Part 11 Compatibility provides an audit ready trail of data origination. This includes—device information (measurement values/time of measurement), importation time of the data in the system(device -> Aqualink) and any modifications made to the record after importing it to Aqualink.
Decagon designed AquaLink Part 11 as a compliant and compatible system with minimal frustration for the end user.
User Access
Part 11 Compatibility requires restricted access to the software. The software administrator can accomplish this through the "NonAqualinkUser" windows group membership to prevent specific users from access. All Guests are automatically prohibited from using the software. A guest includes any user who is named "Guest" and is a member solely of the "Guests" User group or any User account that has no password protection.
Data Integrity
AquaLink Part 11 stores all data in a secure AES encrypted database. Redundancy CRC checks to ensure that no data has been tampered with and will engage system level logging for major events (Install/Setup/Rollback/Bad Password). The AquaLink 4 software requires a password entry on software start.
Take advantage of operating system security and domains
AquaLink4 makes efficient use of the security features built into the underlying Windows operating systems. For Part 11 compliance, all computers in a closed system must be part of the same Windows domain. All AquaLink4 computers must run Windows XP or Windows 7. Windows XP and Windows 7 encrypt passwords using the operating system’s built-in encryption mechanism.
Restrict access to the application
Use AquaLink 4 Part 11 to manage and view data you collected with Decagon’s AquaLab line of products. The Administrator can apply security parameters to the application through the standard Windows User Environment. To restrict users from making unauthorized changes, we recommended that Administrators restrict access to users that have the verified security credentials.
Use Windows account password aging and management
User account, password management, and password aging are done using Windows User Management. User accounts and passwords should be set up to expire after a certain time, to lockout after multiple failed login attempts, and to re-prompt users for their login credentials after brief periods of inactivity. This information is usually part of a comprehensive corporate IT department Standard Operating Procedure, or SOP. For more information, refer to the Windows documentation.
Users log on requirements for the AquaLink4 Part 11 Environment
Each user must log onto the Windows 7 or XP computer at the start of their session, and log out when they are done. In addition you will be prompted for your current user password each time you open AquaLink. Three invalid password entries will lock the system and prevent access to Windows.
Where possible, Administrators should require operators to log completely off Windows when not physically at the station. Administrators should not allow anyone else to perform operations using their user name and password. If it is necessary for a supervisor to perform or approve certain operations, the operator should log off Windows, and the supervisor should log on.
In order to be permitted to use AquaLink4 Part 11, the windows user account must meet all of bullets in the list.
Note: Admin accounts must not be a Windows guest account, or an account that is a member of the "guests."
-
Windows user group, and no other groups.
-
Must not be a member of the Windows group "NonAqualinkUser."
-
Must have a password associated with the account for Electronic Record (Data) Security.
-
All core data is encrypted using 128 bit AES encryption.
-
Create hash value (fingerprint) for each file that contains or affects acquired data.
-
All hash values are stored in a table and encrypted (128-bit encryption scheme).
-
Data verification program to ensure data bundles cannot be tampered with (even outside of the secured environment).
-
Full audit logs available for tracking data history.
-
Print verified reports that uniquely identify data sequences.
-
Generate PDFs that can be digitally signed by the operator(s).
Remember, no software package can enforce Part 11 Compliance; It can only be Part 11 compatible. It is up to the end user to set up an entire Part 11 compliant system. To view the audit trail of any data in the system, use your mouse to select blocks of data from the table view and select the appropriate audit history option from the context menu.
When exporting data from AquaLink 4 Part 11, you will export a PDF report by default. You can choose to export as an Excel file, however Excel files are not part 11 compatible and should only be used for unsecured data analysis.
Windows System Log Events
Several Events within the AquaLink 4 Part 11 system generate entries to the system (Windows) log for administrators to review later. This section will contain a brief explanation of the various events generated by AquaLink 4 Part11. All events will be found in the Windows Event Viewer under Windows Logs/Application. All events will have an event source of "AquaLink4".
| Event Type | Event | Code Description |
|---|---|---|
Rollback |
48045 |
An admin has rolled a corrupted database back to a good database |
Rollback |
47826 |
A user has done a minor rollback due to corrupted data |
Information |
47827 |
A user or admin has been notified of a corrupted database |
Information |
2989 |
First Start. AquaLink 4 first time starting on this system |
Information |
4013 |
User management performed by admin |
Warning |
51966 |
Bad login attempt detected {allows three attempts} |
Error |
57005 |
User locked out due to too many attempts with a bad password |
The interface that collects data from the AquaLab Water Activity instruments needs to have the necessary elements for CFR Part 11 compliance. This includes locking out data manipulation, administrator settings, and the ability to restrict users.
If CFR Part 11 compliance is not activated, the user should be able to enter an annotation to data downloaded from the instrument.
Redundancy Checks
AquaLink 4 operate on bit changes to inform it of any changes to data and if any data has changed the system will notify the operator. Administrators can look into the Event Viewer, for warnings, information, and errors about data changes. However, access should be restricted as the average user does not need to look at events and only the administrator should have access to the system logs.