Professional Documents
Culture Documents
Disclaimer
Compliance with this regulation is based solely upon the interpretation of this rule by SAP AG and in no way expresses the recogni-
tion, consent, or certification of SAP software by the United States Food and Drug Administration. SAP's claim of compliance to 21
CFR Part 11 is in reference to SAP R/3 Release 4.6C exclusively (with the U.S. FDA 21 CFR Part 11 Enhancement for Electronic Records
installed). It is the sole responsibility of the customer - not SAP AG -, to demonstrate compliance with all applicable regulations. Sug-
gestions and recommendations described within this document are intended to provide useful information and guidance to
customers.
2
CONTENTS
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
– U.S. Food and Drug Administration (FDA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
– 21 CFR Part 11 Electronic Records, Electronic Signatures; Final Rule . . . . . . . . . . . . . . . . . . . . . 5
Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Appendix 1: SAP/FDA CGMP Functionality Matrix for Finished Pharmaceuticals . . . . . . . . . . . . . 20
Appendix 1: SAP/FDA CGMP Functionality Matrix for Finished Pharmaceuticals (continued) . . 22
Appendix 2: SAP/FDA CGMP Functionality Matrix for Medical Devices . . . . . . . . . . . . . . . . . . . . . 24
Appendix 2: SAP/FDA CGMP Functionality Matrix for Medical Devices (continued) . . . . . . . . . . 26
Appendix 2: SAP/FDA CGMP Functionality Matrix for Medical Devices (continued) . . . . . . . . . . 28
Appendix 3: FDA CGMP Critical Transactions List for Negative Testing of Security Profiles . . . . . 30
Appendix 4: Compliance Summary Table of EC and PIC GMP Guidelines for
Part 11 Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Appendix 5: Compliance Summary Table of Q 7a ICH Guideline for Part 11 Requirements. . . . . 32
3
4
INTRODUCTION
OVERVIEW Compliance with FDA regulations is a market requirement. In
The purpose of this document is to describe the functions and addition, products require FDA approval before they can be
features of SAP R/3 Release 4.6C that (in the opinion of SAP marketed or sold in the U.S. Non-compliance with any of the
AG) demonstrate compliance with U.S. FDA 21 CFR Part 11 laws enforced by the FDA can be very costly in the form of
Electronic Records Electronic Signatures; Final Rule. This doc- recalls and legal sanctions such as import detentions. When
ument provides background information about the regulation, warranted, the FDA seeks criminal penalties, including prison
discusses how SAP R/3 complies with this rule, and provides sentences, against manufacturers and distributors.
examples of electronic records and signatures within SAP R/3.
In addition, several European Good Manufacturing Practice 21 CFR Part 11 Electronic Records Electronic Signatures;
(GMP) guidelines having similar 21 CFR Part 11 requirements Final Rule
are discussed. The functions and features described within this The U.S. FDA regulation 21 CFR Part 11 Electronic Records
document apply only to SAP R/3 Release 4.6C with the U.S. Electronic Signatures; Final Rule (which we will refer to simply
FDA 21 CFR Part 11 Enhancement for Electronic Records as Part 11) was the result of a five-year effort by the FDA (with
installed. However, prior releases can be compliant depending input from industry) to supply all FDA-regulated companies
on the scope of functions implemented. In other instances, Part with requirements on how paperless (e.g. electronic) record
11 compliance can still be achieved with some customization. systems could be maintained while still complying with Good
Clinical, Laboratory, and Manufacturing Practices (GxP). The
BACKGROUND regulation also details very specific requirements for electronic
U.S. Food and Drug Administration (FDA) and digital signatures because the FDA considers these
The U.S. Food and Drug Administration (FDA) is a public signatures to be legally binding.
health agency that is charged with protecting American con-
sumers by enforcing the U.S. Federal Food, Drug, and Cosmetic Since its publication more than three years ago, this regulation
Act and other related public health laws. The FDA regulates has been subject to evolving interpretations both by the FDA
over $1 trillion U.S. dollars worth of products, which account and industry. Most SAP customers took a wait and see position
for 25 cents of every dollar spent annually within the United toward FDA interpretation and enforcement until May, 1999
States. These products include: when the FDA published Compliance Policy Guide Section
• Food for human and animal consumption 160.850 titled Enforcement Policy: 21 CFR Part 11; Electronic
• Pharmaceuticals consisting of ethical, generic, and over-the- Records; Electronic Signatures (CPG 7153.17). The enforcement
counter (OTC) drugs for human use as well as medicines for policy describes the FDA’s approach to enforcing the Part 11
animals regulation in addition to detailing the following expectations
• Biological and related products including blood, vaccines, and concerns of all regulated businesses. The FDA’s expecta-
and biological therapeutics tions include the following:
• Medical devices • The FDA expects that companies using computer systems
• Radiation-emitting devices such as microwaves will begin taking steps to achieve full compliance. As
• Cosmetics explained in the preamble to the final rule, Part 11 does not
The FDA monitors the manufacture, import, transport, grandfather any systems. This means that all systems must
storage, and sale of these products by some 95,000 FDA-regulat- comply or be replaced.
ed businesses in the United States alone and several thousand • The FDA expects that Part 11 requirements for procedural
international organizations that conduct business in the U.S. controls will already be in place.
5
DISCUSSION OF 21 CFR
PART 11 RULE
• The FDA recognizes that technology-based controls may take This section has four parts: a summary table that describes
longer to install in older systems. clause-by-clause how SAP R/3 Release 4.6C complies with the
Part 11 rule, followed by discussion of key requirements for
The FDA concerns detailed in the policy are: each subpart A, B, and C of the regulation.
• Failure to secure files from alteration, erasure, or data loss
• Failure to secure access HOW DOES SAP R/3 COMPLY WITH PART 11?
• Functions that allow uncontrolled modifications, deletions, The following table summarizes how SAP R/3 complies with
or partial deletions of data files each requirement of Part 11.
6
Comments
11.10(k) The SAP R/3 document management system, which is part of SAP Product Lifecycle Management (SAP PLM), can
provide controls over the distribution, access, and use of documentation for system operation and maintenance. In
addition, SAP R/3 maintains the electronic records (an audit trail) for revision and change control according to clause
11.10(e). Use of SAP online documentation and the SAP Knowledge Warehouse requires procedural controls by
customers to ensure compliance with this clause.
11.30 For open systems, SAP R/3 supports interfaces with complementary software partners that supply cryptographic
methods such as public key infrastructure (PKI) technology. Digital signatures can be executed in each function
where an electronic signature currently exists.
11.50(a) Electronic signature records within SAP R/3 contain the following information:
• The printed name of the signer
• The date and time when the signature was executed, including the local date and time for the signer when multiple
time zones are involved (see comment 101 in the preamble of Part 11)
• The meaning (such as review, approval, responsibility, or authorship) associated with the signature
SAP R/3 automatically records the meaning associated with the signature with standard descriptions of the activity the
signature performed (inspection lot approval, results recording, and so on). In addition, customers can use the
comment f ield to expand or clarify the meaning of the signature.
11.50(b) Electronic signature records are maintained in the same manner as all electronic records and can be displayed or
printed in a human readable format.
11.70 Electronic records of signatures are permanently linked to the executed electronic record. This link cannot be
removed, copied, or transferred to falsify other electronic records by any ordinary means. As stated previously, this
link remains when the electronic records are archived.
11.100(a) SAP R/3 user and security administration provides robust system checks and conf igurable security procedures to
establish and maintain a unique signature for each individual, including the prevention of reallocation of a signature
and deletion of information relating to the electronic signature once it has been used.
11.100(b) This clause covers a procedural requirement for customers and is not related to the functions or capabilities
of SAP R/3.
11.100(c) This clause covers a procedural requirement for customers and is not related to the functions or capabilities
of SAP R/3.
11.200(a)(1) SAP R/3 requires two distinct components – a user ID and a password – to perform each and every electronic
signature. By design, SAP R/3 does not support continuous sessions where only a single component is necessary
subsequent to the f irst signing.
11.200(a)(2) This clause covers a procedural requirement for customers and is not related to the functions or capabilities
of SAP R/3.
11.200(a)(3) SAP R/3 user and security administration functions ensure that the attempted use of an individual‘s electronic
signature other than the genuine owner requires the collaboration of two or more individuals.
11.200(b) SAP R/3 provides a certif ied interface to biometric devices such as f ingerprint and retinal scanning devices. Look for
certif ied vendors in the SAP Complementary Software Program™
7
Part 11 Clause Comments
11.300(a) SAP R/3 user and security administration provide the necessary controls to ensure that no two individuals have the same
combination of identif ication code (user id) and password.
11.300(b) SAP R/3 can be conf igured to force users to change passwords at various intervals and it provides system checks to prevent users
from repeating passwords or using combinations of alphanumeric characters that are included in the user ID. User IDs can also
be invalidated, for example, when an employee leaves the company.
11.300(c) This clause covers a procedural requirement for customers and is not related to the functions or capabilities of SAP R/3 .
11.300(d) SAP R/3 provides the following features to satisfy 11.300(d):
• When the number of failed attempts (for either logon or signature) is exceeded, SAP R/3 prevents the user from further access
without intervention from Security Administration. Note: The number of failed attempts allowed is conf igurable.
• SAP R/3 generates an express mail within SAPOff ice and sends it to a def ined distribution list to notify Security Administration
“in an immediate and urgent manner.” In addition, any MAPI-compliant messaging system can be interfaced to SAP R/3 to send
this message externally to e-mail systems such as Microsoft Exchange, or even a paging system.
• An electronic record of all failed attempts (for either logon or signature) is maintained in the Security Audit Log. SAP R/3
also generates electronic records for the locking and unlocking of users.
11.300(e) This clause covers a procedural requirement for customers and is not related to the functions or capabilities of SAP R/3.
HOW DOES SAP R/3 COMPLY WITH OTHER GMP “When this topic was adopted, the Steering Committee took
GUIDELINES WITH SIMILAR PART 11 REQUIREMENTS? steps to ensure that due account was taken of the work already
Outside of the U.S., other guidelines exist for Good Manufac- in progress by PIC/S, FDA and other parties. In view of the
turing Practice, electronic records, and electronic signatures. unusually wide implications of this topic, a much extended
These guidelines include: EWG has been taken established which includes, in addition to
• European Community Guideline to GMP for Medicinal the six ICH parties and the Observers, experts representing
Products (1998), Annex 11, Computerised Systems “Whereas IGPA (generics industry), WSMI (self medication industry) and
all medicinal products for human use manufactured or PIUC/S. With respect to the latter, representatives from China,
imported into the Community, including medicinal products India and Australia have been invited to participate.”
intended for export, should be manufactured in accordance
with the principles and guidelines of good manufacturing Appendices 4 and 5 provide summary tables that describe how
practice.” SAP R/3 complies with each of these guidelines in comparison
• Pharmaceutical Inspection Convention (PIC) GMP Guideline to the Part 11 rule.
PH 1/97 Guide to Good Manufacturing Practice for Medicinal
Products GMP-Guideline for PIC member states. Implementation (Step 5):
• Q 7a, Final Draft Step 4 (November, 2000) International EU (European Union): Adopted by CPMP (Committee for Proprietary
Medicinal Products), November 2000, issued as CPMP/ICH/4106/00
Conference on Harmonization of Technical Requirements
MHW (Ministry of Health and Welfare Japan): to be notified
for Registration of Pharmaceuticals for Human Use (ICH) FDA: to be notified
Guideline Good Manufacturing Practice Guide for Active
Pharmaceutical Ingredients
8
SUBPART A – GENERAL PROVISIONS Software Quality
What SAP R/3 Functionality May Be Regulated? SAP R/3 has been developed according to a formally recognized
FDA regulations encompass many SAP R/3 functions. The only software development life cycle and has maintained ISO 9001
functional areas that may be completely excluded from the certification since 1994. SAP Development and Horizon soft-
FDA scope are finance (for example, Financial Accounting, ware quality management program is audited numerous times
Controlling, and Asset Management) and planning (for exam- each year by individual companies as well as industry groups
ple, Demand Management, Forecasting, Profitability Analysis, such as the Pharmaceutical Validation Group (PVG). In addi-
and Sales and Operations Planning). Any functional area that is tion, SAP is a member of the Audit Repository Center (ARC),
FDA or GxP-relevant must comply with Part 11 based upon the which has been licensed by the U.S. Parenteral Drug
predicate rule. This includes: Association (PDA) to manage the reports of audits performed
• Human Resources (HR) (training information) according to standardized processes for the suppliers of
• Materials Management (MM) computer products and services. This process is described in
• Plant Maintenance (PM) further detail in PDA Technical Report #32. The first reposito-
• Production Planning (PP) ry audit of SAP development will be available to subscribing
• Production Planning Process Industries (PP-PI) members in the second half of 2001.
• Quality Management (QM)
• Sales and Distribution (SD) It must be recognized that this information provides only
• Warehouse Management (WM) assurance of the quality systems of the software supplier and
the development of SAP R/3. Pursuant to FDA’s general princi-
In addition, central functions such as Classification, Engineer- ple of validation and given the fact that SAP is a highly config-
ing Change Management, and Document Management are also urable software solution, the SAP R/3 configuration must
included. For additional information, Appendices 1 and 2 con- be validated according to predetermined business
tain the SAP / FDA Current Good Manufacturing Practice requirements. Therefore, to establish documentary evidence
(CGMP) Functionality Matrix for both pharmaceuticals and that provides a high degree of assurance that the configured
medical devices. These matrices illustrate how SAP R/3 pro- system performs as intended, a validation methodology as part
motes compliance to these regulations and provides guidance of a recognized software development life cycle (SDLC) must be
as to what functionality (and electronic records) may be regu- deployed.
lated by the FDA.
9
Figure 1: Enhanced V-Model Highlighting the ASAP Methodology and Available SAP Tools
Validation of SAP R/3 in an FDA-Regulated Environment Validation Approach to Achieve Part 11 Compliance
Figure 1 shows a high-level representation of this methodology. Key activities necessary to validate SAP R/3 in compliance with
The “V-model” is a high-level concept illustration first intro- Part 11 are:
duced by the Good Automated Manufacturing Practice • Define Part 11 requirements in:
(GAMP) Forum that was established by representatives from – Validation Master Plan (VMP)
major international companies to interpret and improve – Operational Qualification (OQ)
understanding of regulations for the development, implemen- • Conduct GxP assessment
tation, and use of automated systems in pharmaceutical manu- – Determine GxP-relevant business processes and R/3 Objects
facturing. This “V-model” has been enhanced to more closely – GxP relevance can be determined at the transaction, object,
represent the AcceleratedSAP (ASAP) methodology, but it or field level
remains consistent with the formally recognized software • Configure software to activate complete audit trails and elec-
development life cycle. tronic signatures
• Develop security authorizations according to software devel-
opment life cycle (SDLC)
10
– Establish functional requirements specification for job Examples include a process order versus a planned order or a
roles resource versus a capacity. However, this approach increases the
– Use the Business Process Master List (BPML) as the only amount of required configuration and can potentially affect
source of authorization profile development. This ensures system performance.
that unused, non-validated business processes within SAP
R/3 are effectively blocked from unauthorized access GxP assessment at the field level requires less configuration and
– Profiles should be managed similar to configuration in does not affect system performance. However, this approach
regard to change control and SAP R/3 Transport Manage- potentially increases the risk of challenges to the systems com-
ment pliance. Establishing GxP relevance at the field level increases
• System testing the granularity to which SAP R/3 can be scrutinized – poten-
– Create test objectives to demonstrate 21 CFR Part 11 com- tially invoking challenges field by field within transactions and
pliance for each relevant clause of the regulation (for master data objects.
example, §11.10 (b) challenges the creation of an accurate
and complete electronic record) Additional written justification is required to clearly explain
– System testing of profiles should include negative testing the assessment of why certain fields are not GxP relevant. This
of business critical transactions (for example, CGMP). See approach can also be challenged with the technical argument
Appendix 3 for a suggested list of CGMP-critical that SAP’s integrated infrastructure maintains both GxP and
transactions non-GxP data within the same database tables and business
• Training processes. Therefore, all data within these tables and trans-
– Ideally, Users Should Be Trained For All Transactions actions are subject to the same level of control to protect the
Within Their Profile(s) (ref. §11.10 (i)) integrity of the GxP data.
It is important to recognize the impact of the interpretation of With respect to security and training, it is important to recog-
§11.10 (b), specifically the word “complete,” as it pertains to nize the intent of §11.10 (i) is to ensure that persons have the
electronic records generated in SAP R/3. To identify where Part wherewithal to competently execute and complete all of their
11 applies, a GxP assessment must be performed. Before con- assigned tasks. A potential compliance issue is the interpre-
ducting this assessment, however, a strategy must be established tation of “assigned tasks” and how job roles and authorizations
defining at what level relevance to GxP will be assigned – the may be developed and assigned within SAP R/3. As part of their
transaction or object level (for example, process order, material assigned job role within SAP R/3, employees may have authori-
master, etc.) or at the field level (for example, order quantity, zation for various transactions that they themselves do not use,
but not scheduling margin key for process order). This strategy but are included for other persons with the same assigned job
is directly related to how the term “complete” is interpreted – role that require these authorizations. Therefore, a person may
either all the data contained within the transaction or object have authorization for transactions or “tasks” that have been
itself or only the data determined to be GxP relevant. assigned to their job profile, but for which they have not been
It is important to understand the impact of each approach both trained.
from a compliance and system performance perspective. GxP
relevance at the object level may significantly reduce the risk of
potential challenges to the systems compliance because the
boundaries of GxP and non-GxP are more clearly defined.
11
Electronic Records
The FDA defines an electronic record as
“Any combination of text, graphics, data,
audio, pictorial, or other information repre-
sentation in digital form that is created,
modified, maintained, archived, retrieved, or
distributed by a computer system.” Applying
this comprehensive definition to SAP R/3,
there are various types of electronic records,
such as:
• Configuration within the Implementation
Guide (IMG)
• Transports and business configuration sets
used to migrate configuration from one
system to another
• Master data such as the material master,
vendor, resource, recipe, and customer
• Business processing objects such as
purchase orders, process orders, and
inspection lots Figure 2: Linked Object Types in Engineering Change Management
• Business process or transaction execution electronic records
such as material documents Change master records provide a full audit trail or change his-
• Electronic or digital signatures tory of the master data, including the reason for change. Some
people incorrectly associate this requirement with Part 11 when
Other electronic record types maintain change and deletion indeed, as discussed in comment 74 of the preamble, “the agen-
(e. g. audit trail) information for the SAP R/3 objects cy does not believe that Part 11 needs to require recording the
mentioned above. These include: reason for record changes because such a requirement, when
needed, is already in place in existing regulations that pertain to
• Change master record (Engineering Change Management) the records themselves.” An example is §211.194 (b) “Complete
• Change document objects records shall be maintained of any modification of an estab-
• Table logging lished method employed in testing. Such records shall include
the reason for the modification …”
Change Master Record
A change master record captures the changes made to master Change Document Object
data through SAP R/3’s Engineering Change Management A change document object captures changes to fields within a
(ECM) functions. Figure 2 illustrates the master data or object transaction and writes this information to a unique record.
types that can be managed using Engineering Change Manage- This record is date and time stamped and maintains the old and
ment: new values for each of the fields that have been changed in
addition to the user ID of the person who made the change.
12
A report is run to query and display the audit trail record. Table logging may affect system performance, depending on
These objects may be active in the shipped version of SAP or the number of records that generated. However, table logging is
may require configuration for activation. Figure 3 illustrates a only required in some instances. System configuration should
change document object record for a resource substitution be reviewed when table logging requirements have been identi-
within a master recipe. fied.
13
Evaluation in the system Q00, client 004 on 27.02.2001 on 17:29:20 Dr. Thomas Wieczorek.
The system was able to evaluate all entered selection conditions table logs found: 6Change documents found: 0Selection
conditions. Table logs Data from 01.01.2001 00:00:00 to 27.02.2001 17:30:27 (time of the application host).
Last changed by Seraf inTransaction: IP02
Date Time Full name Tran tabl Name of Old value New value Data re Table key
f ield
16.02.2001 23:18:27 George Seraf in IP02 MPOS Change X changed Maintenence item:
Indicator 0000000000000201;
16.02.2001 23:18:27 George Seraf in IP02 MPOS Equipment 10000014 changed Maintenence item:
number 0000000000000201;
16.02.2001 23:18:27 George Seraf in IP02 MPOS last change 00.00.0000 16.02.2001 changed Maintenence item:
on 0000000000000201;
16.02.2001 23:18:27 George Seraf in IP02 MPOS Location and 4362 2379 changed Maintenence item:
account 0000000000000201;
assiggnment
for technical
object
16.02.2001 23:18:27 George Seraf in IP02 MPOS Maintenance 1 ZWD1 changed Maintenence item:
Planning 0000000000000201;
Plant
Figure 4: Example Table Log Record for Maintenance Plan Changes Made to the MPOS Table
14
ignated otherwise... Change records shall include a description Note: Additional customer approval or signature requirements
of the change, identification of the affected documents, the sig- may be defined by their internal procedures in support of
nature of the approving individual(s), the approval date, and CGMP, such as approvals for approved suppliers and for new or
when the change becomes effective.” changed user access authorization.”
15
Op. Local date Local time Global date Global time Signatory F. name L. name CL Signature SigStrat IndivSig AuthGr Signature Signature Signature
number reason reason for method
sign.
0010 10/25/2000 14:45:26 10/25/2000 20:45:26 SERAFIN George Seraf in X 00000000032 LAB1 QM1 Inspection Insp.results System
lot: recorded for Signature
results inspection with
recording lot authorization
040000000656, by R/3 user
operation ID/password
0010
Figure 6: A Sample Signature Electronic Record for Results Recording • When the number of failed attempts (for either logon or sig-
nature) is exceeded, SAP R/3 prevents the user from further
Digital Signatures access without intervention from Security Administration.
Most SAP systems are determined to be closed systems as Note: The number of failed attempts allowed is configurable.
defined by the FDA. However, e-business strategies are increas-
ingly opening systems to the Internet, and application hosting
provides a new IT paradigm that has raised significant interest
in regulated industries.
16
CONCLUSION
• SAP R/3 generates an express mail within SAPOffice and sends Based upon the interpretation of the Part 11 rule and the func-
it to a defined distribution list to notify Security Adminis- tions and features discussed within this document, SAP AG
tration “in an immediate and urgent manner.” In addition, believes that SAP R/3 Release 4.6C (with the Part 11 Enhanc-
any MAPI-compliant messaging system can be interfaced to ement Note For Electronic Records installed) complies with the
SAP R/3 to send this message externally to e-mail systems intent and requirements of 21 CFR Part 11. Prior releases of SAP
such as Microsoft Exchange, or even a paging system. R/3 can be compliant depending on the scope of functionality
• An electronic record of all failed attempts (for either logon or implemented. In other instances, Part 11 compliance can be
signature) is maintained in the Security Audit Log. SAP R/3 achieved with some customization.
also generates electronic records for the locking and unlock-
ing of users.
HYBRID SYSTEMS
Where SAP does not currently provide electronic signature
functionality, a hybrid system of electronic and paper doc-
umentation is required. Hybrid systems are not discussed in the
Part 11 regulation, but have been acknowledged during various
FDA-industry forums and conferences as a temporary means to
address technological gaps. Customers are required to establish
standard operating procedures to control the master records
once they are approved, logging all changes, and maintaining
records in compliance with records retention requirements.
17
REFERENCES
European Community Guideline to GMP for Medicinal Prod-
ucts (1998), Annex 11, Computerized Systems
FDA Title 21 CFR Part 11 Electronic Records, Electronic Signa-
tures: Final Rule, March 1997
FDA Title 21 CFR Parts 808, 812, 820 Medical Devices; Current
Good Manufacturing Practice (CGMP); Final Rule, October,
1996
Good Automated Manufacturing Practice (GAMP) Special
Interest Group (21 CFR Part 11) Complying with 21 CFR Part 11
Electronic Records and Electronic Signatures, Final Draft, Sep-
tember, 2000
18
19
APPENDIX 1: SAP/FDA CGMP FUNCTIONALITY MATRIX FOR FINISHED PHARMACEUTICALS
20
Quality Management Plant Sales & Distribution
Maintenance
• Calibration • Calibration
• Electronic/Digital Signature • Engineering Change Management
• Engineering Change Management • Equipment Management
• Equipment Notif ications • Logbook*
• Preventative Maintenance
• PM-PCS
• Electronic/Digital Signature
• Engineering Change Management
• Goods Receipt Inspection
• Non-conformance Reporting
• QM-IDI Interface to LIMS
• Quality Dispostion
• Sample Management
• Source Inspection
• Statistical Quality Control (SQC)
• Supplier Quality Mgmt.
• Electronic/Digital Signature • Calibration
• Engineering Change Management • Engineering Change Management
• In-process Inspection • Equipment Management
• Non-conformance Reporting • Logbook*
• Post process Inspection • PM-PCS
• QM-IDI Interface to LIMS
• Quality Disposition
• Sample Management
• Statistical Process Control (SPC)
• Statistical Quality Control (SQC)
21
APPENDIX 1: SAP/FDA CGMP FUNCTIONALITY MATRIX FOR FINISHED PHARMACEUTICALS (CONTINUED)
Subpart I
Laboratory Controls
22
Quality Management Plant Sales & Distribution
Maintenance
• Batch Determination
• Calibration • Calibration
• Electronic/Digital Signature • Engineering Change Management
• Engineering Change Management • Equipment Management
• Equipment Management • Logbook*
• Goods Receipt Inspection
• In-process Inspection
• Inspection Methods
• Non-conformance Reporting
• Post-process Inspection
• QM-IDI Interfaces to LIMS
• Quality Disposition
• Recurring Inspection
• Sample Management
• Statistical Quality Control (SQC)
• Test Specif ication Mgmt
• Compliant Management • Engineering Change Management • Delivery Notes
• Electronic Digital Signatures • Logbook* • Sales Orders
• Engineering Change Management • Maintenance Orders
• Inspection Lots • Maintenance Task Lists
• Inspection Plans • Change Docs/Audit Trails
• Non-conformance Reporting
• Change Docs/Audit Trails
23
APPENDIX 2: SAP/FDA CGMP FUNCTIONALITY MATRIX FOR MEDICAL DEVICES
24
Quality Management Plant Sales & Distribution
Maintenance
• Electronic/Digital Signature
• In-process Inspection
• Non-conformance Reporting
• Post-process Inspection
• QM-IDI Interface to LIMS
• Quality Disposition
• Statistical Process Control (SPC)
• Statistical Quality Control (SQC)
• Electronic/Digital Signature
• Engineering Change Management
• Quality Information Records
• Quality Notif ications
• Supplier Quality Management
• Calibration • Calibration
• Electronic/Digital Signature • Engineering Change Management
• Engineering Change Management • Equipment Management
• Equipment Management • Logbook*
• In-process Inspection • Preventative Maintenance
• Non-conformance Reporting
• Post-process Inspection
• QM-IDI Interface to LIMS
• Sample Management
• Statistical Process Control (SPC)
• Statistical Quality Control (SQC)
25
APPENDIX 2: SAP/FDA CGMP FUNCTIONALITY MATRIX FOR MEDICAL DEVICES (CONTINUED)
26
Quality Management Plant Sales & Distribution
Maintenance
• Electronic/Digital Signature
• Engineering Change Management
• Goods Receipt Inspection
• In-process Inspection
• Inspection Methods
• Non-conformance Reporting
• Post-process Inspection
• QM-IDI Interface to LIMS
• Quality Disposition
• Sample Management
• Source Inspection
• Statistical Quality Control (SQC)
• Test Specif ication Mgmt.
• Electronic/Digital Signature
• Non-conformance Reporting
• Quality Disposition
• Quality Inspection
• Compliant Management • Return Goods Authorization
• Electronic/Digital Signature
• Non-Conformance Reporting
• QM-IDI Interface to LIMS
• Quality Disposition
• Returns Inspection
• Statistical Qualitiy Control (SQC)
• Electronic/Digital Signature • Calibration
• Engineering Change Management • Engineering Change Management
• Goods Receipt Inspection • Equipment Management
• In-process Inspection • Logbook*
• Non-conformance Reporting
• Post-process Inspection
• Quality Disposition
• Sample Management
• Statistical Quality Control (SQC)
27
APPENDIX 2: SAP/FDA CGMP FUNCTIONALITY MATRIX FOR MEDICAL DEVICES (CONTINUED)
28
Quality Management Plant Sales & Distribution
Maintenance
29
APPENDIX 3: FDA CGMP CRITICAL TRANSACTIONS LIST FOR NEGATIVE TESTING OF SECURITY PROFILES
30
APPENDIX 4: COMPLIANCE SUMMARY TABLE OF EC AND PIC GMP GUIDELINES FOR PART 11 REQUIREMENTS
EC GMP Comments
Guideline
PIC GMP
Guideline PH 1/97
Section
Personnel 1 This guideline is comparable to clause 11.10(i) in Part 11.
Validation 2. Validation is a procedural requirement for customers and is not related to the functions or capabilities of SAP R/3. The SAP
Horizon quality management system describes those phases of the software life cycle involved in developing and maintaining
SAP software. SAP R/3 has been developed according to a formally recognized software development lifec ycle and has
maintained ISO 9001 certif ication since 1994. ISO 9001 requirements cover the development, production, sales, and
maintenance of products and services. This is comparable to clauses 11.10(e) and 11.10 (k) in Part 11.
System 3. This section is a procedural requirement for customers and is not related to the functions or capabilities of SAP R/3.
System 4. This section is a procedural requirement for customers and is not related to the functions or capabilities of SAP R/3.
System 5. The SAP Horizon quality management system describes those phases of the software life cycle involved in developing and
maintaining SAP software. SAP R/3 has been developed according to a formally recognized software development lifecycle
and has maintained ISO 9001 certif ication since 1994. ISO 9001 requirements cover the development, production, sales, and
maintenance of products and services.
System 6. SAP R/3 complies with these requirements. For example, warnings when users enter aberrant data, such as results recording
in QM or recording process data in process instruction sheets. The user is then prompted to conf irm entry of this data
before it is accepted. This is comparable to clause 11.10(h). Otherwise, this is a procedural requirement for customers and is
not related to the functions or capabilities of SAP R/3.
System 7. This section is a procedural requirement for customers and is not related to the functions or capabilities of SAP R/3.
System 8. This section is comparable to clauses 11.10(d), 11.10(e), and 11.10(g) in Part 11.
System 9. See System 6 and clause 11.10(f).
System10 This section is comparable to clauses 11.10(a), 11.10(e), and 11.50 (a)(b) in Part 11.
System 11. This section is a procedural requirement for customers and is not related to the functions or capabilities of SAP R/3.
System 12. This section is comparable to clause 11.10(b) in Part 11.
System 13. This section concerns physical properties that are procedural requirements for customers and is not related to the functions
or capabilities of SAP R/3. It is comparable to clauses 11.10(c) and 11.70 in Part 11.
System 14. This section is a procedural requirement for customers and is not related to the functions or capabilities of SAP R/3.
System 15. This section is a procedural requirement for customers and is not related to the functions or capabilities of SAP R/3.
System 16. This section is a procedural requirement for customers and is not related to the functions or capabilities of SAP R/3.
System 17. This section concerns the Horizon quality management system for SAP R/3 and is comparable to clauses 11.10(e) and
11.10(k). Otherwise, it is a procedural requirement for customers and is not related to the functions or capabilities of SAP
R/3.
System 18. This section is a procedural requirement for customers and is not related to the functions or capabilities of SAP R/3.
System 19. This section is comparable to clauses 11.10(d), 11.10(g), and 11.50(a) in Part 11.
31
APPENDIX 5: COMPLIANCE SUMMARY TABLE OF Q 7A ICH GUIDELINE FOR PART 11 REQUIREMENTS
Q 7a ICH Comment
Guideline
5.40 Validation is a procedural requirement for customers that is not related to the functions or capabilities of SAP R/3. The SAP
Horizon quality management system describes those phases of the software life cycle that are involved in developing and
maintaining SAP software. SAP R/3 has been developed according to a formally recognized software development life cycle and has
maintained ISO 9001 certif ication since 1994. ISO 9001 requirements cover the development, production, sales, and maintenance of
products and services. This guideline is comparable to clauses 11.10(e) and 11.10(k) in Part 11.
5.41 The SAP Horizon quality management system describes those phases of the software life cycle involved in developing and
maintaining SAP software. SAP R/3 has been developed according to a formally recognized software development life cycle and has
maintained ISO 9001 certif ication since 1994. ISO 9001 requirements cover the development, production, sales, and maintenance of
products and services.
5.42 This section is a procedural requirement for customers and is not related to the functions or capabilities of SAP R/3.
5.43 This section is comparable to clauses 11.10(c), 11.10(d), 11.10(e), 11.10(g), 11.50(a)(b), and 11.70 in Part 11.
5.44 This section is comparable to clauses 11.10(i) and 11.10(k) in Part 11.
5.45 SAP R/3 posts warnings when users enter aberrant data, such as results recording in QM or the recording of process data in process
instruction sheets. SAP R/3 then prompts the user to conf irm entry of this data before it is accepted. This guideline is comparable
to clauses 11.10(f) and 11.10(h) in Part 11.
5.46 This section is comparable to clauses in 11.10(a), 11.10(b), 11.10(c), and 11.10(e) in Part 11.
5.47 This is a procedural requirement for customers and is not related to the functions or capabilities of SAP R/3.
5.48 This section is comparable to 11.10(c). Otherwise, it is a procedural requirement for customers and is not related to the functions
or capabilities of SAP R/3.
5.49 This section is a procedural requirement for customers and is not related to the functions or capabilities of SAP R/3.
32
33
34
35
THE BEST-RUN E-BUSINESSES RUN SAP
SAP AG
Neurottstraße 16
69190 Walldorf
Germany
T +49/1805/34 34 24
F +49/1805/34 34 20
www.sap.com