Using Electronic Signatures
The information contained in this manual is believed to be accurate and reliable. However, GE Intelligent Platforms,
Inc. assumes no responsibilities for any errors, omissions or inaccuracies whatsoever. Without limiting the foregoing,
GE Intelligent Platforms, Inc. disclaims any and all warranties, expressed or implied, including the warranty of
merchantability and fitness for a particular purpose, with respect to the information contained in this manual and the
equipment or software described herein. The entire risk as to the quality and performance of such information,
equipment and software, is upon the buyer or user. GE Intelligent Platforms, Inc. shall not be liable for any damages,
including special or consequential damages, arising out of the use of such information, equipment and software, even if GE
Intelligent Platforms, Inc. has been advised in advance of the possibility of such damages. The use of the information
contained in the manual and the software described herein is subject to GE Intelligent Platforms, Inc. standard
license agreement, which must be accepted by the buyer or user before the use of such information, equipment or
software.
Trademark Notices
Proficy is a trademark of GE Intelligent Platforms, Inc., a wholly-owned subsidiary of General Electric Company.
All other product names and marks identified throughout this book are trademarks or registered trademarks of their
respective companies. They are used throughout this book in editorial fashion only. No such use, or the use of any
trade name, is intended to convey endorsement or affiliation.
No part of this publication may be reproduced in any form, or stored in a database or retrieval system, or transmitted
or distributed in any form by any means, electronic, mechanical, photocopying, recording or otherwise, without the
prior written permission of GE Intelligent Platforms. Information contained herein is subject to change without notice.
Table of Contents
Reference Documents
Introduction
Getting Started
Configuring Security
Account Lockout
Additional Considerations
Signature Options
Configuration
Run Time
To define limits directly in the picture using the Data Entry Expert
Index
Using Electronic Signatures is intended for application developers, process control engineers, and iFIX
users who want to incorporate electronic signatures and secure electronic records (security audit trails)
into their operations. This manual provides application developers with suggestions for integrating the
electronic signature feature in iFIX and instructs engineers and operators on how to sign for actions.
This manual also assists users, operators, and supervisors responsible for creating a secure, auditable
environment, especially those working with the 21 CFR Part 11 United States FDA government regulation.
Reference Documents
For related information about subjects discussed in this manual, refer to the following manuals:
The Electronic Signature option enables you to create a more secure environment by requiring that operators
electronically "sign" for all database process changes resulting from data entry and alarm
acknowledgement. Electronic signatures uniquely identify the operator making the change, and can optionally
require the electronic signature of another person to verify the change. Operators no longer need to use
paper and pen to record and sign for their actions, and the possibility of losing or damaging such records
is essentially eliminated.
More detailed permanent records of operator actions are now written to and stored in a relational
database. You can query and report on these records, and then use this data to provide a comprehensive audit
trail detailing the history of your process. The electronic signature audit trail provides greater versatility
than paper trails. You can query and analyze data quickly and conveniently. Additionally, record tracking
through electronic signatures increases security for process changes and alarm acknowledgements.
You can easily upgrade existing applications to take advantage of this functionality. None of your pictures
need to be modified. A simple change to the tags in the Database Manager allows you to implement the
Electronic Signature option. For more information, refer to Configuring Electronic Signatures.
Electronic signature capability also helps address the needs of iFIX users who must conform to the 21 CFR
Part 11 United States FDA government regulation. Using the feature by itself does not ensure compliance;
however, applications built using the Electronic Signature option can help provide the necessary electronic
verification needed to satisfy the requirements of this regulation. See Understanding 21 CFR Part 11 for
more information.
An electronic record is generated each time an action is signed for. Electronic records consist of the name
of the person(s) involved in the signing process, and other details, such as the type of action performed.
Electronic records are written to a relational database, and retained as a permanent record of a signed
action. Refer to Tracking Electronic Signatures for more information on electronic records.
Depending on the way your tags are configured, a signed action may require a supervisor or another
operator to verify or validate the action performed by the operator. The concept of "performed by" and "verified
by" provides the foundation of understanding how electronic signatures work in iFIX.
An electronic signature is either a Perform Only signature or a Perform and Verify signature:
Perform Only Signature – the operator (the "performer") that initiated the action must electronically sign
for that action.
Perform and Verify Signature – the operator (the "performer") that initiated the action must electronically
sign for that action and another individual (the "verifier") must electronically sign to validate the action.
The action is not initiated until both signatures are entered.
NOTE: The person who performs an action cannot be the same person who verifies that action.
User Name – name of the user performing the action or verifying the action.
Password – password for the user performing the action or verifying the action.
NOTE: If an operator's iFIX user account was established using Windows security, his iFIX user name and
password are the same as his Windows user name and password.
When an operator performs or verifies an action, he can optionally enter a comment related to that action.
The operator can select or change a pre-defined comment, or enter an original one.
For more information on using comments with electronic signatures, refer to Using Comment Tables.
Operators can perform many actions in the iFIX run-time environment. When electronic signing is enabled
in iFIX, operators may be required to electronically sign when they:
The need to sign for an action is determined by the way the associated tag is configured in the process
database. When the application developer creates a tag, he can optionally require an electronic signature
for the tag.
The application developer can configure a tag to be used by the following objects:
When these objects are used at run time to access a tag that requires electronic signature, the operator is
prompted to enter the appropriate electronic signature.
Refer to the Creating an Electronic Signature Audit Trail chapter for complete information about
configuring audit trail messages for electronic signature and examples of signed messages sent to a
relational database.
Using electronic signatures, you realize benefits in your daily operations, including:
• Requiring electronic signatures for data entry and alarm acknowledgement. Refer to Using
  Electronic Signatures at Run Time.
• Allowing operators and supervisors to add optional comments with the signature. Refer to Using
  Comment Tables.
• Sending signed operator messages to a relational database to track operator actions. Refer to
  Creating an Electronic Signature Audit Trail.
• Improved Windows password management, including the ability to change an expired Windows
  password when logging in or signing. Refer to Configuring Security.
• Automatically logging out a user from an inactive workstation with the iFIX Screen Saver. Refer to
  the section The iFIX Screen Saver in the Configuring Security Features manual.
21 CFR Part 11 is a United States Government Food and Drug Administration (FDA)-mandated regulation
that requires all electronic records and signatures, paperless records, and reporting procedures related to
the manufacture of a product be captured and stored securely for businesses under its control, such as
the Bio-Pharmaceutical and Food and Beverage industries. This regulation requires the protection,
accuracy, and quick retrieval of all records. Secured, computer-generated, time-stamped audit trails must be
available to independently record the date and time of operator actions that modify the manufacturing
process.
Electronic records can be used to identify the ingredients and people involved in the production and
distribution of regulated substances, such as prescription drugs. Additionally, electronic records ensure
accuracy, reliability, and security in data collection and record keeping.
The Electronic Signature option included with iFIX allows you to design an application that assists you in
meeting the demands of this regulation. The paperless environment that results from using this feature benefits
you with faster information exchange, improved ability to integrate, trend, and search data, a reduction in
errors, and reduced data storage costs.
GE Intelligent Platforms offers 21 CFR Part 11 consulting services to assist you with your goal of achieving
21 CFR Part 11 compliance. Using these services, you can reduce the time, effort, and expense of
developing, implementing, and maintaining a compliant solution to meet the regulation. These services include:
• Training
• Assessment
• Detailed Detection
• Maintenance
Getting Started
This chapter presents an overview of the tasks required to implement the Electronic Signature option. It
contains a brief description of how the option is licensed from GE Intelligent Platforms. Most importantly,
this chapter contains information and suggested strategies on implementing the security necessary to use
the Electronic Signature option. It includes the following sections:
The following steps provide an overview of how to implement electronic signatures in your iFIX
application.
1. Ensure that both the computer to be used to enter electronic signatures and the computer to be
   used as the SCADA node are equipped with hardware keys that have the Electronic Signature
   option enabled.
2. Establish the appropriate security configuration, which includes:
   a. Enabling security and creating users and groups. This may be done using the iFIX Security
      Configurator, or by using the iFIX Security Synchronizer. Refer to Configuring Security and
      Using the Security Synchronizer for more information.
   b. Assigning the appropriate security areas to those users and groups.
   c. Assigning the appropriate application features to those users and groups. The application
      features available for electronic signature are:
      • Electronic Signature - Perform By – Grants the user the ability to perform and sign
        for actions.
      • Electronic Signature - Verify By – Grants the user the ability to verify actions that
        another user performs.
3. Configure tags to require electronic signature.
4. Configure the Alarm ODBC Service and your relational database. You must perform this step if you
   want to provide an audit trail of your process.
To use the Electronic Signature option, you must purchase the option from GE Intelligent Platforms and
receive hardware keys with this functionality enabled. You must install the keys on both the SCADA node
and on the iClient node. The application developer typically configures tags on the SCADA node, and
operators typically enter electronic signatures on the iClient node. The keys are checked at run time, when an
object whose tag requires electronic signature is selected. Both the iClient and the SCADA keys must have
the Electronic Signature option enabled to use this functionality.
When the Electronic Signature option is enabled, you may be required to sign for actions you perform
during run time. When the Electronic Signature option is disabled, you can perform actions without needing to
sign for them.
Refer to Determining if the Node is Enabled for Signing for details on determining the status of the node.
Configuring Security
To use the Electronic Signature option, you must first enable iFIX security. Once security is enabled, you
must assign the appropriate application features to the users who will use this option. You can perform
both of these tasks in the iFIX Security Configuration program. If your application uses security areas on
tags, you will also need to make sure that these same users also have rights to those security areas.
If you want to build an application with the goal of achieving compliance with the 21 CFR Part 11
regulation, it is strongly encouraged that you use Windows user accounts when using the Electronic Signature
option within iFIX. Windows user accounts allow for password expiration and account lockout, which
Refer to the Using iFIX With Windows Security chapter in the Configuring Security Features manual for
more information on using Windows user accounts.
It is encouraged that you use Windows user accounts to provide a more robust security environment, as
either part of a strategy for 21 CFR Part 11 or as a means to provide an additional level of security within any
operation. By leveraging this functionality, you can add password expiration control and account lockout to
your overall security environment.
For more information on using Windows security, refer to the Using iFIX With Windows Security chapter in
the Configuring Security Features manual.
• If the Windows password has expired, the user is notified and prompted to change the password.
• If the Windows password is about to expire, a notification message displays, reminding the user to
  change the password.
If you do not want passwords to expire, you can enable the Password Never Expires option in the Windows
security configuration. If you do not want operators to change passwords, you can enable the User Cannot
Change Password option in the Windows security configuration.
Account Lockout
The application developer can set an account lockout threshold, which prevents a user from accessing the
account after he enters the incorrect user name or password beyond the number of acceptable times.
When a user logs in or enters an electronic signature at run time, he receives an error if the account has
been disabled. The application developer can configure the message to display with the error, such as a
telephone number or the name of a contact person; otherwise, a general message displays.
Refer to the Configuring the Account Disabled Message in iFIX and Limiting the Number of Invalid Login
Attempts sections in the Configuring Security Features manual for information on setting the account
lockout threshold and configuring the account disabled message.
Additional Considerations
This section contains some suggested strategies for configuring a 21 CFR Part 11 environment.
Application developers may want to disable an operator's ability to change the system time by removing
the "Change the system time" user right from the appropriate user accounts in Windows security. By doing
so, you can prevent inaccurate timestamps from entering the audit trail.
Enabling Auditing in the Windows Security System
Application developers who want to monitor Windows security events, such as logon and logoff, should
enable auditing in the Windows Local Security Policy. You can display these events in the Windows Event
Viewer's security log.
Each time an unsuccessful attempt is made to access the iFIX system, a message is sent to the alarm
system. If you have configured the Alarm ODBC Service and your relational database, these messages are
also written to your relational database, and can be included in the audit trail of your process.
Refer to the Understanding the Security Log File section in the Configuring Security Features manual for
more information.
A new tool, the Security Synchronizer, is available to help synchronize your iFIX user accounts with your
Windows user accounts. The Windows-to-iFIX Security Synchronizer provides a single point of
configuration for management of user accounts. This application assists customers who want to create
Windows user accounts to produce a more secure environment.
The person who administers the Windows security system adds and removes users from specific
Windows groups. The Security Synchronizer application creates, modifies, and deletes iFIX user accounts
based on information retrieved from the Windows security system. This allows you to administer security
in Windows and have those changes propagated to iFIX. When you are using the Security Synchronizer, all
modifications are made to the iFIX security configuration; the Windows security configuration is not
modified.
Refer to the Using Security Synchronizer section of the Configuring Security Features manual for complete
information about configuring and using this tool.
Application developers can allow certain remote nodes the ability to write to specific SCADA nodes only.
This prevents the possibility of access from unknown or unauthorized nodes. This is an important feature
to ensure that operators are positioned physically close to the equipment they are manipulating. You may
want to incorporate this feature to provide a more secure environment for your SCADA nodes.
Refer to the Protecting SCADA Nodes section in the Configuring Security Features manual for more
information.
The following table shows each user's job responsibility and the iFIX application features and security
areas assigned to each.
User     Job Responsibility           Application Feature(s)                                                 Security Area(s)
George   Operator for Line 1          Electronic Signature - Perform By                                      Line 1
Thomas   Operator for Line 2          Electronic Signature - Perform By                                      Line 2
Peter    Senior Operator for Line 2   Electronic Signature - Perform By, Electronic Signature - Verify By    Line 2
Laura    Supervisor                   Electronic Signature - Perform By, Electronic Signature - Verify By    Line 1, Line 2
The following table shows the tags that represent the set point for each line. Each tag is configured with a
signature type of Perform and Verify and has been assigned the appropriate security area.
The following table shows which users can perform and verify for actions on each line.
The following table shows a set of operator actions and the result at run time.
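The rules this scenario relies on (a signer needs the matching application feature and the tag's security area, and the performer cannot also be the verifier) can be modeled to audit a planned user configuration. The following Python is an added illustration, not iFIX code and not part of the original manual; the tag names LINE1_SP and LINE2_SP and all function names are assumptions.

```python
from dataclasses import dataclass

PERFORM_BY = "Electronic Signature - Perform By"
VERIFY_BY = "Electronic Signature - Verify By"


@dataclass(frozen=True)
class User:
    name: str
    features: frozenset
    areas: frozenset


@dataclass(frozen=True)
class Tag:
    signature_type: str  # "None", "Perform Only" or "Perform and Verify"
    area: str


# Users, application features and security areas from the table above.
USERS = {u.name: u for u in (
    User("George", frozenset({PERFORM_BY}), frozenset({"Line 1"})),
    User("Thomas", frozenset({PERFORM_BY}), frozenset({"Line 2"})),
    User("Peter", frozenset({PERFORM_BY, VERIFY_BY}), frozenset({"Line 2"})),
    User("Laura", frozenset({PERFORM_BY, VERIFY_BY}),
         frozenset({"Line 1", "Line 2"})),
)}

# Constructed tag names (assumption); one set point tag per line.
TAGS = {
    "LINE1_SP": Tag("Perform and Verify", "Line 1"),
    "LINE2_SP": Tag("Perform and Verify", "Line 2"),
}


def entitled(user, tag, feature):
    """A user may sign only with the feature AND the tag's security area."""
    return feature in user.features and tag.area in user.areas


def check_signature(tag_name, performer, verifier=None):
    """Return (allowed, reason) for one signing attempt on a tag."""
    tag = TAGS[tag_name]
    if tag.signature_type == "None":
        return True, "no signature required"
    p = USERS.get(performer)
    if p is None or not entitled(p, tag, PERFORM_BY):
        return False, "performer lacks Perform By or the tag's security area"
    if tag.signature_type == "Perform Only":
        return True, "performed"
    if verifier is None:
        return False, "verifier signature missing"
    if verifier == performer:
        return False, "performer cannot verify own action"
    v = USERS.get(verifier)
    if v is None or not entitled(v, tag, VERIFY_BY):
        return False, "verifier lacks Verify By or the tag's security area"
    return True, "performed and verified"


def signer_matrix():
    """Per tag, list who may perform and who may verify."""
    matrix = {}
    for name, tag in TAGS.items():
        matrix[name] = {
            "perform": sorted(u.name for u in USERS.values()
                              if entitled(u, tag, PERFORM_BY)),
            "verify": sorted(u.name for u in USERS.values()
                             if entitled(u, tag, VERIFY_BY)),
        }
    return matrix


def stranded_performers():
    """Performers on Perform and Verify tags with no other eligible verifier."""
    stranded = {}
    for name, row in signer_matrix().items():
        if TAGS[name].signature_type != "Perform and Verify":
            continue
        stranded[name] = [p for p in row["perform"]
                          if not (set(row["verify"]) - {p})]
    return stranded


if __name__ == "__main__":
    for tag_name, row in signer_matrix().items():
        print(tag_name, row)
    print("stranded:", stranded_performers())
    print(check_signature("LINE1_SP", "Laura", "Laura"))
```

Under this model, Laura is the only Verify By user with rights to Line 1, so a Line 1 change that Laura performs herself has no eligible verifier.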
As part of your strategy to secure inactive computers, you can use the iFIX Screen Saver. You can
configure the iFIX Screen Saver to perform many functions, such as terminating the continuous use period or
logging out the current iFIX user when the Screen Saver activates.
Refer to the The iFIX Screen Saver section in the Configuring Security Features manual for complete
details on configuring the iFIX Screen Saver.
When using electronic signature, it is always best to use 4.0 SCADA and 4.0 iClient nodes. Nodes running
earlier versions may not respond properly to electronic-signature enabled tags.
If you open a 4.0 database from an older-version node, such as 2.6, you cannot add or modify individual
tags, but you can otherwise modify the database. For example, you can delete and duplicate tags. You
cannot open an older-version node from a 4.0 node.
If you use multiple versions, the older version node may produce this type of message:
No message exists for error <error number>.
The error number will display as a literal, such as 1798. This message is likely caused by a
signature-related error, but the older version node does not support electronic signature functions. Consequently,
the message does not display properly.
If you use multiple versions of iFIX, you run the risk of acknowledging alarms configured for electronic
signature without capturing a signature for them.
If your intention is to create an application for use in a 21 CFR Part 11 environment, you must use a 4.0 (or
greater) SCADA and 4.0 (or greater) iClient node.
IMPORTANT: If you configure a tag to require electronic signature on a 4.0 SCADA node and then acknowledge an
alarm for that tag on a 2.6 or earlier iClient node, the Electronic Signature dialog box will not appear, and the
operator will be able to acknowledge the alarm without entering a signature. It is strongly recommended that
you use only 4.0 SCADA and iClient nodes when using electronic signature.
You can configure each tag in the process database to require a signature, including built-in block types,
such as Analog Output (AO) and Digital Output (DO), and any other Database Dynamo (also known as a
loadable block) that has been updated to support electronic signature. Signature options and security
areas for each tag are configured by the application developer in the Database Manager for operators to
use.
If you want to use an OPC server, you can pull that data into the iFIX process database using the OPC Client
Driver, and then access the data through the tag. The tag must be configured to require electronic
signature.
You cannot configure system tag fields, NSD fields, and alarm counters fields for electronic signature. To
help maintain a secure environment, you should avoid using these tags when creating pictures that
operators will use.
CAUTION: Exercise caution when enabling electronic signature in existing databases. Some tags may be written
to from custom programs and scripts. Exporting the database and changing all tags to require electronic
signature may cause custom programs and scripts to function improperly.
The Electronic Signature options for each tag are located on the Advanced tab of the tag's configuration
dialog box, and are available when you create or modify a tag. These options are:
• Signature Type
• Signature Option
• Unsigned Writes
Signature Type
The following fields are available for the Signature Type option:
None – Do not require signature for this tag. This option is the default setting.
Perform Only – Require only the signature of the operator performing the action.
For example, tag AO_3 is configured to require a Perform Only signature, as indicated in the following
figure.
Signature Options
The following fields are available for the Signature Option on the Analog Output.
Allow Continuous Use – When enabled, lets you repeatedly sign for successive actions by supplying only a
password. For more information on this option, refer to the Allow Continuous Use section.
Exempt Alarm Acknowledgment – When enabled, allows you to configure whether Alarm Acknowledgments
and Manual Alarm Deletions will require an electronic signature.
The Allow Continuous Use check box is selected in the Enabling the Electronic Signature Option dialog box
figure. By default, continuous use is enabled. This option allows the operator to repeatedly sign for
successive actions by supplying only a password. A continuous use period starts when the operator
successfully signs for an action. The operator's user name is recorded as the continuous user. While the
continuous use period is in effect, the operator's user name displays in the Performed By section in each
subsequent Electronic Signature dialog box displayed for this tag. This feature saves the operator the time
required to repeatedly type the user name. Continuous use applies only to the person performing an
action and does not affect the person verifying an action.
When the continuous use period ends, the Performed By user name is cleared in the Electronic Signature
dialog box. When a valid signature is entered, another continuous use period begins.
NOTE: The name of the continuous user changes and the continuous use period restarts each time a different
user enters a valid signature.
When selected, the Performed By Comment Required option enables Comment enforcement in the
Perform Comment section. This means that the operator must enter comments in the Performed By
Comment box in the Electronic Signature section during run mode. Comments in the Verify Comment section
are optional.
Configuration
In conjunction with the Perform By Comment Required option, you must select the Electronic Signature
type as one of the following for that specific writable tag:
• Perform Only
• Perform and Verified
The Perform by Comments Required check box appears in every block configuration where Electronic
Signature settings are available. By default, this check box is disabled.
You can also configure this option to display an additional column in the Database Manager tag list.
• In Ribbon view, navigate to Settings > Properties. The eSig Comment Required property appears in
  the Column > Available Columns section. You can use the Add button to select to display this
  information in your Database Manager tag list.
• In Classic view, navigate to View > Properties. Select the eSig column you want to display from the
  Available Column listing. Use the Add button to add it to the Display Columns, which makes this
  column visible in the Database Manager tag list.
Run Time
During run time, if you enter a setpoint value for a tag, or if you acknowledge alarms, then the electronic
signature dialog appears depending on the option configured for the tag. If a tag is configured with
Perform By Comment Required enabled, you must enter a comment in the appropriate edit box. The
comment must be more than 1 character but less than 168 characters. An error message box appears when
the comment does not meet these specifications.
For more information on these dialog boxes, refer to the Examining the Electronic Signature Dialog
Box section.
The Exempt Alarm Acknowledgement check box allows you to configure whether Alarm
Acknowledgements and Manual Alarm Deletions will require an electronic signature. By default, once you
configure the tag to require signature, these actions require a signature. By selecting this check box, you can
While the most common data entry objects support electronic signature, there are ways to write to a tag
without capturing a signature. This is called an unsigned write. The application developer can specify
whether to allow these writes to update the database (accept) or to block (reject) them on a tag-by-tag
basis. Unsigned writes can originate from:
• Scripts.
• Recipe downloads.
• Use of the Acknowledge All command on the Alarm Summary object or the AcknowledgeAllAlarms
  global subroutine.
• Global subroutines called from Scheduler scripts.
• Applications other than the WorkSpace, such as the Scheduler, Database Manager, or
  externally-written EDA applications.
• Writes to data sources that use expressions.
• Writes that originate from an iFIX 2.x or FIX32 node.
You can configure a tag to accept or reject an unsigned write. In a secure signing environment, it is typical
to reject unsigned writes; by default, the Reject Unsigned Writes option is selected.
Log – sends a message to the alarm system, indicating that the tag accepted an unsigned write. This field
is available only when the Accept option is selected.
Reject – the tag rejects a write from an unsigned source in the same manner a write is rejected for a
security violation. A message is sent to the alarm system to flag the violation. By default, this option is
selected.
If a user changes a field of a tag that requires electronic signature directly in the Database Manager
spreadsheet, that change is considered an unsigned write. Writes from the Database Manager tag
configuration dialogs and SAC are always accepted, regardless of how you configure unsigned writes. Refer
to the Changing Tag Values in the Database Manager Spreadsheet section in the Testing and
Troubleshooting Electronic Signature chapter for details.
Values written from signature-disabled nodes to tags that require signature may be rejected. If an
application has mixed nodes (some with the Electronic Signature option enabled, some with the option disabled),
the application developer can restrict access to certain remote nodes to disallow writes from the disabled
nodes, if necessary. For more information about disabled nodes, refer to Restricting Access from Remote
Nodes. For more information about mixed nodes, refer to Using Multiple Versions of iFIX in a Network.
You must understand the implications of database writes in a secure environment when electronic
signature is enabled. Unsigned writes do not prompt for electronic signature. However, you can trace the
results of unsigned writes through the alarm system. This section discusses the behavior of unsigned writes,
based on the tag's configuration. To learn how to configure a tag for unsigned writes, refer to
Understanding Unsigned Writes.
If the tag is configured to reject unsigned writes, the write is rejected and this type of message is written
to the alarm system:
UNSIGNED WRITE REJECTED: <tag name> cannot be written without electronic signature by <logged-in user name>
If the tag is configured to accept unsigned writes and to log the event, the write is accepted, and this type
of message is written to the alarm system:
UNSIGNED WRITE ACCEPTED: <tag name> was written without electronic signature by <logged-in user name>
If the tag is configured to accept unsigned writes, but not to log the event, the write is accepted, and this
type of message is written to the alarm system:
<tag name> set to <new value> by <node>::<logged-in user name>
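The three message forms above can be used to triage alarm-system output for unsigned writes. The following Python is an added example, not iFIX code and not part of the original manual; it assumes each input line ends with the message text exactly as shown above, and the sample lines, tag names, node names and the set of signature-required tags are constructed.

```python
import re
from collections import Counter

# Patterns built from the three message forms shown above.
REJECTED = re.compile(
    r"UNSIGNED WRITE REJECTED: (?P<tag>\S+) cannot be written "
    r"without electronic signature by (?P<user>.+)$")
ACCEPTED = re.compile(
    r"UNSIGNED WRITE ACCEPTED: (?P<tag>\S+) was written "
    r"without electronic signature by (?P<user>.+)$")
PLAIN_SET = re.compile(
    r"(?P<tag>\S+) set to (?P<value>.+?) by (?P<node>[^\s:]+)::(?P<user>.+)$")

# Constructed sample alarm messages (message text only).
SAMPLE = [
    "UNSIGNED WRITE REJECTED: AO_3 cannot be written without electronic signature by GEORGE",
    "UNSIGNED WRITE REJECTED: AO_3 cannot be written without electronic signature by GEORGE",
    "UNSIGNED WRITE ACCEPTED: AO_7 was written without electronic signature by THOMAS",
    "AO_9 set to 42.5 by NODE2::PETER",
    "AO_1 set to 10 by NODE1::LAURA",
    "Some unrelated alarm text",
]
# Constructed: tags configured in the database to require a signature.
SIGNED_TAGS = {"AO_3", "AO_7", "AO_9"}


def classify(line, signed_tags):
    """Return a finding dict for an unsigned-write message, else None."""
    line = line.strip()
    for kind, rx in (("rejected", REJECTED), ("accepted_logged", ACCEPTED)):
        m = rx.search(line)
        if m:
            return {"kind": kind, "tag": m["tag"], "user": m["user"]}
    m = PLAIN_SET.search(line)
    # A plain "set to" message on a signature-required tag is the form given
    # above for an accepted, unlogged unsigned write. Treat a hit as a lead
    # to check against the signed audit trail, not as proof.
    if m and m["tag"] in signed_tags:
        return {"kind": "plain_write_on_signed_tag", "tag": m["tag"],
                "user": m["user"], "node": m["node"], "value": m["value"]}
    return None


def review(lines, signed_tags, repeat_threshold=2):
    """Summarize findings and flag users who repeatedly hit a reject."""
    findings = [f for f in (classify(l, signed_tags) for l in lines) if f]
    counts = Counter(f["kind"] for f in findings)
    rejects = Counter((f["user"], f["tag"])
                      for f in findings if f["kind"] == "rejected")
    repeated = sorted(k for k, n in rejects.items() if n >= repeat_threshold)
    return {"findings": findings, "counts": dict(counts),
            "repeated_rejects": repeated}


if __name__ == "__main__":
    result = review(SAMPLE, SIGNED_TAGS)
    print(result["counts"])
    print(result["repeated_rejects"])
```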
To view electronic signature settings for a tag, you can add these columns to the Database Manager
spreadsheet using the Column tab of the Database Manager's Properties dialog box:
eSig Type – Indicates the signing requirements on this tag. When you add this column, the following values
display:
PERFONLY – The tag requires only the signature of the operator performing the action.
PERVERI – The tag requires the signature of the operator performing the action and the signature of
the person verifying the action.
eSig Cont Use – Indicates if allow continuous use is enabled for this tag.
eSig Exempt Ack – Indicates if signing is required for alarm acknowledgement and manual alarm deletion
on this tag.
eSig Unsigned Writes – Indicates if unsigned writes are accepted or rejected by this tag. When you add
this column, the following values can display:
REJECT – This tag is configured to reject unsigned writes. A message is sent to the relational database
whenever an unsigned write is rejected.
For more information on changing database columns, refer to the Locating and Displaying Data chapter of
the Building a SCADA System manual.
You can configure AO blocks to have both engineering unit limits and operator limits. You set these limits,
respectively, in the Basic tab and Advanced tab of the Analog Output dialog box. The value you set for the
engineering unit limit overrides the value you set for the operator limit if the operator limit is outside the
range of the engineering limit. For example, you can set an AO tag to have a high engineering limit of 100,
and you can set the operator limit for this tag to be 80. If an operator changes the value of this tag to 90,
the value written to the tag is 90, but the tag clamps the value at 80, the operator limit.
The message sent to the audit trail reflects the value the operator signed for, in this example, 90. If the AO
tag has Alarming and Event Messaging options enabled, an event message is sent by the AO tag that
reflects the clamped value, in this example, 80.
You can also define limits directly on data entry objects used in pictures.
To define limits directly in the picture using the Data Entry Expert:
1. Click the Data Entry Expert button to open the Data Entry Expert dialog box.
2. In the Data Source field, define your data source.
3. Clear the Fetch Limits from the Data Source check box. If you enable this field, the limits are
derived from the engineering unit limits defined for the data source, and the limits you define here
are overridden.
4. In the Low Limit and High Limit text boxes, enter preferred low and high limits.
NOTE: These limits are checked before the limits on the tag are checked.
The Electronic Signature option does not support the Acknowledge All alarms capability. You are encouraged to
disable this function in the Alarm Summary object by clearing the Allow Acknowledge All Alarms
check box on the Operator tab of the Alarm Summary Configuration. This removes the Acknowledge All
option from the right-click menu and prevents an operator from acknowledging all alarms from the Alarm
Summary object.
IMPORTANT: If you do not disable the Allow Acknowledge All Alarms option, you risk allowing operators
to acknowledge alarms in an unsecured environment. This option is enabled by default in pictures created
in iFIX 3.0 and higher.
Operators cannot sign for alarm acknowledgements when using AcknowledgeAll through the Alarm Summary
object or through a script.
You may want operators to add specific comments to their electronic signature at run time, either when
performing an action or when verifying an action. An operator may enter a comment about the condition
of a machine, such as "Conveyor jammed," and the person who verifies that action may enter a comment
about the resolution, such as "Problem fixed. Realigned station 14."
You can create pre-defined comments for the operator to select from when entering an electronic signature.
To create a pre-defined comment, you must create comment tables. These tables can populate the
Predefined Comment list of the Electronic Signature dialog box with your comments. The operator can also
write a free-form comment in the Comment field.
NOTE: The operator can enter text in the Comment field regardless of whether you configure a comment table
and create pre-defined comments.
1. In the iFIX WorkSpace, in Ribbon view, on the Home tab, in the WorkSpace group, click Settings,
then select User Preferences.
- Or -
In Classic View, on the WorkSpace menu, click User Preferences.
2. Select the General tab.
3. Optionally, rename the table(s) by entering text in the Perform Comments Table Name field and the
Verify Comments Table Name fields, respectively.
4. Click the corresponding button, either the Create Perform Comments Sample Table button or the
Create Verify Comments Sample Table button, as appropriate. A message box appears, confirming
that the comment table was successfully created. If you do not rename the tables in step 3, these
default names are assigned to the tables:
• PerformESigComments
• VerifyESigComments
The comment tables you create are listed in the System Tree of the WorkSpace, in the Globals/User
folder, as indicated in this graphic:
5. Click OK in the WorkSpace message box to save the changes in the user.fxg file.
Once you create a comment table, you can fill it with comments you want to use in your application.
1. Right-click the comment table, such as PerformESigComments, in the System Tree, and select Custom.
The Custom Lookup Table dialog box appears.
1. Open the Properties window using a standard method, such as right-clicking a comment table in
the System Tree and selecting the Property Window... option.
2. Access the System Tree.
3. Select the comment table you want to rename in the System Tree.
4. Return to the Properties window, select the Name property, and enter the new table name.
5. Close the Property window.
To delete a comment table:
This chapter describes how Electronic Signatures are used in the run-time environment, and describes the
tasks required of an operator when electronic signature is required. It includes the following sections:
Before using electronic signatures at run time, you should be familiar with the fields used in the Electronic
Signature dialog box.
The Electronic Signature dialog box appears each time an operator performs an action that requires an
electronic signature. If the tag associated with the action requires Perform Only signature, the Electronic
Signature dialog box displays the Performed By section only, as shown in the following figure.
If the tag associated with the action requires Perform and Verify signatures, the Electronic Signature dialog
box displays the Performed By and Verified By sections, as shown in the following figure. When a user
signs in the Performed By section, the Verified By section is always dimmed; when a user signs in the
Verified By section, the Performed By section is always dimmed. Entering comments in the Verify Comment
section is optional.
The following information explains each section of the Electronic Signature dialog box:
Description Area – describes the action to be signed for. This area is located at the top of the dialog box. If
the action is a data entry, the description area includes:
Performed By – section of the Electronic Signature dialog box that displays when the tag is configured for
electronic signature. If the tag is configured for Perform By signature, only this section of the Electronic
Signature dialog box displays. If the tag is configured for Perform By and Verify By, both the Performed
By and the Verified By sections of the Electronic Signature dialog box display.
If the tag is configured for Perform By signature only, once the operator enters his user name and
password, and then clicks OK, the signature is validated, the value is written to the database, and
the Electronic Signature dialog box closes.
If the tag is configured for Perform and Verify signature, once the operator enters his user name
and password, and then clicks OK, the Performed By section of the Electronic Signature dialog box
dims and the Verified By section activates.
User Name - name of the user performing the action or verifying the action. The name you supply here is
your iFIX user name.
If the tag associated with the action allows continuous use, the user name of the continuous user
automatically displays in this field in the Performed By section. The name of the continuous user is
recorded from the last valid signature. You can enter a different name in this field. Refer to the
Allow Continuous Use section for more information.
Password - password for the user performing the action or verifying the action. The password you supply
here is the password assigned to your Windows or iFIX user account.
Verified By – optional section of the Electronic Signature dialog box that displays when the tag is configured
with a signature type of Perform and Verify. After the Performed By signature is validated, the
Verified By section activates and the Performed By section dims. Once the person who verifies the signature
enters his user name and password in the Verified By section and then clicks OK, the signature
is validated, the value is written to the database, and the Electronic Signature dialog box closes.
Comment – field available in both the Performed By and Verified By sections in which the operator or the
person verifying the action enters comments. When the Perform By Comment Required option is
enabled, text must be entered in the Comments field.
You can select or change a pre-defined comment from the drop-down list, or enter an original one
in the text box. When the operator selects a pre-defined comment, it displays in the Comment field.
When entering text in the Comment field, you must enter fewer than 168 characters. However, when
Perform By Comment Required is enabled in that block, you must enter more than 1 character but
fewer than 168 characters.
In addition to entering text in the Comment field, you can also change the text of the predefined
comment as it displays in the Comment field. Your changes do not alter the text of the predefined
comment stored in the comment table.
If a comment table cannot be read for any reason, or if the application developer did not configure
a comment table, the Predefined Comments drop-down list is dimmed.
For more information, refer to Using Comment Tables.
The behavior of data links and text objects configured for in-place data entry changes in run-time mode
when the associated tag requires electronic signature. When the operator enters a value and presses
Enter, the Electronic Signature dialog box appears.
The following list shows the data entry methods you can choose from the Data Entry Expert and how each
method behaves when the associated tag requires electronic signature:
Numeric/Alphabetic Entry – When the operator enters a new value and clicks OK, the Electronic Signature
dialog box appears.
Slider Entry – When the operator moves the slider bar and clicks OK or enters a value in the edit box and
clicks OK, the Electronic Signature dialog box appears.
NOTE: When using the slider bar with electronic signature, you cannot also use the Write Continuously
option. When the application developer chooses the Slider Entry option, he should clear the Write Continuously
check box in the Data Entry Expert dialog box. If the Write Continuously option is left enabled, electronic
signature is ignored at run time.
PushButton Entry – When the operator clicks a toggle button in the PushButton Entry dialog box, the Electronic
Signature dialog box appears.
Ramp Entry – Each time the operator clicks one of the four ramp buttons, the Electronic Signature dialog
box appears.
• Operator George Clark performs an action that he must sign for, but the action does not require
verification. Refer to Example 1: Perform Only Signature.
• Operator George Clark performs an action that he must sign for, and his supervisor, Thomas White,
verifies that action. Refer to Example 2: Perform and Verify Signature.
• Operator George Clark performs an action that requires a signature, but the value changes before
he completes the signature. Refer to Example 3: Value Changes During Signing.
• Operator George Clark performs an action and his supervisor, Thomas White, verifies that action.
Each signer selects a predefined comment and enters an additional comment. Refer to Example 4:
Selecting and Entering Comments When Signing.
• Operator George Clark performs an action that requires a signature, but when he tries to sign for
his action, he enters his password incorrectly too many times, and his account becomes disabled.
Refer to Example 5: Account is Disabled.
Example 1: Perform Only Signature
George Clark changes the value of a data link that uses the IFIX1_PHARM_HSM1_TEMP_SP tag as the data
source. He changes the value from 10 to 20. This tag has been configured to require the signature of the
performer only. When George changes the value and then presses Enter, the Electronic Signature dialog
box appears, with the Performed By section displayed, as shown in the following figure.
George signs for this action by entering his user name and password, and then clicks OK. Because the tag
George signed for does not require a user to verify the action, his signature is validated, the value is written
to the tag, the Electronic Signature dialog box closes, and the updated value displays in the data link. A
message is written to the audit trail that details George's action.
Example 2: Perform and Verify Signature
George Clark changes the value of a data link that uses the IFIX1_PHARM_HSM1_START_BUTTON tag as
the data source. He changes the value from 0 to 1. This tag has been configured to require Perform and
Verify signatures. When George changes the value and then presses the Enter key, the Electronic Signature
dialog box appears, with the Performed By and Verified By sections displayed.
The Verified By section of the dialog box remains dimmed until George successfully enters his user name
and password. When George clicks OK, his signature is validated, the Performed By section dims, and the
Verified By section activates.
George's supervisor, Thomas White, enters his user name and password, as shown in the following figure.
When Thomas clicks OK, his signature is validated, the value is written to the tag, the Electronic Signature
dialog box closes, and the updated value displays in the data link. A message is written to the audit trail
that details this action, including both George's and Thomas' signatures.
Example 3: Value Changes During Signing
When the Electronic Signature dialog box initially appears, the current value of the tag and the value
George entered display. In this example, the current value of 10 is being changed to 20, as shown in the
following figure.
Example 4: Selecting and Entering Comments When Signing
When Thomas White verifies this action, he also selects a predefined comment and adds more text in the
Comment text field, as illustrated in the following figure.
Example 5: Account is Disabled
George forgets his password and makes an incorrect guess. The following message displays:
Error Number: -2147210963 (8004292d)
Unknown user name or bad password.
George clicks the OK button and tries again. The bad password message displays for each subsequent
incorrect attempt until he reaches the account lockout threshold, which, in this example, is set at three. On
George's fourth incorrect attempt, the following message displays:
Error Number: -2147210967 (80042929)
Account currently disabled.
The Alarm Summary object supports the Electronic Signature option. Both single and multiple alarm
acknowledgement is supported. Manual alarm deletion is also supported.
The operator can acknowledge one or more alarms using the Alarm Summary object with any of these
conventional methods:
• Double-click a row.
• Select one or more rows and then press Enter.
• Use the Acknowledge Page command from the right mouse menu.
• Use the Acknowledge an Alarm command from the right mouse menu.
• Select the Alarm Summary object and press K on the keyboard.
Whenever the operator acknowledges an alarm for a tag configured to require electronic signature using
one of these methods, the Electronic Signature dialog box appears.
The Electronic Signatures dialog box appears when the operator acknowledges multiple alarms. The dialog
box displays the names and descriptions of all the tags being acknowledged by the operator. The
alarms the operator acknowledges may have mixed signing requirements; some may require no signature,
some may require Perform Only signature, and others may require Perform and Verify signatures.
When the operator acknowledges two or more alarms, the most restrictive signing requirements are
enforced. The following table shows the signing requirements for the indicated conditions:
When the operator acknowledges a single alarm for a tag that requires a Perform Only signature, the
Performed By section of the Electronic Signature dialog box appears. When the operator acknowledges a
single alarm for a tag that requires Perform and Verify signature, the Performed By and Verified By
sections of the Electronic Signature dialog box appear.
When the operator acknowledges a page of alarms whose tags require Perform Only signature, the
Performed By section of the Electronic Signature dialog box appears. When the operator acknowledges a
page of alarms whose tags require Perform and Verify signatures, the Performed By and Verified By
sections of the Electronic Signature dialog box appear.
The Electronic Signature dialog box for alarm acknowledgement is identical in layout and function to the
dialog box for data entry. However, it contains a list of all alarms to be acknowledged in a scrollable area,
as indicated in the following figure. The information displayed here includes the node name, tag name, and
description of each tag whose alarms are being acknowledged.
When the operator acknowledges a page of alarms, a separate message is sent to the audit trail for each
alarm acknowledged. Refer to the Electronic Signature Signing Requirements table for a list of electronic
signature signing requirements.
The audit trail is a key component in a 21 CFR Part 11 compliant system, but it can also be useful in many
different applications. The electronic signature audit trail contains a computer-generated, time-stamped
record of each electronic signature. Each record clearly identifies all pertinent information about the person
who entered the signature, such as the person's name, the time he entered the signature, and why he
entered the signature.
iFIX stores the electronic signature audit trail in a relational database. A relational database provides you
with an open, secure storage solution you can query using established methods to produce reports and
perform analysis and review. The relational database must be ODBC-compliant, such as Microsoft's SQL
Server or Oracle.
NOTE: Microsoft Access is not supported in the electronic signature environment because it is not secure enough
to ensure tamper-resistance.
Each time an operator signs for an action, a message is sent to the relational database containing all the
elements of the signature, including:
• User name and full name of the person that performed the action.
• User name and full name of the person that verified the action.
• Description of the action.
• Time the action occurred.
• Name of the iFIX node where the user signed.
• User name and full name of the person logged in to the iFIX security system when the user signed.
• Optional comments entered by the performer and verifier.
Additionally, fields such as the name of the iFIX tag and the name of the SCADA node are included. You can
also configure up to four user-defined fields that can be read from the tag and incorporated into the
message.
The iFIX Alarm ODBC Service inserts alarms, messages, and the electronic signature audit trail into an
ODBC-compliant relational database. The data is parsed into a set of columns you can query to produce
reports and perform analysis. You can configure the columns you want to include in your relational database
table using the Alarm ODBC Configurator.
You can configure the Connection Lost Tag in the Alarm ODBC Service Configuration dialog box, which
allows you to specify a database tag that is used to indicate a broken connection with the relational
database.
You can also configure a temporary file to store alarms when the Alarm ODBC Service cannot connect to
the relational database. The temporary file is encrypted. This feature prevents the loss of any electronic
signature messages while the relational database is down or offline. If you do not want a temporary file,
leave the Lost Connection File field blank.
Refer to the Implementing Alarms and Messages manual for more information on the Alarm ODBC Service
and other alarm issues.
Several relational database table columns are included in the Alarm ODBC service for signed operator
actions. These columns allow you to perform detailed database queries. The columns for signed operator
actions are:
Operator Login User Name – user name of the person currently logged in to iFIX.
Operator Login Full Name – full name of the person currently logged in to iFIX.
Performed By User Name – user name of the person performing the action.
Performed By Full Name – full name of the person performing the action.
Verified By User Name – user name of the person verifying the action.
Verified By Full Name – full name of the person verifying the action.
Message ID – Globally Unique Identifier (GUID) that uniquely identifies each message.
For information on the other columns in the Alarm ODBC service, refer to the Implementing Alarms and
Messages manual.
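One way to review rows pulled from the audit table, as an added example rather than anything shipped with iFIX: it classifies each row by which signature columns are filled, compares that with the tag's eSig Type (PERFONLY or PERVERI), and reports repeated Message IDs. The dictionary keys reuse the manual's column labels; the Tag Name key, the GUID values and every row are constructed for illustration.

```python
from collections import Counter

# Keys reuse the column labels from the manual. The real database column names
# are whatever was configured in the Alarm ODBC Configurator (assumption).
LOGIN = "Operator Login User Name"
PERF = "Performed By User Name"
VERI = "Verified By User Name"
MSGID = "Message ID"
TAG = "Tag Name"  # hypothetical label for the tag-name field


def make_row(msgid, tag, login, perf="", veri=""):
    """Build one constructed audit row."""
    return {MSGID: msgid, TAG: tag, LOGIN: login, PERF: perf, VERI: veri}


# Constructed audit rows (user and tag names borrowed from the manual's examples).
ROWS = [
    make_row("00000000-0000-0000-0000-000000000001", "IFIX1_PHARM_HSM1_TEMP_SP",
             "SJONES", perf="JHARPER"),
    make_row("00000000-0000-0000-0000-000000000002", "IFIX1_PHARM_HSM1_START_BUTTON",
             "SJONES", perf="JHARPER", veri="LWALL"),
    make_row("00000000-0000-0000-0000-000000000003", "IFIX1_PHARM_HSM1_START_BUTTON",
             "SJONES", perf="JHARPER"),                      # verifier missing
    make_row("00000000-0000-0000-0000-000000000002", "IFIX1_PHARM_HSM1_START_BUTTON",
             "SJONES", perf="JHARPER", veri="LWALL"),        # repeated Message ID
    make_row("00000000-0000-0000-0000-000000000004", "IFIX1_PHARM_HSM1_TEMP_SP",
             "SJONES"),                                      # no signature at all
]

# eSig Type per tag, as it would be read from the Database Manager column.
ESIG_TYPE = {
    "IFIX1_PHARM_HSM1_TEMP_SP": "PERFONLY",
    "IFIX1_PHARM_HSM1_START_BUTTON": "PERVERI",
}


def signature_class(row):
    """Classify a row by which signature columns carry a user name."""
    perf = (row.get(PERF) or "").strip()
    veri = (row.get(VERI) or "").strip()
    if perf and veri:
        return "perform_and_verify"
    if perf:
        return "perform_only"
    if veri:
        return "verifier_without_performer"
    return "unsigned"


def review(rows, esig_type_by_tag):
    """Return (finding, message_id) tuples: duplicates first, then row checks."""
    findings = []
    counts = Counter(r[MSGID] for r in rows)
    for msgid in sorted(m for m, n in counts.items() if n > 1):
        findings.append(("DUPLICATE_ID", msgid))

    seen = set()
    for r in rows:
        if r[MSGID] in seen:        # check each message once
            continue
        seen.add(r[MSGID])
        required = esig_type_by_tag.get(r[TAG])
        cls = signature_class(r)
        if required in ("PERFONLY", "PERVERI") and cls in (
                "unsigned", "verifier_without_performer"):
            findings.append(("MISSING_PERFORMER", r[MSGID]))
        elif required == "PERVERI" and cls != "perform_and_verify":
            findings.append(("MISSING_VERIFIER", r[MSGID]))
    return findings


if __name__ == "__main__":
    for finding in review(ROWS, ESIG_TYPE):
        print(finding)
```

A MISSING_PERFORMER result on a tag that requires signing means the write went through unsigned, which is worth correlating with the tag's eSig Unsigned Writes setting and with any bypass messages in the same time window.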
If you have successfully enabled the Alarm ODBC Service and have configured your relational database,
then each time an operator successfully signs for an action, a message is sent to the relational database.
The message contains the following:
When electronic signature is not required for the tag, the message sent to the relational database is the
standard iFIX operator message containing the timestamp for the action, the user name of the logged-in
user, and the new value.
Signed operator messages are sent to alarm areas configured for operator messages. Therefore, operator
messages do not necessarily get sent to the same alarm area that the corresponding tag belongs to.
Refer to the Configuring Alarms section of the Setting Up the Environment manual for more information.
Example 1: Electronic Signature Not Required
In this example, electronic signature is not required for the tag. This message is sent to the relational
database when an operator changes the value of the tag:
In this message, SJONES represents the user name of the currently logged-in iFIX user.
Example 2: Perform Only Signature Required
In this example, the tag requires a Perform Only signature. This message is sent to the relational database
when an operator changes the value of the tag and signs for it:
In this message, JHARPER is the user name, and James Harper, Sr. Operator is the full name of the operator
that changed the analog setpoint value. LWALL is the user name, and Lisa Wall, Shift Supervisor, is the
full name of the supervisor that verified this action. Both the original value, 50.00, and the new value,
60.00, are clearly indicated.
Each time an operator successfully signs for an action, a message is sent to the iFIX alarm system. You can
view these messages in the Alarm History window, in the Alarm File, or on an alarm printer. The message
contains the following:
In the SCU, for the Alarm Startup Queue Service, do not clear the Summary alarms only check box in the
Startup Queue Configuration dialog box. If you disable this option, duplicate messages may be sent to the
audit trail. By default, the Summary alarms only check box is selected in the SCU.
You can create a script or another application that prompts the operator to enter an electronic signature
using the iFIX Electronic Signature object. This allows you to:
The Electronic Signature object is a COM object that implements the IESignature interface. The object can
be instantiated by both VB/VBA and C/C++ code. You can call methods in the IESignature interface to:
For more information on using the Electronic Signature object, refer to examples provided later in this
chapter and to the iFIX Automation Interfaces Help file.
When you use a global subroutine in a script that writes to the database, such as WriteValue, the Electronic
Signature dialog box appears at run time if the tag is configured for signing. If one script uses two or
more global subroutines that write to the database, the Electronic Signature dialog box appears for each
tag that requires signature.
To prevent the Electronic Signature dialog box from appearing for each tag configured for signing, you can
disable signing on one or more of the tags, or you can change the script.
IMPORTANT: If you do not use a global subroutine that supports electronic signature in your script, you must use
the Electronic Signature object within the script to invoke the Electronic Signature dialog box.
Several global subroutines and Alarm Summary object methods support electronic signature. If the data
source that the global subroutine or method writes to requires electronic signature, the Electronic Signature
dialog box displays. If the data source does not require signature, it is written directly.
• AcknowledgeAnAlarm
• EnableAlarm
• DisableAlarm
• OpenDigitalPoint
• CloseDigitalPoint
• ToggleDigitalPoint
• WriteValue
• RampValue
• OnScan
• OffScan
• ToggleScan
• ToggleManual
• SetAuto
• SetManual
NOTE: The AcknowledgeAllAlarms subroutine does not support electronic signature.
The following table indicates which Alarm Summary object methods support electronic signature.
The following scripts provide examples of using the Electronic Signature object to acknowledge a list of
alarms and a single alarm.
Value = 0
Else
'Acknowledge the alarm without signature or warn node is not enabled for electronic signatures
End If
The following sample script provides an example of using the Electronic Signature object, in this case to
perform a recipe download:
Private Sub Rect1_Click()
' Check if the logged-in user has the privilege to download recipes
CanDownload = System.FixCheckApplicationAccess(52)
If CanDownload = 1 Then
Set ESignatureObject = CreateObject("ElectronicSignature.ESignature")
If bValidSig Then
Exit Sub
RecipeDownloadError:
MsgBox (Err.Description)
End Sub
This chapter contains information and suggestions about how to test and troubleshoot the Electronic Signature
option. The following topics are described:
The application developer can disable the Electronic Signature option for testing purposes; this allows you
to fully test an application without the need to repeatedly enter signatures.
To disable the electronic signature feature, create a user account that has the Electronic Signature -
Bypass application feature assigned to it and then log in with that account. A corresponding user account
with the Electronic Signature - Bypass application feature assigned to it must also exist on the SCADA
node.
You can achieve the same effect by disabling security. However, this is not the recommended approach,
since it leaves the system in a very vulnerable state.
CAUTION: Do not leave the Bypass account logged in, as it effectively disables the Electronic Signature option.
When the Electronic Signature - Bypass application feature is enabled, a message is sent to the alarm system
each time a tag configured for electronic signature is changed. If the Alarm ODBC Service is enabled,
the message is also sent to the relational database; for example:
4/19/02 00:21.50.7[SAND] UNSIGNED WRITE ACCEPTED: FIX.AI2.F_CV - electronic signature bypassed by PSMITH.
The user name, in this example PSMITH, identifies the logged-in user on the node where the change was
made.
When security is disabled, a similar message is sent each time a tag configured for electronic signature is
changed; for example:
4/21/02 00:13.51.7[SAND] UNSIGNED WRITE ACCEPTED: FIX.AI2.F_CV - electronic signature bypassed - security disabled.
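The two bypass messages quoted above are the record that a signed tag was written without a signature, so they are worth alerting on. The following Python sketch is an added example, not part of the iFIX documentation: it parses both message formats, tallies bypass writes per user, and reports every security-disabled write plus any bypass seen on a node outside a test allow-list. The NODE.TAG.FIELD split of the data source, the `test_nodes` parameter, and sample lines 3 and 4 are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample input. Lines 1 and 2 reproduce the two message formats
# quoted in the manual; lines 3 and 4 are made up for this example.
SAMPLE_LINES = [
    "4/19/02 00:21.50.7[SAND] UNSIGNED WRITE ACCEPTED: FIX.AI2.F_CV - "
    "electronic signature bypassed by PSMITH.",
    "4/21/02 00:13.51.7[SAND] UNSIGNED WRITE ACCEPTED: FIX.AI2.F_CV - "
    "electronic signature bypassed - security disabled.",
    "4/21/02 00:14.02.1[SAND] UNSIGNED WRITE ACCEPTED: FIX.AO7.F_CV - "
    "electronic signature bypassed by PSMITH.",
    "4/21/02 00:15.10.3[SAND] FIX.AI2.F_CV set to 20.00 by SAND::SJONES",
]

BYPASS_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{2,4})\s+(?P<time>[\d:.]+)\[(?P<node>[^\]]+)\]\s+"
    r"UNSIGNED WRITE ACCEPTED:\s+(?P<source>\S+)\s+-\s+"
    r"electronic signature bypassed\s+"
    r"(?:by\s+(?P<user>\S+?)|-\s+(?P<reason>security disabled))\.?\s*$"
)


def parse_bypass(line):
    """Return a dict describing a bypass message, or None for any other line."""
    m = BYPASS_RE.match(line.strip())
    if m is None:
        return None
    # Assumption: the data source is written NODE.TAG.FIELD, as in FIX.AI2.F_CV.
    parts = m["source"].split(".", 2)
    scada_node, tag, field = (parts + ["", "", ""])[:3]
    return {
        "date": m["date"],
        "time": m["time"],
        "message_node": m["node"],      # node name shown in square brackets
        "source": m["source"],
        "scada_node": scada_node,
        "tag": tag,
        "field": field,
        "user": m["user"],              # None when security was disabled
        "cause": "bypass_account" if m["user"] else "security_disabled",
    }


def summarize(lines):
    """Count bypass writes per user and list the data sources affected."""
    events = [e for e in map(parse_bypass, lines) if e]
    return {
        "total": len(events),
        "by_user": dict(Counter(e["user"] for e in events if e["user"])),
        "security_disabled": sum(e["cause"] == "security_disabled" for e in events),
        "sources": sorted({e["source"] for e in events}),
    }


def findings(lines, test_nodes=frozenset()):
    """Events to escalate: every security-disabled write, and every bypass
    write seen on a node that is not in the test allow-list (hypothetical)."""
    out = []
    for e in filter(None, map(parse_bypass, lines)):
        if e["cause"] == "security_disabled" or e["message_node"] not in test_nodes:
            out.append(e)
    return out


if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
    for e in findings(SAMPLE_LINES, test_nodes={"SAND"}):
        print("ESCALATE:", e["date"], e["time"], e["source"], e["cause"])
```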
To prevent this from happening, you can make the local computer a member of a domain. A domain is a
group of computers that share a common directory on the same network. Your security accounts should
be located on the domain controller, not on the local computer. You ensure the proper security and
password settings when you use Windows security from the domain.
If a user changes a field of a tag that requires electronic signature directly in the Database Manager
spreadsheet, that change is considered an unsigned write. Therefore, a user can change a field in a tag
that requires electronic signature in the Database Manager spreadsheet only if one of these conditions is
true:
If neither condition is true, a message box appears when the user attempts to change a field of a tag that
requires electronic signature. Here is an example of the text that appears in the message box:
[FIX:AI_1] Database block access requires electronic signature.
NOTE: Modifications to a tag made from the tag's configuration dialog box are always allowed.
When an operator executes an action at run time using one of the signature-enabled user interfaces, such
as the data link, these checks are performed to determine if the node is enabled for signing:
These checks are performed to determine if a signature is necessary for the data source if the node is
enabled for signing:
If you change the name of a node where security is enabled, electronic signatures may not work as expected.
This occurs because the system detects that security is disabled (when the security path is set to a
folder other than the default, which is the C:\Program Files\Proficy\Proficy iFIX\Local folder). To resolve
this issue, you must immediately disable and then re-enable security for the node and save the security
configuration after you change the name of the node.