Risk Assessment

Main Process

 

Applies a risk assessment to automated systems to enable the targeting of the validation effort to those areas and functions that most require it, including:

• Software validation regarding 21 CFR Part 820 (QSR)
• Level of validation effort regarding 21 CFR Part 820.70
• Criticality of the system

Remark

Procedural requirements for customers are not related to capabilities of SAP.

Detailed information:

Background

The goal of a project is to implement SAP R/3 as a company’s primary software for running business applications. FDA Quality System Regulation 21 CFR Part 820 (QSR) requires that when software is used to automate a production process or a part of the quality system, the software must be validated for its intended use (21 CFR Part 820.70(i)). For each software project, the level of validation effort must be determined and justified, as well as the specific combination of validation techniques to be used.

Purpose

Identifies the criticality of each requirement for the SAP R/3 system. These requirements were identified through the use of a prototyping methodology.

Identifies all functions/transactions within each SAP R/3 module to be implemented in Phase I. Specific detail is given to those functions that are controlled by the FDA Quality System Regulation 21 CFR Part 820. This regulation applies to any software that is used to automate device design, testing, component acceptance, manufacturing, labeling, packaging, distribution, and complaint handling, or to automate any aspect of the quality system.

Facilitates demonstration that the validation process is complete by accounting for and evaluating each business transaction script against the Quality System Regulation (QSR). It defines the scope for the validation master plan of SAP R/3 and will be maintained on an ongoing basis. Furthermore, this document can be viewed as a “compliance route map,“ delineating all SAP R/3 functions and the corresponding, relevant QSR sections where applicable.

Not included in this analysis are the BASIS module, security, and ABAP/4 programs. The BASIS module is recognized as a set of information technology administrative tools exclusively. This analysis is not applicable to security profiles and authorizations.

Results

Below are the results derived from the risk analysis. The results are presented in an SAP R/3 functionality matrix that includes all business transaction scripts. For completeness and information purposes only, this matrix includes business transaction scripts.

• SAP R/3 Functionality Matrix
• Script No. Description QSR Section No. or N/A - Justification

References

• FDA Quality System Regulation 21 CFR Part 820
• FDA General Principles of Software Validation, Final Guidance, January 2002
• SAP R/3 Business Transaction Scripts

• Software validation regarding 21 CFR Part 820 (QSR)
• Level of validation effort regarding 21 CFR Part 820.70
• Criticality of the processes

Detailed information:

Background The goal of the project is to implement SAP R/3 as a company’s primary software for running business applications. FDA Quality System Regulation 21 CFR Part 820 (QSR) requires that when software is used to automate a production process or a part of the quality system, the software must be validated for its intended use (21 CFR Part 820.70(i)). For each software project, the level of validation effort must be determined and justified, as well as the specific combination of validation techniques to be used.

Purpose

Identifies the criticality of each requirement for the SAP R/3 system. These requirements were identified through the use of a prototyping methodology.

Identifies all functions/transactions within each SAP R/3 module to be implemented in Phase I. Specific detail is given to those functions that are controlled by the FDA Quality System Regulation 21 CFR Part 820. This regulation applies to any software that is used to automate device design, testing, component acceptance, manufacturing, labeling, packaging, distribution, and complaint handling, or to automate any aspect of the quality system.

Facilitates demonstration that the validation process is complete by accounting for and evaluating each business transaction script against the Quality System Regulation (QSR). It defines the scope for the validation master plan of SAP R/3 and will be maintained on an ongoing basis. Furthermore, this document can be viewed as a “compliance route map,” delineating all SAP R/3 functions and the corresponding, relevant QSR sections where applicable.

Not included in this analysis are the BASIS module, security, and ABAP/4 programs. The BASIS module is recognized as a set of information technology administrative tools exclusively. This analysis is not applicable to security profiles and authorizations.

Strategy

Each SAP R/3 module’s utilized functionality is detailed by “Solution Specifications” created by the SAP R/3 project team. These scripts focus on individual SAP R/3 transactions and describe, in both a narrative and functional manner, how this transaction will be used by the business and what information will be processed by this transaction. These scripts were reviewed for compliance with the FDA QSR sections listed below. The QSR section number has been included as a reference and will be listed in the SAP R/3 functionality matrix next to the appropriate script.

Subparts A & B of 21 CFR Part 820 are not included since neither address specific quality system requirements.

Design Controls (820.30) - Design and development planning; design input, output, review, verification, validation; design transfer (to production specifications), changes, and history file.

Document Controls (820.40) - Document approval and distribution; document changes.

Purchasing Controls (820.50) - Evaluation of suppliers, contractors and consultants; purchasing data.

Identification (820.60) - Identifying product during all stages of receipt, production, and distribution to prevent mix-ups.

Traceability (820.65) - Identifying with a control number each unit, lot, or batch and components.

Production and Process Controls (820.70) - Documented instructions, SOPs and methods; monitoring and controlling of process parameters, components, and device characteristics; the approval of processes and process equipment; production and process changes; environmental controls; contamination controls; equipment maintenance, inspection, adjustment, calibration; manufacturing materials; automated processes. This includes inspection, measuring, and test equipment (820.72) and process validation (820.75). Receiving, In-Process, and Finished Device Acceptance (820.80)

Receiving acceptance activities (incoming product conformance); in-process acceptance activities (product is controlled until verification activities are completed); final acceptance activities (product is adequately controlled until release); acceptance records. This includes acceptance status (820.86). Non-conforming product (820.90)

Control of non-conforming product; non-conformity review and disposition, including rework and re-evaluation activities.

Corrective and Preventive Action (820.100)

Device Labeling (820.120) - Label integrity, inspection, and storage; labeling operations to prevent mix-ups; device control numbering.

Device Packaging (820.130) - Packaging and shipping containers are designed to protect the product during processing, storage, handling, and distribution.

Handling (820.140) - Ensure that mix-ups, damage, deterioration, contamination, etc., do not occur to the product.

Storage (820.150) - Control of storage areas, stock rotation, and methods for authorizing receipt from and dispatch to storage areas.

Distribution (820.160) - Ensure that only products approved for release are distributed. Ensure that expired or obsolete products are not distributed. Maintain records including name and address of initial consignee, identification, and quantity of product shipped, date shipped, and any control numbers. Records, Including General Requirements (820.180), Device Master Record (820.181), Device History

Record (820.184), and Quality System Record (820.186).

Results

Below are the results derived from the risk analysis. The results are presented in an SAP R/3 functionality matrix that includes all business transaction scripts in Phase I and corresponding, relevant QSR sections. For completeness and information purposes only, this matrix includes business transaction scripts that have become obsolete consequent to Phase I design or have been reassigned to another script.

• SAP R/3 Functionality Matrix
• Script No. Description QSR Section No. or N/A - Justification
• Controlling Module - (CO) CCA01B Cost Centers and Standard Hierarchy and Groups N/A - Financial transactions only
• CCA02B Cost Elements and Groups N/A - Financial transactions only
• CCA03B Activity Types/Groups N/A - Financial transactions only
• CCA04B Statistical Key Figures N/A - Financial transactions only
• CCA05B Internal Orders/Groups –and Master Data N/A - Financial transactions only
• CCA06B Planning Activity Quantities and Prices N/A - Financial transactions only

Conclusions

Based upon the above results, it is concluded that a significant amount of functionality within SAP R/3 is controlled by the Quality Systems Regulation, especially in the areas of purchasing controls, identification, and traceability; production and process controls; and handling, storage, and distribution. Although the entire SAP R/3 system will be validated to satisfy business requirements, particular attention will be given to those transactions that are controlled by QSRs to ensure compliance with the intent of this FDA regulation.

The only SAP R/3 modules determined not to be controlled by the Quality System Regulation are the finance and controlling modules. In addition, SAP R/3 functionality with respect to planning, scheduling, and general business practices, were also found not to be regulated by the Quality System Regulation.

References

• FDA Quality System Regulation 21 CFR Part 820
• FDA General Principles of Software Validation, Final Guidance, January 2002
• SAP R/3 Business Transaction Scripts