An Enterprise Resource Planning (ERP) system is a critical and complex piece of technology with massive operational impacts. With judicious selection and appropriate implementation of an ERP system, efficient and effective operations are supported. The opposite can also be felt from poorly chosen or implemented ERP systems. However, ERP systems are often unfairly blamed for issues tied with a deficient selection or implementation approach. Some of those issues can be mitigated, if not completely avoided, with a sound Computer System Validation (CSV) strategy.
The current blog is meant to present 5 common and risky mistakes tied to validating ERP systems.
- Lacking a Holistic System View
A deceptively simple question that is frequently hard to answer is this: “What is your ERP system?” This can be a tough question because ERP systems are often an amalgamation of elements that can be combined in various ways… They can be deployed on-premise or in the cloud. They can include a great variety of out-of-the-box modules and features. They can make use of sub-systems for the management of barcodes, labels, Master Batch Records (MBR) or Master Device Records (MDR). They can interface with other systems (CRM, MES and QMS, to name a few). There are simply no laws defining what your system should be and it falls on your shoulders to do so.
These choices in ERP architecture, configuration or integration can all impact your validation effort. Without a clear picture of the system in scope, it is extremely difficult to ensure full system coverage while avoiding redundant work.
Too often, organizations strive to quickly validate a system that was never clearly defined. Luckily for us, creating a System Description document can help paint this essential picture and ISPE, GAMP 5 includes a section you can leverage to help you construct such a document.
- Not Following a Risk-Based Approach to Validation
If you are familiar with Computer System Validation (CSV) in the Life Science Industry, you are surely comfortable following a risk-based approach to validation. In a nutshell, adopting a risk-based approach means you that you should be evaluating your system’s uses against risks posed to patient safety, product quality and data integrity. ISPE, GAMP 5 is an industry recognized framework that explains how this can be done but is unfortunately too often poorly implemented or still worse, ignored.
Despite an ERP risk assessment being a time-intensive activity, it is a necessary one. Spending excessive time testing and documenting low risk elements of a system, for documentation sake, is adding work of questionable value that a sound risk assessment can help eliminate. A risk assessment can also help identify missing requirements or features that that could prevent, for instance, health-threatening recalls from occurring.
- Inadequate Vendor Assessment Process
Deploying and validating an ERP system is a significant undertaking. Whether you are a small medical device sub-contractor, or a large pharma organization, ignoring the need to conduct due diligence with your ERP provider is another common mistake.
Assessing a potential IT Service Provider prior to contracting them is inherent to a good due diligence process. The goal of this assessment is to evaluate the risk(s) associated with the use of this vendor in relation to the controls they have in place to develop, deliver and maintain their products/services offers. Here are some of the questions a good vendor evaluation should answer:
- Can you rely on the vendor’s internal processes to provide you with a high-quality system?
- Can you rely on the vendor’s Software Development Life Cycle (SDLC) to provide you with this level of quality for future updates and system customizations alike?
- Is there vendor documentation or applicable training programs available to support your users?
- Was the vendor system developed and tested with your regulatory requirements in mind?
Having those answers will not only allow you to mitigate any potential risks of going into business with this new vendor, but it will also allow you to adapt your validation strategy to work in conjunction with the specificities of your vendor’s products or services.
If you have an in-grown ERP system, you might be thinking that this mistake cannot possibly apply to you, but it does in more ways than you may realize. Based on your particular scenario, a vendor assessment may not be the right tool for the job, but it does not mean that you should avoid paying close attention to your internal operations and the level of support that will be expected from your user base, which are essentially the same principles that were presented above.
- Missing Key Operational Processes to Manage Validated Systems
We have covered the importance of assessing your ERP vendor but considering the fact that it is the responsibility of the organization using the ERP system, not the ERP vendor itself, to validate the system, missing key internal processes is another potential common mistake. Depending on an organization’s level of process maturity, this issue presents itself in any of the three broad categories of processes: General Quality Assurance (QA), Information Technology (IT) Management and, ERP System Use.
Without going into too much detail, issues found in QA Processes usually touch internal practices around managing electronic records, electronic signatures and employee training.
IT Management is comprised of processes that support the management of the systems themselves, such as:
- Computer System Validation (CSV)
- Physical/logical security
- System maintenance
- Back-up & recovery
- Business continuity
- System change control
- Incident management
ERP System-Use processes are those defining how users should be interacting with the system. Examples of system-use could include procedures describing how to enter a customer order, reject a defective product or issue a job floor order.
- Not Qualifying the Network Infrastructure
An often-ignored element of validating an ERP system is how critical its network infrastructure elements are. Design and implementation decisions about network infrastructure directly impact the security, availability, speed, reliability and the data integrity of any system it supports. It does not matter if your ERP system is cloud-based or on-premises. If your infrastructure is not adequately designed and implemented, you are exposing yourself to serious and unnecessary risks.
Because your infrastructure is likely supporting several systems, sub-systems and applications, it makes a lot of sense to qualify it independently from your ERP validation effort. You can look at a Qualified Infrastructure as a prerequisite to a Validated ERP System, so no need to heavily couple the two together from a CSV perspective.
ISPE GAMP® Good Practice Guide: IT Infrastructure Control and Compliance is an insightful document about infrastructure qualification you should acquire if you are looking for an established framework for infrastructure qualification.
In retrospect
Once a system has been validated and released into operation, it is critical to not throw away this hard work by losing control. A solid monitoring plan combined with good change management practices are invaluable friends when it comes to preventing unintended consequences from slipping into your day to day operations. Never mind the fact that respecting those principle should also safeguard you from falling out of compliance.
The mistakes presented above are based on empirical evidence and years of personal experience in the industry. I hope that you found this information insightful. Please do not hesitate to share your thoughts or to reach out if you would like to hear more about any of the solutions that can help you avoid those same mistakes.
References:
- ISPE, GAMP® 5 – A Risk-Based Approach to Compliant GxP Computerized Systems, 2008
- ISPE GAMP® Good Practice Guide: IT Infrastructure Control and Compliance (Second Edition), 2017