
SAP for Life Sciences

COMPLYING WITH
U.S. FDA TITLE 21 CFR PART 11
FOR THE LIFE SCIENCES INDUSTRY

Copyright 2008 SAP AG. All rights reserved.


No part of this publication may be reproduced or transmitted in
any form or for any purpose without the express permission of
SAP AG. The information contained herein may be changed
without prior notice.
Some software products marketed by SAP AG and its distributors
contain proprietary software components of other software
vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA,
AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries,
zSeries, System i, System i5, System p, System p5, System x, System z, System z9, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, POWER5+,
OpenPower and PowerPC are trademarks or registered trademarks of IBM Corporation.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the
Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame,
VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc.,
used under license for technology invented and implemented by
Netscape.
SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge,
ByDesign, SAP Business ByDesign, and other SAP products and
services mentioned herein as well as their respective logos are
trademarks or registered trademarks of SAP AG in Germany and
in several other countries all over the world. All other product
and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies (SAP
Group) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable
for errors or omissions with respect to the materials. The only
warranties for SAP Group products and services are those that
are set forth in the express warranty statements accompanying
such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

CONTENTS
Disclaimer
Executive Summary
  A Compliance Model in Transition
  Cost of Compliance
  A Win-Win Proposition for Life Sciences
Introduction
  U.S. Food and Drug Administration
  21 CFR Part 11 Electronic Records; Electronic Signatures; Final Rule
  Pharmaceutical cGMPs for the 21st Century: A Risk-Based Approach
  New Part 11 Guidance
Discussion of 21 CFR Part 11 Rule
  Subpart A General Provisions
    What Functionality in SAP ERP May Be Regulated?
  Subpart B Electronic Records
    Change Master Record
    Change Document Object
    Table Logging
    Date and Time Stamp
    Electronic Copies for Inspection
    Retention and Maintenance of Electronic Records
    Hybrid Systems
  Subpart C Electronic Signature
    Electronic and Digital Signatures in SAP ERP
    Digital Signature
    Encapsulated Signature Tool in SAP ERP
    Date and Time Stamp for Signature
How Does SAP ERP Comply with Part 11?
Other International GMP Guidelines with Similar Part 11 Requirements and SAP ERP
  EU GMP Guideline
  PIC/S Guidance
  ICH Guideline
Software Quality
Validation of SAP ERP in an FDA-Regulated Environment
  SAP Solution Manager
  GAMP V-Model and Available SAP Tools
  Validation Approach to Achieve Part 11 Compliance
Conclusion
References
Appendixes

DISCLAIMER
These materials are subject to change without notice. SAP AG's
compliance analysis with respect to SAP software performance
based on U.S. FDA 21 CFR Part 11, EU Annex 11/18 to the EU
GMP-Guideline Commission Directive 2003/94/EC and Annex 11
to PIC/S Guidance Good Manufacturing Practice for Medicinal
Products: (i) in no way expresses the recognition, consent, or certification of SAP software by the United States Food and Drug
Administration or European/International Authorities; and (ii)
applies to certain components of the SAP ERP application only as
stated herein. The customer is solely responsible for compliance
with all applicable regulations, and SAP AG and its affiliated
companies (SAP Group) have no liability or responsibility in
this regard. These materials are provided by SAP Group for informational purposes only, without representation or warranty of
any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP
Group products and services are those that are set forth in the
express warranty statements accompanying such products and
services, if any. Nothing herein should be construed as constituting an additional warranty.

EXECUTIVE SUMMARY
SAP has enjoyed over 35 years of partnership with the life sciences industry. The SAP for Life Sciences solution portfolio supports
business processes for all types of enterprises from pharmaceutical to medical diagnostics and devices, and biotechnology companies worldwide. Although the infrastructure and solutions
provided by each of these installations are different, they have a
common key business requirement: regulatory compliance.
Most of these life sciences companies want to compete in the
lucrative U.S. market and, therefore, need to comply with U.S.
Food and Drug Administration (FDA) regulations, including
those covering the use of computerized systems that support
good clinical, laboratory, and manufacturing practice (also
known as predicate rules or GxPs). Another regulation, 21 CFR
Part 11 Electronic Records; Electronic Signature; Final Rule,
signaled FDA's awareness of the transition from paper-based,
manual systems to computerized systems occurring within
the life sciences industry.
Applying these requirements to the numerous computerized
systems within life sciences companies translates into millions of
dollars in project costs to validate these systems and significant
annual costs to maintain them in a validated state for their
productive lifetime.

FDA'S SYSTEMS-BASED INSPECTION APPROACH

| Current State | Future State |
| --- | --- |
| Isolated functional units | Integrated infrastructure and solutions-oriented approach to compliance |
| Focus on remediation of FDA-483s and FDA warning letters exclusively | Enforced compliance built into each quality system |
| Fragmented compliance systems (hybrid systems) | Integrated compliance systems |
| Validation and maintenance of numerous stand-alone systems | Validation and maintenance of a consolidated infrastructure |
| Batches on hold, delayed investigations, and lengthy reviews | Real-time investigations |
| Inability to identify process improvements | Electronic batch records |
| | Real-time batch record review |
| | Enterprise-wide visibility of compliance activities |

The integrated systems-based inspection approach also recognizes the widespread use of computers to support each company's
quality initiatives. Therefore, the validation and security of integrated computer solutions is reviewed much more closely than
that of stand-alone systems during an inspection.

A Compliance Model in Transition

FDA's systems-based inspection approach that was officially
adopted in February 2002 initiated a transition of how companies
must now assess compliance from a systems-oriented approach
rather than as isolated functional units, as described in the table
to the right.

Cost of Compliance

Figures 1 and 2 illustrate the cost of compliance and noncompliance.

[Figure 1: Compliance Cost Model. Cost (vertical axis) plotted against level of compliance (horizontal axis: Not Compliant, Compliant, Overcompliant). Curves: Cost of Noncompliance (NC$) (Enforcement Actions, Time, Resources); Cost of Compliance (C$) (Time, Resources); Sum of Both Exponential Curves (Total $). Regions marked NC$ > C$ and C$ > NC$, with an Optimal Area to Balance Risk vs. Benefit.]

Figure 1 shows two opposing exponential curves depicting the
cost of noncompliance and compliance. The cost of noncompliance is determined to be a function of FDA's enforcement actions, including FDA Warning Letters, import detention, consent
decree, and the time and resources required to remediate FDA's
observations. The cost of compliance is determined to be a function of time and resources. The graph also shows that the state of
compliance is not dichotomous. Rather, compliance is a state of
operation determined by each company's interpretation of pertinent FDA regulations and their corporate culture applied to the
various business processes within the quality system. The three
levels of compliance are, therefore, subjective, as depicted by the
range for each level.
Figure 2 illustrates the beneficial movement of the cost of compliance curve manifested by process optimization and other internal cost reductions including consolidation of IT systems.
Therefore, companies can choose to improve their level of compliance in order to significantly reduce costs.

[Figure 2: Compliance Cost Model Reduced Through Process Optimization. Same axes and curves as Figure 1, with the Cost of Compliance Curve Enhanced Through Process Optimization. Annotation: Maintain Same Level of Compliance with Reduced Cost.]

A Win-Win Proposition for Life Sciences

Various life sciences companies have taken advantage of this
win-win proposition and leveraged their SAP ERP application
to support the following:
• Enterprise asset management
• Enterprise quality management
• Supplier quality management
• Laboratory information management systems (LIMSs)
• Problem reporting/corrective and preventive action execution
• Manufacturing execution/electronic batch record
• Qualifications management (training)
• Warehouse management

INTRODUCTION
[Figure 3: Life Sciences Compliance Model in Transition. The diagram shows the quality, package/label, lab control, facility/equipment, materials, and production systems of Compliance Policy Manual CPM 7356.002 (FDA 21 CFR 210 and 211), and an SAP GRC platform covering operational compliance (GxP controls, 21 CFR Part 11, audit trail, RFID/e-pedigree), financial compliance (SOX, FASB, Basel II, SEC), environmental compliance (waste management, hazardous material, occupational safety, emissions management), and global trade compliance (denied parties, import/export, documentation, duty), built on security, validation, and authentication, a services-oriented network architecture, and an enterprise resource planning foundation.]

These pharmaceutical, medical diagnostics, medical devices, and
biotechnology companies have promoted FDA compliance while
reducing their costs and maximizing their ROI.

The purpose of this document is to describe the functions and
features of SAP ERP that (in the opinion of SAP AG) demonstrate
technical compliance with U.S. FDA 21 CFR Part 11 Electronic
Records; Electronic Signatures Final Rule and several international good manufacturing practice (GMP) guidelines having
similar requirements. This document provides background information about the regulation, discusses how SAP ERP complies
with this rule, and provides examples of electronic records and
signatures within SAP ERP.
U.S. Food and Drug Administration

The U.S. Food and Drug Administration is a public health agency
that is charged with protecting American consumers by enforcing the U.S. Federal Food, Drug, and Cosmetic Act and other related public health laws. FDA regulates over US$1 trillion worth
of products, which account for 25 cents of every dollar spent
annually within the United States. These products include:
• Food for human and animal consumption
• Pharmaceuticals consisting of ethical, generic, and over-the-counter drugs for human use as well as medicines for animals
• Biological and related products including blood, vaccines, and biological therapeutics
• Medical devices
• Radiation-emitting devices such as microwaves
• Cosmetics
FDA monitors the manufacture, import, transport, storage, and
sale of these products by some 98,000 FDA-regulated businesses in
the United States alone and by several thousand international
organizations that conduct business in the United States.
Compliance with FDA regulations is a market requirement. In
addition, products require FDA approval before they can be marketed or sold in the United States. Noncompliance with any of
the laws enforced by FDA can be very costly in the form of recalls
and legal sanctions, such as import detentions. When warranted,
FDA seeks criminal penalties, including prison sentences, against
manufacturers and distributors.

21 CFR Part 11 Electronic Records; Electronic Signatures; Final Rule

FDA regulation 21 CFR Part 11 Electronic Records; Electronic Signatures; Final Rule (referred to here as Part 11) was the
result of a six-year effort by FDA (with input from the industry)
to supply all FDA-regulated companies with requirements on
how to maintain paperless (that is, electronic) record systems
while still complying with good clinical, laboratory, and manufacturing practices, such as:
• GMP: 21 CFR 110 (food), 210 (drugs in general, also includes GMP for biologics), 211 (finished pharmaceuticals), 820 (medical devices)
• Good laboratory practice (GLP) 58
• Good clinical practice (GCP) 50, 54, 56

The regulation also details very specific requirements for electronic and digital signatures, because FDA considers these signatures to be legally binding.
Since its publication more than nine years ago, this regulation
has been subject to evolving interpretations both by FDA and
industry.
In February 2003 FDA withdrew all Part 11 guidelines and the
Compliance Policy Guide. The reasons for the withdrawal are
discussed in the FDA document from August 2003, Guidance for
Industry Part 11, Electronic Records; Electronic Signatures
Scope and Application, as follows: ". . . concerns have been
raised that some interpretations of the part 11 requirements
would (1) unnecessarily restrict the use of electronic technology
in a manner that is inconsistent with FDA's stated intent in issuing the rule, (2) significantly increase the costs of compliance to
an extent that was not contemplated at the time the rule was
drafted, and (3) discourage innovation and technological advances without providing a significant public health benefit. These
concerns have been raised particularly in the areas of part 11 requirements for validation, audit trails, record retention, record
copying, and legacy systems."

Pharmaceutical cGMPs for the 21st Century: A Risk-Based Approach

In August 2002 FDA announced a significant initiative to enhance
the regulation of pharmaceutical manufacturing and product
quality by applying a scientific and risk-based approach to product quality regulation incorporating an integrated quality-systems approach to current good manufacturing practice
(cGMP). FDA has been developing a more systematic and rigorous, risk-based approach toward compliance and using good
science. A justifiable and documented risk assessment, and one
that is defensible, has become a predominant theme within
FDA's recent initiatives.

New Part 11 Guidance

As mentioned earlier, in August 2003 FDA published the final
guidance titled, Guidance for Industry Part 11, Electronic
Records; Electronic Signatures Scope and Application.
The final guidance delineates how FDA intends to reexamine
Part 11 and may propose revisions to that regulation. The approach outlined in the guidance is based upon the following:
• FDA intends to narrowly interpret the scope of Part 11 in an effort to clarify fewer records to be considered subject to Part 11
• FDA intends to exercise enforcement discretion with respect to certain Part 11 requirements for both legacy and current systems
• Predicate rule requirements for records subject to Part 11 will be enforced
• Hybrid systems necessary to comply with Part 11 requirements are acceptable
What has not changed? FDA's interpretation of the following
requirements has not changed:
• Controls for closed systems
• Controls for open systems
• Electronic signatures
Ultimately, companies must comply with applicable predicate
rules. Records that FDA requires be maintained or submitted
must remain secure and reliable in accordance with the predicate
rules.

DISCUSSION OF 21 CFR PART 11 RULE
Subpart A General Provisions
What Functionality in SAP ERP May Be Regulated?

FDA regulations encompass many functions in SAP ERP. The
only functional areas that may be completely excluded from the
FDA scope are finance (for example, financial accounting, controlling, and asset management components) and planning (for
example, demand management, forecasting, profitability analysis, and sales and operations planning components).
All other functional areas and components that are relevant to
FDA GxP must comply with Part 11 based upon the predicate
rules as follows:
• Logistics
• Materials management (MM)
• Plant maintenance (PM)
• Production planning (PP)
• Production planning, process industries (PP-PI)
• Quality management (QM)
• Sales and distribution (SD)
• Logistics execution (LE)
• Environment, health, and safety
• Human resources (HR), training information
• Warehouse management (WM)
• Central functions
• Batch management
• Handling unit management
• Document management
• Cross-application functionality for engineering change management
• Logging (audit trail reporting)
• Classification
• Document management

For additional information, Appendixes 1 and 2 contain the SAP
and FDA cGMP functionality matrix for both pharmaceuticals
and medical devices. These matrixes illustrate how the SAP ERP
application promotes compliance with these regulations and
provides guidance as to what functionality (and electronic
records) may be regulated by FDA.
Subpart B Electronic Records

FDA defines an electronic record as "any combination of text,
graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system." Applying
this comprehensive definition to SAP ERP, there are various types
of electronic records, such as:
• Configuration within the implementation guide
• Transports and business configuration sets used to migrate configuration from one system to another
• Master data such as the material master, vendor, resource, recipe, and customer
• Business processing objects such as purchase orders, process orders, and inspection lots
• Business process or transaction execution electronic records such as material documents
• Electronic or digital signatures
Other electronic record types maintain change and deletion
(that is, audit trail) information for the objects in SAP ERP mentioned above. These include:
• Change master record (engineering change management component)
• Change document object
• Table logging
Change Master Record

A change master record captures the changes made to master
data through the engineering change management (ECM) functionality in SAP ERP. Figure 4 illustrates the master data or object
types that can be managed using ECM.

[Figure 4: Linked Object Types in Engineering Change Management. Object groups shown: Master Data, Task Lists, Bill of Materials, Classification System (classes, characteristics), Documents, and Variant Configuration (configuration profile, object dependencies).]

Change master records provide a full audit trail or change
history of master data, including the reason for change.
Change Document Object

A change document object captures changes to fields within a
transaction and writes this information to a unique record. This
record is date and time stamped and maintains the old and new
values for each of the fields that have been changed, in addition
to the user ID of the person who made the change. A report is
run to query and display the audit trail record. These objects
may be active in the shipped version of SAP software or may require configuration for activation. Figure 5 illustrates a change
document object record for a resource substitution within a
master recipe.

Figure 5: Example of a Change Document Object for Master Recipe Change

Table Logging

Where change masters or change document objects do not exist,
an alternative method for maintaining an audit trail is required.
Activating the "log data changes" flag in the technical settings
of the table captures all the changes made to a specific table and
writes this information into a unique record maintained within
the DBTABLOG table. Any transaction executed within SAP ERP
includes multiple tables where the data is recorded and maintained. Therefore, to view the complete audit trail, a report is
run to query and display each record associated with a specific
event. The report provides all the required information for the
audit trail, including the system date and time stamps and the
old and new values for each of the fields that have been changed
within each table. The report can also provide the full, printed
name of the user instead of the user ID. Figure 6 illustrates the
table log record.

For customers with locations in multiple time zones, procedures
must be in place to define the time zone of the application server
and describe how the date and time stamp is to be interpreted by
each site. In addition, the procedures should include daylight
saving time requirements. These procedures should be included
in performance qualification testing.
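
To show why the site procedures above must pin down time zone and daylight saving handling, the following Python example (added here; it is not SAP code and not part of the original document) stores field-level change records with UTC time stamps and builds an audit trail report from them. The record layout, table and field names, user IDs, and fixed zone offsets are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fixed offsets, constructed for this example. A production system would
# resolve offsets from a time zone database instead of hard-coding them.
CET = timezone(timedelta(hours=1), "CET")    # Germany, standard time
EST = timezone(timedelta(hours=-5), "EST")   # New York, standard time
EDT = timezone(timedelta(hours=-4), "EDT")   # New York, daylight saving time


@dataclass(frozen=True)
class ChangeRecord:
    """Hypothetical field-level audit record (not SAP's table layout)."""
    table: str
    field: str
    old_value: str
    new_value: str
    user_id: str
    changed_at_utc: datetime


def record_change(table, field, old_value, new_value, user_id, local_time):
    """Store a change with its time stamp normalized to UTC."""
    if local_time.utcoffset() is None:
        # Without an offset the entry cannot be placed on the UTC timeline.
        raise ValueError("time stamp without UTC offset rejected")
    return ChangeRecord(table, field, old_value, new_value, user_id,
                        local_time.astimezone(timezone.utc))


def audit_trail(records, site_tz=timezone.utc):
    """Order records by UTC and render each time stamp for one site."""
    fmt = "%Y-%m-%d %H:%M %Z"
    return [
        {
            "utc": rec.changed_at_utc.strftime(fmt),
            "site_local": rec.changed_at_utc.astimezone(site_tz).strftime(fmt),
            "user_id": rec.user_id,
            "change": f"{rec.table}.{rec.field}: "
                      f"{rec.old_value} -> {rec.new_value}",
        }
        for rec in sorted(records, key=lambda r: r.changed_at_utc)
    ]


def chain_is_consistent(records):
    """For one table field: in UTC order, does each old value equal the
    new value written by the previous change?"""
    ordered = sorted(records, key=lambda r: r.changed_at_utc)
    return all(prev.new_value == cur.old_value
               for prev, cur in zip(ordered, ordered[1:]))


def sample_records():
    """Constructed changes around the U.S. return to standard time on
    2 November 2008, when 01:30 local time occurred twice in New York."""
    return [
        record_change("RECIPE", "RESOURCE", "MIXER-03", "MIXER-01",
                      "NY_USER_A", datetime(2008, 11, 2, 1, 30, tzinfo=EST)),
        record_change("RECIPE", "RESOURCE", "MIXER-02", "MIXER-03",
                      "DE_USER", datetime(2008, 11, 2, 7, 0, tzinfo=CET)),
        record_change("RECIPE", "RESOURCE", "MIXER-01", "MIXER-02",
                      "NY_USER_B", datetime(2008, 11, 2, 1, 30, tzinfo=EDT)),
    ]


if __name__ == "__main__":
    # Report as a site in Germany would read it.
    for row in audit_trail(sample_records(), site_tz=CET):
        print(row)
```

Both New York entries carry the same wall-clock time of 01:30, yet they are an hour apart and the change made in Germany falls between them; only the UTC ordering reproduces the sequence of old and new values.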
Electronic Copies for Inspection

Due to FDAs systems-based inspection approach, SAP ERP is often included in FDA inspections, as it is routinely used to support
the quality system and all other subsystems. Reports and electronic records can be printed or exported into several industrystandard formats such as Adobe PDF and XML.
Figure 6: Output of Table Log and Change Document Log
Retention and Maintenance of Electronic Records

Table logging may affect system performance depending on the


number of records that are generated. However, table logging is
only required in some instances. System configuration should be
reviewed when table logging requirements have been identified.
For further information, refer to the manual Electronic Records at
help.sap.com > SAP ERP > ERP Central Component > SAP ERP Central Component > Cross-Application Components > Electronic Records.

All electronic records can be maintained in the active database or


archived to accommodate all required retention periods even
when software is upgraded. Access to these records is secured
using authorization profiles that are standard in SAP software.
In addition, SAP ERP maintains the link between electronic signatures executed to electronic records even after archiving.
Hybrid Systems

Date and Time Stamp

SAP ERP uses Coordinated Universal Time (UTC) for change


master records, change document objects, and table logging
activities. UTC is unique and unequivocal.
To compare the local times of users in different time zones, SAP
software represents times differently externally and internally.
External representation of time corresponds to a contextdependent local time. For example, time is represented in Germany in Central European Time (CET) and in New York in Eastern Standard Time (EST). SAP software normalizes the internal
system time to UTC, which serves as a reference time. UTC corresponds to Greenwich mean time (GMT). By converting all local, relative times to absolute times based on UTC, the software
can compare times and use them in calculations.

As discussed in the new FDA Part 11 guidance, using hybrid systems as necessary to comply with Part 11 requirements is acceptable. Information that has been recorded in SAP software or activities that have been performed directly in SAP software can be
printed or exported into several industry-standard formats such
as Adobe PDF and XML. An example of a hybrid system with SAP
software is a batch record that includes printouts of process instruction sheets that have been executed by operators and quality
personnel.

11

All hybrid systems require procedural controls to maintain compliance and need to be included in the scope of each customers
computerized system validation.

Digital signature
Digital signature means an electronic signature based upon
cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the
identity of the signer and the integrity of the data can be
verified.
Closed system
Closed system means an environment in which system access
is controlled by persons who are responsible for the content of
electronic records that are on the system.
Open system
Open system means an environment in which system access is
not controlled by persons who are responsible for the content
of electronic records that are on the system.

Subpart C Electronic Signature

Digital Signature

Part 11 provides requirements under which FDA will consider


electronic records equivalent to paper records and electronic signatures equivalent to traditional handwritten signatures. Part 11
does not delineate where electronic records and electronic signatures are required. Instead, FDA specifies that these requirements
are defined by the predicate rule, such as current good manufacturing practice for finished pharmaceuticals (21 CFR Part 211)
and medical devices (21 CFR Part 820). It is important to note
that some passages implicitly call for signatures, for example,
wherever the words approved, signed, initialed, authorized,
rejected, or verified are used.

Throughout the SAP ERP application, the term digital signature is referenced in each dialog screen during signature execution and electronic record reporting. The term electronic signature is not referenced within SAP ERP. This is based upon SAPs
interpretation of the Part 11 signature definitions concerning the
use of cryptographic encryption techniques like Public-Key
Cryptography Standard #7 (PKCS #7). PKCS standards are specifications for secure information exchange using the Internet.
PKCS #7 is a format currently established in the market. All signatures executed within SAP ERP utilize cryptographic encryption techniques. Therefore, SAP defines all signatures within SAP
ERP to be digital signatures even when the SAP ERP application is
used in a closed system.

Another hybrid system with a different twist is part of a customer's corrective and preventative action (CAPA) program that uses
the quality notification component as the CAPA solution. In this
example, paper documents with handwritten approvals, including engineering and laboratory reports, are scanned into the
content server component and attached to investigations within
SAP ERP. Thus, an investigation within SAP ERP contains electronic records, including electronic signatures, executed as part
of the life cycle of the investigation and electronic images of documents that contain handwritten approvals.

Electronic and Digital Signatures in SAP ERP

Electronic and digital signature definitions are shown in 21 CFR Part 11 as follows:
Electronic signature
Electronic signature means a computer data compilation of
any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent to
the individual's handwritten signature.

To ensure the integrity of signatures within an electronic system
and protect against falsification and data corruption, FDA is clear
that the system must actively detect and prevent unauthorized
access including reporting these attempts to the system security
unit. Indeed, in comment 133 of the preamble, FDA equates the
significance of reporting and response of unauthorized access
with how individuals would respond to a fire alarm. To satisfy
the requirements defined in 11.300(d), SAP ERP provides the
following safeguards:
When the number of failed attempts (for either logon or signature) is exceeded, SAP ERP prevents the user from further access without intervention from the security administration.
Note: the number of failed attempts allowed is configurable.
SAP ERP generates and sends an express message to a defined
distribution list to notify the security administration in an immediate and urgent manner. In addition, any Messaging Application Programming Interface (MAPI)-compliant messaging system can be interfaced to SAP ERP to send this message
externally to e-mail systems such as Microsoft Exchange or
even a paging system.
An electronic record of all failed attempts (for either logon or
signature) is maintained in the security audit log. SAP ERP also
generates electronic records for the locking and unlocking of
users.

Digital user signature with verification is available as follows:


It is available in SAP software beginning with the first shipment
of SAP R/3 4.0B (1998).
An external security (third party) product is necessary. Users
execute digital signatures themselves using their private keys.
The executed signatures are automatically verified.
Information is available at the SAP Service Marketplace extranet at www.service.sap.com/security > Security in Detail >
Certified Security Partners and at www.sap.com/partners.
Crypto hardware and biometrics, using such elements as smart
cards and fingerprints, must support the PKCS #7 standard
data format. This mechanism is based on Secure Store and
Forward (SSF) mechanisms.

System signature with authorization by user ID and password is available as follows:


It is available in SAP software beginning with the first shipment
of SAP R/3 4.6C software.
It includes the use of the PKCS #7 standard.
No external security product is necessary. When logging on,
users identify themselves by entering their user IDs and passwords. SAP software then executes the digital signature. The
username and ID are part of the signed document.


Digital signatures in SAP ERP satisfy all applicable Part 11 requirements. (Please refer to the summary table in the section titled
How Does SAP ERP Comply with Part 11?)
Digital signatures are already implemented in SAP ERP for the
following business processes and components:
Production planning for process industries (PP-PI)
Process step completion within process instruction sheets and
acceptance of process values outside predefined tolerance limits (transaction code CO60)
Production planning for process industries (PP-PI)
Users of the soft logon process industry sheet service can only
display the process industry sheet; a dialog user is required to
log in and work on a process industry sheet (transaction code
CO60)
Execution steps (transaction code SXS) repository
Status change (transaction code for standard execution step
repository); approval, withdraw, obsolete
Engineering change management (ECM)
Status change of engineering change order; change number;
create and change (transaction codes CC01, CC02)
Engineering change management (ECM)
Status change of object management records (transaction code
CC22); conversion of a change request to a change order in engineering change management
Electronic batch record approval (transaction code COEBR)
Quality management (QM): Inspection lot; results recording
(transaction codes QE01, QE02, QE51N)
QM: Usage decision (quality disposition); record and change
(transaction codes QA11, QA12)
QM: Physical sample drawing (transaction codes QPR1, QPR2)
Quality notifications (transaction codes QM01/02); create and
change
Document management system (DMS)
Create or change (transaction codes CV01N, CV02N)
Collaboration projects application; sign-off project phases
using digital signatures in the SAP Interactive Forms software
by Adobe

Easy document management system (Easy DMS)
Front-end tool for DMS create or change (transaction codes
CV01N, CV02N), see SAP Note 941344
Learning solution
Digital signatures for follow-up course activities (transaction
code LSO_PV15), in learning portal business server pages (BSP),
and human capital management (HCM) learning software for
course confirmation
Approve payments (transaction code BNK_APP)
Where multiple signatures may be required, SAP ERP provides
signature strategies that define allowed signatures and the sequence in which they must be executed. Specifically, for quality
management results recording and usage decision, user statuses
can be configured to require multiple signatures.
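
The signature strategies described above can be modeled in a few lines. The following is an added example, not SAP code: the class names, user IDs, lot number, and the two meanings are constructed for illustration, and a SHA-256 digest of the record stands in for the PKCS #7 signature that SAP ERP produces.

```python
import hashlib
from datetime import datetime, timezone


def record_digest(content: bytes) -> str:
    """Digest that ties a signature entry to the exact record content."""
    return hashlib.sha256(content).hexdigest()


class SignatureStrategy:
    """Ordered steps: (meaning of the signature, user IDs allowed to execute it)."""

    def __init__(self, steps):
        self.steps = list(steps)


class SignedRecord:
    def __init__(self, record_id, content, strategy):
        self.record_id = record_id
        self.content = content            # bytes of the electronic record
        self.strategy = strategy
        self.signatures = []              # executed signatures, in order

    def sign(self, user_id, printed_name, meaning, comment=""):
        step = len(self.signatures)
        if step >= len(self.strategy.steps):
            raise PermissionError("all required signatures already executed")
        expected_meaning, allowed_users = self.strategy.steps[step]
        if meaning != expected_meaning:
            raise PermissionError(f"out of sequence: next signature is '{expected_meaning}'")
        if user_id not in allowed_users:
            raise PermissionError(f"{user_id} is not allowed to sign '{meaning}'")
        entry = {
            "record_id": self.record_id,
            "user_id": user_id,
            "printed_name": printed_name,
            "meaning": meaning,
            "comment": comment,
            "utc": datetime.now(timezone.utc).isoformat(),   # global time stamp
            "record_sha256": record_digest(self.content),
        }
        self.signatures.append(entry)
        return entry

    def is_complete(self):
        return len(self.signatures) == len(self.strategy.steps)

    def verify(self):
        """Return one problem string per signature that no longer matches this record."""
        current = record_digest(self.content)
        problems = []
        for i, sig in enumerate(self.signatures):
            if sig["record_id"] != self.record_id:
                problems.append(f"signature {i}: executed on record {sig['record_id']}")
            elif sig["record_sha256"] != current:
                problems.append(f"signature {i}: record changed after signing")
        return problems


def run_constructed_example():
    # Constructed strategy: lab results recording first, then the QA usage decision.
    strategy = SignatureStrategy([
        ("results recording", {"LAB01", "LAB02"}),
        ("usage decision", {"QA01"}),
    ])
    lot = SignedRecord("LOT-0001", b"assay=99.2%;spec=98.0-102.0%", strategy)
    rejected = []
    for args in [("QA01", "Q. Approver", "usage decision"),       # wrong sequence
                 ("QA01", "Q. Approver", "results recording")]:    # wrong signer
        try:
            lot.sign(*args)
        except PermissionError as exc:
            rejected.append(str(exc))
    lot.sign("LAB01", "L. Analyst", "results recording")
    lot.sign("QA01", "Q. Approver", "usage decision", comment="released")
    clean = lot.verify()
    lot.content = b"assay=97.0%;spec=98.0-102.0%"   # record altered after signing
    tampered = lot.verify()
    return lot, rejected, clean, tampered


if __name__ == "__main__":
    lot, rejected, clean, tampered = run_constructed_example()
    print(rejected, clean, tampered, sep="\n")
```

A bare digest only detects change; it does not stop someone who can rewrite the stored entry, which is why the real mechanism signs the data cryptographically.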

Figure 7: Execution of a Signature in the SAP ERP Application

All transactions and workflow of SAP ERP can include signature
functionality with the new encapsulated signature tool: If a digital signature is needed within SAP ERP where it's not implemented by the standard encapsulated signature tool in the
SAP NetWeaver Application Server (SAP NetWeaver AS) component, it can be implemented on a project basis. You must have
SAP NetWeaver AS 6.20 or higher to use the encapsulated signature tool. For further information, refer to the implementation
guide titled Digital Signature Tool (SAP Note #700495).
Date and Time Stamp for Signature

SAP ERP uses UTC as the global date and time stamp for signatures. UTC is unique and unequivocal.
Figure 8: Example of the Electronic Record of a Signature
Encapsulated Signature Tool in SAP ERP

A new feature in SAP ERP is the inclusion of an encapsulated
signature tool. This powerful functionality enables customers
to include signature functionality in any transaction or business
process within SAP ERP. Additional benefits of the signature
tool are:
Further modularization of digital signatures
Easier implementation of digital signatures in new processes
Creation of a uniform flexible programming interface; tools
can be integrated into any business areas either in SAP ERP or
in SAP Business Suite applications, such as the SAP Product
Lifecycle Management or SAP Customer Relationship Management applications

The local date and time stamp for the electronic record of a signature is available but must be configured: it is calculated from
UTC. Daylight saving time rules and the time zone are maintained within the user's profile.
Comment 101 in the preamble of Part 11 discusses date and time
local to the signer. In recent years, FDA has expressed at various
industry forums that this is not required as long as the global
date and time is unique and unequivocal and procedures are in
place to correctly interpret the local time.


HOW DOES SAP ERP COMPLY WITH PART 11?
The following table summarizes how SAP ERP complies with
each requirement of Part 11.

Part 11 Clause: Comments

11.10(a): All electronic records within the SAP ERP application provide adequate audit trails that can be reviewed for information. These records are secured from unauthorized access.

11.10(b): All electronic records generated in SAP ERP are accurate, complete, and presented in a human-readable format.

11.10(b): SAP ERP electronic records can be printed or exported into several industry-standard formats such as PDF and XML.

11.10(c): All electronic records can be maintained in the active database or archived to accommodate all required retention periods even when software is upgraded. Access to these records is secured using standard SAP authorization profiles. In addition, SAP ERP maintains the link between electronic signatures executed to electronic records even after archiving.

11.10(d): Robust security administration and authorization profiles assure system access. Changes to security profiles are recorded in SAP ERP.

11.10(e): SAP ERP automatically generates all electronic records for creating, modifying, or deleting data. These records are date and time stamped and include the user ID of the individual who was logged on the system and performed the action. Electronic records also maintain the old and new values of the change and the transaction used to generate the record.

11.10(e): Complementing the requirement in 11.10(c), all electronic records can be maintained in the active database or archived to accommodate all required retention periods. In addition, SAP ERP maintains the link between electronic signatures executed to electronic records.

11.10(f): Process instruction (PI) sheets used in manufacturing execution include sequence enforcement (operational checks) to enforce permitted sequencing of steps and events, as appropriate.

11.10(g): SAP ERP executes authority checks in conjunction with its robust security administration and authorization profiles to ensure only authorized individuals can access the system, electronically sign a record, and access or perform the operation at hand. SAP ERP also records changes to authorization profiles.

11.10(h): Input devices such as terminals, measurement devices, and process control systems, in addition to remote logon, are maintained through the same security administration features and require authorization profiles for connection to SAP ERP. In addition, device checks such as device type (for example, a weigh scale with specified range) and device status (such as calibrated) can be managed and controlled via classification features in SAP ERP to determine the validity of the source of information.

11.10(i): The Quality Management Manual for SAP development requires that all personnel responsible for developing and maintaining SAP ERP have the education, training, and experience to perform their assigned tasks. A wide range of additional education and training offerings and regular assessments of individual training requirements ensure a process of continuous learning for SAP staff involved in the development and support of all SAP software.

11.10(j): This clause covers a procedural requirement for customers and is not related to the functions of SAP ERP.

11.10(k): In SAP ERP, the document management system, which is part of the SAP Product Lifecycle Management application, can provide controls over the distribution, access, and use of documentation for system operation and maintenance. In addition, SAP ERP maintains the electronic records (audit trail) for revision and change control according to clause 11.10(e). Use of SAP online documentation and knowledge warehouse functionality requires procedural controls by customers to ensure compliance with this clause.

11.30: For open systems, SAP ERP supports interfaces with complementary software partners that supply cryptographic methods such as public key infrastructure (PKI) technology.

11.50(a): Electronic signature records within SAP ERP contain the following information:
The printed name of the signer
The date and time when the signature was executed, including the date and time local to the signer when multiple time zones are involved (see comment 101 in the preamble of Part 11)
The meaning (such as review, approval, responsibility, or authorship) associated with the signature. SAP ERP automatically records the meaning associated with the signature with standard descriptions of the activity the signature performed (inspection lot approval, results recording, and so on). In addition, customers can use the comment field to expand or clarify the meaning of the signature.

11.50(b): Electronic signature records are maintained in the same manner as all electronic records and can be displayed or printed in a human-readable format.

11.70: Electronic records of signatures are permanently linked to the executed electronic record. This link cannot be removed, copied, or transferred to falsify other electronic records by any ordinary means. As stated previously, this link remains when the electronic records are archived.

11.100(a): SAP ERP user and security administration functions provide robust system checks and configurable security procedures to establish and maintain a unique signature for each individual. This includes the prevention of reallocating a signature and deleting information relating to the electronic signature once it has been used.

11.100(b): This clause covers a procedural requirement for customers and is not related to the functions of SAP ERP.

11.100(c): This clause covers a procedural requirement for customers and is not related to the functions of SAP ERP.

11.200(a)(1): SAP ERP requires two distinct components (a user ID and a password) to perform each and every electronic signature. By design, SAP ERP does not support continuous sessions where only a single component is necessary subsequent to the first signing. For signatures executed outside of manufacturing (for example, in production planning for process industries), the user ID of the person logged on to the current session is defaulted only. When executing a signature, this user ID can be deleted and replaced by a different user. SAP ERP will require the user ID and the corresponding password to authenticate the identity of each user. The user who has successfully executed the signature will be recorded in the electronic record of the signature. Procedural controls must be in place to manage this process accordingly.

11.200(a)(2): This clause covers a procedural requirement for customers and is not related to the functions of SAP ERP.

11.200(a)(3): SAP ERP user and security administration functions ensure that the attempted use of an individual's electronic signature other than the genuine owner requires the collaboration of two or more individuals.

11.200(b): SAP ERP provides a certified interface to biometric devices such as fingerprint and retinal scanning devices. Look for certified vendors in the directory at www.sap.com/partners/directories/searchsolution.epx.

11.300(a): SAP ERP user and security administration functions provide the necessary controls to ensure that no two individuals have the same combination of identification code (user ID) and password.

11.300(b): SAP ERP can be configured to force users to change passwords at various intervals, and it provides system checks to prevent users from repeating passwords or using combinations of alphanumeric characters that are included in the user ID. User IDs can also be invalidated, for example, when an employee leaves the company.

11.300(c): This clause covers a procedural requirement for customers and is not related to the functions of SAP ERP.

11.300(d): SAP ERP provides the following features to satisfy 11.300(d):
When the number of failed attempts (for either logon or signature) is exceeded, SAP ERP prevents the user from further access without intervention from the security administration. Note: the number of failed attempts allowed is configurable.
SAP ERP generates an express message and sends it to a defined distribution list to notify the security administration in an immediate and urgent manner. In addition, any MAPI-compliant messaging system can be interfaced to SAP ERP to send this message externally to e-mail systems such as Microsoft Exchange or even a paging system.
An electronic record of all failed attempts (for either logon or signature) is maintained in the security audit log. SAP ERP also generates electronic records for the locking and unlocking of users.

11.300(e): This clause covers a procedural requirement for customers and is not related to the functions of SAP ERP.
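
The three 11.300(d) safeguards, listed in the table above and in the earlier discussion of signature integrity, can be exercised together in a small model. This is an added example, not SAP code: the class, event names, and addresses are constructed, and it assumes one failure counter per user shared by logon and signature attempts that resets on success.

```python
from datetime import datetime, timezone


class AccessGuard:
    """Toy model of lockout, urgent notification, and audit logging."""

    def __init__(self, max_failed, distribution_list, send):
        self.max_failed = max_failed              # configurable number of failed attempts allowed
        self.distribution_list = list(distribution_list)
        self.send = send                          # callable(recipient, message); hypothetical transport
        self.failed = {}                          # user -> failures since last success or unlock
        self.locked = set()
        self.audit_log = []                       # append-only electronic records

    def _audit(self, event, user, **detail):
        record = {"utc": datetime.now(timezone.utc).isoformat(),
                  "event": event, "user": user, **detail}
        self.audit_log.append(record)
        return record

    def attempt(self, user, kind, credentials_ok):
        """Process one logon or signature attempt; return 'ok', 'failed' or 'locked'."""
        if kind not in ("logon", "signature"):
            raise ValueError("kind must be 'logon' or 'signature'")
        if user in self.locked:
            # A locked user stays locked even with correct credentials.
            self._audit("REJECTED_LOCKED", user, kind=kind)
            return "locked"
        if credentials_ok:
            self.failed[user] = 0
            self._audit("SUCCESS", user, kind=kind)
            return "ok"
        count = self.failed.get(user, 0) + 1
        self.failed[user] = count
        self._audit("FAILED_ATTEMPT", user, kind=kind, count=count)
        if count > self.max_failed:               # allowed number exceeded
            self.locked.add(user)
            self._audit("USER_LOCKED", user, kind=kind)
            for recipient in self.distribution_list:
                self.send(recipient,
                          f"URGENT: user {user} locked after {count} failed attempts (last: {kind})")
            return "locked"
        return "failed"

    def unlock(self, user, admin):
        """Only the security administration clears a lock; the action is itself recorded."""
        if user not in self.locked:
            return False
        self.locked.discard(user)
        self.failed[user] = 0
        self._audit("USER_UNLOCKED", user, by=admin)
        return True


def run_constructed_scenario():
    outbox = []                                   # stands in for the messaging system
    guard = AccessGuard(max_failed=2,
                        distribution_list=["security-admin@example.invalid"],
                        send=lambda to, msg: outbox.append((to, msg)))
    results = [
        guard.attempt("JDOE", "logon", False),        # failure 1
        guard.attempt("JDOE", "signature", False),    # failure 2
        guard.attempt("JDOE", "signature", False),    # failure 3 exceeds 2: lock and alert
        guard.attempt("JDOE", "logon", True),         # correct password, still locked
    ]
    guard.unlock("JDOE", admin="SECADMIN")
    results.append(guard.attempt("JDOE", "logon", True))
    return guard, outbox, results


if __name__ == "__main__":
    guard, outbox, results = run_constructed_scenario()
    print(results)
    for record in guard.audit_log:
        print(record["event"], record["user"])
```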


OTHER INTERNATIONAL GMP GUIDELINES WITH SIMILAR PART 11 REQUIREMENTS AND SAP ERP

EU GMP Guideline

The GMP guideline of the European Medicines Agency (EMEA),
Directive 2003/94/EC, delineates the legal requirements for good
manufacturing practice in the EU, including the need to maintain a system of documentation. The main requirements affecting electronic records are that the data is available in human-readable form, available for the required time, and protected
against loss or damage.

ICH Guideline

The International Conference on Harmonization (ICH) guideline, ICH Q7A, called Good Manufacturing Practice Guide for
Active Pharmaceutical Ingredients, is the first GMP guideline
that has been harmonized for the United States, EU, and Japan.
ICH Q7A was published as Annex 18 of the EU GMP Guideline in July 2001. In addition, ICH Q7A has been adopted by Australia, Japan, and PIC/S.

The objective of this guideline is to provide requirements for ensuring reliability in using the electronic record and electronic
signature systems in those contexts.

Appendixes 4 and 5 provide summary tables that describe how
SAP ERP complies with EU-GMP, PIC/S, and ICH guidelines in
comparison to the Part 11 rule.

PIC/S Guidance

The Pharmaceutical Inspection Convention and Pharmaceutical
Inspection Co-operation Scheme (jointly referred to as PIC/S)
published guidance called Good Practices for Computerized
Systems in Regulated GxP Environments in July 2004. The guidance provides background information and recommendations
regarding inspection of and training concerning computerized
systems. It contains a section on electronic records and signatures aligned to EU GMP expectations.


SOFTWARE QUALITY
SAP has maintained ISO 9001 certification since 1994. The corresponding quality management system includes all standards that
control the structured development life cycle in place. The standards are binding for all employees in development and ensure
that SAP solutions are checked for completeness and correctness
against standardized checklists, have a standard quality when released, and are introduced to the market according to a defined
process. The process standards describing the development phases are standard SAP operating procedures. In addition, product
standards define the quality criteria for SAP solutions. All deliverables of the life-cycle phases are defined in a master list. The
adherence to the process and product standards is documented
in internal systems. Quality gates between the phases ensure that
the activities and deliverables defined by the master list are
complete.

SAP ERP has been developed according to this development life
cycle. Audits of the SAP development areas are carried out each
year by individual companies as well as industry groups such as
the Pharmaceuticals Validation Group. Pursuant to FDA's general principle of validation and given the fact that SAP software is
highly configurable, the SAP ERP configuration must be validated according to predetermined business requirements. Therefore, a validation methodology as part of a recognized development life cycle must be deployed to establish documented
evidence providing a high degree of assurance that the configured system performs as intended.


VALIDATION OF SAP ERP IN AN FDA-REGULATED ENVIRONMENT
SAP Solution Manager

The SAP Solution Manager application management solution
provides the integrated content, tools, and methodologies you
need to implement, support, operate, and monitor your enterprise's solutions in the life sciences industry.

Figure 9: SAP Solution Manager Application Management Solution (diagram labels: tool, content, methodologies, road maps, services, best practices, SAP Active Global Support, SAP Development, gateway to SAP, service delivery platform)


[Diagram labels: core business processes; implementation of SAP solutions; solution management; change request management; delivery of SAP services; service desk; update of SAP solutions]

With SAP Solution Manager you can manage your SAP software
throughout the entire life cycle to ensure reliability, reduce total
cost of ownership, and increase ROI. With SAP Solution Manager
you can perform the following:
Manage core business processes and link business processes to
underlying IT infrastructure
Support both SAP and non-SAP software, and get more from
existing IT investments
Manage user requirement specification (URS) documents,
which are descriptions of the functionalities that the customer
wants to run in the system
Use the road map functionality in SAP Solution Manager to
fully support documentation of the different phases of the
project, including predefined accelerators with versioning and
status management
Use the business blueprint in SAP Solution Manager to manage
and document all kinds of templates, documents, and so on,
with versioning, status management, and definition of electronic signatures
Integrate content, tools, and methods for implementation,
support, operation, and control
Conduct central administration, which provides control of
allocated, decentralized applications
Use automatic functions to evaluate problems
Manage change requests

Figure 10: SAP Solution Manager Supports All Phases of the Application Management Life Cycle (diagram labels: document, implement, train, test a deployment, support and maintain, monitor and optimize, control change, manage incidents; root cause analysis)


GAMP V-Model and Available SAP Tools

The figure below shows a high-level representation of this methodology. The V-model is a high-level concept illustration first
introduced by the Good Automated Manufacturing Practice
(GAMP) Forum, which was established by representatives from
major international companies to interpret and improve the understanding of regulations for the development, implementation, and use of automated systems in pharmaceutical manufacturing. The V-model has been enhanced to more closely
represent ASAP Focus methodology, but it remains consistent
with the formally recognized software development life cycle.

Figure 11: Enhanced V-Model Showing ASAP Focus Methodology and Available SAP Tools

Conduct system risk assessment:


Predicate rules GxP evaluation
Determine whether the computerized system is regulated by
any GxP predicate rules
Criticality assessment
Determine criticality of the computerized system based upon
the processes and data it manages or supports
Complexity assessment
Determine complexity of the computerized system based
upon technology, resources, software, and infrastructure
requirements
Determine validation level
The level of validation for the computerized system is determined by the results of the previous evaluation and
assessments.
Identify software category (such as GAMP 4.0)
Determine deliverables
Validation deliverables will be based upon each organization's
internal requirements and the assessment results
Define Part 11 requirements in:
Validation master plan (VMP)
Operational qualification (OQ)
Conduct GxP assessments at the business process level:
Determine GxP-relevant business processes and SAP software
objects
Determine GxP relevance at the transaction, object, or field
level

Validation Approach to Achieve Part 11 Compliance

In the Part 11 preamble (specifically, comments 64 through 68),
FDA discusses the validation of electronic systems and acknowledges the complexity and controversy of validating commercial
software. The agency also reiterates its general principle of validation that planned and expected performance is based upon
predetermined design specifications. The next sections discuss
the validation requirements both inferred and stated within
11.10(a). Key activities necessary to validate SAP ERP in compliance with Part 11 are as follows.

Configure software to activate complete audit trail reporting
and electronic signatures.


Develop security authorizations according to software development life cycle (SDLC). Establish functional requirements specification for job roles:
Use the business process master list (BPML) as the only source
of authorization profile development; this ensures unused,
nonvalidated business processes within SAP ERP are effectively
blocked from unauthorized access
Manage profiles similarly to configuration in regards to change
control and the SAP Transportation Management application
Test the system:
Conduct formal testing of Part 11 requirements based upon
risk assessment results
Create test objectives to demonstrate 21 CFR Part 11 compliance for each relevant clause of the regulation (For example,
11.10[b] challenges the creation of an accurate and complete
electronic record.)
Include negative testing of business-critical transactions (for
example, cGMP) in system testing of profiles; see Appendix 3
for a suggested list of cGMP-critical transactions
Train users:
Ideally, you should train users for all transactions within their
profile(s) (ref. 11.10[i]).
It is important to recognize the impact of the interpretation of
11.10(b), specifically the word "complete," as it pertains to electronic records generated in SAP ERP. To identify where Part 11
applies, a GxP assessment must be performed. Before conducting
this assessment, however, a strategy must be established to define
at what level relevance to GxP will be assigned: at the transaction or object level (for example, process order, material master,
and so on) or at the field level (for example, order quantity, but
not scheduling margin key for process order). This strategy is directly related to how the term "complete" is interpreted, that is,
whether it is interpreted as all the data contained within the
transaction or object itself or as only the data determined to be
GxP relevant. It is important to understand the impact of each
approach both from a compliance and system performance
perspective.


GxP relevance at the object level may significantly reduce the
risk of potential challenges to the system's compliance because
the boundaries of GxP and non-GxP at that level are more clearly
defined. Examples include a process order versus a planned order
or a resource versus a capacity. However, this approach increases
the amount of required configuration and can potentially affect
system performance.
GxP assessment at the field level requires fewer configurations
and does not affect system performance. However, this approach
potentially increases the risk of challenges to the system's compliance. Establishing GxP relevance at the field level increases the
granularity to which SAP ERP can be scrutinized, potentially invoking challenges field by field within transactions and master
data objects. Additional written justification is required to clearly
explain the assessment of why certain fields are not GxP relevant.
This approach can also be challenged with the technical argument that the integration of SAP software infrastructure maintains both GxP and non-GxP data within the same database
tables and business processes. Therefore, all data within these
tables and transactions is subject to the same level of control to
protect the integrity of the GxP data.

CONCLUSION
Based upon the interpretation of the Part 11 rule and the functions and features discussed within this document, SAP believes
that SAP ERP technically complies with the intent and requirements of 21 CFR Part 11 and several international good manufacturing practice guidelines.
SAP continues its long-standing partnership with the life sciences
industry and provides technology, tools, and solutions to its
pharmaceutical, medical diagnostics and devices, and biotechnology customers. SAP ERP provides a win-win opportunity for
customers to promote FDA and GMP compliance while reducing
their costs and maximizing their ROI.


REFERENCES
For more information, look up the following references, many of
which are found in the SAP Service Marketplace extranet (authorization required):

Parenteral Drug Association (PDA) Technical Report No. 32, Report on the Auditing of Suppliers Providing Computer Products and Services for Regulated Pharmaceutical Operations, PDA, 1999

EU GMP Guideline Commission Directive 2003/94/EC

PIC/S Guide to Good Manufacturing Practice for Medicinal Products, document PH 1/97 (rev. 3), PIC/S Secretariat, 9-11 rue de Varembé, CH-1211 Geneva 20

EU Annex 11 to the EU GMP Guideline Commission Directive 2003/94/EC

ICH Q7A Good Manufacturing Practice for Active Pharmaceutical Ingredients/EU Annex 18 to the EU GMP Guideline Commission Directive 2003/94/EC

Annex 11 to PIC/S Guidance Good Manufacturing Practice for Medicinal Products, PE 009-6 (Annexes), April 2007

PIC/S Guidance Good Practices for Computerized Systems in Regulated GxP Environments, July 2004

FDA Title 21 CFR Part 11 Electronic Records; Electronic Signatures; Final Rule, March 1997

Risk-Based Approach to 21 CFR Part 11, ISPE, white paper, 2002

IVT Computer & Software Validation & Electronic Records and Signatures Conference, April 28, 2003, George Serafin and Sharon Strause, Washington DC, presentation, Regulatory Requirements & Computer System Validation

IVT Computer & Software Validation & Electronic Records and Signatures Conference, September 18, 2003, George Serafin, Brussels, presentation, Validation of an ERP System

SAP ERP Solution Overview, SAP AG, 2007

FDA Title 21 CFR Parts 210, 211 Current Good Manufacturing Practice for Finished Pharmaceuticals, September 1978

FDA Title 21 CFR Parts 808, 812, 820 Medical Devices; Current Good Manufacturing Practice (cGMP); Final Rule, October 1996

What You Want to Know About Upgrading to SAP ERP, frequently asked questions document for SAP R/3 software customers, SAP AG, 2007

Global Solutions Without Boundaries, SAP solution brief, SAP AG, 2005

GAMP Good Practice Guide: Risk-Based Approach to Electronic Records & Signatures, April 2005

GAMP Guide for Validation of Automated Systems GAMP 4, December 2001

General Principles of Software Validation Final Guidance for Industry and FDA Staff, FDA CDRH, January 2002


User Productivity Enablement with SAP NetWeaver, SAP solution brief, SAP AG, 2007

SAP NetWeaver 2004s Security Guide, SAP AG, October 2005

SAP NetWeaver 2004 Security Guide, SAP AG, April 2004

SAP ERP 2004 and 2005 Security Guides, 2007

Digital Signatures in Practice, SAP technical brief, SAP AG, 2002

U.S. FDA Title 21 CFR Part 11 Compliance Assessment of SAP NetWeaver Audit Management Functionality, SAP document, Dr. Anja Modler-Spreitzer, Dr. Christoph Roller, SAP AG, March 2007

Digital Signatures in SAP Applications. SAP Web Application Server 640, SAP AG, 2003

Safeguarding Upgrades of Your SAP Applications, SAP solution brief, SAP AG, February 2007

U.S. FDA Title 21 CFR Part 11 Compliance Assessment of SAP NetWeaver, SAP document, Dr. Christoph Roller, Dr. Anja Modler-Spreitzer, SAP AG, December 2006

An Integrated Approach to Managing Governance, Risk, and Compliance, SAP document, SAP AG, 2006

U.S. FDA Title 21 CFR Part 11 Compliance Assessment of SAP Solution Manager, SAP document, Dr. Christoph Roller, Dr. Anja Modler-Spreitzer, SAP AG, February 2007

U.S. FDA Title 21 CFR Part 11 Compliance Assessment of the Interaction Center (IC) of SAP CRM, SAP document, Dr. Christoph Roller, Dr. Anja Modler-Spreitzer, SAP AG, December 2006

U.S. FDA Title 21 CFR Part 11 Compliance Assessment of SAP Environment, Health & Safety, SAP document, Dr. Anja Modler-Spreitzer, Dr. Christoph Roller, SAP AG, March 2007

U.S. FDA Title 21 CFR Part 11 Compliance Assessment of SAP Recipe Management, SAP document, Dr. Anja Modler-Spreitzer, Dr. Christoph Roller, SAP AG, May 2007

Automated Controls Monitoring, SAP solution brief, SAP AG, January 2007

Customized Access Control Applications to Ensure Regulatory Compliance, SAP solution brief, January 2007

Governance, Risk, and Compliance Management: Realizing the Value of Cross-Enterprise Solutions, SAP white paper, SAP AG, January 2007

SAP Solutions for Governance, Risk, and Compliance, SAP solution overview brochure, SAP AG, March 2007

SAP Security Guide, Volume II Introduction, Version 3.0, SAP AG, 2000

U.S. FDA Title 21 CFR Part 11 Compliance Assessment of SAP NetWeaver Business Intelligence, SAP document, Dr. Anja Modler-Spreitzer, Dr. Christoph Roller, SAP AG, February 2007

U.S. FDA Title 21 CFR Part 11 Compliance Assessment of mySAP SRM 4.0, SAP document, Dr. Christoph Roller, Dr. Anja Modler-Spreitzer, SAP AG, May 2007

U.S. FDA Title 21 CFR Part 11 Compliance Assessment of SAP Supplier Relationship Management 5.0, SAP document, Dr. Christoph Roller, Dr. Anja Modler-Spreitzer, SAP AG, January 2007


APPENDIXES
Appendix 1: SAP/FDA cGMP Functionality Matrix for Finished Pharmaceuticals
SAP ERP
Pharmaceutical cGMP 21 CFR Part 211

Materials Management

Warehouse Management

Production Planning/Process Industries

Data backup and recovery


Electronic/digital signature
Engineering change management
Process instruction sheets
Resource/equipment management
Security and authorizations
Sequence enforcement

Subpart D
Equipment

Subpart E
Control of components and drug product containers and closures

Approved vendors list


Bar-code interface
Batch management
Engineering change management
Expiration dating
Container management
Inventory management
Quarantine system

Bar-code interface
Inventory management
Quarantine system
Container management

Batch determination
Engineering change management
Active ingredient management

Subpart F
Production and process controls

Bar-code interface
Batch management
Engineering change management
Container management
Inventory management
Quarantine system
Picking list
Approved vendors list

Bar-code interface
Inventory management
Quarantine system
Container management
Task and resource management

Batch determination
Document management system interface

Electronic batch record


Electronic/digital signature
Engineering change management
Order management
Active ingredient management
Process industries process control system (PI-PCS) and process control connector (PCC) for operative procurement center data access (ODA)
Process instruction sheets
Process operator cockpit
Recipe management
Resource/equipment management
Sequence enforcement
Statistical process control
Subcontract manufacturing
Picking list

Subpart G
Packaging and labeling control


Bar-code interface
Batch management
Engineering change management
Expiration dating
Container management
Inventory management
Quarantine system

Bar-code interface
Inventory management
Quarantine system
Container management
Global label management

Batch determination
Document management system interface

Electronic batch record


Electronic/digital signature
Engineering change management
Order management
Label reconciliation
Process instruction sheets
PI-PCS and PCC for ODA
Sequence enforcement

Quality Management

Plant Maintenance

Test equipment calibration


Electronic/digital signature
Engineering change management
Equipment notifications

Plant equipment calibration


Engineering change management
Equipment management
Equipment status logbook
Preventative maintenance
Plant maintenance process controls system (PM-PCS) interface

Sales and Distribution

Electronic/digital signature
Engineering change management
Goods receipt inspection
Nonconformance reporting
Inspection data interface to logistics information management system (LIMS)


Quality disposition
Sample management
Source inspection
Statistical quality control
Supplier quality management

Electronic/digital signature
Engineering change management
Incoming/receiving inspection
In-process inspection
Nonconformance reporting
Postprocess inspection
Inspection data interface to LIMS
Quality disposition
Sample management
Statistical process control
Statistical quality control
Quality notifications
Supplier quality management

Calibration
Engineering change management
Equipment management
Equipment status logbook
PM-PCS

Electronic/digital signature
Engineering change management
Goods receipt inspection
In-process inspection
Nonconformance reporting
Postprocess inspection
Quality disposition
Sample management
Statistical quality control

Calibration
Engineering change management
Equipment management
Equipment status logbook


Industries

Materials Management

Warehouse Management

Subpart H
Holding and distribution

Bar-code interface
Batch management
Batch where-used list
Container management
Inventory management
Quarantine system

Bar-code interface
First-in, first-out and first-ended, first-out removal strategies

Material documents
Batch where-used list
Logistics and purchasing information system

Transfer orders
Inventory information system

Container management
Inventory management
Quarantine system
Material reconciliation

Container management
Inventory management
Quarantine system
Material reconciliation

Production Planning/Process Industries

Container management
Inventory management
Quarantine system

Subpart I
Laboratory controls

Subpart J
Records and reports

Subpart K
Returned and salvaged drug products


Electronic batch record


Electronic/digital signatures
Engineering change management
Master recipe
Process instruction sheets
Process orders
Change documents and audit trails
Shop-floor information system
Order information system

Quality Management

Plant Maintenance

Sales and Distribution

Batch determination

Calibration
Electronic/digital signature
Engineering change management
Equipment management
Incoming/receiving inspection
In-process inspection
Inspection methods
Nonconformance reporting
Postprocess inspection
Inspection data interface to LIMS
Quality disposition
Recurring inspection
Sample management
Statistical quality control
Test specification management
Stability studies

Calibration
Engineering change management
Equipment management
Equipment status logbook

Complaint management
Electronic/digital signatures
Engineering change management
Inspection lots
Inspection plans
Nonconformance reporting
Change documents, audit trails
Quality information system

Engineering change management


Equipment status logbook
Maintenance orders
Maintenance task lists
Change documents, audit trails
Maintenance information system

Returns Inspection
Complaint management
QM-IDI interface to LIMS
Electronic/digital signature
Quality disposition
Statistical quality control

Delivery notes
Sales orders
Sales and shipment information system

Return goods authorization


Appendix 2: SAP/FDA cGMP Functionality Matrix for Medical Devices


SAP ERP
Medical Device QSR 21 CFR Part 820

Materials Management

Warehouse Management

Production Planning/Process Industries

Subpart C
Design controls

Bills of materials
Substance, dangerous goods
Electronic/digital signature
Engineering change management
Material master records

Electronic/digital signature
Engineering change management
Master recipe
Process instruction sheets
Routings
Statistical process control
Security and authorization

Subpart D
Document controls

Document management system interface
Engineering change management

Document management system interface
Engineering change management

Subpart E
Purchasing controls

Approved vendors list

Subpart F
Identification and traceability

Bar-code interface
Batch management
Batch where-used list
Container management
Shelf-life expiration
Inventory management
Quarantine system
Serial number management

Bar-code interface
Container management
Inventory management
Quarantine system

Electronic batch record

Subpart G
Production and process controls

Bar-code interface
Batch management
Container management
Engineering change management
Inventory management
Quarantine system
Serial number management

Bar-code interface
Container management
Inventory management
Quarantine system
Task and resource management

Batch determination
Document management system
Electronic batch record
Electronic/digital signature
Engineering change management
In-process inspection
Order management
Process industries process control system (PI-PCS) and process control connector (PCC) for operative procurement center data access (ODA)
Process instruction sheets
Process operator cockpit
Recipe management
Resource/equipment management
Subcontract manufacturing
Sequence enforcement
Statistical process control


Quality Management

Plant Maintenance

Sales and Distribution

Electronic/digital signature
Incoming/receiving inspection
In-process inspection
Nonconformance reporting
Postprocess inspection
Inspection data interface to logistics information management system (LIMS)


Quality disposition
Statistical process control
Statistical quality control

Document management system interface
Engineering change management

Document management system interface
Engineering change management

Electronic/digital signature
Engineering change management
Quality information records
Quality notifications
Supplier quality management

Test equipment calibration


Electronic/digital signature
Engineering change management
Equipment management
Incoming/receiving inspection
In-process inspection
Nonconformance reporting
Postprocess inspection
Inspection data interface to LIMS
Sample management
Statistical process control
Statistical quality control

Plant equipment calibration


Engineering change management
Equipment management
Equipment status logbook
Preventative maintenance


SAP ERP
Medical Device QSR 21 CFR Part 820

Materials Management

Warehouse Management

Subpart I
Nonconforming product

Batch management
Container management
Inventory management
Quarantine system

Container management
Inventory management
Quarantine system
Returns handling

Subpart J
Corrective and preventative action

Container management
Inventory management
Quarantine system

Container management
Inventory management
Quarantine system
Lot genealogy (batch tracking)

Subpart K
Labeling and packaging control

Bar-code interface
Batch management
Engineering change management
Expiration dating
Container management
Inventory management
Quarantine system

Bar-code interface
Container management
Inventory management
Quarantine system
Global label management

Bar-code interface
Batch management
Batch where-used list
Container management
Inventory management
Quarantine system

Bar-code interface
Container management
First-in, first-out and first-ended, first-out removal strategies

Production Planning/Process Industries

Subpart H
Acceptance activities

Subpart L
Handling, storage, distribution, and installation

Inventory management
Quarantine system
Container management

Electronic batch record


Rework orders

Batch determination
Document management system interface

Electronic batch record


Electronic/digital signature
Engineering change management
In-process inspection
Label reconciliation
Order management
PI-PCS and PCC for ODA
Process instruction sheets
Sequence enforcement

Quality Management

Plant Maintenance

Sales and Distribution

Electronic/digital signature
Engineering change management
Incoming/receiving inspection
In-process inspection
Inspection methods
Nonconformance reporting
Stability studies
Postprocess inspection
Inspection data interface to LIMS
Quality disposition
Sample management
Source inspection
Statistical quality control
Test specification management
Electronic/digital signature
Nonconformance reporting
Quality disposition
Quality inspection
Complaint management
Electronic/digital signature
Nonconformance reporting
Inspection data interface to LIMS
Quality disposition
Corrective and preventive actions root cause analysis

Return goods authorization

Returns inspection
Statistical quality control
Electronic/digital signature
Engineering change management
Goods receipt inspection
In-process inspection
Nonconformance reporting
Postprocess inspection
Quality disposition
Sample management
Statistical quality control

Calibration
Engineering change management
Equipment management
Equipment status logbook

Installation inspection

Equipment management

Batch determination
Delivery notes
Sales orders


SAP ERP
Medical Device QSR 21 CFR Part 820

Subpart M
Records

Materials Management

Warehouse Management

Bills of materials
Material documents
Logistics and purchasing information system

Transfer orders
Inventory information system

Production Planning/Process Industries

Electronic batch record


Electronic/digital signatures
Engineering change management
Master recipe
Process instruction sheets
Process orders
Production orders
Routing
Shop-floor information systems

Subpart N
Servicing
Subpart O
Statistical techniques


Statistical process control

Quality Management

Plant Maintenance

Sales and Distribution

Complaint management
Electronic/digital signatures
Engineering change management
Inspection lots
Inspection plans
Nonconformance reporting
Quality information system

Engineering change management


Equipment status logbook
Maintenance orders
Maintenance task lists
Maintenance information system

Delivery notes
Sales orders
Sales and shipment information system

Service inspection
Spare-parts control

Service management
Spare-parts management

Statistical data interface


Sample management
Statistical process control
Statistical quality control


Appendix 3: FDA cGMP Critical Transactions List for Negative Testing of Security Profiles

Technical Data
1. SU01: Maintain authorizations
2. SE38: Execute program

Master Data
3. MM01: Create material
4. MM02: Change material
5. MMDE: Delete all materials
6. ME01: Maintain source list
7. MSC1: Create batch
8. MSC2: Change batch
9. BMBC: Batch management cockpit
10. COR1: Create process order with material

Transactional Data
11. COR2: Change process order
12. QA01: Create inspection lot
13. QA02: Change inspection lot
14. QA08: Mass change of quality management inspection data
15. QA11: Record usage decision
16. QA12: Change usage decision
17. QA14: Change usage decision without history
18. QA16: Collective usage decision for OK lots
19. QA32: Inspection lot selection
20. QAC1: Correct actual quantity in inspection lot
21. QAC2: Transfer inspection lot quantity
22. QAC3: Inspection lot reset sample calculation
23. QE01: Record results
24. QE02: Change results
25. QE51: Work list: results recording
26. QVM1: Inspection lots without inspection completion
27. QVM2: Inspection lots with open quantities
28. QVM3: Inspection lots without usage decision
29. QM01: Create quality notification
30. QM02: Change quality notification


Appendix 4: Compliance Summary Table of EU and PIC/S GMP Guidelines for Part 11 Requirements
EU Annex 11 to the EU GMP Guideline
Commission Directive 2003/94/EC
and PIC/S Guidance Good Manufacturing Practice for Medicinal Products

Comment

Personnel 1

This section is comparable to clause 11.10(i) in Part 11.

Validation 2

Validation is a procedural requirement for customers and is not related to the functions of the SAP ERP application. The quality management method used at SAP to ensure software quality describes those phases of
the software life cycle involved in developing and maintaining SAP software. SAP ERP has been developed
according to a formally recognized software development life cycle and has maintained ISO 9001 certification
since 1994. ISO 9001 requirements cover the development, production, sales, and maintenance of products
and services. This is comparable to clauses 11.10(e) and 11.10(k) in Part 11.

System 3

This section is a procedural requirement for customers and is not related to the functions of SAP ERP.

System 4

This section is a procedural requirement for customers and is not related to the functions of SAP ERP.

System 5

The quality management method used by SAP describes those phases of the software life cycle involved in
developing and maintaining SAP software. SAP ERP has been developed according to a formally recognized
software development life cycle and has maintained ISO 9001 certification since 1994. ISO 9001 requirements
cover the development, production, sales, and maintenance of products and services.

System 6

SAP ERP complies with these requirements. Warnings appear when users enter aberrant data, for example,
when a user records results in quality management or records process data in process instruction sheets. The
user is then prompted to confirm entry of this data before it is accepted. This is comparable to clause 11.10(h).
Otherwise, this is a procedural requirement for customers and is not related to the functions of SAP ERP.

System 7

This section is a procedural requirement for customers and is not related to the functions of SAP ERP.

System 8

This section is comparable to clauses 11.10(d), 11.10(e), and 11.10(g) in Part 11.

System 9

See System 6 and clause 11.10(f).

System 10

This section is comparable to clauses 11.10(a), 11.10(e), and 11.50(a)(b) in Part 11 with the exception that
Annex 11 specifically requires a reason for change for all critical data. When critical data cannot be managed
via ECM, the reason for change must be recorded by long text.

System 11

This section is a procedural requirement for customers and is not related to the functions of SAP ERP.

System 12

This section is comparable to clause 11.10(b) in Part 11.

System 13

This section concerns physical properties that are procedural requirements for customers and is not related to
the functions of SAP ERP. It is comparable to clauses 11.10(c) and 11.70 in Part 11.

System 14

This section is a procedural requirement for customers and is not related to the functions of SAP ERP.

System 15

This section is a procedural requirement for customers and is not related to the functions of SAP ERP.

System 16

This section is a procedural requirement for customers and is not related to the functions of SAP ERP.

System 17

This section concerns the quality management method used by SAP for SAP ERP and is comparable to
clauses 11.10(e) and 11.10(k). Otherwise, it is a procedural requirement for customers and is not related to the
functions of SAP ERP.

System 18

This section is a procedural requirement for customers and is not related to the functions of SAP ERP.

System 19

This section is comparable to clauses 11.10(d), 11.10(g), and 11.50(a) in Part 11.


Appendix 5: Compliance Summary Table of ICH Q7A Guideline for Part 11 Requirements
ICH Q7A Guideline, Annex 18 to the
EU Guide to Good Manufacturing
Practice

Comment

5.40

Validation is a procedural requirement for customers and is not related to the functions of the SAP ERP
application. The quality management method used by SAP describes those phases of the software life cycle
involved in developing and maintaining SAP software. SAP ERP has been developed according to a formally
recognized software development life cycle and has maintained ISO 9001 certification since 1994. ISO 9001
requirements cover the development, production, sales, and maintenance of products and services. This is
comparable to clauses 11.10(e) and 11.10(k) in Part 11.

5.41

The quality management method used by SAP describes those phases of the software life cycle involved in
developing and maintaining SAP software. SAP ERP has been developed according to a formally recognized
software development life cycle and has maintained ISO 9001 certification since 1994. ISO 9001 requirements
cover the development, production, sales, and maintenance of products and services.

5.42

This section is a procedural requirement for customers and is not related to the functions of SAP ERP.

5.43

This section is comparable to clauses 11.10(c), 11.10(d), 11.10(e), 11.10(g), 11.50(a)(b), and 11.70 in Part 11.

5.44

This section is comparable to clauses 11.10(e), 11.10(2) in Part 11.

5.45

SAP ERP posts warnings when users enter aberrant data, for example, when a user records results in quality management
or records process data in process instruction sheets. SAP ERP then prompts the user to confirm entry of this
data before it is accepted. This is comparable to clauses 11.10(f) and 11.10(h) in Part 11.

5.46

This section is comparable to clauses 11.10(a), 11.10(b), 11.10(c), and 11.10(e) in Part 11.

5.47

This section is a procedural requirement for customers and is not related to the functions of SAP ERP.

5.48

This section is comparable to clause 11.10(c). Otherwise, it is a procedural requirement for customers and is
not related to the functions of SAP ERP.

5.49

This section is a procedural requirement for customers and is not related to the functions of SAP ERP.

Authors:
Dr. Christoph Roller and Dr. Anja
Modler-Spreitzer
IBU Life Sciences, SAP AG


www.sap.com/contactsap

50 050 628 (08/02)
