Page 1: Electronic Records and Signatures GxP Transactions

Electronic Records and Electronic Signatures in SAP ERP

SAP AG

© SAP AG 2007

21 CFR Part 11

FDA-Compliance and validation trends

Requirements of 21 CFR Part 11 and realization in SAP ERP

E-Records and E-Signatures in SAP ERP

FDA-Compliance & Validation Trends

Draft Guidance for industry entitled “Part 11, Electronic Records; Electronic Signatures – Scope and Application” published in February 2003

• FDA intends to re-examine Part 11 and may propose revisions to that regulation
• FDA intends to interpret the scope of Part 11 narrowly
• FDA intends to exercise enforcement discretion with respect to certain Part 11 requirements
• FDA will not normally take regulatory action to enforce compliance with the validation, audit trail, record retention and record copying requirements of Part 11
• FDA intends to exercise enforcement discretion with regard to systems that were operational before the effective date of Part 11

FDA-Compliance & Validation Trends

Draft Guidance for industry entitled “Part 11, Electronic Records; Electronic Signatures – Scope and Application” published in February 2003

Expectation of FDA:
• Records must still be maintained or submitted in accordance with the underlying predicate rules
• Enforcement of predicate rule requirements for records that remain subject to Part 11 and enforce all other provisions of Part 11
• Regulated industry will continue to be responsible for maintaining and submitting secure and reliable records under predicate rules and for meeting all other predicate rule requirements

FDA-Compliance & Validation Trends

[Figure: bar chart, percentage (0 to 100 %) of “electronic issues” and “others”, 1999 (warning letter) compared with 2001 (483 observation)]

Increase of Part 11 issues by factor 10: comparison of the years 1999 and 2001

Assumption: same percentage of issue categories, regardless of the type of document issued by FDA

Consent decree, Warning letter, 483 observation

Source: Bio Quality, July 2001

Source: FDA warning letter 1999: “classical” pharmaceutical companies – GMP deviations concerning validation and qualification, compiled of 72 warning letters, divided into 6 categories, pharm. ind. 7 (2000)

21 CFR Part 11 Background

21 CFR Part 11 - Electronic Records; Electronic Signatures; Final Rule
• Proposed rule - Aug. 31, 1994
• Comment period closed Nov. 29, 1994
• Final regulation published Mar. 20, 1997
• Effective Aug. 20, 1997

Many SAP customers took a “wait and see” approach regarding FDA interpretation and enforcement.

February 2003: FDA is embarking on a re-examination of Part 11 as it applies to all regulated products

Key Requirements Part 11 – Electronic Records

§11.10b The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency

§11.10e Use of secure, computer-generated, time-stamped audit trails to independently record
• The user-ID
• Date/time stamp of operator entries and actions when the record was created, modified, or deleted
• The transaction type (insert/delete/modify) associated with the transaction
• Record changes shall not obscure previously recorded information.
• New value and old value after record changes

Audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.

Part 11 - Electronic Records: Consequence for SAP ERP

Consequence of §11.10 for electronic records
• Complete audit-trail for all GMP-relevant master data and transactions in SAP ERP
• The requirements of Part 11 are applicable to all GMP-relevant fields that can be changed within a transaction by users

[Diagram labels: SAP ERP business processes; GMP-relevant?; GMP-relevant SAP ERP business processes and transactions; Analysis of validation]

Key Requirements Part 11 – Electronic Signature

§11.50a Signed electronic records shall contain information associated with the signing that clearly indicates all of the following:
• The printed name of the signer
• The date and time stamp (local time!) when the signature was executed, including the date and time local to the signer when multiple time zones are involved (see comment 101 in the preamble of Part 11 Rule)
• The meaning associated with the signature (such as review, approval, responsibility, or authorship)

ERP Signature manifestations
• Meaning of the signature
• Including the date and global, local time when the signature was executed

§11.200a Electronic signatures that are not based on biometrics shall:
• Employ at least two distinct identification components such as an identification code and password
• Be used only by their genuine owners

Key Requirements Part 11 – Electronic Signature

§11.300d Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts of their unauthorized use to the system security unit, and as appropriate, organizational management

ERP Controls for identification codes/passwords
• User locking in case of too many failed attempts (configurable)
• Electronic record of failed attempts in the ERP Security Audit Log
• Express mail sent to security admin. distribution list (active)
• Alerts visible in the System Alert Monitor (passive)

Electronic/Digital Signature – 21 CFR Part 11

Part 11 regulates only the regulatory framework for e-records/signatures

Scope of Part 11 is determined by GxP (predicate rule)

What SAP ERP functionality could be regulated?
• HR Human Resources (for example, training information)
• MM Materials Management
• WM Warehouse Management
• PM Plant Maintenance
• PP/PP-PI Production Planning / for Process Industries
• QM Quality Management
• SD Sales and Distribution
• CA Classification, Document Management, ECM, …

SAP/FDA CGMP Functionality Matrix For Finished Pharmaceuticals

SAP/FDA CGMP Functionality Matrix For Medical Devices

Electronic Records

The FDA defines an electronic record as “any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.” Applying this comprehensive definition to SAP ERP, there are various types of electronic records, such as:

Configuration within the Implementation Guide (IMG)

Electronic or digital signatures

Transports and business configuration sets used to migrate configuration from one system to another

Master data such as the material master, vendor, resource, recipe, and customer

Business processing objects such as purchase orders, process orders, and inspection lots

Business process or transaction execution electronic records such as material documents

Electronic Records – Audit Trails

Other electronic record types maintain change and deletion (e.g. audit trail) information for the SAP ERP objects mentioned above. These include:

• Change master record (Engineering Change Management)
• Change document objects
• Table logging

Document

Pos.  Material  Quantity
10    80000311  1100.0
20    80000620  100.2
30    80000636  110.3
40    80000639  50.0
50    80000711  10

Change (each entry records User ID, Object ID, Date/time, Transaction)

1) 20 80000620 100.2
2) old value = 100.2, new value = 99.1

Electronic Records – Example

Electronic/Digital Signature - 21 CFR Part 11

21 CFR Part 11 - Definitions

Electronic signature

“Electronic signature means a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent to the individual’s handwritten signature”

Digital signature

“Digital signature means an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified”

Digital Signature – User-ID/Password

[Diagram: within the SAP ERP System, a document (the Pos. / Material / Quantity table) goes through the steps Check authorization, Signing, Store. The signing dialog has the fields User (Scholl), Password (*******) and Comment. Labels: “User ID / Login password”; “Document, user info, local time stamp”.]

Digital Signature

[Diagram: a document (the Pos. / Material / Quantity table) goes through the steps Check authorization, Signing, Store. The signing dialog has the fields User (Scholl), Password (*******) and Comment. Labels: “Security product”; “Private”; “J. Scholl 1200”.]

Signature Types in SAP ERP

System signature with authorization by user ID and password
• First shipment with release 4.6C
• Usage of PKCS#7 standard, encryption executed by 128 bit
• No external security product necessary. When logging on to system, users identify themselves by entering their user IDs and passwords. The SAP system then executes the digital signature. The user name and ID are part of the signed document.
• Public key infrastructure can be administered by customers themselves
• Sufficient according to Part 11 for digital signature

Digital user signature with verification
• First shipment with release 4.0B (1998)
• External security (third party) product necessary. Users execute digital signatures themselves using their private keys. The executed signatures are automatically verified.
• Crypto hardware, for example, smart card, must support the PKCS#7 standard data format. This mechanism is based on secure store and forward mechanism (interface BC-SSF).
• New: SAP Trust Center Service: X.509, no accredited signature according to EU signature legislation
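The system-signature flow described above (check authorization, sign, store), as an added example that is not SAP code and not part of the original deck: the system signs on the user's behalf only after both identification components check out, and the printed name, the meaning and the global and local time sit inside the signed payload. HMAC-SHA256 with an in-memory key stands in for the PKCS#7 signature; the function names, the password and the timestamp are constructed.

```python
import copy
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta, timezone

SYSTEM_KEY = secrets.token_bytes(32)   # stand-in for the system's signing key
USERS = {}                             # user_id -> identity record (constructed)


def _password_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(user_id, printed_name, password, utc_offset_hours):
    salt = secrets.token_bytes(16)
    USERS[user_id] = {"name": printed_name, "salt": salt,
                      "pw": _password_hash(password, salt),
                      "tz": timezone(timedelta(hours=utc_offset_hours))}


def _payload(document, manifest):
    # Canonical bytes covering the document AND the signature manifestation,
    # so neither can be altered without invalidating the signature.
    return json.dumps({"document": document, "manifest": manifest},
                      sort_keys=True, separators=(",", ":")).encode()


def sign(document, user_id, password, meaning, now_utc):
    """Check authorization, then sign; the caller stores the returned record."""
    user = USERS.get(user_id)
    salt = user["salt"] if user else b"\0" * 16
    supplied = _password_hash(password, salt)
    # Two distinct identification components: user ID and password.
    if user is None or not hmac.compare_digest(supplied, user["pw"]):
        raise PermissionError("identification failed, nothing was signed")
    manifest = {
        "user_id": user_id,
        "printed_name": user["name"],
        "meaning": meaning,
        "signed_at_utc": now_utc.isoformat(),
        "signed_at_local": now_utc.astimezone(user["tz"]).isoformat(),
    }
    document = copy.deepcopy(document)
    tag = hmac.new(SYSTEM_KEY, _payload(document, manifest), hashlib.sha256)
    return {"document": document, "manifest": manifest,
            "signature": tag.hexdigest()}


def verify(record):
    expected = hmac.new(SYSTEM_KEY,
                        _payload(record["document"], record["manifest"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["signature"])


def demo():
    register("SCHOLL", "J. Scholl", "constructed-password", utc_offset_hours=1)
    doc = [{"pos": 10, "material": "80000311", "quantity": 1100.0},
           {"pos": 20, "material": "80000620", "quantity": 100.2}]
    signed = sign(doc, "SCHOLL", "constructed-password", "approval",
                  datetime(2007, 1, 15, 9, 0, tzinfo=timezone.utc))
    tampered = copy.deepcopy(signed)
    tampered["document"][1]["quantity"] = 99.1       # edit after signing
    relabelled = copy.deepcopy(signed)
    relabelled["manifest"]["meaning"] = "review"     # change the meaning only
    return signed, tampered, relabelled


if __name__ == "__main__":
    for name, rec in zip(("signed", "tampered", "relabelled"), demo()):
        print(name, "verifies:", verify(rec))
```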

Encryption Methods

PKCS#7 (Cryptographic Message Syntax Standard)
• Standard data format generating signed and/or encrypted documents
• Description of a general syntax for data using cryptographic methods

X.509 Standard
• SSF standard “public key” (Secure Store and Forward)
• Standardized data format for certificates, basis for SSL (Secure Sockets Layer)
• For more information: SAP Service Marketplace alias “security”

Signature Strategy

[Diagram: a document (the Pos. / Material / Quantity table) with three “Sign:” fields and a “Comment:” field]

Digital Signatures in SAP ERP already implemented

[Diagram: “Digital signature”, with the following processes]
• PI sheet: event log
• PI sheet: complete process step
• PI sheet: accept invalid input values
• ECM: status changes of ECOs
• ECM: status changes of object management records
• Document management: status changes
• EBR – electronic batch record approval

Digital Signatures in SAP ERP already implemented

[Diagram: “Digital signature”, with the following processes]
• Learning solution 200: proof of course participation
• mySAP Public Sector: digitally signing web requests
• mySAP Healthcare: material requisition/Goods issue
• Physical-sample drawing
• Inspection lot: results recording
• Inspection lot: usage decision
• EBR – electronic batch record approval

Digital Signatures in SAP ERP

New: e-signature in learning solution 200
• For the learner as proof of course participation
• Integrated at the point where a learner finishes a course and sets it to complete

New: e-signature in event log of the PI sheet

Logging for
• Value entry
• Activation/deactivation of process steps
• Locking/canceling/completion of process steps and process instructions
• Further events can be implemented as a customer project

Digital Signatures in SAP ERP

Generic signature tool
• Further modularization of the e-signature
• Easier implementation of e-signature in new processes
• Creation of a uniform flexible programming interface. Tool can be integrated into any business areas either in SAP ERP or in other systems, such as APO or CRM
• 6.20 application basis necessary

Preview: Enhanced functionality of Digital Signatures in SAP ERP

Preview: Enhanced functionality of Digital Signatures in SAP ERP - With display of documents

Preview: Enhanced functionality of Digital Signatures in SAP ERP - With selection of a remark

Preview: Enhanced functionality of Digital Signatures in SAP ERP – verify signature

Digital Signatures in SAP ERP – event log PI-Sheet

Starting Point for Fulfillment of 21 CFR Part 11 E-Records Requirements

Most of the 21 CFR Part 11-relevant ERP transactions have audit trail functionality
• Not all audit trails are complete, that is, not all of them include every table field change
• Current approach in customer projects: activation of further data elements in ABAP Dictionary for change document creation – dictionary modifications!

Audit trail functionality does not exist in transactions
• PM – Transactions for maintenance planning
• PP-PI – Maintenance of resource hierarchies
• QM – Maintenance of basic data (catalog data, inspection stages, dynamic modification rules etc.)
• SD – …

No logging for long text functionality in SAP ERP!

Required Enhancements in ERP for Fulfillment of 21 CFR Part 11 on Electronic Records

A result of a risk analysis of a business process in a customer project on release 4.x demonstrated:

In 24 transactions, complete tables had to be activated for logging because changes to long texts had not been logged for these tables.

In defined GxP-relevant transactions, all data elements had to be activated for creation of change documents.

Until now, these settings meant modifying the ABAP Dictionary, which was also very time-consuming!

Focus of Part 11 Enhancement for Electronic Records

Development focus
• Enhancements of reporting for audit trail logs
• Enhancements of audit trail creation

Focus of 21 CFR Part 11

• Electronic signature: interactive process, front-end based
• Electronic records: automatic process, back-end based

FDA 21 CFR Part 11

§11.10b The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review and copying by the agency.

§11.10e Use of secure, computer-generated, time-stamped audit-trails
• The user-ID
• Date/time stamp of operator entries when the record was created, modified or deleted
• The transaction type (insert/delete/modify) associated with the transaction
• New value and old value after record changes

Logging

Consequences from §11.10 on electronic records
• Complete audit-trail for all GMP-relevant master data and transactions in R/3
• All fields that can be changed by a user must become part of electronic record
• Better to activate change record logging on a table level than on field level

Technical Environment – Logging in SAP ERP

Logging at DB interface: table logging
• Focus on table
• Logging is automatically “SAVED” check at DBI (table logging - yes/no?)
• Whole set of data is written to the log table (DBTABLOG)

Logging at level of application server: change documents
• In change document objects (CDO) tables for logging are grouped together
• Implementation of CDOs in applications
• Focus on fields/data elements
• Marked fields are written to the log table (CDPOS/CDHDR)
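The two logging levels on this slide, modelled side by side as an added example (not SAP code and not part of the original deck). Only the names DBTABLOG, CDHDR and CDPOS come from the slide; the table DOC_ITEM, the transaction codes, the user MILLER and the remark field are constructed, and keeping a before and an after image in each table-log entry is a simplifying assumption. `audit_gaps` lists field changes that table logging captured but the change documents missed, which is the completeness question §11.10e raises.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class TableLogEntry:              # table logging: whole row, DBTABLOG-style
    user_id: str
    timestamp: datetime
    tcode: str
    operation: str                # insert / modify
    key: str
    before: Optional[dict]        # assumption: keep both images per entry
    after: dict


@dataclass(frozen=True)
class ChangeHeader:               # change document header, CDHDR-style
    change_no: int
    object_id: str
    user_id: str
    timestamp: datetime
    tcode: str


@dataclass(frozen=True)
class ChangeItem:                 # one marked field that changed, CDPOS-style
    change_no: int
    field_name: str
    old_value: object
    new_value: object


class AuditedTable:
    def __init__(self, name, marked_fields, table_logging):
        self.name, self.table_logging = name, table_logging
        self.marked_fields = frozenset(marked_fields)
        self.rows, self.table_log = {}, []
        self.headers, self.items = [], []

    def save(self, key, new_row, user_id, tcode, when):
        old = self.rows.get(key)
        if self.table_logging:    # DB interface level: complete data set
            op = "insert" if old is None else "modify"
            self.table_log.append(TableLogEntry(
                user_id, when, tcode, op, key,
                dict(old) if old is not None else None, dict(new_row)))
        # Application level: only marked fields whose value changed
        changed = [f for f in sorted(self.marked_fields)
                   if (old or {}).get(f) != new_row.get(f)]
        if changed:
            no = len(self.headers) + 1
            self.headers.append(ChangeHeader(
                no, f"{self.name}/{key}", user_id, when, tcode))
            self.items += [ChangeItem(no, f, (old or {}).get(f), new_row.get(f))
                           for f in changed]
        self.rows[key] = dict(new_row)   # logs only grow; the row is replaced


def audit_gaps(table):
    """Field changes present in the table log but absent from change documents."""
    stamp = {h.change_no: (h.object_id, h.timestamp) for h in table.headers}
    covered = {stamp[i.change_no] + (i.field_name,) for i in table.items}
    gaps = []
    for e in table.table_log:
        if e.operation != "modify":
            continue
        for f, new in e.after.items():
            ref = (f"{table.name}/{e.key}", e.timestamp, f)
            if e.before.get(f) != new and ref not in covered:
                gaps.append((e.key, f, e.before.get(f), new))
    return gaps


def demo():
    t0 = datetime(2007, 1, 15, 9, 0, tzinfo=timezone.utc)    # constructed
    tab = AuditedTable("DOC_ITEM", {"quantity"}, table_logging=True)
    row = {"material": "80000620", "quantity": 100.2, "remark": ""}
    tab.save("20", row, "SCHOLL", "ZDOC1", t0)
    tab.save("20", {**row, "quantity": 99.1}, "SCHOLL", "ZDOC2",
             t0 + timedelta(hours=1))
    tab.save("20", {**row, "quantity": 99.1, "remark": "re-weighed"},
             "MILLER", "ZDOC2", t0 + timedelta(hours=2))
    return tab


if __name__ == "__main__":
    for gap in audit_gaps(demo()):
        print("not in change documents:", gap)
```

The quantity change (100.2 to 99.1) appears in both logs; the remark change appears only in the table log because that field was not marked for change documents.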

Part 11 Enhancement on Electronic Records

Customizing tool to configure audit trails
• You can activate additional fields for audit trail completion (activation of change documents for data elements)
• You can activate tables for audit trail creation for ERP transactions where audit trails are missing (table logging)
• Flexible, free of modifications
• Included as part of core in SAP ERP
• Convenient selection via Transaction, Table, Change document object, Data element
• Log table entries for tables and data elements activated by the customizing tool will be written
• Support of support packages
• Support of SAP ERP release upgrades

Data Search in SAP ERP – E-Records

Electronic records

Search via standard:
• For evaluation, you need to access the actual transaction, for example, base quantity: master data planning recipe reporting recipe change document objects
• Some data changes that are implemented within transactions are not registered, for example, change of charge quantity range, which can be solved easily by the audit trail tool

Search via audit trail tool
• At the moment, a convenient evaluation in the production system using the audit trail tool is possible.
• In addition, a convenient evaluation for longtexts in archive is possible via transaction SARA and SARI (archive development kit)

Solution Tools – Reporting Tool Transaction AUT10

Long Texts in Part 11 Enhancement Tool

Evaluation of long texts
• The user has the option of enhancing data for certain applications by entering additional comments or explanations, known as long texts (for example, comments for quality notifications, creation of batches…)

Architecture – Archiving of Longtexts – Enhancement of Audit Trail Tool

[Diagram labels: Longtexts; Archiving object; Archive; Archive Information System; Longtext]

Configuration for Logging – Transaction AUT01

Evaluation of Digital Signatures – Transaction DSAL

Shipment Strategy

General availability of SAP PH-ELR
• As part of SAP ERP
• Rel. 4.6C: shipment as add-on
• Since May 1, 2001 the enhancement has been available free of charge as add-on SAP PH-ELR for pharma customers on release 4.6C.
• Download of PH-ELR component from SAP Service Marketplace
• Only for customers with FDA requirements (pharmaceutical and medical device industries) master code 11

Available documentation
• Product documentation (German and English)
• Assessment documents on 21 CFR Part 11-critical transactions with Change Document Objects and DB tables
• 21 CFR Part 11 white paper with SAP’s position

Download of Part 11 Enhancement via Service Marketplace

http://service.sap.com/pharmaceuticals/Reg. Manufacturing

Download page consists of the following:
• 3 documentation files
  • White paper
  • “How-to” guide
  • SAP FDA GxP transactions
• Part 11 enhancement in .SAR (compressed) format

Thank you very much for listening!

Questions?

Copyright 2007 SAP AG. All Rights Reserved

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
