What is an ERP?
ERP is short for Enterprise Resource Planning. Enterprise Resource Planning (ERP) is a term to define a business process management software or set of integrated modules that allows an organization to automate the processes around the management of resources for the most common back office functions related to finance, sales, purchasing, inventory, production planning, shipping and distribution. As these are very common functions needed to run a business then ERP systems are found across all industries and there are particular ERP solutions and configurations that have been developed for the service, retail and manufacturing industries and within these also specific ERP packages that are available to support the Pharmaceutical industry. Well known ERP suppliers include SAP, Oracle, Microsoft and SAGE.
Why is ERP relevant for the Pharma industry?
A typical Pharmaceutical production company in ASEAN, produces formulated product and packages and distributes to hospitals, wholesalers and major retail outlets in their local country and also in some cases export to other ASEAN / Asian countries. As PIC/s now is a regional GMP standard then such companies have to manage an ever increasing number of records in an ever more efficient and compliant manner. Most local Pharma companies are relying on paper records and the adoption of modern IT systems is slower than in other manufacturing sectors. Spreadsheets are commonly found throughout the business and these are used for managing key data needed for compliance, manufacturing and the wider business such as inventory and supply chain records, this approach to data and process management is very cheap and simple to initiate and can work for very small companies, however for even SME companies now the increasing regulations and the need to centralize data and information means that at an early point in the company’s growth then an ERP system is needed to manage the business.
Complying with PIC/S regulations means lots of records and many companies release that moving to electronic records is much more efficient way to manage the records. It makes business sense to consider the IT strategy and consider the whole issue of where to store the records at the same time as investigating the options for an ERP solution.
We have to consider which systems to use to store these records but also where we store them as we can now choose to store our records locally on a sever or use a SaS solution (Software as a Service)and store in the ‘cloud’.
So what about ERP validation, why is it a big deal?
PIC/s regulations require Pharma companies to validate their GxP IT systems, and usually this means that ERP systems have to be validated! This is a big change for many companies in the region as very little focus has historically been put on IT systems by the local regulators. This is set to drastically change as now the major economies in ASEAN are PIC/s members then much greater scrutiny is expected during inspections and especially in areas that were traditionally not in scope for the legacy GMP then gaps are to be expected. So if you have an ERP that is not validated or are thinking of implementing a new ERP then computer validation should be a major requirement and concern for you.
How to get started for ERP validation
Lewis Carroll in Alice in Wonderland said ‘begin at the beginning’ – and this is true for ERP validation as the first thing that is required is a plan, it is very important to build the validation in at the beginning of the project. Projects which attempt validation after implementation often fail. This is a highly important point as often we see across ASEAN the lack of awareness of the need for computer validation causing unsuccessful ERP projects, large delays in IT projects and much increased costs for the implementation due to untrained staff and software service providers.
Computer Systems Validation (CSV) is a 20 year old discipline and guidance is available, the GAMP guide from ISPE is considered to represent industry best practice on the subject and ISPE certified trainers are available in the region, we recommend initial upfront training and knowledge development in CSV as the starting point before undertaking any validation projects. CSV should not just be considered and valued as a compliance requirement but also as a critical guidance for IT solution project management. ERP projects can incur high costs and risks for any company whether large or small and so the careful planning and step wise control that CSV ensures adds a very good benefit to the company to safe guard their investments in IT.
As follows are the main elements needed to build a validation approach for your ERP
Validation Planning & Brief Description of the Plan
1. Define validation policies up front related to the company QMS, policies include planning, specifications, testing and reporting.
2. Write a ERP validation plan to establish the following :-
- Identify all validation activities and documents required
- Who will do what – Management, QA, Production, IT, Engineering, Supplier (Integrator), very often a Subject Matter Expert is used to manage the validation
- Verify availability and adequacy of project documents, specifications, SOPS , wherever gaps are found, they need to be closed with reasonable timeline
- Define document requirements and standards.
3. Create a business process flow chart showing process and data flows and showing the following processes, Warehouse process, QA/QC process, production process, ERP process
4. Identify the GMP parts , often the ERP has modules and some modules are GMP and others are Non- GMP
5. Carryout Risk Assessment on all GMP processes using GAMP 5 approach (which is based on ICH Q9), focus on the importance of the data /record, classify into High, Medium and Low
- Identify GMP & Non-GMP processes, all commercials are Non GMP.
- Business Critical functions
- SoX classification (if appropriate for the market – required in USA)
- The rigor of testing (positive/negative) is related to the criticality of the functionality. The test scripts will describe the detail.
6. Based on the risk assessment identify controls which may be system controls and part of validation testing or can be procedural controls (SOPs). Create test protocols to include :-
- test of master data
- testing routine operations and process scenarios
- test controls, this involves positive and negative testing depending on risk level
- test SOPs
7. Create a list of records being generated by the system
- Define and document all records, i.e. manual records, electronic or hybrid.
- For all electronic records, define and implement an Audit Trail management policy.
8. Define and verify User Authorisation matrix. It should be verified and approved by user and QA for requirement and compliance aspects.
9. Controls include operational procedures such as disaster plans and backup plans, these also have to be tested (see more details below)
10. Some of the validation activity may have commercial implications eg copying, check what the license says.
Important Documents and Activities required for ERP validation
The URS should contain the work flow for the business process, definition of critical data and records including reports and labels, audit trails, and levels of access by users. Develop the URS based on use of standard functions of the system and standard configuration where possible. Identify the GMP parts of the system in the URS.
- Supplier Assessment
Audit the Supplier to gather information about their quality management system, how they develop the system and documents and about Supplier testing. Use the Supplier testing where possible as part of the validation
- Functional Specification
A detailed design document normally provided by the supplier and used in the risk assessment
- Configuration Specifications
Configuration required in the URS/FS are provided by the project team and used in the risk assessment
- Risk Assessment
- One risk assessment at a point when the definition is sufficiently defined
- Identify modules which affect quality eg, HR, Distribution, MM and QM in SAP
- The system may contain other GMP data such as approved supplier information, or distribution data about final product shipments
- Follow workflow to identify critical data and controls to ensure correct data.
- For GMP critical data there should be an additional check on the accuracy of the record which is made prior to further processing of these data, additional checks are required for data exchanged with other systems through interfaces,
Normally the following tests are performed:-
- Development Unit Test (DUT) – Proves that the developers have done their development correctly for developed software
- Functional Test – (FT) – Proves that the standard software and developed software works correctly.
- Integration Test (IT) – Shows that the individual modules work together in a process.
- User Acceptance Test (UAT) – End to end testing of specific processes.
The validation should reference all these tests and also cover all the controls identified in the risk assessment and testing of the user access levels.
Formal process to move between the environments
- Development environment
- Test environment (DEV – used by development team)
- Pre-production environment (QA – configuration and user testing )
- Production environment (PRD)
- Data take on
All fixed data and master data is verified by printing out and inspecting, variable data may be checked by selecting a percentage to check.
Procedures for system use, IT department and training
- Quality Management System
Validation assumes that already the company has a robust QMS in place to manage records for documentation, training and quality event processes, to best manage a complex project then the use of electronic document and change control tools is recommended.
- Change control
Project and Operational Change control is required, failure in change management is a key compliance and project risk area. Many large IT projects failed or incurred very large cost and time overrun due to the mis-management of changes during the software development lifecycle. Configuration management is an important part of change control to ensure the base detailed configuration is documented.
- Operational SOPs
The ERP system must be controlled in operation by using established operating procedures for
- Access control
- Security management
- Operational change control
- Configuration management
- Business continuity (perhaps factory cannot manufacture if ERP system unavailable)
- Archiving of data (dealing with customer complaints)
- Periodic Review
- IT Network
Companies that run their ERP system on a server usually run on the company IT network. PIC/s says that the application should be validated and the network should be qualified, the network should be documented and controlled. These tasks might require specialists who are knowledgeable in IT but also experienced in CSV and how to apply validation concepts to a specific infrastructure setup. Companies can use a SaS solution (Software as a Service) and store their records in the ‘cloud’do not have this problem.
ERP systems can be part of the solution to remain competitive and to use the efficiency improvements of electronic systems to develop the business to stay ahead, if you do not know your true cost of production then how can you be sure to maintain a margin in the market and react to pricing changes? In addition, the GMP standards and regulatory environment has now changed across ASEAN, and inspectors in the major countries are now trained on CSV, and due to PIC/s the validation of IT systems is now mandatory. This will lead to a greater number of negative observations and an increased seriousness and awareness of the risks of not running compliant software tools. Help is available and with a step by step, training first approach we are happy to assist you from the start to ensure that you understand the requirements and use the correct IT Strategy to ensure the success of your IT projects through proper planning and a constant advisory support.