
SAP White Paper

COMPLYING WITH U.S. FDA TITLE 21 CFR PART 11
ELECTRONIC RECORDS ELECTRONIC SIGNATURES; FINAL RULE



© Copyright 2001 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft®, WINDOWS®, NT®, EXCEL®, Word®, PowerPoint® and SQL Server® are registered trademarks of Microsoft Corporation.

IBM®, DB2®, OS/2®, DB2/6000®, Parallel Sysplex®, MVS/ESA®, RS/6000®, AIX®, S/390®, AS/400®, OS/390®, and OS/400® are registered trademarks of IBM Corporation.

ORACLE® is a registered trademark of ORACLE Corporation.

INFORMIX®-OnLine for SAP and Informix® Dynamic Server™ are registered trademarks of Informix Software Incorporated.

UNIX®, X/Open®, OSF/1®, and Motif® are registered trademarks of the Open Group.

HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

JAVA® is a registered trademark of Sun Microsystems, Inc.

JAVASCRIPT® is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, SAP Logo, R/2, RIVA, R/3, SAP ArchiveLink, SAP Business Workflow, WebFlow, SAP EarlyWatch, BAPI, SAPPHIRE, Management Cockpit, mySAP.com Logo and mySAP.com are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other products mentioned are trademarks or registered trademarks of their respective companies.

Disclaimer
Compliance with this regulation is based solely upon the interpretation of this rule by SAP AG and in no way expresses the recognition, consent, or certification of SAP software by the United States Food and Drug Administration. SAP's claim of compliance to 21 CFR Part 11 is in reference to SAP R/3 Release 4.6C exclusively (with the U.S. FDA 21 CFR Part 11 Enhancement for Electronic Records installed). It is the sole responsibility of the customer - not SAP AG - to demonstrate compliance with all applicable regulations. Suggestions and recommendations described within this document are intended to provide useful information and guidance to customers.

CONTENTS

Introduction
Overview
Background
– U.S. Food and Drug Administration (FDA)
– 21 CFR Part 11 Electronic Records, Electronic Signatures; Final Rule

Discussion of 21 CFR Part 11 Rule
How Does SAP R/3 Comply with Part 11?
How Does SAP R/3 Comply with Other GMP Guidelines With Similar Part 11 Requirements?
Subpart A – General Provisions
What SAP R/3 Functionality May Be Regulated?
Subpart B – Electronic Records
– Validation
– Software Quality
– Validation of SAP R/3 in an FDA-Regulated Environment
– Validation Approach to Achieve Part 11 Compliance
– Electronic Records
– Change Master Record
– Change Document Object
– Table Logging
Subpart C – Electronic Signature
Electronic and Digital Signatures in SAP R/3
– Digital Signatures
Hybrid Systems

Conclusion

References
Appendix 1: SAP/FDA CGMP Functionality Matrix for Finished Pharmaceuticals
Appendix 2: SAP/FDA CGMP Functionality Matrix for Medical Devices
Appendix 3: FDA CGMP Critical Transactions List for Negative Testing of Security Profiles
Appendix 4: Compliance Summary Table of EC and PIC GMP Guidelines for Part 11 Requirements
Appendix 5: Compliance Summary Table of Q 7a ICH Guideline for Part 11 Requirements

INTRODUCTION

OVERVIEW
The purpose of this document is to describe the functions and features of SAP R/3 Release 4.6C that (in the opinion of SAP AG) demonstrate compliance with U.S. FDA 21 CFR Part 11 Electronic Records Electronic Signatures; Final Rule. This document provides background information about the regulation, discusses how SAP R/3 complies with this rule, and provides examples of electronic records and signatures within SAP R/3. In addition, several European Good Manufacturing Practice (GMP) guidelines having similar 21 CFR Part 11 requirements are discussed. The functions and features described within this document apply only to SAP R/3 Release 4.6C with the U.S. FDA 21 CFR Part 11 Enhancement for Electronic Records installed. However, prior releases can be compliant depending on the scope of functions implemented. In other instances, Part 11 compliance can still be achieved with some customization.

BACKGROUND
U.S. Food and Drug Administration (FDA)
The U.S. Food and Drug Administration (FDA) is a public health agency that is charged with protecting American consumers by enforcing the U.S. Federal Food, Drug, and Cosmetic Act and other related public health laws. The FDA regulates over $1 trillion U.S. dollars worth of products, which account for 25 cents of every dollar spent annually within the United States. These products include:
• Food for human and animal consumption
• Pharmaceuticals consisting of ethical, generic, and over-the-counter (OTC) drugs for human use as well as medicines for animals
• Biological and related products including blood, vaccines, and biological therapeutics
• Medical devices
• Radiation-emitting devices such as microwaves
• Cosmetics

The FDA monitors the manufacture, import, transport, storage, and sale of these products by some 95,000 FDA-regulated businesses in the United States alone and several thousand international organizations that conduct business in the U.S. Compliance with FDA regulations is a market requirement. In addition, products require FDA approval before they can be marketed or sold in the U.S. Non-compliance with any of the laws enforced by the FDA can be very costly in the form of recalls and legal sanctions such as import detentions. When warranted, the FDA seeks criminal penalties, including prison sentences, against manufacturers and distributors.

21 CFR Part 11 Electronic Records Electronic Signatures; Final Rule
The U.S. FDA regulation 21 CFR Part 11 Electronic Records Electronic Signatures; Final Rule (which we will refer to simply as Part 11) was the result of a five-year effort by the FDA (with input from industry) to supply all FDA-regulated companies with requirements on how paperless (e.g. electronic) record systems could be maintained while still complying with Good Clinical, Laboratory, and Manufacturing Practices (GxP). The regulation also details very specific requirements for electronic and digital signatures because the FDA considers these signatures to be legally binding.

Since its publication more than three years ago, this regulation has been subject to evolving interpretations both by the FDA and industry. Most SAP customers took a wait and see position toward FDA interpretation and enforcement until May, 1999 when the FDA published Compliance Policy Guide Section 160.850 titled Enforcement Policy: 21 CFR Part 11; Electronic Records; Electronic Signatures (CPG 7153.17). The enforcement policy describes the FDA’s approach to enforcing the Part 11 regulation in addition to detailing the following expectations and concerns of all regulated businesses. The FDA’s expectations include the following:
• The FDA expects that companies using computer systems will begin taking steps to achieve full compliance. As explained in the preamble to the final rule, Part 11 does not grandfather any systems. This means that all systems must comply or be replaced.
• The FDA expects that Part 11 requirements for procedural controls will already be in place.
• The FDA recognizes that technology-based controls may take longer to install in older systems.

The FDA concerns detailed in the policy are:
• Failure to secure files from alteration, erasure, or data loss
• Failure to secure access
• Functions that allow uncontrolled modifications, deletions, or partial deletions of data files

DISCUSSION OF 21 CFR PART 11 RULE
This section has four parts: a summary table that describes clause-by-clause how SAP R/3 Release 4.6C complies with the Part 11 rule, followed by discussion of key requirements for each subpart A, B, and C of the regulation.

HOW DOES SAP R/3 COMPLY WITH PART 11?
The following table summarizes how SAP R/3 complies with each requirement of Part 11.

Part 11 Clause    Comments

11.10(a)    All electronic records within SAP R/3 provide adequate audit trails that can be reviewed for information. These records are secured from unauthorized access.
11.10(b)    All electronic records generated in SAP R/3 are accurate, complete, and presented in a human readable format.
11.10(b)    SAP R/3 records can be printed or exported into several industry-standard formats, such as ASCII text and spreadsheets.
11.10(c)    All electronic records can be maintained in the active database or archived to accommodate all required retention periods even when software is upgraded. Access to these records is secured using standard SAP authorization profiles. In addition, SAP R/3 maintains the link between electronic signatures and electronic records even after archiving.
11.10(d)    Robust security administration and authorization profiles assure system access. Changes to security profiles are recorded in SAP R/3.
11.10(e)    SAP R/3 automatically generates all electronic records for creating, modifying, or deleting information. These records are date-time stamped and include the user ID of the person who performed the action. Electronic records also maintain the old and new values of the change and the transaction used to generate the record.
11.10(e)    Complementing the requirement in 11.10(c), all electronic records can be maintained in the active database or archived to accommodate all required retention periods. In addition, SAP R/3 maintains the link between electronic signatures and electronic records.
11.10(f)    Process instruction (PI) sheets used in manufacturing execution include sequence enforcement (operational checks) to enforce the allowable sequencing of steps and events, as appropriate.
11.10(g)    SAP R/3 executes authority checks in conjunction with its robust security administration and security profiles to ensure only authorized individuals can access the system, electronically sign a record, and access or perform operations. SAP R/3 also records changes to security profiles.
11.10(h)    Input devices, such as terminals, process control systems, and so on, and remote logon are maintained through the same SAP security administration features and require authorization profiles for connection to SAP R/3. In addition, device checks, such as device type (for example, a weigh scale with specified range) and device status (such as calibrated) can be managed and controlled via SAP R/3 classification features to determine the validity of the source of information.
11.10(i)    The Quality Management Manual for SAP Development requires that all personnel responsible for developing and maintaining SAP R/3 have the education, training, and experience to perform their assigned tasks. A wide range of additional education and training offerings and regular assessments of individual training requirements ensures a process of continuous learning for SAP staff involved in the development and support of all SAP software.
11.10(j)    This clause covers a procedural requirement for customers and is not related to the functions or capabilities of SAP R/3.

11.10(k)    The SAP R/3 document management system, which is part of SAP Product Lifecycle Management (SAP PLM), can provide controls over the distribution, access, and use of documentation for system operation and maintenance. In addition, SAP R/3 maintains the electronic records (an audit trail) for revision and change control according to clause 11.10(e). Use of SAP online documentation and the SAP Knowledge Warehouse requires procedural controls by customers to ensure compliance with this clause.
11.30    For open systems, SAP R/3 supports interfaces with complementary software partners that supply cryptographic methods such as public key infrastructure (PKI) technology. Digital signatures can be executed in each function where an electronic signature currently exists.
11.50(a)    Electronic signature records within SAP R/3 contain the following information:
• The printed name of the signer
• The date and time when the signature was executed, including the local date and time for the signer when multiple time zones are involved (see comment 101 in the preamble of Part 11)
• The meaning (such as review, approval, responsibility, or authorship) associated with the signature
SAP R/3 automatically records the meaning associated with the signature with standard descriptions of the activity the signature performed (inspection lot approval, results recording, and so on). In addition, customers can use the comment field to expand or clarify the meaning of the signature.
11.50(b)    Electronic signature records are maintained in the same manner as all electronic records and can be displayed or printed in a human readable format.
11.70    Electronic records of signatures are permanently linked to the executed electronic record. This link cannot be removed, copied, or transferred to falsify other electronic records by any ordinary means. As stated previously, this link remains when the electronic records are archived.
11.100(a)    SAP R/3 user and security administration provides robust system checks and configurable security procedures to establish and maintain a unique signature for each individual, including the prevention of reallocation of a signature and deletion of information relating to the electronic signature once it has been used.
11.100(b)    This clause covers a procedural requirement for customers and is not related to the functions or capabilities of SAP R/3.
11.100(c)    This clause covers a procedural requirement for customers and is not related to the functions or capabilities of SAP R/3.
11.200(a)(1)    SAP R/3 requires two distinct components – a user ID and a password – to perform each and every electronic signature. By design, SAP R/3 does not support continuous sessions where only a single component is necessary subsequent to the first signing.
11.200(a)(2)    This clause covers a procedural requirement for customers and is not related to the functions or capabilities of SAP R/3.
11.200(a)(3)    SAP R/3 user and security administration functions ensure that the attempted use of an individual's electronic signature other than the genuine owner requires the collaboration of two or more individuals.
11.200(b)    SAP R/3 provides a certified interface to biometric devices such as fingerprint and retinal scanning devices. Look for certified vendors in the SAP Complementary Software Program™.

11.300(a)    SAP R/3 user and security administration provide the necessary controls to ensure that no two individuals have the same combination of identification code (user ID) and password.
11.300(b)    SAP R/3 can be configured to force users to change passwords at various intervals and it provides system checks to prevent users from repeating passwords or using combinations of alphanumeric characters that are included in the user ID. User IDs can also be invalidated, for example, when an employee leaves the company.
11.300(c)    This clause covers a procedural requirement for customers and is not related to the functions or capabilities of SAP R/3.
11.300(d)    SAP R/3 provides the following features to satisfy 11.300(d):
• When the number of failed attempts (for either logon or signature) is exceeded, SAP R/3 prevents the user from further access without intervention from Security Administration. Note: The number of failed attempts allowed is configurable.
• SAP R/3 generates an express mail within SAPOffice and sends it to a defined distribution list to notify Security Administration “in an immediate and urgent manner.” In addition, any MAPI-compliant messaging system can be interfaced to SAP R/3 to send this message externally to e-mail systems such as Microsoft Exchange, or even a paging system.
• An electronic record of all failed attempts (for either logon or signature) is maintained in the Security Audit Log. SAP R/3 also generates electronic records for the locking and unlocking of users.
11.300(e)    This clause covers a procedural requirement for customers and is not related to the functions or capabilities of SAP R/3.

HOW DOES SAP R/3 COMPLY WITH OTHER GMP GUIDELINES WITH SIMILAR PART 11 REQUIREMENTS?
Outside of the U.S., other guidelines exist for Good Manufacturing Practice, electronic records, and electronic signatures. These guidelines include:
• European Community Guideline to GMP for Medicinal Products (1998), Annex 11, Computerised Systems
  “Whereas all medicinal products for human use manufactured or imported into the Community, including medicinal products intended for export, should be manufactured in accordance with the principles and guidelines of good manufacturing practice.”
• Pharmaceutical Inspection Convention (PIC) GMP Guideline PH 1/97 Guide to Good Manufacturing Practice for Medicinal Products. GMP-Guideline for PIC member states.
• Q 7a, Final Draft Step 4 (November, 2000) International Conference on Harmonization of Technical Requirements for Registration of Pharmaceuticals for Human Use (ICH) Guideline Good Manufacturing Practice Guide for Active Pharmaceutical Ingredients
  “When this topic was adopted, the Steering Committee took steps to ensure that due account was taken of the work already in progress by PIC/S, FDA and other parties. In view of the unusually wide implications of this topic, a much extended EWG has been established which includes, in addition to the six ICH parties and the Observers, experts representing IGPA (generics industry), WSMI (self medication industry) and PIC/S. With respect to the latter, representatives from China, India and Australia have been invited to participate.”
  Implementation (Step 5):
  EU (European Union): Adopted by CPMP (Committee for Proprietary Medicinal Products), November 2000, issued as CPMP/ICH/4106/00
  MHW (Ministry of Health and Welfare Japan): to be notified
  FDA: to be notified

Appendices 4 and 5 provide summary tables that describe how SAP R/3 complies with each of these guidelines in comparison to the Part 11 rule.

SUBPART A – GENERAL PROVISIONS

What SAP R/3 Functionality May Be Regulated?
FDA regulations encompass many SAP R/3 functions. The only functional areas that may be completely excluded from the FDA scope are finance (for example, Financial Accounting, Controlling, and Asset Management) and planning (for example, Demand Management, Forecasting, Profitability Analysis, and Sales and Operations Planning). Any functional area that is FDA or GxP-relevant must comply with Part 11 based upon the predicate rule. This includes:
• Human Resources (HR) (training information)
• Materials Management (MM)
• Plant Maintenance (PM)
• Production Planning (PP)
• Production Planning Process Industries (PP-PI)
• Quality Management (QM)
• Sales and Distribution (SD)
• Warehouse Management (WM)

In addition, central functions such as Classification, Engineering Change Management, and Document Management are also included. For additional information, Appendices 1 and 2 contain the SAP / FDA Current Good Manufacturing Practice (CGMP) Functionality Matrix for both pharmaceuticals and medical devices. These matrices illustrate how SAP R/3 promotes compliance to these regulations and provides guidance as to what functionality (and electronic records) may be regulated by the FDA.

SUBPART B – ELECTRONIC RECORDS

Validation
In the Part 11 preamble (specifically comments 64 through 68), the FDA discusses the validation of electronic systems and acknowledges the complexity and controversy of validating commercial software. The agency also reiterates its general principle of validation that “planned and expected performance is based upon predetermined design specifications.” The following sections discuss the validation requirements both inferred and stated within §11.10(a).

Software Quality
SAP R/3 has been developed according to a formally recognized software development life cycle and has maintained ISO 9001 certification since 1994. SAP Development and Horizon software quality management program is audited numerous times each year by individual companies as well as industry groups such as the Pharmaceutical Validation Group (PVG). In addition, SAP is a member of the Audit Repository Center (ARC), which has been licensed by the U.S. Parenteral Drug Association (PDA) to manage the reports of audits performed according to standardized processes for the suppliers of computer products and services. This process is described in further detail in PDA Technical Report #32. The first repository audit of SAP development will be available to subscribing members in the second half of 2001.

It must be recognized that this information provides only assurance of the quality systems of the software supplier and the development of SAP R/3. Pursuant to FDA’s general principle of validation and given the fact that SAP is a highly configurable software solution, the SAP R/3 configuration must be validated according to predetermined business requirements. Therefore, to establish documentary evidence that provides a high degree of assurance that the configured system performs as intended, a validation methodology as part of a recognized software development life cycle (SDLC) must be deployed.

Figure 1: Enhanced V-Model Highlighting the ASAP Methodology and Available SAP Tools

Validation of SAP R/3 in an FDA-Regulated Environment
Figure 1 shows a high-level representation of this methodology. The “V-model” is a high-level concept illustration first introduced by the Good Automated Manufacturing Practice (GAMP) Forum that was established by representatives from major international companies to interpret and improve understanding of regulations for the development, implementation, and use of automated systems in pharmaceutical manufacturing. This “V-model” has been enhanced to more closely represent the AcceleratedSAP (ASAP) methodology, but it remains consistent with the formally recognized software development life cycle.

Validation Approach to Achieve Part 11 Compliance
Key activities necessary to validate SAP R/3 in compliance with Part 11 are:
• Define Part 11 requirements in:
  – Validation Master Plan (VMP)
  – Operational Qualification (OQ)
• Conduct GxP assessment
  – Determine GxP-relevant business processes and R/3 Objects
  – GxP relevance can be determined at the transaction, object, or field level
• Configure software to activate complete audit trails and electronic signatures
• Develop security authorizations according to software development life cycle (SDLC)
  – Establish functional requirements specification for job roles
  – Use the Business Process Master List (BPML) as the only source of authorization profile development. This ensures that unused, non-validated business processes within SAP R/3 are effectively blocked from unauthorized access
  – Profiles should be managed similar to configuration in regard to change control and SAP R/3 Transport Management
• System testing
  – Create test objectives to demonstrate 21 CFR Part 11 compliance for each relevant clause of the regulation (for example, §11.10 (b) challenges the creation of an accurate and complete electronic record)
  – System testing of profiles should include negative testing of business critical transactions (for example, CGMP). See Appendix 3 for a suggested list of CGMP-critical transactions
• Training
  – Ideally, users should be trained for all transactions within their profile(s) (ref. §11.10 (i))

It is important to recognize the impact of the interpretation of §11.10 (b), specifically the word “complete,” as it pertains to electronic records generated in SAP R/3. To identify where Part 11 applies, a GxP assessment must be performed. Before conducting this assessment, however, a strategy must be established defining at what level relevance to GxP will be assigned – the transaction or object level (for example, process order, material master, etc.) or at the field level (for example, order quantity, but not scheduling margin key for process order). This strategy is directly related to how the term “complete” is interpreted – either all the data contained within the transaction or object itself or only the data determined to be GxP relevant.

It is important to understand the impact of each approach both from a compliance and system performance perspective. GxP relevance at the object level may significantly reduce the risk of potential challenges to the system's compliance because the boundaries of GxP and non-GxP are more clearly defined. Examples include a process order versus a planned order or a resource versus a capacity. However, this approach increases the amount of required configuration and can potentially affect system performance.

GxP assessment at the field level requires less configuration and does not affect system performance. However, this approach potentially increases the risk of challenges to the system's compliance. Establishing GxP relevance at the field level increases the granularity to which SAP R/3 can be scrutinized – potentially invoking challenges field by field within transactions and master data objects.

Additional written justification is required to clearly explain the assessment of why certain fields are not GxP relevant. This approach can also be challenged with the technical argument that SAP’s integrated infrastructure maintains both GxP and non-GxP data within the same database tables and business processes. Therefore, all data within these tables and transactions are subject to the same level of control to protect the integrity of the GxP data.

With respect to security and training, it is important to recognize the intent of §11.10 (i) is to ensure that persons have the wherewithal to competently execute and complete all of their assigned tasks. A potential compliance issue is the interpretation of “assigned tasks” and how job roles and authorizations may be developed and assigned within SAP R/3. As part of their assigned job role within SAP R/3, employees may have authorization for various transactions that they themselves do not use, but are included for other persons with the same assigned job role that require these authorizations. Therefore, a person may have authorization for transactions or “tasks” that have been assigned to their job profile, but for which they have not been trained.

Electronic Records
The FDA defines an electronic record as “Any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.” Applying this comprehensive definition to SAP R/3, there are various types of electronic records, such as:
• Configuration within the Implementation Guide (IMG)
• Transports and business configuration sets used to migrate configuration from one system to another
• Master data such as the material master, vendor, resource, recipe, and customer
• Business processing objects such as purchase orders, process orders, and inspection lots
• Business process or transaction execution electronic records such as material documents
• Electronic or digital signatures

Other electronic record types maintain change and deletion (e.g. audit trail) information for the SAP R/3 objects mentioned above. These include:
• Change master record (Engineering Change Management)
• Change document objects
• Table logging

Change Master Record
A change master record captures the changes made to master data through SAP R/3’s Engineering Change Management (ECM) functions. Figure 2 illustrates the master data or object types that can be managed using Engineering Change Management:

Figure 2: Linked Object Types in Engineering Change Management

Change master records provide a full audit trail or change history of the master data, including the reason for change. Some people incorrectly associate this requirement with Part 11 when indeed, as discussed in comment 74 of the preamble, “the agency does not believe that Part 11 needs to require recording the reason for record changes because such a requirement, when needed, is already in place in existing regulations that pertain to the records themselves.” An example is §211.194 (b) “Complete records shall be maintained of any modification of an established method employed in testing. Such records shall include the reason for the modification …”

Change Document Object
A change document object captures changes to fields within a transaction and writes this information to a unique record. This record is date and time stamped and maintains the old and new values for each of the fields that have been changed in addition to the user ID of the person who made the change.

12
A report is run to query and display the audit trail record. These objects may be active in the shipped version of SAP or may require configuration for activation. Figure 3 illustrates a change document object record for a resource substitution within a master recipe.

Figure 3: Example Change Document Object for Master Recipe Change

Table Logging
Where change masters or change document objects do not exist, an alternative method for maintaining an audit trail is required. Activating the Log data changes flag in the technical settings of the table captures all changes made to a specific table and writes this information into a unique record maintained within the DBTABLOG table. Any transaction within SAP R/3 consists of multiple tables where the data is recorded and maintained. Therefore, to view the complete audit trail, a report is run to query and display each record associated with a specific event. The report provides all the required information for the audit trail, including system date and time stamps, and the old and new values for each of the fields that has been changed within each table. The report can also provide the full printed name of the user instead of the user ID. Figure 4 illustrates the table log record.

Table logging may affect system performance, depending on the number of records that are generated. However, table logging is only required in some instances. System configuration should be reviewed when table logging requirements have been identified.

SUBPART C – ELECTRONIC SIGNATURE

Part 11 provides requirements under which the FDA will consider electronic records equivalent to paper records and electronic signatures equivalent to traditional handwritten signatures. Part 11 does not delineate where electronic records and electronic signatures are required. Instead, the FDA specifies that these requirements are defined by the “predicate rule” such as Current Good Manufacturing Practice for Finished Pharmaceuticals (21 CFR Part 211) and Medical Devices (21 CFR Part 820). Using these two regulations as examples, the following list delineates where CGMP explicitly defines requirements for signatures. It is important to note that various other passages implicitly call for signatures, as is the case wherever the words “approved” or “approval” are used (for example, §211.100).

§ 211.182 Equipment Cleaning and Use Log
“The persons performing and double-checking the cleaning and maintenance shall date and sign or initial the log indicating that the work was performed.”

§ 211.186 Master Production and Control Records
“(a) To assure uniformity from batch to batch, master production and control records for each drug product, including each batch size thereof, shall be prepared, dated, and signed (full signature, handwritten) by one person and independently checked, dated and signed by a second person.
(b)(8) Master production and control records shall include: ... A description of the drug product containers, closures, and packaging materials including a specimen or copy of each label and all other labeling signed and dated by the persons responsible for approval of such labeling.”
Evaluation in the system Q00, client 004 on 27.02.2001 on 17:29:20 Dr. Thomas Wieczorek.
The system was able to evaluate all entered selection conditions
table logs found: 6
Change documents found: 0
Selection conditions. Table logs Data from 01.01.2001 00:00:00 to 27.02.2001 17:30:27 (time of the application host).
Last changed by Serafin
Transaction: IP02
Date Time Full name Tran tabl Name of field Old value New value Data re Table key
16.02.2001 23:18:27 George Serafin IP02 MPOS Change Indicator X changed Maintenence item: 0000000000000201;
16.02.2001 23:18:27 George Serafin IP02 MPOS Equipment number 10000014 changed Maintenence item: 0000000000000201;
16.02.2001 23:18:27 George Serafin IP02 MPOS last change on 00.00.0000 16.02.2001 changed Maintenence item: 0000000000000201;
16.02.2001 23:18:27 George Serafin IP02 MPOS Location and account assiggnment for technical object 4362 2379 changed Maintenence item: 0000000000000201;
16.02.2001 23:18:27 George Serafin IP02 MPOS Maintenance Planning Plant 1 ZWD1 changed Maintenence item: 0000000000000201;

Figure 4: Example Table Log Record for Maintenance Plan Changes Made to the MPOS Table
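
The table-logging audit trail described above can be modelled in a few lines. The following Python sketch is an added example, not SAP code and not part of the original white paper: it diffs each saved row into field-level records with old and new values, then reports every record of one event across several tables. The log layout, the function names, the tables ZPLAN_NOTE and ZSCRATCH and the sample rows are constructed assumptions; MPOS, IP02 and the user name are borrowed from Figure 4.

```python
"""Field-level audit trail in the style of table logging.
Added illustration: not SAP code; the layout and names are assumptions."""
from dataclasses import dataclass
from datetime import datetime

# Hypothetical user directory, used to print full names instead of user IDs.
FULL_NAMES = {"SERAFIN": "George Serafin"}


@dataclass(frozen=True)
class LogRecord:
    timestamp: datetime
    user_id: str
    transaction: str
    table: str
    key: str
    field: str
    old: str
    new: str
    action: str  # "created", "changed" or "deleted"


class TableLog:
    """Append-only change log. Only tables with logging switched on are captured."""

    def __init__(self, logged_tables):
        self.logged_tables = set(logged_tables)
        self._records = []

    def record_save(self, table, key, before, after, *, user_id, transaction, timestamp):
        """Diff two row images (dict, or None if the row is absent) and log each
        changed field with its old and new value. Returns the number of records."""
        if table not in self.logged_tables:
            return 0  # logging flag not set for this table: nothing is captured
        if before is None and after is None:
            raise ValueError("at least one row image is required")
        action = "created" if before is None else "deleted" if after is None else "changed"
        before, after = before or {}, after or {}
        written = 0
        for name in sorted(set(before) | set(after)):
            old, new = str(before.get(name, "")), str(after.get(name, ""))
            if old != new:
                self._records.append(LogRecord(timestamp, user_id, transaction,
                                               table, key, name, old, new, action))
                written += 1
        return written

    def audit_trail(self, *, transaction=None, user_id=None, start=None, end=None):
        """Collect the records of one event from every logged table, oldest first."""
        hits = [r for r in self._records
                if (transaction is None or r.transaction == transaction)
                and (user_id is None or r.user_id == user_id)
                and (start is None or r.timestamp >= start)
                and (end is None or r.timestamp <= end)]
        return sorted(hits, key=lambda r: (r.timestamp, r.table, r.key, r.field))


def format_report(records, full_names=FULL_NAMES):
    """Render one line per changed field, with the user's full name where known."""
    return [f"{r.timestamp:%d.%m.%Y %H:%M:%S} {full_names.get(r.user_id, r.user_id)} "
            f"{r.transaction} {r.table} {r.field}: {r.old!r} -> {r.new!r} "
            f"{r.action} [{r.key}]"
            for r in records]


def demo():
    """Constructed sample: one IP02 save that touches three tables."""
    log = TableLog(logged_tables={"MPOS", "ZPLAN_NOTE"})  # ZPLAN_NOTE, ZSCRATCH: hypothetical
    event = dict(user_id="SERAFIN", transaction="IP02",
                 timestamp=datetime(2001, 2, 16, 23, 18, 27))
    item = "0000000000000201"
    log.record_save("MPOS", item,
                    {"Location and account assignment": "4362",
                     "Maintenance Planning Plant": "ZWD1"},
                    {"Location and account assignment": "2379",
                     "Maintenance Planning Plant": "ZWD1",
                     "Equipment number": "10000014"}, **event)
    log.record_save("ZPLAN_NOTE", item, None, {"Note": "moved to line 2"}, **event)
    log.record_save("ZSCRATCH", item, {"Flag": ""}, {"Flag": "X"}, **event)  # not logged
    return log


if __name__ == "__main__":
    print("\n".join(format_report(demo().audit_trail(transaction="IP02"))))
```

The change to ZSCRATCH leaves no trace because logging was never switched on for that table, which is why the white paper asks for configuration to be reviewed once logging requirements are known.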

§ 211.188 Batch Production and Control Records
“(a) An accurate reproduction of the appropriate master production or control record, checked for accuracy, dated, and signed;”

§ 211.192 Production Record Review
“All drug product production and control records, including those for packaging and labeling, shall be reviewed and approved by the quality control unit to determine compliance with all established, approved written procedures before a batch is released or distributed.”

§ 211.194 Laboratory Records
“(a)(7) The initials or signature of the person who performs each test and the date(s) the tests were performed.
(a)(8) The initials or signature of a second person showing that the original records have been reviewed for accuracy, completeness, and compliance with established standards.”

§ 820.30 Design controls
“(c) The design input requirements shall be documented and shall be reviewed and approved by a designated individual(s). The approval, including the date and signature of the individual(s) approving the requirements, shall be documented.
(d) Design output shall be documented, reviewed, and approved before release. The approval, including the date and signature of the individual(s) approving the output, shall be documented.”

§ 820.40 Document controls
“(a) Document approval and distribution. Each manufacturer shall designate an individual(s) to review for adequacy and approve prior to issuance all documents established to meet the requirements of this part. The approval, including the date and signature of the individual(s) approving the document, shall be documented.”
“(b) Changes to documents shall be reviewed and approved by an individual(s) in the same function or organization that performed the original review and approval, unless specifically designated otherwise... Change records shall include a description of the change, identification of the affected documents, the signature of the approving individual(s), the approval date, and when the change becomes effective.”

§ 820.75 Process Validation
“(a) The validation activities and results, including the date and signature of the individual(s) approving the validation and where appropriate the major equipment validated, shall be documented.”

§ 820.80 Receiving, in-process, and finished device acceptance
“(d) Finished devices shall not be released for distribution until: (1) The activities required by the DMR are completed; (2) the associated data and documentation is reviewed; (3) the release is authorized by the signature of a designated individual(s); and (4) the authorization is dated.”
“(e) Each manufacturer shall document acceptance activities required by this part. These activities include: (1) The acceptance activities performed; (2) the dates acceptance activities are performed; (3) the results; (4) the signature of the individual(s) conducting the acceptance activities; and (5) where appropriate the equipment used.”

§ 820.90 Nonconforming product
“(b) Disposition of the nonconforming product shall be documented. Documentation shall include the justification for use of nonconforming product and the signature of the individual(s) authorizing the use.”

§ 820.120 Device Labeling
“(b) Labeling shall not be released for storage or use until a designated individual(s) has examined the labeling for accuracy including, where applicable, the correct expiration date, control number, storage instructions, handling instructions, and any additional processing instructions. The release, including the date and signature of the individual(s) performing the examination, shall be documented in the DHR.”

Note: Additional customer approval or signature requirements may be defined by their internal procedures in support of CGMP, such as approvals for approved suppliers and for new or changed user access authorization.

ELECTRONIC AND DIGITAL SIGNATURES IN SAP R/3

Electronic and digital signatures in SAP R/3 satisfy all applicable Part 11 requirements (please refer to the summary table in the section entitled “How Does SAP R/3 Comply with Part 11?”). Electronic signatures are available in SAP R/3 for the following business processes:
• Acceptance of process values outside predefined tolerance limits
• Conversion of a change request to a change order in engineering change management
• Electronic batch record (EBR) approval
• Engineering change order approval
• Process step completion within process instruction sheets
• Recording of inspection results for all quality-related processes, including goods receipt, in-process, and post-process inspection
• Usage decision (quality disposition) of inspection results

Where multiple signatures may be required, SAP R/3 provides signature strategies that define allowed signatures and the sequence in which they must be executed. Figure 5 shows how an electronic signature is created; Figure 6 is an example of the electronic record of a signature.

Figure 5: How an electronic signature is executed in SAP R/3
Op.; Local date; Local time; Global date; Global time; Signatory; F. name; L. name; CL; Signature number; SigStrat; IndivSig; AuthGr; Signature reason; Signature reason for sign.; Signature method
0010; 10/25/2000; 14:45:26; 10/25/2000; 20:45:26; SERAFIN; George; Serafin; X; 00000000032; LAB1; QM1; Inspection lot: results recording; Insp.results recorded for inspection lot 040000000656, operation 0010; System Signature with authorization by R/3 user ID/password

Figure 6: A Sample Signature Electronic Record for Results Recording

Digital Signatures
Most SAP systems are determined to be closed systems as defined by the FDA. However, e-business strategies are increasingly opening systems to the Internet, and application hosting provides a new IT paradigm that has raised significant interest in regulated industries.

Digital signatures can be substituted for electronic signatures in each of the functions described above with the addition of a complementary software package that provides the encryption technology. In this case, the user digitally signs the data using his or her own private key (using public-key technology). This mechanism is based on secure store & forward (SSF) mechanisms and requires an external security product (see the SAP Complementary Software Program; interface BC-SSF) and an installed Public Key Infrastructure (PKI). Every signer is referenced using the SSF profile. Figure 7 illustrates the execution of a digital signature in SAP R/3.

Figure 7: How a Digital Electronic Signature is Executed in SAP R/3

To ensure the integrity of signatures within an electronic system and protect against falsification and data corruption, the FDA is clear that the system must actively detect and prevent unauthorized access, including reporting these attempts to the system security unit. Indeed, in comment 133 of the preamble, the FDA equates the significance of reporting and responding to unauthorized access with how “individuals would respond to a fire alarm.” To satisfy the requirements defined in §11.300(d), SAP R/3 provides the following safeguards:

• When the number of failed attempts (for either logon or signature) is exceeded, SAP R/3 prevents the user from further access without intervention from Security Administration. Note: The number of failed attempts allowed is configurable.
• SAP R/3 generates an express mail within SAPOffice and sends it to a defined distribution list to notify Security Administration “in an immediate and urgent manner.” In addition, any MAPI-compliant messaging system can be interfaced to SAP R/3 to send this message externally to e-mail systems such as Microsoft Exchange, or even a paging system.
• An electronic record of all failed attempts (for either logon or signature) is maintained in the Security Audit Log. SAP R/3 also generates electronic records for the locking and unlocking of users.

HYBRID SYSTEMS
Where SAP does not currently provide electronic signature functionality, a hybrid system of electronic and paper documentation is required. Hybrid systems are not discussed in the Part 11 regulation, but have been acknowledged during various FDA-industry forums and conferences as a temporary means to address technological gaps. Customers are required to establish standard operating procedures to control the master records once they are approved, logging all changes, and maintaining records in compliance with records retention requirements.

CONCLUSION
Based upon the interpretation of the Part 11 rule and the functions and features discussed within this document, SAP AG believes that SAP R/3 Release 4.6C (with the Part 11 Enhancement Note For Electronic Records installed) complies with the intent and requirements of 21 CFR Part 11. Prior releases of SAP R/3 can be compliant depending on the scope of functionality implemented. In other instances, Part 11 compliance can be achieved with some customization.
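
The §11.300(d) safeguards listed earlier (blocking a user once the configurable number of failed logon or signature attempts is exceeded, urgently notifying Security Administration, and recording failed attempts, locks and unlocks) can be modelled as follows. This Python sketch is an added example, not SAP code and not part of the original white paper. The class and method names, the user names, the shared per-user counter, the reset on success and the notification hook are assumptions of the model.

```python
"""Model of the Section 11.300(d) safeguards described in the white paper.
Added illustration: not SAP code; rules marked 'assumption' are this model's own."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable


@dataclass(frozen=True)
class AuditEvent:
    when: datetime
    event: str   # failed_logon, failed_signature, user_locked, rejected_locked, user_unlocked
    user: str
    detail: str = ""


@dataclass
class AccessGuard:
    allowed_failed_attempts: int = 3               # configurable limit
    notify: Callable[[str], None] = print          # stand-in for the urgent message
    audit_log: list = field(default_factory=list)  # append-only in this model
    _failed: dict = field(default_factory=dict)
    _locked: set = field(default_factory=set)

    def _audit(self, when, event, user, detail=""):
        self.audit_log.append(AuditEvent(when, event, user, detail))

    def is_locked(self, user):
        return user in self._locked

    def attempt(self, user, kind, credentials_ok, when):
        """Process one logon or signature attempt; return True if it is accepted."""
        if kind not in ("logon", "signature"):
            raise ValueError(f"unknown attempt kind: {kind}")
        if user in self._locked:
            # A locked user stays out even with valid credentials.
            self._audit(when, "rejected_locked", user, kind)
            return False
        if credentials_ok:
            self._failed[user] = 0  # assumption: a success resets the counter
            return True
        # Assumption: logon and signature failures share one counter per user.
        count = self._failed.get(user, 0) + 1
        self._failed[user] = count
        self._audit(when, f"failed_{kind}", user, f"failure {count}")
        if count > self.allowed_failed_attempts:
            self._locked.add(user)
            self._audit(when, "user_locked", user,
                        f"limit {self.allowed_failed_attempts} exceeded")
            self.notify(f"URGENT {when:%Y-%m-%d %H:%M:%S}: user {user} locked after "
                        f"{count} failed attempts (last: {kind})")
        return False

    def unlock(self, user, admin, when):
        """Only an administrator action releases the lock; it is itself recorded."""
        if user not in self._locked:
            raise ValueError(f"{user} is not locked")
        self._locked.discard(user)
        self._failed[user] = 0
        self._audit(when, "user_unlocked", user, f"by {admin}")


def demo():
    """Replay a constructed sequence of attempts (user names are made up)."""
    alerts = []
    guard = AccessGuard(allowed_failed_attempts=2, notify=alerts.append)
    t0 = datetime(2001, 2, 27, 17, 0, 0)
    attempts = [  # (seconds after t0, user, kind, credentials_ok)
        (0, "JDOE", "logon", False),
        (5, "ASMITH", "signature", False),
        (9, "JDOE", "logon", False),
        (14, "JDOE", "logon", False),       # third failure exceeds the limit of 2
        (20, "JDOE", "logon", True),        # valid password, but the user is locked
        (30, "ASMITH", "signature", True),  # accepted; ASMITH's counter is reset
    ]
    results = [guard.attempt(u, k, ok, t0 + timedelta(seconds=s))
               for s, u, k, ok in attempts]
    guard.unlock("JDOE", admin="SECADMIN", when=t0 + timedelta(minutes=10))
    results.append(guard.attempt("JDOE", "logon", True, t0 + timedelta(minutes=11)))
    return guard, alerts, results


if __name__ == "__main__":
    guard, alerts, results = demo()
    print(results, alerts, *guard.audit_log, sep="\n")
```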
REFERENCES
European Community Guideline to GMP for Medicinal Products (1998), Annex 11, Computerized Systems
FDA Title 21 CFR Part 11 Electronic Records, Electronic Signatures: Final Rule, March 1997
FDA Title 21 CFR Parts 210, 211 Current Good Manufacturing Practice for Finished Pharmaceuticals, September, 1978
FDA Title 21 CFR Parts 808, 812, 820 Medical Devices; Current Good Manufacturing Practice (CGMP); Final Rule, October, 1996
Good Automated Manufacturing Practice (GAMP) Special Interest Group (21 CFR Part 11) Complying with 21 CFR Part 11 Electronic Records and Electronic Signatures, Final Draft, September, 2000
Parenteral Drug Association (PDA) Technical Report 32, Auditing of Suppliers Providing Computer Products and Services for Regulated Pharmaceutical Operations, October, 1999
Pharmaceutical Inspection Convention (PIC) GMP Guideline PH Guide to Good Manufacturing Practice for Medicinal Products, January, 1997
Q 7a, Final Draft Step 4 ICH Guideline Good Manufacturing Practice Guide for Active Pharmaceutical Ingredients, November, 2000
APPENDIX 1: SAP/FDA CGMP FUNCTIONALITY MATRIX FOR FINISHED PHARMACEUTICALS

SAP R/3 Modules Materials Management Warehouse Management Production Planning


Process Industries
Pharmaceutical
CGMP
21 CFR Part 211
Subpart D Equipment • Data Backup & Recovery
• Electronic/Digital Signature
• Engineering Change Management
• Process Instruction Sheets
• Resource/Equipment Mgmt.
• Security & Authorizations
• Sequence Enforcement
Subpart E • Approved Vendors List • Barcode Interface • Batch Determination
Control of Components and Drug • Barcode Interfaces • Inventory Management • Engineering Change Management
Product Containers and Closures • Batch Management • Quarantine System • Active Ingred Mgmt.
• Engineering Change Management • Container Management
• Expiration Dating
• Container Management
• Inventory Management
• Quarantine System

Subpart F • Barcode Interface • Barcode Interface • Batch Determination


Production and Process Controls • Batch Management • Inventory Management • Document Mgmt System Interface
• Engineering Change Management • Quarantine System • Electronic Batch Record
• Container Management • Container Management • Electronic/Digital Signature
• Inventory Management • Engineering Change Management
• Quarantine System • In-process Inspection
• Packing List • Order Management
• PI-PCS Interface
• Process Instruction Sheets
• Process Operator Cockpit
• Recipe Management
• Resource/Equipment Mgmt.
• Sequence Enforcement
• Statistical Process Control(SPC)
• Active Ingred. Mgmt
• Picking List
Subpart G • Barcode Interface • Barcode Interface • Batch Determination
Packaging and Labeling Control • Batch Management • Inventory Management • Document Mgmt System Interface
• Engineering Change Management • Quarantine System • Electronic Batch Record
• Expiration Dating • Container Management • Electronic/Digital Signature
• Container Management • Engineering Change Management
• Inventory Management • In-process Inspection
• Quarantine System • Label Reconciliation
• Order Management
• PI-PCS Interface
• Process Instruction Sheets
• Sequence Enforcement

Quality Management Plant Sales & Distribution
Maintenance

• Calibration • Calibration
• Electronic/Digital Signature • Engineering Change Management
• Engineering Change Management • Equipment Management
• Equipment Notifications • Logbook*
• Preventative Maintenance
• PM-PCS

• Electronic/Digital Signature
• Engineering Change Management
• Goods Receipt Inspection
• Non-conformance Reporting
• QM-IDI Interface to LIMS
• Quality Disposition
• Sample Management
• Source Inspection
• Statistical Quality Control (SQC)
• Supplier Quality Mgmt.
• Electronic/Digital Signature • Calibration
• Engineering Change Management • Engineering Change Management
• In-process Inspection • Equipment Management
• Non-conformance Reporting • Logbook*
• Post process Inspection • PM-PCS
• QM-IDI Interface to LIMS
• Quality Disposition
• Sample Management
• Statistical Process Control (SPC)
• Statistical Quality Control (SQC)

• Electronic/Digital Signature • Calibration


• Engineering Change Management • Engineering Change Management
• Goods Receipt Inspection • Equipment Management
• In-process Inspection • Logbook*
• Non-conformance Reporting
• Post-process Inspection
• Quality Disposition
• Sample Management
• Statistical Quality Control (SQC)

APPENDIX 1: SAP/FDA CGMP FUNCTIONALITY MATRIX FOR FINISHED PHARMACEUTICALS (CONTINUED)

SAP R/3 Modules Materials Management Warehouse Management Production Planning


Process Industries
Medical Devices
QSR
21 CFR Part 820
Subpart H • Barcode Interface • Barcode Interface
Holding and Distribution • Batch Management • FIFO & FEFO Removal Strategies
• Batch Where-used List • Inventory Management
• Inventory Management • Quarantine System
• Quarantine System

Subpart I
Laboratory Controls

Subpart J • Material Documents • Transfer Orders • Electronic Batch Record


Records and Reports • Batch Where-used List • Electronic/Digital Signatures
• Engineering Change Management
• Master Recipe
• Process Instruction Sheets
• Process Orders
• Order Info System
• Change Docs/Audit Trails
Subpart K • Inventory Management • Inventory Management
Returned and Salvaged Drug • Quarantine System • Quarantine System
Products

Quality Management Plant Sales & Distribution
Maintenance

• Batch Determination

• Calibration • Calibration
• Electronic/Digital Signature • Engineering Change Management
• Engineering Change Management • Equipment Management
• Equipment Management • Logbook*
• Goods Receipt Inspection
• In-process Inspection
• Inspection Methods
• Non-conformance Reporting
• Post-process Inspection
• QM-IDI Interfaces to LIMS
• Quality Disposition
• Recurring Inspection
• Sample Management
• Statistical Quality Control (SQC)
• Test Specification Mgmt
• Complaint Management • Engineering Change Management • Delivery Notes
• Electronic Digital Signatures • Logbook* • Sales Orders
• Engineering Change Management • Maintenance Orders
• Inspection Lots • Maintenance Task Lists
• Inspection Plans • Change Docs/Audit Trails
• Non-conformance Reporting
• Change Docs/Audit Trails

• Returns Inspection • Return Goods


• Complaint Management • Authorization
• QM-IDI Interface to LIMS
• Electronic/Digital Signature
• Quality Disposition
• Statistical Quality Control (SQC)

APPENDIX 2: SAP/FDA CGMP FUNCTIONALITY MATRIX FOR MEDICAL DEVICES

SAP R/3 Modules Materials Warehouse Production Planning


Management Management
Medical Device Production Planning
QSR Process Industries
21 CFR Part 820
Subpart C • Bills of Materials • Electronic/Digital Signature
Design Controls • Electronic/Digital Signature • Engineering Change Management
• Engineering Change Management • Master Recipe
• Material Master Records • Process Instruction Sheets
• Routings
• Statistical Process Control (SPC)

Subpart D • Document Mgmt. System Interface • Document Mgmt System Interface


Document Controls • Engineering Change Management • Engineering Change Management

Subpart E • Approved Vendor List


Purchasing Controls

Subpart F • Barcode Interfaces • Barcode Interface • Electronic Batch Record


Identification and Traceability • Batch Management • Inventory Management
• Batch Where-used List • Quarantine System
• Expiration Dating
• Inventory Management
• Quarantine System
• Serial Number Management
Subpart G • Barcode Interface • Barcode Interface • Batch Determination
Production and Process Controls • Batch Management • Inventory Management • Document Mgmt. System Interface
• Engineering Change Management • Quarantine System • Electronic Batch Record
• Inventory Management • Electronic/Digital Signature
• Picking List • Engineering Change Management
• Quarantine System • In-process Inspection
• Serial Number Management • Order Management
• PI-PCS Interface
• Process Instruction Sheets
• Process Operator Cockpit
• Recipe Management
• Resource/Equipment Mgmt.
• Sequence Enforcement
• Statistical Process Control (SPC)

Quality Management Plant Sales & Distribution
Maintenance

• Electronic/Digital Signature
• In-process Inspection
• Non-conformance Reporting
• Post-process Inspection
• QM-IDI Interface to LIMS
• Quality Disposition
• Statistical Process Control (SPC)
• Statistical Quality Control (SQC)

• Document Mgmt System Interface • Document Mgmt System Interface


• Engineering Change Management • Engineering Change Management

• Electronic/Digital Signature
• Engineering Change Management
• Quality Information Records
• Quality Notifications
• Supplier Quality Management

• Calibration • Calibration
• Electronic/Digital Signature • Engineering Change Management
• Engineering Change Management • Equipment Management
• Equipment Management • Logbook*
• In-process Inspection • Preventative Maintenance
• Non-conformance Reporting
• Post-process Inspection
• QM-IDI Interface to LIMS
• Sample Management
• Statistical Process Control (SPC)
• Statistical Quality Control (SQC)

APPENDIX 2: SAP/FDA CGMP FUNCTIONALITY MATRIX FOR MEDICAL DEVICES (CONTINUED)

SAP R/3 Modules Materials Warehouse Production Planning


Management Management
Production Planning
Medical Devices Process Industries
QSR
21 CFR Part 820
Subpart H
Acceptance Activities

Subpart I • Batch Management • Inventory Management • Electronic Batch Record


Nonconforming Product • Inventory Management • Quarantine System • Rework Orders
• Quarantine System

Subpart J • Inventory Management • Inventory Management


Corrective and Preventative Action • Quarantine System • Quarantine System

Subpart K • Barcode Interface • Barcode Interface • Batch Determination


Labeling and Packaging Control • Batch Management • Inventory Management • Document Mgmt System Interface
• Engineering Change Management • Quarantine System • Electronic Batch Record
• Expiration Dating • Electronic/Digital Signature
• Handling Unit Management • Engineering Change Management
• Inventory Management • In-process Inspection
• Quarantine System • Label Reconciliation
• Order Management
• PI-PCS Interface
• Process Instruction Sheets
• Sequence Enforcement

Quality Management Plant Sales & Distribution
Maintenance

• Electronic/Digital Signature
• Engineering Change Management
• Goods Receipt Inspection
• In-process Inspection
• Inspection Methods
• Non-conformance Reporting
• Post-process Inspection
• QM-IDI Interface to LIMS
• Quality Disposition
• Sample Management
• Source Inspection
• Statistical Quality Control (SQC)
• Test Specification Mgmt.
• Electronic/Digital Signature
• Non-conformance Reporting
• Quality Disposition
• Quality Inspection
• Complaint Management • Return Goods Authorization
• Electronic/Digital Signature
• Non-Conformance Reporting
• QM-IDI Interface to LIMS
• Quality Disposition
• Returns Inspection
• Statistical Quality Control (SQC)
• Electronic/Digital Signature • Calibration
• Engineering Change Management • Engineering Change Management
• Goods Receipt Inspection • Equipment Management
• In-process Inspection • Logbook*
• Non-conformance Reporting
• Post-process Inspection
• Quality Disposition
• Sample Management
• Statistical Quality Control (SQC)

APPENDIX 2: SAP/FDA CGMP FUNCTIONALITY MATRIX FOR MEDICAL DEVICES (CONTINUED)

SAP R/3 Modules Materials Warehouse Production Planning


Management Management
Medical Devices Production Planning
QSR Process Industries
21 CFR Part 820
Subpart L • Barcode Interface • Barcode Interface
Handling, Storage, Distribution and • Batch Management • FIFO & FEFO Removal Strategies
Installation • Batch Where-used List • Inventory Management
• Inventory Management • Quarantine System
• Quarantine System

Subpart M • Bills of Materials • Transfer Orders • Electronic Batch Record


Records • Material Documents • Electronic/Digital Signatures
• Engineering Change Management
• Master Recipe
• Process Instruction Sheets
• Process Orders
• Production Orders
• Routing
Subpart N
Servicing
Subpart O Statistical Process Control (SPC)
Statistical
Techniques

Quality Management Plant Sales & Distribution
Maintenance

• Installation Inspection • Equipment Management • Batch Determination


• Delivery Notes
• Sales Orders

• Complaint Management • Engineering Change Management • Delivery Notes


• Electronic/Digital Signatures • Logbook* • Sales Orders
• Engineering Change Management • Maintenance Orders
• Inspection Lots • Maintenance Task Lists
• Inspection Plans
• Non-conformance Reporting

• Service Inspection • Service Management

• QM-STI Statistical Interface


• Sample Management
• Statistical Process Control (SPC)
• Statistical Quality Control (SQC)

APPENDIX 3: FDA CGMP CRITICAL TRANSACTIONS LIST FOR NEGATIVE TESTING OF SECURITY PROFILES

1. COR1 Create Process Order With Material


2. COR2 Change Process Order
3. ME01 Maintain Source List
4. MM01 Create Material
5. MM02 Change Material
6. MMDE Delete All Materials
7. MSC1 Create Batch
8. MSC2 Change Batch
9. QA02 Change Inspection Lot
10. QA08 Mass Change of QM Inspection Data
11. QA11 Record Usage Decision
12. QA12 Change Usage Decision
13. QA14 Change Usage Decision Without History
14. QA16 Collective Usage Decision For OK Lots
15. QA32 Inspection Lot Selection
16. QAC1 Correct Actual Quantity In Insp Lot
17. QAC2 Transfer Insp. Lot Quant.
18. QAC3 Insp. Lot - Reset Sample Calculation
19. QE01 Record Results
20. QE02 Change Results
21. QE51 Worklist: Results Recording
22. QM01 Create Quality Notification
23. QM02 Change Quality Notification
24. QVM1 Inspection Lots Without Inspection Completion
25. QVM2 Inspection Lots With Open Quantities
26. QVM3 Inspection Lots Without Usage Decision
27. SE38 Execute Program

APPENDIX 4: COMPLIANCE SUMMARY TABLE OF EC AND PIC GMP GUIDELINES FOR PART 11 REQUIREMENTS

EC GMP Guideline / PIC GMP Guideline PH 1/97 Section | Comments
Personnel 1 | This guideline is comparable to clause 11.10(i) in Part 11.
Validation 2. | Validation is a procedural requirement for customers and is not related to the functions or capabilities of SAP R/3. The SAP Horizon quality management system describes those phases of the software life cycle involved in developing and maintaining SAP software. SAP R/3 has been developed according to a formally recognized software development life cycle and has maintained ISO 9001 certification since 1994. ISO 9001 requirements cover the development, production, sales, and maintenance of products and services. This is comparable to clauses 11.10(e) and 11.10(k) in Part 11.
System 3. | This section is a procedural requirement for customers and is not related to the functions or capabilities of SAP R/3.
System 4. | This section is a procedural requirement for customers and is not related to the functions or capabilities of SAP R/3.
System 5. | The SAP Horizon quality management system describes those phases of the software life cycle involved in developing and maintaining SAP software. SAP R/3 has been developed according to a formally recognized software development life cycle and has maintained ISO 9001 certification since 1994. ISO 9001 requirements cover the development, production, sales, and maintenance of products and services.
System 6. | SAP R/3 complies with these requirements. For example, SAP R/3 posts warnings when users enter aberrant data, such as results recording in QM or recording process data in process instruction sheets. The user is then prompted to confirm entry of this data before it is accepted. This is comparable to clause 11.10(h). Otherwise, this is a procedural requirement for customers and is not related to the functions or capabilities of SAP R/3.
System 7. | This section is a procedural requirement for customers and is not related to the functions or capabilities of SAP R/3.
System 8. | This section is comparable to clauses 11.10(d), 11.10(e), and 11.10(g) in Part 11.
System 9. | See System 6 and clause 11.10(f).
System 10. | This section is comparable to clauses 11.10(a), 11.10(e), and 11.50(a)(b) in Part 11.
System 11. | This section is a procedural requirement for customers and is not related to the functions or capabilities of SAP R/3.
System 12. | This section is comparable to clause 11.10(b) in Part 11.
System 13. | This section concerns physical properties that are procedural requirements for customers and is not related to the functions or capabilities of SAP R/3. It is comparable to clauses 11.10(c) and 11.70 in Part 11.
System 14. | This section is a procedural requirement for customers and is not related to the functions or capabilities of SAP R/3.
System 15. | This section is a procedural requirement for customers and is not related to the functions or capabilities of SAP R/3.
System 16. | This section is a procedural requirement for customers and is not related to the functions or capabilities of SAP R/3.
System 17. | This section concerns the Horizon quality management system for SAP R/3 and is comparable to clauses 11.10(e) and 11.10(k). Otherwise, it is a procedural requirement for customers and is not related to the functions or capabilities of SAP R/3.
System 18. | This section is a procedural requirement for customers and is not related to the functions or capabilities of SAP R/3.
System 19. | This section is comparable to clauses 11.10(d), 11.10(g), and 11.50(a) in Part 11.

APPENDIX 5: COMPLIANCE SUMMARY TABLE OF Q 7A ICH GUIDELINE FOR PART 11 REQUIREMENTS

Q 7a ICH Guideline | Comment
5.40 | Validation is a procedural requirement for customers that is not related to the functions or capabilities of SAP R/3. The SAP Horizon quality management system describes those phases of the software life cycle that are involved in developing and maintaining SAP software. SAP R/3 has been developed according to a formally recognized software development life cycle and has maintained ISO 9001 certification since 1994. ISO 9001 requirements cover the development, production, sales, and maintenance of products and services. This guideline is comparable to clauses 11.10(e) and 11.10(k) in Part 11.
5.41 | The SAP Horizon quality management system describes those phases of the software life cycle involved in developing and maintaining SAP software. SAP R/3 has been developed according to a formally recognized software development life cycle and has maintained ISO 9001 certification since 1994. ISO 9001 requirements cover the development, production, sales, and maintenance of products and services.
5.42 | This section is a procedural requirement for customers and is not related to the functions or capabilities of SAP R/3.
5.43 | This section is comparable to clauses 11.10(c), 11.10(d), 11.10(e), 11.10(g), 11.50(a)(b), and 11.70 in Part 11.
5.44 | This section is comparable to clauses 11.10(i) and 11.10(k) in Part 11.
5.45 | SAP R/3 posts warnings when users enter aberrant data, such as results recording in QM or the recording of process data in process instruction sheets. SAP R/3 then prompts the user to confirm entry of this data before it is accepted. This guideline is comparable to clauses 11.10(f) and 11.10(h) in Part 11.
5.46 | This section is comparable to clauses 11.10(a), 11.10(b), 11.10(c), and 11.10(e) in Part 11.
5.47 | This is a procedural requirement for customers and is not related to the functions or capabilities of SAP R/3.
5.48 | This section is comparable to 11.10(c). Otherwise, it is a procedural requirement for customers and is not related to the functions or capabilities of SAP R/3.
5.49 | This section is a procedural requirement for customers and is not related to the functions or capabilities of SAP R/3.


SAP AG
Neurottstraße 16
69190 Walldorf
Germany
T +49/1805/34 34 24
F +49/1805/34 34 20
www.sap.com

50 050 628 (01/11/13) Printed on environmentally friendly paper.
