Compliance Response 21 CFR Part 11 SIMATIC WinCC V6.2 Declaration of Conformity – August 2007


Page 1: Compliance Response 21 CFR Part 11 SIMATIC WinCC V6w3.siemens.com/.../Documents/21CFR11Compliance_WinCC_V62_E.pdf · 5 2. Response of SIMATIC WinCC V6.2 to 21 CFR Part 11 The requirements

Compliance Response 21 CFR Part 11 SIMATIC WinCC V6.2

Declaration of Conformity – August 2007


Contents

Introduction (page 3)
1. The Requirements of 21 CFR Part 11 in Short (page 4)
2. Response of SIMATIC WinCC V6.2 to 21 CFR Part 11 (page 5)
2.1 Technological Solution for access Security (page 5)
2.2 Technological Solution for Audit Trail (page 7)
2.3 Technological Solution for archiving and retrieval (page 9)
2.4 Technological Solution for electronic signatures (page 9)
3. Evaluation list for SIMATIC WinCC V6.2 (page 9)
3.1 Procedures and controls for closed systems (page 10)
3.2 Additional procedures and controls for open systems (page 13)
3.3 Signed electronic records (page 14)
3.4 Electronic signatures (general) (page 15)
3.4.1 Electronic signatures (non-biometric) (page 16)
3.4.2 Electronic signatures (biometric) (page 17)
3.5 Controls for user IDs and passwords (page 17)


Introduction

On August 20, 1997, the regulation 21 CFR Part 11 “Electronic Records; Electronic Signatures” of the US Food and Drug Administration (FDA) took effect. 21 CFR Part 11 (Part 11 in short) defines the acceptance criteria of the FDA for the use of electronic records and electronic signatures in place of records in paper form and hand-written signatures on paper. In this regard, electronic records and signatures must be as trustworthy, reliable and effective as traditional records. The implementation of this regulation for electronic records and signatures is mandatory. However, Part 11 only applies to records maintained in accordance with the guidelines of the FDA (as defined in the “predicate rules”) or to records which are to be submitted to the FDA in electronic form. There are various interpretations and recommendations from the FDA as well as from the ISPE and PDA. Beyond the use of electronic records and signatures, traditional paper documents and handwritten signatures, or a combination of both, can still be used.

To help our clients, Siemens, as supplier of SIMATIC WinCC, evaluated Version 6.2 of the system on the basis of these requirements. The results of the assessment of the SIMATIC WinCC V6.2 SCADA system are published in this paper.

SIMATIC WinCC V6.2 fully meets the functional requirements of 21 CFR Part 11. Operation in conformity to the regulations is ensured in conjunction with administrative measures and procedural guidelines to be established by the customer. The Siemens recommendations for the system architecture, design and configuration assist the customer in achieving compliance. You can find additional information and assistance in the document “GMP Engineering manual: SIMATIC WinCC Guidelines for Implementing Automation Projects in a GMP Environment”.

The FDA standards are applied beyond the pharmaceuticals industry in other life sciences (such as the food industry, cosmetics and consumer care).

The requirements of Part 11 are open to interpretation. This document supports the interpretation of the ISPE CoP GAMP and PDA that are accepted worldwide. If the interpretation of a requirement by a company differs from the requirement specified here, please contact the Competence Center Pharmaceuticals of Siemens AG A&D in Karlsruhe for more information.

This document comprises three parts. The first part provides a brief overview of the requirements of Part 11, the second provides the solutions for the main technical requirements from the viewpoint of SIMATIC WinCC V6.2, and the third contains a detailed system evaluation according to ISPE/PDA [1].

[1] Good Practice and Compliance for Electronic Records and Signatures; Part 2 “Complying with 21 CFR Part 11, Electronic Records and Electronic Signatures”; ISPE and PDA 2002


1. The requirements of 21 CFR Part 11 in short

21 CFR Part 11 assumes that the risk of manipulation, misinterpretation, and changes without trace is higher with electronic records and electronic signatures than with conventional paper records and handwritten signatures, or that such changes are more difficult to detect. Additional measures are required for this reason.

“Electronic Record” / “Electronic Document” means any combination of text, graphics, data, audio, pictorial or other representation of information in digital form that is created, modified, maintained, archived, retrieved or distributed by a computer system.

“Electronic Signature” means a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual’s handwritten signature. [1]

Requirement: Validation
Description: All GMP-relevant automated systems must be validated to ensure precise, reliable and consistent data preparation in accordance with the standards.

Requirement: Access security
Description: Systems must limit access to only authorized, qualified personnel. In open systems, additional security measures must be implemented to ensure this (see also 21 CFR Part 11.30).

Requirement: Audit Trails
Description: All operator actions which create, modify or delete an electronic record must be recorded in a secure, time-stamped, computer-generated audit trail.

Requirement: Record Retention, Protection, Reproducibility and Retrievability
Description: Systems must have the capability to retain, protect and readily retrieve records throughout the established retention period. Systems must be able to reproduce electronic records in both human-readable and electronic form.

Requirement: Certificate to FDA
Description: Written certification must be provided to the FDA Office of Regional Operations that all electronic signatures in use are the legally binding equivalent of traditional handwritten signatures.

Requirement: Document Controls
Description: Controls must exist over access to, revision of, distribution of, and use of documentation for system operation and maintenance.

Requirement: Electronic signature
Description: Systems must provide measures to ensure that use is limited to genuine owners only and that attempted use by others is promptly detected and recorded. Non-biometric systems must employ two distinct identification mechanisms (user identifier / password). Both the user identifier and password must be entered before a signing session, and at least the password is entered at each subsequent signing during the same session. Electronic signatures must not be reused or reassigned. The purpose of an electronic signature must be clearly indicated. Finally, systems must include measures to prohibit falsification of electronic signatures using standard tools. Written policies must be in place which hold individuals responsible for actions initiated under their electronic signatures.

[1] Good Practice and Compliance for Electronic Records and Signatures; Part 2 “Complying with 21 CFR Part 11, Electronic Records and Electronic Signatures”; ISPE and PDA 2002


2. Response of SIMATIC WinCC V6.2 to 21 CFR Part 11

The requirements which can be fulfilled by technological solutions can be summarized under four topics:

• Access security
• Audit trail
• Archiving and retrieval of archived data
• Electronic signature

2.1 Technological solution for access security

User management is provided with the SIMATIC Logon option based on MS Windows security mechanisms:

• Based on user groups, user rights are defined in the WinCC user management.
• Individual users and their assignment to Windows user groups are defined in the Windows user management.
• SIMATIC Logon provides the link between the Windows user groups and the WinCC user groups.

The following requirements for access security are fulfilled in this way:

• Centralized management of users (setup, deactivation, blocking, unblocking, assigning to groups) is performed by the administrator.
• Unique combination of user identifier (user ID) and password.
• Definition of access permissions for groups and users.
• Access and permission levels based on the plant area.
• Password aging: the user is forced to change his/her password after a configurable time; a password can be reused only after “n” generations.
• The system can force the user to define a new password during the first logon (initial password).
• The user is automatically blocked after a configurable number of logon attempts and can only be unblocked by the administrator.


• Automatic logout after a configurable time in which neither the keyboard nor the mouse is used.
• Log functions for actions related to access security, such as logon, manual and automatic logoff, wrong user ID, wrong password, user blocked after several attempts to enter a wrong password, password change by user.

SIMATIC Logon fulfills the requirements of 21 CFR Part 11 regarding access security in combination with procedures, such as those for “clarifying the responsibility and access of the system users”.

In addition, unauthorized access to the directory structures of the individual system programs should be prevented using the rights allocation of the Windows operating system, thus excluding the chance of unwanted manipulation.

If system access is not controlled by persons who are responsible for the content of the electronic records, the system is defined as “open”. If there is an “open path”, this path can be secured using standard tools.

Figure 1 SIMATIC Logon Configuration
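The access-security controls listed above (blocking after a configurable number of failed logons, unblocking only by the administrator, password aging together with the “n generations” reuse rule, a forced password change at the first logon, automatic logout after keyboard/mouse inactivity, and a log of every access-related event) can be written down as a small reference model against which a site's configured policy and procedures can be tested. The Python below is an added example, not SIMATIC Logon or any other Siemens code: the class, method and event names, the policy values, and the user IDs and passwords in the walk-through are all constructed for illustration. The model keeps only salted PBKDF2 hashes of passwords so that no plaintext secret is held; SIMATIC Logon itself, as the page states, relies on the Windows security mechanisms for this.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Policy:
    max_failed_attempts: int = 3                           # block after n wrong passwords
    password_max_age: timedelta = timedelta(days=90)       # password aging
    password_history: int = 5                              # reuse only after n generations
    inactivity_timeout: timedelta = timedelta(minutes=10)  # automatic logout

@dataclass
class Account:
    pw_hashes: list            # (salt, hash) pairs, newest first; never plaintext
    pw_set_at: datetime
    must_change: bool = True   # initial password was set by the administrator
    failed: int = 0
    blocked: bool = False

def _hash(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)

class LogonService:  # hypothetical reference model of the section 2.1 controls, not SIMATIC Logon code
    def __init__(self, policy, admins):
        self.policy, self.admins = policy, admins
        self.accounts, self.sessions = {}, {}   # sessions: user_id -> time of last activity
        self.events = []                        # (time, user_id, event): the access-security log

    def _log(self, now, user_id, event, result=None):
        self.events.append((now, user_id, event))
        return result

    def _matches(self, acct, pw, generations=1):
        return any(hmac.compare_digest(h, _hash(pw, salt)) for salt, h in acct.pw_hashes[:generations])

    def create_user(self, admin_id, user_id, initial_pw, now):
        if admin_id not in self.admins or user_id in self.accounts:  # user IDs stay unique
            return False
        salt = os.urandom(16)
        self.accounts[user_id] = Account([(salt, _hash(initial_pw, salt))], now)
        return self._log(now, user_id, "USER_CREATED", True)

    def logon(self, user_id, pw, now):
        acct = self.accounts.get(user_id)
        if acct is None:
            return self._log(now, user_id, "WRONG_USER_ID", "denied")
        if acct.blocked:
            return self._log(now, user_id, "LOGON_REFUSED_USER_BLOCKED", "blocked")
        if not self._matches(acct, pw):
            acct.failed += 1
            self._log(now, user_id, "WRONG_PASSWORD")
            if acct.failed < self.policy.max_failed_attempts:
                return "denied"
            acct.blocked = True
            return self._log(now, user_id, "USER_BLOCKED", "blocked")
        acct.failed = 0
        if acct.must_change or now - acct.pw_set_at >= self.policy.password_max_age:
            return self._log(now, user_id, "PASSWORD_CHANGE_REQUIRED", "change_password")
        self.sessions[user_id] = now
        return self._log(now, user_id, "LOGON", "ok")

    def change_password(self, user_id, old_pw, new_pw, now):
        acct = self.accounts[user_id]
        if acct.blocked or not self._matches(acct, old_pw):
            return self._log(now, user_id, "PASSWORD_CHANGE_FAILED", False)
        if self._matches(acct, new_pw, self.policy.password_history):
            return self._log(now, user_id, "PASSWORD_REUSE_REJECTED", False)
        salt = os.urandom(16)
        acct.pw_hashes.insert(0, (salt, _hash(new_pw, salt)))
        acct.pw_set_at, acct.must_change = now, False
        return self._log(now, user_id, "PASSWORD_CHANGED", True)

    def unblock(self, admin_id, user_id, now):
        if admin_id not in self.admins:          # only the administrator can unblock
            return self._log(now, admin_id, "UNBLOCK_REFUSED_NOT_ADMIN", False)
        self.accounts[user_id].blocked, self.accounts[user_id].failed = False, 0
        return self._log(now, user_id, "USER_UNBLOCKED", True)

    def activity(self, user_id, now):
        # keyboard/mouse use; False once the inactivity timeout has ended the session
        last = self.sessions.get(user_id)
        if last is not None and now - last <= self.policy.inactivity_timeout:
            self.sessions[user_id] = now
            return True
        if self.sessions.pop(user_id, None) is not None:
            self._log(now, user_id, "AUTOMATIC_LOGOFF")
        return False

def run_scenario():
    # constructed walk-through; returns the outcomes and the logged event names
    svc = LogonService(Policy(max_failed_attempts=3, password_history=2), admins={"admin"})
    t0 = datetime(2007, 8, 1, 8, 0)
    svc.create_user("admin", "op1", "Init!2007", t0)
    out = [svc.logon("op1", "Init!2007", t0),                        # initial password: must change
           svc.change_password("op1", "Init!2007", "Init!2007", t0),  # reuse rejected
           svc.change_password("op1", "Init!2007", "New#Pass1", t0),
           svc.logon("op1", "New#Pass1", t0),
           svc.activity("op1", t0 + timedelta(minutes=5)),
           svc.activity("op1", t0 + timedelta(minutes=20))]           # automatic logoff
    out += [svc.logon("op1", "guess", t0) for _ in range(3)]          # third attempt blocks the user
    out += [svc.logon("op1", "New#Pass1", t0),                        # still blocked
            svc.unblock("op1", "op1", t0),                            # refused: not an administrator
            svc.unblock("admin", "op1", t0),
            svc.logon("op1", "New#Pass1", t0 + timedelta(days=91))]   # password aged out
    return {"outcomes": out, "events": [e for _, _, e in svc.events]}
```

`run_scenario()` walks one operator account through the controls in order; the `events` list it returns is the sequence an auditor would expect to find in the access-security log described in the second bullet above, and the `outcomes` list shows that a blocked account is refused even with the correct password until an administrator unblocks it.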


2.2 Technological solution for audit trail

Audit trails are particularly important in situations in which data is created, modified or deleted by user actions during normal operation.

If an electronic record is generated automatically and cannot be altered or deleted by the operator, an audit trail is unnecessary. These electronic recordings are saved by the applications of the WinCC system (with access security, for example).

The following sections describe how the SIMATIC WinCC system supports the implementation of the 21 CFR Part 11 requirements in regard to the audit trails during runtime operation. They also describe the resources provided by the system for tracing changes made in the engineering system.

Runtime operation

Process data
Process data (such as process values, process or operator messages) are stored without any option for the operator to change this data.

Changes in runtime operation
Using the option WinCC Audit, actions performed by the operator in the process visualization system during runtime are recorded in an audit trail.

Optionally, changes can be displayed in a simplified form in the WinCC Alarm Logging.

Figure 2 Display of audit trail in WinCC Audit


During configuration

Configuration
The WinCC/Audit option can record changes made in WinCC projects (such as logs, graphics, settings for user permissions, etc.) to support a formal change control procedure. The document control function of WinCC/Audit allows full check-in, check-out, deletion, rollback and recovery of application documents and user documents. A secure database retains copies of all configuration states of a document.

Configuration of user management
Changes in the user management (e.g. creating new users, blocking users etc.) are recorded by the Windows audit trail. The Windows event log must be configured accordingly for this purpose.

Figure 4 Archive configuration


2.3 Technological solution for archiving and retrieval

Continuous archiving
SIMATIC WinCC offers a configurable and scalable archiving concept. Messages and measured values are continuously stored in local WinCC archives. These locally stored data can be automatically transferred to long-term archives. A checksum is formed to prevent the manipulation of archived data. The archived data can be retrieved throughout the entire duration of the defined retention period. The call can be made within WinCC with standard functions or from standard interfaces or add-on packages (e.g. Connectivity Pack).

Batch-oriented archiving
The WinCC Premium add-on, PM-QUALITY, is used to perform batch-oriented data archiving. PM-QUALITY independently manages local archives and long-term archives. PM-QUALITY uses standard interfaces of WinCC to access WinCC data. They are also available in other archiving tools (from Siemens or third-party manufacturers).
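Sections 2.2 and 2.3 together describe the properties that the evaluation list later relies on under 11.10(a) detail 2 and 11.10(e): an audit record carries time stamp, user ID, old value, new value and comment; an earlier value stays available after a change instead of being overwritten; archived data carries a checksum so that manipulation is detected; and the trail can be exported (to CSV, among other formats) for review. The Python below is an added example, not WinCC/Audit, PM-QUALITY or any Siemens code, and it does not claim to reproduce how WinCC computes its checksum. The record layout, the use of a keyed SHA-256 chain as the checksum, the HMAC key and the sample setpoint changes are all constructed for illustration. Chaining each record's checksum into the next lets a reader of the exported file detect altered, removed, inserted or reordered records, and comparing the last checksum against the value stored with the archive also catches truncation at the end of the trail, which a per-record checksum alone would miss.

```python
import csv
import hashlib
import hmac
import io
from dataclasses import asdict, dataclass
from datetime import datetime

# Hypothetical audit-trail model; not WinCC/Audit code and not WinCC's checksum scheme.
FIELDS = ["seq", "timestamp", "user_id", "tag", "old_value", "new_value", "comment", "checksum"]

@dataclass(frozen=True)
class AuditRecord:
    seq: int
    timestamp: str
    user_id: str
    tag: str
    old_value: str
    new_value: str
    comment: str
    checksum: str   # keyed checksum over this record and the previous record's checksum

def _checksum(key, prev, fields):
    # chaining the previous checksum in makes every record depend on all earlier ones
    msg = "\x1f".join([prev, *map(str, fields)]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class AuditTrail:
    """Append-only: a change never overwrites the earlier value, it adds a record."""

    def __init__(self, key):
        self._key = key
        self._records = []
        self._current = {}   # latest value per tag, used to fill the old/new pair

    def record_change(self, ts, user_id, tag, new_value, comment):
        old_value = self._current.get(tag, "")
        prev = self._records[-1].checksum if self._records else "GENESIS"
        fields = (len(self._records) + 1, ts.isoformat(), user_id, tag, old_value, new_value, comment)
        rec = AuditRecord(*fields, _checksum(self._key, prev, fields))
        self._records.append(rec)
        self._current[tag] = new_value
        return rec

    def head(self):
        """Checksum of the last record; stored alongside the long-term archive."""
        return self._records[-1].checksum if self._records else "GENESIS"

    def export_csv(self):
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=FIELDS)
        writer.writeheader()
        for rec in self._records:
            writer.writerow(asdict(rec))
        return buf.getvalue()

def verify_export(exported, key, head):
    """Re-walk the chain of an exported/archived trail and report the first defect found."""
    prev, expected_seq = "GENESIS", 1
    for row in csv.DictReader(io.StringIO(exported)):
        if row["seq"] != str(expected_seq):
            return False, f"sequence break at seq {row['seq']}"
        fields = tuple(row[f] for f in FIELDS[:-1])
        if not hmac.compare_digest(row["checksum"], _checksum(key, prev, fields)):
            return False, f"record {row['seq']} altered"
        prev, expected_seq = row["checksum"], expected_seq + 1
    if not hmac.compare_digest(prev, head):
        return False, "trail truncated: last checksum does not match the archived head"
    return True, "ok"

def build_sample_trail(key):
    # constructed sample data: two setpoint changes on one tag by two operators
    trail = AuditTrail(key)
    trail.record_change(datetime(2007, 8, 1, 9, 0), "op1", "TIC101.SP", "72.5", "batch start")
    trail.record_change(datetime(2007, 8, 1, 9, 5), "op2", "TIC101.SP", "75.0", "per SOP 12")
    return trail

if __name__ == "__main__":
    key = b"constructed-demo-key"        # in practice the key lives outside the archive
    trail = build_sample_trail(key)
    exported = trail.export_csv()
    print(exported)
    print(verify_export(exported, key, trail.head()))
    print(verify_export(exported.replace("75.0", "70.0"), key, trail.head()))
```

The second record's `old_value` column still holds 72.5 after the change to 75.0, which is the behaviour asked about in 11.10(e) detail 2. The verification key and the archived head checksum must be kept apart from the export itself, otherwise whoever can edit the archive can also recompute the chain.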

2.4 Technological solution for electronic signatures

SIMATIC Logon provides an interface (API) for configuration of electronic signatures in WinCC.

The electronic signature is executed through the SIMATIC Logon dialog. A user ID and password are queried and verified for identification.

3. Evaluation list for SIMATIC WinCC V6.2

The following checklist for evaluating SIMATIC WinCC is taken from a document developed by the “GAMP Special Interest Group” [1].

The checklist for system assessment involves all requirements, not only those which can be fulfilled by technological solutions. Customers must introduce corresponding procedures in their company to satisfy certain requirements of the 21 CFR Part 11 regulations. The specifications of 21 CFR Part 11 always relate to the customer-specific application, which was implemented with WinCC. Consequently, the solutions then specified are valid only in conjunction with specific procedures and organizational measures.

[1] Good Practice and Compliance for Electronic Records and Signatures; Part 2 “Complying with 21 CFR Part 11, Electronic Records and Electronic Signatures”; ISPE and PDA 2002


3.1 Procedures and controls for closed systems

If system access is controlled by persons who are responsible for the content of the electronic records, the system is defined as “closed” and must be assessed against the requirements of this section.

Each entry gives the paragraph / detail of 21 CFR Part 11, the question / requirement, and the comments on SIMATIC WinCC V6.2.

11.10(a) detail 1
Question / Requirement: Is the system validated?
Comments: The customer is responsible for the validation of the applications or system. The validation should follow an established system life cycle (SLC) methodology, e.g. as described in GAMP 4 [1]. SIMATIC WinCC has been developed according to Siemens’ Quality Management system (ISO 9001:2000 certified). The validation of the application can be supported by Siemens during projects.

11.10(a) detail 2
Question / Requirement: Is it possible to discern invalid or altered records?
Comments: Yes. An entry can be generated in the audit trail for any operator action (if, for example, the operator changes setpoints / alarm thresholds / the monitoring mode or acknowledges alarms). All relevant changes are recorded including time stamp, user ID, old value, new value and comment. Unauthorized changes are prevented by the system through access security. Archived records are protected with a checksum mechanism to detect any unauthorized changes. Changes within the configuration of WinCC can be tracked using WinCC/Audit.

11.10(b) detail 1
Question / Requirement: Is the system capable of producing accurate and complete copies of electronic records on paper?
Comments: Yes. WinCC provides complete printouts of process values, messages and audit trails.

11.10(b) detail 2
Question / Requirement: Is the system capable of producing accurate and complete copies of records in electronic form for inspection, review and copying by the FDA?
Comments: Yes. Process values, messages and audit trails can be exported in electronic form and can be viewed with WinCC or the option DataMonitor. The WinCC/Audit option allows export of the audit trail to Microsoft Excel, PDF format or CSV files.

[1] GAMP Guide for Validation of Automated Systems


11.10(c)
Question / Requirement: Are the records readily retrievable throughout their retention period?
Comments: Yes. Records can be archived in a readable format, on CD or DVD. We assume that these devices and formats will be readable in the future. The archived records can be viewed either using the tool DataMonitor or by restoring the records to WinCC. In addition, the customer should specify retention periods and also define procedures for archiving, backup and retrieval for electronic records.

11.10(d)
Question / Requirement: Is system access limited to authorized individuals?
Comments: Yes. By implementing SIMATIC Logon, all options for user management from Windows are provided (see section 2, Solution for access security). The customer should ensure that only persons who have a legitimate business requirement to use the system are allowed physical access to the system (e.g. server, system console). Since this requirement is virtually the same as 11.10(g), it is generally interpreted to refer to both physical access and logical access.

11.10(e) detail 1
Question / Requirement: Is there a secure, computer-generated, time-stamped audit trail that records the date and time of operator entries and actions that create, modify, or delete electronic records?
Comments: Yes. The audit trail is secure within the system and cannot be changed by a user. Changes during production can be traced back by the system itself and contain information with time stamp, user ID, old and new value and comment.

11.10(e) detail 2
Question / Requirement: If a change is made to electronic data, is previously recorded information still available (or is it, for example, obscured by the change)?
Comments: Yes. Recorded information is still available within the database.


11.10(e) detail 3
Question / Requirement: Is an electronic record’s audit trail retrievable throughout the record’s entire retention period?
Comments: Yes. The audit trail can be made available during the entire retention period (see section 11.10(c)).

11.10(e) detail 4
Question / Requirement: Is the audit trail available for review and copying by the FDA?
Comments: Yes. The option WinCC/Audit allows export of the audit trail to Microsoft Excel, PDF format or CSV files. If the audit trail is recorded in the Alarm Logging, it can be exported in PDF or CSV format.

11.10(f)
Question / Requirement: If the sequence of system steps or events is important, is this also taken into account by the system (e.g. as would be the case in a process control system)?
Comments: Yes. A specific sequence of operator actions can be included based on the configuration of the application.

11.10(g)
Question / Requirement: Does the system ensure that only authorized individuals can use the system, electronically sign records, access the operation or the computer system’s input or output devices, alter a record, or perform other operations?
Comments: Yes. SIMATIC Logon is layered on MS Windows security. A user ID and password are used. Centralized user management is used in this regard for managing users and user groups. In addition, the customer should define how access within WinCC Runtime is limited to authorized individuals only (e.g. who has access to specific objects or functions), including the special rights for administrators.

11.10(h)
Question / Requirement: If it is a requirement of the system that input data or instructions can only come from certain input devices (e.g. terminals), does the system check the validity of the source of any data or instructions received? (Note: This applies where data or instructions can come from more than one device, and the system must therefore verify the integrity of its source, such as a network of weigh scales, or remote, radio-controlled terminals.)
Comments: Yes. The WinCC workstations can be configured so that special input of data / commands can only be performed from a dedicated workstation or from a group of workstations. All other workstations then have only read-access rights at the most. The system performs validation checks because the stations must be connected within the system.


11.10(i)
Question / Requirement: Is there documented training, including on-the-job training for system users, developers, IT support staff?
Comments: Yes. Siemens offers either standard training courses or training related to customer projects which must be planned and executed separately. The customer is responsible for planning and performing these courses.

11.10(j)
Question / Requirement: Is there a written policy that holds individuals fully accountable and responsible for actions initiated under their electronic signatures?
Comments: The customer is responsible for providing procedural controls.

11.10(k) detail 1
Question / Requirement: Is the distribution of, access to, and use of system operation and maintenance documentation controlled?
Comments: The customer is responsible for providing procedural controls.

11.10(k) detail 2
Question / Requirement: Is there a formal change control procedure for the system documentation, which stores an audit trail in a time sequence for changes made by the pharmaceutical organization?
Comments: The customer is responsible for providing procedural controls.

3.2 Additional procedures and controls for open systems

If system access is NOT controlled by persons who are responsible for the content of the electronic records, the system is defined as “open” and must in addition be assessed against the requirements of this section. SIMATIC WinCC can be operated in both a closed and an open environment. Additional requirements must be met in the implementation for open systems.

11.30 detail 1
Question / Requirement: Is data encrypted?
Comments: In open systems, standard tools are available in the market to encrypt records / reports in order to secure the “open path”.

11.30 detail 2
Question / Requirement: Are digital signatures used?
Comments: WinCC does not provide digital signature functionality. Standard tools are available in the market to enable digital signing of the records (e.g. for PDF files).


3.3 Signed electronic records

11.50 detail 1
Question / Requirement: Do signed electronic records contain the following information? a) Printed name of the signer; b) Date and time of signing; c) Meaning of the signature (such as approval, review, responsibility)
Comments: Yes. Signed electronic records include the following information: a) Printed name or user ID of the signer; b) Date and time of signing; c) The meaning of the signature

11.50 detail 2
Question / Requirement: Is the information mentioned above shown on displayed and printed copies of the electronic record?
Comments: Yes. The above-mentioned information can be printed and displayed as part of the electronic record.

11.70
Question / Requirement: Are signatures linked to their respective electronic records to ensure that they cannot be cut, copied, or otherwise transferred to other records for the purpose of falsification?
Comments: Yes. As soon as an electronic record is signed, it is saved to the WinCC database. This record cannot be cut, copied, changed or deleted. External access to the database is password-protected. In addition, it is recommended to restrict access to the database using Windows security features.


3.4 Electronic signatures (general)

11.100(a) detail 1
Question / Requirement: Are electronic signatures unique to an individual?
Comments: Yes. The electronic signature uses the ID and the password of the user. The uniqueness of the user ID is ensured by the MS Windows security system. It is not possible to define two users with the same user ID within a workgroup / domain. In addition, the customer must ensure the uniqueness of the electronic signature to an individual.

11.100(a) detail 2
Question / Requirement: Are electronic signatures ever reused by or reassigned to anyone else?
Comments: The customer has to ensure and is responsible that a user ID is assigned to one person only.

11.100(b)
Question / Requirement: Is the identity of an individual verified before an electronic signature is allocated?
Comments: This is the responsibility of the customer. He must provide organizational measures.


3.4.1 Electronic signatures (non-biometric)

11.200(a)(1)(i)
Question / Requirement: Is the signature made up of at least two components, such as an identification code and password, or a smart card and password?
Comments: Yes. SIMATIC Logon identifies the person with two distinct components: a user ID and password or a smart card and password.

11.200(a)(1)(ii)
Question / Requirement: When several signatures are made during a continuous session, is the password entered for each signature? (Note: both components must be provided at the beginning of the session)
Comments: Yes. Each signature requires at least two components (user ID and password).

11.200(a)(1)(iii)
Question / Requirement: If signatures are not entered in a continuous session, are both components of the electronic signature executed for each signature?
Comments: Yes. Each signature requires at least two components (user ID and password).

11.200(a)(2)
Question / Requirement: Can non-biometric electronic signatures only be used by their real owner?
Comments: The customer is responsible for providing procedural controls that prevent passwords from becoming known.

11.200(a)(3)
Question / Requirement: Would an attempt to falsify an electronic signature require the collaboration of at least two individuals?
Comments: Yes. It is not possible to falsify an electronic signature during signing and after the system has written it into a record. The administrator cannot misuse the signature, although he configures the user ID and initial password, because the user is forced to change his password at the first logon. Unauthorized use of user IDs / passwords (failed logon attempt) is detected immediately and recorded. The customer also requires a procedural control that prevents passwords from becoming known.


3.4.2 Electronic signatures (biometric)

11.200(b)
Question / Requirement: Can biometric electronic signatures be used only by their real owner?
Comments: Tools from third-party manufacturers can be used to create biometric electronic signatures. The integrity of such a solution should be specifically assessed.

3.5 Controls for user IDs and passwords

If smart cards, tokens or other devices containing or generating identification code or password information are used on this automated system for electronic signatures, then the system must be assessed against the requirements in this section.

11.300(a)
Question / Requirement: Are controls in place to maintain the uniqueness of each identification code and password combination which ensures that no other individual can have the same combination of identification code and password?
Comments: See 11.100(a).

11.300(b) detail 1
Question / Requirement: Are procedures in place to ensure that the validity of user IDs is periodically checked?
Comments: The customer is responsible for providing procedural controls.

11.300(b) detail 2
Question / Requirement: Do passwords periodically expire and need to be revised?
Comments: Yes. A password expires after a specified number of days and cannot be reused for a specified number of generations according to MS Windows security parameters. Password aging does not influence the previous use (records, signatures).


11.300(b) detail 3
Question / Requirement: Is there a procedure for canceling identification codes and passwords if a person leaves the company or is transferred?
Comments: Customers are responsible for providing procedural controls. The user accounts can be disabled using the MS Windows security system.

11.300(c)
Question / Requirement: Is there a procedure for electronically changing a user ID or password if it is potentially compromised or lost?
Comments: The customer is responsible for providing procedural controls. The user accounts can be changed using the MS Windows security system. The user can change his password at any time using SIMATIC Logon.

11.300(d) detail 1
Question / Requirement: Is there a procedure for detecting attempts at unauthorized use and for informing the security system?
Comments: Unauthorized attempts are logged within the MS Windows security log. The user account is blocked after a specified number of unauthorized attempts. In addition, the customer is responsible for providing appropriate organizational measures.

11.300(d) detail 2
Question / Requirement: Is there a procedure for reporting repeated or serious attempts at unauthorized use to the administrator?
Comments: The customer is responsible for providing appropriate organizational measures.

11.300(e) detail 1
Question / Requirement: Is there initial and periodic testing of tokens and cards?
Comments: The customer is responsible for providing appropriate organizational measures.

11.300(e) detail 2
Question / Requirement: Does this test check that there have been no unauthorized alterations?
Comments: The customer is responsible for providing appropriate organizational measures.


Abbreviations:

API Application Programming Interface
CD Compact Disk
CFR Code of Federal Regulations
CoP Community of Practice
CSV Comma Separated Values
DVD Digital Versatile Disc
FDA Food and Drug Administration
GAMP Good Automated Manufacturing Practice
GMP Good Manufacturing Practice
ID Identification
ISPE International Society for Pharmaceutical Engineering
ISO International Standards Organization
PDA Parenteral Drug Association
SCADA Supervisory Control and Data Acquisition
SLC System Life Cycle


PUBLICIS

Siemens AG
Automation and Drives Group
Competence Center Pharmaceutical Industry
Siemensallee 84
D-76187 KARLSRUHE
GERMANY

www.siemens.com/pharma

The information provided in this brochure contains merely general descriptions or characteristics of performance which in case of actual use do not always apply as described or which may change as a result of further development of the products. An obligation to provide the respective characteristics shall only exist if expressly agreed in the terms of contract.

All product designations may be trademarks or product names of Siemens AG or supplier companies whose use by third parties for their own purposes could violate the rights of the owners.

SIMATIC® is a registered trademark of Siemens. Other designations used in this publication may be trademarks whose use by third parties for their own purposes could violate the rights of the owners.

More information:

www.siemens.com/pharma

E-mail: [email protected]

Fax: +49 7 21 5 95-63 90

Subject to change without notice 08/07 | E20001-A730-P200-X-7600 | 49RZ525 MK.AS.CP.XXXX.52.5.01 DS 0807.4 | Printed in Germany | © Siemens AG 2007