SmartSAP Newsletter - June 2003 Edition
Making your SAP system comply with US FDA regulations
Title 21 Code of Federal Regulations (21 CFR Part 11) has been in effect since August 1997 and establishes the FDA’s requirements for electronic records and electronic signatures to be trustworthy, reliable, and essentially equivalent to paper records and handwritten signatures. The driving force in its creation was to prevent fraud while permitting the widest possible use of electronic technology to reduce the costs incurred from paper processes.
The rule contains two major
sections: one that addresses requirements for electronic records and one
for electronic signatures. Electronic records are defined as “any
combination of text, graphics, data, audio, pictorial, or other
information in digital form that is created, modified, archived,
retrieved, or distributed by a computer system.” The rules apply to any
records covered by FDA regulations that exist in an electronic form –
including records that are required to be maintained whether they are
submitted to FDA or not. Electronic signatures are defined as “a
computer data compilation of any symbol or series of symbols executed,
adopted, or authorized by an individual to be the legally binding
equivalent of the individual’s handwritten signature.” The
determination of whether to use an electronic signature is up to an
individual organization.
The use of electronic records and their submission to the FDA is voluntary. Also, if there is no FDA requirement that a document or record be created or maintained, then 21 CFR Part 11 does not apply. It is important to note that the regulations represent minimum requirements for implementation; organizations can choose to make their systems more secure.
Applying this comprehensive definition to SAP R/3, there are various types of electronic records, such as:
- Configuration within the implementation guide
- Transports and business configuration sets used to migrate configuration from one system to another
- Master data such as the Material master, Customer, Vendor, Resource, Recipe etc.
- Business processing objects such as Process orders, Purchase orders, Inspection lots etc.
- Business process execution records such as inventory movement documents
- Electronic and digital signatures
Other electronic record types cover the creation, change and deletion (complete audit trail) of information for the SAP R/3 objects mentioned above. These include:
- Change master record
- Change document objects
- Table logging
Electronic signatures are available in SAP R/3 for
many business processes.
Where multiple signatures may be
required, SAP R/3 provides signature strategies that define allowed
signatures and the sequence in which they must be executed.
21 CFR Part 11 enhancements for electronic records and electronic signatures:
In the opinion of SAP AG, the functions and features of the SAP R/3 Release 4.6C product are compliant with 21 CFR Part 11 when used with the Pharmaceuticals and Chemical Industry Solutions master code 11. Prior SAP R/3 releases can be compliant depending upon the scope of functions implemented; in other instances compliance can still be achieved with some customization. SAP supplies an add-on component, PH-ELR, to activate electronic record change management and electronic signatures.
During Change Document creation and logging, data changes are logged at the application server level. Change Document Objects (CDOs) are focused on individual table fields (data elements), and all marked fields are logged to the CDHDR/CDPOS audit trail tables. Each CDO comprises a group of related tables and must be activated for the corresponding application.
CDO logging requirements are:
- The transaction must be connected to change document creation
- The table containing the field must exist in the connected change document object
- Logging must be active for the data element in the relevant change document
(Figure: Overview of change document)
(Figure: Data element level setting)
Logging for whole tables is performed at the database interface (DBI) level. Table logging focuses on the table where the data is changed and saved, and the DBI automatically checks whether logging is turned on for that table. The log table DBTABLOG stores all table data for every change to the specific table.
Table logging requirements are:
- Setting the log data changes flag in the technical settings of the table
- Activation of the profile parameter rec/client, which allows table logging to be executed at the individual client level
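The two audit-trail mechanisms above (change document objects and table logging) can be combined into a coverage check. The following Python is an added example, not from the newsletter or from SAP: it models the three CDO requirements and the two table-logging requirements (the log data changes flag and rec/client) and classifies each change as captured in CDHDR/CDPOS, in DBTABLOG, or not logged at all. The CDO, table, transaction and field assignments form a constructed configuration, not a real system's.

```python
from dataclasses import dataclass

@dataclass
class ChangeDocObject:
    name: str
    transactions: set      # transactions connected to this change document object (CDO)
    logged_fields: dict    # table -> set of data elements whose logging flag is active

@dataclass
class TableLogging:
    log_data_changes: set  # tables with the "log data changes" flag set in technical settings
    rec_client: str        # profile parameter rec/client: "OFF", "ALL" or a client list "000,100"

def table_logging_covers(cfg: TableLogging, table: str, client: str) -> bool:
    """True when a change to `table` in `client` is written to DBTABLOG."""
    value = cfg.rec_client.strip().upper()
    if table not in cfg.log_data_changes or value == "OFF":
        return False
    if value == "ALL":
        return True
    return client in {c.strip() for c in value.split(",")}

def change_doc_covers(cdos, transaction: str, table: str, data_element: str) -> bool:
    """True when some CDO meets all three requirements for this change (lands in CDHDR/CDPOS)."""
    return any(transaction in cdo.transactions
               and data_element in cdo.logged_fields.get(table, set())
               for cdo in cdos)

def audit_coverage(cdos, tlog: TableLogging, changes):
    """Classify each (client, transaction, table, data_element) change as CDO, DBTABLOG or GAP."""
    result = {}
    for change in changes:
        client, tcode, table, de = change
        if change_doc_covers(cdos, tcode, table, de):
            result[change] = "CDO"
        elif table_logging_covers(tlog, table, client):
            result[change] = "DBTABLOG"
        else:
            result[change] = "GAP"  # unlogged change: an audit-trail gap to close
    return result

# Constructed configuration and sample changes (not taken from a real system).
SAMPLE_CDOS = [ChangeDocObject("MATERIAL", {"MM02"}, {"MARA": {"MTART", "MATKL"}})]
SAMPLE_TLOG = TableLogging(log_data_changes={"T001"}, rec_client="000,100")
SAMPLE_CHANGES = [
    ("100", "MM02", "MARA", "MTART"),  # flagged data element via connected transaction -> CDO
    ("100", "MM02", "MARA", "MEINS"),  # data element not flagged, MARA not table-logged -> GAP
    ("100", "SM30", "T001", "WAERS"),  # customizing table flagged, client 100 in rec/client -> DBTABLOG
    ("200", "SM30", "T001", "WAERS"),  # same table, but client 200 is not in rec/client -> GAP
]
```

Every GAP row is a change that neither mechanism would record, which is exactly what a Part 11 assessment of an R/3 system needs to surface.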
Electronic signature availability:
Electronic signatures are available for the following SAP business processes:
- Acceptance of process values outside predefined tolerance limits
- Electronic batch record (EBR) approval
- Change request to change order conversion (engineering change management)
- Engineering change order approval
- Process step completion within process instruction sheets
- Recording of inspection results for all quality-related processes (goods receipt, in-process, post-process)
- Usage decision (quality disposition) of inspection results
Electronic signature:
To ensure the integrity of signatures within the electronic system and protect against falsification and data corruption, the FDA is clear that the system must actively detect and prevent unauthorized access, including reporting such attempts to the system security unit.
R/3 requires two components (User-Id and Password) to perform every electronic signature.
All SAP R/3 electronic signature records contain the printed name of the signer, the date and time when the signature was performed, and the meaning associated with the signature. Electronic signature records are permanently linked to the executed electronic record. This link cannot be removed, copied, or transferred to falsify other electronic records, and is retained even when archived.
Digital signature:
Most SAP systems are determined by the FDA to be closed systems, but e-business strategies are increasingly opening systems to the Internet, raising significant interest in regulated industries. Digital signatures can be substituted for electronic signatures with the addition of an external security product with Secure Store & Forward (SSF) mechanisms and installed Public Key Infrastructure (PKI) software that provide the required encryption technology.
The user digitally signs the data using their own private key (PKI technology), and the signer is then referenced using their SSF profile.
Digital signature logging/locking:
When the number of failed attempts is exceeded, R/3 prevents the user from further access without intervention from Security Administration. SAP R/3 generates an SAPOFFICE express mail to a defined distribution list to notify security administration in an immediate and urgent manner.
Any MAPI-compliant messaging system can also be interfaced with R/3 to send these messages to external e-mail addresses. The R/3 Security Audit Log maintains an electronic record of all failed logon or signature attempts, along with the generation of electronic records for the locking and unlocking of users. (Note: the number of failed attempts allowed is configurable.)
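As an added example (not code from the newsletter or from SAP), the Python below models the signature controls described in the electronic signature sections above: two components per signature, a signature record carrying printed name, timestamp and meaning bound to a hash of the signed record, a signature strategy enforced in sequence, and a configurable failed-attempt lockout that writes audit-log entries for failures, locks and unlocks. The credential store, threshold, meanings and user names are constructed for illustration.

```python
import hashlib, hmac
from datetime import datetime, timezone

MAX_FAILED_ATTEMPTS = 3  # constructed value; the article notes this limit is configurable in R/3
def password_hash(password: str, salt: bytes = b"constructed-salt") -> bytes:
    # Constructed credential store for the example; R/3 keeps its own user master records.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
def record_hash(record: bytes) -> str:
    return hashlib.sha256(record).hexdigest()  # binds a signature to exactly this record content
class SignatureService:
    def __init__(self, credentials: dict, strategy: list):
        self.credentials = credentials  # user id -> (printed name, password hash)
        self.strategy = strategy        # signature strategy: meanings in the required order
        self.failed = {}                # user id -> consecutive failed attempts
        self.locked = set()             # users blocked until Security Administration unlocks them
        self.audit_log = []             # electronic record of failed attempts, locks and unlocks
        self.signatures = {}            # record hash -> signature records bound to that record

    def sign(self, user_id: str, password: str, record: bytes, meaning: str):
        """Both components (user id and password) are required for every signature."""
        if user_id in self.locked:
            self.audit_log.append(("LOCKED_USER_ATTEMPT", user_id))
            return None
        name, pw_hash = self.credentials.get(user_id, (None, b""))
        if not hmac.compare_digest(pw_hash, password_hash(password)):
            self.failed[user_id] = self.failed.get(user_id, 0) + 1
            self.audit_log.append(("SIGNATURE_FAILED", user_id))
            if self.failed[user_id] >= MAX_FAILED_ATTEMPTS:
                self.locked.add(user_id)
                self.audit_log.append(("USER_LOCKED", user_id))  # where R/3 would send the express mail
            return None
        self.failed[user_id] = 0
        done = self.signatures.setdefault(record_hash(record), [])
        expected = self.strategy[len(done)] if len(done) < len(self.strategy) else None
        if meaning != expected:  # wrong step in the signature strategy: refuse and log, do not record
            self.audit_log.append(("STRATEGY_VIOLATION", user_id, meaning))
            return None
        sig = {"name": name, "time": datetime.now(timezone.utc).isoformat(),
               "meaning": meaning, "record": record_hash(record)}
        done.append(sig)
        return sig

    def unlock(self, admin_id: str, user_id: str):
        self.locked.discard(user_id)
        self.failed[user_id] = 0
        self.audit_log.append(("USER_UNLOCKED", user_id, admin_id))

    def complete(self, record: bytes) -> bool:
        return len(self.signatures.get(record_hash(record), [])) == len(self.strategy)
```

Because each signature stores the hash of the record it was executed on, a signature collected for one record never counts toward completion of another, which is the "permanently linked" property the article attributes to R/3.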