Professional Documents
Culture Documents
Validation of SAP R/3 in Compliance With Part 11 Requirements
Validation of SAP R/3 in Compliance With Part 11 Requirements
Part 11 Requirements
George Serafin
SAP Pharmaceutical Industry Business Unit
Agenda
1 Key Considerations
2 Validation Strategy
SAP AG 2002, IVT ER/ES Conference, April 24, 2002, George Serafin 2
How Does SAP Collaborate With The FDA?
Industry Groups
•Parenteral Drug Association (PDA)
•Industry Advisory Board
•Technical Report 32
•Subscribing member of Audit Repository Center (ARC)
(Audited June, 2001)
•Part 11 Task Force
Close relationship with National and Regional User Groups:
ASUG – America’s SAP User Group
JSUG - Japanese Pharma User Group
MSUG - Multinational SAP User Group
PISUG - Process Industry User Group
PVG – Pharma Validation Group
VCI - Verband der Chemischen Industrie - German Chemical Association
Validation / Part 11
Regulated Manufacturing
Co-Products
EH&S
Planning and Costing
SAP AG 2002, IVT ER/ES Conference, April 24, 2002, George Serafin 4
Why Can’t SAP Provide a “Validated” Version?
SAP AG 2002, IVT ER/ES Conference, April 24, 2002, George Serafin 5
Validation Strategy - System Landscape
Configuration DATA
Verification Training
IDOC Backup
SAP AG 2002, IVT ER/ES Conference, April 24, 2002, George Serafin 6
Suggested SAP Quality Assurance Documentation
http://service.sap.com/
www.auditcenter.com
SAP AG 2002, IVT ER/ES Conference, April 24, 2002, George Serafin 7
Validation Scope - Old Paradigm for Stand-alone Systems
Old Paradigm
SAP AG 2002, IVT ER/ES Conference, April 24, 2002, George Serafin 8
New Paradigm for Integrated Systems
New Paradigm
SAP AG 2002, IVT ER/ES Conference, April 24, 2002, George Serafin 9
SAP Strategic Approach to Manufacturing Execution
Functional Model
Supply Chain Execution
PI-Sheet (PI-Sets)
SAP Standard Interfaces
Weigh
Middleware
Partner Independent
System
Process Control
SAP AG 2002, IVT ER/ES Conference, April 24, 2002, George Serafin 10
SAP R/3 Enterprise
SAP R/3
Enterprise
Core
The name of the next version of SAP R/3 is SAP R/3 Enterprise
This will be available to all SAP Customers as part of maintenance
SAP AG 2002, IVT ER/ES Conference, April 24, 2002, George Serafin 11
Industry Trends – Key Trends for SAP
• Enterprise LIMS
Intellectual Flow
• Problem Reporting / CAPA
Research &
• PLM for Enterprise DMS Development
SAP AG 2002, IVT ER/ES Conference, April 24, 2002, George Serafin 13
21 CFR Part 11 Compliance Rollout in 2001
European Pilot - Janssen Cilag (Switzerland)
PISUG (Scottsdale, AZ)
U.S. Pilot - Roche Diagnostics (Branchburg, NJ)
Part 11 Enhancement Workshop - SAP America (NSQ)
Part 11 Workshop for U.S. Customers (NSQ)
SAPPHIRE Lisbon (Lisbon, Portugal)
SAPPHIRE Orlando (Orlando, Florida)
Part 11 Enhancement Workshop for European Affiliates (Walldorf)
Part 11 Workshop for European Customers (Walldorf)
PDA Audit of Part 11 Development (Walldorf)
Part 11 Workshop Hosted by SAP Denmark
PVG Part 11 Assessment (Walldorf)
http://service.sap.com/pharmaceuticals
Part 11 Web Page
Accessed By 160+ Users
Representing 19 different countries
North America
EMEA
Asia
SAP AG 2002, IVT ER/ES Conference, April 24, 2002, George Serafin 15
Agenda
1 Key Considerations
2 Validation Strategy
SAP AG 2002, IVT ER/ES Conference, April 24, 2002, George Serafin 16
What needs to be validated?
Operating
Procedures and
Documentation
5
Controlling System Controlled Process
(Computer System) 6
3
Total System
(Computerized System) ... and
7 all the links
between the boxes
Operational Environment
8
SAP AG 2002, IVT ER/ES Conference, April 24, 2002, George Serafin 17
Installation Qualification (IQ)
•Hardware
•Database and application servers
(including full system landscape e.g. Dev, QA, Prod.)
•Client workstations
•Network (connectivity, data integrity)
•Peripherals (printers, tape drives, etc.)
•Software
•Operating system
•Application software (DBA, SAP, BW, etc)
•Utility software (backup, archiving, etc.)
SAP AG 2002, IVT ER/ES Conference, April 24, 2002, George Serafin 18
Operational Qualification (OQ)
SAP AG 2002, IVT ER/ES Conference, April 24, 2002, George Serafin 19
Performance Qualification (PQ)
SAP AG 2002, IVT ER/ES Conference, April 24, 2002, George Serafin 20
ASAP System Development Lifecycle Roadmap
ASAP Roadmap
Industry-recognized SDLC
SAP AG 2002, IVT ER/ES Conference, April 24, 2002, George Serafin 21
Project Milestones
PQ Production
Validation
Report
Summary
Verify
Cutover
Production
OQ Production
IQ Production
Validation Project Progress
Generate SOPs
OQ QA/Validation
IQ QA/Validation
Traceability Matrix
System Design Specification
Functional Requirements Specification
IQ Development
Validation Master
Vendor Assessment Plan
Validation
Determination
Change Control
Project Preparation Business Blueprint Realization Final Preparation GoLive/Support
SAP AG 2002, IVT ER/ES Conference, April 24, 2002, George Serafin 22
System Development Lifecycle - Enhanced “V” Model
VMP CONCEPT & OPERATION &
REQUIREMENTS MAINTENANCE
Audit
Report
ONGOING
APPLICATION SELECTION
LIVE MONITORING &
USER REQUIREMENTS
SYSTEM MEETS ORIGINAL SELECTION CHANGE CONTROL
ASAP Best CRITERIA AND USER REQUIREMENTS SOP
Practices
SOP
Scenario
Process
FUNCTIONAL REQUIREMENTS CATT
SPECIFICATION SYSTEM
BUSINESS PROCESS MODEL ACCEPTANCE
SOPS SYSTEM PERFORMS INTENDED TESTING
INTEGRATED FUNCTIONS
D 1 BPP per Process BPP T R/3
Test
E BPP E Workbench
G PERFORM INTENDED
FUNCTIONS BAPI I System
Viewer
N N
PROGRAM SPECIFICATION
ABAP G
PROGRAMMING STANDARDS
STRUCTURAL BC Sets
CODE CODE REVIEW
SOURCE CODE
COMPLIES
TO STANDARDS
DEVELOPMENT
SAP AG 2002, IVT ER/ES Conference, April 24, 2002, George Serafin 23
Validation Strategy - 21 CFR Part 11 Compliance
System Testing
•Create test objectives to demonstrate 21 CFR Part 11 compliance for each
relevant clause of the regulation
• For example, §11.10(e) challenge the creation of a secure, computer-generated
time-stamped, audit trail. Audit trail shall contain the user-id, date, time and
the changes that were made. All changes do not obscure or overwrite the
previous information maintained.
SAP AG 2002, IVT ER/ES Conference, April 24, 2002, George Serafin 24
GMP Determination Rules – Examples
Warehousing procedures.
SAP AG 2002, IVT ER/ES Conference, April 24, 2002, George Serafin 25
SAP / FDA CGMP Functionality Matrix For Finished Pharmaceuticals
SAP AG 2002, IVT ER/ES Conference, April 24, 2002, George Serafin 26
SAP / FDA CGMP Functionality Matrix For Finished Pharmaceuticals
SAP AG 2002, IVT ER/ES Conference, April 24, 2002, George Serafin 27
SAP / FDA CGMP Functionality Matrix For Medical Devices
SAP AG 2002, IVT ER/ES Conference, April 24, 2002, George Serafin 28
SAP / FDA CGMP Functionality Matrix For Medical Devices
SAP AG 2002, IVT ER/ES Conference, April 24, 2002, George Serafin 29
SAP / FDA CGMP Functionality Matrix For Medical Devices
SAP AG 2002, IVT ER/ES Conference, April 24, 2002, George Serafin 30
Validation Strategy - Security
SAP AG 2002, IVT ER/ES Conference, April 24, 2002, George Serafin 31
System Development Lifecycle – Key Deliverables
Project Prep Blueprinting Realization Final Prep. Go-Live
System
Concept Requirements Design Build Installation Maintenance
Test
Deliverable
Project Charter
Project Plan
Vendor Qualification
Responsibilities Matrix
SAP AG 2002, IVT ER/ES Conference, April 24, 2002, George Serafin 32
System Development Lifecycle – Key Deliverables
Project Prep Blueprinting Realization Final Prep. Go-Live
System
Concept Requirements Design Build Installation Maintenance
Test
Deliverable
Validation Master Plan
State intention to validate in accordance with §11.10(a)
Describe use (if any) of electronic signatures
Training Program
Not only CGMP requirement but also §11.10(i)
Deliverable
System Design Specifications
Business Process Design
Custom programs and reports
Programming standards, naming conventions
ER/ES requirements
Data conversion Data integrity
Interfaces Prevention against alteration, erasure, data loss
Job Roles / User Authorization
SAP AG 2002, IVT ER/ES Conference, April 24, 2002, George Serafin 34
System Development Lifecycle – Key Deliverables
Project Prep Blueprinting Realization Final Prep. Go-Live
System
Concept Requirements Design Build Installation Maintenance
Test
Deliverable
Operational Qualification
Describe how ER/ES requirements will be challenged during
testing
Unit Test
Create test objectives to demonstrate 21 CFR Part 11
compliance for each relevant clause of the regulation
For example, §11.10(e) challenge the creation of a secure,computer-
generated time-stamped, audit trail.
SAP AG 2002, IVT ER/ES Conference, April 24, 2002, George Serafin 35
System Development Lifecycle – Key Deliverables
Project Prep Blueprinting Realization Final Prep. Go-Live
System
Concept Requirements Design Build Installation Maintenance
Test
Deliverable
Manage integration testing in two (2) phases:
Application-centric
Focus on how business processes within ERP application
Enterprise-wide
Focus on integration of outside systems through manual and
electronic interfaces
SAP AG 2002, IVT ER/ES Conference, April 24, 2002, George Serafin 36
System Development Lifecycle – Key Deliverables
Project Prep Blueprinting Realization Final Prep. Go-Live
System
Concept Requirements Design Build Installation Maintenance
Test
Deliverable
Various Summary Reports (testing, data conversion, etc)
Validation Report
Includes completed, documented resolution of all deviations from
Validation Plan.
Traceability Matrix
Client Operations Manual
Training Materials
Performance Qualification of Production Environment
Post Implementation Review Protocol*
SAP AG 2002, IVT ER/ES Conference, April 24, 2002, George Serafin 37
System Development Lifecycle – Key Deliverables
Project Prep Blueprinting Realization Final Prep. Go-Live
System
Concept Requirements Design Build Installation Maintenance
Test
Deliverable
Rigorous Change Control Program
Established, streamlined procedure
Clear definition and classification of triggers
Complete, accurate impact assessments
Documented assessment of software fixes from vendor
Effective revalidation /regression testing
Complete, documentation package of implemented change
Problem Reporting
Established, streamlined procedure
2 levels (help desk, System Investigation Reports)
Trend Analysis
Periodic review of change, Help Desk, and incident logs for trends
SAP AG 2002, IVT ER/ES Conference, April 24, 2002, George Serafin 38
What Needs To Be Re-validated?
Releases/versions
Operating systems
Database
Software Hardware SAP Equipment
1 2 Desktop Applications
4
SAP fixes
Kernel patches
Hot packages
Operating
OSS Procedures
notes and
Documentation
IMG configuration
5
Enhancements/Reports
Controlling System Controlled Process
(Computer System) Interfaces 6
3
Total System
(Computerized System)
7
Operational Environment
8
SAP AG 2002, IVT ER/ES Conference, April 24, 2002, George Serafin 39
What Needs To Be Re-validated?
Operational Environment
8
SAP AG 2002, IVT ER/ES Conference, April 24, 2002, George Serafin 40
Agenda
1 Key Considerations
2 Validation Strategy
SAP AG 2002, IVT ER/ES Conference, April 24, 2002, George Serafin 41
Validation Standards
Documentation Testing
Version Control
Pre-approval Before Execution
Handwritten Approval
Specific Test Instructions
Document Naming/Numbering Convention
Independence of Review***
Format / Templates Expected Results
Actual Results
“Objective” Evidence of Test Results
Reference to Support Documentation
Test Problem Report / Resolution
Post Approval
SAP AG 2002, IVT ER/ES Conference, April 24, 2002, George Serafin 42
Validation Best Practices
SAP AG 2002, IVT ER/ES Conference, April 24, 2002, George Serafin 43
Validation - Post Implementation
SAP AG 2002, IVT ER/ES Conference, April 24, 2002, George Serafin 44
Common Weaknesses Observed During Customer Audits
Part 11 Requirements Not Included in the Validation
Requirement Documents Not Being Updated and Maintained
Traceability Matrix and the Ability to Sufficiently Prove Traceability
Approved, Current Validation Responsibility Matrix
Code Review Procedure and Forms (Including a Dead Code Review)
Approved Job Role Requirements for Security Profiles
Adequate Testing of Security Authorization Profiles
Rigorous Change Control Including Thorough Impact Assessments and
Training Logs for Project Team Members (This is Also a Part 11 Requirement
(11.10i) Hence, More Attention)
Qualifications for Consultants
The above information is based upon the personal experience of the presenter both from within industry
and SAP. Its purpose is to highlight that most of these same items were emphasized at the training
course “21 CFR Part 11 and Computer System Validation Training provided to FDA investigators”
conducted by EduQuest, Inc.
SAP AG 2002, IVT ER/ES Conference, April 24, 2002, George Serafin 45
Thank You For Your Attention
Questions?
george.serafin@sap.com
+1 (973) 316-3668