LCquan 2.5.6 Configuring for Compliance with 21 CFR Part 11

LCquan 2.5.6 Configuring for Compliance with 21 CFR Part 11
Xcalibur
LCquan
Configuring LCquan for Compliance with
21 CFR Part 11
Administrator Guide
XCALI-97168 Revision D
August 2007
© 2007 Thermo Fisher Scientific Inc. All rights reserved.
Microsoft, Access, Excel, Notepad, and Windows are registered trademarks of Microsoft Corporation.
Adobe and Acrobat are registered trademarks of Adobe Systems Incorporated. Oracle is a registered trademark
of Oracle Corporation.
All other trademarks are the property of Thermo Fisher Scientific Inc. and its subsidiaries.
Thermo Fisher Scientific Inc. provides this document to its customers with a product purchase to use in the
product operation. This document is copyright protected and any reproduction of the whole or any part of this
document is strictly prohibited, except with the written authorization of Thermo Fisher Scientific Inc.
The contents of this document are subject to change without notice. All technical information in this
document is for reference purposes only. System configurations and specifications in this document supersede
all previous information received by the purchaser.
Thermo Fisher Scientific Inc. makes no representations that this document is complete, accurate or errorfree and assumes no responsibility and will not be liable for any errors, omissions, damage or loss that might
result from any use of this document, even if the information in the document is followed properly.
This document is not part of any sales contract between Thermo Fisher Scientific Inc. and a purchaser. This
document shall in no way govern or modify any Terms and Conditions of Sale, which Terms and Conditions of
Sale shall govern all conflicting information between the two documents.
Release history: Revision A - March 2006, Revision B - February 2007, Revision C - April 2007,
Revision D - August 2007
Minimum software requirements: LCquan 2.5.6; Xcalibur 2.0.7; TSQ Quantum 1.4; LC Devices 2.0.2;
Thermo PAL 1.0; Microsoft Windows XP Professional SP 2; Microsoft Office 2003 or 2007
For Research Use Only. Not regulated for medical or veterinary diagnostic use by U.S. Federal Drug
Administration or other competent authorities.
C
Contents
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
About This Guide. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Related Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Special Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .viii
Contacting Us . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .viii
Thermo Scientific
Chapter 1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1
Major Requirements of 21 CFR Part 11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Prevention of Data Falsification. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Data Reconstruction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
System Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Compliance with 21 CFR Part 11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Configuring Software Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Security Features Within the Software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Prerequisites To Configuring the System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Determining How Users Perform Sample Acquisition. . . . . . . . . . . . . . . . . . . 5
Understanding LCquan Folder Structure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Understanding and Planning Secure User Groups . . . . . . . . . . . . . . . . . . . . . . 8
Understanding the Administrator Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Chapter 2
Using the Database Configuration Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Using Microsoft and Oracle Databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Configuring Your Auditing Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Chapter 3
Establishing Secure File Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
Applying the Security Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Verifying the Properties of the Finnigan Security Server . . . . . . . . . . . . . . . . . . 28
Verifying the Properties of the Finnigan Database Service . . . . . . . . . . . . . . . . . 31
Configuring Security Settings for Folders and Files . . . . . . . . . . . . . . . . . . . . . . 33
Configuring Security Settings for the Root Folder . . . . . . . . . . . . . . . . . . . . . 34
Configuring Settings for the Security Folder . . . . . . . . . . . . . . . . . . . . . . . . . 42
Configuring Security Settings for the Database Registry Key . . . . . . . . . . . . . . . 44
Specifying the Way Users Log On and Off . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Turning Off Fast User Switching for Local Workstations . . . . . . . . . . . . . . . 47
Sequential User Logon and Automatic Logoff . . . . . . . . . . . . . . . . . . . . . . . . 48
Removing and Archiving Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
LCquan Administrator Guide for 21 CFR Part 11
iii
Contents
Chapter 4
Defining Secure User Groups and Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . .51
Using the Authorization Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Setting Up Secure User Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Defining User Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Editing User Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Setting Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Changing the Permission Level of a Feature . . . . . . . . . . . . . . . . . . . . . . . . . 56
Setting All Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Inheriting Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Exporting and Importing Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Defining the List of Secure Folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Requiring User Comments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Setting Up Secure Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
About the Secure Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Setting Up a Secure Template Folder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Configuring Secure Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Viewing the Authorization Manager History Log . . . . . . . . . . . . . . . . . . . . . . . 63
Printing the Security Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Saving the Security Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Chapter 5
Auditing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65
Accessing the Auditing Databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Accessing the Global Auditing Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Accessing an LCquan Workbook Database . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Viewing the Audit Viewer Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Filtering the Audit Viewer Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Sorting the Audit Viewer Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Printing the Audit Viewer Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Printing the Audit Trail for the Global Auditing Database . . . . . . . . . . . . . . 71
Printing the Audit Trail for an LCquan Workbook Database . . . . . . . . . . . . 71
Appendix A Permission Level Settings in LCquan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .73
Permission Level Settings that You Must Set to Disallow . . . . . . . . . . . . . . . . . 73
Permission Level Settings and Interactions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Appendix B Installing an Oracle Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79
Installing the Oracle Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Installing the Oracle Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Appendix C IT Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .103
Updating the Registry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Avoid Antivirus Scanning During Data Acquisition . . . . . . . . . . . . . . . . . . 104
Do Not Delete the Xcalibur System Account . . . . . . . . . . . . . . . . . . . . . . . 104
Ensure that a Firewall Exception Exists for the Instrument . . . . . . . . . . . . . 104
iv
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
Contents
Appendix D Watson Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .105
Recommended Settings for Excel. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Rounding the Decimal Places . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Setting the Excel Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
About the Watson Digital Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
v
P
Preface
About This Guide
The LCquan™ 2.5.6 software is part of the Xcalibur® mass spectrometry data system. This
administrator guide describes how to configure the Xcalibur and LCquan software to help
you comply with the Electronic Records and Electronic Signatures Rule, published by the
United States Food and Drug Administration as 21 CFR Part 11. The intended audience
includes both the laboratory administrator and a local IT professional, who has administrative
privileges for the system.
IMPORTANT Some of the instructions in this guide assume an understanding of the
Microsoft® Windows® security features and settings. Thermo Fisher Scientific strongly
recommends that you enlist the local IT professional to perform these tasks.
Related Documentation
The following LCquan manuals are available on the LCquan software CD as PDF files:
• LCquan Administrator Guide describes how to configure the software for compliance with
21 CFR Part 11.
• LCquan Getting Productive Guide describes how to use LCquan to perform quantitative
analysis of compounds.
If you are using a Watson LIMS, refer to Installing and Using the Peak View Gateway Between
Watson and LCquan.
Y To view the installed LCquan manuals
Go to Start > Programs > Xcalibur > Manuals > LCquan.
The Help contains an LCquan tutorial that provides an overview of how to use LCquan with
an example data set.
Y To open the LCquan Help
From the LCquan window, choose Help > LCquan Help. To locate a particular topic, use
the Help Contents, Index, or Search panes.
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
vii
Preface
Special Notices
Make sure you follow the precautionary statements presented in this guide. The special
notices include the following:
IMPORTANT Highlights information necessary to prevent damage to software, loss of
data, or invalid test results; or might contain information that is critical for optimal
performance of the system.
Note Highlights information of general interest.
Tip Helpful information that can make a task easier.
Contacting Us
There are several ways to contact Thermo Fisher Scientific.
Y To contact Technical Support
Phone
Fax
E-mail
Knowledge base
800-685-9535
561-688-8736
[email protected]
www.thermokb.com
Find software updates and utilities to download at www.mssupport.thermo.com.
Y To contact Customer Service for ordering information
Phone
Fax
Web site
800-532-4752
561-688-8731
www.thermo.com/finnigan
Y To suggest changes to documentation or to Help
• Fill out a reader survey online at www.thermo.com/lcms-techpubs.
• Send an e-mail message to the Technical Publications Editor at
[email protected]
viii
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
1
Introduction
This chapter briefly describes the major requirements for the Electronic Records and
Electronic Signatures Rule, published by the United States Food and Drug Administration as
21 CFR Part 11.1 This chapter also provides an overview of the tasks required to configure
Xcalibur and LCquan to help ensure technical compliance with 21 CFR Part 11.
Note that 21 CFR Part 11 requires both technical and procedural compliance. To achieve
technical compliance, you must use software that contains the required security features and
functions. To accomplish procedural compliance, you must establish standard operating
procedures and policies that define how to use processes and systems in a manner that
complies with 21 CFR Part 11.
Contents
• Major Requirements of 21 CFR Part 11
• Compliance with 21 CFR Part 11
• Understanding LCquan Folder Structure
• Prerequisites To Configuring the System
• Understanding the Administrator Tasks
Major Requirements of 21 CFR Part 11
In August 1997, the United States Food and Drug Administration published a rule for
electronic records and electronic signatures under the current good manufacturing practice
(cGMP) regulations in the Code of Federal Regulations (21 CFR Part 11). The rule provides
criteria under which electronic records and electronic signatures can be considered equivalent
to paper records and handwritten signatures. It also permits the widest possible use of
electronic technology.
1Code
of Federal Regulations, Title 21, Food and Drugs, Part 11 “Electronic Records: Electronic Signature
Final Rule,” Federal Register 62 (54) 1997, 13429-13466. The final rule is also available electronically at
http://www.fda.gov/ora/compliance_ref/part11/.
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
1
1
Introduction
Major Requirements of 21 CFR Part 11
To comply with 21 CFR Part 11, the laboratory administrator must implement rules to
ensure that proper methods, procedures, and controls are in place. These rules address the
following issues:
• Prevention of Data Falsification
• Data Reconstruction
• System Security
Prevention of Data Falsification
You can falsify electronic data in several ways:
• Modify it directly.
• Modify it indirectly by deleting records.
• Modify it indirectly by using readily available tools.
To prevent falsification, you must implement a number of controls. These controls can be
procedural in nature or can be functionally implemented within the system generating the
electronic records. Normally, a combination of both methods is required to achieve
compliance.
To help prevent data falsification, Xcalibur software uses audit trails and system security.
Data Reconstruction
Although it is important to demonstrate that data has not been falsified, it is just as important
to show how it has been generated. Raw data cannot be reconstructed; however, it is possible
to regenerate all other records derived from the original raw data files.
An efficient and comprehensive audit trail ensures that all electronic records generated from
the raw data can be regenerated. To do this, audit trail entries must be made for all events and
actions required to regenerate the records. In addition, new audit trail entries must be added
only to existing records; they must not overwrite or obstruct other records. Finally, the user
must not have any control of the audit trail records, nor be able to modify the configuration
of the audit trail. The audit trails created by Xcalibur software meet these requirements.
2
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
1 Introduction
Compliance with 21 CFR Part 11
System Security
Most organizations implement strict security procedures for their computer networks to
prevent unauthorized access to data. In this context, unauthorized access means:
• Access by an individual (external or internal to the organization) who has not been
granted the authority to use, manipulate, or interact with the system.
• Access through the use of the identity of another individual—for example, by using a
colleague’s user name and password.
The 21 CFR Part 11 rule defines a number of controls to ensure that only the individuals
who have some level of responsibility towards the system that generates electronic records can
access them. The rule includes both procedural controls and functionality controls.
Xcalibur implements some of these controls directly and relies on the security functions in the
Microsoft Windows XP Professional operating system for other controls, for example:
• Secure file operations are controlled by the Finnigan Security Server.
• User access is restricted by the administrator through the Xcalibur Authorization
Manager (an administrative utility), which relies on Windows XP Professional user
groups.
• Software feature access is controlled by the administrator through the Xcalibur
Authorization Manager.
• User authentication is handled by the Windows XP Professional security functions.
• Electronic record security is maintained by the Windows XP Professional security
functions, and in particular the NTFS permission rights.
Compliance with 21 CFR Part 11
Security features and functions added to certain Xcalibur software applications enable users of
these applications to comply with 21 CFR Part 11. To fully implement these security
features, the laboratory administrator should work with the IT professional to configure the
software properly.
Configuring Software Applications
Configuring software for compliance with 21 CFR Part 11 requires two steps:
• Protecting Records
• Setting Up User Access Controls
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
3
1
Introduction
Compliance with 21 CFR Part 11
Protecting Records
To establish secure file operations, the laboratory administrator must restrict access
permissions for specific folders and files. The permissions must be set so that only an
administrator can delete or alter records. The use of protected folders and files ensures that
unauthorized users cannot obscure previous records by using a utility such as Microsoft
Windows Explorer.
Setting Up User Access Controls
To control user access, the laboratory administrator must define secure user groups, and then
grant access permissions for each group. The administrator can restrict defined groups of users
from performing various functions within the application software. This restriction can range
from complete prohibition, through several levels of password-required access, to no
restrictions. You set user access controls through the Xcalibur Authorization Manager.
After the security settings are defined for at least one group, users not in a secure group are
denied access to the application.
IMPORTANT If no secure groups are defined, then all features of the software are
accessible by all users.
Security Features Within the Software
After the appropriate file protections and user access controls are in place, the software
application employs several built-in features to ensure the security of the data and to meet
21 CFR Part 11 requirements.
The software application performs Cyclic Redundancy Checks (CRCs) to protect against
malicious changes to data files. A CRC can detect file corruption and attempted changes to
data files outside the application. The CRC calculates checksums for sets of data, using
mathematical formulas, and embeds the value within the file. Each time the file is opened, the
checksums are recalculated and compared with the stored values. When data are modified or
processed within the application, new checksums are calculated and stored.
In addition, the software application includes a file tracking system that maintains a database
of the files created in or used by the application. When an existing project is opened, the
software application displays a warning if files within that project have been moved or
modified (as determined from the CRC value).
A comprehensive audit trail ensures that all electronic records generated from the raw data
can be regenerated. The audit trail comprises three parts: the history log, the event log, and
the file tracking log. The history log contains information about every parameter change a
user has made within an LCquan workbook. The event log contains information about all the
events that have occurred within the application, such as the creation of a workbook or the
execution of a command that is under authorization control. The file tracking log tracks
changes made to files contained within an LCquan workbook.
4
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
1 Introduction
Prerequisites To Configuring the System
Prerequisites To Configuring the System
As the laboratory administrator, you must plan how the laboratory will function before
performing the procedures in this guide. At a minimum, you must address the following:
• “Determining How Users Perform Sample Acquisition” on page 5
• “Understanding LCquan Folder Structure” on page 7
• “Understanding and Planning Secure User Groups” on page 8
Determining How Users Perform Sample Acquisition
Figure 1 illustrates the following three options for how users can perform sample acquisitions
and where the LCquan system can store the acquired sample data:
• Scenario a—Acquired sample data stored on standalone workstation (local users)
• Scenario b—Acquired sample data stored on workstation that is on a network (domain
users)
• Scenario c—Acquired sample data stored on network server (domain users)
A scenario b or c configuration can be integrated with a laboratory information management
system (LIMS), such as the Watson LIMS. If you are using a Watson LIMS, refer to Installing
and Using the Peak View Gateway Between Watson and LCquan.
For scenario c, LCquan supports the Citrix Presentation Server™ environment for LCquan
workstations that are for data review only. Citrix can provide application virtualization to
manage the LCquan software configuration and maintenance. An instance of LCquan
running on a Citrix server cannot be used for acquisition. The IT professional is responsible
for installing LCquan on the Citrix server.
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
5
1
Introduction
Prerequisites To Configuring the System
Figure 1.
Options for LCquan sample acquisition
a. Acquisition to a standalone LCquan system
Local acquisition
Local user
Standalone workstation
LCMS system
Workstation
(LCquan data storage)
b. Acquisition to a standalone LCquan system on a network
Server
LCMS system
Local acquisition
Domain users
Networked workstation but data stored locally
(LIMS option)
Workstation
(LCquan data storage)
c. Acquisition to a network server
Network acquisition
Domain users
Networked workstations
(LIMS option and Citrix option)
Workstation
Server
(LCquan data storage)
Workstation
LCMS system
6
Workstation
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
1 Introduction
Prerequisites To Configuring the System
Understanding LCquan Folder Structure
The LCquan folder structure includes the following:
• Security folder—Contains the configuration files. The Xcalibur Authorization Manager
retrieves the controlled feature information from the configuration files in the Security
folder. The file path for the security folder is as follows:
\Xcalibur\system\security
• Root folder or folders—Contain the LCquan projects.
−
If the acquired data is stored locally (Figure 1, scenario a), you can use the default
folder, \Xcalibur\QuanRoot, or you can create your own LCquan root folder.
−
If the acquired data is stored on a network server, you must designate a folder on the
network server as the LCquan root folder.
For each new project, LCquan creates the following hierarchical folder structure (Figure 2)
within the designated root folder:
• Study folder—Top-level folder within the root folder. Each study folder contains one or
more workbook folders. The study folder can contain any number of workbook folders,
but each workbook must have a unique name.
• Workbook folder—Contains all the information that LCquan uses for an individual
quantitative analysis project. The workbook folder contains the LCquan file (.lqn file),
the instrument method file (.meth file), and an audit database (.mdb). The workbook
folder also contains the following folders:
−
Exports folder—Stores copies of all files that are exported from LCquan, such as
report files.
−
Imports folder—Stores a copy of legacy files that you import into the workbook,
such as instrument method file, processing method file, or sequence files.
−
Rawfiles folder—Contains acquired data files (.raw files), as well as any imported
raw data files.
−
Temp folder—Contains temporary files used by LCquan.
Figure 2.
Thermo Scientific
LCquan folder structure for a quantitative analysis project
LCquan Administrator Guide for 21 CFR Part 11
7
1
Introduction
Prerequisites To Configuring the System
Understanding and Planning Secure User Groups
LCquan requires both the security features of the Microsoft Windows XP operating system
and the Xcalibur Authorization Manager to define the LCquan secure user groups and
permissions. Typically, the IT professional is responsible for establishing the Microsoft
Windows user accounts and user groups. The laboratory administrator is responsible for
setting up the permission levels in Authorization Manager, and private groups if necessary.
• Microsoft Windows user groups
−
Domain user accounts and user groups (Figure 1, scenarios b and c) must be created
and managed by the IT professional.
−
Standalone workstation user accounts and user groups (Figure 1, scenario a) can be
created by the IT professional or laboratory administrator.
IMPORTANT Each Microsoft Windows user account must be associated with a
user ID, a password, and a full description. These items are required for the system to
store the auditing information in the designated database.
• Authorization Manager private groups—A group can be either a pre-existing Microsoft
Windows user group or a private group that you configure within Authorization
Manager.
−
Networked workstation (Figure 1, scenarios b and c)—A user must be a member of a
domain user group before the laboratory administrator can add the user to a private
group. If an intended user is not a user on the domain, the IT professional must
create a user account for the user.
−
Standalone workstation (Figure 1, scenario a)—A user must have a logon account for
the workstation before the laboratory administrator can add the user to a private
group. The IT professional or laboratory administrator must create a user account for
each intended user.
The laboratory administrator must make the following decisions before asking the IT
professional to configure Microsoft Windows user groups for domain users, or before
configuring private groups in Authorization Manager:
• Types of user roles, for example, administrator, supervisor, scientist, technician, auditor,
and quality assurance
• Individuals assigned to each user role and their projects
• Permissions for a given user role, such as authority to create methods and acquire data,
signature authority, or read-only access to workbooks
For example, a laboratory might have standard operating procedures that prohibit
technicians from performing certain operations with the software. But the same
laboratory might not have any restrictions on the software operations that the scientists
can perform. In this case, the laboratory administrator must create at least two user
groups—one for scientists and one for technicians.
8
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
1 Introduction
Prerequisites To Configuring the System
See Figure 3. Note that a user can belong to more than one user group.
Figure 3.
LCquan system users and user groups example
LCquan users and groups
LCquan studies
Study A
1
2
3
4
LCquan
workbooks
5
Study B
LC/MS system
1
2
6
7
3
Study C
Workstation
Server
Note: Users 1, 2, and 3 belong to more that one user group.
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
9
1
Introduction
Understanding the Administrator Tasks
Understanding the Administrator Tasks
The laboratory administrator should work with the IT professional to configure the system
for compliance with 21 CFR Part 11. Table 1 is a checklist of the tasks for both the
IT professional and the laboratory administrator roles. Figure 4 and Figure 5 show how the
tasks can vary for different laboratory configurations.
IMPORTANT Thermo Fisher Scientific strongly recommends that the local
IT administrator configure the Microsoft Windows security features and settings.
Make sure you complete the procedures that are outlined in Table 1 and that are described in
detail in the following chapters. Otherwise, the software might not fully comply with
21 CFR Part 11 requirements.
Table 1. Checklist of tasks for configuring Xcalibur software applications to comply with 21 CFR Part 11
Task
10
Refer To Topic
Role
1. Install Xcalibur and LCquan on the
designated workstations.
Installation instructions packaged
with the software CDs
IT professional
or laboratory
administrator
2. Run the database configuration
application.
“Using the Database Configuration
Manager” on page 15
IT professional
(Oracle®
database) or
laboratory
administrator
3. Apply the security template.
“Applying the Security Template”
on page 19 and
“IT Considerations” on page 103
IT professional
4. Ensure that the Finnigan Security Server
is configured and running properly.
“Verifying the Properties of the
Finnigan Security Server” on
page 28
IT professional
or laboratory
administrator
5. Determine which folder to use as the
LCquan secure root folder and identify
the secure user groups.
“Understanding LCquan Folder
Structure” on page 7 and
“Understanding and Planning
Secure User Groups” on page 8
Laboratory
administrator
LCquan Administrator Guide for 21 CFR Part 11
Completed?
Thermo Scientific
1 Introduction
Understanding the Administrator Tasks
Table 1. Checklist of tasks for configuring Xcalibur software applications to comply with 21 CFR Part 11, continued
Task
Refer To Topic
Role
“Configuring Security Settings for
Folders and Files” on page 33
IT professional
7. Configure sequential user logon and
automatic logoff.
“Specifying the Way Users Log
On and Off ” on page 47
IT professional
or laboratory
administrator
8. Configure Authorization Manager settings
for LCquan:
“Using the Authorization
Manager” on page 51
Laboratory
administrator
a. Define LCquan user groups.
“Setting Up Secure User Groups”
on page 53
Laboratory
administrator
b. Set permission levels for software
features for each LCquan user group.
“Setting Permissions” on page 55,
“Setting Up Secure Reports” on
page 61, and “Permission Level
Settings in LCquan” on page 73
Laboratory
administrator
c. If users are permitted to change the
secure root folder, define the list of
secure folders.
“Defining the List of Secure
Folders” on page 59
Laboratory
administrator
d. Specify whether users are required to
make comments.
“Requiring User Comments” on
page 60
Laboratory
administrator
e. Save the configuration settings.
“Saving the Security Settings” on
page 64
Laboratory
administrator
6. Configure Microsoft Windows security
settings:
• Set up users and groups.
• Specify the password lockout
parameters for failed logon attempts.
Refer to your company's guidelines.
Completed?
(Laboratory
administrator
can also
restrict access
to the secure
root folder.)
• Restrict access to the secure root
folder. Ensure users have permissions
to write to the secure root folder.
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
11
1
Introduction
Understanding the Administrator Tasks
Figure 4.
Domain users—configuration tasks of the laboratory administrator and IT professional
Laboratory Administrator Tasks
IT Professional Tasks
Plan user roles, permissions, and projects.
Decide how users perform sample acquisition
and where data is stored.
Citrix
server?
Yes
Install LCquan on the Citrix workstation.
Refer to the Citrix Presentation Server documentation.
No
Is system
part of LIMS?
Yes
Configure the LIMS. Refer to the LIMS documentation.
For the Watson LIMS, refer to Installing and Using the
Peak View Gateway Between Watson and LCquan.
No
Configure the database (Microsoft Access™ or Oracle).
Configure the Microsoft Windows security settings for
domain users and groups.
- Apply the security template.
- Ensure the Finnigan Security Service is set up and
running properly.
- Specify how users log on and off.
Identify list of secure folders.
Configure Authorization Manager:
- Identify LCquan user groups.
- Set permissions for each software feature.
- Specify if user comments are required.
12
LCquan Administrator Guide for 21 CFR Part 11
Configure the LCquan secure root folder:
- Create the folder: If data storage is on a network, create
folder on network drive. If data storage is on a domain
LCquan workstation, create folder on the workstation.
- Restrict access and ensure LCquan users and groups have
proper folder permissions (read/write).
Thermo Scientific
1 Introduction
Understanding the Administrator Tasks
Figure 5.
Local users on a standalone workstation—Configuration tasks of the laboratory administrator and IT professional
Laboratory Administrator Tasks
IT Professional Tasks
Plan user roles, permissions, and projects.
Decide how users perform sample acquisition
and where data is stored.
Configure the database (Microsoft Access or Oracle).
Configure the Microsoft Windows security settings for
domain users and groups.
Configure the LCquan secure root folder on
the workstation.
- Identify a folder to use as the LCquan
secure root folder
(by default, \Xcalibur\QuanRoot).
- Restrict access and ensure LCquan users
and groups have proper folder permissions
(read, write).
- Apply the security template.
- Ensure the Finnigan Security Service is set up and
running properly.
- Specify how users log on and off.
Configure Authorization Manager:
- Identify LCquan user groups.
- Set permissions for each software feature.
- Specify if user comments are required.
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
13
2
Using the Database Configuration Manager
This chapter describes how to use the Database Configuration Manager to configure your
compliance database. The compliance database keeps a record of auditable events and changes
made to files created by or managed by Xcalibur. Until you run the Database Configuration
Manager, all applications run without auditing, and the system is not in compliance with
21 CFR Part 11.
Contents
• Using Microsoft and Oracle Databases
• Configuring Your Auditing Database
Using Microsoft and Oracle Databases
LCquan uses a Microsoft Access database to store each LCquan workbook audit trail. To store
the Xcalibur Global audit trail, you can use either of the following:
• Oracle database on a network workstation or server (remote system)
• Microsoft Access database on a standalone or networked workstation or server
Note If you have already run the Database Configuration Manager program as part of
configuring Xcalibur 2.0 for 21 CFR Part 11 compliance, you do not need to run the
program again.
If the Watson LIMS is part of the workflow, refer to the Watson documentation for database
setup instructions that are specific to the Watson LIMS.
To use an Oracle database, make sure that you complete the following tasks:
1. If the site does not have an Oracle server, install an Oracle database on an accessible
remote server. See “Installing the Oracle Server” on page 80, or consult your Oracle
database administrator for more information.
2. Install the Oracle client software on your local system. See “Installing the Oracle Client”
on page 93, or consult your Oracle database administrator for more information.
3. Make sure that you know the User Name, Password, and Oracle Net Service Name of
your Oracle database. Obtain this information from your Oracle database administrator.
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
15
2
Using the Database Configuration Manager
Configuring Your Auditing Database
IMPORTANT Ensure that no other Xcalibur applications are running at the same time as
the Database Configuration manager. Auditing of Xcalibur applications cannot take place
while running the Database Configuration manager.
Configuring Your Auditing Database
This section describes how to use the Database Configuration manager to configure your
auditing database.
Y To configure your auditing database
1. From the Windows XP taskbar, choose
Start > All Programs > Xcalibur > Database Configuration. The Auditing Database
Configuration Manager dialog box appears. See Figure 6.
2. In the Select Database Type group box, select the database type:
• If you are using a Microsoft Access database, select the Microsoft Access option
button, and go to step 4.
• If you are using an Oracle database, select the Oracle on Network Server option
button, and go to step 3.
3. If you are using an Oracle database, specify the Oracle database parameters:
a. In the User Name text box, enter the database user name.
b. In the Password text box, enter the database password.
c. In the Oracle Net Service Name list, select the Oracle Net Service Name for your
database.
Note Be sure to use the Oracle user name and password provided by your Oracle
database administrator.
16
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
2
Figure 6.
Using the Database Configuration Manager
Configuring Your Auditing Database
Auditing Database Configuration Manager dialog box
4. Click Next. The DatabaseConfigManager dialog box appears. See Figure 7.
Figure 7.
DatabaseConfigManager dialog box
5. Verify that the settings in the DatabaseConfigManager dialog box are correct, and then
click OK. The appearance of the Auditing Database Configuration Manager dialog
box should be similar to that shown in Figure 8.
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
17
2
Using the Database Configuration Manager
Configuring Your Auditing Database
Figure 8.
Auditing Database Configuration Manager dialog box showing restart settings
6. Select a restart option:
• To restart the computer automatically, select Restart Computer Now.
• To restart the computer manually at a later time, select I Will Restart Later.
Note The changes made in the Database Manager take effect after restarting the
computer.
7. Click Finish to save your settings and close the Auditing Database Configuration
Manager dialog box.
18
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
3
Establishing Secure File Operations
The 21 CFR Part 11 rule requires that previously recorded information cannot be obscured
by record changes. This rule also requires that records be protected to enable their accurate
and ready retrieval.
To comply with these requirements, you must store all electronic records in protected folders,
and you must establish standard operating procedures for precise and systematic record
archiving.
Contents
• Applying the Security Template
• Verifying the Properties of the Finnigan Security Server
• Verifying the Properties of the Finnigan Database Service
• Configuring Security Settings for Folders and Files
• Configuring Security Settings for the Database Registry Key
• Specifying the Way Users Log On and Off
• Removing and Archiving Files
For information on setting up secure reporting using XReport templates, see “Setting Up
Secure Reports” on page 61.
Applying the Security Template
The security template is a preconfigured set of security and permission settings for a Microsoft
Windows XP computer. By applying the security template to a Windows XP computer, you
change the status of normal users to enhanced users so that they can access the registry and
run Xcalibur. Without the security template, all normal users would be unable to run
Xcalibur.
We recommend applying this security template to all Windows XP computers in a
21 CFR Part 11-compliant environment.
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
19
3
Establishing Secure File Operations
Applying the Security Template
Y To apply the security template to a Windows XP computer
1. Log on to the computer as an administrator.
2. From the Windows XP taskbar, choose Start > Run. The Windows Run dialog box
appears. See Figure 9.
Figure 9.
Windows Run dialog box
3. In the Windows Run dialog box, in the Open box, type mmc, and then click OK. The
Windows Console menu appears. See Figure 10.
Figure 10. Windows Console menu
4. In the Windows Console menu, choose File > Add/Remove Snap-In. The
Add/Remove Snap-in dialog box appears. See Figure 11.
20
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
3
Establishing Secure File Operations
Applying the Security Template
Figure 11. Add/Remove Snap-in dialog box
5. In the bottom left corner of the Add/Remove Snap-in dialog box, click Add. The
Add Standalone Snap-in dialog box appears. See Figure 12.
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
21
3
Establishing Secure File Operations
Applying the Security Template
Figure 12. Add Standalone Snap-in dialog box
6. In the Add Standalone Snap-in dialog box, choose the Security Configuration
and Analysis option. See Figure 12.
7. Click Add, and then click Close. The Add/Remove Snap-in dialog box appears. See
Figure 13.
22
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
3
Establishing Secure File Operations
Applying the Security Template
Figure 13. Add/Remove Snap-in dialog box, displaying the Security Configuration and
Analysis option
8. In the Add/Remove Snap-in dialog box, select Security Configuration and Analysis,
and then click OK to return to the Console Root window. See Figure 14.
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
23
3
Establishing Secure File Operations
Applying the Security Template
Figure 14. Console Root window, with Security Configuration and Analysis option
9. In the console tree of the Console Root window, double-click
Security Configuration and Analysis. The Security Configuration and Analysis
information appears in the right side of the Console window. See Figure 15.
Figure 15. Console Root\Security Configuration and Analysis window
10. In the Console tree on the left side of the Console window, right-click
Security Configuration and Analysis, and then choose Open Database from the
shortcut menu. The Open database dialog box appears. See Figure 16.
24
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
3
Establishing Secure File Operations
Applying the Security Template
Figure 16. Open database dialog box
11. In the File name box, type a name for the security database (the security database is
temporary), and then click Open. The Import Template dialog box appears. See
Figure 17.
Figure 17. Import Template dialog box
12. In the Import Template dialog box, click the compatws.inf template, and then
click Open. The Console Root\Security Configuration and Analysis window appears.
See Figure 18.
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
25
3
Establishing Secure File Operations
Applying the Security Template
Note The compatws.inf template is for low-level security settings for Microsoft
Windows XP Professional.
Figure 18. Console Root\Security Configuration and Analysis window
13. In the console tree, right-click the Security Configuration and Analysis option, and
then choose Configure Computer Now from the shortcut menu. The
Configure System dialog box appears. See Figure 19.
Figure 19. Configure System dialog box
14. In the Configure System dialog box, click Browse. Select the directory in which you
want to save the error log file, and then click OK. The Configuring Computer Security
status box appears and displays the progress. See Figure 20.
26
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
3
Establishing Secure File Operations
Applying the Security Template
Figure 20. Configuring Computer Security status box
Your system settings are now configured to those recommended by the template.
15. Choose File > Exit to close the Console menu. The Microsoft Management Console
window appears. See Figure 21.
Figure 21. Microsoft Management Console window
16. In the Microsoft Management Console window, click Yes to save the Console settings.
The Console settings are saved, and the Security settings are added to the computer.
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
27
3
Establishing Secure File Operations
Verifying the Properties of the Finnigan Security Server
Verifying the Properties of the Finnigan Security Server
The Finnigan Security Server has two main functions:
• User authentication. If you select authentication for certain events using the
Authorization Manager, then the Security Server verifies user names and passwords
whenever they are entered.
• Secure file operations. You can set the Security Server to take ownership of the data
folders and files. This security measure prevents users from deleting data they own.
When the system administrator installs the application, the Security Server is installed and
started. It is configured to start automatically every time the computer is restarted.
IMPORTANT You must prevent unauthorized users from stopping the Security Server.
If the Security Server is stopped, the security features in the software application do not
function properly.
As long as the user who installed the application software and the Security Server had
administrative rights, only an administrator is able to stop the server.
Y To verify that the properties of the Security Server are set correctly
1. Open the Windows Services feature as follows:
a. From the Windows XP taskbar, choose Start > Control Panel.
b. Double-click Administrative Tools.
c. Double-click Services.
2. Right-click Finnigan Security Server, and then choose Properties from the shortcut
menu. The Finnigan Security Server Properties dialog box appears (Figure 22).
3. On the General page, set Startup type to Automatic.
4. Ensure that the Service status reads Started.
28
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
3 Establishing Secure File Operations
Verifying the Properties of the Finnigan Security Server
Figure 22. Finnigan Security Server Properties dialog box – General page
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
29
3
Establishing Secure File Operations
Verifying the Properties of the Finnigan Security Server
5. Click the Log On tab to display the Log On page. See Figure 23.
Figure 23. Finnigan Security Server Properties dialog box—Log On page
6. Under Log on as, select the Local System account option.
7. Select the Allow service to interact with desktop check box.
8. Click OK to close the dialog box.
9. Close the Services window, and then close the Administrative Tools window.
You have now confirmed that the Security Server is set up properly.
30
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
3 Establishing Secure File Operations
Verifying the Properties of the Finnigan Database Service
Verifying the Properties of the Finnigan Database Service
The Finnigan Database Service allows Xcalibur applications to access the auditing database
and make auditing entries.
You must verify that the properties of the Database Service are set correctly.
Y To verify properties of the Database Service
1. Open the Windows Services feature as follows:
a. From the Windows XP taskbar, choose Start > Control Panel.
b. Double-click Administrative Tools.
c. Double-click Services.
2. Verify properties for the Finnigan Database Service as follows:
a. Right-click Finnigan Database Service, and then choose Properties from the
shortcut menu to open the Finnigan Database Service Properties dialog box. See
Figure 24.
b. On the General page, ensure that Startup type is set to Automatic.
c. Ensure that the Service status reads Started.
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
31
3
Establishing Secure File Operations
Verifying the Properties of the Finnigan Database Service
Figure 24. Finnigan Database Service Properties dialog box – General page
d. Click the Log On tab to display the Log On page. See Figure 25.
e. Ensure that the Log on as: Local System account option is selected.
f.
Ensure that the Allow service to interact with desktop check box is cleared.
g. Click OK to close the dialog box.
3. Close the Services window and then close the Administrative Tools window.
32
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
3 Establishing Secure File Operations
Configuring Security Settings for Folders and Files
Figure 25. Finnigan Database Service Properties dialog box – Log On page
You have now confirmed that the services are set up properly.
Configuring Security Settings for Folders and Files
To ensure the security of your data, you must restrict access to the following folders and the
files contained within them:
• Root folder or folders—Contain the LCquan projects. See “Understanding LCquan
Folder Structure” on page 7. Non-administrators must not be allowed to delete files
within the root folder.
• Security folder—Contains the configuration files. Because the Authorization Manager
reads the controlled feature information from the configuration files, you must prohibit
non-administrators from accessing these files. The security folder is located in the
following folder:
\Xcalibur\system
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
33
3
Establishing Secure File Operations
Configuring Security Settings for Folders and Files
With the NTFS file system (an advanced file system used within the Windows XP operating
system), you can set the access permissions for folders and files for specific user groups. When
you set up permissions, you specify the level of access for user groups. For example, you can
do the following:
• Allow members of one user group to read the contents of a file
• Allow members of another user group to make changes to the file
• Prevent members of all other user groups from accessing the file
Folder permissions are inherited by new subfolders and files. Existing subfolders and files can
be made to inherit new permissions applied to the parent folder by using the Properties dialog
box for the folder. (See “Preparing a Root Folder” on page 35.)
After appropriate permissions are set, an unauthorized user cannot maliciously or accidentally
alter previously recorded information through such utilities as the Windows Explorer.
This section contains the following topics:
• Configuring Security Settings for the Root Folder
• Configuring Settings for the Security Folder
Configuring Security Settings for the Root Folder
You must create a root folder or folders for your data, and then configure the proper security
settings for each folder. To do this, you use the Security page of the Properties dialog box to
add users and groups, and then set the permissions for each.
In the procedures that follow, you add an administrative user (or administrative group) and
the group Everyone to the Security page Group Or User Names list. You then grant the
administrator full access to the folder and you grant limited access to everyone else.
Tip To further restrict access to folders and files, you can grant access to only specific user
groups. To do this, first set up appropriate user groups, as described in Chapter 4,
“Defining Secure User Groups and Permissions.” Then perform the procedures that
follow, using your specific user groups instead of the group Everyone.
Continue with the following topics:
• Preparing a Root Folder
• Adding Microsoft Windows Users and Groups
• Removing Unnecessary Users
• Setting Permissions
34
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
3 Establishing Secure File Operations
Configuring Security Settings for Folders and Files
Preparing a Root Folder
To prepare a root folder, you must first turn off Use Simple File Sharing in folders. You can
then create a root folder in which to store all your projects.
Y To turn off Use Simple File Sharing
1. Log on to the system as a user with administrative privileges.
2. From the Windows XP taskbar, choose
Start > All Programs > Accessories > Windows Explorer to open Windows Explorer.
3. Choose Tools > Folder Options to open the Folder Options dialog box, then click the
View tab.
4. In the Advanced Settings box, scroll to the bottom of the list.
5. Clear the Use Simple File Sharing check box. See Figure 26.
Figure 26. Folder Options dialog box
Clear this check box.
6. Click OK to save the change and close the Folder Options dialog box.
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
35
3
Establishing Secure File Operations
Configuring Security Settings for Folders and Files
Y To create or locate a folder to use as the root folder in which all projects will be
stored
1. Create or use any folder (except the Xcalibur folder).
For example, you can use the QuanRoot folder (located in the Xcalibur folder) as the root
folder for LCquan projects. This folder is created on your system when you load LCquan.
IMPORTANT Do not use the Xcalibur folder as your root folder. If you change the
permission settings for this folder, Xcalibur applications will not run correctly.
Instead, create a new folder, or use another existing folder as your root folder.
2. Right-click the folder, and then choose Properties from the shortcut menu. The
Properties dialog box for the folder appears.
3. Click the Security tab to display the Security page. See Figure 27.
Figure 27. Study Properties dialog box – Security page
36
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
3 Establishing Secure File Operations
Configuring Security Settings for Folders and Files
IMPORTANT When you create a new root folder, the permissions from the parent
folder automatically propagate to the new folder, indicated by:
• The check boxes in the Permissions list are shaded.
• In the Advanced Security Settings dialog box, the Inherit From Parent The
Permission Entries That Apply To Child Objects check box is selected.
IMPORTANT Normally, you do not want to allow your secure root folder to inherit
permissions from the parent folder. You prevent this inheritance by clearing the
Inherit From Parent The Permission Entries That Apply To Child Objects check box
in the next steps. You then correct the permissions in the topic “Setting Permissions”
on page 41.
4. Click Advanced to open the Advanced Security Settings for Study dialog box for the
folder. See Figure 28.
Figure 28. Advanced Security Settings for Study dialog box
Clear this
check box.
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
37
3
Establishing Secure File Operations
Configuring Security Settings for Folders and Files
5. Clear the Inherit from parent the permission entries that apply to child objects
check box. The Security dialog box appears. See Figure 29.
Figure 29. Security dialog box
6. Click Copy to copy the inherited permissions to the new folder. Click OK to close the
Advanced Security Settings dialog box.
You will correct the permission settings later.
Note After you clear the Inherit from parent the permission entries that apply to
child objects check box and copy the inherited permissions to the new folder, the
new root folder no longer inherits permissions from the parent folder. So, if someone
changes the permission settings of the parent folder, the permission settings of the
new root folder do not change. However, any subfolders created under the new root
folder still inherit the permissions from the root folder.
7. In the Properties dialog box, examine the Group or user names list, and note which
groups or users appear in the list. You want only the group Everyone and the name of the
administrator (or the name of the administrator group) to appear in this list.
• If either is missing from the list, go to the topic “Adding Microsoft Windows Users
and Groups” on page 39.
• If both appear in the list, and additional groups or users also appear in the list, go to
“Removing Unnecessary Users” on page 40.
• If both appear in the list, and no additional groups or users appear in the list, go to
“Setting Permissions” on page 41.
38
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
3 Establishing Secure File Operations
Configuring Security Settings for Folders and Files
Adding Microsoft Windows Users and Groups
In preparation for setting permission levels for the folder, you might need to add users and
groups to the Group or user names list on the Security page.
IMPORTANT Each Microsoft Windows user account must be associated with a user ID,
password, and a full description. These items are required for the system to store the
auditing information in the designated database.
Y To add users and groups
1. In the Properties dialog box – Security page, click Add. The Select Users, Computers,
or Groups dialog box appears. See Figure 30.
Figure 30. Select Users, Computers, or Groups dialog box
For example, users
and administrator
Network name
(if domain users on network)
or
workstation name
(if local users on standalone
workstation)
2. Ensure that the Select this object type box contains the object types that you require
(Users, Groups, and/or Built-in security principals).
To change the list of objects, click Object Types. In the Object Types dialog box, edit
the list of objects and click OK.
3. Ensure that the From this location box lists the root location that contains your users
and groups.
To change the location, click Locations. In the Locations dialog box, specify a new
location, and click OK.
4. In the Enter the object names to select box, type the names of the users or groups that
you want to add:
• If the group Everyone was missing from the Group or user names list on the
Security page, type Everyone.
• If the user name of the administrator (or the name of the administrator group) was
missing from the Group or user names list on the Security page, type the
appropriate user name or group name.
Tip You can enter multiple object names at the same time by separating the
names with a semicolon.
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
39
3
Establishing Secure File Operations
Configuring Security Settings for Folders and Files
5. Click Check Names to search for the specified users or groups. All similar or matching
object names that were found appear underlined in the Enter the object names to select
box. See Figure 31.
6. In the Enter the object names to select box, ensure that only the correct object name (or
names) appear, and then click OK.
Figure 31. Select Users or Groups dialog box, showing the group Everyone
7. In the Properties dialog box, click the Security tab. Ensure that only the following
entries appear in the Group or user names list (Figure 32):
• Administrators (administrator name)
• Everyone
If no additional groups or users appear, go to “Setting Permissions” on page 41.
If additional groups or users appear, you must remove them. Go to
Removing Unnecessary Users.
Removing Unnecessary Users
You must remove unnecessary users or groups from the Group or user names list on the
Security page.
Y To remove the names
In the Group or user names list, select the name of the unnecessary user or group, and then
click Remove.
Repeat this step to remove any other unnecessary users or groups.
40
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
3 Establishing Secure File Operations
Configuring Security Settings for Folders and Files
Setting Permissions
After the correct users and groups are in the Group or user names list on the Security page
of the Properties dialog box, you must set the permissions.
Y To set the permissions
1. In the Group or user names list, select the administrator (or the administrator group).
2. In the Permissions list, select the Allow check box for the Full Control option. All the
other check boxes in the Allow column are automatically selected. See Figure 32.
IMPORTANT Groups or users who are granted Full Control for a folder can delete
files and subfolders within that folder, regardless of the permissions protecting
the files and subfolders.
Figure 32. Security page, showing the administrator permissions
Ensure that only
these two entries
appear.
3. In the Group or user names list, select Everyone.
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
41
3
Establishing Secure File Operations
Configuring Security Settings for Folders and Files
4. In the Permissions list, select the Allow check box for each of the following:
• Read & Execute
• List Folder Contents
• Read
• Write
5. Clear the Allow check box for all other actions in the list.
Note Setting these permissions ensures that none of the files in the folder can be
deleted by using Windows Explorer.
6. Ensure that the inheritance setting is correct as follows:
a. Click Advanced. The Advanced Security Settings dialog box appears.
b. Ensure that the Inherit from parent the permission entries that apply
to child objects check box is cleared.
c. Click OK.
7. In the Properties dialog box, click OK.
You have configured the security settings for the root folder. You are now ready to configure
the security settings for the Security folder.
Configuring Settings for the Security Folder
The procedure for configuring the security folder is similar to that for configuring the root
folder. However, for the security folder you must grant full access rights only to the
administrator, and read-only access rights to everyone else.
See “Configuring Security Settings for the Root Folder” on page 34 for additional
information on any step.
Y To configure the security folder
1. Use Windows Explorer to locate the Security folder. The folder path is as follows:
\Xcalibur\system\security
2. Right-click the Security folder, and then choose Properties from the shortcut menu to
open the Properties dialog box.
3. Click the Security tab to display the Security page.
4. Click Advanced to open the Advanced Security Settings dialog box for the security
folder.
5. Clear the Inherit from parent the permission entries that apply to child objects
check box. When the Security dialog box appears, click Copy.
42
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
3 Establishing Secure File Operations
Configuring Security Settings for Folders and Files
6. Click OK to close the Advanced Security Settings dialog box.
7. Ensure that the Group or user names list contains only the name of the Administrator
(or the Administrator group) and the group Everyone.
• If the Administrator (or the Administrator group) does not appear in the list, add it.
• If the group Everyone does not appear in the list, add it.
• If any other users or groups appear in the list, remove them.
8. Set the permissions for the folder as follows:
a. In the Group or user names list, select Administrator.
b. In the Permissions list, select the Allow check box for the Full Control option.
(All the other Allow check boxes are selected automatically.)
c. In the Group or user names list, select Everyone.
d. In the Permissions list, select the Allow check box for the Read option, and clear the
Allow check box for all the other options.
e. In the Advanced Security Settings dialog box, ensure that the Inherit from parent
the permission entries that apply to child objects check box is cleared.
f.
Click OK to close the Advanced Security Settings dialog box.
9. Click OK to close the Properties dialog box and to save the permission assignments.
You have configured the security settings for the Security folder.
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
43
3
Establishing Secure File Operations
Configuring Security Settings for the Database Registry Key
Configuring Security Settings for the Database Registry Key
When the administrator runs the Database Configuration tool for the first time, the tool
creates a Windows XP registry key that stores information about the database. To ensure the
security of the auditing database, the security settings for this registry key must be set so that
only the workstation administrator can make changes to the key.
Y To configure the security settings for the database registry key
1. From the Windows XP taskbar, choose Start > Run to open the Run dialog box.
2. Type regedit, and then click OK. The Registry Editor dialog box appears. See
Figure 33.
Figure 33. Registry Editor dialog box, showing CFR_Database key selected
3. In the left pane of the Registry Editor dialog box, locate the folder
My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Finnigan
\Xcalibur\CFR_Database.
4. Right-click the CFR_Database folder, and then choose Permissions from the shortcut
menu to open the Permissions dialog box for this registry key.
5. Click Advanced to open the Advanced Security Settings dialog box. See Figure 34.
44
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
3 Establishing Secure File Operations
Configuring Security Settings for the Database Registry Key
Figure 34. Advanced Security Settings dialog box
6. Clear the Inherit from parent the permission entries that apply to child objects
check box. The Security dialog box appears. See Figure 35.
Figure 35. Security dialog box
7. Click Copy to copy the inherited permissions to the CFR_Database registry key.
Click OK to close the Advanced Security Settings dialog box.
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
45
3
Establishing Secure File Operations
Configuring Security Settings for the Database Registry Key
8. In the Properties dialog box, examine the Group or user names list, and note what
groups or users appear in the list. You want only the name of the administrator (or the
administrator group) and the group Everyone to appear in this list.
• If the administrator (or the administrator group) does not appear in the list, then
add it. (See “Adding Microsoft Windows Users and Groups” on page 39.)
• If the group Everyone does not appear in the list, then add it. (See “Adding Microsoft
Windows Users and Groups” on page 39.)
• If other users or groups appear in the list, then remove them. (See
“Removing Unnecessary Users” on page 40.)
9. Set the permissions for the registry key:
a. In the Group or user names list, select the administrator (or the administrator
group).
b. In the Permissions list, select the Allow check box for the Full Control option.
The Read check box in the Allow column is automatically selected. See Figure 36.
c. In the Group or user names list, select Everyone.
d. In the Permissions list, select the Allow check box for the Read option. Clear the
Allow check box for all other actions in the list.
10. Click OK.
11. Choose File > Exit to close the Registry Editor.
46
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
3
Establishing Secure File Operations
Specifying the Way Users Log On and Off
Figure 36. Permissions for CFR_Database dialog box
Specifying the Way Users Log On and Off
This section describes the following:
• Turning Off Fast User Switching for Local Workstations
• Sequential User Logon and Automatic Logoff
Turning Off Fast User Switching for Local Workstations
On computers that are not members of a network domain, the Windows XP Professional
operating system allows you to switch between users without actually logging off from the
computer. This feature, called Fast User Switching, can be turned off so that the current user
must log off before another user logs on.
To maintain secure file operations, turn off Fast User Switching on computers that are not
members of a network domain.
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
47
3
Establishing Secure File Operations
Specifying the Way Users Log On and Off
Y To turn off Fast User Switching
Note Fast User Switching is not available on computers that are members of a network
domain.
1. From the Windows XP taskbar, choose Start > Control Panel to open the
Control Panel.
2. Double-click User Accounts.
3. Under Pick A Task, click Change The Way Users Log On And Off to open the
Select Logon And Logoff Options page.
4. Clear the Use Fast User Switching check box.
IMPORTANT Thermo Fisher Scientific recommends that you also clear the Use
Welcome Screen check box.
5. Click Apply Options.
6. Close the User Accounts page.
7. Close the Control Panel.
When a user logs off, the computer automatically shuts down any programs that are running.
Sequential User Logon and Automatic Logoff
IMPORTANT For compliance with 21 CFR Part 11, Thermo Fisher Scientific
recommends the use of sequential user logon and automatic logoff. If Sequential User
Logon is NOT enabled, you must ensure that the Automatic Logoff feature also is NOT
enabled. Failing to turn off Automatic Logoff when Sequential User Logon is off could
result in incomplete data acquisitions.
The Sequential User Logon feature allows a user to log on to a workstation, start data
acquisition, and then log off while the system continues to acquire the data. A subsequent user
can log on to the workstation and then can queue acquisition sequences and process data
while the acquisition that the first user started continues.
You set up the sequential user logon feature through Xcalibur Instrument Configuration by
selecting Enable Multi-user Login when you configure each device. You can only select that
option if all the configured devices support sequential user logon.
48
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
3
Establishing Secure File Operations
Removing and Archiving Files
Y To enable or disable Automatic Logoff
1. Choose Start > All Programs > Xcalibur > AutoLogoff. The AutoLogoff dialog box
appears (Figure 37).
Note By default, Automatic Logoff is disabled (the Enable check box is cleared.
Figure 37. Automatic Logoff Setup dialog box
2. Do one of the following:
• To turn on the feature, select the Enable check box. Type a value (1–1000) in the
Auto logoff time (minutes) box to specify how long the system waits before logging
off the current user.
• To turn off the feature, clear the Enable check box.
3. Click OK.
Note If the Windows XP screen saver is set to display on the computer at an earlier time
than the Auto Logoff time, the automatic logoff still occurs at the specified time, even
though the user cannot see evidence of the logoff because the screen saver is active.
Removing and Archiving Files
To fully comply with 21 CFR Part 11, you must have proper procedures in place for
long-term archiving and retrieving of electronic records—including raw data, processed data,
and metadata. Additionally, you must have a procedure for ensuring that retrieved records can
be read. Generally, this requires you to convert records to a new format, or to keep and
maintain the tools for reading the records in their current format.
To archive files, use third-party software designed for this purpose. In addition, you must
develop and implement standard operating procedures for archiving files, and security
procedures to protect the archived data.
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
49
4
Defining Secure User Groups and Permissions
As the laboratory administrator, you control access to LCquan and certain LCquan features
by defining secure user groups and then granting these groups appropriate permission levels.
Every member of a secure user group has the same permissions. Only those users in a
designated secure user group can perform authorized actions. All others are prohibited access.
This chapter describes how to use the Xcalibur Authorization Manager to configure the secure
groups and set permissions for the controlled features in LCquan.
Contents
• Using the Authorization Manager
• Setting Up Secure User Groups
• Setting Permissions
• Defining the List of Secure Folders
• Requiring User Comments
• Setting Up Secure Reports
• Viewing the Authorization Manager History Log
• Printing the Security Settings
• Saving the Security Settings
Using the Authorization Manager
With Authorization Manager, plus the security features of the Windows XP operating system,
you define user groups and set permission levels for these groups. The Authorization Manager
ensures that only individuals who have some level of responsibility for the records can access
them.
You use the Authorization Manager for the following:
• “Setting Up Secure User Groups” on page 53
• “Setting Permissions” on page 55 (for the controlled features in LCquan)
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
51
4
Defining Secure User Groups and Permissions
Using the Authorization Manager
• “Defining the List of Secure Folders” on page 59
• “Setting Up Secure Reports” on page 61
Y To start the Authorization Manager
From the Windows XP taskbar, choose Start > All Programs > Xcalibur >
Authorization Manager. The Authorization Manager window appears. See Figure 38.
Figure 38. Authorization Manager window
52
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
4
Defining Secure User Groups and Permissions
Setting Up Secure User Groups
Setting Up Secure User Groups
To set up the secure user groups in Authorization Manager, you can use either pre-existing
Microsoft Windows user groups, or you can create your own private groups in Authorization
Manager.
There is no limit to the number of user groups you can define. For simplicity, if all users are
to have the same privileges, you can define a single user group.
IMPORTANT You must define secure user groups; otherwise, the LCquan system is
not secure. If no secure groups are defined, all features of the software are accessible by all
users.
A single user can belong to more than one user group. If the groups have different permission
levels, then the most lenient permission level applies to the user.
Defining User Groups
Y To define user groups
1. In the Authorization Manager window (Figure 38), select the appropriate
Available Groups option to specify the type of user group:
• To use pre-existing Windows XP logon groups, select the Domain/Workstation
option. Contact your domain administrator to create or change logon groups.
Continue with step 2.
• To use (or create) a local user group, select the Private option. The administrator of
the system can create private groups.
Skip to step 3.
2. To define secure domain/workstation logon groups, select a group in the
Available Groups list, and then click the right arrow
button. The group appears in
the Secure Groups list.
Repeat this step to define more secure groups. If you are finished creating groups, go to
“Editing User Groups” on page 54.
3. To define secure private groups, do the following:
Note Private groups are necessary only if the required groups are not available as
Windows XP logon groups.
a. In the Secure Groups area, click Create. The Create Private Group dialog box
appears. See Figure 39.
b. In the Group Name box, type a name for the group.
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
53
4
Defining Secure User Groups and Permissions
Setting Up Secure User Groups
c. In the System Group list, select a domain. The domain user accounts are displayed
in the Users in system group list.
d. In the Users in system group list, select a user account, and then click Add. The user
account appears in the Users in private group list.
e. To add users in other domains to the private group, repeat steps c and d. Click OK.
The new private group appears in the Secure Groups list.
f.
To create additional private groups, repeat steps a through e.
Figure 39. Create Private Group dialog box
Editing User Groups
After you define a secure user group, you can view and (for private groups only) edit the
members of the group.
Y To view and edit the members of a group
In the Secure Groups list (Figure 38), right-click the user group and then choose Members
from the shortcut menu.
• If the group is a private group, the Edit User List Of Private Group dialog box appears.
To add or remove names from the user group, use the Add or Delete button.
• If the group is a domain/workstation logon group, the Users In Group dialog box
appears. Because membership in these groups is controlled by the domain administrator,
the lists in the Users In Group dialog box are read-only. See your domain administrator
to make changes to domain/workstation logon groups.
54
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
4
Defining Secure User Groups and Permissions
Setting Permissions
Setting Permissions
For each secure user group, you can set the permission levels for certain features in the
software. You set permissions in the Permission Level group box of the Authorization
Manager window.
Table 2 lists the available permission levels. All new secure user groups, whether
domain/workstation groups or private groups, have all features set to Disallow.
Table 2. Permission levels and descriptions
Permission Level
Description
Disallowed
Not permitted. You can specify whether the user interface control
for the disallowed operation is hidden or grayed out.
Signature List
The names and passwords of everyone on the required signature
list must be entered to perform the authorized action.
In the Signature List Groups area, you specify the groups whose
signatures are required. A representative from each group on the
required signature list must enter the user ID and password before
the action is authorized.
A user who belongs to more than one group on the required
signature list can sign on behalf of each group by entering his or
her user ID and password for each group.
Supervisor Password
The supervisor name and password must be entered to perform
the action. Anyone who has permission to perform the Allowed or
Password Required actions can sign as a supervisor.
Password Required
The user must enter a password before continuing to perform the
authorized action.
Allowed
No restrictions.
You can set permission levels by:
• Changing the Permission Level of a Feature
• Setting All Permissions
• Inheriting Permissions
• Exporting and Importing Permissions
Note See Appendix A, “Permission Level Settings in LCquan.” for a list of the permission
level settings required for your particular application to ensure compliance with
21 CFR Part 11.
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
55
4
Defining Secure User Groups and Permissions
Setting Permissions
Changing the Permission Level of a Feature
This section provides a general procedure for changing the permission level for most features.
To change the permissions for the LCquan Secure XReport Templates feature, see “Setting
Up Secure Reports” on page 61.
Y To change the permission level of a feature
1. In the Authorization Manager window, select a user group from the Secure Groups
list.
2. In the controlled features list on the lower left of the Authorization Manager window,
select the name of your software application.
3. Click Expand Tree to show the entire list of controlled features for the application.
4. From the list, select a feature, and then select one of the following Permission Level
options:
• Disallowed
• Signature List
• Supervisor Password
• Password Required
• Allowed
Note You can set permissions only for individual features, not subgroups. When you
select a feature, the Permission Level options for that feature are available.
Tip You can right-click a feature, and then select the permission level from the
shortcut menu.
5. If you selected Permission Level: Disallowed, select one of the following to specify how
the user interface control for the disallowed state will appear:
• To hide the unavailable control completely, select the Disallowed State: Hidden
option.
• To make the unavailable control appear grayed, select the Disallowed State: Grayed
option.
56
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
4
Defining Secure User Groups and Permissions
Setting Permissions
6. If you selected Permission Level: Signature List, use the
Signature List Groups—Available Groups area to define the signature list groups as
follows:
Note When a user uses a feature with a permission level of Signature List, a series of
password dialog boxes appear, one for each signature (name and password of a
member of the designated group).
The order of the groups in the Signature List Groups: Available Groups list defines
the order in which the password dialog boxes appear.
a. In the Available Groups list, select a user group, and then click the right arrow
button. The group appears in the Signatures Req’d list.
b. Repeat step a to add other groups to the signatures required list.
c. To require that the current user of the software be placed on the signature list, select
the Current User Must Sign check box.
d. To rearrange the order of the groups in the signatures required list, select a group,
and then click the Move Group buttons: Up or Down.
7. If you want the users to enter a comment when they perform an action, select the
Comment check box in the Other Requirements area. (This option is available for all
permission settings except Disallowed.)
When a comment is entered, it appears in the audit log for the software.
8. Set the permission levels for any or all remaining features as follows:
• To set the permission level of an individual feature, repeat steps 4 to 7.
• To set the permission levels of the other features in the currently selected application
to the same permission level you just set, select the This Application option, and
then click Set To Same.
• If you want to set the permission levels of all the features in all the applications to the
same permission level you just set, select the All Applications option, and then click
Set To Same.
The Permission Level setting, the Disallow State setting (if applicable), and the
Comment setting are copied to all the other features.
9. To set the permission levels for other user groups in the Secure Groups list, repeat
steps 1 through 8.
Note Permission level settings are retained if you move a user group out of the Secure
Groups list and into the Available Groups list. If you move the group back into the
Secure Groups list, the permission settings remain intact; however, if you delete a user
group from the Secure Groups list, then all permission settings are lost.
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
57
4
Defining Secure User Groups and Permissions
Setting Permissions
Setting All Permissions
You can set every feature to the same permission level in one of two ways.
Y To set features to the same permission level
• After you set the permission level for one feature, click the All Applications button,
and then click Set To Same.
• Alternatively, right-click the user group name in the Secure Groups list, and then choose
Globally Set To > [Permission Level] from the shortcut menu.
Inheriting Permissions
You can copy a complete set of permission levels from one secure user group to another secure
user group.
Y To copy permission levels from one secure user group to another secure user group
1. In the Secure Groups list, select the user group to receive the set of permission levels.
2. Right-click the selected group, and then choose Inherit From from the shortcut menu.
The Choose Secure Group dialog box appears and displays a list of the secure groups
(minus the currently selected group).
3. Select the group from which to copy the permission levels, and then click OK.
Both user groups now have the same set of permission levels.
Exporting and Importing Permissions
You can import the permission list that contains the user groups and permissions from
another computer. Doing this saves time if you have more than one computer in your lab and
you want to allow users access to all computers. Instead of setting up identical user groups on
each computer, you can copy the permission list from a computer that has the user groups
and access permissions that you require.
Note To maintain the security of the permission list, you must export it to a secure
location. The Security folder (with proper security settings) on the current computer is an
ideal location.
58
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
4
Defining Secure User Groups and Permissions
Defining the List of Secure Folders
Y To export and import the permission list
1. On the system where the correct users and permission levels are set, start the
Authorization Manager.
2. In the Authorization Manager window, click Export. The Save As dialog box appears.
3. Save the permission list in the security folder as a file with the file extension .eperm.
(The path for the security folder is \Xcalibur\system\security. The default file name is
permissions.eperm.)
4. Copy the file into the Security folder on the new system.
5. On the new system, start the Authorization Manager, and then click Import in the
Authorization Manager window. The Open dialog box appears.
6. Locate the permission list file (.eperm file) and click Open. The user groups and
permission levels appear in the Authorization Manager.
7. Confirm that the user groups and permissions are correct, and click OK to save the
settings and close the Authorization Manager.
Defining the List of Secure Folders
To comply with the requirements of 21 CFR Part 11, all electronic records must be in
protected folders. Therefore, you must ensure the LCquan root folder is protected, and you
must not permit users to change the root folder to a folder that is not protected.
IMPORTANT If you have not configured the security settings to protect your root folders,
do so before setting the root folder feature permissions. See Chapter 3, “Establishing
Secure File Operations.”
The Authorization Manager list of controlled features includes the following two features for
each application:
• Allow Arbitrary Selection of Root Folder—Allows users to change the root folder to
any folder that they choose. You must ensure that the feature
Allow Arbitrary Selection of Root Folder is set to Disallowed.
• Allow Change of Root Folder—Allows users to change the root folder to another secure
folder. You can set the feature Allow Change of Root Folder to any permission level. If
you set the permission level to anything other than Disallowed, you must define a list of
secure folders from which the user can select a new root folder.
Tip To display these two features in the Authorization Manager window (Figure 38),
double-click LCquan in the controlled features list, and then double-click Root Folder.
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
59
4
Defining Secure User Groups and Permissions
Requiring User Comments
Y To define the list of secure folders
1. In the Secure Folders group box, click Add. The Browse For Folder dialog box appears.
2. Select the secure folder that you want to add to the secure folders list, and then click OK
to close the dialog box. The folder appears in the list in the Secure Folders group box.
3. Repeat steps 1 and 2 for every folder that you want to add to the secure folders list.
After the permission levels and the secure folder list have been set up properly, a user cannot
change the root folder to a folder that is not secure. The user must select the new folder from
the secure folder list from within the application. In addition, the secure folder list
information is saved as part of the configuration file, in a protected folder. See “Saving the
Security Settings” on page 64 for more information.
Requiring User Comments
See “Changing the Permission Level of a Feature“, step 8 on page 57 for details on how to
require users to enter comments when they perform a controlled action. When a comment is
entered, it appears in the audit log for the software application. (This option is available for
all permission settings except Disallowed.)
Y To restrict users comments to a predetermined list of comments
1. Select the Predefined Comments check box in the Global Security Feature menu, and
then click Edit. The Edit Comment List dialog box appears.
2. Click Add New Comment. The New Comment dialog box appears.
3. Enter the comment in the New Comment dialog box.
4. Click OK. The new comment appears in the Comment list.
5. Repeat steps 2 through 4 for each new comment that you want to enter.
The Comment list displays the predefined comments in the order in which you entered
them. You can rearrange the order of the comments by clicking Move Up or
Move Down. And you can delete a comment by clicking Remove Comment.
6. When you are finished, click OK.
60
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
4
Defining Secure User Groups and Permissions
Setting Up Secure Reports
Setting Up Secure Reports
You can limit a user group’s authorization for creating LCquan quantitation reports to the
secure XReport templates that you specify. After you configure the secure XReport templates
feature, the user groups with this permission level can use only the templates from the
specified secure template folder. Only saving is allowed and the file format is limited to PDF
files. In the LCquan Review Reports view, the options to print reports and create new
XReport templates are not available.
About the Secure Reports
Users create secure reports when they use the secure XReport templates in the secure
templates folder. The secure reports have the following characteristics:
• The only option available for creating a secure report is to save the report as a PDF file.
The PDF file document properties allow only printing.
The software changes any other pre-existing report formats in the given workbook to
PDF and tracks the change in the audit trail.
• A watermark design appears on the background of each page of a secure report.
• A unique serial number appends to the footer of each page:
workbookName_timestamp_n
where n is a counter for the number of reports printed from a workbook.
The serial number increments for every report generated from a given LCquan
workbook. If user groups with different security privileges create reports from the
same workbook, both the secure and non-secure reports are included in the total count
of reports when assigning the serial number.
Setting Up a Secure Template Folder
Secure XReport templates are the templates that are available in the designated secure
template folder. You can specify only one secure template folder. Templates that are not in
the secure template folder are not available to the user, even if the templates were available
previously in the given workbook.
Use the following guidelines when setting up a secure template folder:
• To prevent users from adding any unapproved templates to the folder, assign read-only
access to the folder.
• In the case of a locked workbook, make sure to designate the folder that already contains
the templates for the locked workbook.
• Make sure the secure template folder contains only the approved XReport template files
(.xrt).
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
61
4
Defining Secure User Groups and Permissions
Setting Up Secure Reports
Configuring Secure Reports
Y To configure secure reports
1. In the Authorization Manager window (Figure 40), select a user group from the
Secure Groups area.
2. In the list of controlled features (bottom left side), select LCquan, and then click
Expand Tree.
3. In the Quantitate Section, select Secure XReport Template.
4. In the Permission Level area, select Allowed.
5. In the Secure Template Folder area, click Browse.
6. In the Browse for Folder dialog box, select the folder that contains the secure templates,
and then click OK.
Figure 40. Configuring secure reports in the Authorization Manager
Select a user group.
Select Secure XReport Template,
and then choose Allowed.
62
LCquan Administrator Guide for 21 CFR Part 11
Click Browse, and then select the
secure XReport templates folder.
Thermo Scientific
4
Defining Secure User Groups and Permissions
Viewing the Authorization Manager History Log
7. To also prevent users from opening XReport outside of LCquan, proceed as follows:
a. In the list of controlled features in the Authorization Manager window, select
XReport, and then click Expand Tree.
b. Select Run Application > Operator User Allowed.
c. In the Permission Level area, select Disallowed or a permission level other than
Allowed, depending on the access that you want to authorize.
Viewing the Authorization Manager History Log
The Authorization Manager automatically maintains a history log to record all changes made
to the security settings. The following events are logged:
• The creation of a private group
• The addition or deletion of members from a group
• A change in group permissions
• A switch between private and domain / workstation groups
• The manipulation of the signature list
Y To display the history log
In the Authorization Manager, click History Log. The Audit Viewer window appears.
Each entry in the history log contains the time and date, the user ID and full name, and a
description of the event. You can sort and filter the entries in the history log by field (for
example, you can sort and filter by date and time). You can also print the log.
Printing the Security Settings
You can print a report of the security settings for each secure user group. The report contains
a listing of the members of the group, the controlled feature information for each application,
and the names of any secure folders for each application.
Y To print the security settings
1. In the Authorization Manager window, click Print. The Print dialog box appears.
2. Select the print options, and then click OK.
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
63
4
Defining Secure User Groups and Permissions
Saving the Security Settings
Saving the Security Settings
After you have defined your user groups, set the appropriate permission levels, and
specified the type of application auditing, click OK to save your settings and exit the
Authorization Manager.
The controlled feature information is saved in a configuration file in the following folder:
\Xcalibur\system\security
You must properly set the security for this folder to prohibit access by non-administrators. If
you have not already done this, see Chapter 3, “Establishing Secure File Operations.”
64
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
5
Auditing
This chapter describes how to use the Audit Viewer utility for auditing functions. You can
display all auditable events and changes made to files created or managed by LCquan, view a
history of what has been done during data acquisition and data processing to produce results,
and get information about all events that have occurred within LCquan.
Contents
• Accessing the Auditing Databases
• Viewing the Audit Viewer Pages
• Filtering the Audit Viewer Entries
• Sorting the Audit Viewer Entries
• Printing the Audit Viewer Entries
Accessing the Auditing Databases
LCquan writes to the Global Auditing database and maintains the LCquan workbook
databases to ensure compliance with 21 CFR Part 11. The Global Auditing database stores
LCquan start and stop events. All other LCquan events are stored in the LCquan workbook
databases.
IMPORTANT You must configure the database in the Auditing Database Configuration
Manager before you can access the Global Auditing database. See “Using the Database
Configuration Manager” on page 15.
IMPORTANT Each Microsoft Windows user account must be associated with a user ID,
password, and a full description. These items are required for the system to store the
auditing information in the designated database.
You can access either of the following types of databases using Audit Viewer:
• Global Auditing database, which keeps a log of auditable events for all the
Xcalibur-related data files and applications it recognizes. The Xcalibur-related data files
include the raw files that you acquire in LCquan.
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
65
5
Auditing
Accessing the Auditing Databases
• LCquan workbook database, which keeps a log of auditable events associated with the
current workbook, including the entries that have not been saved to the database. Each
workbook database also includes a log about the raw files that are acquired as part of
the workbook.
Accessing the Global Auditing Database
You can access the Global Auditing database when you start Audit Viewer from the
Windows desktop.
Y To start Audit Viewer from your Windows taskbar
Choose Start > All Programs > Xcalibur > Audit Viewer. The Audit Viewer window
appears.
Figure 41. Audit Viewer window displaying entries for the Global Auditing database
66
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
5 Auditing
Accessing the Auditing Databases
Accessing an LCquan Workbook Database
Each LCquan workbook has its own database. When you start Audit Viewer from an LCquan
workbook, Audit Viewer displays the saved and unsaved entries for the current workbook.
The unsaved entries are highlighted in yellow in the Audit Viewer window.
Note The Audit Viewer entries can also include unsaved changes from another workbook
if the changes are still in memory.
Y To access the auditing database for a workbook
1. Open the LCquan workbook.
2. In the LCquan Workbook window, choose File > Audit Trail. The Audit Viewer
window appears and displays the entries for the open workbook (Figure 42). Yellow
highlights indicate any unsaved entries.
To access the auditing database for a different workbook, repeat steps 1 and 2. A second
instance of Audit View starts and displays the entries for that workbook.
Figure 42. The Audit Viewer window for an LCquan workbook
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
67
5
Auditing
Viewing the Audit Viewer Pages
Viewing the Audit Viewer Pages
The Audit Viewer window contains the following pages, each of which has a different
function:
• All page (Figure 42) provides a summary of all entries for the current database.
To display the Audit Viewer page associated with an entry on the All page, double-click
the entry on the All page.
• History page provides a chronological listing of all the changes made to method files and
result lists.
• Event page lists all user-initiated auditable software events. All events that are subject to
authorization control are auditable.
• File Tracking page provides the following type of information:
−
Global Auditing database: Lists the changes that are made by any program to the
Xcalibur-created files.
−
LCquan workbook database: Lists the changes made within LCquan to any
LCquan-owned files in the workbook, including the workbook file (.lqn), processing
method (.pmd), instrument method (.meth), sequence (.sld), and any imported
sample data files (.raw). The File Tracking page does not include the data files (.raw)
acquired from within the LCquan workbook, which are tracked in the Global
Auditing database.
If any of the workbook files are modified outside of LCquan, LCquan displays a
file-tracking error message.
Note Entries are not saved to the database until you save the workbook. Unsaved entries
are highlighted in yellow in the Audit Viewer.
68
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
5 Auditing
Filtering the Audit Viewer Entries
Filtering the Audit Viewer Entries
By applying a filter, you can display a subset of the entries in the Audit Viewer window. You
can set up two types of filters: filters that are based on dates and filters that are not based on
dates (non-date filters). You can use a combination of the two types of filters.
Y To set up a non-date filter
1. In the Audit Viewer window, click Filter. The Filter Entries dialog box appears.
Figure 43. Filter Entries dialog box
2. In the Add Non-Date Filter group box, select AND or OR from the first list.
3. In the list to the right, select a column on which to filter.
4. In the equals box, enter the text string that you want the filter to match, and then click
Add. The filter statement appears in the box.
5. To add additional filters, repeat steps 2 to 4.
6. When you have defined all your filters, click OK. The Audit Viewer window displays the
results.
Note The non-date filter accepts partial matches. For example, if you have a user
name of john.doe, then a filter string of john or doe would match entries for that
user name.
Y To set up a date filter
1. Under Add Date Filter, enter the beginning date and time in the From box.
2. Enter the ending date and time in the To box.
3. Click Add, and then click OK to apply the filter. The Audit Viewer window displays the
results.
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
69
5
Auditing
Sorting the Audit Viewer Entries
Y To remove a filter
1. In the Filter Entries dialog box, select the filter statement.
2. Click Remove Filter.
3. Click OK. The Audit Viewer window displays the results.
Sorting the Audit Viewer Entries
You can sort the entries by the column headings in each of the Audit Viewer pages.
Y To sort the entries on an Audit Viewer page
1. In the Audit Viewer window, click the tab of the page you want to view.
2. Click Sort. The Sort Entries dialog box appears.
Figure 44. Sort Entries dialog box using all three sort fields
3. In the 1st Sort Field list, select the column heading, and then select Ascending or
Descending.
Repeat this step for the 2nd Sort Field and 3rd Sort Field.
4. Click OK. The Audit Viewer page displays the entries in the specified sorting order.
70
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
5 Auditing
Printing the Audit Viewer Entries
Printing the Audit Viewer Entries
The printing options vary depending on whether you are printing the audit trail for the
Global Auditing Database or a workbook database.
Printing the Audit Trail for the Global Auditing Database
Y To print the audit trail for the Global Auditing database
1. From the Windows desktop, choose Start > All Programs > Xcalibur > Audit Viewer.
2. In the Audit Viewer window, click the tab of the page you want to print.
3. Click Print.
4. In the Print Options dialog box, select the printing options, and then click OK.
Printing the Audit Trail for an LCquan Workbook Database
You can print the entries only when all displayed records in the Audit Viewer page are saved.
Y To print the audit trail for an LCquan workbook database
1. In the LCquan Workbook window, choose File > Audit Trail.
If the workbook does not contain any unsaved entries, go to step 3.
If the workbook contains unsaved entries, a View Audit Trail message appears and asks if
you want to save the workbook before continuing.
2. In the View Audit Trail dialog box, click Yes to save the workbook entries. The software
logs the automatic save in the audit trail, and then starts Audit Viewer.
Alternatively, click No to start Audit Viewer without saving the workbook.
Note If you select the Don't tell me about this again check box, the software
automatically applies the last requested behavior (Save or Not Save) each time you
start Audit Viewer when the LCquan workbook contains unsaved entries. To restore
the message, choose Options > Enable Warnings.
3. In the Audit Viewer window, click the tab of the page that you want to print.
4. Make sure the displayed page contains only saved entries. Yellow highlights appear on the
rows of any unsaved entries.
If you have a mix of saved and unsaved entries, you can do one of the following:
• In the LCquan Workbook window, choose File > Save to save the LCquan
workbook. In the Audit Viewer window, click Refresh.
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
71
5
Auditing
Printing the Audit Viewer Entries
• In the Audit Viewer window, click Filter, and then add filter rules so that only the
saved records appear on the page you want to print. See “Filtering the Audit Viewer
Entries” on page 69 for details.
5. Click Print.
6. In the Print Options dialog box, select the printing options, and then click OK.
72
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
A
Permission Level Settings in LCquan
This appendix discusses the different LCquan permission levels and how they interact,
including which features must be set to Disallow to comply with 21 CFR Part 11.
Contents
• Permission Level Settings that You Must Set to Disallow
• Permission Level Settings and Interactions
Permission Level Settings that You Must Set to Disallow
To ensure compliance with 21 CFR Part 11, you must set the permission level to Disallow for
the following features of LCquan:
• Allow Arbitrary Selection of Root Folder
You can find this feature in the Authorization Manager console tree. (See Figure 45.)
Look for the Root folder under the LCquan folder.
• Allow Opening of Workbooks with File Tracking Errors
You can find this feature in the Authorization Manager console tree. (See Figure 45.)
Look for the File Tracking folder under the LCquan folder.
Set the permission levels for the other features to best suit your needs. See “Permission Level
Settings and Interactions” on page 75 for a list of the controlled LCquan features.
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
73
A
Permission Level Settings in LCquan
Permission Level Settings that You Must Set to Disallow
Figure 45. Authorization Manager window displaying the LCquan feature options
74
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
A
Permission Level Settings in LCquan
Permission Level Settings and Interactions
Permission Level Settings and Interactions
Note that certain permission level settings override other settings. In addition, some features
are unavailable, regardless of their permission level settings, if a workbook is locked or has
been opened in review mode.
Table 3 lists the LCquan features that you can configure in the Authorization Manager.
Table 3. LCquan features and information about permission level settings (Sheet 1 of 4)
LCquan Feature
Description
Run Application
Operator Use Allowed
If you set this feature to Disallow, then the user cannot open the software
application. Therefore, the permission level settings for the other features are
irrelevant.
If a user whose permission is set to Disallow tries to access LCquan, an entry is
made in the Global Auditing Database history log.
Root Folder
Allow Change of Root Folder
If you permit this feature (set it to Signature List, Supervisor Password,
Password Required, or Allow), then you must define a list of secure folders from
which the user can select a new root folder.
Allow Arbitrary Selection of
Root Folder
You must set this permission to Disallow to ensure compliance with
21 CFR Part 11.
File Tracking
Allow Opening of Workbooks
with Filetracking Errors
You must set this permission to Disallow to ensure compliance with
21 CFR Part 11.
Allow Opening of Workbooks
Already Marked as Opened
If this permission is set to Allow, the user can open workbooks that are flagged by
LCquan as opened.
When a user opens an LCquan workbook, LCquan flags the workbook as opened
in order to prevent the workbook from being opened by multiple instances of
LCquan. If the LCquan application is forced to close abnormally, the flag might
not be removed, even though the workbook is no longer open. To open the
workbook, set this permission to Allow. The next time the workbook is closed, the
open flag is removed.
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
75
A
Permission Level Settings in LCquan
Permission Level Settings and Interactions
Table 3. LCquan features and information about permission level settings (Sheet 2 of 4)
LCquan Feature
Description
File
Save
If you set this permission to Disallow, the user can lock the workbook only if it has
not been changed. If it has been changed, the user cannot lock the workbook.
Save As
If you set this permission to Disallow, the user cannot use the Save As command.
Create New Workbook
(No special information or interactions.)
Create Locked Version of
Workbook
If you set this permission to Disallow, the option to lock a workbook is not
available.
Section Configuration
Show Instrument Setup Section If you set this permission to Disallow, the user cannot display the Instrument Setup
Section and cannot make changes to the Instrument Methods.
Show Acquisition Section
If you set this permission to Disallow, the user cannot create or modify an
acquisition sequence. The user also cannot acquire data.
Show Explore Section
If you set this permission to Disallow, the user cannot explore new quantitation
methods.
Show Quantitate Section
If you set this permission to Disallow, the user cannot:
• Create or change a processing method
• Create or modify processing sequences
• Survey and review all the results
• Create reports from this section and process the data to produce quantitative
results
Grid Column Settings
Allow Changes to Column
setup info
If you set this permission to Disallow, the user cannot change the number and
arrangements of columns in the Results grid.
Acquisition Section
76
Start Acquisition Dialog
If you set this permission to Disallow, the user cannot open the Run Sequence
dialog box from the Acquisition view.
Allow Changes to Selected
Sample Info in Acquisition
Sequence
If you set this permission to Disallow, the user cannot make changes to the sample
information, such as sample name, vial position, and so on, in the acquisition
sequence.
Allow Changes to Column
Labels in Acquisition Sequence
If you set this permission to Disallow, the user cannot make changes to the column
labels in the acquisition sequence.
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
A
Permission Level Settings in LCquan
Permission Level Settings and Interactions
Table 3. LCquan features and information about permission level settings (Sheet 3 of 4)
LCquan Feature
Description
Acquisition Run Dialog
OK Button
If you set this permission to Disallow, the user can view the Run Sequence dialog
box, but cannot start a data acquisition, because the OK button is unavailable in the
Run Sequence dialog box.
Explore Section
Allow Import of Peak Lists
If you set this permission to Disallow, the user cannot import a Peak Name List.
Allow Export of Peak Lists
If you set this permission to Disallow, the user cannot export a Peak Name List.
Quantitate Section
Allow Changes to Selected
Sample Info in Processing
Sequence
If you set this permission to Disallow, the user cannot make changes to the sample
information, such as sample name, vial position, and so on, in the processing
sequence.
Allow Changes to Column
Labels in Processing Sequence
If you set this permission to Disallow, the user cannot change the column labels in
the processing sequence.
Allow Changes to Column
Labels in Results
If you set this permission to Disallow, the user cannot change the column labels in
the Survey or Review All pages of the LCquan Quantitate section.
Prompt User for Comments
after Manual Integration
If you set this permission to Allow the user must enter a comment before
proceeding with a manual integration. Whenever the user performs a manual
integration, the Chromatogram Comment dialog box appears, and prompts the
user for a comment before proceeding.
Allow Results Export
If you set this permission to Disallow, the user cannot export results.
Allow Manual Integration
If you set this permission to Disallow, the user cannot manually adjust the peak
integration.
Allow User Integration
If you set this permission to Disallow, the user cannot adjust the peak integration
settings for an individual peak.
Allow Calibration Settings to
Be Changed
If you set this permission to Disallow, the user cannot change the Calibration
settings of a particular component.
Create Reports
If you set this permission to Allow, the user can create two types of reports:
• Microsoft Excel® Workbook with data and results
• XReport report
Remove Signature Line From
Excel Report
Thermo Scientific
(Required for the Watson file interface) An Allow setting removes the signature line
from the exported quantitation reports so that the Watson system can import the
exported Excel spreadsheet via the file interface. See “Recommended Settings for
Excel” on page 105.
LCquan Administrator Guide for 21 CFR Part 11
77
A
Permission Level Settings in LCquan
Permission Level Settings and Interactions
Table 3. LCquan features and information about permission level settings (Sheet 4 of 4)
LCquan Feature
Description
Secure XReport Template
An Allow setting prevents the user from creating quantitation reports with XReport
other than reports that use the secure XReport templates. After you specify a secure
template folder, users can save secure reports only as PDF files using the templates
from the specified folder. For details, see “Setting Up Secure Reports” on page 61.
Allow Watson File Interface
Excel Format Reports
(Recommended for the Watson file interface) An Allow setting fixes the format of
the Acq Date column entries in the exported quantitation reports so that the
Watson file system can import the acquisition date and time correctly. See
“Recommended Settings for Excel” on page 105.
Allow Excel Rounding
An Allow setting restricts the number of decimal places in the exported Excel
reports. The values for Area, Height, Response, ISTD Area, ISTD Height, and
ISTD Response are restricted to zero decimals. All other values are limited to three
decimals.
The Allow setting changes the behavior in the LCquan Column Arrangement
dialog box for Excel reports, preventing the user from changing the precision. Any
previous value settings are overridden with a restricted number of decimals and the
values are not editable. The Allow setting does not affect the behavior of the
LCquan grid views, the exported results, or the reports generated using XReport.
Important Before the Excel rounding feature takes effect for the Watson digital
interface, you must start and exit LCquan once. See “Recommended Settings for
Excel” on page 105.
78
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
B
Installing an Oracle Database
This appendix describes the procedure Thermo Fisher Scientific, Inc uses to install the
Oracle Server and Client software. Consult your Oracle database administrator for advice
and instructions on how to install this software for your application.
The installation information in this chapter supplements the documentation provided by
Oracle and does not replace it. Refer to your Oracle documentation for installation and
configuration details.
Note The procedures contained in this chapter describe the installation of the Oracle9i
Database. The installation procedures for other versions or releases of the database can
differ from those described here.
Contents
• Installing the Oracle Server
• Installing the Oracle Client
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
79
B
Installing an Oracle Database
Installing the Oracle Server
Installing the Oracle Server
Y To install the Oracle Server
1. Insert the Oracle Database compact disc. The Autorun installation program starts
automatically. See Figure 46. If the installation program does not start automatically,
locate and double-click the setup.exe file.
Figure 46. Oracle9i Server – Autorun installation program
2. In the installation program, click Install/Deinstall Products. The Oracle Universal
Installer: Welcome page appears. See Figure 47.
Note Do not install Oracle software into an existing Oracle home that contains
another installation of Oracle software. Remove any previous versions before
installing a new version. If you have data in the other database, back up your data
and then migrate it to the new database during or after the installation, by using the
Oracle Data Migration Assistant. Refer to the Oracle documentation for more
information.
3. If you must remove a previous version of Oracle software before proceeding with this
installation, click Deinstall Products to open the Inventory dialog box. Select the
previous version from the list and click Remove.
80
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
B
Installing an Oracle Database
Installing the Oracle Server
Figure 47. Oracle Universal Installer: Welcome page
4. In the Welcome page, click Next. The File Locations page appears. See Figure 48.
IMPORTANT The Source Path box is filled in automatically with the location of the
installation files. Do not change the path.
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
81
B
Installing an Oracle Database
Installing the Oracle Server
Figure 48. Oracle Universal Installer: File Locations page
5. Enter the Oracle Home name and its full path:
a. In the Destination Name box, enter or select a name for the Oracle Home.
b. In the Destination Path box, enter or select the location in which to install the
Oracle components.
6. Click Next. The Available Products page appears. See Figure 49.
82
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
B
Installing an Oracle Database
Installing the Oracle Server
Figure 49. Oracle Universal Installer: Available Products page
7. On the Available Products page, select the product to install.
8. Click Next. The Installation Types page appears. See Figure 50.
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
83
B
Installing an Oracle Database
Installing the Oracle Server
Figure 50. Oracle Universal Installer: Installation Types page
9. On the Installation Types page, select the type of installation.
10. Click Next. The Database Configuration page appears. See Figure 51.
84
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
B
Installing an Oracle Database
Installing the Oracle Server
Figure 51. Oracle Universal Installer: Database Configuration page
11. On the Database Configuration page, select a database.
12. Click Next.The Database Identification page appears. See Figure 52.
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
85
B
Installing an Oracle Database
Installing the Oracle Server
Figure 52. Oracle Universal Installer: Database Identification page
13. On the Database Identification page, enter the Global Database Name for the database
and the Oracle System Identifier (SID) name in the fields provided.
14. Click Next. The Database File Location page appears. See Figure 53.
86
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
B
Installing an Oracle Database
Installing the Oracle Server
Figure 53. Oracle Universal Installer: Database File Location page
15. On the Database File Location page, enter the directory location for the database files
(Directory for Database Files). The directory location must be a mapped drive.
16. Click Next. The Database Character Set page appears. See Figure 54.
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
87
B
Installing an Oracle Database
Installing the Oracle Server
Figure 54. Oracle Universal Installer: Database Character Set page
17. On the Database Character Set page, select the character set to use in your database.
18. Click Next. The Summary page appears. See Figure 55.
88
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
B
Installing an Oracle Database
Installing the Oracle Server
Figure 55. Oracle Universal Installer: Summary page
19. On the Summary page, review the space requirements to ensure that you have enough
disk space.
20. Click Install to start the installation.
When the installation is complete, the Configuration Tools page appears, and a series of
tools starts automatically to create and configure your database and Oracle Net Services
environments.The Configuration Tools page displays the results. See Figure 56.
• If the Oracle Database Configuration Assistant tool runs (see Figure 57), continue
with step 21.
• If the Oracle Database Configuration Assistant tool does not run, go to step 22 on
page 92.
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
89
B
Installing an Oracle Database
Installing the Oracle Server
Figure 56. . Oracle Universal Installer: Configuration Tools page
21. If the Oracle Database Configuration Assistant tool runs, you must change the default
passwords it sets:
a. After the tool completes, the Oracle Database Configuration Assistant dialog box
opens. See Figure 58. Make note of the database information listed in this dialog box.
b. On the Oracle Database Configuration Assistant dialog box, click Password
Management to open the Password Management dialog box. See Figure 59.
c. In the Password Management dialog box, change the default passwords.
d. Lock or unlock the database user accounts as necessary.
e. Click OK to save the changes and close the dialog box.
90
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
B
Installing an Oracle Database
Installing the Oracle Server
Figure 57. Oracle Database Configuration Assistant tool
Figure 58. Oracle Database Configuration Assistant dialog box
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
91
B
Installing an Oracle Database
Installing the Oracle Server
Figure 59. Password Management dialog box
22. When all the tools in the Configuration Tools page have finished, click Next. The
End Of Installation page appears. See Figure 60.
23. Click Exit to exit from the Oracle Universal Installer. The database is installed.
Figure 60. Oracle Universal Installer: End Of Installation page
92
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
B
Installing an Oracle Database
Installing the Oracle Client
Installing the Oracle Client
Y To install the Oracle Client software
1. Insert the Oracle Database Client compact disc. The Autorun installation program starts
automatically. See Figure 61. If it does not, locate and double-click the setup.exe file.
2. In the installation program, click Install/Deinstall Products. The Oracle Universal
Installer: Welcome page appears.
Figure 61. Oracle9i Client – Autorun installation program
Note Do not install Oracle software into an existing Oracle home that contains
another installation of Oracle software. Deinstall any previous versions before
installing a new version. Refer to your Oracle documentation for more information.
3. If you must remove a previous version of Oracle software before proceeding with this
installation, click Deinstall Products to open the Inventory dialog box. Then select the
previous version from the list and click Remove.
4. On the Welcome page, click Next. The File Locations page appears. See Figure 62.
IMPORTANT The Source Path box is filled in automatically with the location of the
installation files. Do not change the path.
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
93
B
Installing an Oracle Database
Installing the Oracle Client
Figure 62. Oracle Universal Installer: File Locations page
5. Enter the Oracle Home name and its full path:
a. In the Destination Name box, enter or select a name for the Oracle Home.
b. In the Destination Path box, enter or select the location in which to install the
Oracle components.
6. Click Next. The Installation Types page appears. See Figure 63.
94
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
B
Installing an Oracle Database
Installing the Oracle Client
Figure 63. Oracle Universal Installer: Installation Types page
7. On the Installation Types page, select the type of installation.
8. Click Next. The Summary page appears. See Figure 64.
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
95
B
Installing an Oracle Database
Installing the Oracle Client
Figure 64. Oracle Universal Installer: Summary page
9. On the Summary page, review the space requirements to ensure that you have enough
disk space.
10. Click Install to start the installation.
When the installation is complete, the Configuration Tools page appears, and a series of
tools automatically starts to create and configure your database and Oracle Net Services
environments.
The Configuration Tools page displays the results. See Figure 65.
• If the Oracle Net Configuration Assistant runs (see Figure 66), continue with
step 11.
• If the Oracle Net Configuration Assistant does not run, go to step 24 on page 101.
96
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
B
Installing an Oracle Database
Installing the Oracle Client
Figure 65. Oracle Universal Installer: Configuration Tools page
Figure 66. Oracle Net Configuration Assistant: Welcome page
11. On the Oracle Net Configuration Assistant: Welcome page, select the No, I Will
Create Net Service Names Myself option button.
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
97
B
Installing an Oracle Database
Installing the Oracle Client
12. Click Next. The Net Service Name Configuration, Database Version page appears.
See Figure 67.
Figure 67. Oracle Net Configuration Assistant: Net Service Name Configuration,
Database Version page
13. In the Net Service Name Configuration, Database Version page, select the
Oracle8i Or Later Database Or Service option button. See Figure 67.
14. Click Next. The Net Service Name Configuration, Service Name page appears.
See Figure 68.
98
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
B
Installing an Oracle Database
Installing the Oracle Client
Figure 68. Oracle Net Configuration Assistant: Net Service Name Configuration,
Service Name page
15. On the Net Service Name Configuration, Service Name page, enter the global database
name.
16. Click Next. The Net Service Name Configuration, Select Protocols page appears.
See Figure 69.
Figure 69. Oracle Net Configuration Assistant: Net Service Name Configuration,
Select Protocols page
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
99
B
Installing an Oracle Database
Installing the Oracle Client
17. On the Net Service Name Configuration, Select Protocols page, select the protocol
used for the database that you want to access.
18. Click Next. The next page that appears depends on what protocol you selected.
For example, if you selected the TCP protocol, then the Net Service Name
Configuration, TCP/IP Protocol page appears. See Figure 70.
Figure 70. Oracle Net Configuration Assistant: Net Service Name Configuration,
TCP/IP Protocol page
19. Based on your choice of protocol, you are asked for protocol parameter information.
Complete the specification of the protocol and click Next.
For example, on the Net Service Name Configuration, TCP/IP Protocol page, type the
host name for the system where the database is located, and select the Use Standard Port
Number option. See Figure 70. The Net Service Name Configuration, Test page
appears.
20. Select the Yes, Perform A Test option and click Next. The Net Service Name
Configuration, Connecting page appears and a connection test is performed.
• If the test is successful, click Next. The Net Service Name Configuration, Net
Service Name page appears. See Figure 71.
• If the test fails, click Back to review the information you entered. Make any necessary
changes and try the test again.
21. On the Net Service Name Configuration, Net Service Name page, accept the default
net service name or enter another net service name. The name you enter should be unique
to the client.
100
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
B
Installing an Oracle Database
Installing the Oracle Client
22. Click Next. The Net Service Name Configuration, Another Net Service Name? page
appears.
Figure 71. Oracle Net Configuration Assistant: Net Service Name Configuration,
Net Service Name page
23. On the Net Service Name Configuration, Another Net Service Name? page, specify
whether or not to configure another net service name for this client.
• If you select Yes and click Next, the Oracle Net Configuration Assistant leads you
through the process of configuring another net service name.
• If you select No and click Next, the Net Service Name Configuration Done page
appears. Click Next again and then click Finish to complete the Oracle Net
Configuration Assistant. You are returned to the Oracle Universal Installer:
Configuration Tools page (Figure 65).
24. On the Oracle Universal Installer: Configuration Tools page, click Next. The
installation is complete. See Figure 72.
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
101
B
Installing an Oracle Database
Installing the Oracle Client
Figure 72. Oracle Universal Installer: End of Installation page
102
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
C
IT Considerations
This appendix describes IT considerations to ensure that Xcalibur and LCquan work
properly.
Contents
• Updating the Registry
• Avoid Antivirus Scanning During Data Acquisition
• Do Not Delete the Xcalibur System Account
• Ensure that a Firewall Exception Exists for the Instrument
Updating the Registry
The local IT professional must change the security for user level accounts to allow read/write
permission to the following portion of the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Finnigan
The registry changes are required to run Xcalibur and LCquan. The required changes are part
of the security template changes. Refer to “Applying the Security Template” on page 19. The
security template reconfigures the user accounts under Windows XP to have the same
permissions they had under Windows NT. Also, the Registry Editor can be used to change
user permission to Full Control individually.
To undo the changes made by applying the security template, apply the Default security
template. This template explicitly sets every setting to its default.
Note Users must also have read/write permission to access the folders where they will save
their methods and processed data. Applying the security template also takes care of this.
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
103
C
IT Considerations
Avoid Antivirus Scanning During Data Acquisition
Schedule utilities that actively scan the hard drive, such as, antivirus, defragmenting, and
backup utilities, to run at times other than during data acquisition. These utilities can
monopolize computer resources, interfere with data acquisition, and cause loss of
communication with the instrument.
Directories typically used during data acquisition include:
• C:\Documents and Settings\(Current User)\Local Settings\Temp
• C:\Xcalibur\methods or the directory where the instrument method (.meth) and
processing method (.pmd) files are stored
• C:\Xcaibur\data or the directory where raw files (.raw) are stored
• C:\Xcalibur\system\programs\
Do Not Delete the Xcalibur System Account
Sequential user logon allows a user to log on, start an acquisition, and then log out. When
sequential user logon is enabled, an extra user account, called Xcalibur System, is created. This
account runs in the background during data acquisition. Do not delete this account.
Ensure that a Firewall Exception Exists for the Instrument
Firewall settings must include an exception for the instrument in use. If the firewall exception
is not configured, the computer is unable to communicate with the instrument. The
instrument software installation configures the exception for a Windows firewall
automatically, but this might not be true for other firewalls.
104
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
D
Watson Interface
This chapter describes the Authorization Manager settings for the Watson interface.
Contents
• Recommended Settings for Excel
• About the Watson Digital Interface
Recommended Settings for Excel
For the Watson file interface, set the following features in the Authorization Manager to
ensure that you can import Excel reports correctly from LCquan:
• Remove Signature Line from Excel Reports—This setting removes the signature line
from the exported quantitation reports.
• Allow Watson File Interface Excel Format Reports—This setting corrects the format of
the acquisition date and time entries in the exported quantitation reports.
Rounding the Decimal Places
For the Watson digital interface, you can ensure consistency in the number of decimal places
displayed in the Excel reports that LCquan exports. To do this, use the Allow Excel Rounding
feature.
If you specify Excel rounding, the exported values are restricted to three decimal places
consistently in the Excel reports. However, if you use this feature, the Excel reports do not
include a full precision value.
To use the Excel rounding feature, set the permission level to Allow in the Authorization
Manager (“Setting the Excel Features” on page 106). Before the Excel rounding feature takes
effect for the Watson digital interface, you must start and then exit LCquan once.
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
105
D
Watson Interface
Recommended Settings for Excel
Setting the Excel Features
Y To set the Excel features for LCquan reports
1. From the Windows XP taskbar, choose
Start > All Programs > Xcalibur > Authorization Manager to start the Authorization
Manager. See Figure 73.
Figure 73. Authorization Manager window
2. In the Secure Groups area, select the group.
3. In the controlled features list, select LCquan, and then click Expand Tree. The LCquan
list of controlled features appears. See Figure 74.
106
LCquan Administrator Guide for 21 CFR Part 11
Thermo Scientific
D Watson Interface
About the Watson Digital Interface
Figure 74. Authorization Manager—LCquan Quantitate Section features list
4. In the Quantitate Section section, right-click the feature, and then choose Allow from
the shortcut menu for each of the following:
• Remove signature line from Excel report
• Allow Watson File Interface Excel Format
• Allow Excel Rounding
A check mark appears next to each allowed feature.
5. Click OK to apply the changes and close the Authorization Manager.
About the Watson Digital Interface
The following fields are exported to Watson using the digital interface for each sample/analyte
combination:
• Peak area
• Peak height
• Retention time
See also “Rounding the Decimal Places” on page 105.
To use the digital interface with Watson 7.2 or later, refer to the instructions in the
Installing and Using the Peak View Gateway Between Watson and LCquan manual.
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
107
I
Index
Numerics
C
21 CFR Part 11
compliance with 1
protecting records and 19
requirements of 1
Xcalibur software and compliance with 3
comments about actions, requiring 57
comments, setting predetermined list 60
compliance database 15–18
configuration file 60, 64
configuring software applications
checklist 10
overview of 3
controlling user access, overview of 4
CRCs
See cyclical redundancy checks
Create Private Group dialog box 54
creating private groups 53
cyclical redundancy checks (CRCs), definition 4
A
access
restricting to folders and files 33
unauthorized
definition 3
prevention of, overview 4
Acquisition section, setting permissions 76
Advanced Security Settings dialog box 37
antivirus scanning 104
Arbitrary Selection of Root Folder, disallowing 73
archiving files 49
audit log, requiring comments for 57
audit trail, definition 4
Audit Viewer
filtering entries 69
printing entries 71
sorting entries 70
starting from LCquan workbook 67
starting from Windows desktop 66
tabs 68
use for auditing 65
auditing databases
accessing 65–67
configuring 15–18
Authorization Manager
history log for 63
illustrated 106
printing security settings in 63
saving controlled feature settings in 64
Automatic Logoff feature 48
Automatic Logoff Setup dialog box 49
Thermo Scientific
D
data
falsification, prevention of 2
loss due to auto logoff, prevention of 48
reconstruction 2
databases
configuring 15–18
Global Auditing database, accessing 65–67
workbook database, accessing 65–67
decimal place rounding 105
defining as secure, private groups 53
definition
domain logon groups 8
private groups 8
user groups 8
disallowed state, changing appearance of 56
documentation vii
domain logon groups
defining as secure 53
definition 8
LCquan Administrator Guide for 21 CFR Part 11
109
Index: E
E
event log 4
Event page, Audit Viewer 68
Excel, recommended settings 105
Excel, rounding decimal places in 78
Explore section, setting permissions 76, 77
exporting permissions 58
installing Oracle Client 93–102
installing Oracle Server 80–92
Instrument Setup section, setting permissions 76
IT considerations 103–104
L
LCquan feature permissions 73–78
logging on and off 48
F
Fast User Switching, logging on and off 47
features, setting for LCquan 73–78
file and folder structure 7
File Tracking page, Audit Viewer 68
files
configuring security settings for 33
permissions, setting 76
removing and archiving 49
tracking 4
Filter Entries dialog box 69
Finnigan Security Server
functions 28
properties of
secure file operations 28
user authentication 28
verifying properties of 28
Finnigan Security Server Properties dialog box 29, 30
firewall exception 104
Folder Options dialog box 35
folder structure 7
folders
configuring security settings for 33
defining list of secure 59
permissions
inheriting 34
setting for root 34, 42
secure XReport templates 61–62
G
Global Auditing database 65–66
H
history log
for Authorization Manager 63
for software applications 4
History page, Audit Viewer 68
manuals vii
Microsoft Access database, configuring 15
multi-user logon 48
O
opening of workbooks with file tracking errors, disallowing
73, 75
Operator Use Allowed 75
Oracle Client installing 93–102
Oracle database, configuring 15
Oracle Server installing 80–92
P
permission level Signature List 57
permission levels
about setting 55
definition 55
exporting and importing 58
inheriting 58
setting all 58
settings 73–78
permissions for folders and files, setting 41
printing security settings 63
private groups
defining as secure 53
definition 8
editing 54
private groups, creating 53
Properties dialog box – Security page 36
protecting records, overview of 4
Q
Quantitate section, setting permissions 76, 77
R
I
importing permissions 58
inheriting permissions 58
110
M
LCquan Administrator Guide for 21 CFR Part 11
records, protecting 4
registry changes 103
removing files 49
Thermo Scientific
Index: S
reports
permissions for creating 77
rounding decimal places in Excel 78
serial numbers 61
setting up secure reporting 61–63, 78
root folder
allowing change 75
changing 59
configuring security settings for 34
disallowing arbitrary selection 73, 75
S
saving, controlled feature settings 64
secure folders list 59
secure reporting 61–63, 78
security features, within software applications 4
security folder
configuration file and 64
configuring security settings for 42
Security page, Properties dialog box 36
Security Server
See Finnigan Security Server
security settings
folders and files 33
printing from Authorization Manager 63
security template, applying 19
security, system 3
Select Users or Groups dialog box 40
Select Users, Computers, or Groups dialog box 39
Sequential User Logon feature 48
serial numbers, secure reports 61
setting permission levels 55
signature list
definition 57
Sort Entries dialog box 70
study
description 7
system security 3
user groups
definition 8
editing 54
single user belonging to multiple 53
user guides vii
W
Watson interface, setting features for 105–107
Watson LIMS, Oracle database 15
workbook
description 7
workbook databases 67
workbooks
already marked as opened 75
creation permissions 76
databases, auditing 66
file tracking errors 73
secure XReport templates 61
X
Xcalibur system account 104
XReport templates, secure 61–63, 78
T
tracking, files 4
U
unauthorized access
definition 3
prevention of, overview 4
user access
controlling 4
logging on and off 47
Thermo Scientific
LCquan Administrator Guide for 21 CFR Part 11
111
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertisement