
Meeting 21 CFR Part 11 Requirements

The U.S. Food and Drug Administration (FDA) introduced 21 CFR Part 11 (Part 11) to promote the use of electronic technology in the life sciences industry in a way that is compatible with FDA's responsibility to protect public health. MetricStream, a provider of quality and compliance management solutions to life sciences companies, has designed its software to let customers streamline internal operations and procedures while adhering to the Part 11 regulations. This paper discusses the specific MetricStream solution capabilities that address each Part 11 requirement.

Overview of 21 CFR Part 11
Part 11 provides the criteria under which FDA will consider electronic records to be equivalent to paper records, and electronic signatures equivalent to traditional handwritten signatures. Part 11 applies to records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted under any records requirement in agency regulations, and it allows such electronic records to be used in lieu of paper records. Electronic signatures that meet the requirements of the rule are considered equivalent to full handwritten signatures, initials, and other general signings required by agency regulations.

MetricStream and requirements for electronic records
Controls for closed systems (21 CFR 11.10): Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following:

Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.
MetricStream works closely with customers and provides the tools and expertise needed to carry out a successful validation and deploy the system in production. MetricStream's implementation methodology includes a Validation Master Plan that covers the creation of scripts and documentation for Installation Qualification (IQ), Operational Qualification (OQ), and Performance Qualification (PQ). The MetricStream professional services team collaborates with the customer's IT and functional staff to execute these tests and document the results. MetricStream has also partnered with consulting organizations that specialize in system validation to deliver turnkey solutions.

The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency.
MetricStream solution stores all records and data in a secure and reliable enterprise-grade database like Oracle. An easy-to-use interface is provided to view any record or data. The solution has an in-built reporting engine that enables authorized users to define and generate scheduled or ad hoc reports. These reports can be viewed on computer screen, printed, or exported to standard formats like Microsoft Excel, Microsoft Word, and Adobe PDF to be stored locally or sent as email attachments.

Protection of records to enable their accurate and ready retrieval throughout the records retention period.
The MetricStream solution stores all records and data in a secure, enterprise-grade database such as Oracle. MetricStream works with customers to design a fault-tolerant software and hardware infrastructure. The system is configured for periodic archiving and backup storage so that any record can be accurately and easily retrieved throughout its retention period. Access to these records is restricted to authorized users.

Limiting system access to authorized individuals.
MetricStream enforces a high level of security through various protocols and procedures to limit system access to authorized individuals. Each user has a unique username and password that is required each time a new session is started. If a session is left idle for a configured period, the user is automatically logged out. Each form can be configured so that when a user performs an action such as creating, changing, or approving a record, a second password, which serves as the user's electronic signature, is required. This ensures that only authorized individuals can perform each action and protects against unauthorized use even when a user walks away from a logged-in session.

Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.
The MetricStream solution stores and manages records in a way that provides accountability throughout the organization. Each change to the system is stored separately as a new record and does not erase the previously stored information. This provides complete traceability across the system, capturing all entries and actions along with their date and time. The solution can generate an accurate, time-stamped audit trail that shows the state of records at various points in time and who made which changes, along with the reason for each change. This audit information can be retrieved as reports and presented to FDA for review. The system can also be set up to generate scheduled audit reports and archive them for the stipulated retention period.
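The design described above, in which every change is appended as a new row and nothing is overwritten, is easy to get wrong if the application layer is the only thing preventing updates. The following is an added example, not MetricStream's code, that models that audit trail in SQLite: every create, modify, or delete becomes a new row with a server-assigned timestamp, database triggers reject any UPDATE or DELETE against the trail, and the state of a record at any instant is rebuilt by replaying entries. The table layout, the deviation record, the user names, and the fixed clock are constructed for illustration.

```python
"""Append-only audit trail with point-in-time reconstruction (added example)."""
import sqlite3
from datetime import datetime, timezone

# Assumed table layout; a real system would also carry the record's full content.
DDL = """
CREATE TABLE audit_trail (
    seq        INTEGER PRIMARY KEY AUTOINCREMENT,  -- server-assigned ordering
    record_id  TEXT NOT NULL,
    ts_utc     TEXT NOT NULL,                      -- server clock, never client-supplied
    actor      TEXT NOT NULL,
    action     TEXT NOT NULL CHECK (action IN ('create', 'modify', 'delete')),
    field      TEXT,
    old_value  TEXT,
    new_value  TEXT,
    reason     TEXT NOT NULL
);
-- Changes must not obscure previously recorded information: refuse rewrites
-- at the database layer, not only in application code.
CREATE TRIGGER no_update BEFORE UPDATE ON audit_trail
    BEGIN SELECT RAISE(ABORT, 'audit trail is append-only'); END;
CREATE TRIGGER no_delete BEFORE DELETE ON audit_trail
    BEGIN SELECT RAISE(ABORT, 'audit trail is append-only'); END;
"""


class AuditTrail:
    def __init__(self, clock=None):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(DDL)
        # The clock is injectable so the example is deterministic; in
        # production it must be the server's clock, never the browser's.
        self.clock = clock or (lambda: datetime.now(timezone.utc))

    def log(self, record_id, actor, action, reason, field=None, old=None, new=None):
        """Append one entry and return the server timestamp assigned to it."""
        ts = self.clock().isoformat()
        self.db.execute(
            "INSERT INTO audit_trail (record_id, ts_utc, actor, action, field,"
            " old_value, new_value, reason) VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
            (record_id, ts, actor, action, field, old, new, reason))
        self.db.commit()
        return ts

    def state_at(self, record_id, ts_utc):
        """Rebuild the record's field values as they stood at ts_utc (ISO-8601 UTC)."""
        rows = self.db.execute(
            "SELECT action, field, new_value FROM audit_trail"
            " WHERE record_id = ? AND ts_utc <= ? ORDER BY seq",
            (record_id, ts_utc)).fetchall()
        state, deleted = {}, False
        for action, field, new_value in rows:
            if action == "delete":
                deleted = True
            elif field is not None:
                state[field] = new_value
        return None if deleted else state

    def history(self, record_id):
        """Full who/what/when/why listing for agency review."""
        return self.db.execute(
            "SELECT ts_utc, actor, action, field, old_value, new_value, reason"
            " FROM audit_trail WHERE record_id = ? ORDER BY seq", (record_id,)).fetchall()

    def tamper_blocked(self, seq, new_value):
        """Return True if an attempt to rewrite an existing entry is rejected."""
        try:
            self.db.execute("UPDATE audit_trail SET new_value = ? WHERE seq = ?",
                            (new_value, seq))
            self.db.commit()
            return False
        except sqlite3.DatabaseError:   # RAISE(ABORT) from the trigger lands here
            self.db.rollback()
            return True


def demo():
    """Constructed sample: a deviation record is created, corrected, then closed by QA."""
    ticks = iter(["2024-01-10T09:00:00+00:00",
                  "2024-01-10T09:05:00+00:00",
                  "2024-01-11T14:30:00+00:00"])
    trail = AuditTrail(clock=lambda: datetime.fromisoformat(next(ticks)))
    trail.log("DEV-001", "jsmith", "create", "new deviation opened", "status", None, "open")
    trail.log("DEV-001", "jsmith", "modify", "root cause confirmed",
              "root_cause", "", "operator error")
    trail.log("DEV-001", "mjones", "modify", "QA approval", "status", "open", "closed")
    before_closure = trail.state_at("DEV-001", "2024-01-10T12:00:00+00:00")
    after_closure = trail.state_at("DEV-001", "2024-01-11T23:59:59+00:00")
    blocked = trail.tamper_blocked(1, "rewritten")
    return trail, before_closure, after_closure, blocked


if __name__ == "__main__":
    trail, before, after, blocked = demo()
    print("state before closure:", before)
    print("state after closure: ", after)
    print("rewrite blocked:     ", blocked)
    for row in trail.history("DEV-001"):
        print(row)
```

Point-in-time reconstruction works because the entries are ordered by a server-assigned sequence and a server timestamp; if the client supplied either, an operator could backdate an edit. Retention of the trail itself for at least as long as the underlying records still has to be enforced by the backup and archiving schedule, which this snippet does not model.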

Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.
The MetricStream solution is implemented to replicate the Standard Operating Procedures (SOPs) that customers follow for their quality processes. Using the MetricStream Process Flow Designer tool, workflows are configured according to the sequence of steps and events in the SOPs. The solution provides considerable flexibility during configuration; for example, workflows can include parallel or serial steps and events, routing of information to multiple individuals, escalation rules, authoring rights, review and approval privileges, optional and mandatory fields, reassignment of tasks, and so on. Once configured and deployed in production, the solution enforces the proper sequencing of steps and events. Any change to a workflow requires authorization and documentation at an appropriate level.

Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.
The access controls described above under limiting system access apply here as well: each user has a unique username and password required at the start of every session, idle sessions are automatically logged out, and each form can be configured to require a second password, serving as the user's electronic signature, before a record is created, changed, or approved. This ensures that only authorized individuals can perform each action and protects against unauthorized use even when a user walks away from a logged-in session.

The MetricStream Manage Users feature allows customers to assign individual users to specific work groups or roles according to their responsibilities. By assigning specific responsibilities to specific users, customers can better match user access to job function and skill level. The system administrator can create and manage user profiles and assign role-based access privileges for actions such as modifying, appending, or approving a record.

Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction
The MetricStream solution is fully web-based and is delivered over the customer's corporate intranet, so the network security and administrative infrastructure already used to manage the intranet extends to the MetricStream solution as well. In addition, the solution records the user and the computer (IP address) used to log in and maintains a log of the sources of data input and operational instructions.

Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.
The MetricStream development and professional services teams comprise qualified individuals with in-depth knowledge of applying information technology in the quality and compliance arena of the life sciences industry. Changes and trends in the regulatory environment are closely monitored and appropriate training is given to MetricStream staff. The solution roadmap incorporates features that match emerging industry standards and practices.

MetricStream provides comprehensive training to customers' staff depending on their usage of the solution. The training includes system administration training for the IT staff that enables them to maintain and manage the solution on an ongoing basis, as well as user training to functional users and managers that enables them to efficiently carry out their day-to-day responsibilities. These training programs can be conducted on an ongoing basis to keep users up to date.

The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.
MetricStream provides strong security through the protocols and procedures governing electronic signatures, limiting system access to authorized individuals. Organizations can further deter record and signature falsification by putting written policies in place that reinforce the sanctity of electronic signatures and hold individuals accountable for actions initiated under their electronic signatures.

Use of appropriate controls over systems documentation including:

  • Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.
  • Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.

MetricStream provides complete documentation for the solution in the form of user guides and system administration guides. The distribution of, access to, and use of these documents can be controlled just as other internal documents are managed in the organization. All updates and modifications to the solution are accompanied by corresponding revisions to the documentation. These changes can follow the same change control procedures the organization already uses for other internal documents, maintaining an audit trail that captures the time-sequenced development and modification of the documentation.

Controls for open systems (21 CFR 11.30): Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in 11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality.

If customers choose to deploy the MetricStream solution in an open-system environment, it integrates with established technologies and standards for document encryption, virtual private networks (VPN), digital signatures and certificates, and similar measures to ensure the authenticity, integrity, and confidentiality of records in transit and at rest.

Signature manifestations (21 CFR 11.50)

  • Signed electronic records shall contain information associated with the signing that clearly indicates all of the following:
    • The printed name of the signer;
    • The date and time when the signature was executed; and
    • The meaning (such as review, approval, responsibility, or authorship) associated with the signature.

The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout).
The procedure for electronic signatures in MetricStream solution records the name of the signer, the date and time of signature execution, and the exact activity for which the signature has been executed, such as record creation, modification, approval, or review. This information is reflected on the record when it is retrieved on the computer screen, exported to other formats, or printed.

Signature/record linking (21 CFR 11.70): Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means.
Each electronic signature is tightly tied to the record for which it was executed and stored in a secure database such as Oracle. The password used to execute the electronic signature is not stored with the record but is maintained separately under strict control of the system administrator. This design ensures that electronic signatures cannot be tampered with to falsify electronic records.
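The two requirements above, signature manifestation (printed name, time, meaning shown on every human-readable form) and signature/record linking (the signature cannot be moved to another record), can be demonstrated together. The following is an added example, not MetricStream's implementation, showing one way to bind a signature manifest to exactly one version of a record: the manifest carries the signer's name, timestamp, meaning, and a SHA-256 digest of the record's canonical content, and an HMAC over the manifest, keyed with a secret held outside the record store, detects any attempt to edit the signed record or transplant the signature. The key value, the SOP records, and the signer are constructed for illustration; a deployment on an open system would use a digital signature standard (for example an X.509-backed signature) in place of the shared-key HMAC.

```python
"""Electronic signature manifestation bound to a single record version (added example)."""
import hashlib
import hmac
import json

# Stand-in for a secret that lives outside the record database (assumption).
SIGNING_KEY = b"example-signing-key-held-outside-the-record-store"


def _canonical(obj) -> bytes:
    """Deterministic JSON so the same content always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def record_digest(record: dict) -> str:
    return hashlib.sha256(_canonical(record)).hexdigest()


def sign_record(record, record_id, signer_name, meaning, signed_at, key=SIGNING_KEY):
    """Produce the signature manifest for one record version.

    The three 11.50 manifestation items (signer, signed_at, meaning) are part of
    the authenticated data, so they cannot be altered after signing either.
    """
    manifest = {
        "record_id": record_id,
        "record_sha256": record_digest(record),
        "signer": signer_name,
        "signed_at": signed_at,
        "meaning": meaning,
    }
    manifest["tag"] = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return manifest


def verify_signature(record, record_id, signature, key=SIGNING_KEY) -> bool:
    """True only if the signature was made over this exact record and is unmodified."""
    data = dict(signature)
    tag = data.pop("tag", None)
    if tag is None or data.get("record_id") != record_id:
        return False
    if data.get("record_sha256") != record_digest(record):
        return False   # record content changed after signing, or wrong record
    expected = hmac.new(key, _canonical(data), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def render(record, signature) -> str:
    """Human-readable form (screen/printout) that carries the manifestation items."""
    lines = [f"{k}: {v}" for k, v in sorted(record.items())]
    lines += [f"Signed by: {signature['signer']}",
              f"Signed at: {signature['signed_at']}",
              f"Meaning:   {signature['meaning']}"]
    return "\n".join(lines)


def demo():
    """Constructed sample: an SOP approval, then three falsification attempts."""
    sop = {"title": "SOP-42 Cleaning validation", "revision": 3, "body": "..."}
    sig = sign_record(sop, "SOP-42", "Jane Smith", "approval", "2024-03-01T10:15:00Z")
    genuine = verify_signature(sop, "SOP-42", sig)
    # 1. The record is edited after it was signed.
    edited = dict(sop, revision=4)
    altered = verify_signature(edited, "SOP-42", sig)
    # 2. The signature row is copied onto a different record.
    other = {"title": "SOP-43 Equipment calibration", "revision": 1, "body": "..."}
    transplanted = verify_signature(other, "SOP-43", sig)
    # 3. The copied manifest is also rewritten to point at the other record.
    retargeted = dict(sig, record_id="SOP-43", record_sha256=record_digest(other))
    forged = verify_signature(other, "SOP-43", retargeted)
    return genuine, altered, transplanted, forged, render(sop, sig)


if __name__ == "__main__":
    genuine, altered, transplanted, forged, text = demo()
    print(text)
    print("genuine:", genuine, "| edited:", altered,
          "| transplanted:", transplanted, "| forged:", forged)
```

Storing the signature in the same table as the record is not by itself enough to satisfy 11.70; what matters is that the verification step above fails whenever the record content, the record identity, or the manifestation items differ from what was signed, and that the key or private key used to sign is not reachable by someone who can write to the record store.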

MetricStream and requirements for electronic signatures

General requirements (21 CFR 11.100)

Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.
The customer's system administrator assigns unique usernames and passwords to individuals to control access rights to the MetricStream solution. The Manage Users feature of the solution gives the system administrator complete control over user profiles, including the passwords used for electronic signatures.

Before an organization establishes, assigns, certifies, or otherwise sanctions an individual's electronic signature, or any element of such electronic signature, the organization shall verify the identity of the individual.
The MetricStream Manage Users feature gives system administrators complete control over adding and managing users who have access to the system. A user profile must be created, and the individual's identity verified, before access to the system and to electronic signing is enabled.

Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures.

  • The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional Operations (HFC-100), 5600 Fishers Lane, Rockville, MD 20857.
  • Persons using electronic signatures shall, upon agency request, provide additional certification or testimony that a specific electronic signature is the legally binding equivalent of the signer's handwritten signature
This is a procedural requirement from FDA and is met by filing the necessary certification with the agency.

Electronic signature components and controls (21 CFR 11.200)

  • Electronic signatures that are not based upon biometrics shall:
    • Employ at least two distinct identification components such as an identification code and password.

MetricStream meets this requirement by employing three distinct identification components for each user: the username assigned to the user, a password needed to log in to the system, and a separate password needed to execute an operation or action on a record.

When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.
MetricStream meets this requirement by prompting for the username and password for executing each electronic signature. Even if a series of signings are done during a single, continuous period of controlled system access, username and password are required for each signing to ensure authenticity.

When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.

MetricStream meets this requirement by prompting for the username and password for executing each electronic signature.

Be used only by their genuine owners.
The MetricStream Manage Users feature gives system administrators complete control over assigning unique usernames and passwords to authorized users. If multiple failed login attempts are made, the user is blocked from the system and the system administrator is notified, preventing unauthorized access. The sanctity of electronic signatures is reinforced during training to discourage informal sharing of passwords.

Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.
MetricStream documentation includes a procedure under which any change to an electronic signature password by someone other than its owner requires the recorded presence and approval of two or more individuals. This procedure is covered during training, and MetricStream can assist customers in putting policies in place to ensure compliance with this requirement.

Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners
MetricStream does not rely on biometrics based electronic signatures.

Controls for identification codes/passwords (21 CFR 11.300): Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include:

  • Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same combination of identification code and password.

The MetricStream solution ensures that the components of electronic signatures are distinct and unique for each user. The Manage Users feature gives system administrators complete control over assigning usernames and passwords to authorized users. Password policies that check properties such as the number and type of characters can be configured.

Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).
The MetricStream Manage Users feature gives system administrators complete control over assigning usernames and passwords to authorized users. Usernames and passwords can be reset periodically, and they can be configured to expire on a given date. If multiple failed login attempts are made, the user is blocked from the system and the system administrator is notified, preventing unauthorized access.

Following loss management procedures to electronically de-authorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.
MetricStream enables the system administrator to deactivate a user's login if a username and password are compromised. MetricStream can assist customers in putting policies and procedures in place for reporting such incidents. User training sessions can be used to reinforce the sanctity of electronic signatures and ensure prompt reporting of any such incidents.

Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.
If multiple failed login attempts are made against the MetricStream system, the user is blocked from the system and the system administrator is notified, preventing unauthorized access.
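The identification code and password controls listed in this section (unique code per user, password aging, de-authorization of a compromised credential, and lockout with an immediate alert on repeated failures) fit naturally into one authentication routine. The following is an added example, not MetricStream's code, that implements those controls together: passwords are stored only as salted PBKDF2 hashes, a failure counter locks the account after a threshold and raises an alert to the security unit, an expired password is refused even when correct, and a deactivated account is refused regardless. The threshold, maximum password age, user names, and the list used as the alert sink are assumptions chosen for illustration.

```python
"""Identification code/password controls with lockout and alerting (added example)."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

MAX_FAILURES = 3                       # assumed policy: lock after 3 bad attempts
PASSWORD_MAX_AGE = timedelta(days=90)  # assumed policy: password aging period
PBKDF2_ROUNDS = 100_000


class Account:
    def __init__(self, user_id, password, now):
        self.user_id = user_id
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(password, self.salt)   # the password itself is never kept
        self.pw_set_at = now
        self.failures = 0
        self.locked = False
        self.active = True

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def password_matches(self, password):
        return hmac.compare_digest(self._hash(password, self.salt), self.pw_hash)


class Authenticator:
    """Login gate enforcing uniqueness, aging, de-authorization, lockout and alerting."""

    def __init__(self, alert_sink):
        self.accounts = {}
        # Any list-like sink; a real deployment would page the security unit.
        self.alerts = alert_sink

    def enroll(self, user_id, password, now):
        if user_id in self.accounts:           # identification codes stay unique
            raise ValueError(f"identification code already issued: {user_id}")
        self.accounts[user_id] = Account(user_id, password, now)

    def deactivate(self, user_id):
        """Loss management: de-authorize a compromised credential immediately."""
        self.accounts[user_id].active = False

    def _alert(self, user_id, event, now):
        self.alerts.append({"user": user_id, "event": event, "at": now.isoformat()})

    def authenticate(self, user_id, password, now):
        acct = self.accounts.get(user_id)
        if acct is None:
            self._alert(user_id, "unknown_user", now)
            return "denied"
        if not acct.active:
            self._alert(user_id, "use_of_deactivated_credential", now)
            return "deactivated"
        if acct.locked:
            self._alert(user_id, "attempt_on_locked_account", now)
            return "locked"
        if not acct.password_matches(password):
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.locked = True
                self._alert(user_id, "lockout_after_repeated_failures", now)
                return "locked"
            return "bad_password"
        if now - acct.pw_set_at > PASSWORD_MAX_AGE:
            return "password_expired"        # correct but aged out; must be revised
        acct.failures = 0                    # successful login resets the counter
        return "ok"


def demo():
    """Constructed sample run exercising each control."""
    alerts = []
    auth = Authenticator(alerts)
    now = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
    auth.enroll("jsmith", "correct horse battery staple", now)
    auth.enroll("mjones", "Tr0ub4dor&3", now - timedelta(days=120))  # stale password
    results = {
        "good": auth.authenticate("jsmith", "correct horse battery staple", now),
        "bad1": auth.authenticate("jsmith", "wrong", now),
        "bad2": auth.authenticate("jsmith", "wrong", now),
        "bad3": auth.authenticate("jsmith", "wrong", now),
        "after_lock": auth.authenticate("jsmith", "correct horse battery staple", now),
        "expired": auth.authenticate("mjones", "Tr0ub4dor&3", now),
    }
    auth.deactivate("mjones")
    results["deactivated"] = auth.authenticate("mjones", "Tr0ub4dor&3", now)
    return results, alerts


if __name__ == "__main__":
    results, alerts = demo()
    for k, v in results.items():
        print(f"{k:12s} -> {v}")
    for a in alerts:
        print("ALERT", a)
```

The lockout alert is raised at the moment the threshold is crossed rather than batched into a later report, which is what "immediate and urgent" reporting requires; a further alert on each attempt against an already locked account gives the security unit evidence of a continuing attack rather than a single mistyped password.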

Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to ensure that they function properly and have not been altered in an unauthorized manner.
MetricStream does not rely on such devices for generating electronic signatures.