Validating ERP Systems: A Toolkit Approach
Executive Summary

Enterprise Resource Planning (ERP) systems are increasingly deployed within life sciences companies to help improve resource management and increase operational efficiency. As these organizations endeavor to accelerate new products to market faster, they encounter many of the requirements of other manufacturers but also must achieve the hurdle of software validation and verification of these complex solutions prior to deployment in a cGMP environment. For many years, ERP implementations have been plagued by poor project management and complexities which extend far beyond the boundaries of the I.T. organization. Significant time and money has been spent with sometimes arguably few successful implementations. As life sciences companies increase their deployment of ERP solutions, they must have a clear, practical approach for software validation to ensure sustained compliance. This article will address some of the key implementation challenges unique to ERP implementations, validation implementation strategies and principles, and an efficient, cost-effective approach leveraging a validation toolkit.

Software validation is a requirement of the Quality System regulation, which was published in the Federal Register on October 7, 1996 and took effect on June 1, 1997. According to U.S. FDA General Principles of Software Validation; Final Guidance for Industry and FDA Staff, January 11, 2002 "…computer systems used to create, modify, and maintain electronic records and to manage electronic signatures are also subject to the validation requirements. (See 21 CFR §11.10(a).) Such computer systems must be validated to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records…." In general terms, ERP systems create mission-critical electronic records and are thus subjected to the validation requirements. The level of validation performed on these systems should be commensurate with the level of risk imposed by the system. It is strongly recommended that a comprehensive, documented risk assessment precede any validation effort for ERP systems. One aspect of software validation that is sometimes overlooked in ERP implementations in particular is the principle of "intended use". Many companies do not take the time to define clear, reasonable requirements for the system thus making it nearly impossible to properly validate the system. According to FDA guidelines for software validation, test protocols must be developed and executed to determine if the software is suitable for its intended use. The intended use principle provides the context for the validation and is an essential element of the overall validation. Many companies focus on the development and execution of the test protocols and often overlook this fundamental requirement. ERP systems by their nature are complex systems involving comprehensive master data schemes and other relevant information. Failure to clearly understand how this information is "intended" to be used across highly regulated processes can have catastrophic regulatory implications. The "intended use" of the system is typically documented in the User Requirements Specification (URS) as part of the validation artifacts. A good URS should define requirements that are easily tested through your validation initiative.
RISK: The Elephant in the Room

Now more than ever, life sciences companies are increasingly risk-averse. In these changing economic times, failure to overlook risk can have consequences that extend far beyond compliance boundaries. Risk-based validation is not a new concept. For many years, the FDA has advocated a risk-based approach to help minimize regulatory burdens and to help organizations answer the age-old question "how much validation is enough". The position of the regulators has always been that the proportionate level of validation conducted should be based on the amount of risk attributed to the records generated by the system. Given the impact of ERP systems on financial, manufacturing, and business processes, risk is an important consideration for software validation of these systems. In one key aspect of regulatory requirements governing electronic records and signatures known as 21 CFR Part 11, the FDA recommends that software validation be focused on "a justified and documented risk assessment and a determination of the potential of the system to affect product quality and safety, and record integrity." Many ERP systems increasingly include Part 11 features which make them subject to these requirements and a documented risk assessment. For those organizations implementing ERP systems, it should be noted that risk is highly dependent on the specific processes the system facilitates. ERP processes which must be assessed include those within the system that create, transmit, archive, or analyze records.

A proper risk assessment must include the classification and prioritization of each identified risk. Once each risk has properly been categorized and classified, the assessment of these risks can then be used to help define the proper extent of validation required for the ERP system.

As life sciences companies increasingly embrace virtualization as a means to reduce the cost and complexity of their I.T. infrastructure, the impact on software validation must be considered. Virtualizing the ERP environment drives cost savings from server consolidation and improved development efficiencies. The Info-Tech Research Group, in a Jan 2009 research paper reported that ERP virtualization may drop project Total Cost of Ownership (TCO) by as much as 30%. The reason for this impact is clear. Virtualization has been shown to significantly reduce the cost of setting up separate servers for validation, development, QA, and production machines required for an effective validation infrastructure. Setting up a multi-server environment typically involves buying multiple pieces of physical hardware which adds to the overall expense of the project. The obvious downside to this approach is the steep labor and equipment costs to install, maintain, and deploy physical hardware. Also, power consumption and energy requirements may have significant impact on the organization as a whole. Validation best practices for ERP systems require the setup of development, testing, and the production server environment so that software can be tested and implemented in a compliant, cGMP change controlled manner. This time-tested approach is intended to reduce risk and ensure a sustained validated state.

The question is, how does validation change when ERP systems are deployed in a virtual systems environment? What is the difference between the physical environment and the virtual environment from a validation perspective? When validating a virtual infrastructure there are several key points which must be considered prior to adopting a virtualized approach. These are:

1. Physical Server Running Virtualization Software

2. System Deployment

3. Change Control

When leveraging a virtualized server environment, it is understood that validation of the virtualization software is a key consideration. Validation protocols must be developed for each virtual machine to ensure that a repeatable process which protects the integrity and authenticity of the data stored. The recommended validation strategy in a virtual environment is as follows:

1. Physical Server Qualification - Develop comprehensive protocols for the Installation Qualification (IQ) of the physical server(s) in a non-virtualized physical environment.

2. Install and Qualify Virtualization Software – Upon completion of the physical server IQ, an IQ for the virtualization software should be executed.

3. Virtualization Maintenance & Operation Process – After the successful IQ of the physical and virtualization software, it is important to document the process required for successful maintenance and operation of the virtual systems environment including change control and disaster recovery procedures.

4. Complete IQ/OQ/PQ of ERP Software in Virtual Environment – The next logical step in the process is to execute IQ/OQ/PQ's for all ERP software components in the virtual systems environment.

The Validation Master Plan should reflect the fact that a virtualized environment is deployed with the appropriate risk assessment to ensure the proper level of validation testing. It is strongly recommended that you initially invest time and effort into designing, documenting, and testing your virtual platform up front.

It is important not to overlook the risk assessment aspect in a virtual environment as well as the disaster recovery plan.

It has often been said that software validation can cost as much as 50-100% or more of the software cost. Further, once an ERP system is implemented and validated, you must ensure that changes or enhancements to the validated configuration are properly documented. This may involve significant I.T. resources, time, and money to produce the required supporting documentation. Efficiency and cost-effectiveness are very important when validating ERP systems. However, as most organizations undertake software validation initiatives, especially involving ERP, the question of how to save time and money is a key consideration.

Validation of custom software in general requires more validation due diligence than Commercially-Off-the-Shelf (COTS) software applications. Most ERP solutions are deployed as modular solutions using COTS software. For COTS software implementations, many companies are turning to the use of ‘validation toolkits' to accelerate validation and produce the required deliverables. Validation Toolkits are defined as ‘accelerators' which help jump start the validation document deliverables. A good validation toolkit will provide detailed document templates and protocols required for each validation effort. The most time-consuming document deliverables to produce are the validation test protocols. For an ERP system, these may be hundreds of pages in length covering the required ‘intended use' functionality of the ERP solution. The validation toolkit would not only provide the IQ/OQ/PQ test protocols but templates to help accelerate the production of other validation deliverables. Samples of some of toolkit deliverables are:

* Validation Master Plan & Risk Assessment

* Validation Project Plan

* User Requirements Specification (Intended Use)

* Functional Requirements Specification

* 21 CFR Part 11 Assessment

* Installation/Migration Plan (optional)

* Installation Qualification (IQ's)

* Disaster Recovery Plan

* Requirements Traceability Matrix

* OQ Test Scripts - (Pre-Approved)

* OQ Test Scripts - (Post-Approved)

* Validation Summary Report

* Final System Acceptance

The toolkit has many benefits which could save hundreds of man-hours on your next validation initiative. A summary of benefits includes:

* Pre-Defined Validation Test Protocols – the pre-written protocols are a huge time-saver for validation teams. These protocols can be reused or updated to meet any validation project requirements.

* Standard Methodology – Most validation toolkits leverage standard methodology such as GAMP to ensure consistency in deliverables and implementation.

* Edit Versus Create – The toolkit allows users to edit pre-defined validation artifacts versus creating them from scratch.

* Proven Testing – the test methods have been proven over hundreds of implementation thus, the user gets the benefit of knowing that the protocols are correct and the results are suitable for an FDA regulated environment.

* 21 CFR Part 11 – Compliant – the validation toolkits are often delivered with a 21 CFR Part 11 compliant assessment. This helps to ensure that the system to be validated conforms to the requirements of Part 11.

* Built-in Risk Assessment – the toolkit should include a comprehensive validation risk assessment based on GAMP methodology.

* Pre-defined requirements for Virtual Environment – the validation toolkit should deliver everything you need to validate your ERP system in a virtual environment. The test kit should include protocols for testing the virtualization software so that this does not have to be recreated for each validation initiative.

Are there validation toolkits available for ERP systems? The answer is yes. Fullscope has developed a validation toolkit for Microsoft Dynamics AX 2009 for process industries. The toolkit is delivered on DVD and is exclusively designed to help companies overcome the challenges associated with software validation of ERP systems. Other companies are starting to catch on to this emerging trend.

As life sciences companies seek to streamline validation efforts, the three main emerging trends to watch are validation of ERP in a virtualized environment, more comprehensive risk assessment, and the use of validation toolkits to streamline the process. Lessons learned from many previous efforts clearly indicate that validation without a clear definition of intended use is not acceptable. The intended use principle is alive and well and must be included within the User Requirements Specification (URS). To ensure that your validation due diligence is commensurate with the appropriate level of risk, it is strongly recommended that a comprehensive risk assessment accompany any validation effort.

And finally, validation no longer has to be the burden many perceive it to be. Virtualization is here to stay and many companies are embracing this strategy as part of their overall implementation strategy. Virtualization requires the validation and verification of the virtualization software and its environment. Many organizations are leveraging validation toolkits to help accelerate validation initiatives. 21st century validation strategies require innovative techniques and methodologies to ensure success. Virtualization and the use of validation toolkits help reduce the level of effort, save costs, and accelerate deployment.