21 CFR part 11 compliance: Electronic Records and Signatures

Peak Spectroscopy is compliant with Title 21 of the Code of Federal Regulations (CFR), Part 11. This regulation concerns the creation and maintenance of electronic records so that the records can be trusted to be reliable. It is mostly of concern to companies that fall under FDA requirements.

These software features are necessary:

  • User Administration. Users must have unique password-protected logins in the software itself.
  • Document control. This means electronic signatures of documents.
  • Audit Trails. All changes to data files, databases, and methods (PLS, QC, etc.) are recorded in a permanent audit trail.
  • Tamper detection. Any attempt to alter a controlled document must be detected.

21 CFR Part 11 add-on package for Peak Spectroscopy

21 CFR Part 11 compliance is an add-on package for Peak Spectroscopy. To get a trial version, please email peaks@tds.net.

Compliance Statement

The compliance statement for Peak Spectroscopy can be downloaded here: Operant_21CFR_Part_11_Compliance_Statement.pdf

User Administration

The User Administration is performed through a separate program, named "userAdmin.exe". This add-on program is a separate download.

The userAdmin documentation can be downloaded here: userAdmin.pdf

The userAdmin program meets these requirements:

  1. The System must require a user ID and password combination to log on.
  2. The System must require the user ID and password combination to be unique.
  3. The System must allow the ability to require a password change on log-in.
  4. The System must provide a configurable minimum password length (at least 6 characters).
  5. The System must provide the ability to lock out users after a selectable number of incorrect password attempts (minimum of three attempts).
  6. The System must provide a configurable inactivity time-out.
  7. The system time-out must require the user to log in again in order to access the application.
  8. User passwords must not be viewable on-screen when being entered by the user.
  9. The passwords must expire after an administrator-configurable number of days.
  10. The System must prevent the reuse of at least the last five passwords when the password is being changed.
  11. Passwords must be encrypted so that the System administrator cannot read the password content.
  12. The System must provide access roles that allow for administrators with all system access, administrators with limited permissions, and general users with limited permissions.
  13. Only administrators are allowed to create, modify or disable users, groups and roles.
  14. Only administrators are allowed to configure the system.

Audit Trail Functionality

  1. The audit trail must include a secure date/time stamp associated with the creation, modification or deletion of data.
  2. The audit trail must capture the date and time the action was performed.
  3. The audit trail must be designed such that a reviewer can trace all changes to a record from its current state back to the original created value(s).
  4. The audit trail function must be automatic (i.e. independent of the user) and computer generated.
  5. The audit trail must be designed such that it does not overwrite or delete data.
  6. The audit trail must be unable to be turned off.
  7. The audit trail must be designed such that it is protected from accidental or intentional modification or deletion.
  8. The audit trail must be viewable electronically in human readable format.
  9. The audit trail should be printable.
  10. The audit trail must capture who performed the action.
  11. The audit trail must capture old value and new value (explicit or through file version linkages).
  12. The audit trail must capture insert, delete, or modify actions.