MetricStream

Enterprise Quality & Compliance Management Solutions

Meeting 21 CFR Part 11 Requirements


Introduction
The Food and Drug Administration (FDA) introduced 21 CFR Part 11 (Part 11) regulations to promote wide usage
of electronic technology in the life sciences industry in a way that is compatible with FDA's responsibility to
protect public health. MetricStream, the leading provider of quality and compliance management solutions to
life sciences companies, has designed its software to enable customers to streamline internal operations and
procedures while fully adhering to the Part 11 regulations. This paper discusses specific MetricStream solution
capabilities that address the Part 11 requirements.
Overview of 21 CFR Part 11
Part 11 provides criteria under which FDA will consider electronic records to be equivalent to paper records,
and electronic signatures equivalent to traditional and written signatures. Part 11 applies to any paper records
required by statute or agency regulations and supersedes any existing paper record requirements by providing
that electronic records may be used in lieu of paper records. Electronic signatures which meet the requirements
of the rule will be considered to be equivalent to full handwritten signatures, initials, and other general signings
required by agency regulations. Part 11 is divided into the following subparts:
Subpart A - General Provisions
11.1 Scope.
11.2 Implementation.
11.3 Definitions.
Subpart B - Electronic Records
11.10 Controls for closed systems.
11.30 Controls for open systems.
11.50 Signature manifestations.
11.70 Signature/record linking.
Subpart C - Electronic Signatures
11.100 General requirements.
11.200 Electronic signature components and controls.
11.300 Controls for identification codes/passwords.

Subpart A provides the general provisions that describe the scope, implementation, and definitions. Subparts B
and C describe the specific requirements for the software and hardware systems pertaining to Electronic
Records and Electronic Signatures respectively.
MetricStream and requirements for electronic records
11.10 Controls for closed systems: Persons who use closed systems to create, modify, maintain, or transmit electronic records shall
employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic
records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall
include the following:
(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered
records.

TECHNICAL BRIEF

MetricStream works closely with customers and provides the necessary tools and expertise to rapidly carry out
a successful validation and deploy the system in production. MetricStream implementation methodology includes
a Validation Master Plan that covers creation of scripts and documentation for Installation Qualification (IQ),
Operational Qualification (OQ), and Performance Qualification (PQ). MetricStream professional services team
collaborates with customers' IT and functional staff to execute these tests and document the results. MetricStream
has also partnered with leading consulting organizations that specialize in system validation to deliver turnkey
solutions.
(b) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection,
review, and copying by the agency.

MetricStream solution stores all records and data in a secure and reliable enterprise-grade database like
Oracle. An easy-to-use interface is provided to view any record or data. The solution has an in-built reporting
engine that enables authorized users to define and generate scheduled or ad hoc reports. These reports can
be viewed on computer screen, printed, or exported to standard formats like Microsoft Excel, Microsoft Word,
and Adobe PDF to be stored locally or sent as email attachments.

Figure: Exporting Reports

(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period.

MetricStream solution stores all records and data in a secure and reliable enterprise-grade database like
Oracle. MetricStream works with customers to design the software-hardware infrastructure that is failsafe. The
system is configured for periodic archiving and backup storage so that any record can be accurately and easily
retrieved as and when required. The access to these records is restricted to authorized users.
(d) Limiting system access to authorized individuals.

MetricStream enforces a high-level of security through various protocols and procedures to limit system access
to authorized individuals. Each user has a unique username and password that is required each time a new
session is started. If a computer system is left idle for a certain time, the user is automatically logged out. Each
form can be configured such that when a user performs an action like creating, changing, or approving a
record, a second password, which serves as the user's electronic signature, is required. This ensures that only
authorized individuals can perform each action and protects against unauthorized usage even when a user
leaves the system after logging in.
(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and
actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit
trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be
available for agency review and copying.

MetricStream solution has a unique way of storing and managing records to achieve accountability throughout
the organization. Each change to the system is stored separately as a new record and does not erase the
previously stored information. This ensures complete traceability across the system to capture all entries and
actions along with their date and time information. The solution can generate an accurate time-stamped audit
trail that shows the state of records at various points in time and who made what changes to the records along
with the reason for each change. This audit information can be retrieved as reports and presented to FDA for
review. The system can be set up to generate scheduled audit reports and archive them for the stipulated time
period.
(f) Use of operational system checks to enforce permitted sequencing of steps and events, as appropriate.

MetricStream solution is implemented to replicate the Standard Operating Procedures (SOPs) that customers
follow for their quality processes. Using MetricStream Process Flow Designer Tool, workflows are configured
as per the sequence of steps and events in SOPs. The solution provides tremendous flexibility during
configuration; for example, workflows can include parallel or serial steps and events, information routing to
multiple individuals, escalation rules, authoring rights, reviewing and approval privileges, optional and mandatory
fields, reassigning of assignments, etc. Once configured and deployed in production, the solution enforces
proper sequencing of steps and events. Any changes to this workflow require authorization and documentation
at an appropriate level.
(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the
operation or computer system input or output device, alter a record, or perform the operation at hand.

MetricStream enforces a high-level of security through various protocols and procedures to limit system access
to authorized individuals. Each user has a unique username and password that is required each time a new
session is started. If a computer system is left idle for a certain time, the user is automatically logged out. Each
form can be configured such that when a user performs an action like creating, changing, or approving a
record, a second password, which serves as the user's electronic signature, is required. This ensures that only
authorized individuals can perform each action and protects against unauthorized usage even when a user
leaves the system after logging in.

The MetricStream Manage Users feature allows customers to assign individual users to specific work groups
or roles according to their responsibilities. By assigning specific responsibilities to specific users, customers
can better match user access to job function and skill level. The system administrator can create and manage
user profiles and assign roles-based access privileges for actions like modifying, appending, or approving a
record.

Figure: User Management

(h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.

MetricStream solution is fully web-based and is delivered through the customer's corporate intranet network.
The networking security and administrative infrastructure being used to manage the intranet is extended to
MetricStream solution as well. Moreover, MetricStream solution stores information about the user and the
computers (IP address) used to login and maintains a log of sources of data input and operational instructions.
(i) Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education,
training, and experience to perform their assigned tasks.

MetricStream development and professional services team comprises highly qualified individuals with in-depth
knowledge of application of information technology in the quality and compliance arena of the life science
industry. The changes and trends in the regulatory environment are closely monitored and appropriate training
is given to MetricStream staff. The solution roadmap incorporates features that match emerging industry
standards and practices.
MetricStream provides comprehensive training to customers' staff depending on their usage of the solution.
The training includes system administration training for the IT staff that enables them to maintain and manage
the solution on an ongoing basis, as well as user training to functional users and managers that enables them
to efficiently carry out their day-to-day responsibilities. These training programs can be conducted on an
ongoing basis to keep users up to date.
(j) The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under
their electronic signatures, in order to deter record and signature falsification.

MetricStream provides bulletproof security through various protocols and procedures of electronic signatures
to limit system access to authorized individuals. Organizations can further deter record and signature falsification
by putting written policies in place that reinforce the sanctity of electronic signatures and hold individuals
accountable for actions initiated under their electronic signatures.
(k) Use of appropriate controls over systems documentation including:
(1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.
(2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification
of systems documentation.

MetricStream provides complete documentation on the solution in the form of user guides and system
administration guides. The distribution of, access to, and use of these documents can be controlled just as other
internal documents are managed in the organization. All updates and modifications to the solution are
accompanied by appropriate revision and changes to the documentation. These changes can follow the same
change control procedures already being used in the organization for other internal documents to maintain an
audit trail and capture time-sequenced development and modifications.
11.30 Controls for open systems: Persons who use open systems to create, modify, maintain, or transmit electronic records shall
employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic
records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in 11.10,
as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as
necessary under the circumstances, record authenticity, integrity, and confidentiality.

If customers choose to deploy MetricStream solution in an open system environment, it seamlessly integrates
with state-of-the-art technologies and standards related to document encryption, virtual private networks (VPN),
digital signature and certificates, etc. to ensure authenticity, integrity, and confidentiality of records.
11.50 Signature manifestations.
(a) Signed electronic records shall contain information associated with the signing that clearly indicates all of the following:
(1) The printed name of the signer;
(2) The date and time when the signature was executed; and
(3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature.
(b) The items identified in paragraphs (a)(1), (a)(2), and (a)(3) of this section shall be subject to the same controls as for electronic
records and shall be included as part of any human readable form of the electronic record (such as electronic display or printout).

The procedure for electronic signatures in MetricStream solution records the name of the signer, the date and
time of signature execution, and the exact activity for which the signature has been executed, such as record
creation, modification, approval, or review. This information is reflected on the record when it is retrieved on
the computer screen, exported to other formats, or printed.

Figure: Electronic Signatures

11.70 Signature/record linking: Electronic signatures and handwritten signatures executed to electronic records shall be linked to their
respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic
record by ordinary means.

Each electronic signature is tightly tied to the record for which it was executed and stored in a secure database
like Oracle. The password used to execute the electronic signature is not stored along with the record but
maintained separately under strict control of the system administrator. This methodology ensures that the
electronic signatures cannot be tampered with for falsification of electronic records.
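
The following sketch is an added example, not MetricStream's code. It illustrates the append-only audit trail described under 11.10(e) and the signature/record linking described under 11.70. The class and function names, the hash chain, and the server-side HMAC key are assumptions introduced for illustration; the sample records are constructed.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64

def _digest(obj):
    """SHA-256 over a canonical JSON encoding of obj."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

class AuditTrail:
    """Append-only store: every change is a new entry, nothing is overwritten."""

    def __init__(self):
        self.entries = []

    def append(self, record_id, user, action, reason, data, ts):
        body = {"seq": len(self.entries), "record_id": record_id, "user": user,
                "action": action, "reason": reason, "data": data, "ts": ts,
                # Hash chaining is an added tamper-evidence measure (assumption).
                "prev": self.entries[-1]["hash"] if self.entries else GENESIS}
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry

    def verify_chain(self):
        """True only if no stored entry was edited, removed or reordered."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or e["hash"] != _digest(body):
                return False
            prev = e["hash"]
        return True

    def state_at(self, record_id, ts):
        """Record content as it stood at time ts (None if absent or deleted)."""
        state = None
        for e in self.entries:
            if e["record_id"] == record_id and e["ts"] <= ts:
                state = None if e["action"] == "delete" else e["data"]
        return state

def _mac(manifest, key):
    return hmac.new(key, _digest(manifest).encode(), hashlib.sha256).hexdigest()

def sign(entry, signer_name, meaning, ts, key):
    """11.50 manifestation (name, time, meaning) bound to one record version."""
    manifest = {"signer": signer_name, "meaning": meaning, "ts": ts,
                "record_id": entry["record_id"], "version_hash": entry["hash"]}
    return dict(manifest, mac=_mac(manifest, key))

def verify_signature(sig, entry, key):
    """False if the signature was altered or moved to another record version."""
    manifest = {k: v for k, v in sig.items() if k != "mac"}
    return (hmac.compare_digest(_mac(manifest, key), sig["mac"])
            and sig["record_id"] == entry["record_id"]
            and sig["version_hash"] == entry["hash"])

def demo():
    # Constructed sample data; fixed-format UTC timestamps sort correctly as text.
    trail, key = AuditTrail(), b"constructed-demo-key"  # hypothetical server-side key
    v1 = trail.append("CAPA-001", "asmith", "create", "initial entry",
                      {"status": "open"}, "2014-03-01T09:00:00Z")
    v2 = trail.append("CAPA-001", "bjones", "modify", "root cause found",
                      {"status": "closed"}, "2014-03-05T14:30:00Z")
    sig = sign(v2, "B. Jones", "approval", "2014-03-05T14:31:00Z", key)
    return trail, v1, v2, sig, key
```

Because the signature covers the hash of one specific record version, copying it onto another version or editing its stated meaning makes verification fail, and editing any stored entry breaks the chain check.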
MetricStream and requirements for electronic signatures
11.100 General requirements.
(a) Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.

The customers' system administrator assigns unique usernames and passwords to individuals to control access
rights to MetricStream solution. The Manage Users feature of the solution gives system administrator complete
control to manage user profiles including passwords used for electronic signatures.
(b) Before an organization establishes, assigns, certifies, or otherwise sanctions an individual's electronic signature, or any element of
such electronic signature, the organization shall verify the identity of the individual.

MetricStream Manage User feature gives system administrators complete control on adding and managing
users who have access to the system. Proper user profiles need to be created before access to the system
and electronic signature is enabled to verify the identity of the individual.
(c) Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in
their system, used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures.
(1) The certification shall be submitted in paper form and signed with a traditional handwritten signature, to the Office of Regional
Operations (HFC-100), 5600 Fishers Lane, Rockville, MD 20857.
(2) Persons using electronic signatures shall, upon agency request, provide additional certification or testimony that a specific
electronic signature is the legally binding equivalent of the signer's handwritten signature.

This is a procedural requirement from FDA and can be met by filing the necessary documentation with the agency.

11.200 Electronic signature components and controls.


(a) Electronic signatures that are not based upon biometrics shall:
(1) Employ at least two distinct identification components such as an identification code and password.

MetricStream meets this requirement by employing 3 distinct and unique identification components for each
user. These are the user name assigned to each user, a password needed for logging into the system, and
another password needed to execute an operation or action on any record.
(i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing
shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic
signature component that is only executable by, and designed to be used only by, the individual.

MetricStream meets this requirement by prompting for the username and password for executing each electronic
signature. Even if a series of signings are done during a single, continuous period of controlled system access,
username and password are required for each signing to ensure authenticity.
(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system
access, each signing shall be executed using all of the electronic signature components.

MetricStream meets this requirement by prompting for the username and password for executing each electronic
signature.
(2) Be used only by their genuine owners.

MetricStream Manage User feature gives system administrators complete control on assigning unique
usernames and passwords to authorized users who have access to the system. If multiple failed attempts are
made to login, the user is blocked from the system and the system administrator is notified to avoid any
unauthorized access. The sanctity of electronic signatures is reinforced during training to avoid informal sharing
of passwords with others.
(3) Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine
owner requires collaboration of two or more individuals.

MetricStream documentation includes procedures under which a change to an electronic signature password by
anyone other than its owner requires the recorded presence and approval of two or more individuals. This
procedure is covered during the training, and MetricStream can assist customers in putting policies in place to
ensure compliance with this regulation.
(b) Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their
genuine owners.

MetricStream does not rely on biometrics based electronic signatures.


11.300 Controls for identification codes/passwords: Persons who use electronic signatures based upon use of identification codes in
combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include:
(a) Maintaining the uniqueness of each combined identification code and password, such that no two individuals have the same
combination of identification code and password.

MetricStream solution ensures that the components of electronic signatures are distinct and unique for each
user. MetricStream Manage User feature gives system administrators complete control on assigning usernames
and passwords to authorized users who have access to the system. Password policies that check certain
properties like number and type of characters can be set up.

(b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events
as password aging).

MetricStream Manage User feature gives system administrators complete control on assigning usernames
and passwords to authorized users who have access to the system. The usernames and passwords can be
reset periodically; they can also be configured to expire on a certain date. If multiple failed attempts are made
to login, the user is blocked from the system and the system administrator is notified to avoid any unauthorized
access.
(c) Following loss management procedures to electronically de-authorize lost, stolen, missing, or otherwise potentially compromised
tokens, cards, and other devices that bear or generate identification code or password information, and to issue temporary or permanent replacements using suitable, rigorous controls.

MetricStream enables the system administrator to deactivate users from logging in if a username and password
is compromised. MetricStream can assist customers to put policy and procedures in place regarding reporting
of such incidents. User training sessions can be used to reinforce the sanctity of electronic signatures and
ensure prompt reporting of any such incidents.
(d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an
immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational
management.

If multiple failed attempts are made to log in to the MetricStream system, the user is blocked from the system and
the system administrator is notified to avoid any unauthorized access.
(e) Initial and periodic testing of devices, such as tokens or cards, that bear or generate identification code or password information to
ensure that they function properly and have not been altered in an unauthorized manner.

MetricStream does not rely on such devices for generating electronic signatures.

MetricStream Inc.
Copyright 2014 MetricStream.
All rights reserved.

2600 E. Bayshore Road


Palo Alto, CA 94303
Telephone: 650-620-2955
Fax: 650-565-8542
www.metricstream.com
