Compliance Response Electronic Records / Electronic Signatures for COMOS V10.0

Transcription

1 Compliance Response Electronic Records / Electronic Signatures for COMOS V10.0 SIEMENS AG Industry Sector I IA VSS Pharma D Karlsruhe, Germany pharma@siemens.com November 2013 SIEMENS AG

2 Table of Contents Introduction The Requirements in Short Meeting the Requirements with COMOS Life Cycle and Validation of Computerized Systems Suppliers and Service Providers Data Integrity Centrally managed data Managing of documents with COMOS PQM (Project Quality Management) Workflow suport Backup & Restore Audit Trail, Change Control Support Working layer Audit Trail / History Monitoring Revisioning / Versioning of documents System Access, Identification Codes and Passwords Electronic Signature Evaluation List for COMOS Life Cycle and Validation of Computerized Systems Suppliers and Service Providers Data Integrity Audit Trail, Change Control Support System Access, Identification Codes and Passwords Electronic Signature Open Systems Appendix A references SIEMENS AG 2013

3 Introduction Introduction Life science industries are increasingly basing key decisions on regulated records that are often being generated, processed and kept electronically. Further than that reviews and approval of such data are also being provided electronically. Thus the appropriate management of electronic records and electronic signatures become an important topic for the life science industries. Accordingly regulatory bodies defined criteria under which electronic records and electronic signatures will be considered being as reliable and as trustworthy as paper records and handwritten signatures executed on paper. These requirements have been set forth by the US FDA in 21 CFR Part 11 1 (in short: Part 11) and by the European Commission in Annex 11 to chapter 4 of the EU GMP Guideline 2 (in short: Annex 11). Since requirements on electronic records and electronic signatures are always tied to a computerized system being in a validated state, both regulations also include stipulations on validation and life-cycle of the computerized system. Application of Part 11 and Annex 11 (or their corresponding implementation in national legislation) is mandatory for the use of electronic records and electronic signatures. However, these regulations are only valid within their defined scope. The scope of both regulations is defined by the regional market the finished pharmaceutical is distributed to, and by whether or not the computerized systems and electronic records are used as a part of GMP-regulated activities (see Part and Annex 11 Principle 2 ). Supplemental to the regulations a number of guidance documents, good practice guides and interpretations have been published in recent years to support the implementation of the regulations. Some of them are being referred to within this document.. To help its clients, Siemens as supplier of COMOS evaluated version 10.0 of the system with regard to these requirements and published its results in this Compliance Response. Due to its level of detail, this analysis is based on the regulations and guidelines mentioned above. COMOS V10.0 fully meets the functional requirements for the use of electronic records and electronic signatures. Operation in conformity with the regulations is ensured in conjunction with organizational measures and procedural controls to be established by the client (the regulated company). Such guidelines are mentioned in section 3 of this document. This document is divided into three parts: chapter 1 provides a brief description of the requirement clusters, while chapter 2 introduces the functionality of COMOS V10.0 as means to meet those requirements. Chapter 3 contains a detailed system assessment on the basis of the single requirements of the according regulations CFR Part 11 Electronic Records; Electronic Signatures, US FDA, March 20 th 1997 (revised as of April 1st, 2013) 2 Volume 4 Good Manufacturing Practice Medicinal Products for Human and Veterinary Use / Annex 11: Computerised Systems, European Commission / EudraLex, June 30 th 2011 SIEMENS AG

4 1 The Requirements in Short Annex 11 and Part 11 take into account that the risk of manipulation, misinterpretation and changes without leaving a visible trace is higher with electronic records and electronic signatures, than with conventional paper records and handwritten signatures. Furthermore the means to restrict access to electronic records to authorized individuals are very different to those required to restrict access to paper records. Additional measures are required for such reasons. The terms electronic record / electronic document mean any combination of text, graphics, data, audio, pictorial or other information representation in digital form, that is created, modified, maintained, archived, retrieved or distributed by a computer system. The term electronic signature means a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual s handwritten signature. Since electronic signatures are also considered being electronic records by themselves, all requirements on electronic records are applied to electronic signatures too. The following table provides an overview of the requirements from both regulations. Requirement Life Cycle and Validation of the Computerized System Suppliers and Service Providers Data Integrity Audit Trail, Change Control Support System Access, Identification Codes and Passwords Description Computerized systems used as a part of GMP-related activities must be validated. The validation process should be defined using a risk-based approach. It should cover all relevant steps of the lifecycle and must provide appropriate documented evidence. The systems functionality should be traceable throughout the lifecycle by being documented in specifications or a system description. A formal change control procedure as well as an incident management should be established. Periodic evaluation should confirm that the validated state of the system is being maintained. Since competency and reliability of suppliers and service providers are considered as key factors, the supplier assessment should be chosen using a risk-based approach. Formal agreements should exist between the regulated user and these 3 rd parties, including clear responsibilities of the 3 rd party. Under the requirements of both regulations electronic records and electronic signatures must be as reliable and trustworthy as paper records. The system must provide the ability to discern altered records. Built-in checks for the correct and secure handling of data should be provided for manually entered data as well as for data being electronically exchanged with other systems. The system s ability to generate accurate and complete copies is essential for the use of the electronic records for regulated purposes. Beside recording changes to the system itself as mentioned above, both regulations require that changes on GMP-relevant data are being recorded. Such audit trail must include information on the change (before / after data), the identity of the operator, a time stamp, as well as the reason for the change. Access to the system must be limited to authorized individuals. Attention should be paid to password security. Changes on the configuration of user access management should be recorded. Periodic reviews should ensure the validity of identification codes. Procedures should exist for recalling access rights if a person leaves and for loss management. Special consideration should be given to the use of devices that bear or generate identification code or password information. 4 SIEMENS AG 2013

5 The Requirements in Short Requirement Electronic Signature Open Systems Description Regulations consider electronic signatures being legally binding and generally equivalent to handwritten signatures executed on paper. Beyond requirements on identification codes and passwords as stated above, electronic signatures must be unique to an individual. They must be linked to their respective electronic record and not be copied or otherwise being altered. Open systems might require additional controls to ensure data integrity and confidentiality. SIEMENS AG

6 2 Meeting the Requirements with COMOS The following sections provide an overview how the regulatory requirements mentioned in section 1 can be fulfilled while working with COMOS. Nonetheless detailed recommendations and instructions are described in the COMOS documentation as mentioned and referred to in the following overview. 2.1 Life Cycle and Validation of Computerized Systems Although Annex 11 in 1992 and Part 11 in 1997 underlined that a computerized systems should be subject to validation, it was not until the 2011 revision of Annex 11, that a comprehensive set of criteria for the validation of the system and its life-cycle had been introduced. Nonetheless the requirements to validate a computerized system and to keep it in a validated state had long been a part of regulations other than Part 11 and Annex 11. Which had been the motivation for the ISPE 3 to publish practical guidance like the Baseline Guide 4, the GAMP 5 5 guide as well as the GAMP Good Practice Guides. Thus the systems life-cycle as well as the approach to validation should be defined considering the guidance from the GAMP 5 guide. The guide also includes a number of appendices for life-cycle management, system development and operation of computerized systems. Since most pharmaceutical companies already have a validation methodology for computerized systems as a part of their process landscape, it is preferable to setup the systems life-cycle and validation according to these. 2.2 Suppliers and Service Providers Especially Annex 11 introduces a number of requirements for the selection of suppliers and risk-based supplier assessments in its sections three (Suppliers and Service Providers) and four (Project Phase). These requirements are also congruent with the recommendations of GAMP 5 Annex 11. Siemens as the manufacturer of COMOS is operating its business based on its Quality Management System and its Product LifeCycle Management Process. 2.3 Data Integrity Centrally managed data The integrated COMOS software concept is based on object orientation. Components are described holistically and displayed graphically in their true-to-life representation. The graphical and data related description, which includes all data associated with the component, forms a single unit within the database The complete plant information is stored in a central database. As a result, all disciplines and departments involved in the engineering and operating phases always access the same data for a given object. Changes to objects or documents are thus available to every user directly within the relevant engineering document. Related data sheets, lists, and other documents are linked to the 3 ISPE; International Society of Pharmaceutical Engineers, 4 Baseline Pharmaceutical Engineering Guides for New and Renovated Facilities, 5 GAMP 5 A Risk-Based Approach to Compliant GxP Computerized Systems, ISPE, SIEMENS AG 2013

7 Meeting the Requirements with COMOS corresponding objects. Every change of an object is checked against in build validation rules, before the change is performed. Figure 1: Object orientation in COMOS COMOS manage data centrally in the network. Thus, the PCs of users are "clients" and access a common "server". If multiple clients in networks work with a common stock of data, it is necessary to ensure that all information is constantly updated on all stations. This necessary constant data exchange and the corresponding coordination is ensured in COMOS by the Cache Validation Service (CVS). More information about the CVS can be found in Managing of documents with COMOS PQM (Project Quality Management) The operation of a plant requires numerous documents which are very important for information brokering, tracking and quality control. Apart from the documents created by COMOS, you also need certain external documents, such as device specifications from the manufacturer, communication with customers, old inventory documents of other software suppliers, etc. There is no need, however, to fully integrate these documents, as they do not have to be edited in the COMOS applications. COMOS PQM enables the complete mapping of technical plant documentation due to simple management of external documents. Nevertheless, structured and simple management of the documents is required in order to be able to access external documents quickly. 6 Infrastructure planning, Operating Manual, 09/2011, A5E SIEMENS AG

8 COMOS PQM (Project Quality Management) enables complete technical mapping of the plant in one database. External documents including metadata are attached to the objects on the basis of object orientation. Mandatory Metadata are defined per document type and their completeness is checked before a document can be checked in. Figure 2: Metadata for a document object in COMOS PQM 7 COMOS PQM differentiates plant documentation from project documentation. Plant documentation includes the latest documents and describes the as-built status of the plant. Project-specific changes can be made without changing the plant documentation. Figure 3: Plant and project documentation This is accomplished using working layers with different views of the plant documentation. In this way, you can test and optimize projects in a safe environment. Once engineering is complete and the changes accepted, the project-specific changes can be integrated into the plant documentation. Next to that it is possible to archive the changes inside the database with history tracking and locking the working layer against further changes. 7 PQM, Operating Manual, 08/2011, A5E SIEMENS AG 2013

9 Meeting the Requirements with COMOS Workflow Support Pre-configured processes can be defined in COMOS workflows based on the integrated Windows Workflow Foundation technology. Figure 4: COMOS workflows The COMOS workflow consists of individual tasks. The single tasks are connected with each other with the Workflow Designer by means of a simple flow diagram. Specific User and/or user groups can be assigned to each task to ensure the correct sequence of working steps as described in the Workflow Operating Manual Backup & Restore COMOS data consists of two components: The actual database in which information regarding the COMOS objects and all administrative information is stored. An associated document directory in which the report files are stored. To ensure data consistency, the database and the document directory need to be back up at the same time. Depending upon which architecture is implemented, either standard platform functionality or software can be used to backup and retrieve electronic records. The implementation of the archiving tools and software is varied per installation to optimize the archiving of records. Optional additional integrity can be achieved through the use of standard technologies such as RAID. The end user is responsible for maintaining the records throughout the retention period. The Maintenance Operation Manual 9 provides further guidance. 8 Workflow, Operating Manual, 02/2011, A5E Maintenance, Operating Manual, 09/2011, A5E SIEMENS AG

10 2.4 Audit Trail, Change Control Support Working layer Simultaneous engineering is the simultaneous implementation of originally consecutive work steps and plays a decisive role in efficient plant engineering. With the innovative working layer technology, COMOS enables optimum implementation of simultaneous engineering. Working layers are different views of the same plant data. Thus, engineering data and plant objects can be processed by several users in parallel, without changing the original database of the plant. The implemented work steps can then easily be consolidated with the original plant data and released in the as built status of the plant. Furthermore, the working layer technology is very well-suited for running through various scenarios in a secure environment. For example, different planning statuses can be extensively tested and optimized. Multiple working layers can be created side-by-side and compared. Figure 5: COMOS Working Layer technology Working layers are overlapping views of an engineering project in which work can be performed in parallel without manipulating the common database. They can be used to version control projects (unlimited number of versions) and allow access to deeper-lying working layers as well as creation of objects in the working layer s own layer. Thus, changes can first be tested and then if necessary rejected and deleted. See the Basic Operation Operating Manual 10 for further details. 10 Basic Operation, Operating Manual, 08/2011, A5E SIEMENS AG 2013

11 Meeting the Requirements with COMOS Audit Trail / History Monitoring The Audit trail/history monitoring feature provides an overview of the changes made within the working layers, when they are released into the released area. The aim of the project history is to track the project-based release of all objects. History entries permanently store the various editing states of the data, but only if it concerns validated data. According to the working layer model in COMOS, there are therefore only history entries for Level 0 (zero), this being the released area. The released area includes the validated data, while the subsequent working layers can only include data that is still incomplete or has not been checked yet. Figure 6: Create a history entry When a working layer is released into the released area, a backup copy of the objects is created in advance. The backup copy contains all own data. All data that only shines through are not saved in the backup copy. This applies both to inherited attribute values and to information that was applied from references. A time stamp is automatically written to the history entry as well Figure 7: Object history An overview of all history entries can be listed in the "Working layer/history management" context menu. Also s See the Basic Operation Operating Manual 10 for further details. SIEMENS AG

12 2.4.3 Revisioning / Versioning of documents COMOS native (Internal) and third party (external) documents can be easily revised within COMOS. Different users can review a document which is then released in a final step. The released document is then available as Adobe PDF and can no longer be edited. The history such as author, review steps, person responsible for release etc. is attached to the respective object in the form of metadata The software provides the option to implement controlled individual or bulk revisions of centrally collected and stored data. Various workflows are available for this purpose, which can be preconfigured in the system for the specific document type. These workflows ensure an efficient, controlled project flow. In COMOS the revision information is displayed form of a table. Figure 8: Revision Table The revision table contains the information which revision step was performed by whom and when 11. All external documents are automatically archived in COMOS. Archiving takes place with versioning: COMOS archives automatically a version of the document, when it is checked in for the first time. Before a document can be edited, it needs to be checked out. During the checkout process a completely new version of the document is created. All previous versions of the document are kept and can be accessed at any time. No data is lost and you can always trace who made which changes to the document at a specific time. If necessary, old versions can also be recalled and declared to be the current version once again. Figure 9: Document version history A detailed description of the COMOS document version management can be found in the PQM Operating Manual Revisions, Operating Manual, 09/2011, A5E SIEMENS AG 2013

13 Meeting the Requirements with COMOS 2.5 System Access, Identification Codes and Passwords During the COMOS start users identify themselves with their windows system user credentials. Figure 10: COMOS logon Individual users and their assignment to Windows user groups are defined in the Windows user administration. When logging into the database, each user is automatically created as a user in the COMOS user management with his system login name. Thereby the following access security requirements are fulfilled: Central user management (setup, deactivation, blocking, unblocking, assignment to user groups) by the administrator Unique combination of a user identification (user ID) and password Definition of access rights for groups and users Access and authorization levels depending on specific plant areas Password aging: The user is forced to change his/her password on expiration of a configurable time; the password can be reused only after n generations. The system can prompt the user to define a new password at initial logon (initial password). The user is automatically blocked after a configurable number of failed logon attempts and can only be unblocked by the administrator. Automatic logoff (auto-logout) after a configurable idle time of the keyboard and mouse Log functions for actions related to access security, such as logon, manual and automatic logoff, input of incorrect user ID or password, user blocked after several attempts to enter an incorrect password, and password change by user. Initially a COMOS user has no rights in the database until an administrator grants it. All COMOS user rights are based on the individual rights as well as the rights of those COMOS user groups of which the user is a member of. Both the individual rights and the rights of the COMOS user group can derive from the user management as well as from the object management. 12 PQM, Operating Manual, 08/2011, A5E SIEMENS AG

14 Apart from the meta-rights, which are not related to a specific project, rights always only take effect within a project. It does not matter if this concerns an object right, a function right or the assignment of working areas; the assigned rights are valid for a specific project only Electronic Signature Documents can be signed with a digital signature using the esign technology. esign enables the user to carry out a revision step and link it to your electronic signature. The signature is protected by a personal password. COMOS uses PFX certificates to sign a document digitally. In case of signing the document COMOS verifies if the certificate is a valid PFX file and if the entered password matches the password saved in the PFX file. Figure 11: COMOS esign If the verification is successful, the data relevant for the electronic signature is saved in the database. With the help of the estamp functionality the electronic signature is visualized on the PDFfile. Figure 12: estamp on P&ID Modifications to PDF documents with digital signature are monitored by COMOS and the validity or invalidity of the contents of documents is indicated with estamp technology Rights, Operating Manual, 09/2011, A5E Revisions, Operating Manual, 09/2011, A5E SIEMENS AG 2013

15 Evaluation List for COMOS 3 Evaluation List for COMOS The following list of requirements includes all regulatory requirements from 21 CFR Part 11 as well as from Annex 11. All requirements are structured in the same way introduced in part 1 of this Compliance Response. The enlisted requirements fully considers both regulations, regardless if technological or procedural controls or a combination of both are needed to fully Part 11 and Annex 11 The answers include if applicable how the requirement is handled during the development of the product and which measures should be implemented during customization and operation of the system. Furthermore the answer includes references to the products documentation for technological topics and to the GAMP 5 guide for procedural controls that are already considered in the guide. 3.1 Life Cycle and Validation of Computerized Systems The fundamental requirement that a computerized system used as a part of GMP related activities must be validated is extended by a number of newer Annex 11 requirements detailing expectations on a systems life cycle. Requirement Reference Answer Risk management should be applied throughout the lifecycle of the computerized system. Annex 11, 1 The R&D process for Siemens software products incorporates risk management accordingly. During the validation of a customer-specific application 15 risk management should be ensured by the regulated user. Validation of a system ensures the accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. 21 CFR (a) Yes, the development of the software product (COTS, see Annex 11, glossary) is under the control of the Siemens QMS and the Product Lifecycle Management process. The regulated user 16 should take appropriate measures to validate the customer-specific application (see Annex 11, glossary), as well as maintaining its validated state.. Validation documentation covers relevant steps of the life cycle. A process for the validation of bespoke or customized systems should be in place. Annex 11, 4.1 Annex 11, 4.6 Yes, the R&D process for the software product covers all relevant steps of the Software Development LifeCycle (SDLC). The responsibility for the validation of the customer-specific application (see Annex 11, glossary) is with the regulated user. The validation process for customer-specific applications is under the responsibility of the customer. Nonetheless Siemens is able to support the customer regarding validation activities. 15 Customer-specific application: A computerized system individually customized to suit the needs of a specific customer. 16 Regulated user: might include the roles process owner (the person responsible for the business process) as well as the system owner (the person responsible for the availability, and maintenance of a computerized system and for the security of the data residing on that system) as defined in Annex 11: Computerised Systems, European Commission / EudraLex, June 30 th SIEMENS AG

16 Requirement Reference Answer Change management and deviation management are applied during the validation process. An up-to-date inventory of all relevant systems and their GMP functionality is available. User Requirements Specifications should describe required functions, be risk-based and be traceable throughout the life-cycle. Evidence of appropriate test methods and test scenarios should be demonstrated. Annex 11, 4.2 Annex 11, 4.3 Annex 11, 4.4 Annex 11, 4.7 Yes, the R&D process for the software product includes change management, deviation management and fault corrections. The regulated user should establish appropriate change management and deviation management (see GAMP 5, appendices M8, D5). The regulated user should establish appropriate reporting, a system inventory as well as system descriptions (see GAMP 5, appendix D6). Product Requirement Specifications are used during the R&D process. The regulated user should have the User Requirement Specification appropriately considered in the systems life cycle (see GAMP 5, appendix D1). Ensuring the suitability of test methods and scenarios is an integral part of the R&D process and test planning. The regulated user should have procedural controls in place to ensure a good testing practice (see GAMP 5, appendix D5). Appropriate controls should be used over system documentation. Such controls include the distribution of, access to, and use of system operations and maintenance documentation. A formal change control procedure for system documentation maintains a time sequenced record of changes. Persons, who develop, maintain, or use electronic record/ electronic signature systems should have the education, training and experience to perform their assigned task. Computerized systems should be periodically evaluated to confirm that they remain in a valid state and are compliant with GMP. All incidents should be reported and assessed. For the availability of computerized systems supporting critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown. 21 CFR (k) During the development of the product the products documentation is treated as being part of the product. Thus the documentation itself is under the control of the development process. 21 CFR (k) Annex The regulated user should establish appropriate procedural controls during development and operation of the system (see GAMP 5, appendices M9 and D6). During the development of the product changes are handled according to the development process. The regulated user should establish appropriate procedural controls during development and operation of the system (see GAMP 5, appendices M8 and O6). 21 CFR (i) Siemens processes do ensure that employees have according training for their tasks and that such training is properly documented. Annex 11, 11 Annex 11, 13 Annex 11, 16 Furthermore the COMOS academy program offers a variety of courses for users, administrators and support staff. The regulated user should establish appropriate procedural controls (see GAMP 5, appendices O3 and O8). The regulated user should establish appropriate procedural controls (see GAMP 5, appendix O5). The regulated user should appropriately consider the system in his business continuity planning (see GAMP 5, appendix O10). 16 SIEMENS AG 2013

17 Evaluation List for COMOS 3.2 Suppliers and Service Providers If the regulated user is partnering with third parties for planning, development, validation, operation and maintenance of a computerized system, then the competence and reliability of this partner should be considered utilizing a risk-based approach. Requirement Reference Answer When third parties are used, formal agreements must exist between the manufacturer and any third parties. The competency and reliability of a supplier are key factors when selecting a product or service provider. The need for an audit should be based on a risk assessment. The regulated user should ensure that the system has been developed in accordance with an appropriate Quality Management System. Documentation supplied with commercial off-the-shelf products should be reviewed by regulated users to check that user requirements are fulfilled. Quality system and audit information relating suppliers or developers of software and implemented systems should be made available to inspectors on request. Annex 11, 3.1 Annex 11, 3.2 Annex 11, 4.5 Annex 11, 4.5 Annex 11, 3.3 Annex 11, 3.4 The regulated user is responsible to establish formal agreements with suppliers and 3 rd parties. The regulated user should assess its suppliers accordingly (see GAMP 5, appendix M2). The development of COMOS follows the R&D process stipulated in Siemens Quality Management System. The regulated user is responsible for the performance of such checks and design reviews. Matter and extent of the documentation affected by this requirement should be agreed on by the regulated user and Siemens. The joint nondisclosure agreement should reflect this requirement accordingly. SIEMENS AG

18 3.3 Data Integrity The main goal of both regulations, defining criteria under which electronic records and electronic signatures are as reliable and trustworthy as paper records, requires a high degree of data integrity throughout the whole data retention period. Requirement Reference Answer The system should provide the ability to discern invalid or altered records. For records supporting batch release it should be possible to generate printouts indicating if any of the data has changed since the original entry. The system should provide the ability to generate accurate and complete copies of electronic records in both human readable and electronic form. Computerized systems exchanging data electronically with other systems should include appropriate built-in checks for the correct and secure entry and processing of data. For critical data entered manually, there should be an additional check on the accuracy of the data. Data should be secured by both physical and electronic means against damage. Regular back-ups of all relevant data should be done. 21 CFR Part (a) Annex 11, CFR (b) Annex 11, 8.1 Annex 11, 5 Annex 11, 6 Annex 11, 7.1 Annex 11, 7.2 Feasible via the following functions: time stamping and revisions for COMOS-generated documents; versioning for COMOS-external documents that are managed inside COMOS. Furthermore an audit trail can be used. Not applicable, since COMOS does not keep data supporting a batch release in its database. Yes. Accurate and complete copies can be generated in electronic portable document formats or on paper. COMOS has built in plausibility checks to validate data, which are automatically exchanged with other systems. Next to that it is possible to create individual data validation rules for each data exchange itself. Only partly applicable, since critical data entered manually in terms of Annex 11 does not represent a common use case within COMOS. Nonetheless critical operations, like design reviews and approvals, can be secured by the use of revisioning or versioning steps for documents and data, the approval of data is secured via review and approval workflows. Furthermore the system has built-in plausibility checks for data entry. The regulated user should establish appropriate security means. Furthermore the data retention period should be determined by the regulated user and appropriately considered in the users processes (see GAMP 5, appendices O3, O4, O8, O9, O11, O13) The regulated user should establish appropriate processes for backup and restore (see GAMP 5, appendix O9). Electronic records must be readily retrievable throughout the records retention period. If the sequence of system steps or events is important, then appropriate operational system checks should be enforced. 21 CFR (c) Yes. As stated above, procedural controls for Backup/Restore and Archiving/Retrieval should be established. 21 CFR (f) Yes, the sequence of activities on documents can be designed in Workflow Engineering. 18 SIEMENS AG 2013

19 Evaluation List for COMOS 3.4 Audit Trail, Change Control Support During operation regulations require to record operator actions that may result in the generation of new records or the alteration or deletion of existing records. Requirement Reference Answer The system should create a record of all GMP-relevant changes and deletions (a system generated audit trail ). For change or deletion of GMP-relevant data the reason should be documented. Management systems for data and documents should be designed to record the identity of operators entering, changing, confirming or deleting data including date and time. 21 CFR (e) Annex 11, 9 Annex 11, 12.4 Comos provides a number of features to trace changes. 1) Changes which are adapted from a working layer to the approved layer can be traced via audit trail / history monitoring. 2) 2) Changes to document can be traced via revisions / versions. The requested information is part of the revision information, version information, as well as audit trails / history monitoring. Changes to electronic records shall not obscure previously recorded information. 21 CFR (e) Supported for all revisioned documents. Furthermore a detailed tracking of changes can be realized by using cascading working layers above the approved area. The audit trail shall be retained for a period at least as long as that required for the subject electronic records. 21 CFR (e) Annex 11, 9 Yes, this is technically feasible and must be considered in the application specific backup and restore process (cp. GAMP 5, appendices O9 and O13). The audit trail should be available for review and copying by regulatory agencies. 21 CFR (e) Yes. 3.5 System Access, Identification Codes and Passwords Since access to a system must be restricted to authorized individuals and the uniqueness of electronic signatures too depends on the authenticity of user credentials, user access management is a vital set of requirements regarding the acceptance of electronic records and electronic signatures. Requirement Reference Answer System access should be limited to authorized individuals. The extent of security controls depends on the criticality of the computerized system. 21 CFR (d) 21 CFR (g) Annex 11, 12.1 Annex 11, 12.2 Yes, system access is based on the operating systems user access management system. Nonetheless also procedural controls should be established by the regulated user, as described in GAMP 5, appendix O11. System security is a key factor during design and development of the COMOS product. Nonetheless, since system security highly depends on the operating environment of each ITsystem, these aspects should be considered in security management (see GAMP 5, appendix O11). SIEMENS AG

20 Requirement Reference Answer Creation, change, and cancellation of access authorizations should be recorded. Annex 11, 12.3 Changes in the user access management are being recorded. If it is a requirement of the system that input data or instructions can only come from certain input devices (e.g. terminals) does the system check the validity of the source of any data or instructions received? (Note: This applies where data or instructions can come from more than one device, and therefore the system must verify the integrity of its source, such as a network of weigh scales, or remote, radio controlled terminals). Controls should be in place to maintain the uniqueness of each combined identification code and password, so that no individual can have the same combination of identification code and password as any other. Procedures are in place to ensure that the validity of identification codes are periodically checked. Password should periodically expire and require to be revised. A procedure should be established for recalling identification codes and passwords if a person leaves or is transferred. A procedure should be followed for electronically disabling an identification code, a password or a devices that bear or generate identification code or password information if it is lost, stolen or potentially at risk. Loss management procedures should include the issuance of temporary and permanent replacements. Devices that bear or generate identification code or password information should be initially and periodically tested to ensure proper functionality. Testing of such devices should include a check that there have been no unauthorized alterations. 21 CFR (h) Not applicable. The right to perform specific actions on data is linked to certain roles and/or individuals, not on the geographic location of an input device. Nonetheless narrowing down the possibilities to access data can be done via the distribution of licenses as well as by utilizing user rights. 21 CFR (a) Yes. The user access management of the operating systems is used as a platform for access management. Thus the combination of user-id and password are unique. 21 CFR (b) The regulated user should establish appropriate procedural controls (see Good Practice and Compliance for Electronic Records and Signatures, Part 2). 21 CFR (b) Yes. Password aging is based on the operating systems user access management. 21 CFR (b) The regulated user should establish appropriate procedural controls (see Good Practice and Compliance for Electronic Records and Signatures, Part 2). 21 CFR (c) The regulated user should establish appropriate procedural controls (see Good Practice and Compliance for Electronic Records and Signatures, Part 2). 21 CFR (c) The regulated user should establish appropriate procedural controls (see Good Practice and Compliance for Electronic Records and Signatures, Part 2). 21 CFR (e) The regulated user should establish appropriate procedural controls (see Good Practice and Compliance for Electronic Records and Signatures, Part 2). 21 CFR (e) The regulated user should establish appropriate procedural controls (see Good Practice and Compliance for Electronic Records and Signatures, Part 2). 20 SIEMENS AG 2013

21 Evaluation List for COMOS Requirement Reference Answer A loss management procedure should be followed if a device is lost or stolen. Measure for detecting attempts of unauthorized use and for informing security and management should be in place. 21 CFR (c) The regulated user should establish appropriate procedural controls (see Good Practice and Compliance for Electronic Records and Signatures, Part 2). 21 CFR (d) Yes, unsuccessful attempts to use the system or to perform electronic signatures are recognized and can be logged. The regulated user should establish appropriate procedural controls to ensure a periodic review of security and access control information logs (see GAMP 5, appendix O8). 3.6 Electronic Signature To ensure that electronic signatures are accepted as generally equivalent to handwritten signatures executed on paper, requirements are not only limited to the act of electronically signing records. They also include requirements on record keeping as well as on the manifestation of the electronic signature. Requirement Reference Answer Written policies should be established, that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification. Signed electronic records should contain the following related Information: - The printed name of the signer - The date and time of signing - The meaning of the signing (such as approval, review, responsibility) 21 CFR (j) Annex 11, 14.a 21 CFR Annex 11, 14.c The regulated user should establish appropriate procedural controls. Yes. Referenz oder Screenshot in Kapitel 2 ratsam The above listed information is shown on displayed and printed copies of the electronic record. 21 CFR Yes. Electronic signatures shall be linked to their respective electronic records to ensure that the signatures cannot be excised, copied, or otherwise transferred to falsify an electronic record by ordinary means. Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else. 21 CFR Annex 11, 14.b 21 CFR (a) 21 CFR (a) (2) Yes. Yes, the digital signatures used in COMOS are unique to an individual. Due to the use of unique identifiers for user accounts, the integration of document hashes in the performed electronic signature, the re-use or re-assignment of electronic signatures is effectively prevented. SIEMENS AG

22 Requirement Reference Answer When a system is used for recording certification and batch release, the system should allow only Qualified Persons to certify the release of the batches and it should clearly identify and record the person releasing or certifying the batch. Annex 11, 15 Not applicable. A COMOS system is usually not utilized for storing batch release information. Nonetheless COMOS uses digital signatures linked to an individual, and it allows strict determinations about which role and/or individual is allowed to perform a digital signature. The identity of an individual should be verified before electronic signature components are allocated. When an individual executes one or more signings not performed during a single session, each signing shall be executed using all of the electronic signature components. When an individual executes a series of signings during a single session, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one private electronic signature component. The use of an individual s electronic signature by anyone other than the genuine owner would require the collaboration of two or more individuals. Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owner. 21 CFR (b) The regulated user should establish appropriate procedural controls for the verification of an individual s identity before allocating a user account and/or electronic signatures. 21 CFR (a) (1) (ii) 21 CFR (a) (1) (i) 21 CFR (a) (3) Yes, performing an electronic signature requires the user-id as well as the user s password. Not applicable, a shortcut for multiple signings during a continuous session is not utilized. Yes. 21 CFR (b) Not applicable, since COMOS is currently not using biometric signatures. 3.7 Open Systems The operation of an open system may require additional controls to ensure data integrity as well as the possible confidentiality of electronic records. Requirement Reference Answer To ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records additional measures such as data encryption are used. To ensure the authenticity and integrity of electronic signatures, additional measures such as the use of digital signature standards are used. 21 CFR Not applicable. Although COMOS is designed to be operated in either an closed IT environment or one that implements additional means to make it as secure as a closed systems, critical communication paths like synchronization between WebService and WebApp are already encrypted. 21 CFR Yes, COMOS is already using digital signatures instead of electronic signatures. 22 SIEMENS AG 2013

23 Evaluation List for COMOS SIEMENS AG

24 4 References 21 CFR Part 11 Electronic Records; Electronic Signatures, US FDA, March 20th 1997 (revised as of April 1st, 2013) Volume 4 Good Manufacturing Practice Medicinal Products for Human and Veterinary Use / Annex 11: Computerised Systems, European Commission / EudraLex, June 30th 2011 ISPE; International Society of Pharmaceutical Engineers, Baseline Pharmaceutical Engineering Guides for New and Renovated Facilities, GAMP 5 A Risk-Based Approach to Compliant GxP Computerized Systems, ISPE, 2008 Basic Operation, Operating Manual, 08/2011, A5E Infrastructure planning, Operating Manual, 09/2011, A5E Maintenance, Operating Manual, 09/2011, A5E PQM, Operating Manual, 08/2011, A5E Revisions, Operating Manual, 09/2011, A5E Rights, Operating Manual, 09/2011, A5E Workflow, Operating Manual, 02/2011, A5E Disclaimer , Siemens AG The information provided in this document contains merely general descriptions or characteristics of performance which in case of actual use do not always apply as described or which may change as a result of further development of the products. An obligation to provide the respective characteristics shall only exist if expressly agreed in the terms of contract. The marks mentioned are registered trademarks of the respective owner. All product designations may be trademarks or product names of Siemens AG or supplier companies whose use by third parties for their own purposes could violate the rights of the owners. 24 SIEMENS AG 2013