recipes, batch analysis, web client, etc.
*1: Available when using CS Batch 3000
HIS: Human Interface Station; FCS: Field Control Station


2. CENTUM CS 1000/CS 3000 21 CFR Part 11 Compliance Summary Table

Part 11 ELECTRONIC RECORDS; ELECTRONIC SIGNATURES

Subpart A General Provisions
  11.1 Scope
  11.2 Implementation
  11.3 Definitions

Subpart B Electronic Records
  11.10 Controls for closed systems
  11.30 Controls for open systems
  11.50 Signature manifestations
  11.70 Signature/record linking

Subpart C Electronic Signatures
  11.100 General requirements
  11.200 Electronic signature components and controls
  11.300 Controls for identification codes/passwords

Authority: Secs. 201-903 of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 321-393); sec. 351 of the Public Health Service Act (42 U.S.C. 262).


General Provisions (Subpart A)

Subpart A of CFR21P11 defines the scope, implementation, and definitions of Part 11. These sections are provided mainly for information and for understanding the requirements in Subparts B (Electronic Records) and C (Electronic Signatures). CFR21P11 applies to all computer systems that store or handle electronic information required either for retention for, or for submittal to, the Food and Drug Administration (FDA). These regulations apply to the CS 1000/CS 3000 Human Machine Interfaces (including standard HIS stations, Recipe Development Stations, Engineering/Builder Stations, and Remote Reporting Stations). CS 1000/CS 3000 Human Machine Interfaces (HMI) are commercially available personal computers/workstations running Microsoft Windows operating systems and off-the-shelf Yokogawa CS 1000/CS 3000 software applications. These systems assemble data, alarms, messages, and other electronic information in a secure environment and are considered the point of creation of the electronic records.

The CS 1000/CS 3000 distributed control system is configured and maintained in an environment controlled by the end user. Access to the CS 1000/CS 3000 HMI is limited to authorized personnel with predefined privileges; these individuals are authorized to control the associated part(s) of the manufacturing process. In accordance with the definition in 11.3(b)(4), CS 1000/CS 3000 is therefore a closed system for the purposes of limiting access and maintaining the integrity of electronic records.

The electronic signature provided in the CENTUM CS 1000/CS 3000 system cannot be used as a signature carrying legal responsibility; it is only an attribution attached to the electronic record (*1). For electronic signatures on logging reports, such as daily reports or batch reports, the signature features of Acrobat can be used. In the following table, the provisions of Subpart C are described with regard to personal authentication.

*1: Electronic signature with legal responsibility: a signature used in a report for approval, authorship, and so on. Attachment to an electronic record: a signature attached to the electronic record to identify the personnel who have accessed the record.


Listing of Titles and General Provisions (Subpart A)

TITLE 21 FOOD AND DRUGS
PART 11 ELECTRONIC RECORDS; ELECTRONIC SIGNATURES

Subpart A--General Provisions
  Sec. 11.1 Scope. 11.2 Implementation. 11.3 Definitions.
Subpart B--Electronic Records
  11.10 Controls for closed systems. 11.30 Controls for open systems. 11.50 Signature manifestations. 11.70 Signature/record linking.
Subpart C--Electronic Signatures
  11.100 General requirements. 11.200 Electronic signature components and controls. 11.300 Controls for identification codes/passwords.

Authority: 21 U.S.C. 321-393; 42 U.S.C. 262.
Source: 62 FR 13464, Mar. 20, 1997, unless otherwise noted.

Subpart A General Provisions

§11.1 Scope.

(a) The regulations in this part set forth the criteria under which the agency considers electronic records, electronic signatures, and handwritten signatures executed to electronic records to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper.

(b) This part applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted, under any records requirements set forth in agency regulations. This part also applies to electronic records submitted to the agency under requirements of the Federal Food, Drug, and Cosmetic Act and the Public Health Service Act, even if such records are not specifically identified in agency regulations. However, this part does not apply to paper records that are, or have been, transmitted by electronic means.

(c) Where electronic signatures and their associated electronic records meet the requirements of this part, the agency will consider the electronic signatures to be equivalent to full handwritten signatures, initials, and other general signings as required by agency regulations, unless specifically excepted by regulation(s) effective on or after August 20, 1997.


(d) Electronic records that meet the requirements of this part may be used in lieu of paper records, in accordance with §11.2, unless paper records are specifically required.

(e) Computer systems (including hardware and software), controls, and attendant documentation maintained under this part shall be readily available for, and subject to, FDA inspection.

§11.2 Implementation.

(a) For records required to be maintained but not submitted to the agency, persons may use electronic records in lieu of paper records or electronic signatures in lieu of traditional signatures, in whole or in part, provided that the requirements of this part are met.

(b) For records submitted to the agency, persons may use electronic records in lieu of paper records or electronic signatures in lieu of traditional signatures, in whole or in part, provided that:

(1) The requirements of this part are met; and

(2) The document or parts of a document to be submitted have been identified in public docket No. 92S–0251 as being the type of submission the agency accepts in electronic form. This docket will identify specifically what types of documents or parts of documents are acceptable for submission in electronic form without paper records and the agency receiving unit(s) (e.g., specific center, office, division, branch) to which such submissions may be made. Documents to agency receiving unit(s) not specified in the public docket will not be considered as official if they are submitted in electronic form; paper forms of such documents will be considered as official and must accompany any electronic records. Persons are expected to consult with the intended agency receiving unit for details on how (e.g., method of transmission, media, file formats, and technical protocols) and whether to proceed with the electronic submission.

§11.3 Definitions.

(a) The definitions and interpretations of terms contained in section 201 of the act apply to those terms when used in this part.

(b) The following definitions of terms also apply to this part: (1) Act means the Federal Food, Drug, and Cosmetic Act (secs. 201–903 (21 U.S.C. 321–393)). (2) Agency means the Food and Drug Administration.

(3) Biometrics means a method of verifying an individual’s identity based on measurement of the individual’s physical feature(s) or repeatable action(s) where those features and/or actions are both unique to that individual and measurable.

(4) Closed system means an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.

(5) Digital signature means an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.

(6) Electronic record means any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.

(7) Electronic signature means a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual’s handwritten signature.

(8) Handwritten signature means the scripted name or legal mark of an individual handwritten by that individual and executed or adopted with the present intention to authenticate a writing in a permanent form. The act of signing with a writing or marking instrument such as a pen or stylus is preserved. The scripted name or legal mark, while conventionally applied to paper, may also be applied to other devices that capture the name or mark.

(9) Open system means an environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system.


Electronic Records (Subpart B)

The CS 1000/CS 3000 family of distributed control systems is capable of generating a variety of electronic records for process historical reports, operator logs, trends, audit trails (configuration management), and more.

Listing and Analysis of Subpart B CS 1000/CS 3000 Solutions

Subpart B Electronic Records

§11.10 Controls for closed systems. Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following:

CS 1000/CS 3000 are closed systems for the purposes of limiting access and maintaining the integrity of electronic records. Secure methods for operator and engineer access to the four major operations (Process Operation, Builder Maintenance, Process Data Reporting (R3.03), and Master Recipe Maintenance) are designed in accordance with CFR21P11. In this table the HIS user groups (Operator, Reporter, Instrumentation Engineer and Recipe Engineer) are referred to collectively as engineering groups, and the members of these groups are referred to as operators.

(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.

T Validation of CS 1000/CS 3000 systems is performed in accordance with the end user's master validation plan. All process operations are recorded automatically by the system Audit Trail. If required, all operations performed for Process Data Reporting, Builder Maintenance and Master Recipe Maintenance are also recorded automatically by the system Audit Trail function.

(b) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records.

T In consideration of the requirements for portability, security, and traceability, electronic records can be output to widely used file formats suitable for long-term storage and for review and evaluation by the FDA. Specific examples:
  - Audit Trail: PDF
  - Trend Data: CSV
  - Reports: CSV, XLS, PDF
  - Master Recipe: PDF (using the self-documentation package)
Using Exaquantum, Yokogawa's PIMS (Plant Information Management System), control recipes and various production result data can be stored in an RDB and exported to various file types.

T: Yokogawa DCS supports the required functionality. User must create a SOP for utilizing the functionality.


(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period.

T The Audit Trail is provided with a viewer that allows the required records to be searched correctly and rapidly. With this viewer, electronic records can be searched efficiently by date, personnel, batch ID, equipment, message type, and so on. The search result together with the search conditions (meta-data) can be output to a read-only PDF file. When audit trail data is saved, the free space on the hard disk is checked; CPU usage, communication load and memory usage can also be checked by the DCS.

(d) Limiting system access to authorized individuals.

T System access limitations are provided for:
  - System Administration
  - Process Data Reporting
  - Process Operation and Monitoring
  - System Maintenance (Builder)
  - Recipe Generation (Master Recipe Maintenance)
Personnel authentication is performed using a user ID and password. Authentication is required at login and can also be required each time certain process operations are started. Authenticated individuals can be assigned privilege levels based on their assigned authority. If no user is logged in, OFFUSER (the initial user) is the login user. OFFUSER's operation rights are limited to plant-safety operations such as emergency shutdown, plus plant monitoring. Operations performed as OFFUSER are also logged by the audit trail and stamped with that user ID. In addition, direct file access from the Windows desktop is restricted by the CENTUM Desktop functions: in the CENTUM Desktop environment, the files displayed in Windows Explorer are restricted, and manipulating files on CD-ROM or floppy disks is restricted.

(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.

T Only users with administrator privilege can register operators. All operations performed by operators are recorded as Audit Trail records carrying Who, When, Where, What, Why, and How (5W1H). The Audit Trail records can be sorted and then output to a PDF file. The time stamped on each audit trail record is automatically synchronized with the time on all HIS terminals of the CENTUM CS 1000/CS 3000 system (on a 10-second cycle).


(f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.

T The standard sequence functions provided in the CS 1000/CS 3000 systems can be configured to enforce permitted sequencing of steps and events as needed. The following sequence functions can be used to enforce the permitted operation steps:
  - SFC
  - Sequence Table
  - Logic Chart
  - SEBOL
The following human machine interface functions require passwords and confirmation operations to meet the security requirements:
  - User Security
  - HIS Operation and Monitoring
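The operational check in (f) is easiest to see as code. The following is an added illustration written for this page, not a CENTUM SFC, Sequence Table or SEBOL program: a step-sequence controller in the style of an SFC, where each step lists the transitions it permits, each transition names the operator command that triggers it (or none, for an automatic transition) and a process interlock that must hold, and certain commands additionally require the confirmation operation mentioned above. The reactor phases, command names and process values are constructed for the example.

```python
"""SFC-style enforcement of a permitted step sequence (editor's example, not
CENTUM code). Out-of-sequence commands, unconfirmed critical commands and
commands whose interlock is not satisfied are refused and logged."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Transition:
    to_step: str
    guard: Callable[[dict], bool]       # interlock evaluated on live process values
    command: Optional[str] = None       # operator command required; None = automatic


# Permitted sequence for one reactor phase chain (constructed example).
SEQUENCE = {
    "IDLE":        [Transition("CHARGING", lambda pv: pv["reactor_empty"], "START_CHARGE")],
    "CHARGING":    [Transition("HEATING", lambda pv: pv["level_pct"] >= 80.0)],
    "HEATING":     [Transition("HOLDING", lambda pv: pv["temp_c"] >= 75.0)],
    "HOLDING":     [Transition("DISCHARGING", lambda pv: pv["hold_min"] >= 30, "START_DISCHARGE")],
    "DISCHARGING": [Transition("IDLE", lambda pv: pv["reactor_empty"])],
}

# Commands that need an explicit confirmation dialog before they are accepted.
CONFIRM_REQUIRED = {"START_CHARGE", "START_DISCHARGE"}


class SequenceController:
    def __init__(self, start: str = "IDLE") -> None:
        self.step = start
        self.log: list[str] = []        # human-readable trace of accepted and refused actions

    def operator_command(self, command: str, pv: dict, confirmed: bool = False) -> bool:
        """Accept a command only if the current step has a transition for it, the
        operator confirmed it when required, and the interlock holds."""
        for t in SEQUENCE[self.step]:
            if t.command != command:
                continue
            if command in CONFIRM_REQUIRED and not confirmed:
                self.log.append(f"{self.step}: {command} refused, confirmation missing")
                return False
            if not t.guard(pv):
                self.log.append(f"{self.step}: {command} refused, interlock not satisfied")
                return False
            self.log.append(f"{self.step} -> {t.to_step} by {command}")
            self.step = t.to_step
            return True
        self.log.append(f"{self.step}: {command} refused, not permitted in this step")
        return False

    def scan(self, pv: dict) -> str:
        """Evaluate automatic transitions once per scan cycle; returns the current step."""
        for t in SEQUENCE[self.step]:
            if t.command is None and t.guard(pv):
                self.log.append(f"{self.step} -> {t.to_step} automatic")
                self.step = t.to_step
                break
        return self.step


if __name__ == "__main__":
    ctl = SequenceController()
    empty = {"reactor_empty": True, "level_pct": 0.0, "temp_c": 20.0, "hold_min": 0}
    ctl.operator_command("START_DISCHARGE", empty, confirmed=True)   # refused: wrong step
    ctl.operator_command("START_CHARGE", empty)                      # refused: not confirmed
    ctl.operator_command("START_CHARGE", empty, confirmed=True)      # accepted
    print("\n".join(ctl.log))
```

The point the regulation makes is that the permitted order is enforced by the system, not by procedure alone: a discharge command issued while the reactor is idle is never executed, and the refusal itself is left in the log where an audit trail would pick it up.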

(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.

T An authorized engineer must register the operator on the builder. Operating privileges for authenticated personnel are classified into up to seven hierarchical levels, such as "Read-Only" and "Read/Write". Operating privileges can also be assigned to each group based on the operation target (e.g. panels, function blocks, messages, control recipes) and on the console.

Restrictions per operator console (HIS): the operation windows, function blocks and messages that can be handled on each operator console can be classified.
Restrictions per operation group: the operation windows, function blocks and messages that can be handled by each operation group can be classified.
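The access limitations in (d) and the authority checks in (g) combine into one decision: which group the logged-in user belongs to, what level that group holds on the kind of target being touched, and whether this console is allowed to handle that part of the plant at all. The following is an added example written for this page and is not Yokogawa's implementation. The group names, the levels "Read-Only" and "Read/Write", the target kinds and the OFFUSER default identity come from the text above; the other level names, the policy tables, the console IDs and the function signatures are assumptions made for the illustration.

```python
"""Default-deny authority check modelled on the page's description of CS 1000/
CS 3000 access control (editor's example, not CENTUM code)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import IntEnum


class Level(IntEnum):
    """Privilege hierarchy. The page allows up to seven levels; only READ_ONLY and
    READ_WRITE are named there, the other names are assumed."""
    NONE = 0
    MONITOR = 1      # view windows, plant-safety operations only
    READ_ONLY = 2    # view data, acknowledge messages
    READ_WRITE = 3   # change setpoints and modes
    RECIPE = 4       # create or edit master recipes
    ENGINEER = 5     # maintain system builders
    ADMIN = 6        # user registration, audit policy


# Level each user group holds on each target kind (assumed policy table).
GROUP_LEVELS = {
    "Operator": {"panel": Level.READ_WRITE, "function_block": Level.READ_WRITE,
                 "message": Level.READ_WRITE},
    "Reporter": {"panel": Level.READ_ONLY, "report": Level.READ_WRITE},
    "Instrumentation Engineer": {"panel": Level.READ_ONLY, "builder": Level.ENGINEER},
    "Recipe Engineer": {"panel": Level.READ_ONLY, "master_recipe": Level.RECIPE},
    "System Administrator": {"user": Level.ADMIN, "audit_policy": Level.ADMIN},
    # OFFUSER is the identity in force when nobody is logged in: monitoring only.
    "OFFUSER": {"panel": Level.MONITOR, "function_block": Level.MONITOR},
}

# Minimum level an action needs on a target kind (assumed). Emergency shutdown is
# deliberately placed at MONITOR so that OFFUSER keeps it, as the page describes.
REQUIRED_LEVEL = {
    ("panel", "view"): Level.MONITOR,
    ("function_block", "emergency_shutdown"): Level.MONITOR,
    ("message", "acknowledge"): Level.READ_ONLY,
    ("function_block", "set_sv"): Level.READ_WRITE,
    ("function_block", "change_mode"): Level.READ_WRITE,
    ("report", "print"): Level.READ_WRITE,
    ("master_recipe", "edit"): Level.RECIPE,
    ("builder", "download"): Level.ENGINEER,
    ("user", "register"): Level.ADMIN,
}

# Per-console restriction: plant areas each HIS may handle (hypothetical IDs).
CONSOLE_AREAS = {
    "HIS0164": {"REACTOR1", "REACTOR2"},
    "HIS0165": {"UTILITIES"},
}


@dataclass(frozen=True)
class Target:
    kind: str   # panel, function_block, message, report, master_recipe, builder, user
    name: str   # tag or window name
    area: str   # plant area, used for the per-console scope check


def authorize(group: str, console: str, target: Target, action: str) -> tuple[bool, str]:
    """Console scope first, then the group's level against the action's requirement.
    Unknown actions, unknown groups and unknown consoles are all refused."""
    if target.area not in CONSOLE_AREAS.get(console, set()):
        return False, f"console {console} is not assigned area {target.area}"
    needed = REQUIRED_LEVEL.get((target.kind, action))
    if needed is None:
        return False, f"no rule for {action} on {target.kind}"
    held = GROUP_LEVELS.get(group, {}).get(target.kind, Level.NONE)
    if held < needed:
        return False, f"{group} holds {held.name}, {action} needs {needed.name}"
    return True, f"{group} holds {held.name} >= {needed.name}"


def audited_operation(user: str, group: str, console: str, target: Target,
                      action: str, reason: str = "") -> dict:
    """Run the check and return a Who/When/Where/What/Why/How record. Denied
    attempts are recorded exactly like permitted ones."""
    ok, detail = authorize(group, console, target, action)
    return {
        "who": user, "group": group,
        "when": datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "where": console,
        "what": f"{action} {target.kind}:{target.name}",
        "why": reason,
        "how": "HIS window operation",
        "result": "permitted" if ok else "denied",
        "detail": detail,
    }


if __name__ == "__main__":
    fic = Target("function_block", "FIC100", "REACTOR1")
    for user, group in (("alice", "Operator"), ("OFFUSER", "OFFUSER")):
        print(audited_operation(user, group, "HIS0164", fic, "set_sv", "grade change"))
```

Two details matter for a reviewer. The check fails closed: an action with no rule, a group with no entry or a console with no area list all yield a denial rather than a silent pass. And the OFFUSER case is handled by the same level comparison as everyone else, so the emergency-shutdown allowance is visible in the policy table instead of being a special case buried in code.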

(h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.

T Since the I/O devices (I/O modules) of the DCS are all addressed, the route of input data can be identified from the address of the connected I/O module. All operations performed on the operator consoles are stamped with the console ID in the audit trail records.

(i) Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.

P A proper training program according to each individual's work assignment is required, and its execution should be recorded. Yokogawa offers standard and custom training classes on the development, maintenance, and use of CS 1000/CS 3000 system features. Engineering work on CENTUM CS 3000 should be performed by personnel who have received the training stipulated by the company's rules.

(j) The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.

P

P: The user must have effective management in place to observe the SOP.


(k) Use of appropriate controls over systems documentation including:

(1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.

P Users should establish a documentation management system.

(2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.

T+P Actual document control is established by the end user's management system. CENTUM CS 1000/CS 3000 has a self-documentation capability that supports document revision in step with system modifications: when output to paper or to a PDF file, the self-documentation can include a revision number for audit trail purposes.

§11.30 Controls for open systems. Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in §11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality.

Not applicable to closed systems.

§11.50 Signature manifestations. (a) Signed electronic records shall contain information associated with the signing that clearly indicates all of the following:

(1) The printed name of the signer;

T The user name is authenticated in real time by checking the login name (User-In dialog box) against the registered user names in the Security Builder. Moreover, the name can also be put in the remarks column of the audit trail. Each audit trail record is stamped with the operator ID, and the full names corresponding to the IDs can be output to a PDF file (by self-documentation).

(2) The date and time when the signature was executed; and

T Each record in Audit Trail is time-stamped with year, month, day, hour, minute, and second.

(3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature.

T Each record in Audit Trail can be remarked in the “Reason” field.


(b) The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout).

T The audit trails can be listed on display, and can be output into a PDF file.

§11.70 Signature/record linking. Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.

T User IDs are automatically included in the Audit Trail by the CS 1000/CS 3000 system within the relevant electronic records as they are generated. Each audit trail record is stamped with the operator ID, and the full names corresponding to the IDs can be output to a PDF file (by self-documentation). Audit Trail files are generated as write-protected system files.


Electronic Signatures (Subpart C)

Electronic signatures are established to eliminate the need to print electronic records that are otherwise secure and compliant with the regulations in Subpart B, solely for the purpose of uniquely identifying the individual who creates, manages, reviews, or approves content. CS 1000/CS 3000 systems employ User ID (user name) and password combinations as electronic signatures associated with individual electronic records. Standard on all CS 1000/CS 3000 systems are levels of user identification with password protection and configurable levels of secure access. Options are also available for identification through the use of biometrics (e.g. fingerprinting).

Listing and Analysis of Subpart C CS 1000/CS 3000 Solutions

Subpart C Electronic Signatures

§11.100 General requirements. (a) Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.

T The computer administrator checks for an identical user name when registering a new user account. Each individual has his own password, which is known only to that individual and is protected from everyone else, including the computer administrator.

Registered user IDs are under permanent control. Once a registered ID becomes invalid for any reason (retirement or transfer), the ID cannot be used again.

(b) Before an organization establishes, assigns, certifies, or otherwise sanctions an individual’s electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual.

P

(c) Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures.

P

(1) The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations (HFC–100), 5600 Fishers Lane, Rockville, MD 20857.

P

(2) Persons using electronic signatures shall, upon agency request, provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer’s handwritten signature.

P

§11.200 Electronic signature components and controls.

(a) Electronic signatures that are not based upon biometrics shall:


(1) Employ at least two distinct identification components such as an identification code and password.

T Authentication is performed on two components, User ID and Password.

User ID: A unique string of up to 16 alphanumeric characters assigned by the system administrator

Password: A user-defined string of up to 32 alphanumeric characters

(i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.

T At the first login to the system, both User ID and password must be entered in the User-In dialog box for authentication. For succeeding operations, only the password needs to be entered for authentication. If the logged-in user performs no operation for a certain length of time, the user is automatically logged out (Automatic Logout); the user can then log in again with his user ID and password.

(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.

T If the user is logged out, either manually or automatically, no further operations can be performed until the user logs in again, and both User ID and password must be entered in the User-In dialog box for authentication once more.

(2) Be used only by their genuine owners; and

T The password of a user is set the first time the user logs in with his user ID. The password should not be disclosed to anyone but the user himself, not even the system administrator.

(3) Be administered and executed to ensure that attempted use of an individual’s electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.

Use of an individual's electronic signature by anyone other than its genuine owner requires an OnBehalf signature, and OnBehalf user management should be established. (For example, the OnBehalf signature should be performed with the collaboration of the OnBehalf user and the system administrator.) A user should have a password in the CENTUM CS 1000/CS 3000 system that cannot be easily guessed or parsed by others. In case emergency actions are required and the person assigned for the required actions is absent, another person having the same or higher privileges is able to take the actions on his behalf. Using a mode-switching key (physically a metal key), an operator can switch to a special user, "Engineer", who has a higher privilege to perform almost all operations. Nevertheless, all operations performed by "Engineer" are logged and recorded by the audit trail. Since the computer cannot identify the particular individual who performed the operations under the "Engineer" account, it is necessary to have a security policy on the management of the mode-switching key.
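The signing rules in (a)(1)(i) and (ii) above, modelled as an added example (not Yokogawa's code): a session needs both components for the first signing, only the password afterwards, and both again after a manual or automatic logout. The user table, credentials, timings and PBKDF2 password hashing are constructed assumptions; the page does not describe how the system stores passwords.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def hash_password(password: str, salt: bytes) -> bytes:
    # Assumption of this model: PBKDF2 storage is not described on the page.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_user_table(pairs: dict) -> dict:
    """Constructed user table: user_id -> (salt, password hash)."""
    table = {}
    for user_id, password in pairs.items():
        salt = os.urandom(16)
        table[user_id] = (salt, hash_password(password, salt))
    return table


@dataclass
class AuditRecord:
    """'who, when, what, why' of one signing, as the audit trail records it."""
    operator_id: str
    timestamp: float
    action: str
    reason: str


class SigningSession:
    OFFUSER = "OFFUSER"  # initial user the HIS falls back to after automatic logout

    def __init__(self, users: dict, auto_logout_minutes: int):
        self._users = users
        self._timeout = auto_logout_minutes * 60  # 0 disables automatic logout
        self.current_user = self.OFFUSER
        self._last_activity = None
        self.audit_trail = []

    def _verify(self, user_id: str, password: str) -> bool:
        if user_id not in self._users:
            return False
        salt, stored = self._users[user_id]
        return hmac.compare_digest(hash_password(password, salt), stored)

    def _expire_if_idle(self, now: float) -> None:
        # Automatic logout: no operation for the configured wait time.
        if (self.current_user != self.OFFUSER and self._timeout
                and now - self._last_activity >= self._timeout):
            self.logout()

    def login(self, user_id: str, password: str, now: float) -> bool:
        """First signing of a continuous session: both components are required
        (§11.200(a)(1)(i)); this is the User-In dialog with ID and password."""
        if not self._verify(user_id, password):
            return False
        self.current_user, self._last_activity = user_id, now
        return True

    def sign(self, password: str, action: str, reason: str, now: float) -> bool:
        """Subsequent signing in the same session: only the password, the
        component that only the owner can execute (§11.200(a)(1)(i))."""
        self._expire_if_idle(now)
        if self.current_user == self.OFFUSER:
            return False  # not a continuous session: login() with both components (ii)
        if not self._verify(self.current_user, password):
            return False
        self._last_activity = now
        self.audit_trail.append(AuditRecord(self.current_user, now, action, reason))
        return True

    def logout(self) -> None:
        """Manual or automatic logout ends the continuous period of access."""
        self.current_user, self._last_activity = self.OFFUSER, None


def demo() -> list:
    """Walk through one constructed session; returns the outcome of each step."""
    users = make_user_table({"TANAKA": "summer-2003"})  # constructed credentials
    s = SigningSession(users, auto_logout_minutes=5)
    return [
        s.sign("summer-2003", "PIC100.SV", "no session yet", now=0),           # False
        s.login("TANAKA", "summer-2003", now=0),                                # True
        s.sign("summer-2003", "PIC100.SV", "For Summer Operations", now=60),   # True
        s.sign("wrong", "PIC100.MV", "typo", now=120),                          # False
        s.sign("summer-2003", "PIC100.MV", "idle too long", now=120 + 5 * 60),  # False
        s.login("TANAKA", "summer-2003", now=500),                              # True
    ]
```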

(b) Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners.

T A fingerprint identification unit is also provided as an option for authentication.


§11.300 Controls for identification codes/passwords. Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include:

(a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.

T When registering a new user ID, the system administrator checks for identical IDs so as to guarantee that all IDs are unique. Each individual has his own password, which is known only to that individual and is protected from everyone else, including the computer administrator. All user IDs are under permanent control. Once a registered ID becomes invalid for any reason (retirement or transfer), the ID cannot be used again.

(b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).

T Password validity (the validity period is user-definable) is checked by the system. When the expiration date has passed, the system prompts the user to update the password.

(c) Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.

T When a specific User ID becomes invalid (due to a compromised password, retirement, or other reason), the User ID is marked invalid by the authorized administrator. Invalid IDs are not deleted, but are maintained by the system to prevent future reuse.

(d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.

T When a user's logon fails repeatedly, an authentication failure alarm message is broadcast to all terminals (HISs) and the event is recorded in the audit trail. Moreover, the user ID is locked out (User Lockout feature). With optional packages, the alarm message can also be sent to a PDA or mobile phone in real time.

(e) Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.

P Security settings can be checked and confirmed during computer validation, initially and periodically as needed.


3. Guidance on Conforming CENTUM CS 1000/CS 3000 to 21 CFR Part 11

CENTUM CS 1000/CS 3000 classifies users into four groups: Operator, Instrumentation Engineer, Recipe Engineer and Reporter. All operations performed by users in these groups are subject to the audit trails regulated in 21 CFR Part 11. The user rights and audit trails applied to users of the Operator group (hereinafter referred to as the HIS user group) differ from those applied to users of the other groups (hereinafter referred to as the engineer groups). This chapter explains in detail the user rights and audit trails applied to users, how to implement them and what to take care of during implementation.

The option packages for FDA 21 CFR Part 11 compliance are shown in the table below:

Option Package | HIS User Group User Rights/Audit Trails | Engineer User Group (System Builders, Recipe Builders, Report Builders) User Rights/Audit Trails
FDA 21 CFR Part 11 Compliant Package (PHS5170/LHS5170) | - (*1) | Required
Consolidate Historical Messaging Package (FDA 21 CFR Part 11 Compliant) (*3) | Required (*2) | -

*1: To restrict users' access capabilities on the HIS, the standard security settings can be used; this option package is not required for that purpose.

*2: If Exaquantum/Batch is used as the server for managing the audit trails, this option package is not required.

*3: With the Long-Term Data Archive package (PHS6510/LHS6510), the trend data, closing data and historical messages in the HIS can be stored. However, extracting data from the stored files to create reports or PDF files is not supported.

3.1 Access Restrictions

Access Restriction Settings

The following table lists the functions set by the system administrator. The table includes the required items in the LHS1100 Standard Operation and Monitoring Function and the LHS6530 Report Package. In addition, access-control requirement functions are classified into the following four categories:

A: User ID registration management – handling of user IDs and passwords

B: Access control – setting conditions for accessing the system

C: Password policy – Password setting conditions, etc.

D: Windows direct access – PC desktop environment


User group | HIS group | Engineering group (system builder, recipe builder, report builder) (*1)
Set location | Security builder (*2); HIS utility (each HIS) | Access control utility (each PC)
Optional packages required | Not required (included in standard applications) | LHS5170 packages for FDA 21CFR Part 11

Function | HIS group | Engineering group
A: User ID registration and deletion | X (*3) | X
A: Authorization setting for each user ID | X (*3) | X
A: Password management (Local control/Common control) | X | -
B: Automatic user logoff/automatic screen lock | X | X
B: Check illegal logon attempts | X (*3) | X
B: User lockout (*4) | X | X
B: User ID release during lockout (*4) | X | X
B: Password resetting (*4) | X | X
B: Reconfirmation with double authentication | X (*3) | -
B: Biometric authentication (fingerprint authentication) | X | Optional
C: Check expiration date of passwords | X (*3) | X
C: Check obsolete passwords (*4) | X | X
C: Check password length (*4) | X | X
D: Automatic logon to Windows | X (*3) | X
D: CENTUM desktop | X (*3) | X

*1: Report packages (PHS6530/LHS6530) are separately needed to perform report functions.

*2: Registration and authorization of the engineer are needed, as well as the system administrator authorization (PC administrator authorization), to operate the security builder.

*3: The system administrator authorization is needed in revision R3.04 or later.

*4: This is a new function of R3.04.


Overview

Registering and Removing User IDs

Each person permitted to use the system must be registered (ID, name and group). The user IDs of retired or transferred persons are removed and permanently stored as obsolete IDs. A user account with an obsolete ID (or an ID identical to an obsolete ID) (*1) will never be able to log on to the system.

*1: The maximum number of obsolete user IDs is 10,000. When the number of obsolete IDs reaches 10,000, no more user accounts can be removed.

User Account | System | Description (User ID; Name) | Max. No. of Valid Users (Groups)
HIS Users | CS 1000 | User ID: up to 16 alphanumeric characters (must not be identical with another user ID or an obsolete ID); Name: up to 32 alphanumeric characters (the name of the person) | 100 (not including obsolete users)
HIS Users | CS 3000 | Same as CS 1000 | 250 (not including obsolete users)
HIS User Groups | CS 1000 | Group ID: up to 8 alphanumeric characters; Name: up to 32 alphanumeric characters | 15
HIS User Groups | CS 3000 | Same as CS 1000 | 50
Engineers | CS 1000 | User ID: up to 16 alphanumeric characters (must not be identical with another user ID or an obsolete ID); Name: up to 64 alphanumeric characters (the name of the person) | -
Engineers | CS 3000 | Same as CS 1000 | -
Engineer User Groups | CS 1000 | Group ID: up to 8 alphanumeric characters; Name: up to 32 alphanumeric characters | -
Engineer User Groups | CS 3000 | Same as CS 1000 | -

Note: For operations that do not require a specific user account to identify each individual operator, DEFGRP and NONEGRP are provided as the default user groups, and OFFUSER, ONUSER and ENGUSER are provided as the default user names.

User Rights of Each Account

User rights can be assigned to each registered user account. The detailed settings are as follows:

[HIS User Groups]

The user rights and user group privileges for HIS user groups are set as follows:

Privilege | Monitoring | Operation | Maintenance
S1 | Y | N | N
S2 | Y | Y | N
S3 | Y | Y | Y

Y: Enable, N: Disable

Note: The user rights defined for each privilege from S1 to S3 cannot be changed.


In order to meet the requirements for operating various types of plants, the user-defined privileges U1 to U7 can be added with the HIS Security Builder. The following user rights can be assigned to each privilege.

• Window monitoring rights

• Window operation rights

• Whether to display the Tuning and Faceplate windows of a function block

• Whether to allow writing to data items in a function block

• Operation mark security levels

• Operation mark install/remove attributes

• Password control mode (Choose between Common and Local)

Figure Security Builder - Window Operation Tab (F030001.ai). The Operation-Window Monitoring and Window Operation tabs list, for each window access level No. 1 to 8, whether the fixed privilege levels S1 to S3 and the user-defined privilege levels U1 to U7 (which can be changed) may access the window (columns: User Group, Valid User, Tag view, Item Operation, Operator Action). The access levels shown in the figure are:

Window access level | S1 | S2 | S3 | U1 | U2 | U3 | U4 | U5 | U6 | U7
1 | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y
2 | N | Y | Y | Y | Y | Y | Y | Y | Y | Y
3 | N | N | Y | Y | Y | Y | Y | Y | Y | Y
4 | N | N | N | N | N | N | N | N | N | N
5 | N | Y | Y | Y | Y | Y | Y | Y | Y | Y
6 | N | N | Y | Y | Y | Y | Y | Y | Y | Y
7 | N | N | N | N | N | N | N | N | N | N
8 | N | N | N | N | N | N | N | N | N | N

[Engineer User Group] (System Builders, Recipe Builders and Report Builders)

Engineer User Group | User Rights
Recipe Engineer | READ, WRITE, DELETE, DOWNLOAD, ENGINEERING
Instrumentation Engineer (System Builders) | READ, WRITE, CREATE

Table Default Values of Rights

User group | Right | Report definition file | Report printout image file
Manager group | Create | For all files | For all files
Manager group | Write | For all files | For all files
Operator group | Create | None | None
Operator group | Write | None | For all files


Password Control Mode (Choose between Common and Local)

The passwords registered in HISs can be controlled in two ways: Common and Local. Common means the passwords of all HISs are under the same administration, while Local means the passwords of each HIS are controlled separately. The merits and demerits of the two control modes are:

• Local: Each person can set his user account on each HIS. The same user can use different passwords on different HISs, so the risk of a leaked password is reduced.

• Common: Each person only needs to set his password on one HIS in the system; the password is then equalized to all other HISs connected in the system. If a system consists of a few dozen HISs, using Common mode is convenient. However, the user cannot pick out one or two HISs in a system to use Local mode if the system is using Common mode.

Automatic Logout/Screen Lock

[HIS User Group: Automatic User Logout]

If an operator leaves his seat after login and no operation is performed on the operator console for a specified time, automatic logout starts: the previous operation windows are cleared and the user becomes OFFUSER (the initial user). OFFUSER has only the monitoring privilege and minimum operation rights; however, operations related to plant safety, such as emergency shutdown, are permitted. Moreover, the operations performed by OFFUSER are also subject to audit trails.

• Default: 0 Minute (disables Automatic Logout)

• Setting: 1 to 59 minutes (wait time)

[Engineer User Group (System Builders, Recipe Builders and Report Builders): Screen Lock]

If an engineer leaves his seat after login and no operation is performed on the engineering station for a specified time, automatic screen lock starts: the previous operation windows and status are locked. The same password as the login password is required to release the locked screen. OFFUSER has only the monitoring privilege and minimum operation rights; however, operations related to plant safety, such as emergency shutdown, are permitted. Moreover, the operations performed by OFFUSER are also subject to audit trails.

• Default: 0 Minute (disables Screen Lock).

• Setting: 1 to 59 minutes (wait time)

Account Lockout

If a user account fails to provide the correct password, and thus fails authentication, the specified number of times, the logon attempts are treated as an intrusion: a real-time alarm is broadcast to all HISs and the operations are recorded in the audit trails. At the same time, the user account is locked out; the user cannot use the account to log on unless the system administrator releases the lockout after checking for possible intrusions.


[HIS User Groups]

• Default: 0 Times (disables intrusion detector)

• Setting: 1 to 10 Times (triggers intrusion alarm and account lockout)

Figure Security Policy Setting Dialog Box (F030002.ai). Settings shown: Password required for confirmation; Limits the window call at user out state; Send a notification after 5 invalid logon attempts (0: No notification); Lockout repeatedly denied account; Prompt for changing password 60 days (0: No prompt); Minimum password length 6; Do not use previous password.

[Engineer User Groups (System Builders, Recipe Builders and Report Builders)]

• Default: 0 Times (disables intrusion detector)

• Setting: 1 to 10 Times (triggers intrusion alarm and account lockout)

Figure Access Control Tab of Access Control Utilities (F030003.ai). The dialog (tabs: General, Electronic Record, Access Control; Engineers' Account Files: Choose an existing file) shows: Notice Consecutive Authentication Failures: 0 Times; Enable Account Lockout; Computer Name of Notification OPC Server (e.g. HIS0164; use semi-colon (;) to delimit entries); Valid period: 0 Days; Do not use previous password; Minimum Password Length: 1 Characters; Password: The password can not be set.

Note: If the names of the HIS computers on which the Exaopc package (NTPF100) is installed are registered, the system alarm is broadcast to all HISs when an authentication failure occurs. However, at least one HIS must have Exaopc installed and be able to communicate via Ethernet with the PC that carries the engineering, recipe management and report access-control functions. Moreover, the HIS that is to be notified of the system alarm must be registered in the project to which it belongs.


Prevent Using Previous Password

When a password reaches its maximum age, a new password must be set and must be different from the previous password. Enforcement of this password change for the four user groups (Operator, Instrumentation Engineer, Recipe Engineer and Reporter) can be enabled or disabled. Default: Disabled (the previous password can be used again). (See "Figure Access Control Tab of Access Control Utilities".)

Minimum Password Length

The minimum number of password characters can be set; a password with fewer characters will not be accepted by the system.

[HIS User Group]

Minimum Password Length: 0 to 32 (integer; 0: no minimum length). (See "Figure Access Control Tab of Access Control Utilities".)

[Engineer User Groups (System Builders, Recipe Builders and Report Builders)]

Minimum Password Length: 1 to 32 (integer; default: 1, i.e. at least a single-character password is required). (See "Figure Access Control Tab of Access Control Utilities".)

Reset Password

If the password for an account is forgotten, the system administrator can reset the password of the account. After the password is reset, the account can be logged into by anyone, so the user must enter a new password immediately after the reset. For security reasons, great caution must be taken when resetting account passwords.

Confirm with Double Authentication

For critical operations, such as manipulating an important function block on the HIS, in addition to the current user and his password, another user, either a colleague operator or a supervisor, and his password are also required. The user for double authentication can be any user other than the default users (ENGUSER, ONUSER, OFFUSER) and the current user.

Figure Double Authentication Dialog Box (F030004.ai). Example shown in the figure: "PIC100 Reactor Steam Pressure: Outside the Set Range OK ?"; Name1: TANAKA, Password: ********, Reason: For Summer Operations; Name2: SUZUKI, Password: ********, Reason: Confirmation.


Maximum Password Age

A password needs to be changed after a certain period so as to improve security. When Maximum Password Age is set for an account and the password approaches its maximum age, a message is sent to the user prompting for a password change. The message prompting for a password change is sent to the user 14 days before the password reaches its maximum age. However, when a password reaches its maximum age, the account does not become an obsolete account. Default: 0 Days (0 means no limit); Setting Range: 0 to 1000 Days. (See "Figure Access Control Tab of Access Control Utilities".)
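The access-control settings described in this section (obsolete IDs that are never reused, account lockout with the alarm broadcast, the previous-password check, minimum password length, maximum password age with the 14-day prompt, and the double-authentication rule) modelled together as an added example; this is not Yokogawa's code, and the Policy values, the PBKDF2 password hashing and the constructed accounts are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

DAY = 86_400
DEFAULT_USERS = {"OFFUSER", "ONUSER", "ENGUSER"}  # default user names from section 3.1
PROMPT_DAYS = 14                                   # prompt sent 14 days before maximum age


def hash_password(password: str, salt: bytes) -> bytes:
    # Assumption of this model: the page does not describe password storage.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Policy:
    """Constructed values, within the ranges the page gives for the HIS user group."""
    lockout_after: int = 5      # consecutive failures; 0 disables the intrusion detector
    max_age_days: int = 60      # 0 means no limit; range 0 to 1000
    min_length: int = 6         # 0 means no minimum; range 0 to 32
    forbid_previous: bool = True


@dataclass
class Account:
    user_id: str
    name: str
    salt: bytes
    pw_hash: bytes
    pw_set_at: float
    failures: int = 0
    locked: bool = False


class AccessControl:
    MAX_OBSOLETE = 10_000  # page: beyond this, no more accounts can be removed

    def __init__(self, policy: Policy):
        self.policy = policy
        self.accounts = {}
        self.obsolete = set()
        self.alarms = []   # in the real system, broadcast to all HISs
        self.audit = []    # (when, who, what, result)

    def register(self, user_id, name, password, now):
        if user_id in self.accounts or user_id in self.obsolete:
            raise ValueError("ID must not match an existing or obsolete user ID")
        if not (user_id.isalnum() and len(user_id) <= 16 and len(name) <= 32):
            raise ValueError("ID up to 16 and name up to 32 characters")
        self._check_new_password(None, password)
        salt = os.urandom(16)
        self.accounts[user_id] = Account(user_id, name, salt, hash_password(password, salt), now)

    def remove(self, user_id):
        """Removed IDs are kept as obsolete IDs so they can never be reused."""
        if len(self.obsolete) >= self.MAX_OBSOLETE:
            raise RuntimeError("obsolete ID table is full; no more accounts can be removed")
        del self.accounts[user_id]
        self.obsolete.add(user_id)

    def _check_new_password(self, acct, new_pw):
        if not (self.policy.min_length <= len(new_pw) <= 32):
            raise ValueError("password length outside the permitted range")
        if acct and self.policy.forbid_previous and hmac.compare_digest(
                hash_password(new_pw, acct.salt), acct.pw_hash):
            raise ValueError("the previous password cannot be used again")

    def change_password(self, user_id, new_pw, now):
        acct = self.accounts[user_id]
        self._check_new_password(acct, new_pw)
        acct.salt = os.urandom(16)
        acct.pw_hash = hash_password(new_pw, acct.salt)
        acct.pw_set_at = now

    def password_status(self, user_id, now):
        """'ok', 'prompt' (change prompt due, 14 days before max age) or 'expired'."""
        if self.policy.max_age_days == 0:
            return "ok"
        expires = self.accounts[user_id].pw_set_at + self.policy.max_age_days * DAY
        if now >= expires:
            return "expired"  # the account does not become obsolete; a new password is required
        return "prompt" if now >= expires - PROMPT_DAYS * DAY else "ok"

    def logon(self, user_id, password, now):
        acct = self.accounts.get(user_id)
        if acct is None or acct.locked:
            return False
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            self.audit.append((now, user_id, "logon", "success"))
            return True
        acct.failures += 1
        self.audit.append((now, user_id, "logon", "authentication failure"))
        if self.policy.lockout_after and acct.failures >= self.policy.lockout_after:
            acct.locked = True  # treated as intrusion: alarm to all HISs and lockout
            self.alarms.append((now, f"authentication failure alarm: {user_id} locked out"))
        return False

    def release_lockout(self, user_id):
        """Performed by the system administrator after checking for possible intrusion."""
        acct = self.accounts[user_id]
        acct.locked, acct.failures = False, 0

    def double_authentication(self, current_user, second_user, second_pw, now):
        """The second signer must be a registered user other than the defaults and the current user."""
        if second_user in DEFAULT_USERS or second_user == current_user:
            return False
        return self.logon(second_user, second_pw, now)
```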

CENTUM Desktop Environment

To prevent operators from using Windows Explorer to directly access system files from the Windows Desktop environment, the CENTUM Desktop environment is provided. With CENTUM Desktop, not only is system security enhanced, but accidental mistakes such as deleting useful files are also prevented.

CENTUM Desktop has the following features:

• Hide Explorer

• Hide all the icons on the desktop

• No menu pops up on right-clicking the mouse

• Cannot open CD-ROM directly

• Pressing [Ctrl] + [Alt] + [Del] does not open the Windows Security dialog box. Thus [Lock Computer], [Shut Down], [Change Password] and [Task Manager] cannot be used.

• On the [Start] menu, YOKOGAWA CENTUM is the only program menu. [Programs], [Documents], [Settings], [Search], [Help and Support] and [Run] are not displayed.

Figure CENTUM Desktop (F030009.ai). The [Start] menu shows only the CENTUM-related YOKOGAWA CENTUM program menu (HIS Utility, Online Manual, Recipe View, Access Control Utilities, Consolidated Historical Viewer, System View, Logsave, Projectsave, Command Prompt, Maintenance); no items are shown on the desktop.

Automatic Logon

When the power switch of the PC is turned on, the PC can automatically log on to the CENTUM environment. With the CENTUM desktop environment, the user is prevented from accessing files directly through Windows Explorer.


3.2 Audit Trails

Overview of Audit Trails

The operations performed by HIS user group members and engineer group members (such as maintenance operations on builders, recipe maintenance and report generation) are subject to audit trails, and the audit trails are stored as electronic records. The audit trails contain the "who, when, where, what and why" information of the operations. However, the operations performed by system administrators are not subject to audit trails. With administrator privileges, the stored electronic records of the audit trails can be converted into a generic file format, used to create reports, or archived to external media.

| HIS User Group User Rights/Audit Trails | Engineer User Group (System Builders, Recipe Builders, Report Builders) User Rights/Audit Trails
Option Package | Consolidate Historical Message (FDA 21 CFR Part 11 Compliant) (PHS4200/LHS4200) | FDA 21 CFR Part 11 Compliant Package (PHS5170/LHS5170)
Function: Operation Log | X | X
Function: Audit trails of Alarm & message Acknowledgement operations | X | -
Function: Convert to Generic File Format (*1) | X | X
Function: Search Audit Trails & Report Generation (*1) | X | X

*1: Administrator privilege is required for this operation.


Main Features

When using the main features, the following cautions need to be taken into account.

Audit Trails of Operations

[HIS User Group]

The historical messages in each HIS are recorded on the hard disk of the HIS in FIFO rotary mode. Audit trails, alarm and event messages are stored on a PC assigned for storing audit trail records, where the records are under comprehensive management. The PC for storing audit trail records should be a dedicated PC, not an HIS. In order to prevent data loss from a disk crash, redundant storage schemes and disk backup schedules are necessary.

Note: Archiving from the historical message files is performed at 0:05 am.

Figure (F030005.ai): FCS and HISs are connected on V net; the HISs, the PC for storing audit trails and the external storage are connected on Ethernet. The historical message files of each HIS are collected by the Consolidate Historical Message Package on the PC for storing audit trails for comprehensive management.

[Engineer User Groups]

The audit trails of the operations on the builders (System Builders, Recipe Builders and Report Builders) are fetched to the assigned folders at the time the builder contents are downloaded to the target devices. It is recommended to use a dedicated PC, other than the PC for the engineering builders, to save these logs. If the hard disk runs short of space, the download will not succeed. In this case, a message from the system administrator prompting for a backup may arrive; the user should follow the instructions in the message and perform the backup manually. In order to prevent data loss from a disk crash, redundant storage schemes and disk backup schedules are necessary.

Note: The full disk capacity of the PC for storing audit trails can be used. A disk check is performed every time right before downloading or right after saving modifications to the files. If the free disk space is less than the specified threshold value, a warning message is displayed in a dialog box.


Audit Trails of Acknowledgement Operations (HIS User Group Only)
The acknowledgement (ACK) operations of alarm and operation guide messages performed on the HIS are recorded in the historical message file.

Convert to Generic File Format
The stored files can be converted into PDF files, a generic file format, which makes them easier to submit to the regulatory authority or to use as a reference when the system is changed in the future.
Note: Adobe Acrobat 5.0 and Adobe Distiller 5.0 are required.

Search Audit Trails and Create Report
The saved audit trails can be searched by specified categories (date, ID and so on), and the search results can be exported to a PDF file in report format. The report file consists of a cover page and the record pages, all converted into the same PDF file.

(Figure F030006: a single PDF file containing the cover page, 0001, followed by the audit trail log record pages, 0002 onward.)
Figure Report File Schemes

(Figure F030007: cover page layout with a changeable title, Created By and Approved By fields and Comments, beside a sample record page.)
Figure Cover Page Layout   Figure A Record Page
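The search-and-report feature above is the part of the audit trail a reviewer actually reads, so it is worth seeing the mechanics end to end. The following added example, not Yokogawa code and not the CENTUM file format, parses constructed audit trail records, searches them by date range, user ID and action, and assembles the cover-page-plus-record-pages structure shown in the report file scheme. The tab-separated layout, the field names and the page numbering are assumptions.

```python
"""Added example, not Yokogawa code: parse constructed audit trail
records, search them by date range, user ID and action, and assemble the
report as a cover page followed by numbered record pages. The
tab-separated layout, field names and page numbering are assumptions,
not the CENTUM file format."""
from dataclasses import asdict, dataclass
from datetime import date, datetime
from typing import Any, Dict, List, Optional


@dataclass(frozen=True)
class AuditRecord:
    timestamp: datetime
    station: str
    user_id: str
    action: str
    target: str
    detail: str


# Constructed sample: timestamp, station, user, action, target, detail.
SAMPLE_LOG = (
    "2003-09-29 23:58:10\tHIS0164\tOPR01\tSET_SV\tFIC100\t50.0 -> 55.0\n"
    "2003-09-30 00:05:00\tHIS0164\tSYSTEM\tARCHIVE\tHISTMSG\tdaily archive\n"
    "2003-09-30 08:12:44\tHIS0165\tOPR02\tACK\tLAH200\talarm acknowledged\n"
    "2003-09-30 09:30:01\tHIS0164\tOPR01\tMODE\tFIC100\tAUT -> MAN\n"
    "2003-10-01 07:00:00\tHIS0164\tOPR03\tSET_SV\tTIC300\t120.0 -> 118.0\n"
)


def parse_log(text: str) -> List[AuditRecord]:
    """Strict parser: a malformed line is an error, never silently dropped."""
    records: List[AuditRecord] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(parts)}")
        ts = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
        records.append(AuditRecord(ts, *parts[1:]))
    return records


def search(records: List[AuditRecord], start: Optional[date] = None,
           end: Optional[date] = None, user_id: Optional[str] = None,
           action: Optional[str] = None) -> List[AuditRecord]:
    """Inclusive date range; user_id and action are exact matches."""
    hits = []
    for r in records:
        d = r.timestamp.date()
        if start is not None and d < start:
            continue
        if end is not None and d > end:
            continue
        if user_id is not None and r.user_id != user_id:
            continue
        if action is not None and r.action != action:
            continue
        hits.append(r)
    return sorted(hits, key=lambda r: r.timestamp)


def on_day(records: List[AuditRecord], iso_day: str, **filters: str) -> List[AuditRecord]:
    """Convenience: all records of one calendar day, e.g. on_day(recs, "2003-09-30")."""
    d = date.fromisoformat(iso_day)
    return search(records, start=d, end=d, **filters)


def build_report(records: List[AuditRecord], title: str, created_by: str,
                 approved_by: str, comments: str, rows_per_page: int = 2) -> Dict[str, Any]:
    """Cover page 0001, then record pages 0002, 0003, ... in one report."""
    cover = {"page": "0001", "type": "cover", "title": title,
             "created_by": created_by, "approved_by": approved_by,
             "comments": comments, "record_count": len(records)}
    pages: List[Dict[str, Any]] = [cover]
    for i in range(0, len(records), rows_per_page):
        rows = []
        for r in records[i:i + rows_per_page]:
            row = asdict(r)
            row["timestamp"] = r.timestamp.strftime("%Y-%m-%d %H:%M:%S")
            rows.append(row)
        pages.append({"page": f"{len(pages) + 1:04d}", "type": "records", "rows": rows})
    return {"pages": pages}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    report = build_report(on_day(recs, "2003-09-30"), "Daily audit trail", "OPR01", "QA01", "none")
    for page in report["pages"]:
        print(page["page"], page["type"], page.get("rows", page.get("title")))
```

The record count on the cover lets a reviewer confirm that no record page is missing from the exported file; the strict parser ensures a damaged line is noticed rather than dropped from the report.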


3.3 Report Package PHS6530/LHS6530

With the Report Package (PHS6530/LHS6530), the data collected in the HIS, such as process data, trend data and closing data, can be fetched into a Microsoft Excel spreadsheet and exported as reports. When the Report Package is used in an environment where the FDA 21 CFR Part 11 compliant package (PHS5170/LHS5170) is installed, report generation, modification and export are all under access control and subject to audit trails. How to use the Report Package (PHS6530/LHS6530) in compliance with the FDA 21 CFR Part 11 regulations is explained below:

Export Report Files
When printing, the report can be exported as Excel, PDF and CSV files; one format or all three can be selected. The format should be chosen according to how the files will be used and the characteristics of each format.
Excel format: the data in the Excel file can be conveniently added to or modified.
PDF format: the data in the PDF file is not intended to be edited, which discourages casual alteration. On its own, however, the format does not prove that the content is unaltered; it is the digital signature described below that protects the exported record against forgery.
CSV format: the data in multiple files can be cross-referenced for indexing.

PDF files can only be searched within each individual file. CSV files can be merged into one file so that data can be searched across multiple files. It is recommended to use a combination of PDF files and CSV files.

Electronic Signatures of Electronic Records
The digital signature capability of Adobe Acrobat products can be used to apply electronic signatures to the PDF files that constitute the electronic records. The signed files can thus serve as the customer's means of managing those records.

Add or Modify Data in Exported Files
When a report file exported by Batch Report or another automatic export task needs to be modified, start the Report Builder and use the Audit Trail Viewer to open the report file; after adding or modifying the data and saving the file, use Print to export the file again.

(Figure F030008: the HIS, holding process data, trend data, closing data, tag information, historical data and batch data, and the PC installed with the Report Package, which performs report definition, report print and audit trail management and exports PDF, XLS and CSV files, are connected over Ethernet to the Audit Trail PC, which stores the audit trail log data, the database of modification records of exported report files, the exported report files and the saved report definition files.)

Note: If the Report Package (PHS6530/LHS6530) is installed on multiple PCs, the FDA 21 CFR Part 11 compliant package (PHS5170/LHS5170) must be installed on each of those PCs together with the Report Package.

Figure Example of System Configuration


Type of Report
The Report Package supports the following types of report.

Table Type of Report
Type | Service | Data
Hourly Report | Prints the process report every hour | Hourly closing data and trend data
Shift Report | Prints the process report every shift (8 hours) | Closing data
Daily Report | Prints the process report every day | Hourly closing data or daily closing data
Weekly Report | Prints the process report every week | Daily closing data
Monthly Report | Prints the process report every month | Daily closing data or monthly closing data
Yearly Report | Prints the process report every year | Monthly closing data
Snapshot Report (On-demand Report) | Prints the instantaneous process variables on demand at any time | Snapshot of the process variables
Alarm Report | Prints the alarm messages for a designated time period or designated function block | Alarm event messages
Batch Report | Prints the messages during the batch operation and the result of the batch process | Closing data at the time of batch end


4. Time Management of CENTUM CS 1000/CS 3000

4.1 Time Management of a CENTUM CS 1000/CS 3000 Domain

4.1.1 Time Stamp of Audit Trail Record
The time stamp attached to each audit trail record must be reliable. CENTUM CS 1000/CS 3000 has a standard feature that periodically synchronizes the clocks of all stations in a domain on the V net. The PC for audit trails is not connected to the V net, so this standard time synchronization does not apply to it. Nevertheless, each audit trail record is time-stamped on an HIS, which is a station within the time synchronization scheme, so the time stamps of the audit trails come from a reliable time source. Records produced on stations outside the V net are the exception and are covered in 4.1.5.


4.1.2 Time Synchronization Scheme
CENTUM has a capability to synchronize the clocks of the stations within a domain. The time synchronization scheme of CENTUM CS 1000/CS 3000 is illustrated in the following figure. Besides their system clocks, the stations on the V net also have VEHICLE clocks, which are V net firmware clocks. All the VEHICLE clocks in the same domain are managed together so that they keep the same time. In each domain there is one time master station. Since the time master station is assigned automatically, the user does not need to know which station it is. The reference time is broadcast from the time master station periodically (every 10 seconds) on the network, and the VEHICLE clocks of all other stations correct their time based on this reference.

(Figure F040001: the FCS, the HIS acting as time master and the ENG station on the V net each have a system clock and a VEHICLE clock; the time synchronization service notifies the time from the time master to the other stations; the Recipe Management PC and the audit trail data server sit on Ethernet, and the synchronized time is stamped on the audit trail record; a BCV links to a second V net.)

Figure Time Synchronization Scheme

TIP: When a station receives the time synchronization signal, it adjusts its VEHICLE clock according to the size of the discrepancy.


1) Smooth Synchronization
When a station receives the time synchronization signal and the time discrepancy is less than one second, the clock is not adjusted sharply at once but slewed smoothly by 0.005 ms every 10 ms (a rate of 0.05%). A discrepancy just under one second therefore takes a little over 33 minutes to disappear.

2) Drastic Synchronization
When a station receives the time synchronization signal and the time discrepancy is greater than one second, the clock is stepped immediately to the reference time.
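The two correction modes determine how long an HIS clock, and therefore the time stamps it puts on audit trail records, can remain off after a disturbance. The following added example, not Yokogawa code, works the arithmetic in integer microseconds, simulates the slew tick by tick, and compares what the slew can remove between two 10-second broadcasts with how far a free-running VEHICLE clock drifts in that interval using the ±120 seconds/month figure given in 4.3.2. Treating a discrepancy of exactly one second as a step is an assumption; the text only says "less than" and "greater than".

```python
"""Added example, not Yokogawa code: the two VEHICLE clock correction
modes worked in integer microseconds. Below one second the clock is
slewed 5 us per 10 ms tick (0.05 %); from one second up it is stepped.
Also, using the 10 s broadcast interval and the +/-120 s/month accuracy
stated elsewhere in this document, how much the slew can remove per
broadcast versus how far a free-running clock drifts in that time.
Treating exactly one second as a step is an assumption."""
import math

TICK_MS = 10                    # slew is applied every 10 ms
SLEW_PER_TICK_US = 5            # 0.005 ms per tick = 0.05 % of the tick
STEP_THRESHOLD_US = 1_000_000   # one second (assumed inclusive)
BROADCAST_INTERVAL_S = 10       # time master sends the reference every 10 s
VEHICLE_DRIFT_S_PER_MONTH = 120  # accuracy of the VEHICLE clock


def correction_mode(discrepancy_us: int) -> str:
    """'slew' below one second, 'step' at one second and above (assumed)."""
    return "step" if abs(discrepancy_us) >= STEP_THRESHOLD_US else "slew"


def seconds_to_converge(discrepancy_us: int) -> float:
    """Wall-clock seconds until the discrepancy is fully removed."""
    if correction_mode(discrepancy_us) == "step":
        return 0.0                          # corrected on the next reference
    ticks = math.ceil(abs(discrepancy_us) / SLEW_PER_TICK_US)
    return ticks * TICK_MS / 1000


def simulate_slew(discrepancy_us: int) -> int:
    """Tick-by-tick check of the formula: number of 10 ms ticks until aligned."""
    residual = abs(discrepancy_us)
    ticks = 0
    while residual > 0:
        residual -= min(SLEW_PER_TICK_US, residual)
        ticks += 1
    return ticks


def max_slew_per_broadcast_us() -> int:
    """Largest offset the slew can remove between two reference broadcasts."""
    ticks_per_broadcast = BROADCAST_INTERVAL_S * 1000 // TICK_MS
    return ticks_per_broadcast * SLEW_PER_TICK_US


def drift_per_broadcast_us(drift_s_per_month: float = VEHICLE_DRIFT_S_PER_MONTH) -> float:
    """How far a free-running VEHICLE clock drifts in one broadcast interval."""
    seconds_per_month = 30 * 24 * 3600
    return drift_s_per_month / seconds_per_month * BROADCAST_INTERVAL_S * 1_000_000


if __name__ == "__main__":
    for us in (500_000, 900_000, 999_999, 1_500_000):
        print(f"{us / 1e6:.6f} s off: {correction_mode(us)}, "
              f"gone after {seconds_to_converge(us):.1f} s")
    print("slew capacity per broadcast:", max_slew_per_broadcast_us(), "us")
    print("nominal drift per broadcast: %.0f us" % drift_per_broadcast_us())
```

Two practical consequences follow. A discrepancy just under one second takes about 33 minutes to slew out, and records stamped during that window carry the shrinking residual, so a clock problem noticed on the HIS should be recorded in the batch record along with the time it was corrected. Nominal drift per broadcast (about 0.46 ms) is far below the 5 ms the slew can remove, so the slew keeps up under normal conditions and a step correction indicates that a station was isolated or its clock was set by hand.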

4.1.3 System Clock and VEHICLE Clock
For the stations in a domain, the VEHICLE clock takes priority. All stations check the discrepancy between their system clock and their VEHICLE clock, and adjust the system clock to the time of the VEHICLE clock.

4.1.4 Cautions
In a control system, the first HIS that completes startup automatically becomes the time master station. If the VEHICLE clock of an HIS is manually adjusted, that HIS becomes the time master station. If the time master station fails, another HIS automatically takes over; the user does not need to know which station has become the time master. Because a manual adjustment on any HIS therefore propagates to every station in the domain, and with it to the time stamps of all subsequent audit trail records, the ability to adjust the VEHICLE clock should be restricted to authorized users.

The VEHICLE clock of an HIS is the reference time of that HIS. Changing the system time from the Control Panel is therefore meaningless; the VEHICLE time must be adjusted on the HIS Setup window instead.


4.1.5 Time Synchronization of Other Stations
In a system compliant with the FDA 21 CFR Part 11 regulations there are, besides the HIS stations, other stations: the engineering builder PC, which is connected to the V net, and the PCs with the Recipe Builders, the Report Package or the Consolidate Historical Message Package, which are not connected to the V net. For the audit trails, the system clocks of these stations also need to be synchronized. The synchronization methods are described in the table below.

Function | Installed in HIS | Installed Separately
V net connected: Engineering Builders (System Builders) | Adjust automatically (synchronized with the VEHICLE clock) | Adjust manually, or use the time synchronization option program
V net not connected: Recipe Builders | Adjust automatically (synchronized with the VEHICLE clock) | Adjust manually
V net not connected: Report Package, Consolidate Historical Message Package | In general, cannot be installed in an HIS | Adjust manually

1) Time Synchronization of Engineering Builders
The standard engineering builder package does not include the option program for synchronizing the system clock with the VEHICLE clock of the V net. Although the VEHICLE clock of the engineering PC is synchronized with the other stations on the same V net, the PC's system clock, which is the one shown on the GUI, is not synchronized with the VEHICLE clock. An option program is required for time synchronization between the engineering station and the operator consoles; users who need to install it should contact their Yokogawa sales agent.

2) Time Synchronization of Stations Not Connected to the V Net
Stations not connected to the V net cannot be synchronized automatically, so the system clocks of the following PCs must be adjusted manually. Because the audit trail time stamps on these PCs come from the local system clock, the manual adjustment should be carried out under a documented procedure and the clock compared against an HIS at a fixed interval.

• PC installed with Recipe Builders: the audit trails of the Recipe Builders carry time stamps from the system clock of the local PC.

• PC installed with Report Package: the time stamps of the reports are taken from the system clock of the local PC.

• PC installed with Consolidate Historical Message Package: the time stamps of processing such as printing are taken from the system clock of the local PC.


4.2 Time Synchronization Across Domains
In a CENTUM CS 1000/CS 3000 control system with multiple domains, the bus converter (BCV) that links the domains has a time synchronization capability for the clocks of the linked domains. The time synchronization performed by the BCV consists of two actions: time notification and time synchronization.

4.2.1 Time Notification
The BCV passes a time adjustment from one domain to the other. When the clock of an HIS in one domain is adjusted in the HIS clock dialog box, the BCV notifies the new time to all the other domains.

4.2.2 Time Synchronization Between Domains
The BCV scans the time difference between the linked domains every two minutes. The time of one domain is used as the reference; when the time difference of the other domain is greater than 5 seconds for two consecutive scans, the BCV synchronizes the clocks of that domain to the reference time. A difference that exceeds 5 seconds in a single scan only is therefore ignored, and a persistent difference is corrected roughly two to four minutes after it appears.

(Figure F040002: two V net domains, each with HISs, linked by a BCV. 1) Time Notification passes an adjusted time from one domain to the other; 2) Time Synchronization corrects the adjusted domain to the reference time.)

Figure BCV Time Synchronization Scheme

4.2.3 BCV Settings
Two option boxes on the BCV builder define which domain's time is the reference and in which direction time notification is performed, giving four patterns of BCV behavior.

Pattern 1 | No option is checked | No time synchronization between domains.
Pattern 2 | [Transfer Lower] is checked | The upper domain has the reference time; the lower domain clock is adjusted.
Pattern 3 | [Transfer Upper] is checked | The lower domain has the reference time; the upper domain clock is adjusted.
Pattern 4 | Both [Transfer Upper] and [Transfer Lower] are checked | Time notification is sent in both directions when either an upper domain clock or a lower domain clock is manually adjusted. However, the upper domain time is the reference time for time synchronization.
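The BCV rules in 4.2.2 and 4.2.3 are a small state machine: a reference domain chosen by the two option boxes, a scan every two minutes, and a correction only after the 5-second threshold is exceeded on two consecutive scans. The following added example, not Yokogawa code, implements that state machine so the hysteresis can be exercised against constructed clock readings; how the BCV actually measures the inter-domain difference is not modelled.

```python
"""Added example, not Yokogawa code: the BCV cross-domain behaviour as a
state machine. A scan every two minutes, a correction only when the
difference exceeds 5 s on two consecutive scans, and the reference
domain chosen from the Transfer Upper / Transfer Lower option boxes.
The clock readings fed in are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SCAN_INTERVAL_S = 120
THRESHOLD_S = 5.0
CONSECUTIVE_SCANS = 2


def bcv_pattern(transfer_upper: bool, transfer_lower: bool) -> Dict[str, object]:
    """Which domain is the reference and which way notifications flow."""
    if not transfer_upper and not transfer_lower:
        return {"pattern": 1, "reference": None, "notify": ()}
    if transfer_lower and not transfer_upper:
        return {"pattern": 2, "reference": "upper", "notify": ("upper->lower",)}
    if transfer_upper and not transfer_lower:
        return {"pattern": 3, "reference": "lower", "notify": ("lower->upper",)}
    # Pattern 4: notification both ways, but the upper domain stays the reference.
    return {"pattern": 4, "reference": "upper", "notify": ("upper->lower", "lower->upper")}


@dataclass
class BcvSynchronizer:
    reference: Optional[str]                  # "upper", "lower" or None (pattern 1)
    over_threshold: int = 0                   # consecutive scans past the threshold
    adjustment_s: float = 0.0                 # total correction applied to the adjusted domain
    corrections: List[Tuple[int, float]] = field(default_factory=list)

    def scan(self, scan_no: int, upper_s: float, lower_s: float) -> Optional[float]:
        """One two-minute scan over raw clock readings; returns the correction applied, else None."""
        if self.reference is None:
            return None                       # pattern 1: domains run independently
        if self.reference == "upper":
            diff = (lower_s + self.adjustment_s) - upper_s
        else:
            diff = (upper_s + self.adjustment_s) - lower_s
        if abs(diff) <= THRESHOLD_S:
            self.over_threshold = 0           # a single spike does not accumulate
            return None
        self.over_threshold += 1
        if self.over_threshold < CONSECUTIVE_SCANS:
            return None
        self.over_threshold = 0
        self.adjustment_s -= diff
        self.corrections.append((scan_no * SCAN_INTERVAL_S, -diff))
        return -diff


def run_scans(sync: BcvSynchronizer, upper: List[float], lower: List[float]) -> List[int]:
    """Feed per-scan readings; return the scan numbers at which a correction fired."""
    fired = []
    for i, (u, l) in enumerate(zip(upper, lower)):
        if sync.scan(i, u, l) is not None:
            fired.append(i)
    return fired


if __name__ == "__main__":
    t = [i * float(SCAN_INTERVAL_S) for i in range(6)]
    persistent = BcvSynchronizer(reference=bcv_pattern(False, True)["reference"])
    print("lower 8 s ahead throughout:", run_scans(persistent, t, [x + 8.0 for x in t]),
          persistent.corrections)
    spiky = BcvSynchronizer(reference="upper")
    print("isolated 8 s spikes:", run_scans(spiky, t, [t[0] + 8.0, t[1], t[2], t[3] + 8.0, t[4], t[5]]))
```

The two-scan rule means the adjusted domain's time stamps can legitimately differ from the reference domain's by more than 5 seconds for up to about four minutes, and a difference of 5 seconds or less is never corrected by the BCV at all; when audit trail records from two domains must be placed in order, that tolerance has to be taken into account.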


4.3 Time Related Notices

4.3.1 Summer Time
Summer time affects only the displayed time; the data inside CENTUM are not affected by summer time. However, the schedulers are based on the system clock. When summer time begins, the system clock jumps forward one hour; when summer time ends, the system clock jumps back one hour. A task scheduled to start in the jumped hour may therefore not start at all when the clock jumps forward, or may start twice when the clock jumps back. The problem can be avoided by not scheduling tasks in the jumped hours (1:00 am to 3:00 am).
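The scheduler hazard above is easy to state and easy to get wrong when picking a safe time, so the following added example, not Yokogawa code, simulates a system-clock based scheduler across a normal day, a spring-forward day and a fall-back day, counts how often a task fires, and derives the window of unsafe schedule times. The assumption that the displayed clock jumps at 02:00 local time is constructed; with it the unsafe window comes out as 01:00 to 02:59, which is the 1:00 am to 3:00 am guidance given above.

```python
"""Added example, not Yokogawa code: a scheduler driven by a system clock
that jumps one hour forward when summer time begins and one hour back
when it ends. Counts how often a task set for a given wall-clock time
fires on each kind of day and derives the unsafe schedule window. The
jump instant (02:00 local) is a constructed assumption."""
from collections import Counter
from typing import Set

JUMP_AT_MIN = 2 * 60        # displayed clock jumps at 02:00 (assumed)
REAL_MINUTES = {"none": 24 * 60, "forward": 23 * 60, "backward": 25 * 60}


def displayed_minute(elapsed: int, transition: str) -> int:
    """Minute shown on the system clock after `elapsed` real minutes since midnight."""
    if transition == "forward" and elapsed >= JUMP_AT_MIN:
        return elapsed + 60     # 02:00 becomes 03:00: 02:xx is never displayed
    if transition == "backward" and elapsed >= JUMP_AT_MIN:
        return elapsed - 60     # 02:00 becomes 01:00: 01:xx is displayed twice
    return elapsed


def _display_histogram(transition: str) -> Counter:
    """How many real minutes show each wall-clock minute on this kind of day."""
    return Counter(displayed_minute(m, transition) for m in range(REAL_MINUTES[transition]))


def hhmm_to_minutes(hhmm: str) -> int:
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)


def fire_count(schedule_hhmm: str, transition: str) -> int:
    """Times a task scheduled at `schedule_hhmm` fires on the given kind of day.

    The scheduler is modelled as firing whenever the displayed clock equals
    the scheduled minute, which is what a system-clock based scheduler does."""
    return _display_histogram(transition)[hhmm_to_minutes(schedule_hhmm)]


def unsafe_minutes() -> Set[int]:
    """Schedule minutes that fire other than exactly once on some transition day."""
    hists = [_display_histogram(t) for t in ("forward", "backward")]
    return {m for m in range(24 * 60) if any(h[m] != 1 for h in hists)}


def is_safe_schedule(hhmm: str) -> bool:
    return hhmm_to_minutes(hhmm) not in unsafe_minutes()


if __name__ == "__main__":
    for hhmm in ("01:30", "02:30", "04:00"):
        print(hhmm, {t: fire_count(hhmm, t) for t in REAL_MINUTES})
    u = sorted(unsafe_minutes())
    print(f"unsafe window: {u[0] // 60:02d}:{u[0] % 60:02d} to {u[-1] // 60:02d}:{u[-1] % 60:02d}")
```

Note that the skipped hour and the repeated hour are different hours (02:xx is skipped in spring, 01:xx repeats in autumn), which is why the guidance spans two hours rather than one. A scheduler that keys its jobs to a clock that does not jump, as Exaquantum does by keeping internal data in UTC (see 4.3.3), does not have this problem.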

4.3.2 Accuracy of the VEHICLE Clock
The accuracy of the VEHICLE clock is ±120 seconds/month, that is, a station left unsynchronized can drift by up to about 4 seconds per day.


4.3.3 Time Synchronization with Exaquantum
An Exaopc station has the same type of VEHICLE clock and time synchronization program as an HIS, so the clock of the Exaopc station is also synchronized. An Exaquantum station can synchronize its clock with either an HIS or an Exaopc station, so the time synchronization covers the whole project including the Exaquantum station. The interval for time synchronization between the Exaquantum station and the HIS or Exaopc station is set on Exaquantum; the default is every 10 minutes. Inside Exaquantum, the internal data use UTC (Coordinated Universal Time), so the data are not affected by summer time.

(Figure F040003: the HIS acting as time master and the Exaopc station on the V net each carry a system clock and a VEHICLE clock kept aligned by the time synchronization service, and the FCS is on the same V net; Exaquantum, on Ethernet, synchronizes its system clock with the Exaopc station.)


4.3.4 Time Synchronization with an External Clock
As described in the previous sections, time synchronization within a V net domain is based on the reference time of the time master station. However, the synchronization can also follow an external reference time. The external time signal can be received either by an HIS or by an FCS. When an HIS is used to receive the external time signal, an option program is required.

1) Using the FCS to Receive the External Time Signal
Connect the external time signal to the FCS; the FCS sends a %M3 message to the HIS, and a program on the HIS may adjust the HIS clock according to the time signal.

(Figure F040004: an external clock is wired to a contact input of the FCS; the FCS sends a %M3 message over the V net to the HIS running the option program, which sets the HIS system clock; the time synchronization service carries the system clock to the VEHICLE clock, and the HIS, as time master, notifies the time to the other HIS.)


2) Using the HIS to Receive the External Time Signal
Connect the external time signal to the HIS; a program on the HIS may adjust the HIS clock according to the time signal.

(Figure F040005: the external clock is wired to a contact input of the HIS running the option program, which sets the HIS system clock; the time synchronization service carries the system clock to the VEHICLE clock, and the time master notifies the time to the other HIS and the FCS over the V net.)


Revision Information
Title: CENTUM CS 1000/CS 3000 Yokogawa's Approach to meeting FDA 21 CFR Part 11
Manual No.: TI 33Q01A61-01E

Feb. 2002 / 1st Edition: Newly published
May 2002 / 2nd Edition: Overall revision
Sep. 2003 / 3rd Edition: Overall revision


Written by Yokogawa Electric Corporation

Published by Yokogawa Electric Corporation 2-9-32 Nakacho, Musashino-shi, Tokyo 180-8750, JAPAN

Printed by KOHOKU PUBLISHING & PRINTING INC.

Subject to change without notice.