FDA 21 CFR Part 11 Compliant Microscope Imaging Software

Quartz PCI-CFR is a specialized version of Quartz PCI microscopy software designed for laboratories that need to manage digital images in compliance with FDA 21 CFR Part 11 regulations governing electronic records and electronic signatures. It acquires stores, processes, and annotates images from light and electron microscopes while maintaining the complete audit trail, version control, encryption, and digital signature capabilities required by regulated laboratory environments.

The current version is PCI-CFR Version 6, which added Secure Repository support, an expanded workstation log, Windows 11 compatibility, and enhanced digital signature controls.

FDA 21 CFR Part 11 is a regulation that establishes requirements for electronic records and electronic signatures used in FDA-regulated industries, including pharmaceutical, biotechnology, and medical device manufacturing. It requires that electronic records be trustworthy, reliable, and equivalent to paper records : meaning data must be protected against unauthorized alteration, changes must be traceable, and signatures must be attributable to specific individuals.

Microscopy images present a particular challenge under 21 CFR Part 11 because, unlike text documents, it is typically not possible to compare two versions of a processed image and determine what processing steps were applied. Specialized software is therefore required to audit every processing operation and retain every predecessor version of each image in a protected, unalterable state.

PCI-CFR and Quartz PCI are separate products serving different purposes. PCI-CFR is a purpose-built product focused on 21 CFR Part 11 compliant image capture and storage, with a more targeted feature set oriented around data integrity controls rather than broad analytical capability. It also adds the following additional controls specifically for 21 CFR Part 11 compliance:

• Mandatory user authentication on every login, with re-authentication after 15 minutes of inactivity
• Complete audit trail recording every user action on every image, including date, time, username, computer name, and action detail
• Full version retention: every saved version of an image is stored; no version is ever overwritten or deleted
• Data encryption protecting stored image files against unauthorized modification
• Tamper detection via cryptographic digests: any attempt to alter a file outside of PCI-CFR is detectable
• Digital signatures enabling authorized users to sign images as electronic records
• Digitally signed PDF export: exported PDFs carry a cryptographic signature certifying they are unaltered representations of the stored data
• User roles and permissions controlling which users can acquire, view, modify, and sign data
• Workstation log tracking all system access and file access events, even when no images are saved

For batch processing runs, measurement data across all processed images is aggregated into a single CSV output file, providing a consolidated dataset ready for downstream analysis.

The audit trail in PCI-CFR records every operation carried out on an image within the software, including the date and time, the username, the computer name, and specific details of the action. This includes acquisition, all processing and annotation steps, saves, file opens, and digital signature events.

Authentication events: logins, logouts, session locks and unlocks, and failed login attempts are additionally recorded in the Windows Application Event Log, providing a system-level record of software use independent of whether any images were saved during the session.

A separate Workstation Log captures data acquisition events, file access events, and security-related events, providing a second layer of system activity tracking.

PCI-CFR uses two complementary protection mechanisms:

• Encryption: all data files are encrypted, making unauthorized modification of the underlying files virtually impossible
• Cryptographic digests: each file is protected with a digest that allows the system to detect any tampering that may have occurred, even if the encrypted data was accessed outside of PCI-CFR

If PCI-CFR detects a problem with a file when it is opened, it will deny access and flag the issue.

PCI-CFR never overwrites an existing image file. Every time an image is saved, the system generates a new versioned file pair, incrementing the version number in sequence. Both the original data as received from the instrument and every subsequent processed version are retained in full. Users can open and review any historical version of an image at any time.

This means the original raw data as it came off the instrument is always recoverable, regardless of what processing or annotation has been applied in subsequent sessions.

Authorized users belonging to the PCICFR-Sign Windows group can apply digital signatures to images stored in PCI-CFR. Applying a signature requires entry of two distinct identification components : username and password : as required by 21 CFR Part 11. The signature record includes the name of the signer, the date and time of signing, and the meaning of the signature, such as review, approval, responsibility, or authorship.

Signatures are embedded within the electronic record and cannot be separated from it. Rules can be applied to signatures to control the order in which signatures must be applied and whether a signature may be applied more than once.

A user who is logged in can also request that a different authorized user sign the image without requiring the first user to log out, supporting review workflows where the reviewer and the data originator are different individuals.

Yes. PCI-CFR can export images as digitally signed PDF files. The PDF carries a cryptographic signature applied by PCI-CFR certifying that the file is an unaltered representation of the data stored in the CFR-compliant record at the time of export. The audit trail is included in the export. These PDFs are suitable for regulatory submissions, client deliverables, or sharing with colleagues outside the organization.

The digital signature can be verified in Adobe Acrobat once the Quartz Imaging certificate has been added to the trusted identities list.

PCI-CFR manages user permissions through Windows Local Group membership. Four standard groups are provided, each granting a different level of access:

• PCICFR-Acquire: can acquire images and save newly acquired images only
• PCICFR-ReadOnly: can open and view images but cannot modify or save them
• PCICFR-ReadWrite: can open, modify, and save images
• PCICFR-Sign: can apply digital signatures to images

Users can belong to more than one group, allowing flexible role configurations. For example, a reviewer could be assigned to both PCICFR-ReadOnly and PCICFR-Sign, permitting them to review and sign images without being able to modify the underlying data.

PCI-CFR supports image acquisition from any light or electron microscope, using the same acquisition options as Quartz PCI:

• Direct integration with some PC-based SEMs
• TWAIN interface for digital still cameras on light microscopes
• Spider (hot folder): automatically loads images deposited into a designated folder by non-integrated SEMs and light microscopes
• USB slow-scan capture for analog SEMs
• Virtual Printer Driver: captures output from any Windows application with a print function, treating it as a controlled document within PCI-CFR

PCI-CFR reads and retains calibration information from most major digital SEM manufacturers.

The Secure Repository is an optional add-on for PCI-CFR that extends 21 CFR Part 11 controls to non-image data and to data generated by third-party software. It works by creating a virtual disk drive on the workstation (assigned drive letter Q: by default). Any file saved to this virtual drive : including TIF files, EDS spectra, Excel spreadsheets, or other data files : is automatically subject to version control, encryption, and audit trail tracking.

The Secure Repository is the appropriate choice when:

• You need to save raw data or analysis files from third-party software in a compliant manner
• You want to re-open and continue working with those files in their source application while maintaining version control
• You need to use third-party image analysis tools (such as particle counting software) to analyze images acquired by PCI-CFR

The Secure Repository records who saved or accessed each file and when. Because all versions are retained, it is possible to compare versions and identify changes even when the audit trail cannot capture internal operations of the third-party software.

The Virtual Printer Driver installs as a Windows printer on the workstation. Any Windows application with a print function: EDS analysis software, Excel, instrument control software can send its output to PCI-CFR simply by selecting "Send to Quartz PCI" as the printer. The output is received and stored by PCI-CFR as a controlled document, subject to version control and audit trail tracking.

The Virtual Printer Driver is the appropriate choice when you want to capture non-image data in a final, unchangeable report form, or when you want to apply a digital signature to non-image data.

Note: Because 21 CFR Part 11 requires digital signatures to be visible when data is displayed, and PCI-CFR cannot control how third-party software renders data, direct digital signatures are not available for files stored in the Secure Repository. The recommended approach for signing non-image data is to print the data to PCI-CFR via the Virtual Printer Driver and sign the resulting document within PCI-CFR.

Yes, with the Secure Repository option. Images acquired by PCI-CFR and stored in the Secure Repository are saved in industry-standard TIFF format, which can be opened by third-party image analysis software. If the file is re-saved by the external application, PCI-CFR records the event in the audit trail and retains the new version alongside all previous versions.

For labs that use specialized tools such as particle counting or image analysis software alongside PCI-CFR, this workflow maintains a compliant chain of custody without requiring that all processing be performed inside PCI-CFR.

For workflows where the standard operating procedure takes an image into external software and back, Quartz Imaging can assist with documenting the process to support compliance requirements.

PCI-CFR includes a full set of image processing and annotation tools comparable to those in Quartz PCI:

• Processing: contrast, brightness, and gamma adjustment; color correction; hue and saturation; local contrast; sharpening and median filtering; image rotation and resize; zooming, panning, false coloring, and slide show
• Measurement: line measurement, angle measurement, with measurement tools operating on the calibrated image
• Annotation: line, freehand, circle/ellipse, square/rectangle, polygon, and text drawing tools, operating on a separate overlay layer; Default Overlay for permanent marking such as company logo or confidential indicator
• General: micron marker function; slide show; dual monitor and widescreen support; output to any Windows-supported printer

All processing and annotation operations are captured in the audit trail regardless of whether the image is subsequently saved.

PCI-CFR Version 6 supports 32-bit and 64-bit versions of Microsoft Windows 7, Windows 8, Windows 10, and Windows 11.

Yes, IQ/OQ (Installation Qualification / Operational Qualification) support is available from Quartz Imaging. Qualification is conducted via web meeting, using Teams or GoToMeeting and typically takes approximately two and a half to three hours per instrument workstation. Quartz Imaging can perform the software installation as part of the IQ/OQ session, or customers can install the software themselves using the standard Windows installer and detailed configuration guidance provided by Quartz Imaging.

For sites where the instrument workstation cannot be connected to the internet, Quartz Imaging offers a license to use their IQ/OQ protocol and report template, which can be executed on-site without remote access. The license is per instrument, with no additional cost if the IQ/OQ needs to be repeated on the same instrument.

Requirements for a web-meeting IQ/OQ include a workstation connected to the corporate network, a local administrator login, installed driver software for the instrument (TWAIN driver for light microscope cameras, for example), a sample of known dimensions for SEM systems, and a stage micrometer for light microscope systems.

Yes. PCI-CFR uses a standard Windows installer and Quartz Imaging provides detailed configuration documentation to support independent installation. IQ/OQ support is available as a separate service if required.

Quartz PCI-CFR Version 6 runs on 32-bit and 64-bit versions of Microsoft Windows 7, Windows 8, Windows 10, and Windows 11

Quartz PCI-CFR is sold by subscription. As a subscriber, you receive ongoing access to technical support and periodic updates to the latest version.

A PCI-CFR subscription includes access to the current version of the software, ongoing technical support, and periodic software updates as they are released.

If the computer has internet access, activation occurs automatically the first time the software is launched. If automatic activation fails, you can activate manually by saving an Activation Request file and uploading it to https://activation.quartzimaging.com, or by emailing the file to activate@quartzimaging.com

Yes. Manual activation is available. You save the Activation Request file to a USB drive, transfer it to an internet-connected computer, upload it to the Quartz Imaging activation portal, then return the License Key file to the offline computer and load it into PCI-CFR.

Quartz Imaging provides technical support to all active subscribers. You can contact Quartz Imaging via the support email listed on www.quartzimaging.com.