
The world leader in serving science
Using Chromeleon 7.3 CDS to comply with regulations

4
Data
Technical Controls
Procedural Controls
Qualification
• Compliance layers
• Compliance must be combination of technical and procedural controls
Built for Compliance
Data
Technical Controls
Procedural Controls
Qualification

5
• Software must be capable of 21 CFR Part 11 compliance
• Compliance can be considered
in four categories:
• Security
• Access control and data security
• Record Management
• All data stored, controlled
and archived
• Audit Trails
• Traceability of all actions in CDS
• No loss of productivity
• Qualification
• Verify correct performance
• Time/costs must be minimized
Built for Compliance

6
• Multiple levels of access security
Built for Compliance – Security
Data Vault
Data Vault
Service
Raw Data Files
SQL Server
or Oracle
Database
User
Management
Service
License Service
Local System/IT Administrator
User Database
License File
Instrument
Controller
Instrument
Configuration
Scheduler
Windows User
Chromeleon CDS User
Chromeleon CDS Administrator
Chromeleon CDS Super User
Increasing security
Instrument
Configuration
Manager
Administration
Console
Console &
Studio
Relational
database

7
• Comprehensive user management
• Create unlimited users, roles and
access groups
• Role is collection of privileges
• Defines what user can and cannot do
• User can be assigned different roles
• At login can choose an assigned role
• Access and roles can be controlled at
every level
• Data Vault, Folder, Instrument
Built for Compliance – Security

8
• Data security
• No loss of data and 24/7 lab uptime with
Network Failure Protection (NFP)
• License and User Management information cached locally
• Instrument and user licenses always available
• Users can always logon and continue to work
• XVault technology ensures continuous operation
• NFP mode automatically enabled at network failure
• Uninterrupted data acquisition
• After network recovery, data automatically uploaded to central server
• User can log on to instrument controller to view and edit running queue,
submit new analyses, process and report data
• User management active to ensure data security
• All information and actions are audited and traceable to protect data integrity
Built for Compliance – Security
Network
Data Vault
Chromeleon CDS
Workstation
Instrument
Controller

9
• Flexible data organization options
• Integrated electronic signature functions
• Automatic scheduler tool for archiving
• Exporting in FDA-approved formats
Built for Compliance – Record Management

10
Flexible Data Organization
• Data Vault concept
• Mount multiple Data Vaults
• Local, regional and/or global
• Mount Chromeleon 6 CDS
Datasources
• Controlled access
• Flexible folder structure
• Can organize by anything, e.g.
project, location, date, user,
instrument, etc.
• Controlled access
Built for Compliance – Record Management
Flexible folder structure

11
Electronic Signatures
• 3 Levels of signature Submit, Review, Approve
• Applied to electronic report
• Complete sequence protected by checksums
• Controlled by privileges
Built for Compliance – Record Management

12
Built for Compliance – Record Management
Scheduler for Automatic Archiving
• Automatically move data by combining powerful injection queries with the Scheduler
• Easily organize your system

13
Exporting
• Chromeleon CDS provides automatic printing or
exporting of sequence results with just two clicks
• Print or export results in various formats, e.g.
• PDF or spreadsheet for client
• Result export as text or GAML file for LIMS
• Multiple output formats for all purposes
• Text (TXT, CSV)
• Excel (XLS)
• Portable document format (PDF)
• Generalized Analytical Markup Language (GAML)
• AnDI/NetCDF (CDF)
• Raw File (RAW)
• Chromeleon Data File (CMBX)
Built for Compliance – Record Management

14
• Qualification vs. validation
• Qualification – prove and document that systems are
properly installed, work correctly, and comply with
specified requirements
• Directly related to equipment, systems or software
• Validation – document evidence that assures a process
will consistently produce results within specifications
• Directly related to the process
• Qualification is part of validation
• Regulatory agencies take view that end-users of CDS are
responsible for its qualification and validation
Built for Compliance – Qualification
Quality is not an act; it is a habit.
— Aristotle

15
Built for Compliance – Qualification
• Deliverables
• IQ plan, test scripts, report
• Functional Requirement Specifications
• System Configuration Document
• Project Plan
• Validation Plan
• OQ plan, test scripts (i.e. val kit), report
• User Requirement Specification
• PQ plan, tests, report
• Traceability Matrix
• Validation Report
ResponsibilityType
Qualification
Validation
Validation
Validation
Validation
Qualification
Validation
Qualification
Validation
Validation

16
• Chromeleon CDS provides complete set of qualification procedures
• Certificate of Validation
• Automated Software IQ and OQ
• Automated Instrument IQ, OQ and PQ
• Automated System Suitability Testing
Built for Compliance – Qualification
• Qualification processes are fully automated
• Occasional, minor manual interaction for instrument IQ/OQ
(e.g. pump priming)
• Qualification can be performed in as short a time as possible
• All processes are available as standard
• Requalification can be performed by the customer
• Ensures down time and cost is kept to a minimum

18
• What is “data integrity”?
• Completeness, consistency, and accuracy of data
Built for Data Integrity
Attributable
•Who did what,
when?
Legible
•Readable
throughout
lifecycle
Contemporaneous
•Recorded at time of
activity
Original
•Original record or
certified copy
Accurate
•Data with no
errors or
undocumented
editing
Complete
•All data including
repeat or reanalysis
Consistent
•Date/time stamped
in expected
sequence
Enduring
•Recorded in
enduring media
throughout lifecycle
Available
•Accessible for
review/audit
throughout lifecycle
ALCOA+

19
Built for Data Integrity
Data Integrity and Compliance
with Drug CGMP
• Data integrity for electronic records is not new

20
Built for Data Integrity
• Data integrity guidelines 2015 & 2016 from FDA, MHRA, CFDA & PIC/S
• Clarifies role of data integrity in current good manufacturing practice
(CGMP) for drugs
• Contains current thinking on creation and handling of data in
accordance with CGMP requirements
• FDA data integrity guidelines Dec 2018
• Introduces need for regular audit trail reviews
• US Food & Drug Administration (FDA)
• International Society for Pharmaceutical Engineering (ISPE)
• Medicines and Healthcare Products Regulatory Agency (MHRA)
• European Medicines Agency
• China Food and Drug Administration (CFDA)
• World Health Organization (WHO)
• International Council for Harmonisation of Technical Requirements for
Pharmaceuticals for Human Use (ICH)
• Pharmaceutical Inspection Co-operation Scheme (PIC/S)

21
Audit Trails
• What is an audit trail?
• “Secure, computer-generated, time-stamped
electronic record that allows for reconstruction
of events relating to creation, modification, or
deletion of an electronic record.”
• “Electronic audit trails include those that
track creation, modification, or deletion of data
and those that track actions at the record or
system level.”
The chronology of “who did what,
when, and why” of a record
Built for Data Integrity
• Audit trails are critical requirement of
electronic record regulations
• Enable detection of non-desirable activity
• Provide tool that influences users’ behavior
• Ensure data integrity
• Regulators use audit trails to review
trustworthiness of presented data
• They are aware of available audit trails and
expect to see them:
• Enabled
• Configured correctly
• Part of data review or periodic review cycle

22
• Chromeleon CDS version 7.2 already introduced many
compliance features to capture the ‘who, what, when
and why’
• 11 audit trailed areas
• Comprehensive user management
• Privileged Actions
• Version comparison with roll back
• Read-only Studio viewer
Built for Data Integrity

23
• Audit Trails
• Chromeleon CDS provides industry-leading
audit trails
• 11 audit trailed areas
• 3 main audit trails
• Instrument
• Data
• Administration
• All audit trails can be stored and
managed centrally in Chromeleon CDS
Built for Data Integrity
Instrument
Injection
Instrument
Config
Data
User
Administration
Station
Domain
Data Vault
eWorkflows
Org
Units
Global
Policies
Instrument
Data

24
• Audit Trails
• Chromeleon CDS provides industry-leading
audit trails
• 11 audit trailed areas
• 3 main audit trails
• Instrument
• Data
• Administration
• All audit trails can be stored and
managed centrally in Chromeleon CDS
Built for Data Integrity
Instrument
Data
Administration

25
Built for Data Integrity
• Data Audit Trail
• Log of all changes within Data Vault
• Separate audit trail maintained per Data
Vault and per data object, e.g., folder,
sequence, injection, etc.
• Injection audit trail logs all information
recorded for a specific injection
• Stored with & locked to raw data

26
Built for Data Integrity
• Instrument Audit Trail
• Daily event log per instrument
• Records all instrument operation events, e.g.,
system events, pre-run settings, commands
and errors
• Log of changes to instrument configuration

27
Built for Data Integrity
• Administrative Audit Trails
• Domain Resources
• Data Vault Manager
• eWorkflow Tags
• Station
• Global Policies
• Organizational Units

28
Privileged Actions
• Require authorization for specified actions
• Ensure users add appropriate comments for specified actions – enforcing the “why?”
• Use standardized comments or free entry
Built for Data Integrity

29
Version Comparison with Roll Back
• Show Changes
• View two object versions side by side
• Changes in objects easily identified
by symbols
• Restore
• In Data Audit Trail can roll back to
previous object version
• Restore is not permanent until saved
• Save creates new version
Built for Data Integrity
Change
Addition
Deletion

30
Built for Data Integrity
Read-only Studio Viewer
• Studio
• View object version in a read-only
Chromatography Studio session
• Selected item (e.g., injection, chromatogram,
Processing Method, Instrument Method,
Report Template, etc.) is automatically opened
in a read-only Studio window

31
Built for Data Integrity
• Selected version of sequence shown
in caption
• Easy visual comparison of results
• All sequence objects are read-only
except View Settings
• View Settings can be changed but
not saved
• Allows secure data review with zooming,
changing panes, resizing, etc.

32
Different Verisons
Different Versions
Built for Data Integrity
Identify Changes
Identify Differences
Read Only
• Open multiple read-only Studio sessions to compare different versions

33
Built for Data Integrity
• Compliant customers need to prove (regular) audit trail reviews
• Chromeleon 7.3 software provides framework
• Configurable Audit Trail Events to highlight specific use cases
• Connects Data, Instrument and Admin audit trails
• Workflows to search and report Audit Trail Events

34
• Audit Trail Events (ATE) configured in Admin Console (global policy)
• When new sequence created, ATE configuration is copied to sequence as read only. From that
point, sequence defines which ATE are recorded and which not
Built for Data Integrity

35
• ATE recorded in Data Audit Trail of Sequence
• Every Data Audit Trail record may have one or more events
Built for Data Integrity

36
Built for Data Integrity
• Audit Trail Query capability
• Executed via database Query
• Faster than normal Query
• Will also search for ATE

37
• Two report tables
• Configured ATE in sequence – shows which ATE were configured or not
• Recorded ATE in sequence – shows which events did and did not occur
• Option to show details of changes – old and new values
• Can be embedded in printouts / electronic reports
Built for Data Integrity

39
Chromeleon CDS – Making Compliance Easier
Chromeleon CDS Delivers Ease of Compliance
and Chromeleon CDS has passed 1000’s of regulatory audits
Easy demonstration of
compliance during audits
Audit trails with Query
Version comparison
Audit Trail Events
Advanced reporting tools
Effective monitoring to
enhance behavior
Easy data review with
sequence-centered structure
Injection & audit trail queries
to detect potential issues
Login & logout auditing
Monitoring
Adherence
Comprehensive set of tools
Easy, centralized administration
User Management with reduced
admin settings
Electronic Reports
and Signatures
Technical
Controls
Technical
Controls
Demonstration
of Compliance

40
For more information on Chromeleon CDS software visit:
thermofisher.com/chromeleon
Like Charlie Chromeleon on Facebook to follow
his travels and get important updates on
chromatography software!
Join the LinkedIn customer forum to discuss
Chromeleon CDS with us and your industry peers.
Facebook.com/CharlieLovesChromatography Chromeleon CDS User Group