Complying with Global ERES Regulations in the Life Sciences Industry

Transcription

1 SAP for Life Sciences Complying with Global ERES Regulations in the Life Sciences Industry Table of Contents 5 Know the Rules 7 ERES Regulations and SAP ERP 21 SAP Software Quality 30 Why Choose SAP Solutions for ERES Compliance 32 Appendixes About the Author Dr. Christoph Roller is solution manager in the global industry business solutions group for life sciences at SAP.

2 By complying with global regulations, your life sciences company can enjoy the benefits of increased overall efficiency and reduced costs for handling and storing traditional paper records. But whatever life sciences business you conduct, there is even more that you can do. With solutions such as the SAP for Life Sciences solution portfolio, you can comply with key electronic signature regulations and limit the costs involved in compliance. TODAY S APPROACH TO COMPLIANCE To compete in this market, your life sciences company needs to comply with various regulations, depending on which markets you do business in. These regulations include those of the U.S. Food and Drug Administration (FDA) such as 21 CFR Part 11 Electronic Records; Electronic Signature the European Commission s Annex 11 Computerized Systems, and Japan s PFSB Notification, No , Electronic Records/Electronic Signature. Regulatory authorities across the globe have acknowledged the importance of computerized systems and records within the life sciences industry. These regulations all share the same intent of ensuring the integrity of electronic data and records. However, applying these requirements to the numerous computerized systems within your life sciences company can translate into millions of dollars in project costs to validate these systems. Also, maintaining these systems in a validated state for their productive lifetime requires significant annual costs. Systems-Based Inspection Approach More and more, regulatory authorities globally are taking a risk-based approach to determine which computer systems are the most critical. They then follow a systems-based approach that aims at conducting and evaluating inspections with regard to specific systems to evaluate risks. For example, a global regulatory agency like the FDA s inspection compliance program consists of six major systems, which is similar to the other agency inspection programs: Quality system Facilities and equipment system Materials system Production system Packaging and labeling system Laboratory control system These systems are not considered discrete entities but instead are part of an integrated system model. The idea underlying this approach is that deficiencies in one system will affect all other systems as well. The integrated systems-based inspection approach recognizes the widespread use of computers to support each company s quality initiatives. Therefore, regulatory agencies review the qualification, validation, and security of integrated computer solutions much more closely than that of stand-alone systems during an inspection. 2 /45

3 Regulatory agencies review the qualification, validation, and security of integrated computer solutions much more closely than that of stand-alone systems during an inspection. Cost of Compliance Figures 1 and 2 illustrate the cost of compliance and noncompliance. Figure 1: Model of Compliance Costs Cost of noncompliance (NC$) Cost NC$ > C$ Optimal area to balance risk versus benefit Not compliant Compliant Overcompliant Compliance Figure 2: Model of Compliance Costs Reduced Through Process Optimization Cost of noncompliance (NC$) Sum of both exponential curves (total $) Sum of both exponential curves (total $) Cost of compliance (C$) C$ > NC$ The goal is to operate in this area. Cost of compliance (C$) Cost of compliance curve enhanced through process optimization and standardization On the basis of global regulations for electronic records and electronic signatures, companies that fail to establish adequate control of their computerized systems face sanctions as for any other significant noncompliance of good practices. Figure 1 shows two opposing exponential curves depicting the cost of noncompliance and compliance. The cost of noncompliance is determined to be a function of regulatory agencies enforcement actions including warning letters, import detention, and consent decree and the time and resources required to remediate regulatory bodies observations. The cost of compliance is determined to be a function of time and resources. The graph also shows that the state of compliance is not dichotomous. Rather, compliance is a state of operation determined by a company s interpretation of pertinent global regulations and the corporate culture applied to the various business processes within the quality system. The three levels of compliance are therefore subjective as depicted by the range for each level. Figure 2 illustrates the beneficial movement of the cost of compliance curve manifested by process optimization and other internal cost reductions including consolidation of IT systems. Therefore, companies can choose to improve their level of compliance in order to significantly reduce costs. Cost NC$ > C$ Vigilance and maturity to manifest this beneficial movement C$ > NC$ Maintenance of same level of compliance with reduced cost Not compliant Compliant Overcompliant Compliance 3 /45

4 Companies can choose to improve their level of compliance in order to significantly reduce costs. A Win-Win Proposition for Life Sciences Many life sciences companies have taken advantage of this win-win proposition and leveraged their SAP ERP application infrastructure to support the following: Enterprise asset Enterprise quality Supplier quality Laboratory information systems Problem reporting and execution of corrective action and preventive action Manufacturing execution and electronic batch records Qualifications (training) Warehouse Customer relationship Product lifecycle Sales and distribution Materials Environment, health, and safety Additionally, specific SAP solutions are available that promote various regulatory and compliance operations, such as: Integrated product development and compliance Supply chain execution Supply network traceability and supply chain integrity Contract Service excellence for medical devices Compliant manufacturing operations Contract manufacturing for life sciences companies Calibration and equipment maintenance Contract lifecycle and compliance Enterprise information Pharmaceutical, medical diagnostics, medical devices, and biotechnology companies continue to promote regulatory compliance, while reducing their costs and maximizing their ROI, by appropriately leveraging their existing systems and implementing new systems and solutions as needed. 4 /45

5 Know the Rules Many functions and features of SAP ERP support technical compliance with global electronic record and electronic signature (ERES) regulations. ERES REQUIREMENTS FROM GLOBAL REGULATORY AGENCIES Many regulations deal with electronic records and electronic signatures. FDA 21 CFR Part 11 FDA regulation 21 CFR Part 11 Electronic Records; Electronic Signatures; Final Rule (referred to here as Part 11) was the result of a six-year effort by the FDA (with input from the industry). The goal was to supply all FDA-regulated companies with requirements on how to maintain paperless (that is, electronic) record systems while still complying with good clinical, laboratory, and manufacturing practices. These include: Good manufacturing practice (GMP): 21 CFR 110 (food), 210 (drugs in general, also includes good manufacturing practices for biologics), 211 (finished pharmaceuticals), and 820 (medical devices) Good laboratory practice: 58 Good clinical practice: 50, 54, and 56 The regulation also details specific requirements for electronic and digital signatures because the FDA considers these signatures to be legally binding. Since its publication in 1997, this regulation has been subject to evolving interpretations by both the FDA and industry. In February 2003, the FDA withdrew all Part 11 guidelines and the Compliance Policy Guide. The Part 11 rule is still valid, but these accompanying guidelines are withdrawn. The reasons for the withdrawal are discussed in the FDA document from August 2003, Guidance for Industry Part 11, Electronic Records; Electronic Signatures Scope and Application, as follows: Concerns have been raised that some interpretations of the part 11 requirements would (1) unnecessarily restrict the use of electronic technology in a manner that is inconsistent with FDA s stated intent in issuing the rule, (2) significantly increase the costs of compliance to an extent that was not contemplated at the time the rule was drafted, and (3) discourage innovation and technological advances without providing a significant public health benefit. These concerns have been raised particularly in the areas of part 11 requirements for validation, audit trails, record retention, record copying, and legacy systems. EU GMP Annex 11: Computerized Systems This regulation states the following: Electronic records may be signed electronically. Electronic signatures are expected to: a. Have the same impact as handwritten signatures within the boundaries of the company b. Be permanently linked to their respective record c. Include the time and date that they were applied 5 /45

6 Pharmaceutical, medical diagnostics, medical devices, and biotechnology companies promote regulatory compliance, while reducing their costs and maximizing their ROI, by appropriately leveraging existing systems and implementing new solutions. ANVISA (Brazil): ANVISA Resolution RDC n. 17 The Technical Regulation of Good Manufacturing Practices of Drugs per the ANVISA Resolution says the following: Article 223. During the production process, all steps undertaken should be recorded, looking at the initial time and final implementation of each operation. The record of implementation of these steps must be properly dated by the executors, clearly identified by signature or electronic password, and ratified by the area supervisor. PFSB/ELD Notification No of Japan In Japan, the Guideline on Control of Computerized Systems in Drug Manufacturing Regulatory Guide provides a number of requirements. These include guidelines for electromagnetic records and electronic signatures used for documents and source documents relevant to applications, notifications, and reports for approval or licensing of drugs, quasidrugs, cosmetics and medical devices, and registrations of conformity assessment bodies. PHARMACEUTICAL CGMPS: A RISK-BASED APPROACH Global regulatory agencies like the FDA have enhanced the regulation of pharmaceutical manufacturing and product quality by applying a scientific and risk-based approach to product quality regulation. This initiative incorporates an integrated quality-systems approach to current good manufacturing practice (cgmp). Regulatory agencies have been developing a more systematic and rigorous, risk-based approach toward compliance and using good science. A justifiable and documented risk assessment, and one that is defensible, has become a predominant theme within recent initiatives of global regulatory agencies. Ultimately, your company must comply with applicable rules. Records that agencies require be maintained or submitted must remain secure and reliable in accordance with the predicate rules. In an agency inspection, the inspection of any computerized system includes a review of the system documentation. The documentation is required to demonstrate that the regulated activities controlled by a computerized system can be reliably performed and reliably repeated as the user intends and as detailed by the system specifications. Regulated records must have the ability to be written to media and recovered without corrupting the original data, and audit trails must document the computer s action related to any changes to the data. As with any regulated processes, computer processes are required to show documented validation, and any changes to the system must be tested and documented through a change control process. This testing needs to be rigorous and designed to stress the system. Documented training of personnel who were involved with system development, validation, deployment, and maintenance is the basic premise of all regulated activities. This is exactly what the life sciences industry does for all processes. 6 /45

7 ERES Regulations and SAP ERP FUNCTIONALITY IN SAP ERP THAT MAY BE REGULATED The determination of whether a transaction performed in SAP ERP has regulatory compliance implications is directly dependent on the business process that is making use of the transaction. Creating a purchase order for sodium chloride to be used for melting ice and snow is drastically different than creating a purchase order for sodium chloride to use in your manufacturing process. The business processes and the subsequent records requirements for materials used in the manufacturing process are subject to the predicate rules associated with the cgmp. The business process that your life science company uses to perform operations must comply with applicable FDA regulations governing good clinical practices, good manufacturing practices, good laboratory practices, and good deployment practices, together referred to as GxP. These regulations require that you retain certain records and documentation to support these activities and demonstrate compliance. When your company uses a computerized system to support execution of all or part of your business processes, and that system creates, modifies, maintains, or transmits records, those records are subject to regulatory requirements. And you need system controls to protect the accuracy, completeness, authenticity, and reliability of those records. SAP ERP is a transaction-based software system. These transactions, when mapped to the business process flows that they use for execution, can be assessed for regulatory relevance. By identifying the tenets of the applicable regulations and attributing them to the corresponding steps of the business process, you can determine the regulated SAP ERP application transactions. The following areas have consistently been shown to be relevant to regulatory issues. Logistics include: Materials Plant maintenance Production planning Production planning for process industries Quality Sales and distribution Logistics execution Environment, health, and safety Human resources and training information Warehouse Central functions include: Batch Handling unit Document Cross-application components include: Engineering change Classification Document Electronic records (audit trail) Digital signature Notifications Records and case Master data governance Business processes addressed by the SAP NetWeaver technology platform include: Audit trail (BC-SRV-ASF-AT) Digital signature (CA-DSG) 7 /45

8 Functional areas that have consistently been demonstrated to be excluded from the FDA scope are finance (financial accounting, controlling, and asset components) and planning (demand, forecasting, profitability analysis, and sales and operations planning components). Appendixes 1 and 2 contain the SAP ERP and FDA cgmp functionality matrix for both pharmaceuticals and medical devices. These matrixes illustrate how SAP ERP promotes compliance with these regulations and provides guidance as to what functionality (and electronic records) may be regulated by the FDA. To demonstrate regulatory compliance, you must document the assessment performed to determine the regulatory applicability of the transaction. The following table features a sample of a regulatory assessment applicable for a pharmaceutical manufacturer. Tcode Description 21 CFR Part 211 QE01 Record results , , , , and QE02 Change results , , , , and The following table is a sample of a regulatory assessment applicable for a medical device manufacturer. Tcode Description 21 CFR Part 820 QE01 Record results and QE02 Change results , , and Assessing the applicability of regulations allows for testing that the electronic record requirements and, if applicable, the electronic signature require ments associated with the records created, modified, or maintained by these transactions are compliant with regulatory requirements. Conversely, if the assessment cannot identify a specific regulatory tenet, the records associated with that transaction code are not considered to be relevant to regulatory issues and therefore are not subject to the same regulatory records requirements. Your life sciences company can dramatically reduce validation costs by performing this assessment and using the results during implementation projects. You can realize additional benefits during the production use of the system when you introduce changes to processes and functionality through change control. 8 /45

9 ELECTRONIC RECORDS In general, global regulatory agencies define an electronic record as follows: information created, stored, generated, received, or communicated by electronic means in a form that a person can perceive and that can be accurately reproduced or distributed by a computer system. If you apply this comprehensive definition to SAP ERP, you find various types of electronic records, such as: Configuration within the implementation guide Transports and business configuration sets used to migrate configuration from one software system to another Master data such as the material master, vendor, resource, recipe, and customer Business processing objects such as purchase orders, process orders, and inspection lots Electronic records for business processes or transaction execution, such as material documents Electronic or digital signatures Other electronic record types maintain change and deletion (that is, audit trail) information for the objects in SAP ERP mentioned above. These include: Change master record (engineering change component) Change document objects Table logging Change Master Record The change master record is a master record that contains information necessary for the and control of changes. A change master record captures the changes made to master data through the engineering change component in SAP ERP. Figure 3 illustrates the master data or object types that you can manage using engineering change. Figure 3: Linked Object Types in Engineering Change Management Master data Material master Substance master Dangerous goods Bills of materials Materials Equipment Sales order Functional location Document structure Task lists Routings Master recipes Inspection plan Equipment task list General maintenance Reference rate routings Reference operation set Documents Standard operations procedure Material safety data sheets Classification system Classes Characteristics Variant configuration Configuration profile Object dependencies 9 / 10

10 The change master record provides a full audit trail or change history of master data and contains data of a descriptive character (such as the reason for the change). It also contains control data (such as effectivity data and object type indicators). Besides this data that the user maintains, there is also data that is automatically updated by the software system ( data). Change Document Object A change document logs changes to a business object. A change document object is defined for a certain business document, captures changes to fields within a changing transaction, and writes this information to a unique record. This record is date and time stamped and maintains the old and new values for each of the fields that have been changed, in addition to the user ID of the person who made the change. SAP ERP runs a report to query and display the audit trail record. Change document objects are available for most of the important business documents. They may require configuration for activation. Figure 4 illustrates a change document object record for a resource substitution within a master recipe. Figure 4: Example of a Change Document Object for Master Recipe Change 10 /45

11 Table Logging Where change masters or change document objects do not exist for a certain business document, you need an alternative method for maintaining an audit trail. Activating the flag log data changes in the technical settings of the database table captures all the changes made to this table and writes this information into a unique record maintained within the DBTABLOG table. Any transaction executed within SAP ERP includes multiple tables where the data is recorded and maintained. Therefore, to view the complete audit trail, you can run a report to query and display each record associated with a specific event. The report provides all the required information for the audit trail, including system date and time stamps and the old and new values for each of the fields that have been changed within each table. The report can also provide the full, printed name of the user instead of the user ID. Figure 5 illustrates the table log record. Table logging may affect system performance, depending on the number of records that are generated. However, table logging is required only in some instances. You should review system configuration when table logging requirements have been identified. Figure 5: Output of Table Log and Change Document Log 11 /45

12 Audit Trail The audit trail (logging) component enables you to log and evaluate changed data in the system. The audit trail facilitates a detailed, consistent, and traceable description of your production processes. You can change logging settings intuitively and without technical modification and carry out an evaluation of the changed data that conforms to FDA requirements. The audit trail is a component of SAP NetWeaver (BC-SRV-ASF-AT) that you can use to log all SAP ERP applications. In addition to the audit trail, the electronic records component in SAP_APPL also provides logging functions (although only for applications in SAP_APPL). Compared with the electronic records component, the audit trail offers enhanced functions plus the advantage that you can use it to log data of all the applications of SAP Business Suite software (as of release 7.0). However, you can use only one of the two components. Parallel use is not possible. If you are already using electronic records, you can switch to the audit trail functions. For further information, refer to the manual Audit Trail (SAP NetWeaver) or Electronic Records (SAP ERP) at help.sap.com. Date and Time Stamp SAP ERP uses Coordinated Universal Time (UTC) for change master record, change document objects, and table-logging activities. UTC is unique and unequivocal. To compare the local times of users in different time zones, SAP software represents times differently externally and internally. External representation of time corresponds to a context-dependent local time. For example, time is represented in Germany in Central European Time and in New York in Eastern Standard Time. SAP software normalizes the internal system time to UTC, which serves as a reference time. UTC corresponds to Greenwich Mean Time. By converting all local, relative times to absolute times based on UTC, the software can compare times and use them in calculations. If you have locations in multiple time zones, you need procedures to define the time zone of the application server and describe how the date and time stamp is to be interpreted by each site. In addition, the procedures should include daylight saving time requirements. These procedures should be included in performance qualification testing. Many functions and features of SAP ERP support technical compliance with global electronic records and electronic signatures (ERES) regulations. 12 /45

13 Electronic Copies for Inspection Because of the systems-based inspection approach of global regulatory agencies, SAP ERP is often included in GMP inspections, as it is routinely used to support the quality system and all other subsystems. You can print reports and electronic records or export them into several industry-standard formats such as Adobe PDF and XML. Retention and Maintenance of Electronic Records You can maintain all electronic records in the active database or archive them to accommodate all required retention periods even when software is upgraded. You can secure access to these records using authorization profiles that are standard in SAP software. In addition, SAP ERP maintains the link between electronic signatures executed to electronic records even after archiving. Hybrid Systems Companies using hybrid systems must comply with ERES requirements. Information that you have recorded in SAP software or activities that you have performed directly in SAP software can be printed or exported into industry-standard formats such as Adobe PDF and XML. An example of a hybrid system with SAP software is a batch record that includes printouts of process instruction sheets that have been executed by operators and quality personnel. Another hybrid system with a different twist is part of an organization s corrective action and preventive action (CAPA) program that uses the quality notification component as the CAPA solution. In this example, paper documents with handwritten approvals, including engineering and laboratory reports, are scanned into the content server component and attached to investigations within SAP ERP. Thus, an investigation within SAP ERP contains electronic records, including electronic signatures, executed as part of the lifecycle of the investigation and electronic images of documents that contain handwritten approvals. All hybrid systems require procedural controls to maintain compliance and need to be included in the scope of your organization s computerized system validation. SAP ERP is a transaction-based software system. These transactions, when mapped to the business process flows that they use for execution, can be assessed for regulatory relevance. 13 /45

14 Digital signatures in SAP ERP satisfy all applicable ERES requirements. ELECTRONIC SIGNATURE Many agencies such as the FDA and EU authorities consider electronic records equivalent to paper records and electronic signatures equivalent to traditional handwritten signatures. For the FDA, the ERES guidance documents specify that these requirements are defined by the predicate rule, such as cgmp for finished pharmaceuticals (21 CFR Part 211) and medical devices (21 CFR Part 820). Note that some passages implicitly call for signatures, for example, wherever the words approved, signed, initialed, authorized, rejected, or verified are used. Electronic and Digital Signatures in SAP ERP Electronic and digital signature definitions are shown in 21 CFR Part 11 as follows: Electronic signature A computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent to the individual s handwritten signature Digital signature An electronic signature based on cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified Closed system An environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system Open system An environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system Digital Signature Throughout the SAP ERP application, the term digital signature is referenced in each dialog screen during signature execution and electronic record reporting (see Figures 6 and 7). The term electronic signature is not referenced within SAP ERP. This is based on SAP s interpretation of the ERES signature definitions concerning the use of cryptographic encryption techniques such as Public-Key Cryptography Standard #7 (PKCS #7). Public-Key Cryptography Standards are specifications for secure information exchange using the Internet, and PKCS #7 is the standard format in the market. All signatures executed within SAP ERP use crypto graphic encryption techniques. Therefore, SAP defines all signatures within SAP ERP to be digital signatures even when the SAP ERP application is used in a closed system. To ensure the integrity of signatures within an electronic system and protect against falsification and data corruption, the FDA requires that the system actively detect and prevent unauthorized access. This includes reporting these attempts to the system security unit. Many agencies equate the reporting and response of unauthorized access to the way individuals would respond to a fire alarm, as mentioned in the Part 11 rule. To satisfy the requirements defined in ERES, SAP ERP provides many safeguards. 14 /45

15 When the number of failed attempts (for either logon or signature) is exceeded, SAP ERP prevents the user from further access without intervention from the security administration. Note that the number of failed attempts allowed is configurable: SAP ERP generates and sends an express message to a defined distribution list to notify the security administration immediately. In addition, you can interface any Messaging Application Programming Interface (MAPI) compliant messaging system to SAP ERP to send this message externally to systems such as Microsoft Exchange or even a paging system. The security audit log maintains an electronic record of all failed attempts (for either logon or signature). SAP ERP also generates electronic records for the locking and unlocking of users. System signature with authorization by user ID and password has the following attributes: It has been available in SAP software beginning with the first shipment of release 4.6C of SAP R/3 software. It includes the use of the PKCS #7 standard. No external security product is necessary. When logging on, users identify themselves by entering their user IDs and passwords. SAP software then executes the digital signature. The username and ID are part of the signed document. Digital user signature with verification has the following attributes: It has been available in SAP software beginning with the first shipment of SAP R/3 4.0B. An external (third-party) security product is necessary. Users execute digital signatures them selves using their private keys. The executed signatures are automatically verified. Information is available from global.sap.com /partners/directories/searchsolution.epx. Cryptographic hardware and biometrics, using such elements as smart cards and fingerprints, must support the PKCS #7 standard data format. This mechanism is based on Secure Store and Forward mechanisms. Digital signatures in SAP ERP satisfy all applicable ERES requirements. (Please refer to the summary table in Appendix 5 titled How Does SAP ERP Comply with Part 11? ) SAP ERP includes a digital signature tool. This powerful functionality enables you to include signature functionality in any transaction or supported business process within SAP ERP. 15 /45

16 Digital signatures are already implemented in SAP ERP for the following supported business processes and components: Production planning for process industries (PP-PI) Process step completion within process instruction sheets and acceptance of process values outside predefined tolerance limits (transaction code CO60) Production planning for process industries (PP-PI) The user of the industry service sheet for the soft logon process can display only the process industry sheet, and the dialog user must log in and work on a process industry sheet (trans action code CO60). Execution steps (transaction code SXS) repository The status change (transaction code for standard execution step repository) is as follows: approval, withdraw, and obsolete. Engineering change (ECM) The status change of the engineering change order is as follows: change number as well as create and change (transaction codes CC01 and CC02). Engineering change (ECM) The status change of object records (transaction code CC22) allows conversion of a change request to a change order in engineering change. Electronic batch record approval (transaction code COEBR) Quality (QM): inspection lot and results recording (transaction codes QE01, QE02, and QE51N) Quality (QM): usage decision (quality disposition), as well as record and change (transaction codes QA11 and QA12) Quality (QM): physical sample drawing (transaction codes QPR1 and QPR2) Quality (QM): Quality notifications, as well as create and change (transaction codes QM01 and QM02) Document system (DMS): create or change (transaction codes CV01N and CV02N) Potential failure mode and effects analysis (FMEA): preventive action and detection action (transaction codes QM_FMEA and QM_FMEAMONITOR) Audit : preventive and corrective measures (transaction codes PLMD_AUDIT and PLM_AUDITMONITOR) Maintenance processing (PM-WOC-MO) maintenance order: sign-off work operation (transaction code IW32) Easy document system (Easy DMS): front-end tool for DMS create or change (transaction codes CV01N and CV02N); see Note in the SAP Notes tool Approve payments (transaction code BNK_APP) Where multiple signatures may be required, SAP ERP provides signature strategies that define allowed signatures and the sequence in which they must be executed. 16 /45

17 SAP has maintained ISO 9001 certification since The corresponding quality system includes all standards that control the structured development lifecycle. Figure 6: Execution of a Signature in SAP ERP Figure 7: Example of the Electronic Record of a Signature (Transaction DSAL) 17 /45

18 Digital Signature Tool in SAP ERP SAP ERP now includes a digital signature tool (component CA-DSG). This powerful functionality enables you to include signature functionality in any transaction or supported business process within SAP ERP. Additional benefits of the signature tool are: Further modularization of digital signatures Easier implementation of digital signatures in new processes Creation of a uniform flexible programming interface In addition, you can integrate tools into any business-area support in SAP ERP or in other SAP Business Suite applications, such as the SAP Product Lifecycle Management or SAP Customer Relationship Management applications. All transactions and workflow of SAP ERP can include signature functionality with the digital signature tool. If a digital signature is needed within SAP ERP where it s not implemented by the standard digital signature tool in the SAP NetWeaver Application Server (SAP NetWeaver AS) component, you can implement it on a project basis. You must have SAP NetWeaver AS 6.20 or higher to use the digital signature tool. As of enhancement package 2 for SAP NetWeaver AS 7.00, you can archive digital signature tool data and the corresponding metadata of the application. For this, you can use the archiving object DS_ARCH in transaction SARA. For further information, refer to the implementation guide titled Digital Signature Tool (Note ). Date and Time Stamp for Signature SAP ERP uses UTC as the global date and time stamp for signatures. The local date and time stamp for the electronic record of a signature is available but must be configured: it is calculated from UTC. Daylight saving time rules and the time zone are maintained within the user s profile. Many regulatory agencies have stated at industry forums that local data and time stamps are not required as long as the global date and time is unique and unequivocal and procedures exist to correctly interpret local time. SAP Solution Manager can support the compliance of SAP ERP in a crucial manner and reduce the validation and revalidation effort of SAP ERP significantly. 18 /45

19 OTHER INTERNATIONAL GMP GUIDELINES Several other guidelines for good manufacturing practice include ERES regulations. EU GMP Guideline Annex 11 The GMP guideline of the European Medicines Agency, Directive 2003/94/EC, delineates the legal requirements for good manufacturing practice in the EU, including the need to maintain a system of documentation. The main requirements affecting electronic records are that the data is available in human-readable form, available for the required time, and protected against loss or damage. The objective of this guideline is to provide requirements for ensuring reliability in using the electronic record and electronic signature systems in those contexts. The new Annex 11 and EU GMP Chapter 4 requirements on generation, control, and retention of documents are more current, effective July There are many similarities between the regulations of Annex 11 and Part 11 (and Part 11 Guidance). In general, they both include information addressing risk, personnel, validation, system and documentation, software, data, security, audit trails, signatures, printouts, and data storage. Annex 11 introduces new categories that encompass infrastructure, as well as fine-tunes requirements and interpretations. For example, Annex 11 expands computerized systems to include qualification of the IT infrastructure. Part 11 mentions protection of records. In addition, Annex 11 adds information about electronic records backup with the identification of storage location and validation of the storage system. PIC/S Guidance The Pharmaceutical Inspection Convention and Pharmaceutical Inspection Co-operation Scheme (jointly referred to as PIC/S) published guidance called Guide to Good Manufacturing Practice for Medicinal Products, Annex 11 Computerized Systems in January The guidance provides background information and recommendations regarding inspection of and training concerning computerized systems. It contains a section on electronic records and signatures aligned to EU GMP expectations. ICH Guideline The International Conference on Harmonization (ICH) guideline, ICH Q7A, Part II Basic Requirements for Active Substances Used as Starting Materials, is the first GMP guideline that has been harmonized for the United States, the EU, and Japan. ICH Q7A was published as Annex 18 in EU GMP Guidelines in July In addition, ICH Q7A has been adopted by Australia, Japan, and PIC/S. Appendixes 4 and 5 provide summary tables that describe how SAP ERP complies with EU GMP, PIC/S, and ICH guidelines in comparison to the Part 11 rule. 19 /45

20 ANVISA (Brazil) ANVISA Resolution RDC n. 17 was published on April 16, It is called the Technical Regulation of Good Manufacturing Practices of Drugs. The guidance provides details about computerized systems used in manufacturing, holding, packing, and shipping of finished products. Computer system validation requires documented evidence that attests to a high degree of safety that analysis of a computerized system, controls, and records is performed correctly and that data processing complies with predetermined specifications. Canada GMP Regulations Equipment used during the critical steps of fabrication, packaging and labeling, and testing including computerized systems is subject to installation and operational qualification. Further guidance is provided in Health Canada s document Validation Guidelines for Pharmaceutical Dosage Forms (GUI-0029) and in PIC/S Annex 11: Computerized Systems. You can also get guidance from Good Manufacturing Practices (GMP) Guidelines 2009 Edition, Version 2 (GUI-0001), which discusses records and electronic signatures. Japan GMP Regulations Regulatory authorities in Japan provide Guideline on Management of Computerized Systems for Marketing Authorization Holders and Manufacturers of Drugs and Quasi-Drugs, October 21, The guidance provides background information and recommendations regarding validation, inspection, and training concerning computerized systems. It contains a section on electronic records and signatures aligned to Japan GMP expectations. Chinese State Food and Drug Administration The Ministry of Health in China adopted the Good Manufacturing Practice for Drugs on October 19, It was retroactive to March 1, This decree states that manufacturing and quality of drugs shall be per GMP. Manufacturers must establish a quality system covering all factors that influence quality of drugs. GMP must be strictly implemented with integrity. Any falsification and fraud is forbidden. Global agencies such as the FDA and EU organizations acknowledge the complexity and controversy of validating commercial software. 20 /45

21 SAP Software Quality SAP has maintained ISO 9001 certification since The corresponding quality system includes all standards that control the structured development lifecycle. The standards are binding for all employees in development. They help ensure that SAP solutions are examined for completeness and correctness against standardized checklists, have a standard quality when released, and are introduced to the market according to a defined process. The process standards describing the development phases are standard SAP operating procedures. In addition, product standards define the quality criteria for SAP solutions. All deliverables of the lifecycle phases are defined in a master list. The adherence to the process and product standards is documented in internal systems. Quality gates between the phases help ensure that the activities and deliverables defined by the master list are complete. We have developed SAP ERP according to this development lifecycle. Audits of the SAP software development areas are carried out each year by individual companies as well as industry groups such as the Pharmaceuticals Validation Group and the Executive Council for Life Sciences. In conformance to the FDA s general principle of validation, GAMP 5 Guide, and given the fact that SAP software is highly configurable, the SAP ERP application configuration must be validated according to predetermined business requirements. Therefore, companies must deploy a validation methodology as part of a recognized development lifecycle to establish documented evidence providing a high degree of assurance that the con figured system performs as intended. VALIDATION OF SAP ERP IN A GXP-REGULATED ENVIRONMENT The SAP Solution Manager application solution is the platform for application lifecycle from SAP (see Figure 8). It provides the tools, the integrated content, and the gateway to SAP software that you need to implement, support, operate, and monitor your SAP solutions in the life sciences industry. SAP Solution Manager can support the compliance of SAP ERP in a crucial manner and reduce the validation and revalidation effort of SAP ERP significantly. Figure 8: Orchestrating a Solution with SAP Solution Manager Processes and Platform Incident, problem, and request Portfolio and project Run SAP Like a Factory Business process operations Application operations Single source of truth Solution documentation and implementation Change, test, and release Application lifecycle Integration validation Maintenance optimization and security 21 /45

22 With SAP Solution Manager, you can manage your SAP software throughout the entire lifecycle to help ensure reliability, reduce total cost of ownership, and increase ROI. SAP Solution Manager lets you: Manage core business processes and link business processes to underlying IT infrastructure Support both SAP and non-sap software and get more from existing IT investments Manage user requirement specification documents, which are descriptions of the functionalities that you want to run in the software system Use its road map functionality to fully support documentation of the different phases of the project, including predefined accelerators with versioning and status Use its business blueprint functionality to manage and document all kinds of templates, documents, and so on with versioning, status, and definition of electronic signatures Integrate content, tools, and methods for implementation, support, operation, and control Conduct central administration, which provides control of allocated, decentralized applications Use automatic functions to evaluate problems Manage change requests GAMP V-Model and Available SAP Tools Figure 9 shows a high-level representation of the good automated manufacturing practice (GAMP) methodology. The V-model is a high-level concept illustration first introduced by the GAMP Forum. The GAMP Forum was established by represen tatives from major international companies to interpret and improve the understanding of regulations for the development, implementation, and use of automated systems in pharmaceutical manufacturing. SAP has enhanced the V-model to more closely represent the ASAP Focus methodology, but it remains consistent with the formally recognized software development lifecycle. Figure 9: Adaptation of V-Model for SAP Software Implementation DQ User requirement specification Technical specification Technical, functional specification IQ Install system (hardware and software) Configure system Installation tests Integration tests Functional tests Acceptance tests Ongoing operation CC PQ OQ DQ Design qualification IQ Installation qualification OQ Operational qualification PQ Performance qualification CC Change control 22 /45

23 Application Lifecycle Management Application lifecycle (ALM) addresses the challenges of ensuring business continuity, accelerating innovation, and reducing risk as well as total cost of operations while protecting your investments with an integrated IT Infrastructure Library (ITIL) based approach. According to ITIL, the application lifecycle consists of six phases: requirements, design, build and test, deploy, operate, and optimize. ALM solutions from SAP provide processes, tools, services, and an organizational model to manage SAP and non-sap solutions throughout the complete application lifecycle. Instead of just focusing on the individual phases, SAP provides a holistic approach. You can leverage results of the different phases in other phases because of the integration provided by SAP Solution Manager. SAP Solution Manager addresses your entire IT environment by supporting 12 core process areas throughout the ALM process (see Figure 10). Figure 10: SAP Solution Manager Core Process Areas for ALM Landscape transformation Create requirements Solution documentation Upgrade Custom code Maintenance Business process operations Operate Optimize ITIL SAP Solution Manager Design Build and test Solution implementation Template Test Change control Technical operations Deploy IT service 23 /45

24 The following table provides an overview of the functionality of SAP Solution Manager. SAP Solution Manager Features Selection Recommendation Use Project administration Configuration Document Business process change analyzer (BPCA) Use the SAP Solution Manager application solution to perform all central project administration tasks such as defining the project scope and project language, assigning team members, defining the system landscape, selecting the templates for documentation, and so on. Use this feature to manage and perform configuration of the support for business processes in SAP software. Use the document feature to store SAP software related documents in SAP Solution Manager. (Final approval of controlled documents is tracked in SAP Solution Manager. It serves as the final repository.) Use BPCA to compare the objects in a transport to the objects in the technical bill of materials (TBOM) of the target system. (Since every TBOM is clearly assigned to a certain trans action in a certain scenario, business process, or process step, you can determine precisely which parts of a business process hierarchy are affected by the change.) Provide accelerated, risk-based testscope identification for regression tests. Create project for SAP Solution Manager Define project scope Set up and assign team Set up the templates, keywords, and status for reporting Plan configuration (assignments to team members) Manage access to configuration Perform process-based configuration Document the configuration Organize document storage for final approval of documentation Facilitate searching and indexing of the documents Analyze which parts of a business process are affected by the specified change Analyze which parts of a business process are affected by the activation of a business function Use accelerated, risk-based test-scope identification for regression tests 24 /45

25 SAP Solution Manager Features Selection Recommendation Use Test with the adapter of SAP Solution Manager for the SAP Quality Center application by HP SAP Test Acceleration and Optimization application SAP Test Data Migration Server software Support role-specific testing with SAP Quality Center and cover the complete testing process from requirements gathering to test-case definitions and reporting. (The infrastructure is intuitive to implement and use, as it follows the typical testing process for SAP solutions.) Free up test teams to enable them to conduct more extensive tests. Create automated test cases for SAP solutions in an accelerated way. (The acceleration is achieved by automatically creating test components for SAP software transactions that you select.) Create small, intuitive-to-maintain, nonproduction environments with consistent, relevant extracts of business data, minimizing infrastructure and maintenance expenses while maximizing the effectiveness and accuracy of development, test, and training activities. Use the adapter to transfer information about business processes and test assets smoothly to SAP Quality Center, which serves as the main testing environment for your quality teams After test completion, transfer the test results out of SAP Quality Center directly into SAP Solution Manager, automatically displaying the results of the predefined tests Help project leads gain increased control over testing processes and reuse this information during later application phases like upgrades or continuous business improvement projects Track test status by business process Generate automatic tests during regression testing Automatically upload test components into SAP Quality Center (these draft test cases are for single transactions, which you can then consolidate into a scenario test case) Support maintenance of components and test cases by integration into the BPCA of SAP Solution Manager Reduce infrastructure expenditures by greatly reducing the volume of data in the test environment Improve the quality of software developments by improving the quality of test data 25 /45

26 SAP Solution Manager Features Selection Recommendation Use SAP Productivity Pak application by ANCILE SAP Central Process Scheduling application by Redwood System monitoring and central system administration Change control (ChARM) Enable the collaborative creation, storage, and of e-learning material, application simulations, and procedural documentation. Manage batch jobs using the standardized SAP software job functionality. (This application is recommended if standard job scheduling functionality in SAP software is not sufficient to address job scheduling. Full system functionality must be procured.) Monitor the performance of various components that comprise the system landscape. Use standardized methods and procedures to help ensure efficient of all the changes within the IT infrastructure and to minimize the effects of change-related breakdowns. Help develop business process procedures, training materials, documentation of configuration steps, and so on Manage the batch jobs Interface SAP Solution Manager with SAP Central Process Scheduling Monitor the systems in the system landscape, in real time Monitor the availability and performance of, for example, transaction codes, reports, jobs, and interfaces by using the central case system monitors Manage all change requests Categorize change requests Document change Enable the approval workflow Report statuses Provide complete change history 26 /45

27 VALIDATION APPROACH TO ACHIEVE ERES COMPLIANCE Global agencies such as the FDA and EU authorities acknowledge the complexity and controversy of validating commercial software. The agencies reiterate the general principle of validation that planned and expected performance is based on predetermined design specifications. The next sections discuss the validation requirements inferred in the regulations. Key activities necessary to validate SAP ERP in compliance with ERES are as follows. Conduct system compliance assessment: Evaluation of GxP predicate rules: Determine whether the computerized system is regulated by any GxP predicate rules Criticality assessment: Determine criticality of the computerized system on the basis of the processes and data those processes manage or support Complexity assessment: Determine the complexity of the computerized system on the basis of technology, resources, software, and infrastructure requirements Determination of validation level: Determine the level of validation for the computerized system by the results of the previous compliance evaluation and assessments Identification of software category (such as GAMP 5.0) Deliverables determination: Validate deliverables on the basis of your organization s internal requirements and the assessment results Define Part 11 requirements in: User requirements Business process documents Functional design specification It is important to recognize the impact of the interpretation of ERES regulations specifically, the word complete as it pertains to electronic records generated in SAP ERP. To identify where ERES regulations apply, perform a GxP assessment. 27 /45

28 Define the overall strategy in the validation master plan and determine how the system will be deployed as per your software development lifecycle (SDLC) methodology (see Figure 11). Conduct good practice assessments at the business process level: Determine GxP-relevant business processes and SAP software objects Determine GxP relevance at the transaction, object, or field level Develop security authorizations according to SDLC. Establish functional requirements specifications for job roles: Use the business process master list as the only source of authorization profile development (this helps ensure that unused, nonvalidated tools for support for business processes within SAP ERP are effectively blocked from unauthorized access) Manage profiles similarly to configuration in regard to change control and the transportation component Figure 11: Validation Methodology for SAP Software Validation of project progress DQ DQ protocol Vendor audit Validation master plan Risk assessment (system) Validation summary report PQ PQ production Verification of production cutover OQ report OQ tests OQ Configuration documentation (BC sets) Test plan Test case definition Solution specification OQ protocol ERES assessment Relevant SOPs in place Technical and functional specification Risk assessment (processes) User requirements specification IQ report IQ productions system IQ QA system IQ development system IQ protocol Technical specification IQ Change control Project preparation Business blueprint Realization Final preparation Going live and support ASAP methodology project progress DQ IQ OQ Design qualification Installation qualification Operational qualification PQ BC CC Performance qualification Business configuration Change control ERES Electronic records and electronic signatures QA Quality assurance SOP Statement of purpose 28 /45

29 Configure software to activate complete audit trail reporting and electronic signatures. Test the system: Conduct formal testing of ERES requirements on the basis of risk assessment results Create test objectives to demonstrate ERES compliance for each relevant clause of the regulation (for example, challenge the creation of an accurate and complete electronic record) Include negative testing of business-critical transactions (for example, cgmp) in system testing of profiles (see Appendix 3 for a suggested list of cgmp-critical transactions) Train users for all transactions within their profiles. It is important to recognize the impact of the interpretation of ERES regulations specifically, the word complete as it pertains to electronic records generated in SAP ERP. To identify where ERES regulations apply, perform a GxP assessment. Before conducting this assessment, however, establish a strategy to define at what level the relevance to GxP will be assigned. For example, define the relevance at the transaction or object level (such as process order, material master, and so on) or at the field level (such as order quantity but not scheduling margin key for process order). This strategy is directly related to how the term complete is interpreted. That is, you determine whether it is interpreted as all the data contained within the transaction or object itself or as only the data determined to be GxP relevant. It is important to understand the impact of each approach from both a compliance and a system-performance perspective. GxP relevance at the object level may significantly reduce the risk of potential challenges to the system s compliance because the boundaries of GxP and non-gxp at that level are more clearly defined. Examples include a process order versus a planned order or a resource versus a capacity. However, this approach increases the amount of required configuration and can potentially affect system performance. GxP assessment at the field level requires fewer configurations and does not affect system performance. However, this approach potentially increases the risk of challenges to the system s compliance. Establishing GxP relevance at the field level increases the granularity to which SAP ERP can be scrutinized potentially invoking challenges field by field within transactions and master data objects. You need additional written justification to clearly explain the assessment of why certain fields are not GxP relevant. This approach can also be challenged with the technical argument that the integration of SAP software infrastructure maintains both GxP and non-gxp data within the same database tables and business processes. Therefore, all data within these tables and transactions is subject to the same level of control to protect the integrity of the GxP data. 29 /45

30 Why Choose SAP Solutions for ERES Compliance SAP believes that SAP ERP technically complies with the intent and requirements of global ERES and several international good manufacturing practice guidelines. As life science companies compete across the global marketplace, a number of key factors are influencing their approach to regulatory compliance for their computer systems, including: The focus and methodology of various regulatory agencies, including the global regulatory agencies inspection compliance program Financial and reputational costs associated with noncompliance Opportunities afforded through the use of integrated computer systems to control costs and increase compliance As a result, life sciences companies have wisely leveraged their SAP ERP application infrastructure to support various systems across their organizations. The infrastructure and solutions provided by the SAP for Life Sciences solution portfolio vary but share the common goal of driving regulatory compliance. SAP has a deep relationship with the life sciences industry, and SAP ERP provides a win-win opportunity for you to promote global ERES and GMP compliance while reducing your costs and maximizing ROI. ACKNOWLEDGMENTS We thank George Serafin and Satya Patloori from Deloitte LLP for great support in providing valuable advice and feedback for this document. REFERENCES For more information, check out the following references, many of which are found on the SAP Service Marketplace extranet at (authorization required): EU GMP Guideline Commission Directive 2003/94/EC EU Annex 11 to the EU GMP Guideline Commission Directive 2003/94/EC, 2011 ICH Q7A Guideline, Part II Basic Requirements for Active Substances Used as Starting Materials, 2005 Annex 11 to PIC/S Guidance Guide to Good Manufacturing Practice for Medicinal Products, 2013 PIC/S Guidance Good Practices for Computerized Systems in Regulated GxP Environments, 2007 FDA Title 21 CFR Part 11 Electronic Records; Electronic Signatures; Final Rule, March 1997 FDA Title 21 CFR Parts 210 and 211 Current Good Manufacturing Practice for Finished Pharmaceuticals, September 1978 FDA Title 21 CFR Parts 808, 812, and 820 Medical Devices; Current Good Manufacturing Practice (cgmp); Final Rule, October 1996 General Principles of Software Validation Final Guidance for Industry and FDA Staff, FDA CDRH, January 2002 Guidance for Industry, Part 11, Electronic Records; Electronic Signatures Scope and Application, FDA, August 2003 Parenteral Drug Association (PDA) Technical Report No. 32, Report on the Auditing of Suppliers Providing Computer Products and Services for Regulated Pharmaceutical Operations, 1999 (revised 2004) 30 /45

31 GAMP 5, A Risk-Based Approach to Compliant GxP Computerized Systems, 2008 GAMP Good Practice Guide: Risk-Based Approach to Electronic Records & Signatures, April 2005 International Society for Pharmacoepidemiology, white paper, Risk-Based Approach to 21 CFR Part 11 (2002) ANVISA (Brazil): Technical Regulation of Good Manufacturing Practices of Drugs ANVISA Resolution RDC n. 17 Japan GMP Regulations: Guideline on Control of Computerized Systems in Drug Manufacturing Regulatory Guide Japan PFSB Notification, No Chinese SFDA: Ministry of Health adoption of good manufacturing practice on October 19, 2010 Canada GMP: Validation Guidelines for Pharmaceutical Dosage Forms (GUI-0029) and Good Manufacturing Practices (GMP) Guidelines 2009 Edition, Version 2 (GUI-0001) SAP Release Strategy, brochure, March 2013 Getting Started with an Upgrade, brochure for SAP Business Suite, March 2011 Business Function Prediction, June 2013 Introducing SAP Enhancement Packages, version 4, SAP presentation, August 2012 Master Guide: SAP Enhancement Package 6 for SAP ERP 6.0 Powered by SAP NetWeaver, 2013 SAP Enhancement Packages Technology Facts, version 9, September 2012 SAP Enhancement Packages Selecting and Activating Business Functions, version 1.01, October 2011 SAP NetWeaver Security Guide, SAP brochure SAP Manufacturing Execution (ME) Title 21 CFR Part 11 Compliance, SAP document, 2013 FIND OUT MORE For more information about how SAP solutions can help you comply with ERES regulations, call your SAP representative or visit us online at /lifesciences. 31 /45

32 Appendixes APPENDIX 1 SAP and FDA cgmp Functionality Matrix for Finished Pharmaceuticals (List does not claim to be exhaustive.) SAP ERP 21 CFR Part 211 cgmp for Finished Pharmaceuticals Subpart D Equipment Subpart E Control of components and drug product containers and closures Materials Management Approved vendors list Bar-code interface Batch Expiration dating Container Inventory Quarantine system Warehouse Management Production Quality Management Plant Maintenance Sales and Distribution Bar-code interface Inventory Quarantine system Container Data backup and recovery Electronic (digital) signature Process instruction sheets Resource (equipment) Security and authorizations Sequence enforcement Batch determination Active ingredient Test equipment calibration Electronic (digital) signature Equipment notifications Electronic (digital) signature Goods receipt inspection Nonconformance reporting Quality and inspection data interface (QM-IDI) to logistics information system (LIMS) Quality disposition Sample Source inspection Statistical quality control Supplier quality Plant equipment calibration Equipment Equipment status logbook Preventive maintenance Plant maintenance process controls system (PM-PCS) interface 32 / 45

33 APPENDIX 1 SAP and FDA cgmp Functionality Matrix for Finished Pharmaceuticals (List does not claim to be exhaustive.) SAP ERP 21 CFR Part 211 cgmp for Finished Pharmaceuticals Subpart F Production and process controls Subpart G Packaging and labeling control Subpart H Holding and distribution Materials Management Warehouse Management Production Quality Management Plant Maintenance Sales and Distribution Bar-code interface Bar-code interface Batch Inventory Quarantine system Container Container Task and resource Inventory Quarantine system Picking list Approved vendors list Bar-code interface Batch Expiration dating Container Inventory Quarantine system Bar-code interface Inventory Quarantine system Container Global label Bar-code interface Bar-code interface Batch First-in, first-out, and Batch where-used list first-ended, first-out, Container removal strategies Container Inventory Inventory Quarantine system Quarantine system Batch determination Document system interface Electronic batch record Electronic (digital) signature Order Active ingredient Process industries and process control system (PI-PCS) and process control connector (PCC) for operative procurement center data access (ODA) Process instruction sheets Process operator cockpit Recipe Resource (equipment) Sequence enforcement Statistical process control Subcontract manufacturing Picking list Shift report notes Batch determination Document system interface Electronic batch record Electronic (digital) signature Order Label reconciliation Process instruction sheets PI-PCS and OPC interface (ODA) Sequence enforcement Electronic (digital) signature Incoming (receiving) inspection In-process inspection Nonconformance reporting Postprocess inspection QM-IDI to LIMS Quality disposition Sample Statistical process control Statistical quality control Quality notifications Supplier quality Electronic (digital) signature Goods receipt inspection In-process inspection Nonconformance reporting Postprocess inspection Quality disposition Sample Statistical quality control Failure mode and effects analysis and control plan Calibration Equipment Equipment status logbook PM-PCS Calibration Equipment Equipment status logbook Batch determination 33 / 45

34 APPENDIX 1 SAP and FDA cgmp Functionality Matrix for Finished Pharmaceuticals (List does not claim to be exhaustive.) SAP ERP 21 CFR Part 211 cgmp for Finished Pharmaceuticals Subpart I Laboratory controls Subpart J Records and reports Subpart K Returned and salvaged drug products Materials Management Warehouse Management Production Quality Management Plant Maintenance Sales and Distribution Material documents Transfer orders Batch where-used list Inventory information Logistics and purchasing information system system Container Container Inventory Inventory Quarantine system Material reconciliation Quarantine system Material reconciliation Electronic batch record Electronic (digital) signature Master recipe Process instruction sheets Process orders Change documents and audit trails Shop-floor information system Order information system Calibration Calibration Electronic (digital) signature Equipment Equipment Equipment status logbook Incoming (receiving) inspection In-process inspection Inspection methods Nonconformance reporting Postprocess inspection Inspection data interface to LIMS Quality disposition Recurring inspection Sample Statistical quality control Test specification Stability studies Complaint Electronic (digital) signature Inspection lots Inspection plans Nonconformance reporting Change documents and audit trails Quality information system Returns inspection Complaint QM-IDI to LIMS Electronic (digital) signature Quality disposition Statistical quality control Equipment status logbook Maintenance orders Maintenance task lists Change documents and audit trails Maintenance information system Delivery notes Sales orders Sales and shipment information system Return goods authorization 34 / 45

35 APPENDIX 2 SAP and FDA cgmp Functionality Matrix for Medical Devices (List does not claim to be exhaustive.) SAP ERP: Medical Device QSR 21 CFR Part 820 Subpart H Materials Acceptance Activities Management Subpart C Design controls Subpart D Document controls Subpart E Purchasing controls Subpart F Identification and traceability Bills of materials Substance, dangerous goods Electronic (digital) signature Material master records Document system interface Approved vendors list Warehouse Management Bar-code interface Bar-code interface Batch Container Batch where-used list Inventory Container Quarantine system Shelf-life expiration Inventory Quarantine system Serial number Production Planning and Production Planning for Process Industries Quality Management Plant Maintenance Sales and Distribution Electronic (digital) signature Master recipe Process instruction sheets Routings Statistical process control Security and authorization Document system interface Bar-code interface Container Inventory Quarantine system Electronic (digital) signature Incoming (receiving) inspection In-process inspection Nonconformance reporting Postprocess inspection QM-IDI to LIMS Quality disposition Statistical process control Statistical quality control Document system interface Electronic (digital) signature Quality information records Quality notifications Supplier quality Document system interface 35 / 45

36 APPENDIX 2 SAP and FDA cgmp Functionality Matrix for Medical Devices (List does not claim to be exhaustive.) SAP ERP: Medical Device QSR 21 CFR Part 820 Subpart H Materials Acceptance Activities Management Subpart G Production and process controls Subpart H Acceptance activities Bar-code interface Batch Container Inventory Quarantine system Serial number Warehouse Management Bar-code interface Container Inventory Quarantine system Task and resource Production Planning and Production Planning for Process Industries Quality Management Plant Maintenance Sales and Distribution Batch determination Document system Electronic batch record Electronic (digital) signature In-process inspection Order Process industries process control system (PI-PCS) and process control connector (PCC) for operative procurement center data access (ODA) Process instruction sheets Process operator cockpit Recipe Resource and equipment Subcontract manufacturing Sequence enforcement Statistical process control Test equipment calibration Electronic (digital) signature Equipment Incoming (receiving) inspection In-process inspection Nonconformance reporting Postprocess inspection QM-IDI to LIMS Sample Statistical process control Statistical quality control Failure mode and effects analysis (FMEA) and control plan Electronic (digital) signature Incoming (receiving) inspection In-process inspection Inspection methods Nonconformance reporting Stability studies Postprocess inspection QM-IDI to LIMS Quality disposition Sample Source inspection Statistical quality control Test specification Plant equipment calibration Equipment Equipment status logbook Preventive maintenance 36 / 45

37 APPENDIX 2 SAP and FDA cgmp Functionality Matrix for Medical Devices (List does not claim to be exhaustive.) SAP ERP: Medical Device QSR 21 CFR Part 820 Subpart H Materials Acceptance Activities Management Subpart I Nonconforming product Batch Container Inventory Quarantine system Subpart J Container Corrective action and preventive action Inventory Quarantine system Subpart K Labeling and packaging control Subpart L Handling, storage, distribution, and installation Bar-code interface Batch Expiration dating Container Inventory Quarantine system Bar-code interface Batch Batch where-used list Container Inventory Quarantine system Warehouse Management Container Inventory Quarantine system Returns handling Container Inventory Quarantine system Lot genealogy (batch tracking) Bar-code interface Container Inventory Quarantine system Global label Bar-code interface Container First-in, first-out, and first-ended, first-out, removal strategies Inventory Quarantine system Container Production Planning and Production Planning for Process Industries Quality Management Plant Maintenance Sales and Distribution Electronic batch record Rework orders Batch determination Document system interface Electronic batch record Electronic (digital) signature In-process inspection Label reconciliation Order PI-PCS and OPC interface (ODA) Process instruction sheets Sequence enforcement Electronic (digital) signature Nonconformance reporting Quality disposition Quality inspection Complaint Electronic (digital) signature Nonconformance reporting QM-IDI to LIMS Quality disposition Corrective and preventive actions root cause analysis Returns inspection Statistical quality control Electronic (digital) signature Goods receipt inspection In-process inspection Nonconformance reporting Postprocess inspection Quality disposition Sample Statistical quality control Calibration Equipment Equipment status logbook Return goods authorization Installation inspection Equipment Batch determination Delivery notes Sales orders 37 / 45

38 APPENDIX 2 SAP and FDA cgmp Functionality Matrix for Medical Devices (List does not claim to be exhaustive.) SAP ERP: Medical Device QSR 21 CFR Part 820 Subpart M Records Subpart N Servicing Subpart O Statistical techniques Materials Management Bills of materials Material documents Logistics and purchasing information system Warehouse Management Production Planning Quality Management Plant Maintenance Sales and Distribution Transfer orders Inventory information system Electronic batch record Electronic (digital) signature Master recipe Process instruction sheets Process orders Production orders Routing Shop-floor information systems Statistical process control Complaint Electronic (digital) signature Inspection lots Inspection plans Nonconformance reporting Quality information system Service inspection Spare-parts control Quality statistical data interface Sample Statistical process control Statistical quality control Equipment status logbook Maintenance orders Maintenance task lists Maintenance information system Service Spare-parts Delivery notes Sales orders Sales and shipment information system 38 / 45

39 APPENDIX 3 cgmp Critical Transactions List for Negative Testing of Security Profiles: Examples Technical Data 1 SU01 Maintain authorizations 2 SE38 Execute program Master/Transactional Data 3 MM01 Create material 4 MM02 Change material 5 MMDE Delete all materials 6 ME01 Maintain source list 7 MSC1 Create batch 8 MSC2 Change batch 9 BMBC Create batch information cockpit 10 C201 Create master recipe 11 C202 Change master recipe 12 C298 Delete master recipe 13 COR1 Create process order with material 14 COR2 Change process order 15 QA01 Create inspection lot 16 QA02 Change inspection lot Master/Transactional Data 17 QA08 Do mass change of quality inspection data 18 QA11 Record usage decision 19 QA12 Change usage decision 20 QA14 Change usage decision without history 21 QA16 Create collective usage decision for OK lots 22 QA32 Select inspection lots 23 QAC1 Correct actual quantity in inspection lot 24 QAC2 Transfer inspection lot quantity 25 QAC3 Inspection lot reset sample calculation 26 QE01 Record results 27 QE02 Change results 28 QE51 Work list: record results 29 QVM1 Create inspection lots without inspection completion 30 QVM2 Create inspection lots with open quantities 31 QVM3 Create inspection lots without usage decision 32 QM01 Create quality notification Master/Transactional Data 33 QM02 Change quality notification 34 LT0G Return delivery to stock 35 MB57 Build up batch where-used list 36 MI07 Create process list of differences 37 CO54 Monitor messages 38 CO55 Create work list for maintaining product information (PI) sheet 39 CO58 Maintain PI sheet 40 CO59 Delete PI sheet 41 MRCHVW Enable batch with reconciliation 42 MB56 Analyze batch where-used list 43 VCH1 Create batch search strategy 44 VCH2 Change batch search strategy 45 CS01 Create material bill of materials As life science companies compete across the global marketplace, a number of key factors are influencing their approach to regulatory compliance for their computer systems. 39 / 45

40 APPENDIX 4 Compliance Summary Table of EU and PIC/S GMP Guidelines for Annex 11 Requirements EU Annex 11 to the EU GMP Guideline Commission Directive 2003/94/EC and PIC/S Guide to Good Manufacturing Practice for Medicinal Products Risk Management 1 Comment This section is a procedural requirement for organizations and is not related to the functions of the SAP ERP application. Personnel 2 This section is comparable to clause 11.10(i) in Part 11. Suppliers and Service Providers 3 Validation 4 Data 5 Accuracy Checks 6 Data Storage 7 This section is a procedural requirement for organizations and is not related to the functions of SAP ERP. Validation is a procedural requirement for organizations and is not related to the functions of SAP ERP. The quality system used at SAP to help ensure software quality describes those phases of the software lifecycle involved in developing and maintaining SAP software. We have developed SAP ERP according to a formally recognized software development lifecycle and have maintained ISO 9001 certification for SAP ERP since ISO 9001 requirements cover the development, production, sales, and maintenance of products and services. This is comparable to clauses 11.10(e) and 11.10(k) in Part 11. SAP ERP complies with these requirements. For example, warnings appear when users enter aberrant data, such as when a user records results in quality or records process data in process instruction sheets. The user is then prompted to confirm entry of this data before it is accepted. This is comparable to clause 11.10(h). Otherwise, this is a procedural requirement for organizations and is not related to the functions of SAP ERP. See Data 5 and clause 11.10(f). This section is a procedural requirement for organizations and is not related to the functions of SAP ERP. Printouts 8 This section is comparable to clause 11.10(b) in Part 11. Audit Trails 9 This section is comparable to clauses 11.10(a), 11.10(e), and 11.50(a)(b) in Part 11. The exception is that Annex 11 specifically requires a reason for change in order for certain critical data to be defined in a statement of purpose, to which high-gmp-critical transactions should be linked with a reason for change. According to the predicate rule, high-gmp-critical trans actions are those that require a digital signature where a comment field is being offered. The digital signature tool can be linked as well to any business object in SAP Business Suite software using the comment field. In addition, you can manage critical data through engineering change. Moreover, you can record the reason for change by long text. 40 / 45

41 APPENDIX 4 Compliance Summary Table of EU and PIC/S GMP Guidelines for Annex 11 Requirements Change and Configuration Management 10 Periodic Evaluation 11 This section is a procedural requirement for organizations and is not related to the functions of SAP ERP. This section is a procedural requirement for organizations and is not related to the functions of SAP ERP. Security 12 This section is comparable to clauses 11.10(d), 11.10(e), and 11.10(g) in Part 11. Incident Management 13 This section concerns the quality method used by SAP for SAP ERP and is comparable to clauses 11.10(e) and 11.10(k). Otherwise, it is a procedural requirement for organizations and is not related to the functions of SAP ERP. Electronic Signature 14 This section is comparable to clauses 11.50(a), 11.50(b), and in Part 11. Batch Release 15 This section is comparable to clauses 11.10(d), 11.10(g), and 11.50(a) in Part 11. Business Continuity 16 Archiving 17 This section is a procedural requirement for organizations and is not related to the functions of SAP ERP. This section concerns physical properties that are procedural requirements for organizations and is not related to the functions of SAP ERP. It is comparable to clauses 11.10(c) and in Part 11. SAP has a deep relationship with the life sciences industry, and SAP ERP provides a win-win opportunity for you to promote global ERES and GMP compliance while reducing your costs and maximizing ROI. 41 / 45

42 APPENDIX 5 Compliance Summary Table of ICH Q7A Guideline for Part 11 Requirements ICH Q7A Guideline, Part II Basic Requirements for Active Substances Used as Starting Materials Comment 5.40 Validation is a procedural requirement for organizations and is not related to the functions of the SAP ERP application. The quality method used by SAP describes those phases of the software lifecycle involved in developing and maintaining SAP software. SAP ERP has been developed according to a formally recognized software development lifecycle and has maintained ISO 9001 certification since ISO 9001 requirements cover the development, production, sales, and maintenance of products and services. This is comparable to clauses 11.10(e) and 11.10(k) in Part The quality method used by SAP describes those phases of the software lifecycle involved in developing and maintaining SAP software. SAP ERP has been developed according to a formally recognized software development lifecycle and has maintained ISO 9001 certification since ISO 9001 requirements cover the development, production, sales, and maintenance of products and services This section is a procedural requirement for organizations and is not related to the functions of SAP ERP This section is comparable to clauses 11.10(c), 11.10(d), 11.10(e), 11.10(g), 11.50(a)(b), and in Part This section is comparable to clauses 11.10(e) and 11.10(2) in Part SAP ERP posts warnings when users enter aberrant data or when a user records results in quality or records process data in process instruction sheets. SAP ERP then prompts the user to confirm entry of this data before it is accepted. This is comparable to clauses 11.10(f) and 11.10(h) in Part This section is comparable to clauses 11.10(a), 11.10(b), 11.10(c), and 11.10(e) in Part This section is a procedural requirement for organizations and is not related to the functions of SAP ERP This section is comparable to clause 11.10(c). Otherwise, it is a procedural requirement for organizations and is not related to the functions of SAP ERP This section is a procedural requirement for organizations and is not related to the functions of SAP ERP. 42 / 45

43 How Does SAP ERP Comply with Part 11? The following table summarizes how SAP ERP complies with each requirement of Part 11. SAP ERP Application Compliance with Part 11 Part 11 Clause Comments 11.10(a) You can configure the SAP ERP application as per the predicate rules. You can perform data conversion and transfer validation for SAP ERP to verify the accuracy while also carrying out performance and stress testing to validate the reliability of SAP ERP. Consistent intended performance can be validated through multiple testing such as the following: Unit and functional cycle testing Integration cycle testing Regression cycle testing Interface and security cycle testing Site and gap testing All electronic records within the SAP ERP application provide adequate audit trails that can be reviewed for information. These records are secured from unauthorized access (b) 11.10(c) 11.10(d) 11.10(e) 11.10(f) All electronic records generated in SAP ERP are accurate, complete, and presented in a human-readable format. Electronic records in SAP ERP can be printed or exported into several industry-standard formats such as PDF and XML. You can configure the audit trails maintained for either a specific table or a transaction code within SAP ERP. This would allow for the use of a risk-based approach to the information that would require an audit trail. (For example, you can configure GxP critical data tables to be tacked while other non-gxp data would not necessarily require the same rigor.) You can maintain all electronic records in the active database or archive them to accommodate all required retention periods even when you upgrade the software. Access to these records is secured using standard SAP software authorization profiles. In addition, SAP ERP maintains the link between electronic signatures executed to electronic records even after archiving. Robust security administration and authorization profiles help ensure system access to authorized individuals. Changes to security profiles are recorded as audit trails in SAP ERP. The same can be verified by application and Basis security testing: Security profile testing Basis security testing SAP ERP automatically generates all electronic records for creating, modifying, or deleting data. These records are date and time stamped and include the user ID of the individual who is logged on to the system and who performed the action. Electronic records also maintain the old and new values of the change and the transaction used to generate the record. This complements the requirement in 11.10(c) in that you can maintain all electronic records in the active database or archive them to accommodate all required retention periods. In addition, SAP ERP maintains the link between electronic signatures executed to electronic records. SAP ERP helps ensure that you follow steps in the correct sequence where there are sequences of operations, sequential events, or sequential data entry that is important to the system. For example, process instruction sheets used in manufacturing execution include sequence enforcement (operational checks) to enforce permitted sequencing of steps and events, as appropriate. 43 / 45

44 SAP ERP Application Compliance with Part 11 Part 11 Clause Comments 11.10(g) SAP ERP executes authority checks in conjunction with its robust security administration and authorization profiles. This helps ensure that only authorized individuals can access the system, electronically sign a record, and access or perform the operation at hand. SAP ERP also records changes to authorization profiles. The same can be verified by application and Basis security testing: Security profile testing Basis security testing 11.10(h) 11.10(i) 11.10(j) 11.10(k) Input devices such as terminals, measurement devices, and process control systems, in addition to remote logon, are maintained through the same SAP software security administration features and require authorization profiles for connection to SAP ERP. In addition, you can manage and control device checks such as device type (for example, a weigh scale with specified range) and device status (such as calibrated) through classification features in SAP ERP. This lets you determine the validity of the source of information. The Quality Management Manual for SAP software development requires that all personnel responsible for developing and maintaining SAP ERP have the education, training, and experience to perform their assigned tasks. A wide range of additional education and training offerings and regular assessments of individual training requirements help ensure a process of continuous learning for SAP staff involved in the development and support of all SAP software. This clause covers a procedural requirement for organizations and is not related to the functions of SAP ERP. The document system, which is part of the SAP Product Lifecycle Management application, can provide controls over the distribution, access, and use of documentation for system operation and maintenance. In addition, SAP ERP maintains the electronic records (audit trail) for revision and change control according to clause 11.10(e). Use of online documentation and knowledge warehouse functionality from SAP requires procedural controls by your organization to help ensure compliance with this clause The SAP software system is a closed system, so 11.30, which specifies controls for open systems, does not apply. For open systems, SAP ERP supports interfaces with complementary software partners that supply cryptographic methods such as public key infrastructure technology (a) 11.50(b) Electronic signature records within SAP ERP contain the following information: The printed name of the signer The date and time when the signature was executed, including the date and time local to the signer when multiple time zones are involved The meaning (such as review, approval, responsibility, or authorship) associated with the signature SAP ERP automatically records the meaning associated with the signature with standard descriptions of the activity the signature performed (inspection lot approval, results recording, and so on). In addition, you can use the comment field to expand or clarify the meaning of the signature. In SAP ERP, electronic signature records are maintained in the same manner as all electronic records, and you can display or print them in a human-readable format In SAP ERP, electronic records of signatures are permanently linked to the executed electronic record. This link cannot be removed, copied, or transferred to falsify other electronic records by any ordinary means. As stated previously, this link remains when the electronic records are archived (a) User and security administration functions of SAP ERP provide robust system checks and configurable security procedures to establish and maintain a unique signature for each individual. This includes the prevention of reallocating a signature and deleting information relating to the electronic signature once it has been used. 44 / 45

45 SAP ERP Application Compliance with Part 11 Part 11 Clause Comments (b) This clause covers a procedural requirement for organizations and is not related to the functions of SAP ERP (c) (a)(1) (a)(2) (a)(3) (b) (a) (b) (c) (d) (e) This clause covers a procedural requirement for organizations and is not related to the functions of SAP ERP. SAP ERP requires two distinct components a user ID and a password to perform each and every electronic signature. By design, SAP ERP does not support continuous sessions where only a single component is necessary subsequent to the first signing. For signatures executed, for example, in production planning for process industries or quality, the user ID of the person logged on to the current session is displayed by the system in the field. When a person executes a signature, this user ID can be deleted and replaced by a different user. SAP ERP requires the user ID and the corresponding password to authenticate the identity of each user. The user who has successfully executed the signature is recorded in the electronic record of the signature. You must have procedural controls to manage this process accordingly. This clause covers a procedural requirement for organizations and is not related to the functions of SAP ERP. User and security administration functions of SAP ERP help ensure that the attempted use of an individual s electronic signature other than the genuine owner requires the collaboration of two or more individuals. SAP ERP provides a certified interface to biometric devices such as fingerprint and retinal scanning devices. Look for certified vendors in the directory at User and security administration functions of SAP ERP provide the necessary controls to help ensure that no two individuals have the same combination of identification code (user ID) and password. You can configure SAP ERP to force users to change passwords at various intervals. In addition, the application provides system checks to prevent users from repeating passwords or using combinations of alphanumeric characters that are included in the user ID. You can invalidate user IDs, for example, when an employee leaves the company. This clause covers a procedural requirement for organizations and is not related to the functions of SAP ERP. SAP ERP provides the following features to satisfy (d): When the number of failed attempts (for either logon or signature) is exceeded, SAP ERP prevents the user from further access without intervention from the security administration. Note that you can configure the number of failed attempts allowed. SAP ERP generates an express message and sends it to a defined distribution list to notify the security administration in an immediate and urgent manner. In addition, you can interface any Messaging Application Programming Interface (MAPI)-compliant messaging system to SAP ERP to send this message externally to systems such as Microsoft Exchange or even a paging system. An electronic record of all failed attempts (for either logon or signature) is maintained in the security audit log. SAP ERP also generates electronic records for the locking and unlocking of users. This clause covers a procedural requirement for organizations and is not related to the functions of SAP ERP. CMP28340 (13/12) 45 / 45

46 No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP AG and its affiliated companies ( SAP Group ) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see for additional trademark information and notices. Disclaimer These materials are subject to change without notice. SAP AG s compliance analysis with respect to SAP software performance based on U.S. FDA 21 CFR Part 11, EU Annex 11 to the EU GMP-Guideline Commission Directive 2003/94/EC, Annex 11 to PIC/S Guide to Good Manufacturing Practice for Medicinal Products, ICH Q7A Guideline, Part II Basic Requirements for Active Substances used as Starting Materials and further mentioned international ERES regulations: (i) in no way expresses the recognition, consent, or certification of SAP software by the United States Food and Drug Administration or European/International Authorities; and (ii) applies to certain components of the SAP ERP application only as stated herein. The customer is solely responsible for compliance with all applicable regulations, and SAP AG and its affiliated companies ( SAP Group ) have no liability or responsibility in this regard. These materials are provided by SAP Group for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.