Vous êtes sur la page 1sur 12

U.S.

FDA TiTle 21 CFR PART 11 ComPliAnCe ASSeSSmenT oF SAP enviRonmenT, HeAlTH & SAFeTy

Disclaimer

These materials are subject to change without notice. SAP AGs compliance analysis with respect to SAP software performance based on FDA Title 21 CFR Part 11: (i) in no way expresses the recognition, consent, or certification of SAP software by the United States Food and Drug Administration; and (ii) applies to certain components of SAP Environment, Health & Safety (SAP EH&S) application only as stated herein. The customer is solely responsible for compliance with all applicable regulations, and SAP AG and its affiliated companies (SAP Group) have no liability or responsibility in this regard. These materials are provided by SAP Group for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

ConTenTS
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 FDA.Title.21.CFR.Part.11.Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 SAP EH&S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 E-Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 FDA Requirement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Change Management in SAP EH&S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Digital Signature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 How SAP EH&S Complies with FDA Title 21 Part 11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 References. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

SUmmARy
On the basis of the interpretation of the FDA Title 21 CFR Part 11 rule of the U.S. Food and Drug Administration and the functions and features discussed within this document, SAP AG believes that the SAP Environment, Health & Safety (SAP EH&S) application fully complies with FDA Title 21 CFR Part 11.

FDA TiTle 21 CFR PART 11 ASSeSSmenT


SAP eH&S

The SAP EH&S application includes the following components: Basic data and tools With the basic data and tools component, you can manage specifications for different SAP EH&S application objects (substances, dangerous goods classifications, agents, waste codes, and packagings) and create templates for reports. Product safety The product safety component contains functions required to manage hazardous substances in companies that manufacture hazardous substances. For example, you can manage and ship environment, health, and safety (EH&S) reports, such as material safety data sheets, and create labels. The software can determine data sheets and labels automatically and create the composition of the specification for the relevant substance from the bill of material (BOM) for a material. Hazardous substance management The hazardous substance management component contains functions that allow companies that use hazardous substances to manage them appropriately. For example, functions are available that make it easier for you to create the reports prescribed by the U.S. Superfund Amendments and Reauthorization Act (SARA). Dangerous goods management With the dangerous goods management component, you can manage dangerous goods master records, run dangerous goods checks, and create dangerous goods documents. Occupational health With the occupational health component, you can support the general employee occupational healthcare in your enterprise. You can record all relevant medical data (for example, diagnoses, examinations, and injuries), plan and perform health surveillance protocols on the basis of the employee-specific exposure situation, and monitor the results of medical examinations and diagnoses.

Industrial hygiene and safety With the industrial hygiene and safety component, you can organize industrial hygiene and safety in your enterprise and manage the agents that are present. In addition, you can process events with or without injury to persons and create reports (such as standard operating procedures or accident reports). Waste management With the waste management component, you can manage waste-disposal processes, create the reports necessary for transportation and disposal of waste, and distribute the resulting costs proportionally among the cost centers in the enterprise that generated the waste. Waste management is of high criticality concerning environmental regulations, but it is not critical for good manufacturing practices (GMPs). So, in the following document, the emphasis is on basic data and tools, product safety, hazardous substance management, dangerous goods management, occupational health, and industrial hygiene and safety. SAP performed the investigation for the mySAP ERP application.
Security

SAP EH&S is part of the product life-cycle management (PLM) extension to mySAP ERP 2005, which is built on top of the SAP NetWeaver platform. Therefore, all security features of the SAP NetWeaver Application Server component are valid for SAP EH&S. For details, please refer to the document FDA Title 21 CFR Part 11 Compliance Assessment of SAP NetWeaver.

e-Records FDA Requirement

The FDA requires the ability to log and track changes on business objects and dependent objects in a compliant software environment. The computer system must provide functionality to log changes, creations, and deletions applied to business objects and to dependent objects (such as configuration data). The system must provide the following minimal information: Old value of an attribute of the changed business object New value of this attribute Person who changed the value Date and time of change Action (create, modify, or delete)
Change Management in SAP EH&S

date using a change number. In this way, you can, for example, today enter data that will be valid only in the future. Each change number is valid from a particular validity date so that the data has a validity period in accordance with the change number. The phrase history function enables you to compare current phrase versions with previously valid versions. The software displays the history in relation to the day on which changes were made, according to the creation of change documents. You can use the specification status function to specify for a specification the usages of its identifiers and value assignment instances and whether they should be protected. You can use appropriate status entries to set the software so that it prohibits changing specification data, prohibits outputting specification data on reports, or issues a warning against editing specification data (default setting, for example, in the status For release). In the customizing process, an indicator profile specifies for each status which protection effect the status should have. You can enhance the basic status network as required to suit your needs. For reports, versioning is available for specifications of all specification categories, such as for substances, agents, and dangerous goods classifications. The versioning function supports the assignment of version numbers to a number of reports that are generated for the same specification, generation variant, and language. As long as you have not yet released a report and not assigned it to a version, the new report replaces the old reports. However, once you release a report and, therefore, you must preserve every version, the software creates a new version of the report for the newly generated report, which does not replace the old one. Versioning enables the comparison of the old and new reports and includes the user who made the change. Standard operating procedures (such as safety instructions for workers) that are used in industrial hygiene and safety, as well as transport emergency cards that are used in dangerous goods management, are based on reports. So the versioning described above is available for those documents.

In change documents, the SAP software logs all changes that are made within specification and phrase management. In the customizing process (in the Implementation Guide) for Basic Data and Tools under Specify Context Fields for Creation of Change Documents, you can specify which context information is displayed on the objects that are determined in the creation of the change documents log for specifications (such as identifier, material assignment, and transport approval). The change documents determine the objects that you created, deleted, and changed. The software marks changes that you made by a reference or inheritance. For each object, SAP EH&S displays the change date, change time, and user name of the person who made the change, in addition to the context information. For the dangerous goods management component, you can write master data change documents as well. SAP EH&S uses application server time for change documents and history. You can use the engineering change management function for specifications, phrases, and dangerous goods master records. This function enables you to make data changes for a particular key
6

If you need an audit trail for objects not explicitly mentioned in this document, use the electronic records tool for creation of change documents. A change document object captures changes to fields within a transaction and writes this information to a unique record. This record is date stamped and time stamped and maintains the old and new values for each of the fields that have been changed, in addition to the user ID of the person who made the change. You run a report to query and display the audit trail record. These objects may be active in the shipped version of SAP EH&S or may require configuration for activation. You can perform the configuration modification free with the electronic records tool. For more details, please refer to www.sap.com/industries/lifesciences/brochures/index.epx. SAP EH&S uses the standard authorization management of SAP software to ensure the proper access of users on objects.
Digital Signature

The prerequisite for the use of the encapsulated signature tool is that the solution must fully consist of coding of the ABAP programming language, which is the case for SAP EH&S. The prerequisite is not true for user interfaces, as the tool can also be used with user interfaces programmed in a language other than ABAP, such as Java. In this case, you must carefully consider security and authentication issues to avoid security gaps. All transactions and workflow steps of the SAP EH&S functionalities of product safety, hazardous substance management, and industrial hygiene and safety can include signature functionality with the encapsulated signature tool. You must have release 6.20 or higher of SAP NetWeaver Application Server (formerly named SAP Web Application Server) for the use of the encapsulated signature tool. For further information, refer to the implementation guide titled Digital Signature Tool (see References below).

If you need a digital signature within SAP EH&S, you can implement the encapsulated signature tool, which is part of SAP NetWeaver Application Server, on a project basis for the EH&S functionalities of product safety, hazardous substance management, and industrial hygiene and safety. Asynchronous signatures are supported. For occupational health functionality, digital signatures are not required, according to 21 CFR Part 211 211.28 Personnel responsibilities. Reports are sufficient in this case. Therefore, the software ensures compliance to FDA Title 21 CFR Part 11 even though you cannot realize digital signatures for occupational health functionality.

How SAP eH&S Complies with FDA Title 21 Part 11

11.10(k) 11.30

This is not applicable to SAP EH&S. For open systems, SAP NetWeaver Application Server supports interfaces with complementary software partners that supply cryptographic methods such as public key infrastructure (PKI) technology. You can implement the encapsulated signature tool to satisfy these requirements. You can implement the encapsulated signature tool to satisfy these requirements. You can implement the encapsulated signature tool to satisfy these requirements. You can implement the encapsulated signature tool to satisfy these requirements. This clause covers a procedural requirement for customers and is not related to the functions of the computer system. This clause covers a procedural requirement for customers and is not related to the functions of the computer system. SAP NetWeaver Application Server requires two distinct components a user ID and a password to create each electronic signature. By design, SAP NetWeaver Application Server does not support continuous sessions where only a single component is necessary subsequent to the first signing. This clause covers a procedural requirement for customers and is not related to the functions of the computer system. User and security administration functions of SAP NetWeaver Application Server ensure that the attempted use of an individuals electronic signature by someone other than the genuine owner requires the collaboration of two or more individuals. SAP NetWeaver Application Server provides a certified interface to biometric devices such as fingerprint and retinal-scanning devices. Look for SAP-certified security partners in the SAP Service Marketplace extranet. User and security administration functions of SAP NetWeaver Application Server provide the necessary controls to ensure that no two individuals have the same combination of identification code (user ID) and password. You can configure SAP NetWeaver Application Server to force users to change passwords at various intervals, and the component provides system checks to prevent users from repeating passwords or using combinations of alphanumeric characters that are included in the user ID. You can also invalidate user IDs, for example, when an employee leaves the company. This clause covers a procedural requirement for customers and is not related to the functions of the computer system. SAP NetWeaver Application Server fulfills this requirement and behaves as demanded by the requirement. This clause covers a procedural requirement for customers and is not related to the functions of the computer system.

The following table summarizes how SAP EH&S complies with each requirement of Part 11.
Part 11 Clause 11.10(a) SAP Assessment of SAP EH&S Specifications and phrases within the SAP Environment, Health & Safety (SAP EH&S) application have a complete audit trail. For reports via versioning, the software allows you to track changes. If you need an audit trail for other objects within SAP EH&S, you can use the electronic records tool. The audit trail records are secured from unauthorized access. All electronic records generated in SAP EH&S are accurate, complete, and presented in a human-readable format. Electronic records in SAP EH&S can be printed or exported into several industry-standard formats, such as Adobe PDF and XML. You can maintain all electronic records in the active database or archive the records to accommodate all required retention periods, even when the software is upgraded. Access to these records is secured by authorization profiles. Robust security administration and authorization profiles assure system access. You record changes to security profiles in the SAP NetWeaver Application Server component. SAP EH&S provides for specifications and phrases complete audit trails within the application. You can write change documents for dangerous goods master data as well. For reports via versioning, you can track changes. If you need an audit trail for other objects within SAP EH&S, you can use the electronic records tool. The audit trail records are secured from unauthorized access. You can control the processing statuses of objects in SAP EH&S by using status and workflow management and so enforce the proper sequence of operations as required by the applicable regulation. SAP NetWeaver Application Server executes authority checks in conjunction with its robust security administration and authorization profiles to ensure that only authorized individuals can access the system, electronically sign a record, and access or perform an operation. SAP NetWeaver Application Server also records changes to authorization profiles. This is not applicable to SAP EH&S. The product innovation life cycle (PIL) for SAP development requires that all personnel responsible for developing and maintaining SAP products have the education, training, and experience to perform their assigned tasks. A wide range of additional education and training offerings and regular assessments of individual training requirements ensure a process of continuous learning for staff involved in the development and support of all SAP software. This clause covers a procedural requirement for customers and is not related to the functions of the computer system.

11.50(a) 11.50(b) 11.70 11.100(a) 11.100(b) 11.100(c) 11.200(a)(1)

11.10(b)

11.10(c)

11.10(d)

11.200(a)(2) 11.200(a)(3)

11.10(e)

11.200(b)

11.10(f)

11.300(a)

11.10(g)

11.300(b)

11.10(h) 11.10(i)

11.300(c) 11.300(d) 11.300(e)

11.10(j)

ReFeRenCeS
For more information, look up the following references, many of which are found in the SAP Service Marketplace extranet (authorization required): SAP NetWeaver 04 Security Guide (help.sap.com) SAP NetWeaver 2004s Security Guide (help.sap.com) Complying with U.S. FDA Title 21 CFR Part 11 for the Life Sciences Industry (white paper, www .sap .com/usa/solutions/ grc/pdf/BWP_FDA_Title21 .pdf) SAP NetWeaver: Providing the Building Blocks for Effective Governance, Risk, and Compliance Management (white paper) Digital Signature Tool, an implementation guide available in note 7005 in the SAP Notes service FDA Title 21 CFR Part 11 Electronic Records; Electronic Signatures: Final Rule, March 20, 17 (www.fda.gov/ora/compliance_ref/part11/) Environment, Health and Safety (help.sap.com) Electronic Records (help.sap.com) Authors: Dr. Anja Modler-Spreitzer and Dr. Christoph Roller IBU Consumer Products & Life Sciences, SAP

www.sap.com/contactsap

50 083 535 (07/03)

2007 by SAP AG. All rights reserved. SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. Printed on environmentally friendly paper. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies (SAP Group) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.