Our company manufactures complex scientific instruments (mass spectrometers) and I lead the team that develops the desktop software used to control them. We sell around the world and are starting to get asked more and more about 21 CFR 11 by our biopharma customers. I'm struggling a little to understand what we'll need to do with our software as most articles are quite generalised and only mention broad headings such as user authentication, audit trails, data export, electronic signatures. (The cynic in me says this is intentional, to offload the work to external consultants!).
Some background: our machines are designed to analyse materials by breaking them down into their chemical components, which the instrument then detects. Our software records this large amount of data over a period of time, typically saving it to file for later "processing". A separate software package is then used to analyse the data and produce various reports.
Our instruments are complex beasts, consisting of dozens of hardware components (pumps, sensors, valves, etc), all of which are configured within the software to achieve optimum results when collecting data.
Regarding 21 CFR, one topic I'm unsure of is "auditing", which suggests that we have to record every change made in the software (including a reason for that change). This isn't practical/feasible for us, as customers can spend hours each day tuning these machines, changing dozens of settings, sometimes on a sub-second basis. As far as 21 CFR is concerned, I'm assuming that it really needs to know how the instrument was configured when a particular data set was recorded, therefore would it be sufficient to take a "snapshot" of all settings at the point in time when the user processed that sample?
In most cases, the collected data is saved to text files, so this obviously needs to change as they are open to tampering. Is it acceptable to use (say) encryption or binary files instead?
Our software already has user authentication, so I think that part of 21 CFR is covered.
Finally, regarding "electronic signatures" ("A piece of data logically associated with another data, used by the signatory to sign the associated data"): we know which user was signed-in when a particular data set was acquired, so is it sufficient to record their username in the data file - i.e. is that an acceptable "digital signature" (assuming the file can't be tampered with)?