Compliance Response 21 CFR Part 11 SIMATIC WinCC V6.2
Declaration of Conformity – August 2007
Contents
3 Introduction
4 1. The Requirements of 21 CFR Part 11 in Short
5 2. Response of SIMATIC WinCC V6.2 to 21 CFR Part 11
5 2.1 Technological Solution for access Security
7 2.2 Technological Solution for Audit Trail
9 2.3 Technological Solution for archiving and retrieval
9 2.4 Technological Solution for electronic signatures
9 3. Evaluation list for SIMATIC WinCC V6.2
10 3.1 Procedures and controls for closed systems
13 3.2 Additional procedures and controls for open systems
14 3.3 Signed electronic records
15 3.4 Electronic signatures (general)
16 3.4.1 Electronic signatures (non-biometric)
17 3.4.2 Electronic signatures (biometric)
17 3.5 Controls for user IDs and passwords
Introduction
On August 20, 1997, the regulation 21 CFR Part 11 “Electronic Records; Electronic Signatures” of the US Food and Drug Administration (FDA) took effect. 21 CFR Part 11 (Part 11 in short) defines the acceptance criteria of the FDA for the use of electronic records and electronic signatures in place of records in paper form and hand-written signatures on paper. In this regard, electronic records and signatures must be as trustworthy, reliable and effective as traditional records. The implementation of this regulation for electronic records and signatures is mandatory. However, Part 11 only applies to records maintained in accordance with the guidelines of the FDA (as defined in the “predicate rules”) or to records which are to be submitted to the FDA in electronic form. There are various interpretations and recommendations from the FDA as well as from the ISPE and PDA. Beyond the use of electronic records and signatures, traditional paper documents and handwritten signatures, or a combination of both, can still be used.
To help our clients, Siemens as supplier of SIMATIC WinCC evaluated Version 6.2 of the system on the basis of these requirements. The results of the assessment of the SIMATIC WinCC V6.2 SCADA system are published in this paper.
SIMATIC WinCC V6.2 fully meets the functional requirements of 21 CFR Part 11. Operation in conformity to the regulations is ensured in conjunction with administrative measures and procedural guidelines to be established by the customer. The Siemens recommendations for the system architecture, design and configuration assist the customer in achieving compliance. You can find additional information and assistance in the document “GMP Engineering Manual: SIMATIC WinCC Guidelines for Implementing Automation Projects in a GMP Environment”.
The FDA standards are applied beyond the pharmaceuticals industry in other life sciences (such as the food industry, cosmetics and consumer care).
The requirements of Part 11 are open to interpretation. This document supports the interpretation of the ISPE CoP GAMP and PDA that are accepted worldwide. If the interpretation of a requirement by a company differs from the requirement specified here, please contact the Competence Center Pharmaceuticals of Siemens AG A&D in Karlsruhe for more information.
This document comprises three parts. The first part provides a brief overview of the requirements of Part 11, the second provides the solutions for the main technical requirements from the viewpoint of SIMATIC WinCC V6.2, and the third contains a detailed system evaluation according to ISPE/PDA [1].
[1] Good Practice and Compliance for Electronic Records and Signatures; Part 2 “Complying with 21 CFR Part 11, Electronic Records and Electronic Signatures”; ISPE and PDA 2002
1. The requirements of 21 CFR Part 11 in short
21 CFR Part 11 assumes that the risk of manipulation, misinterpretation, and changes without trace is higher with electronic records and electronic signatures than with conventional paper records and handwritten signatures, or that such changes are more difficult to detect. Additional measures are required for this reason.
“Electronic Record” / “Electronic Document” means any combination of text, graphics, data, audio, pictorial or other representation of information in digital form that is created, modified, maintained, archived, retrieved or distributed by a computer system.
“Electronic Signature” means a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual’s handwritten signature. [1]
Requirement / Description
Validation: All GMP-relevant automated systems must be validated to ensure precise, reliable and consistent data preparation in accordance with the standards.
Access security: Systems must limit access to only authorized, qualified personnel. In open systems, additional security measures must be implemented to ensure this (see also 21 CFR Part 11.30).
Audit trails: All operator actions which create, modify or delete an electronic record must be recorded in a secure, time-stamped, computer-generated audit trail.
Record retention, protection, reproducibility and retrievability: Systems must have the capability to retain, protect and readily retrieve records throughout the established retention period. Systems must be able to reproduce electronic records in both human-readable and electronic form.
Certificate to FDA: Written certification must be provided to the FDA Office of Regional Operations that all electronic signatures in use are the legally binding equivalent of traditional handwritten signatures.
Document controls: Controls must exist over access to, revision of, distribution of, and use of documentation for system operation and maintenance.
Electronic signature: Systems must provide measures to ensure that use is limited to genuine owners only and that attempted use by others is promptly detected and recorded. Non-biometric systems must employ two distinct identification mechanisms (user identifier / password). Both the user identifier and password must be entered before a signing session, and at least the password is entered at each subsequent signing during the same session. Electronic signatures must not be reused or reassigned. The purpose of an electronic signature must be clearly indicated. Finally, systems must include measures to prohibit falsification of electronic signatures using standard tools. Written policies must be in place which hold individuals responsible for actions initiated under their electronic signatures.
2. Response of SIMATIC WinCC V6.2 to 21 CFR Part 11
The requirements which can be fulfilled by technological solutions can be summarized under four topics:
• Access security
• Audit trail
• Archiving and retrieval of archived data
• Electronic signature
2.1 Technological solution for access security
User management is provided with the SIMATIC Logon option based on MS Windows security mechanisms:
• Based on user groups, user rights are defined in the WinCC user management.
• Individual users and their assignment to Windows user groups are defined in the Windows user management.
• SIMATIC Logon provides the link between the Windows user groups and the WinCC user groups.
The following requirements for access security are fulfilled in this way:
• Centralized management of users (setup, deactivation, blocking, unblocking, assigning to groups) is performed by the administrator.
• Unique combination of user identifier (user ID) and password.
• Definition of access permissions for groups and users.
• Access and permission levels based on the plant area.
• Password aging: the user is forced to change his/her password after a configurable time; a password can be reused only after “n” generations.
• The system can force the user to define a new password during the first logon (initial password).
• The user is automatically blocked after a configurable number of logon attempts and can only be unblocked by the administrator.
• Automatic logout after a configurable time in which neither the keyboard nor the mouse is used.
• Log functions for actions related to access security, such as logon, manual and automatic logoff, wrong user ID, wrong password, user blocked after several attempts to enter a wrong password, password change by user.
SIMATIC Logon fulfills the requirements of 21 CFR Part 11 regarding access security in combination with procedures, such as those for “clarifying the responsibility and access of the system users”.
In addition, unauthorized access to the directory structures of the individual system programs should be prevented using the rights allocation of the Windows operating system, thus excluding the chance of unwanted manipulation.
If system access is not controlled by persons who are responsible for the content of the electronic records, the system is defined as “open”. If there is an “open path”, this path can be secured using standard tools.
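The access-security controls listed above (password aging, reuse only after n generations, forced change at first logon, blocking after repeated failures with unblocking reserved to the administrator, automatic logoff, and a log of the named events) as one constructed model. This is an added example, not SIMATIC Logon or Windows code; the policy values (3 attempts, 90 days, 5 generations, 10 minutes) and the salting by user ID are assumptions standing in for the settings the text calls configurable.

```python
# Constructed model of the access-security controls of section 2.1 (added example,
# not SIMATIC Logon or Windows code); policy values stand in for "configurable" settings.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib

@dataclass
class Policy:
    max_failed_logons: int = 3                             # block after this many failures
    password_max_age: timedelta = timedelta(days=90)       # password aging
    password_history: int = 5                              # reuse only after n generations
    inactivity_timeout: timedelta = timedelta(minutes=10)  # automatic logoff

@dataclass
class Account:
    user_id: str
    pw_hash: str
    pw_set_at: datetime
    must_change: bool = True      # initial password was set by the administrator
    failed_logons: int = 0
    blocked: bool = False
    history: list = field(default_factory=list)   # hashes of previous passwords
    last_activity: "datetime | None" = None

def _hash(user_id: str, password: str) -> str:
    # Salted with the user ID (assumption) so one account's history hashes stay comparable.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), user_id.encode(), 100_000).hex()

class UserManager:
    def __init__(self, policy: Policy):
        self.policy = policy
        self.accounts = {}
        self.log = []             # (time, event, user ID): the log functions of section 2.1

    def _event(self, now, event, user_id):
        self.log.append((now.isoformat(), event, user_id))

    def create_user(self, user_id, initial_password, now):    # administrator action
        self.accounts[user_id] = Account(user_id, _hash(user_id, initial_password), now)
        self._event(now, "user created", user_id)

    def logon(self, user_id, password, now):
        acct = self.accounts.get(user_id)
        if acct is None:
            self._event(now, "wrong user ID", user_id)
            return "wrong user ID"
        if acct.blocked:
            self._event(now, "logon refused, user blocked", user_id)
            return "blocked"
        if _hash(user_id, password) != acct.pw_hash:
            acct.failed_logons += 1
            self._event(now, "wrong password", user_id)
            if acct.failed_logons >= self.policy.max_failed_logons:
                acct.blocked = True           # only the administrator can unblock
                self._event(now, "user blocked after repeated wrong passwords", user_id)
                return "blocked"
            return "wrong password"
        acct.failed_logons, acct.last_activity = 0, now
        if acct.must_change or now - acct.pw_set_at > self.policy.password_max_age:
            self._event(now, "logon, password change required", user_id)
            return "change password"
        self._event(now, "logon", user_id)
        return "ok"

    def change_password(self, user_id, new_password, now):
        acct = self.accounts[user_id]
        new_hash = _hash(user_id, new_password)
        recent = (acct.history + [acct.pw_hash])[-self.policy.password_history:]
        if new_hash in recent:                # reuse allowed only after n generations
            self._event(now, "password change rejected, reused", user_id)
            return False
        acct.history.append(acct.pw_hash)
        acct.pw_hash, acct.pw_set_at, acct.must_change = new_hash, now, False
        self._event(now, "password changed by user", user_id)
        return True

    def unblock(self, user_id, now):                           # administrator action
        acct = self.accounts[user_id]
        acct.blocked, acct.failed_logons = False, 0
        self._event(now, "user unblocked by administrator", user_id)

    def check_inactivity(self, user_id, now):
        # Automatic logoff once neither keyboard nor mouse was used for the timeout.
        acct = self.accounts[user_id]
        if acct.last_activity and now - acct.last_activity > self.policy.inactivity_timeout:
            acct.last_activity = None
            self._event(now, "automatic logoff", user_id)
            return True
        return False
```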
Figure 1: SIMATIC Logon configuration
2.2 Technological solution for audit trail
Audit trails are particularly important in situations in which data is created, modified or deleted by user actions during normal operation.
If an electronic record is generated automatically and cannot be altered or deleted by the operator, an audit trail is unnecessary. These electronic recordings are saved by the applications of the WinCC system (with access security, for example).
The following sections describe how the SIMATIC WinCC system supports the implementation of the 21 CFR Part 11 requirements in regard to the audit trails during runtime operation. They also describe the resources provided by the system for tracing changes made in the engineering system.
Runtime operation
Process data
Process data (such as process values, process or operator messages) are stored without any option for the operator to change this data.
Changes in runtime operation
Using the option WinCC Audit, actions performed by the operator in the process visualization system during runtime are recorded in an audit trail.
Optionally, changes can be displayed in a simplified form in the WinCC Alarm Logging.
Figure 2: Display of audit trail in WinCC Audit
During configuration
Configuration
The WinCC/Audit option can record changes made in WinCC projects (such as logs, graphics, settings for user permissions, etc.) to support a formal change control procedure. The document control function of WinCC/Audit allows full check-in, check-out, deletion, rollback and recovery of application documents and user documents. A secure database retains copies of all configuration states of a document.
Configuration of user management
Changes in the user management (e.g. creating new users, blocking users etc.) are recorded by the Windows audit trail. The Windows event log must be configured accordingly for this purpose.
Figure 4: Archive configuration
2.3 Technological solution for archiving and retrieval
Continuous archiving
SIMATIC WinCC offers a configurable and scalable archiving concept. Messages and measured values are continuously stored in local WinCC archives. These locally stored data can be automatically transferred to long-term archives. A checksum is formed to prevent the manipulation of archived data. The archived data can be retrieved throughout the entire duration of the defined retention period. The call can be made within WinCC with standard functions or from standard interfaces or add-on packages (e.g. Connectivity Pack).
Batch-oriented archiving
The WinCC Premium add-on PM-QUALITY is used to perform batch-oriented data archiving. PM-QUALITY independently manages local archives and long-term archives. PM-QUALITY uses standard interfaces of WinCC to access WinCC data. These interfaces are also available to other archiving tools (from Siemens or third-party manufacturers).
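The audit-trail fields of section 2.2 (time stamp, user ID, old value, new value, comment) together with the archive checksum of section 2.3, as one added example that is not Siemens code: the chained SHA-256 checksum is an assumed scheme, not the WinCC archive format, and the records and tag names are constructed. Verification reports where an altered, removed or reordered archived record breaks the chain, and the CSV export carries the checksums so a restored copy can be checked again.

```python
# Constructed tamper-evident audit trail / archive (added example, not WinCC code).
# Record fields follow sections 2.2 and 3.1; the hash chain is an assumed checksum
# scheme, not the WinCC archive format.
import csv
import hashlib
import io
from dataclasses import dataclass, asdict, replace

FIELDS = ["timestamp", "user_id", "tag", "old_value", "new_value", "comment", "checksum"]
GENESIS = "0" * 64   # chain start; a deployment would keep this as a known constant

@dataclass
class AuditRecord:
    timestamp: str
    user_id: str
    tag: str          # the changed object, e.g. a setpoint or alarm threshold
    old_value: str    # retained: a change never overwrites earlier information
    new_value: str
    comment: str
    checksum: str = ""

def _digest(prev_checksum: str, rec: AuditRecord) -> str:
    # The checksum covers the record content and the previous record's checksum,
    # so altering, deleting or reordering any archived record breaks the chain.
    payload = "|".join([prev_checksum, rec.timestamp, rec.user_id, rec.tag,
                        rec.old_value, rec.new_value, rec.comment])
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()

class AuditArchive:
    def __init__(self):
        self.records = []

    def append(self, timestamp, user_id, tag, old_value, new_value, comment):
        prev = self.records[-1].checksum if self.records else GENESIS
        rec = AuditRecord(timestamp, user_id, tag, str(old_value), str(new_value), comment)
        rec = replace(rec, checksum=_digest(prev, rec))
        self.records.append(rec)
        return rec

    def export_csv(self) -> str:
        # Electronic copy for inspection (11.10(b)); the checksums travel with it.
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=FIELDS)
        writer.writeheader()
        for rec in self.records:
            writer.writerow(asdict(rec))
        return buf.getvalue()

def import_csv(text: str) -> list:
    return [AuditRecord(**row) for row in csv.DictReader(io.StringIO(text))]

def verify(records) -> int:
    """Index of the first record whose checksum does not fit the chain, or -1 if intact."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec.checksum != _digest(prev, rec):
            return i
        prev = rec.checksum
    return -1
```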
2.4 Technological solution for electronic signatures
SIMATIC Logon provides an interface (API) for configuration of electronic signatures in WinCC.
The electronic signature is executed through the SIMATIC Logon dialog. A user ID and password are queried and verified for identification.
3. Evaluation list for SIMATIC WinCC V6.2
The following checklist for evaluating SIMATIC WinCC is taken from a document developed by the “GAMP Special Interest Group” [1].
The checklist for system assessment involves all requirements, not only those which can
be fulfilled by technological solutions. Customers must introduce corresponding
procedures in their company to satisfy certain requirements of the 21 CFR Part 11
regulations. The specifications of 21 CFR Part 11 always relate to the customer-specific
application, which was implemented with WinCC. Consequently, the solutions then
specified are valid only in conjunction with specific procedures and organizational
measures.
3.1 Procedures and controls for closed systems
If system access is controlled by persons who are responsible for the content of the electronic records, the system is defined as “closed” and must be assessed against the requirements of this section.
Columns: Paragraph / detail | Question / Requirement | Comments

11.10(a), detail 1: Is the system validated?
The customer is responsible for the validation of the applications or system. The validation should follow an established system life cycle (SLC) methodology, e.g. as described in GAMP 4 [1].
SIMATIC WinCC has been developed according to Siemens’ Quality Management system (ISO 9001:2000 certified). The validation of the application can be supported by Siemens during projects.

11.10(a), detail 2: Is it possible to discern invalid or altered records?
Yes. An entry can be generated in the audit trail for any operator action (if, for example, the operator changes setpoints / alarm thresholds / the monitoring mode or acknowledges alarms). All relevant changes are recorded including time stamp, user ID, old value, new value and comment. Unauthorized changes are prevented by the system through access security.
Archived records are protected with a checksum mechanism to detect any unauthorized changes.
Changes within the configuration of WinCC can be tracked using WinCC/Audit.

11.10(b), detail 1: Is the system capable of producing accurate and complete copies of electronic records on paper?
Yes. WinCC provides complete printouts of process values, messages and audit trails.

11.10(b), detail 2: Is the system capable of producing accurate and complete copies of records in electronic form for inspection, review and copying by the FDA?
Yes. Process values, messages and audit trails can be exported in electronic form and can be viewed with WinCC or the option DataMonitor. The WinCC/Audit option allows export of the audit trail to Microsoft Excel, PDF format or CSV files.

[1] GAMP Guide for Validation of Automated Systems
11.10(c): Are the records readily retrievable throughout their retention period?
Yes. Records can be archived in a readable format, on CD or DVD. We assume that these devices and formats will be readable in the future. The archived records can be viewed either using the tool DataMonitor or by restoring the records to WinCC.
In addition, the customer should specify retention periods and also define procedures for archiving, backup and retrieval for electronic records.

11.10(d): Is system access limited to authorized individuals?
Yes. By implementing SIMATIC Logon, all options for user management from Windows are provided (see section 2, Solution for access security).
The customer should ensure that only persons who have a legitimate business requirement to use the system are allowed physical access to the system (e.g. server, system console).
Since this requirement is virtually the same as 11.10(g), it is generally interpreted to refer to both physical access and logical access.

11.10(e), detail 1: Is there a secure, computer-generated, time-stamped audit trail that records the date and time of operator entries and actions that create, modify, or delete electronic records?
Yes. The audit trail is secure within the system and cannot be changed by a user.
Changes during production can be traced back by the system itself and contain information with time stamp, user ID, old and new value and comment.

11.10(e), detail 2: If a change is made to electronic data, is previously recorded information still available (or is it, for example, obscured by the change)?
Yes. Recorded information is still available within the database.

11.10(e), detail 3: Is an electronic record’s audit trail retrievable throughout the record’s entire retention period?
Yes. The audit trail can be made available during the entire retention period (see section 11.10(c)).

11.10(e), detail 4: Is the audit trail available for review and copying by the FDA?
Yes. The option WinCC/Audit allows export of the audit trail to Microsoft Excel, PDF format or CSV files.
If the audit trail is recorded in the Alarm Logging, it can be exported in PDF or CSV format.

11.10(f): If the sequence of system steps or events is important, is this also taken into account by the system (e.g. as would be the case in a process control system)?
Yes. A specific sequence of operator actions can be included based on the configuration of the application.

11.10(g): Does the system ensure that only authorized individuals can use the system, electronically sign records, access the operation or the computer system’s input or output devices, alter a record, or perform other operations?
Yes. SIMATIC Logon is layered on MS Windows security. A user ID and password are used.
Centralized user management is used in this regard for managing users and user groups.
In addition, the customer should define how access within WinCC Runtime is limited to authorized individuals only (e.g. who has access to specific objects or functions), including the special rights for administrators.

11.10(h): If it is a requirement of the system that input data or instructions can only come from certain input devices (e.g. terminals), does the system check the validity of the source of any data or instructions received?
(Note: This applies where data or instructions can come from more than one device, and the system must therefore verify the integrity of its source, such as a network of weigh scales, or remote, radio-controlled terminals.)
Yes. The WinCC workstations can be configured so that special input of data / commands can only be performed from a dedicated workstation or from a group of workstations. All other workstations then have only read-access rights at the most.
The system performs validation checks because the stations must be connected within the system.
11.10(i): Is there documented training, including on-the-job training for system users, developers, IT support staff?
Yes. Siemens offers either standard training courses or training related to customer projects which must be planned and executed separately.
The customer is responsible for planning and performing these courses.

11.10(j): Is there a written policy that holds individuals fully accountable and responsible for actions initiated under their electronic signatures?
The customer is responsible for providing procedural controls.

11.10(k), detail 1: Is the distribution of, access to, and use of system operation and maintenance documentation controlled?
The customer is responsible for providing procedural controls.

11.10(k), detail 2: Is there a formal change control procedure for the system documentation, which stores an audit trail in a time sequence for changes made by the pharmaceutical organization?
The customer is responsible for providing procedural controls.

3.2 Additional procedures and controls for open systems
If system access is NOT controlled by persons who are responsible for the content of the electronic records, the system is defined as “open” and must in addition be assessed against the requirements of this section. SIMATIC WinCC can be operated in both a closed and an open environment. Additional requirements must be met in the implementation for open systems.

11.30, detail 1: Is data encrypted?
In open systems, standard tools are available in the market to encrypt records / reports in order to secure the “open path”.

11.30, detail 2: Are digital signatures used?
WinCC does not provide digital signature functionality. Standard tools are available in the market to enable digital signing of the records (e.g. for PDF files).
3.3 Signed electronic records

11.50, detail 1: Do signed electronic records contain the following information?
a) Printed name of the signer
b) Date and time of signing
c) Meaning of the signature (such as approval, review, responsibility)
Yes. Signed electronic records include the following information:
a) Printed name or user ID of the signer
b) Date and time of signing
c) The meaning of the signature

11.50, detail 2: Is the information mentioned above shown on displayed and printed copies of the electronic record?
Yes. The above-mentioned information can be printed and displayed as part of the electronic record.

11.70: Are signatures linked to their respective electronic records to ensure that they cannot be cut, copied, or otherwise transferred to other records for the purpose of falsification?
Yes. As soon as an electronic record is signed, it is saved to the WinCC database. This record cannot be cut, copied, changed or deleted. External access to the database is password-protected.
In addition it is recommended to restrict access to the database using Windows security features.
3.4 Electronic signatures (general)

11.100(a), detail 1: Are electronic signatures unique to an individual?
Yes. The electronic signature uses the ID and the password of the user. The uniqueness of the user ID is ensured by the MS Windows security system. It is not possible to define two users with the same user ID within a workgroup / domain.
In addition, the customer must ensure the uniqueness of the electronic signature to an individual.

11.100(a), detail 2: Are electronic signatures ever reused by or reassigned to anyone else?
The customer has to ensure, and is responsible, that a user ID is assigned to one person only.

11.100(b): Is the identity of an individual verified before an electronic signature is allocated?
This is the responsibility of the customer, who must provide organizational measures.
3.4.1 Electronic signatures (non-biometric)

11.200(a)(1)(i): Is the signature made up of at least two components, such as an identification code and password, or a smart card and password?
Yes. SIMATIC Logon identifies the person with two distinct components: a user ID and password or a smart card and password.

11.200(a)(1)(ii): When several signatures are made during a continuous session, is the password entered for each signature? (Note: both components must be provided at the beginning of the session.)
Yes. Each signature requires at least two components (user ID and password).

11.200(a)(1)(iii): If signatures are not entered in a continuous session, are both components of the electronic signature executed for each signature?
Yes. Each signature requires at least two components (user ID and password).

11.200(a)(2): Can non-biometric electronic signatures only be used by their real owner?
The customer is responsible for providing procedural controls that prevent passwords from becoming known.

11.200(a)(3): Would an attempt to falsify an electronic signature require the collaboration of at least two individuals?
Yes. It is not possible to falsify an electronic signature during signing and after the system has written it into a record.
The administrator cannot misuse the signature, although he configures the user ID and initial password, because the user is forced to change his password at the first logon.
Unauthorized use of user IDs / passwords (failed logon attempt) is detected immediately and recorded.
The customer also requires a procedural control that prevents passwords from becoming known.
3.4.2 Electronic signatures (biometric)

11.200(b): Can biometric electronic signatures be used only by their real owner?
Tools from third-party manufacturers can be used to create biometric electronic signatures. The integrity of such a solution should be specifically assessed.

3.5 Controls for user IDs and passwords
If smart cards, tokens or other devices containing or generating identification code or password information are used on this automated system for electronic signatures, then the system must be assessed against the requirements in this section.

11.300(a): Are controls in place to maintain the uniqueness of each identification code and password combination which ensures that no other individual can have the same combination of identification code and password?
See 11.100(a).

11.300(b), detail 1: Are procedures in place to ensure that the validity of user IDs is periodically checked?
The customer is responsible for providing procedural controls.

11.300(b), detail 2: Do passwords periodically expire and need to be revised?
Yes. A password expires after a specified number of days and cannot be reused for a specified number of generations according to MS Windows security parameters. Password aging does not influence the previous use (records, signatures).
11.300(b), detail 3: Is there a procedure for canceling identification codes and passwords if a person leaves the company or is transferred?
Customers are responsible for providing procedural controls.
The user accounts can be disabled using the MS Windows security system.

11.300(c): Is there a procedure for electronically changing a user ID or password if it is potentially compromised or lost?
The customer is responsible for providing procedural controls.
The user accounts can be changed using the MS Windows security system.
The user can change his password at any time using SIMATIC Logon.

11.300(d), detail 1: Is there a procedure for detecting attempts at unauthorized use and for informing the security system?
Unauthorized attempts are logged within the MS Windows security log. The user account is blocked after a specified number of unauthorized attempts.
In addition, the customer is responsible for providing appropriate organizational measures.

11.300(d), detail 2: Is there a procedure for reporting repeated or serious attempts at unauthorized use to the administrator?
The customer is responsible for providing appropriate organizational measures.

11.300(e), detail 1: Is there initial and periodic testing of tokens and cards?
The customer is responsible for providing appropriate organizational measures.

11.300(e), detail 2: Does this test check that there have been no unauthorized alterations?
The customer is responsible for providing appropriate organizational measures.
Abbreviations:
API Application Programming Interface
CD Compact Disk
CFR Code of Federal Regulations
CoP Community of Practice
CSV Comma Separated Values
DVD Digital Versatile Disc
FDA Food and Drug Administration
GAMP Good Automated Manufacturing Practice
GMP Good Manufacturing Practice
ID Identification
ISPE International Society for Pharmaceutical Engineering
ISO International Standards Organization
PDA Parenteral Drug Association
SCADA Supervisory Control and Data Acquisition
SLC System Life Cycle
Siemens AG
Automation and Drives Group
Competence Center Pharmaceutical Industry
Siemensallee 84
D-76187 KARLSRUHE GERMANY
www.siemens.com/pharma
The information provided in this brochure contains merely general descriptions or characteristics of performance which in case of actual use do not always apply as described or which may change as a result of further development of the products. An obligation to provide the respective characteristics shall only exist if expressly agreed in the terms of contract.
All product designations may be trademarks or product names of Siemens AG or supplier companies whose use by third parties for their own purposes could violate the rights of the owners.
SIMATIC® is a registered trademark of Siemens. Other designations used in this publication may be trademarks whose use by third parties for their own purposes could violate the rights of the owners.
More information:
www.siemens.com/pharma
E-mail: [email protected]
Fax: +49 7 21 5 95-63 90
Subject to change without notice 08/07 | E20001-A730-P200-X-7600 | 49RZ525 MK.AS.CP.XXXX.52.5.01 DS 0807.4 | Printed in Germany | © Siemens AG 2007