Validation of SAP R/3 in Compliance With Part 11 Requirements

Validation of SAP R/3 in Compliance With
Part 11 Requirements
George Serafin
SAP Pharmaceutical Industry Business Unit
Agenda
1 Key Considerations
2 Validation Strategy
3 Validation Best Practices
 SAP AG 2002, IVT ER/ES Conference, April 24, 2002, George Serafin 2
How Does SAP Collaborate With The FDA?
Industry Groups
•Parenteral Drug Association (PDA)
•Industry Advisory Board
•Technical Report 32
•Subscribing member of Audit Repository Center (ARC)
(Audited June, 2001)
•Part 11 Task Force
•International Society of Pharmaceutical Engineers (ISPE)

•GAMP U.S. Chapter
•Institute of Validation Technology (IVT)

•Presenting at April Conference in Washington D.C.
•American Society for Quality (ASQ)
•ADVAMED (formerly HIMA)

How Does SAP Collaborate With Industry?

Close relationship with National and Regional User Groups:
 ASUG – America’s SAP User Group
 JSUG - Japanese Pharma User Group
 MSUG - Multinational SAP User Group
 PISUG - Process Industry User Group
 PVG – Pharma Validation Group
 VCI - Verband der Chemischen Industrie - German Chemical Association
Transportation Solution Map Analysis
eCl@ss Global Label Management

MES / EBR
Validation / Part 11
Regulated Manufacturing
Co-Products
EH&S
Planning and Costing
Why Can’t SAP Provide a “Validated” Version?
Modular, Highly Configurable systems, such as SAP, cannot

be fully validated by the supplier
(Note: 21 CFR Part 11 Preamble comments 64-68)
Business Process Business Process Selected
Core Product
Validation Strategy - System Landscape
Development QA/Validation Production
Sandbox Validation Production
Configuration DATA
Verification Training
IDOC Backup
Configuration Transported Via TMS

Client Copy
Suggested SAP Quality Assurance Documentation
http://service.sap.com/
HORIZON – Quality Management Manual of SAP Development
DIN EN ISO 9001 Certificate
The Release and Maintenance Strategy of mySAP.com Components -

White Paper
Complying with FDA 21 CFR Part 11 Electronic Records; Electronic

Signatures; Final Rule – White Paper
www.auditcenter.com
Validation Scope - Old Paradigm for Stand-alone Systems
Old Paradigm
GMP systems such as SFC and LIMS are

implemented, validated, and maintained separately as
part of a distributed technical infrastructure with
minimal interfaces to other non-GMP systems. Non-
GMP systems such as financials are not subjected to
any validation requirements.
New Paradigm for Integrated Systems
New Paradigm
GMP and non-GMP business processes are integrated

within the R/3 platform (ex. GR of material includes
MM and FI)
GMP & non-GMP data are maintained within the same

R/3 objects and data structures (ex. Material
master, process order)
Validation must ensure data integrity and complete

business process integration
SAP Strategic Approach to Manufacturing Execution
Functional Model
Supply Chain Execution
Master Data SAP

Warehouse Management
Batch Management
Recipe Management Plant Logistics
SAP Portal
Electronic Order Management

Batch Equipment Status
Record Finite Scheduling (PP-DS) (Logbook)
PI-Sheet (PI-Sets)
SAP Standard Interfaces
Weigh
Middleware
Partner Independent
System
Process Control
SAP R/3 Enterprise
SAP R/3 Enterprise

SAP
SAP R/3
R/3 SAP
SAP R/3
R/3
Enterprise
Enterprise Enterprise
Enterprise
Core
Core Extenstions
Extenstions
SAP R/3
Enterprise
Core
 The name of the next version of SAP R/3 is SAP R/3 Enterprise
 This will be available to all SAP Customers as part of maintenance
Industry Trends – Key Trends for SAP
• Enterprise extends into R&D

• Expansion of R/3 footprint to support
Part 11 remediation
Revenue Driving
• Use of SAP as pilot application for PKI
Customer
• Manufacturing Execution / EBR Relationship
Management
• 2 Customers Live
• Intensified interest concerning
MES/EBR Cost Reduction
• APO in Pharma – Several Live Plant Engineering Operations Distribution
many in pilot
• Enterprise Quality Management Material Flow
• Supplier Quality Management
• Enterprise LIMS
Intellectual Flow
• Problem Reporting / CAPA
Research &
• PLM for Enterprise DMS Development
• Use of BC Set Technology to

document configuration
• Growing interest for analytical CRM
FDA Compliance & Validation Trends
Systems-based Inspection Approach
FDA has “unofficially” adopted systems-based inspection approach originally piloted
1st half of 2001 (see Pfizer warning letter)
This inspection strategy requires review of validation and security of computer
systems used to support each system (e.g. materials, production, quality, etc.)
System-based Approach to Validation

Validation Strategy recognizes the entire SAP system (application and landscape) as
a FDA-regulated system.
The industry has adopted this strategy approximately 2 years ago.
This is consistent with the CSV & Part 11 training the FDA investigators are receiving
from EduQuest.
Include Part 11 requirements in Validation Strategy

FDA enforcement increasing in frequency and vigilance
FDA investigators being trained on CSV and Part 11
FDA recruitment of technical (computer/engineering) vs science (chem/bio) graduates
21 CFR Part 11 Compliance Rollout in 2001
European Pilot - Janssen Cilag (Switzerland)
PISUG (Scottsdale, AZ)
U.S. Pilot - Roche Diagnostics (Branchburg, NJ)
Part 11 Enhancement Workshop - SAP America (NSQ)
Part 11 Workshop for U.S. Customers (NSQ)
SAPPHIRE Lisbon (Lisbon, Portugal)
SAPPHIRE Orlando (Orlando, Florida)
Part 11 Enhancement Workshop for European Affiliates (Walldorf)
Part 11 Workshop for European Customers (Walldorf)
PDA Audit of Part 11 Development (Walldorf)
Part 11 Workshop Hosted by SAP Denmark
PVG Part 11 Assessment (Walldorf)
“SAP is to be congratulated on producing such a

comprehensive solution to meet the requirements
of 21 CFR Part 11.” - PVG Part 11 Assessment Nov 2001
21 CFR Part 11 Compliance Rollout in 2001

http://service.sap.com/pharmaceuticals

Part 11 Web Page
 Accessed By 160+ Users
 Representing 19 different countries
North America
EMEA
Asia
 Whitepaper and Claim of Compliance Widely Accepted by

Industry
Agenda
What needs to be validated?
Software Hardware Equipment

1 2 4
Operating
Procedures and
Documentation
5
Controlling System Controlled Process
(Computer System) 6
3
Total System
(Computerized System) ... and
7 all the links
between the boxes
Operational Environment
8
Installation Qualification (IQ)
“Establishing by objective evidence that all key aspects of the process,

process equipment, and ancillary system installation adhere to the
approved design criteria and that the recommendations of the
manufacturer of the equipment have been suitably considered.”
FDA GHTF Study Group 3 - Process Validation Draft Guidance, June 1998.
•Hardware
•Database and application servers
(including full system landscape e.g. Dev, QA, Prod.)
•Client workstations
•Network (connectivity, data integrity)
•Peripherals (printers, tape drives, etc.)
•Software
•Operating system
•Application software (DBA, SAP, BW, etc)
•Utility software (backup, archiving, etc.)
Operational Qualification (OQ)
“Establishing by objective evidence parameters which result in product that

meets all pre-determined requirements.”
• Demonstrates that the configured system performs its

intended functions as defined by the functional requirements
 This includes manual operations that are formalized through
SOPs which are established to support the computerized process
Performance Qualification (PQ)
“Establishing by objective evidence that the process, under anticipated

conditions, including worst case conditions, consistently produces a
product which meets all pre-determined requirements..”
Performance to measure response time and throughput rates

under a variety of conditions.
Volume to subject the system to heavy volumes of data similar to

the loads expected to be encountered in the course of normal
operations.
Stress to examine the behavior of the system at and beyond the

limits of its resources by subjecting it to excessively high loads.
ASAP System Development Lifecycle Roadmap
ASAP Roadmap
Project Prep Blueprinting Realization Final Prep. Go-Live

Unit System
Concept Requirements Design Build Installation Maintenance
Test Test
Industry-recognized SDLC
Project Milestones
PQ Production
Validation
Report
Summary
Verify
Cutover
Production
OQ Production
IQ Production
Validation Project Progress
Generate SOPs
OQ QA/Validation
IQ QA/Validation
Traceability Matrix
System Design Specification
Functional Requirements Specification
IQ Development
Validation Master
 Vendor Assessment Plan
Validation
Determination
Change Control
Project Preparation Business Blueprint Realization Final Preparation GoLive/Support
ASAP Project Progress
System Development Lifecycle - Enhanced “V” Model
VMP CONCEPT & OPERATION &
REQUIREMENTS MAINTENANCE
Audit
Report
ONGOING
APPLICATION SELECTION
LIVE MONITORING &
USER REQUIREMENTS
SYSTEM MEETS ORIGINAL SELECTION CHANGE CONTROL
ASAP Best CRITERIA AND USER REQUIREMENTS SOP
Practices
SOP
Scenario
Process
FUNCTIONAL REQUIREMENTS CATT
SPECIFICATION SYSTEM
BUSINESS PROCESS MODEL ACCEPTANCE
SOPS SYSTEM PERFORMS INTENDED TESTING
INTEGRATED FUNCTIONS
D 1 BPP per Process BPP T R/3
Test
E BPP E Workbench
S SYSTEM DESIGN SPECIFICATION

S
I PROGRAM SPECIFICATION PROCESSES & PROGRAMS
UNIT TESTING
T R/3 Cross
G PERFORM INTENDED
FUNCTIONS BAPI I System
Viewer
N N
PROGRAM SPECIFICATION
ABAP G
PROGRAMMING STANDARDS
STRUCTURAL BC Sets
CODE CODE REVIEW
SOURCE CODE
COMPLIES
TO STANDARDS
BPML R/3 IMG

Business Process Master List
CONFIGURE / CODE
DEVELOPMENT
Validation Strategy - 21 CFR Part 11 Compliance
Define 21 CFR Part 11 Requirements in:

•Validation Master Plan (VMP)
•Functional Requirements Specification
•Operational Qualification (OQ)
Conduct GxP Assessment

Determine GxP-relevant business processes and R/3 Objects
GxP Relevance Can Be Determined At:
•Transaction or Object level

• Field level
System Testing
•Create test objectives to demonstrate 21 CFR Part 11 compliance for each
relevant clause of the regulation
• For example, §11.10(e) challenge the creation of a secure, computer-generated
time-stamped, audit trail. Audit trail shall contain the user-id, date, time and
the changes that were made. All changes do not obscure or overwrite the
previous information maintained.

GMP Determination Rules – Examples
GMP 21 CFR Part 211, Current Good

Determination Question Manufacturing Practice for
Rule Finished Pharmaceuticals
Subpart E – Control of Components and Drug Product

Containers and Closures
211.80 General requirements.
211.82 Receipt and storage of untested components,

drug product containers, and closures.
211.84 Testing and approval or rejection of components,

drug product containers, and closures.
Does the process impact the
211.87 Retesting of approved components, drug product
control of components, labeling containers, and closures.
or packaging materials, including
R5 goods receipt, identification,
Subpart G – Packaging and Labeling Control
211.122 Materials examination and usage criteria.

quarantine, storage, handling,
211.125 Labeling issuance.
sampling, testing, or QA release?
Subpart H – Holding and Distribution
Warehousing procedures.
Subpart J – Records and Reports
211.180 General requirements.
211.184 Component, drug product container, closure, and

labeling records.
SAP / FDA CGMP Functionality Matrix For Finished Pharmaceuticals
SAP / FDA CGMP Functionality Matrix For Finished Pharmaceuticals
SAP / FDA CGMP Functionality Matrix For Medical Devices
Validation Strategy - Security
Develop Security Profiles In Accordance With System Development Lifecycle (SDLC)
•Establish Functional Requirements Specification For Job Roles
•Use Business Process Master List (BPML) as the only source of

authorization profile development. This will ensure that unused, non-
validated business processes within SAP R/3, are effectively blocked from
unauthorized access
•System testing of profiles should include negative testing of business

critical transactions (ex. CGMP)
•Profiles should be managed similar to configuration in regards to Change

§11.10
§11.10(i)
Control and R/3 Transport Management (i)Determination
Determinationthat
thatpersons
personswho
who
develop,
develop,maintain,
maintain,or
oruse
useelectronic
electronic
record/electronic
record/electronic signaturesystems
signature systems
Ideally, Users Should Be Trained For All have
havethe
theeducation,
Transactions training,
Within
education, Theirand
training, Profile(s)
and
 §11.10 (i) experience
experiencetotoperform
performtheir
theirassigned
assigned
tasks.
tasks.
System Development Lifecycle – Key Deliverables
System
Test
Deliverable
Project Charter
Project Plan
Vendor Qualification
Responsibilities Matrix
System
Test
Deliverable
Validation Master Plan
 State intention to validate in accordance with §11.10(a)
 Describe use (if any) of electronic signatures
Training Program
 Not only CGMP requirement but also §11.10(i)
Functional Requirements Specifications

 “Business Blueprint” Custom programs and reports
 GxP requirements  Data conversion
 Detailed Part 11 requirements  Interfaces

 Job Roles / User Authorization
 Full SDLC for Security

System
Test
Deliverable
System Design Specifications
 Business Process Design
 Custom programs and reports
 Programming standards, naming conventions
 ER/ES requirements
 Data conversion  Data integrity
 Interfaces  Prevention against alteration, erasure, data loss
 Use business process (e.g. transaction) master list as only source of

authorization development
Traceability Matrix
System
Test
Deliverable
Operational Qualification
 Describe how ER/ES requirements will be challenged during
testing
 Unit Test
 Create test objectives to demonstrate 21 CFR Part 11
compliance for each relevant clause of the regulation
For example, §11.10(e) challenge the creation of a secure,computer-
generated time-stamped, audit trail.

 Perform manual review (static analysis) of authorization profiles
against functional requirements for unit testing.
System
Test
Deliverable
Manage integration testing in two (2) phases:
 Application-centric
 Focus on how business processes within ERP application
interact with each other
 Enterprise-wide
 Focus on integration of outside systems through manual and
electronic interfaces
Job Roles / User Authorization

 System testing of profiles should include negative testing of
business critical transactions (ex. CGMP)
Cutover Strategy and Plan
System
Test
Deliverable
Various Summary Reports (testing, data conversion, etc)
Validation Report
 Includes completed, documented resolution of all deviations from
Validation Plan.
Traceability Matrix
Client Operations Manual
Training Materials
Performance Qualification of Production Environment
Post Implementation Review Protocol*
System
Test
Deliverable
Rigorous Change Control Program
 Established, streamlined procedure
 Clear definition and classification of triggers
 Complete, accurate impact assessments
 Documented assessment of software fixes from vendor
 Effective revalidation /regression testing
 Complete, documentation package of implemented change
Problem Reporting
 Established, streamlined procedure
 2 levels (help desk, System Investigation Reports)
Trend Analysis
 Periodic review of change, Help Desk, and incident logs for trends
What Needs To Be Re-validated?
 Releases/versions
 Operating systems
 Database
Software Hardware  SAP Equipment
1 2  Desktop Applications
4
 SAP fixes
 Kernel patches
 Hot packages
Operating
 OSS Procedures
notes and
Documentation
 IMG configuration
5
 Enhancements/Reports
(Computer System)  Interfaces 6
3
Total System
(Computerized System)
7
8
What Needs To Be Re-validated?
 Database & Apps. Servers

Software Hardware Equipment
 Workstations
1 2 4
 Network
 Peripherals
Operating
Procedures and
Documentation
5
(Computer System) 6
3
Total System
(Computerized System)
7
8
Agenda
Validation Standards
Documentation Testing
Version Control
Pre-approval Before Execution
Handwritten Approval
Specific Test Instructions
Document Naming/Numbering Convention
Independence of Review***
Format / Templates Expected Results
Actual Results
“Objective” Evidence of Test Results
Reference to Support Documentation
Test Problem Report / Resolution
Post Approval
*** Recent FDA Guidance Documents

Guidance for Industry 21 CFR Part 11; Electronic Records; Electronic Signatures Validation
General Principles of Software Validation; Final Guidance for Industry and FDA Staff
Validation Best Practices
 Validation Is The Responsibility Of The Business Owner(s)

 Validate To Satisfy Your Business Requirements - Not FDA
 Document What You Do / Do What You Document
 There Can Be Only One Project Plan
 Include QA/Validation At The Beginning Of Project Preparation
And Planning
 Communicate The Validation Requirements & Expectations At The
Beginning Of The Project
 Maintain Only One Set Of Project Standards & Templates
 Document Justification For non-GxP Determination
 Challenge Configuration - Not Standard SAP
 Rigorous Change Control And Problem Reporting
 Aggressively Manage Feedback Loop
Validation - Post Implementation
 System Must Remain In A “Validated State”

 Visibility Of Changes In Development
 Change Control System Must Assess All Changes For “Triggers”
Which Impact The Validated State Of The System
 Re-validation Activities Are Defined By The Impact Assessment
And Regression Analysis Conducted During Evaluation Of
Proposed Change
 Establish An Audit Schedule (begin quarterly then expand to
annually) To Review Implemented Changes And Incident Trends
 Each Change Documentation Package Should Describe The
Whole Change Process And Provide Proof (e.g. documentation)
That All Activities Were Completed
Common Weaknesses Observed During Customer Audits

Part 11 Requirements Not Included in the Validation

Requirement Documents Not Being Updated and Maintained

Traceability Matrix and the Ability to Sufficiently Prove Traceability

Approved, Current Validation Responsibility Matrix

Code Review Procedure and Forms (Including a Dead Code Review)

Approved Job Role Requirements for Security Profiles

Adequate Testing of Security Authorization Profiles
Rigorous Change Control Including Thorough Impact Assessments and

Documented Complete Closure of Changes
Documented Training Program (Including Level 1 GMP Training) and


Training Logs for Project Team Members (This is Also a Part 11 Requirement
(11.10i) Hence, More Attention)

Qualifications for Consultants
The above information is based upon the personal experience of the presenter both from within industry
and SAP. Its purpose is to highlight that most of these same items were emphasized at the training
course “21 CFR Part 11 and Computer System Validation Training provided to FDA investigators”
conducted by EduQuest, Inc.
Thank You For Your Attention
Questions?
george.serafin@sap.com
+1 (973) 316-3668

Validation of SAP R/3 in Compliance With Part 11 Requirements

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Validation of SAP R/3 in Compliance With Part 11 Requirements

Uploaded by

Copyright:

Available Formats

Validation of SAP R/3 in Compliance With

3 Validation Best Practices

•International Society of Pharmaceutical Engineers (ISPE)

•Institute of Validation Technology (IVT)

•American Society for Quality (ASQ)

•ADVAMED (formerly HIMA)

Transportation Solution Map Analysis

eCl@ss Global Label Management

Modular, Highly Configurable systems, such as SAP, cannot

Development QA/Validation Production

Sandbox Validation Production

Configuration Transported Via TMS

HORIZON – Quality Management Manual of SAP Development

DIN EN ISO 9001 Certificate

The Release and Maintenance Strategy of mySAP.com Components -

Complying with FDA 21 CFR Part 11 Electronic Records; Electronic

GMP systems such as SFC and LIMS are

GMP and non-GMP business processes are integrated

GMP & non-GMP data are maintained within the same

Validation must ensure data integrity and complete

Master Data SAP

Electronic Order Management

SAP R/3 Enterprise

• Enterprise extends into R&D

• Use of BC Set Technology to

System-based Approach to Validation

Include Part 11 requirements in Validation Strategy

“SAP is to be congratulated on producing such a

 Whitepaper and Claim of Compliance Widely Accepted by

3 Validation Best Practices

Software Hardware Equipment

“Establishing by objective evidence that all key aspects of the process,

“Establishing by objective evidence parameters which result in product that

• Demonstrates that the configured system performs its

“Establishing by objective evidence that the process, under anticipated

Performance to measure response time and throughput rates

Volume to subject the system to heavy volumes of data similar to

Stress to examine the behavior of the system at and beyond the

Project Prep Blueprinting Realization Final Prep. Go-Live

ASAP Project Progress

S SYSTEM DESIGN SPECIFICATION

BPML R/3 IMG

Define 21 CFR Part 11 Requirements in:

Conduct GxP Assessment

•Transaction or Object level

GMP 21 CFR Part 211, Current Good

Subpart E – Control of Components and Drug Product

211.80 General requirements.

211.82 Receipt and storage of untested components,

211.84 Testing and approval or rejection of components,

211.122 Materials examination and usage criteria.

Subpart J – Records and Reports

211.180 General requirements.

211.184 Component, drug product container, closure, and

Develop Security Profiles In Accordance With System Development Lifecycle (SDLC)

•Establish Functional Requirements Specification For Job Roles

•Use Business Process Master List (BPML) as the only source of

•System testing of profiles should include negative testing of business

•Profiles should be managed similar to configuration in regards to Change

Functional Requirements Specifications

 Detailed Part 11 requirements  Interfaces

 Full SDLC for Security