
Technical Information
CENTUM CS 1000/CS 3000
Yokogawa's Approach to meeting FDA 21 CFR Part 11
TI 33Q01A61-01E
Copyright Feb. 2002 (YK)
3rd Edition Sep. 2003 (YK)
Introduction
Electronic records and signatures are increasingly important to the process control and automation industry, which seeks to capitalize on the increased efficiency, reduced cost, and simplified storage associated with the elimination of paper documents. The U.S. Federal Regulations that govern access, storage, security, etc. associated with electronic records and electronic signatures are defined in the Code of Federal Regulations, Title 21, Volume 1, Part 11 (abbreviated CFR21P11).
Yokogawa Electric Company provides solutions for various industries. For the pharmaceutical industry, Yokogawa's product line-up includes dedicated packages for the production management of medicine factories. Using these packages together with Yokogawa's control system, a comprehensive FDA 21 CFR Part 11 compliant plant control system can be built.
This document is the main material about Yokogawa's comprehensive 21 CFR Part 11 compliant control system and about the applications of the system. The explanation in this document focuses on the control schemes corresponding to the 21 CFR Part 11 provisions.
In order to implement a 21 CFR Part 11 compliant control system, it is necessary to understand the meaning of the 21 CFR Part 11 regulations.
In the 21 CFR Part 11 compliant control system, the various applications corresponding to the 21 CFR Part 11 provisions are provided together with instruction manuals and a standard operation procedure on how to utilize the applications. Thus, reading and understanding these documents is important for the personnel involved in the applications of Yokogawa's 21 CFR Part 11 compliant control system.
All Rights Reserved Copyright 2002, Yokogawa Electric Corporation Sep. 30, 2003-00
Scope
In chapter 1, the CS 1000/CS 3000 system configuration that conforms to CFR21P11 and the related software packages are described.
In chapter 2, the applications in CENTUM CS 1000/CS 3000 that correspond to the 21 CFR Part 11 provisions are listed. If an item is marked with [Y], Yokogawa has provided a corresponding application to support that provision. If an item is marked with [U], the user must properly utilize and manage the CS 1000/CS 3000 application to conform to the provision. However, even for an item marked with [Y], the user also needs to prepare a standard operation procedure (SOP) so as to properly utilize the application to conform to the corresponding regulation.
In chapter 3, how to build a 21 CFR Part 11 compliant CS 1000/CS 3000 control system and the required application packages are explained.
In chapter 4, how to handle date and time adjustment in CENTUM CS 1000/CS 3000 control systems is explained, since the consistency of date and time is critical for the audit trails regulated by 21 CFR Part 11.
IMPORTANT
21 CFR Part 11 is a regulation stipulated by the FDA of the US government.
In this document, the phrases "21 CFR Part 11 compliant" and "conform to 21 CFR Part 11 provisions" are used. However, the compliance and conformity are based on Yokogawa's understanding of 21 CFR Part 11. It is the user's responsibility to determine whether to accept Yokogawa's systems as compliant and conforming.
Thus, users of Yokogawa's control system need to fully understand the 21 CFR Part 11 regulations and the corresponding applications in CENTUM CS 1000/CS 3000 control systems, and need to create a standard operation procedure based on the user's policy to apply and implement with the control system.
CONTENTS
1. CENTUM CS 1000/CS 3000 Basic System Configuration in Compliance with FDA 21 CFR Part 11 .... 1-1
  1.1 Standard CS 3000 Functionality Architecture Conforms to 21 CFR Part 11 .... 1-1
  1.2 Architecture of Enhanced Capability for Archiving the Long Term Operation Result Data .... 1-2
2. CENTUM CS 1000/CS 3000 21 CFR Part 11 Compliance Summary Table .... 2-1
  Part 11 ELECTRONIC RECORDS; ELECTRONIC SIGNATURES
  General Provisions (Subpart A) .... 2-2
    11.1 Scope .... 2-3
    11.2 Implementation .... 2-4
    11.3 Definitions .... 2-4
  Electronic Records (Subpart B) .... 2-5
    11.10 Controls for closed systems .... 2-5
    11.30 Controls for open systems .... 2-8
    11.50 Signature manifestations .... 2-8
    11.70 Signature/record linking .... 2-9
  Electronic Signatures (Subpart C) .... 2-10
    11.100 General requirements .... 2-10
    11.200 Electronic signature components and controls .... 2-10
    11.300 Controls for identification codes/passwords .... 2-12
  Authority: Secs. 201-903 of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 321-393); sec. 351 of the Public Health Service Act (42 U.S.C. 262).
3. Guidance on Conforming CENTUM CS 1000/CS 3000 to 21 CFR Part 11 .... 3-1
  3.1 Access Restrictions .... 3-1
  3.2 Audit Trails .... 3-9
  3.3 Report Package PHS6530/LHS6530 .... 3-12
4. Time Management of CENTUM CS 1000/CS 3000 .... 4-1
  4.1 Time Management of a CENTUM CS 1000/CS 3000 Domain .... 4-1
    4.1.1 Time Stamp of Audit Trail Record .... 4-1
    4.1.2 Time Synchronization Scheme .... 4-2
    4.1.3 System Clock and VEHICLE Clock .... 4-3
    4.1.4 Cautions .... 4-3
    4.1.5 Time Synchronization of Others .... 4-4
  4.2 Time Synchronization Across Domains .... 4-5
    4.2.1 Time Notification .... 4-5
    4.2.2 Time Synchronization Between Domains .... 4-5
    4.2.3 BCV Settings .... 4-5
  4.3 Time Related Notices .... 4-6
    4.3.1 Summer Time .... 4-6
    4.3.2 Accuracy of VEHICLE Clock .... 4-6
    4.3.3 Time Synchronization with Exaquantum .... 4-7
    4.3.4 Time Synchronization with External Clock .... 4-8
1. CENTUM CS 1000/CS 3000 Basic System Configuration in Compliance with FDA 21 CFR Part 11
1.1 Standard CS 3000 Functionality Architecture Conforms to 21 CFR Part 11
In CS 3000, the users who access the system are classified into the following four user groups (A to D).
A. Operator: with user rights for operation.
B. Operator: with user rights for reporting (printing a report; creating a report).
C. Instrumentation Engineer: with user rights for maintaining system builders.
D. Recipe Engineer: with user rights for creating master recipes.
System Administrator: with user rights for access management, audit policy change, system error handling and all operations authorized to the system administrator of the local computer. The System Administrator manages the audit trails of user management.
Figure Standard CS 3000 Functionality Architecture Conforms to 21 CFR Part 11 (F010001.ai)
Figure elements: at the site, HISs and FCSs on V net, with a PC (System Builders) and an audit trail data server on Ethernet; each HIS, the PC and the data server carry Access Control and Audit Trail. Audited events: A: Audit Operator Events (Operation Events); B: Audit Operator Events (Report and Print Events) (*1); C: Audit Instrumentation Engineer Events (System Builders); D: Audit Recipe Engineer Events (Recipe Builders). The audit trail data server provides Save Data, Search Data and Report Search Result. The System Administrator audits the audit trails of the whole system and all events from the Audit Trail Database of user groups A to D.
*1: To be released in R3.03
HIS: Human Interface Station
FCS: Field Control Station
Note: Do not install engineering builders on the HIS. Problems may occur when activating the screen lock, which is described later in this document.
1.2 Architecture of Enhanced Capability for Archiving the Long Term Operation Result Data
CENTUM CS 3000 has various capabilities that conform to the stipulations of CFR21P11. If CENTUM CS 3000 is connected to Exaquantum/Batch, which is a PIMS (Plant Information Management System) (*1), long-term trend saving, long-term production logging, batch cycle improvement, various advanced analyses and advanced batch control system configuration can be realized.
Exaquantum/Batch is a package that is highly compatible with the CENTUM CS 1000/CS 3000 control system and can be simply connected to the system. Using Exaquantum/Batch, large quantities of long-term data can be stored in a highly reliable relational database (RDB).
Figure Architecture of Enhanced Capability for archiving the Long Term Operation Result Data (F010002.ai)
Figure elements: CENTUM CS 3000 (conforms to 21 CFR Part 11) with HISs, FCSs and a PC (System Builders) on V net and Ethernet, in the field. Audited events: Audit Operator Events, Audit Instrumentation Engineer Events, and Audit Recipe Engineer Events (Recipe Management) (*1). The System Administrator audits all audit trail data of CS 3000 from the Audit Trail Database of HIS, the Audit Trail Database of System Builders and the Audit Trail Database of Recipe Builders (*1). The audit trail data server provides Save Data, Search Data and Report Search Result (printout, print to PDF files). Exaquantum/Batch, the Batch PIMS (conforms to 21 CFR Part 11), provides Report, Batch Trend (*1), Save Operation Result Data, Archive Control Recipe, Batch Analysis, Web Client, etc.
*1: Available when using CS Batch 3000
HIS: Human Interface Station
FCS: Field Control Station
2. CENTUM CS 1000/CS 3000 21 CFR Part 11 Compliance Summary Table
Part 11 ELECTRONIC RECORDS; ELECTRONIC SIGNATURES
Subpart A General Provisions
11.1 Scope
11.2 Implementation.
11.3 Definitions
Subpart B Electronic Records
11.10 Controls for closed systems.
11.30 Controls for open systems.
11.50 Signature manifestations.
11.70 Signature/record linking.
Subpart C Electronic Signatures
11.100 General requirements.
11.200 Electronic signature components and controls.
11.300 Controls for identification codes/passwords.
Authority: Secs. 201-903 of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 321-393); sec. 351 of the Public Health Service Act (42 U.S.C. 262).
General Provisions (Subpart A)
Subpart A of CFR21P11 defines the scope, implementation, and definitions of Part 11. These sections are provided mainly for information and understanding of the regulations provided in Subparts B (Electronic Records) and C (Electronic Signatures). CFR21P11 applies to all computer systems that store or handle electronic information required for either retention for, or submittal to, the Food and Drug Administration (FDA). These regulations apply to the CS 1000/CS 3000 Human Machine Interfaces (including standard HIS stations, Recipe Development Stations, Engineering/Builder Stations, and Remote Reporting Stations). CS 1000/CS 3000 Human Machine Interfaces (HMI) are commercially available personal computers / workstations with Microsoft Windows operating systems and off-the-shelf Yokogawa CS 1000/CS 3000 software applications.
These systems assemble data, alarms, messages, and other electronic information in a secure environment and are considered to be the point of creation of the electronic records. The CS 1000/CS 3000 distributed control system is configured and maintained in an environment controlled by the end user. Access to the CS 1000/CS 3000 HMI is limited to authorized personnel with predefined privileges. These individuals have authorization to control the associated part(s) of the manufacturing process. In accordance with the definition in 11.3 (b) (4), CS 1000/CS 3000 is therefore a closed system for purposes of limiting access and maintaining integrity of electronic records.
The electronic signature provided in the CENTUM CS 1000/CS 3000 system cannot be used as a signature with legal responsibility; it is only an attachment to the electronic record. (*1)
For the electronic signatures of logging reports, such as daily reports or batch reports, the signature features of Acrobat can be used.
In the following table, the provisions of Subpart C are described with regard to personal authentication.
*1: Electronic Signature
Electronic signatures with legal responsibility: the signatures used in a report for approval or authorship and so on.
Attachment to an electronic record: the signatures attached to electronic records for identifying the personnel who have accessed the records.
Listing of Titles and General Provisions (Subpart A)
TITLE 21 FOOD AND DRUGS
PART 11 ELECTRONIC RECORDS; ELECTRONIC SIGNATURES
Subpart A--General Provisions
Sec.
11.1 Scope.
11.2 Implementation.
11.3 Definitions.
Subpart B--Electronic Records
11.10 Controls for closed systems.
11.30 Controls for open systems.
11.50 Signature manifestations.
11.70 Signature/record linking.
Subpart C--Electronic Signatures
11.100 General requirements.
11.200 Electronic signature components and controls.
11.300 Controls for identification codes/passwords.
Authority: 21 U.S.C. 321-393; 42 U.S.C. 262.
Source: 62 FR 13464, Mar. 20, 1997, unless otherwise noted.
Subpart A General Provisions
11.1 Scope.
(a) The regulations in this part set forth the criteria under which the agency considers electronic records, electronic signatures, and handwritten signatures executed to electronic records to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper.
(b) This part applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted, under any records requirements set forth in agency regulations. This part also applies to electronic records submitted to the agency under requirements of the Federal Food, Drug, and Cosmetic Act and the Public Health Service Act, even if such records are not specifically identified in agency regulations. However, this part does not apply to paper records that are, or have been, transmitted by electronic means.
(c) Where electronic signatures and their associated electronic records meet the requirements of this part, the agency will consider the electronic signatures to be equivalent to full handwritten signatures, initials, and other general signings as required by agency regulations, unless specifically excepted by regulation(s) effective on or after August 20, 1997.
(d) Electronic records that meet the requirements of this part may be used in lieu of paper records, in accordance with 11.2, unless paper records are specifically required.
(e) Computer systems (including hardware and software), controls, and attendant documentation maintained under this part shall be readily available for, and subject to, FDA inspection.
11.2 Implementation.
(a) For records required to be maintained but not submitted to the agency, persons may use electronic records in lieu of paper records or electronic signatures in lieu of traditional signatures, in whole or in part, provided that the requirements of this part are met.
(b) For records submitted to the agency, persons may use electronic records in lieu of paper records or electronic signatures in lieu of traditional signatures, in whole or in part, provided that:
(1) The requirements of this part are met; and
(2) The document or parts of a document to be submitted have been identified in public docket No. 92S0251 as being the type of submission the agency accepts in electronic form. This docket will identify specifically what types of documents or parts of documents are acceptable for submission in electronic form without paper records and the agency receiving unit(s) (e.g., specific center, office, division, branch) to which such submissions may be made. Documents to agency receiving unit(s) not specified in the public docket will not be considered as official if they are submitted in electronic form; paper forms of such documents will be considered as official and must accompany any electronic records. Persons are expected to consult with the intended agency receiving unit for details on how (e.g., method of transmission, media, file formats, and technical protocols) and whether to proceed with the electronic submission.
11.3 Definitions.
(a) The definitions and interpretations of terms contained in section 201 of the act apply to those terms when used in this part.
(b) The following definitions of terms also apply to this part:
(1) Act means the Federal Food, Drug, and Cosmetic Act (secs. 201-903 (21 U.S.C. 321-393)).
(2) Agency means the Food and Drug Administration.
(3) Biometrics means a method of verifying an individual's identity based on measurement of the individual's physical feature(s) or repeatable action(s) where those features and/or actions are both unique to that individual and measurable.
(4) Closed system means an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.
(5) Digital signature means an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.
(6) Electronic record means any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.
(7) Electronic signature means a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual's handwritten signature.
(8) Handwritten signature means the scripted name or legal mark of an individual handwritten by that individual and executed or adopted with the present intention to authenticate a writing in a permanent form. The act of signing with a writing or marking instrument such as a pen or stylus is preserved. The scripted name or legal mark, while conventionally applied to paper, may also be applied to other devices that capture the name or mark.
(9) Open system means an environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system.
Electronic Records (Subpart B)
The CS 1000/CS 3000 family of distributed control systems is capable of generating a variety of electronic records for process historical reports, operator logs, trends, audit trails (configuration management), and more.
Listing and Analysis of Subpart B CS 1000/CS 3000 Solutions
Subpart B Electronic Records

11.10 Controls for closed systems.
Regulation: Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following:
CS 1000/CS 3000 solution: CS 1000/CS 3000 are closed systems for purposes of limiting access and maintaining integrity of electronic records. Secure methods for operator and engineer access to the four major operations (Process Operation, Builder Maintenance, Process Data Reporting (R3.03), and Master Recipe Maintenance) are designed in accordance with CFR21P11. The HIS user groups Operator, Reporter, Instrumentation Engineer and Recipe Engineer are all referred to as engineering groups, and the users of these groups are all referred to as operators.

(a) Regulation: Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.
CS 1000/CS 3000 solution (T): Validation of CS 1000/CS 3000 systems is performed in accordance with the end user's master validation plan. All process operations are recorded automatically by the system Audit Trail. Moreover, if required, all operations performed for Process Data Reporting, Builder Maintenance and Master Recipe Maintenance are also automatically recorded by the system Audit Trail function.

(b) Regulation: The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records.
CS 1000/CS 3000 solution (T): In consideration of the requirements for portability, security, and traceability, electronic records can be output into widely used file formats suitable for long-term storage and for review and evaluation by the FDA. Specific examples include:
- Audit Trail: PDF
- Trend Data: CSV
- Reports: CSV, XLS, PDF
- Master Recipe: PDF (using the self-documentation package)
Using Exaquantum, the Yokogawa PIMS (Plant Information Management System), the control recipes and various production result data can be stored in an RDB. These data can be exported to various types of files.

T: Yokogawa DCS supports the required functionality. User must create an SOP for utilizing the functionality.
(c) Regulation: Protection of records to enable their accurate and ready retrieval throughout the records retention period.
CS 1000/CS 3000 solution (T): The Audit Trail is provided with a viewer that gives the ability to correctly and rapidly search for required records. With this viewer, electronic records can be efficiently searched according to date, personnel, batch ID, equipment, message type, and so on. Moreover, the search result and the search condition (metadata) can be output into a read-only PDF file. When saving audit trail data, the free space of the hard disk is checked. Moreover, CPU usage, communication capacity and memory usage can also be checked by the DCS system.

(d) Regulation: Limiting system access to authorized individuals.
CS 1000/CS 3000 solution (T): System access limitations are provided for:
- System Administration
- Process Data Reporting
- Process Operation and Monitoring System
- Maintenance (Builder)
- Recipe Generation (Master Recipe Maintenance)
Personnel authentication is performed using User ID and Password. Authentication is required at login, and can also be required each time certain process operations are started. The authenticated individual can be assigned privilege levels based on assigned authority. If no user is logged in, OFFUSER (the initial user) is the login user. OFFUSER has operation rights limited to plant safety operations such as emergency shutdown, plus the privilege of plant monitoring. Operations performed by OFFUSER are also logged by the audit trail and stamped with the user ID. Moreover, direct file access from the Windows Desktop is restricted by CENTUM Desktop functions: in the CENTUM Desktop environment, the files displayed in Windows Explorer and the manipulation of files on CD-ROM or floppy disks are restricted.

(e) Regulation: Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.
CS 1000/CS 3000 solution (T): Only users with administrator privilege can perform operator registration. Operations performed by operators are all recorded as Audit Trail records with the information Who, When, Where, What, Why and How (5W1H). The Audit Trail records can be sorted and then output into a PDF file. The time stamped on an audit trail record is automatically synchronized with the time in all terminal HISs of the CENTUM CS 1000/CS 3000 system (in a cycle of 10 seconds).
(f) Regulation: Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.
CS 1000/CS 3000 solution (T): Standard sequence functions provided in CS 1000/CS 3000 systems can be configured to enforce permitted sequencing of steps and events as needed. The following sequence functions can be used to enforce the permitted operation steps:
- SFC
- Sequence Table
- Logic Chart
- SEBOL
The following human machine interfaces require passwords and confirmation operations so as to meet the security requirements:
- User Security
- HIS Operation and Monitoring

(g) Regulation: Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.
CS 1000/CS 3000 solution (T): An authorized engineer on the builder must register the operator. Operating privileges for authenticated personnel are classified into up to seven levels of hierarchy, such as Read-Only, Read/Write, and so on. Moreover, operating privileges can be assigned to each group based on operation target (e.g. panels, function blocks, messages, Control Recipe, etc.) and console. Restrictions on each operator console (HIS): the operation windows, function blocks and messages handled on each operator console can be classified. Restrictions on each operation group: the operation windows, function blocks and messages handled by each operation group can be classified.

(h) Regulation: Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.
CS 1000/CS 3000 solution (T): Since the I/O devices (I/O modules) of the DCS are all addressed, the route of input data can be identified from the address of the connected I/O module. All operations performed on the operator consoles are stamped with the console IDs in the audit trail records.

(i) Regulation: Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.
CS 1000/CS 3000 solution (P): A proper education program according to the work assignment of each individual is required. The execution of the education program should be recorded. Yokogawa offers standard and custom training classes on the development, maintenance, and use of CS 1000/CS 3000 system features. The engineering work on CENTUM CS 3000 should be performed by personnel who have received the proper training stipulated by company rules.

(j) Regulation: The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.
CS 1000/CS 3000 solution (P).

P: User must have efficient management to observe the SOP.
(k) Regulation: Use of appropriate controls over systems documentation including:
(1) Regulation: Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.
CS 1000/CS 3000 solution (P): Users should establish a documentation management system.
(2) Regulation: Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.
CS 1000/CS 3000 solution (T+P): Actual document control is established by the end user's management system. CENTUM CS 1000/CS 3000 has a self-documentation capability to support document revisions in accordance with system modifications. CENTUM CS 1000/CS 3000 self-documentation can add a revision number for audit trail purposes when outputting to a paper document or to a PDF file.

11.30 Controls for open systems.
Regulation: Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in 11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality.
CS 1000/CS 3000 solution: Not applicable to closed systems.

11.50 Signature manifestations.
(a) Regulation: Signed electronic records shall contain information associated with the signing that clearly indicates all of the following:
(1) Regulation: The printed name of the signer;
CS 1000/CS 3000 solution (T): The user name is authenticated in real time by checking the login name (User-In dialog box) against the registered user names in the Security Builder. Moreover, the name can also be put in the remarks column of the audit trail. Each audit trail record is stamped with the operator ID, and the full names corresponding to the IDs can be output to a PDF file (by self-documentation).
(2) Regulation: The date and time when the signature was executed; and
CS 1000/CS 3000 solution (T): Each record in the Audit Trail is time-stamped with year, month, day, hour, minute, and second.
(3) Regulation: The meaning (such as review, approval, responsibility, or authorship) associated with the signature.
CS 1000/CS 3000 solution (T): Each record in the Audit Trail can be remarked in the Reason field.
Sep. 30, 2003-00
2. CS 1000/CS 3000 Solutions 2-9
TI 33Q01A61-01E
Listing and Analysis of Subpart B CS 1000/CS 3000 Solutions
(b) The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout).
T The audit trails can be listed on the display and output to a PDF file.
11.70 Signature/record linking.
Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.
T User IDs are included automatically in the audit trail by the CS 1000/CS 3000 system, within the relevant electronic records as they are generated. Each audit trail record is stamped with the operator ID, and the full names corresponding to the IDs can be output to a PDF file (by self-documentation).
Audit trail files are generated as write-protected system files.
Electronic Signatures (Subpart C)
Electronic signatures are established to eliminate the need to print electronic records that are otherwise secure and compliant with the regulations in Subpart B solely for the purpose of uniquely identifying the individual who creates, manages, reviews, or approves content. CS 1000/CS 3000 systems employ User ID (user name) and password combinations as the electronic signatures associated with individual electronic records. Standard on all CS 1000/CS 3000 systems are levels of user identification with password protection and configurable levels of secure access. Options are also available for identification through biometrics (e.g. fingerprint).
Listing and Analysis of Subpart C CS 1000/CS 3000 Solutions
Subpart C Electronic Signatures
11.100 General requirements.
(a) Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.
T When registering a new user account, the computer administrator checks that no identical user name already exists. Each individual has his own password, which is known to nobody but the individual himself, not even the computer administrator.
Registered user IDs are under permanent control. Once a registered ID becomes invalid for some reason (retirement or transfer), the ID cannot be used again.
(b) Before an organization establishes, assigns, certifies, or otherwise sanctions an individual's electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual.
P
(c) Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures.
P
(1) The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations (HFC-100), 5600 Fishers Lane, Rockville, MD 20857.
P
(2) Persons using electronic signatures shall, upon agency request, provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer's handwritten signature.
P
11.200 Electronic signature components and
controls.
(a) Electronic signatures that are not based
upon biometrics shall:
(1) Employ at least two distinct identification components such as an identification code and password.
T Authentication is performed on two components, User ID and password.
User ID: a unique string of up to 16 alphanumeric characters assigned by the system administrator.
Password: a user-defined string of up to 32 alphanumeric characters.
(i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.
T At the first login to the system, both User ID and password must be entered in the User-In dialog box for authentication. For succeeding operations, only the password needs to be entered.
If the logged-in user performs no operation for a set length of time, the user is logged out automatically (Automatic Logout); the user can log in again with his user ID and password.
(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.
T Once the user is logged out, either manually or automatically, no further operations can be performed until the user logs in again, which requires both User ID and password to be entered in the User-In dialog box.
(2) Be used only by their genuine owners; and
T The password of a user is set the first time the user logs in with his user ID. The password must not be disclosed to anyone, not even the system administrator.
(3) Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.
Use of an individual's electronic signature by anyone other than its genuine owner requires an OnBehalf signature, and management of OnBehalf users should be established (for example, the OnBehalf signature should be performed with the collaboration of the OnBehalf user and the system administrator).
A user should have a password in the CENTUM CS 1000/CS 3000 system that cannot easily be guessed or parsed by others.
If emergency actions are required and the person assigned to them is absent, another person with the same or higher privileges can take the actions on his behalf. Using a mode-switching key (physically a metal key), an operator can switch to the special user Engineer, which has higher privilege and can perform almost all operations.
All operations performed as Engineer are nevertheless logged and recorded by the audit trail. Since the computer cannot identify the particular individual who performed operations under the Engineer account, a security policy on the management of the mode-switching key is necessary.
(b) Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners.
T A fingerprint identification unit is also provided as an option for authentication.
11.300 Controls for identification codes/passwords.
Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include:
(a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.
T When registering a new user ID, the system administrator checks for identical IDs so that all IDs are guaranteed unique. Each individual has his own password, which is known to nobody but the individual himself, not even the computer administrator.
All user IDs are under permanent control. Once a registered ID becomes invalid for some reason (retirement or transfer), the ID cannot be used again.
(b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).
T Password validity (the valid period is user-definable) is checked by the system. When the expiration date has passed, the system prompts the user to update the password.
(c) Following loss management procedures to electronically deauthorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.
T When a specific User ID becomes invalid (because of a compromised password, retirement, or another reason), the User ID is marked invalid by the authorized administrator. Invalid IDs are not deleted but are retained by the system to prevent future reuse.
(d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.
T When a user's logon fails repeatedly, an authentication failure alarm message is broadcast to all terminals (HISs) and the event is recorded by the audit trail. In addition, the user ID is locked out (User Lockout feature). With optional packages, the alarm message can also be sent to a PDA or mobile phone in real time.
(e) Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.
P Security settings can be checked and confirmed during computer validation, initially and periodically as needed.
3. Guidance on Conforming CENTUM
CS 1000/CS 3000 to 21 CFR Part 11
CENTUM CS 1000/CS 3000 classifies users into four groups: Operator, Instrumentation Engineer, Recipe Engineer and Reporter. All operations performed by users of these groups are subject to the audit trails required by 21 CFR Part 11. The user rights and audit trails that apply to users of the Operator group (hereinafter the HIS user group) differ from those that apply to users of the other groups (hereinafter the engineer groups). This chapter explains in detail the user rights and audit trails applied to users, how to implement them and what to take care of during implementation.
The option packages for FDA 21 CFR Part 11 compliance are shown in the table below:

Option Package                                  HIS User Group               Engineer User Group (System Builders,
                                                (User Rights/Audit Trails)   Recipe Builders, Report Builders)
                                                                             (User Rights/Audit Trails)
FDA 21 CFR Part 11 Compliant Package            - (*1)                       Required
(PHS5170/LHS5170)
Consolidated Historical Messaging Package       Required (*2)                -
(FDA 21 CFR Part 11 Compliant) (*3)

*1: The standard security settings can be used to restrict users' access capabilities on the HIS; this option package is not required for that purpose.
*2: If Exaquantum/Batch is used as the server for managing the audit trails, this option package is not required.
*3: With the Long-Term Data Archive package (PHS6510/LHS6510), the trend data, closing data and historical messages in the HIS can be stored, but extracting data from the stored files to create reports or PDF files is not supported.
3.1 Access Restrictions
Access Restriction Settings
The following table lists the functions set by the system administrator. The table includes the required items in the LHS1100 Standard Operation and Monitoring Function and the LHS6530 Report Package. The access-control functions are classified into the following four categories:
A: User ID registration: management and handling of user IDs and passwords
B: Access control: the conditions for accessing the system
C: Password policy: password setting conditions, etc.
D: Windows direct access: the PC desktop environment
User group                                             HIS group                      Engineering group (system builder,
                                                                                      recipe builder, report builder) (*1)
Set location                                           Security Builder (*2) /        Access Control utility (each PC)
                                                       HIS utility (each HIS)
Optional packages required                             Not required (included in      LHS5170 packages for FDA 21 CFR Part 11
                                                       standard applications)

Function
A  User ID registration and deletion                   X (*3)                         X
   Authorization setting for each user ID              X (*3)                         X
   Password management (Local control/Common control)  X
B  Automatic user logoff / automatic screen lock       X                              X
   Check illegal logon attempts                        X (*3)                         X
   User lockout (*4)                                   X                              X
   User ID release during lockout (*4)                 X                              X
   Password resetting (*4)                             X                              X
   Reconfirmation with double authentication           X (*3)
   Biometric authentication (fingerprint)              X                              Optional
C  Check expiration date of passwords                  X (*3)                         X
   Check obsolete passwords (*4)                       X                              X
   Check password length (*4)                          X                              X
D  Automatic logon to Windows                          X (*3)                         X
   CENTUM desktop                                      X (*3)                         X

*1: Report packages (PHS6530/LHS6530) are separately needed to perform report functions.
*2: Registration and authorization of the engineer are needed, as well as system administrator authorization (PC administrator authorization), to operate Security Builder.
*3: System administrator authorization is needed in revision R3.04 or later.
*4: New function in R3.04.
Overview
Registering and Removing User IDs
Each person permitted to use the system must be registered (ID, name and group). The user IDs of retired or transferred persons are removed and permanently stored as obsolete IDs. A user account with an obsolete ID (or one identical to an obsolete ID) (*1) can never log on to the system again.
*1: The maximum number of obsolete user IDs is 10,000. When the number of obsolete IDs reaches 10,000, no more user accounts can be removed.
User Account           User ID / Group ID                            Name                                  Max. No. of Valid Users (Groups)
HIS Users              Up to 16 alphanumeric characters              Up to 32 alphanumeric characters      CS 1000: 100 (not including obsolete users)
                       (must not be identical to another user ID     (the name of the person)              CS 3000: 250 (not including obsolete users)
                       or to an obsolete ID)
HIS User Groups        Up to 8 alphanumeric characters               Up to 32 alphanumeric characters      CS 1000: 15
                                                                     (the name of the person)              CS 3000: 50
Engineers              Up to 16 alphanumeric characters              Up to 64 alphanumeric characters      CS 1000: -
                       (must not be identical to another user ID     (the name of the person)              CS 3000: -
                       or to an obsolete ID)
Engineer User Groups   Up to 8 alphanumeric characters               Up to 32 alphanumeric characters      CS 1000: -
                                                                                                           CS 3000: -

Note: For operations where a specific user account is not required to identify each individual operator, DEFGRP and NONEGRP are provided as the default user groups, and OFFUSER, ONUSER and ENGUSER as the default user names.
User Rights of Each Account
User rights can be assigned to each registered user account. The detailed settings are as follows:
[HIS User Groups]
The user rights and user group privileges for HIS user groups are set as follows:
Privilege   Monitoring   Operation   Maintenance
S1          Y            N           N
S2          Y            Y           N
S3          Y            Y           Y
Y: Enabled   N: Disabled
Note: The user rights defined for each of the privileges S1 to S3 cannot be changed.
To meet the requirements of operating various types of plants, the user-defined privileges U1 to U7 can be added with the HIS Security Builder. The following user rights can be assigned to each privilege:
- Window monitoring rights
- Window operation rights
- Whether to display the Tuning and Faceplate windows of a function block
- Whether to allow writing to data items in a function block
- Operation mark security levels
- Operation mark install/remove attributes
- Password control mode (choose between Common and Local)
Figure: Security Builder - Window Operation Tab. The tab covers window monitoring, window operation, user group, valid user, tag view, item operation and operator action settings; the window access levels shown in the figure are:

Window access level   S1  S2  S3  U1  U2  U3  U4  U5  U6  U7
1                     Y   Y   Y   Y   Y   Y   Y   Y   Y   Y
2                     N   Y   Y   Y   Y   Y   Y   Y   Y   Y
3                     N   N   Y   Y   Y   Y   Y   Y   Y   Y
4                     N   N   N   N   N   N   N   N   N   N
5                     N   Y   Y   Y   Y   Y   Y   Y   Y   Y
6                     N   N   Y   Y   Y   Y   Y   Y   Y   Y
7                     N   N   N   N   N   N   N   N   N   N
8                     N   N   N   N   N   N   N   N   N   N
S1 to S3 are fixed; U1 to U7 are user-defined privilege levels and can be changed.
[Engineer User Group] (System Builders, Recipe Builders and Report Builders)

Engineer User Group                          User Rights
Recipe Engineer                              READ, WRITE, DELETE, DOWNLOAD, ENGINEERING
Instrumentation Engineer (System Builders)   READ, WRITE, CREATE

Table: Default Values of Rights (Report Builders)
User group       Right    Report definition file   Report printout image file
Manager group    Create   For all files            For all files
                 Write    For all files            For all files
Operator group   Create   None                     None
                 Write    None                     For all files
Password Control Mode (Choose between Common and Local)
The passwords registered in the HISs can be controlled in two ways, Common and Local. Common means the passwords of all HISs are under the same administration; Local means the passwords of each HIS are controlled separately. The merits and demerits of the two control modes are:
Local
Each person sets his user account on each HIS.
The same user can use different passwords on different HISs, so the risk of a leaked password is reduced.
Common
Each person needs to set his password on only one HIS in the system; the password is replicated to all other HISs connected in the system. If a system consists of a couple of dozen HISs, Common mode is convenient. However, one or two HISs in a system cannot be switched to Local mode while the system is using Common mode.
Automatic Logout/Screen Lock
[HIS User Group: Automatic User Logout]
If an operator leaves his seat after logging in and no operation is performed on the operator console for the specified time, automatic logout starts: the previously opened operation windows are cleared and the user becomes OFFUSER (the initial user).
OFFUSER has only monitoring privilege and minimum operation rights; however, operations related to plant safety such as emergency shutdown are permitted.
Operations performed by OFFUSER are also subject to the audit trail.
Default: 0 minutes (disables Automatic Logout)
Setting: 1 to 59 minutes (wait time)
[Engineer User Group (System Builders, Recipe Builders and Report Builders): Screen Lock]
If an engineer leaves his seat after logging in and no operation is performed on the engineering station for the specified time, automatic screen lock starts: the current operation windows and status are locked. The same password used at login is required to release the locked screen.
Default: 0 minutes (disables Screen Lock)
Setting: 1 to 59 minutes (wait time)
Account Lockout
If a user account fails to provide the correct password, and so fails authentication, the specified number of times, the logon attempts are treated as an intrusion: a real-time alarm is broadcast to all HISs and the attempts are recorded in the audit trail. At the same time the user account is locked out; the account cannot be used to log on until the system administrator releases the lockout after checking for possible intrusion.
[HIS User Groups]
Default: 0 times (disables the intrusion detector)
Setting: 1 to 10 times (triggers the intrusion alarm and account lockout)
Figure: Security Policy Setting dialog box. Settings shown: Password required for confirmation; Limits the window call at user-out state; Send a notification after N invalid logon attempts (0: no notification; 5 in the figure); Lockout repeatedly denied account; Prompt for changing password every N days (0: no prompt; 60 in the figure); Minimum password length (6 in the figure); Do not use previous password.
[Engineer User Groups (System Builders, Recipe Builders and Report Builders)]
Default: 0 times (disables the intrusion detector)
Setting: 1 to 10 times (triggers the intrusion alarm and account lockout)
Figure: Access Control tab of Access Control Utilities (tabs: General, Electronic Record, Access Control; the Engineers Account File is chosen from an existing file). Settings shown: Notice Consecutive Authentication Failures (times; 0 in the figure); Enable Account Lockout; Computer Name of Notification OPC Server (HIS0164 in the figure; use a semicolon to delimit entries); Password valid period (days; 0 in the figure); Minimum Password Length (characters; 1 in the figure); Do not use previous password; list of passwords that cannot be set (Edit...).
Note: If the computer names of the HISs on which the Exaopc package (NTPF100) is installed are registered, the system alarm is broadcast to all HISs when an authentication failure occurs. This requires at least one HIS with Exaopc installed that can communicate over Ethernet with the PC carrying the engineering, recipe management and report access-control functions, and that HIS must be registered in the project to which the HISs to be notified belong.
Prevent Using Previous Password
When a password reaches its maximum age, a new password must be set, and it must differ from the previous password.
Enforcement of this rule for the four user groups (Operator, Instrumentation Engineer, Recipe Engineer and Reporter) can be enabled or disabled.
Default: Disabled (the previous password can be used again)
(See Figure Access Control Tab of Access Control Utilities)
Minimum Password Length
The minimum number of password characters can be set; a password with fewer characters is not accepted by the system.
[HIS User Group]
Minimum Password Length: 0 to 32 (integer; 0: no minimum length)
(See Figure Security Policy Setting Dialog Box)
[Engineer User Groups (System Builders, Recipe Builders and Report Builders)]
Minimum Password Length: 1 to 32 (integer; default 1, i.e. at least a single-character password is required)
(See Figure Access Control Tab of Access Control Utilities)
Reset Password
If the password for an account is forgotten, the system administrator can reset it. After a reset the account can be logged into by anyone, so the user must set a new password immediately after the reset. For security reasons, great caution must be taken when resetting account passwords.
Confirm with Double Authentication
For critical operations, such as manipulating an important function block on the HIS, the user name and password of a second user, either a colleague operator or a supervisor, are required in addition to those of the current user. The user for double authentication can be any user other than the default users (ENGUSER, ONUSER, OFFUSER) and the current user.
Figure: Confirmation dialog for double authentication. Example: "PIC100 Outside the Set Range OK?" (Reactor Steam Pressure); Name1: TANAKA, Password: ********, Reason: For Summer Operations; Name2: SUZUKI, Password: ********, Reason: Confirmation.
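The signing rules of 11.200(a)(1) from chapter 2 (the first signing of a period of access with both User ID and password, later signings with the password only, automatic logout after inactivity, both components again after any logout) and the double-authentication dialog above, modelled as one small state machine. This is an added example, not Yokogawa code or the HIS implementation: the Session class, the clock passed in as seconds, the verify callback and the constructed credential table with TANAKA and SUZUKI are assumptions of the example.

```python
# Added illustration of the signing rules in 11.200(a)(1) and the double
# authentication dialog, not Yokogawa code. Session, the clock in seconds, the
# verify callback and the credential table below are assumptions of the example.
from dataclasses import dataclass, field
from typing import Callable

OFFUSER = "OFFUSER"                                # user after any logout
DEFAULT_USERS = {"OFFUSER", "ONUSER", "ENGUSER"}   # never valid as confirming user


@dataclass
class Session:
    verify: Callable[[str, str], bool]  # verify(user_id, password) -> bool
    auto_logout_min: int = 10           # 0 disables automatic logout (range 1..59)
    user: str = OFFUSER
    last_activity: float = 0.0
    audit: list = field(default_factory=list)  # (time, user, action, reason)

    def _expire(self, now: float) -> None:
        limit = self.auto_logout_min * 60
        if self.user != OFFUSER and limit and now - self.last_activity >= limit:
            self.audit.append((now, self.user, "automatic logout", ""))
            self.user = OFFUSER

    def login(self, now: float, user_id: str, password: str) -> bool:
        """First signing of a period of access: both components are required."""
        self._expire(now)
        if not self.verify(user_id, password):
            self.audit.append((now, user_id, "logon failed", ""))
            return False
        self.user, self.last_activity = user_id, now
        self.audit.append((now, user_id, "logon", ""))
        return True

    def logout(self, now: float) -> None:
        self.audit.append((now, self.user, "logout", ""))
        self.user = OFFUSER

    def sign(self, now: float, password: str, action: str, reason: str) -> bool:
        """Later signing in the same period: password only, while still logged in."""
        self._expire(now)
        if self.user == OFFUSER or not self.verify(self.user, password):
            self.audit.append((now, self.user, f"{action} refused", reason))
            return False
        self.last_activity = now
        self.audit.append((now, self.user, action, reason))
        return True

    def confirm(self, now, password, user2, pw2, action, reason) -> bool:
        """Critical operation: the current user plus a different, non-default user."""
        self._expire(now)
        if user2 == self.user or user2 in DEFAULT_USERS or not self.verify(user2, pw2):
            self.audit.append((now, self.user, f"{action} refused", reason))
            return False
        return self.sign(now, password, f"{action} confirmed by {user2}", reason)


# Constructed credentials for the example only; the HIS does not store passwords this way.
_CREDENTIALS = {"TANAKA": "summer-2003", "SUZUKI": "reactor!9"}


def demo_verify(user_id: str, password: str) -> bool:
    return _CREDENTIALS.get(user_id) == password


def demo() -> list:
    """One shift: full login, password-only signing, idle timeout, relogin, confirmation."""
    s = Session(verify=demo_verify, auto_logout_min=10)
    s.login(0, "TANAKA", "summer-2003")                                   # both components
    s.sign(120, "summer-2003", "change PIC100.SV", "summer operations")  # password only
    s.sign(800, "summer-2003", "acknowledge alarm", "")                  # idle > 10 min: refused
    s.login(810, "TANAKA", "summer-2003")                                # both components again
    s.confirm(820, "summer-2003", "SUZUKI", "reactor!9", "PIC100 outside set range", "summer operations")
    return [(user, action) for _, user, action, _ in s.audit]
```

Every refused attempt is written to the session's audit list under the user who was current at the time (OFFUSER after a timeout), matching the document's statement that OFFUSER operations are also audited; the demo walks one operator through the full cycle and returns the (user, action) pairs that were recorded.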
Maximum Password Age
A password should be changed after a certain period to improve security. When a Maximum Password Age is set for an account and the password approaches its maximum age, a message prompting the user to change the password is sent 14 days before the password reaches its age.
When a password does reach its maximum age, the account does not become an obsolete account.
Default: 0 days (0 means no limit); setting range: 0 to 1000 days
(See Figure Access Control Tab of Access Control Utilities)
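The registration, lockout, previous-password, minimum-length and password-age rules of section 3.1 collected into one working model, as an added example that is not Yokogawa code. The Policy and Registry classes, the in-memory store, PBKDF2 password hashing, the administrator name ADMIN and the sample user IDs are assumptions of the example; the document does not say how the HIS stores passwords.

```python
# Added illustration of the section 3.1 access-control rules, not Yokogawa code;
# the classes, the in-memory store, PBKDF2 hashing and sample names are assumptions.
import hashlib, hmac, os
from dataclasses import dataclass
from datetime import date, timedelta

MAX_OBSOLETE, WARN_DAYS = 10_000, 14

def _digest(password: str, salt: bytes) -> bytes:
    # Assumed storage scheme; the document does not say how the HIS keeps passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

@dataclass
class Policy:
    lockout_after: int = 5        # 0 disables the intrusion detector (range 1..10)
    min_length: int = 6           # 0 means no minimum (range 0..32)
    max_age_days: int = 60        # 0 means passwords never expire (range 0..1000)
    forbid_previous: bool = True  # "Do not use previous password"

@dataclass
class Account:
    user_id: str
    salt: bytes
    digest: bytes
    set_on: date
    failures: int = 0
    locked: bool = False

    def matches(self, password: str) -> bool:
        return hmac.compare_digest(_digest(password, self.salt), self.digest)

class Registry:
    def __init__(self, policy: Policy, today: date = date(2003, 9, 30)):
        self.policy, self.today = policy, today
        self.accounts: dict[str, Account] = {}
        self.obsolete: set[str] = set()   # removed IDs, kept for ever
        self.audit: list[tuple] = []      # (who, when, what, why)
        self.alarms: list[str] = []       # messages broadcast to every HIS

    def _log(self, who: str, what: str, why: str = "") -> None:
        self.audit.append((who, self.today.isoformat(), what, why))

    def _check_new_password(self, acct, password: str) -> None:
        if len(password) < self.policy.min_length:
            raise ValueError("password shorter than the minimum length")
        if self.policy.forbid_previous and acct is not None and acct.matches(password):
            raise ValueError("the previous password may not be reused")

    def register(self, admin: str, user_id: str, password: str) -> None:
        if user_id in self.accounts or user_id in self.obsolete:
            raise ValueError(f"{user_id}: identical to an active or obsolete ID")
        self._check_new_password(None, password)
        salt = os.urandom(16)
        self.accounts[user_id] = Account(user_id, salt, _digest(password, salt), self.today)
        self._log(admin, f"register {user_id}")

    def remove(self, admin: str, user_id: str, why: str) -> None:
        if len(self.obsolete) >= MAX_OBSOLETE:
            raise ValueError("obsolete-ID table is full; no more accounts can be removed")
        del self.accounts[user_id]
        self.obsolete.add(user_id)  # the ID can never be registered again
        self._log(admin, f"remove {user_id}", why)

    def authenticate(self, user_id: str, password: str) -> bool:
        acct = self.accounts.get(user_id)
        if acct is not None and not acct.locked and acct.matches(password):
            acct.failures = 0
            self._log(user_id, "logon")
            return True
        self._log(user_id, "logon failed")
        if acct is not None and not acct.locked:
            acct.failures += 1
            if self.policy.lockout_after and acct.failures >= self.policy.lockout_after:
                acct.locked = True  # stays locked until an administrator releases it
                self.alarms.append(f"authentication failure: {user_id} locked out")
        return False

    def release_lockout(self, admin: str, user_id: str) -> None:
        acct = self.accounts[user_id]
        acct.locked, acct.failures = False, 0
        self._log(admin, f"release lockout {user_id}")

    def change_password(self, user_id: str, old: str, new: str) -> None:
        acct = self.accounts[user_id]
        if not acct.matches(old):
            raise PermissionError("current password does not match")
        self._check_new_password(acct, new)  # the new password must differ from the current one
        acct.salt = os.urandom(16)
        acct.digest, acct.set_on = _digest(new, acct.salt), self.today
        self._log(user_id, "change password")

    def password_status(self, user_id: str) -> str:
        """'ok', 'warn' (expires within 14 days) or 'expired' (change it now)."""
        if not self.policy.max_age_days:
            return "ok"
        expires = self.accounts[user_id].set_on + timedelta(days=self.policy.max_age_days)
        if self.today >= expires:
            return "expired"
        return "warn" if self.today + timedelta(days=WARN_DAYS) >= expires else "ok"
```

Two details follow the text rather than common practice: a correct password is refused while the account is locked, so the lockout can only be cleared by the administrator's release_lockout, and a removed ID goes into the obsolete set rather than being deleted, so register() rejects it for ever and remove() itself stops once the 10,000-entry obsolete table is full.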
CENTUM Desktop Environment
To prevent operators from using Windows Explorer to access system files directly from the Windows desktop, the CENTUM Desktop environment is provided. CENTUM Desktop not only enhances system security but also prevents accidental mistakes such as deleting useful files.
CENTUM Desktop has the following features:
- Explorer is hidden
- All icons on the desktop are hidden
- No menu pops up on a right mouse click
- The CD-ROM cannot be opened directly
- [Ctrl] + [Alt] + [Del] does not open the Windows Security dialog box, so [Lock Computer], [Shut Down], [Change Password] and [Task Manager] cannot be used
- On the [Start] menu, YOKOGAWA CENTUM is the only program menu; [Programs], [Documents], [Settings], [Search], [Help and Support] and [Run] are not displayed
Figure: CENTUM Desktop. The Start menu shows only the YOKOGAWA CENTUM program menu (HIS Utility, Online Manual, Recipe View, Access Control Utilities, Consolidated Historical Viewer, System View, Logsave, Projectsave, Maintenance, Command Prompt); no items are shown on the desktop.
Automatic Logon
When the PC is powered on, it can log on automatically to the CENTUM environment. Combined with the CENTUM Desktop environment, this prevents the user from accessing files directly through Windows Explorer.
3.2 Audit Trails
Overview of Audit Trails
The operations performed by HIS user group members and engineer group members (such as maintenance operations on builders, recipe maintenance and report generation) are subject to audit trails, and the audit trails are stored as electronic records.
The audit trails contain the who, when, where, what and why of each operation.
The operations performed by system administrators, however, are not subject to audit trails.
With administrator privilege, the stored electronic records of the audit trails can be converted into a generic file format, used to create reports, or archived to external media.
Function                                       HIS User Group                          Engineer User Group (System Builders,
                                               (User Rights/Audit Trails)              Recipe Builders, Report Builders)
                                                                                       (User Rights/Audit Trails)
Option Package                                 Consolidated Historical Message         FDA 21 CFR Part 11 Compliant
                                               (FDA 21 CFR Part 11 Compliant)          Package (PHS5170/LHS5170)
                                               (PHS4200/LHS4200)
Operation Log                                  Supported                               Supported
Audit trails of alarm & message                Supported                               -
acknowledgement operations
Convert to Generic File Format (*1)            Supported                               Supported
Search Audit Trails & Report Generation (*1)   Supported                               Supported
*1: Administrator's privilege is required for this operation.
Main Features
When using the main features, take the following cautions into account.
Audit Trails of Operations
[HIS User Group]
The historical messages of each HIS are recorded on the hard disk of that HIS in FIFO rotation. Audit trail, alarm and event messages are stored on a PC assigned to storing audit trail records, where the records are under comprehensive management.
The PC for storing audit trail records should be a dedicated PC, not an HIS. To prevent data loss from a disk crash, redundant storage and disk backup schedules are necessary.
Note: Archiving from the historical message files is performed at 0:05 am.
Figure: FCS and HISs on V net; the HISs and the PC for storing audit trails on Ethernet. The historical message files of each HIS are collected by the Consolidated Historical Message Package on the audit trail PC, which keeps them under comprehensive management and archives them to external storage.
[Engineer User Groups]
The audit trails of operations on the builders (System Builders, Recipe Builders and Report Builders) are fetched into the assigned folders at the moment the builder contents are downloaded to the target devices. It is recommended to save these logs on a dedicated PC rather than the PC running the engineering builders. If the hard disk runs out of space, downloading fails; in that case a message from the system administrator prompting for a backup may arrive, and the user should follow the instructions in the message and perform the backup manually.
To prevent data loss from a disk crash, redundant storage and disk backup schedules are necessary.
Note: The full disk capacity of the PC storing the audit trails can be used. A disk check is performed immediately before each download and immediately after modifications are saved to the files. If the free disk space is less than the specified threshold, a warning message is displayed in a dialog box.
Audit Trails of Acknowledgement Operations (HIS User Group Only)
The acknowledgement (ACK) operations on alarm and operation guide messages performed on the HIS are recorded in the historical message file.
Convert to Generic File Format
The stored files can be converted into PDF files, a generic file format, which are easier to submit to the authorities and to use as a reference when the system is changed in the future.
Note: Adobe Acrobat 5.0 and Adobe Distiller 5.0 are required.
Search Audit Trails and Create Report
The saved audit trails can be searched by specified categories (date, ID and so on), and the search results can be exported to a PDF file in report format. The report file consists of a cover page and the record pages, all converted into the same PDF file.
Figure: Report File Scheme. A single PDF file made up of a cover page followed by the audit trail log pages (Audit Trail Log 0001, 0002, ...).
Figure: Cover Page Layout (title changeable; Created By; Approved By; Comments) and Figure: A Record Page.
3.3 Report Package PHS6530/LHS6530
With the Report Package (PHS6530/LHS6530), data collected in the HIS, such as process data, trend data and closing data, can be fetched into a Microsoft Excel spreadsheet and exported as reports. When the report package is used in an environment with the FDA 21 CFR Part 11 compliant package (PHS5170/LHS5170), report generation, modification and export are all under access control and subject to audit trails. How to use the report package (PHS6530/LHS6530) in compliance with the FDA 21 CFR Part 11 regulations is explained below.
Export Report Files
A report can be exported as EXCEL, PDF and CSV files when printing; one format or all three can be selected. The format should be chosen according to how the files will be used and the characteristics of each format:
EXCEL format: data in the EXCEL file can be conveniently added or modified.
PDF format: data in the PDF cannot be modified, which prevents forgery.
CSV format: data in multiple files can be cross-referenced for indexing.
In PDF files, data can only be searched within each individual file. CSV files can be merged into one file so that data can be searched across multiple files. A combination of PDF and CSV files is recommended.
Electronic Signatures of Electronic Records
The digital signature capability of Adobe Acrobat products can be used to sign the PDF files, which then serve as the electronic signatures of the electronic records; managing these signatures is left to the customer.
Add or Modify Data in Exported Files
When the report files exported by Batch Report or other automatic export tasks need to be
modified, start the report builder and use the Audit Trail Viewer to open the report
file; after adding or modifying data and saving the file, use Print to export the file again.
Figure Example of System Configuration: the HIS (process data, trend data, closing data, tag information, historical data, batch data) is connected over Ethernet to the PC installed with Report Package (report definition, report print, audit trail management) and to the Audit Trail PC. The report PC exports the report files (PDF, XLS, CSV), saves the report definition files and saves the audit trails about modification of the exported report files. The Audit Trail PC holds the records of audit trails (report audit trail log data) and the database of modified files (modification records database).
Note: If multiple PCs are installed with Report Package (PHS6530/LHS6530), the FDA 21 CFR Part 11 compliant package (PHS5170/LHS5170)
should be installed separately on all the PCs together with the Report Package.
Type of Report
The report package supports the following types of report.
Table Type of Report
Type                                | Service                                                                                        | Data
Hourly Report                       | Print out the process report every hour                                                        | Hourly closing data and trend data
Shift Report                        | Print out the process report every shift (8 hours)                                             | Closing data
Daily Report                        | Print out the process report every day                                                         | Hourly closing data or daily closing data
Weekly Report                       | Print out the process report every week                                                        | Daily closing data
Monthly Report                      | Print out the process report every month                                                       | Daily closing data or monthly closing data
Yearly Report                       | Print out the process report every year                                                        | Monthly closing data
Snapshot Report or On demand report | Print out the instantaneous process variables on demand at any time                            | Snapshot of the process variables
Alarm Report                        | Print out the alarm messages related to the designated time period or designated function block | Alarm event message
Batch Report                        | Print out the messages during the batch operation and the result of the batch process          | Closing data at the time of batch end
4. Time Management of CENTUM CS 1000/CS 3000
4.1 Time Management of a CENTUM CS 1000/CS 3000 Domain
4.1.1 Time Stamp of Audit Trail Record
The time stamp attached to each record of the audit trails must be reliable. CENTUM CS 1000/
CS 3000 has a standard feature that periodically synchronizes the times of all the stations in a
domain on the V net. Since the PC for audit trails is not connected to the V net, the standard
time synchronization is not applied to this PC. Nevertheless, each audit trail record is
time-stamped on the HIS, which is a station in the time synchronization scheme, so the time
stamps of the audit trails are guaranteed to come from a reliable time source.
4.1.2 Time Synchronization Scheme
CENTUM has the capability to synchronize the time of the stations within a domain. The time
synchronization scheme of CENTUM CS 1000/CS 3000 is illustrated in the following figure.
Besides the system clocks, the stations on the V net also have VEHICLE clocks, which are V net
firmware clocks. All the VEHICLE clocks in the same domain are managed together so as to keep
the same clock time.
In each domain, one time master station exists. Since the time master station is assigned
automatically, the user does not need to know which station is the time master. The reference
time is broadcast from the time master station periodically on the network (every 10 seconds). The
VEHICLE clocks in all other stations correct their time based on the reference time sent from
the time master.
Figure Time Synchronization Scheme: the HIS (time master), ENG and FCS on the V net each have a system clock and a VEHICLE clock; the time synchronization service on the HIS sends the time notification over the V net and the VEHICLE clocks of the other stations follow it. The recipe management PC and the audit trail data server are connected over Ethernet only; the synchronized time is stamped on the audit trail record at the HIS. A BCV links the V net to another domain.
TIP
When a station receives the time synchronization signal, the station adjusts its VEHICLE clock according to
the magnitude of the discrepancy.
1) Smoothly Synchronize
When a station receives the time synchronization signal and the time discrepancy is less than
one second, the clock is not adjusted sharply at once but tuned smoothly by only 0.005 ms
(0.05%) at each 10 ms interval.
2) Drastically Synchronize
When a station receives the time synchronization signal and the time discrepancy is greater than
one second, the clock is adjusted drastically to the reference time.
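The two rules above can be put side by side in a small model. The following Python is an added illustration, not Yokogawa's code: it encodes only what the page states (reference broadcast every 10 seconds; a discrepancy under one second slewed by 0.005 ms per 10 ms, i.e. 0.05%; a larger discrepancy stepped at once) and relates it to the 120 seconds/month VEHICLE clock accuracy given in 4.3.2. The treatment of a discrepancy of exactly one second, the 30-day month used to scale the accuracy figure, the function names and the simulation itself are assumptions of this example.

```python
"""Model of the in-domain VEHICLE clock synchronization described in 4.1.2.

Added illustration, not Yokogawa code. The rules are those stated on the page;
the one-second boundary, the 30-day month and the simulation are assumptions.
"""

BROADCAST_INTERVAL_S = 10.0            # reference time broadcast period
STEP_THRESHOLD_S = 1.0                 # assumption: exactly 1 s is treated as "drastic"
SLEW_TICK_S = 0.010                    # smooth mode adjusts every 10 ms ...
SLEW_PER_TICK_S = 0.005e-3             # ... by 0.005 ms per tick
SLEW_RATE = SLEW_PER_TICK_S / SLEW_TICK_S                    # 0.0005, i.e. 0.05 %
MAX_SLEW_PER_BROADCAST_S = SLEW_RATE * BROADCAST_INTERVAL_S  # 5 ms of correction per broadcast
VEHICLE_ACCURACY_S_PER_MONTH = 120.0   # figure from 4.3.2
SECONDS_PER_MONTH = 30 * 86400         # assumption: 30-day month


def sync_mode(discrepancy_s: float) -> str:
    """Which rule applies to a discrepancy: 'smooth' (slew) or 'drastic' (step)."""
    return "smooth" if abs(discrepancy_s) < STEP_THRESHOLD_S else "drastic"


def smooth_convergence_time_s(discrepancy_s: float) -> float:
    """Seconds of slewing needed to remove a sub-second discrepancy (drift ignored)."""
    if sync_mode(discrepancy_s) != "smooth":
        raise ValueError("discrepancy would be stepped, not slewed")
    return abs(discrepancy_s) / SLEW_RATE


def drift_per_broadcast_s() -> float:
    """Worst-case VEHICLE clock drift accumulated between two broadcasts."""
    return VEHICLE_ACCURACY_S_PER_MONTH / SECONDS_PER_MONTH * BROADCAST_INTERVAL_S


def smooth_mode_keeps_up() -> bool:
    """True if one interval of slewing outpaces the drift accumulated in that interval,
    so a healthy station never falls back to the drastic (stepping) rule."""
    return drift_per_broadcast_s() < MAX_SLEW_PER_BROADCAST_S


def simulate_offsets(initial_offset_s, broadcasts, drift_per_broadcast=0.0):
    """Offset of a station clock from the reference after each broadcast.

    Returns (offsets, modes). A positive offset means the station runs ahead.
    """
    offset = initial_offset_s
    offsets, modes = [], []
    for _ in range(broadcasts):
        mode = sync_mode(offset)
        if mode == "drastic":
            offset = 0.0                              # stepped straight to the reference
        else:
            correction = max(-MAX_SLEW_PER_BROADCAST_S,
                             min(MAX_SLEW_PER_BROADCAST_S, offset))
            offset -= correction                      # slewed, at most 5 ms per interval
        offset += drift_per_broadcast                 # free-running drift until next broadcast
        offsets.append(offset)
        modes.append(mode)
    return offsets, modes


if __name__ == "__main__":
    print("0.5 s discrepancy slews out in", smooth_convergence_time_s(0.5), "s")
    print("drift per broadcast:", drift_per_broadcast_s(), "s;",
          "smooth mode keeps up:", smooth_mode_keeps_up())
    print(simulate_offsets(0.02, 5))
    print(simulate_offsets(3.0, 2))
```

The point worth noticing is the ratio: a 0.5 s discrepancy takes about 1000 s to slew out, whereas the drift between two broadcasts is well under a millisecond, so a station that is merely drifting stays in smooth mode and its audit trail time stamps never jump. A station that needs the drastic rule has either just started or been set by hand, which is exactly the event 4.1.4 describes.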
4.1.3 System Clock and VEHICLE Clock
For the stations in a domain, the time of the VEHICLE clock takes higher priority. All stations
check the discrepancy between their system clock and VEHICLE clock, and adjust the system clock
in accordance with the time of the VEHICLE clock.
4.1.4 Cautions
In a control system, the first HIS that completes startup automatically becomes the time
master station. If the VEHICLE clock in a HIS is manually adjusted, that HIS becomes the time
master station.
In any case, if the time master station fails, another HIS automatically takes over. The user does not
need to know which HIS has become the time master station.
The time of the VEHICLE clock in a HIS is the reference time of that HIS. Changing the system time
from the Control Panel is meaningless; it is necessary to adjust the VEHICLE time on the
HIS Setup window.
4.1.5 Time Synchronization of Others
In a system compliant with the FDA 21 CFR Part 11 regulations, besides the HIS stations, there
are other stations such as the PC for the engineering builders, which is connected to the V net, and
the PCs with the recipe builders, report package or consolidated historical message package, which are not
connected to the V net.
For the audit trails, however, the system clocks in these stations also need to be synchronized.
The synchronization methods are described in the table below.
Function                                                      | Installed in HIS                                    | Installed Separately
V net Connected: Engineering Builders (System Builders)       | Adjust automatically (synchronized with VEHICLE clock) | Adjust manually, or use the time synchronization option program
V net Not Connected: Recipe Builders                          | Adjust automatically (synchronized with VEHICLE clock) | Adjust manually
V net Not Connected: Report Package                           | In general, cannot be installed in HIS              | Adjust manually
V net Not Connected: Consolidated Historical Message          | In general, cannot be installed in HIS              | Adjust manually
1) Time Synchronization of Engineering Builders
The standard package of the engineering builders does not contain the option program for time
synchronization with the VEHICLE clock of the V net. Though the VEHICLE clock in the PC is synchronized
with the other stations on the same V net, the system clock of the PC, which is the clock shown on the
GUI, does not synchronize with the VEHICLE clock. An option program is required for time
synchronization between the engineering station and the operator consoles. Users who need to install the
option program should contact Yokogawa sales agents.
2) Time Synchronization of the Stations Not Connected to the V Net
Time synchronization of the stations not connected to the V net cannot be performed automatically.
Thus it becomes necessary to adjust the system clock manually on the following PCs.
PC Installed with Recipe Builders
The audit trails of the recipe builders carry the time stamps of the system clock
in the local PC.
PC Installed with Report Package
The time stamps of the reports are the time of the system clock in the local PC.
PC Installed with Consolidated Historical Message Package
The time stamps of processes such as printing out are the time of the system clock in
the local PC.
4.2 Time Synchronization Across Domains
In a CENTUM CS 1000/CS 3000 control system that contains multiple domains, the bus
converter (BCV) placed to link the domains has a time synchronization capability that synchronizes
the clocks of the multiple domains. The time synchronization performed by the BCV consists of
two actions, time notification and time synchronization.
4.2.1 Time Notification
The BCV passes a time adjustment from one domain to the other. When the clock of a HIS in a
domain is adjusted in the HIS clock dialog box, the BCV notifies the new time to all the other domains.
4.2.2 Time Synchronization Between Domains
The BCV scans the time difference between the linked domains periodically, every two minutes. The
time of one domain is used as the reference time; when the time difference of the other domain is
greater than 5 seconds and persists for two consecutive scans, the BCV synchronizes the clocks
of the domains to the reference time.
Figure BCV Time Synchronization Scheme: 1) Time Notification: when a HIS clock in one V net domain is adjusted, the BCV notifies the adjusted time to the HIS in the other V net domain. 2) Time Synchronization: the BCV takes the time of one domain as the reference time and adjusts the time of the other domain to it.
4.2.3 BCV Settings
With two option boxes on the BCV builder, which domain's time is the reference time and in which direction
the time notification is performed can be defined, giving 4 patterns of BCV behavior.
Pattern 1
No option is checked.
No time synchronization between domains.
Pattern 2
[Transfer Lower] is checked.
The upper domain has the reference time. The lower domain clock is adjusted.
Pattern 3
[Transfer Upper] is checked.
The lower domain has the reference time. The upper domain clock is adjusted.
Pattern 4
Both [Transfer Upper] and [Transfer Lower] are checked.
Time notification is sent in both directions when either an upper domain clock or a lower domain
clock is manually adjusted. However, the upper domain time is the reference time for time
synchronization.
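The scan rule of 4.2.2 and the four patterns of 4.2.3 together decide which domain's clock moves and when. The following Python is an added illustration, not Yokogawa's code; it encodes only the published behaviour (a scan every two minutes, action when the difference exceeds 5 seconds on two consecutive scans, and the reference domain and notification direction of each pattern). The class and method names, the treatment of a single in-range scan as resetting the count, and the audit log kept of every adjustment are assumptions of this example.

```python
"""Model of the BCV cross-domain time synchronization in 4.2.2 and 4.2.3.

Added illustration, not Yokogawa code. Names, the count-reset rule and the
audit log are assumptions of this example.
"""
from dataclasses import dataclass, field
from typing import Optional

SCAN_INTERVAL_S = 120          # BCV scans the domain time difference every two minutes
SYNC_THRESHOLD_S = 5.0         # difference must be greater than 5 seconds ...
CONSECUTIVE_SCANS = 2          # ... on two consecutive scans before the BCV acts


@dataclass(frozen=True)
class BcvSettings:
    """The two option boxes on the BCV builder."""
    transfer_upper: bool = False   # [Transfer Upper]
    transfer_lower: bool = False   # [Transfer Lower]

    def pattern(self) -> int:
        """Pattern number 1..4 as listed on the page."""
        if not self.transfer_upper and not self.transfer_lower:
            return 1
        if self.transfer_lower and not self.transfer_upper:
            return 2
        if self.transfer_upper and not self.transfer_lower:
            return 3
        return 4

    def reference_domain(self) -> Optional[str]:
        """Domain whose time is the reference for time synchronization (None: no sync)."""
        return {1: None, 2: "upper", 3: "lower", 4: "upper"}[self.pattern()]

    def notification_targets(self, adjusted_domain: str) -> list:
        """Domains notified when a HIS clock in `adjusted_domain` is set manually."""
        targets = []
        if adjusted_domain == "upper" and self.transfer_lower:
            targets.append("lower")
        if adjusted_domain == "lower" and self.transfer_upper:
            targets.append("upper")
        return targets


@dataclass
class Bcv:
    settings: BcvSettings
    over_threshold_scans: int = 0
    audit_log: list = field(default_factory=list)   # assumption: record of every adjustment

    def scan(self, upper_time_s: float, lower_time_s: float) -> Optional[tuple]:
        """One periodic scan. Returns (domain_to_adjust, new_time) when the BCV
        synchronizes, otherwise None."""
        reference = self.settings.reference_domain()
        if reference is None:
            return None
        if abs(upper_time_s - lower_time_s) > SYNC_THRESHOLD_S:
            self.over_threshold_scans += 1
        else:
            self.over_threshold_scans = 0       # assumption: one in-range scan resets the count
            return None
        if self.over_threshold_scans < CONSECUTIVE_SCANS:
            return None
        self.over_threshold_scans = 0
        action = ("lower", upper_time_s) if reference == "upper" else ("upper", lower_time_s)
        # An adjustment shifts every time stamp taken in that domain afterwards,
        # so it is the kind of event an audit trail reviewer wants on record.
        self.audit_log.append({"adjusted": action[0], "reference": reference,
                               "upper_time": upper_time_s, "lower_time": lower_time_s})
        return action


if __name__ == "__main__":
    bcv = Bcv(BcvSettings(transfer_lower=True))   # pattern 2: upper domain is the reference
    print(bcv.scan(1000.0, 990.0))                # None: first scan over the threshold
    print(bcv.scan(1120.0, 1110.0))               # ('lower', 1120.0): second consecutive scan
    print(bcv.audit_log)
```

Two consequences of the published rule are visible in the model: a transient difference seen on one scan only never causes an adjustment, and in pattern 4 a manual change on either side is propagated by notification while periodic synchronization still pulls the lower domain toward the upper one.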
4.3 Time Related Notices
4.3.1 Summer Time
Summer time affects only the appearance of the displayed time; the data inside CENTUM are not
affected by summer time.
However, the schedulers are based on the system clock. When summer time begins, the
system clock jumps forward by one hour; conversely, when summer time ends, the system clock
jumps backward by one hour. If a task is scheduled to start in the skipped hour, the task may not
be started when the system clock jumps forward, or the task may start twice when the system clock
jumps backward. The problem can be avoided by refraining from setting scheduler times in the hours
affected by the jump (1:00 am to 3:00 am).
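The skipped and repeated hours can be counted directly by walking a system clock through a transition day. The following Python is an added illustration, not Yokogawa's code, and the two transitions in it (02:00 to 03:00 when summer time starts, 03:00 to 02:00 when it ends) are constructed for the example rather than taken from any real time zone rule; the scheduler is modelled simply as firing whenever the system clock reads the scheduled minute.

```python
"""Why a scheduler tied to the system clock misbehaves at a summer time jump (4.3.1).

Added illustration, not Yokogawa code. The transitions are constructed, not
real time zone rules.
"""
from dataclasses import dataclass

MINUTES_PER_DAY = 24 * 60


@dataclass(frozen=True)
class ClockJump:
    """At system clock reading `at_minute` (minute of day) the clock jumps by `delta_minutes`."""
    at_minute: int
    delta_minutes: int


SUMMER_TIME_STARTS = ClockJump(at_minute=2 * 60, delta_minutes=+60)   # constructed: 02:00 -> 03:00
SUMMER_TIME_ENDS = ClockJump(at_minute=3 * 60, delta_minutes=-60)     # constructed: 03:00 -> 02:00


def wall_clock_readings(jump: ClockJump):
    """System clock reading (minute of day) for every real minute of the transition day.

    The day has 23 real hours when the clock jumps forward and 25 when it jumps back.
    """
    real_minutes = MINUTES_PER_DAY - jump.delta_minutes
    for elapsed in range(real_minutes):
        yield elapsed if elapsed < jump.at_minute else elapsed + jump.delta_minutes


def count_task_starts(scheduled_hhmm: str, jump: ClockJump) -> int:
    """How many times a task scheduled at HH:MM starts on the transition day."""
    hours, minutes = (int(part) for part in scheduled_hhmm.split(":"))
    target = hours * 60 + minutes
    return sum(1 for reading in wall_clock_readings(jump) if reading == target)


def problem_hours(jumps=(SUMMER_TIME_STARTS, SUMMER_TIME_ENDS)) -> list:
    """Whole hours at which a task would be skipped or duplicated under any of the jumps."""
    return [h for h in range(24)
            if any(count_task_starts(f"{h:02d}:00", jump) != 1 for jump in jumps)]


def in_avoid_window(scheduled_hhmm: str, start_hour: int = 1, end_hour: int = 3) -> bool:
    """True if the time falls in the 1:00 am to 3:00 am window the page says to avoid
    (start inclusive, end exclusive)."""
    hours, minutes = (int(part) for part in scheduled_hhmm.split(":"))
    return start_hour * 60 <= hours * 60 + minutes < end_hour * 60


if __name__ == "__main__":
    for hhmm in ("02:30", "04:00"):
        print(hhmm, "starts", count_task_starts(hhmm, SUMMER_TIME_STARTS),
              "time(s) when the clock jumps forward and",
              count_task_starts(hhmm, SUMMER_TIME_ENDS), "time(s) when it jumps back")
    print("hours to avoid in this model:", problem_hours())
```

With these constructed transitions the model flags only the jumped hour itself; the wider 1:00 am to 3:00 am window the page recommends leaves a margin around it, which is the safer choice when the exact local transition time is not fixed.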
4.3.2 Accuracy of VEHICLE Clock
The accuracy of VEHICLE clock is 120 seconds/month.
4.3.3 Time Synchronization with Exaquantum
An Exaopc station has the same type of VEHICLE clock and time synchronization program
as a HIS, so the clock of the Exaopc station is also synchronized. An Exaquantum station can
synchronize its clock with either a HIS or an Exaopc station. Thus the time synchronization covers
the whole project, including the Exaquantum station. The interval for time synchronization between
the Exaquantum station and the HIS or Exaopc station is set on Exaquantum; the default setting is every 10
minutes.
Inside Exaquantum, the internal data use UTC (Coordinated Universal Time), so the data
are not affected by summer time.
Figure Time Synchronization with Exaquantum: the HIS (time master), the Exaopc station and the FCS on the V net each have a system clock and a VEHICLE clock, kept in step by the time synchronization service and the time notification over the V net; the Exaquantum station, connected over Ethernet, synchronizes its system clock with the Exaopc station.
4.3.4 Time Synchronization with External Clock
As described in the previous sections, the time synchronization within a V net domain is based
on the reference time of the time master station. However, the time synchronization can also be
performed in accordance with an external reference time.
The external reference time can be received on either a HIS or an FCS. When using a HIS to receive an
external time signal, an option program is required.
1) Using FCS to Get External Time Signal
Link an external time signal to the FCS; the FCS sends a %M3 message to the HIS, and a program in the
HIS can adjust the HIS clock in accordance with the time signal.
Figure Using FCS to Get External Time Signal: the external clock is wired to the FCS as a contact input; the FCS sends a %M3 message over the V net to the HIS (time master), where an option program adjusts the system clock and the time synchronization service carries the system clock into the VEHICLE clock; the time notification then distributes the time to the other HIS.
2) Using HIS to Get External Time Signal
Link an external time signal to the HIS; a program in the HIS can adjust the HIS clock in accordance with
the time signal.
Figure Using HIS to Get External Time Signal: the external clock is wired to the HIS (time master) as a contact input; an option program on that HIS adjusts the system clock, the time synchronization service carries the system clock into the VEHICLE clock, and the time notification over the V net distributes the time to the other HIS and the FCS.
Revision Information
Title: CENTUM CS 1000/CS 3000 Yokogawa's Approach to meeting FDA 21 CFR Part 11
Manual No.: TI 33Q01A61-01E
Feb. 2002/1st Edition
Newly published
May 2002/2nd Edition
Overall revision
Sep. 2003/3rd Edition
Overall revision
Written by Yokogawa Electric Corporation
Published by Yokogawa Electric Corporation
2-9-32 Nakacho, Musashino-shi, Tokyo 180-8750, JAPAN
Printed by KOHOKU PUBLISHING & PRINTING INC.
Subject to change without notice.