Applying GAMP 5 to Validate an ERP System

ISPE's GAMP 5 explains the methodology for implementing an ERP system, either new or existing, in a regulated environment. Here is a discussion of an actual implementation.

Stephen R. Ferrell 01/18/2011

Editor's note: This article was originally published in the November/December 2010 issue of Pharmaceutical Engineering, the official publication of ISPE (www.ispe.org). Normally this content is only available to society members, but is reprinted here in abridged form by special arrangement. The full text, including all related references, is available online.

Risk management concepts in the pharmaceutical industry are maturing and harmonizing as reflected in ICH Q9 (International Conference on Harmonization) Quality Risk Management. GAMP 5 (Good Automated Manufacturing Practice 5) provides direction in applying these concepts in the development, implementation, and maintenance of computerized systems. Risk to the patient and product quality continue to be the primary areas of concern. This article shows how such risk-based approaches can be effectively applied to ERP validation and compliance. Typically, commercial off-the-shelf software (COTS) packages, including those used as the basis for most ERP implementations, will be carefully tested by the suppliers before commercial release. Therefore, there is no intrinsic value in attempting to test every mouse click or every submenu in this context and it is not a regulatory requirement. The focus should be rather on ensuring that the configuration of the product is defined, holistic (in terms of GxP [1, 2] and Part 11 [3] compliance), follows actual business processes, and is verified to be fit for intended use. The regulated company should focus on managing potential risk to patient safety and product quality, and ensuring compliance with the relevant GxP regulations, including 21 CFR Part 11. Additionally, they also should consider the impact to the overall business process.
GAMP 5 defines a computerized system as: "A computerized system consists of the hardware, software, and network components, together with the controlled functions and associated documentation." Based on this definition, a holistic approach was used in the implementation of the ERP system as described below.

Case study overview
The ERP system discussed in this article, SAP, was a legacy system. The system had not been previously used for GMP purposes. Therefore, the documentation surrounding the system was essentially non-existent in that it did little to support the use of the system in a regulated environment. An important element when purchasing a computer product or service is supplier assessment, which may include supplier audit. In this case, however, while the system was new to the GMP manufacturing plant, it had been in use supporting the business for 15 years. As a result, a decision was made, justified, and documented with the rationale for why an audit would not occur. The organization acknowledged that the vendor is an established and recognized business solution provider with a large user base in the industry. The pro
Creating a computerized system validation plan is a fundamental building block of any validation pro
For the purpose of this case study, the risk was broken down into the following three components:
1. System risks;
2. Criticality of user requirements; and
3. GMP T-Codes (transaction codes).
Each function in the system has an associated code. Using a transaction code enables quicker access to any task in the system.

System risks
A system risk assessment (RA) was prepared early in this pro
2. Ensure configuration is adequately tested;
3. Ensure configuration is managed post go-live; and
4. Ensure users are trained on said configuration.
The company was able to apply the four themes in the context of their own business model to develop the following:
- Define - create the user, configuration, functional and design specification;
- Test - build validation scripts;
- Manage - create ERP friendly SOPs; and
- Train - teach the business how to use the system.
The risk assessment included key GMP risks and other business risks, including those related to Sarbanes-Oxley (SOX). All risk considerations were evaluated and where applicable, remedial actions were identified based on criticality. Each risk identified was clearly designated as GMP or otherwise. As the pro once after the user requirements were defined and again after the business blueprinting or functional specifications were written. One of the challenges with any risk assessment process is the assignment of H/M/L (high/medium/low) and the dependencies between justifying one risk as higher than any other. GAMP 5 provided the following error occurrence by transaction: 100 L; 1,000 M; and 10,000 H. GAMP 5 suggests that a scientific approach to risk assessment be applied. After much debate, the approach agreed upon was to rely on the knowledge and collective experience of the workshop teams to create a baseline for H/M/L assignation and then to consistently apply it to the system. This assessment was additionally used to provide priority targeting for remediation, and the results broke down as follows: 105 High / 84 Medium / 57 Low priority for remediation. Ultimately, the RA was revisited at the conclusion of the pro
The seven step process below describes how the team leveraged the regulations and utilized the existing system documentation to aid in building the User Requirements. This process aided in the risk analysis and testing required to execute the pro
Step 2: Recycle
Most GMP regulated operating companies will already have an ERP or similar system in place. If a company has been regulated for a while, there may already be a validation package from a previous system that could be recycled, and perhaps a number of change control packages to use. In this case study, using a high level risk assessment system, the company was able to discern which parts and pieces of our original URS (which was system neutral) were applicable to the current business process.

Step 3: Business needs/user requirement workshops
In order to make the process as focused as possible, user requirements workshops were formed with the various functional groups. All user groups were given the skeleton URS two weeks in advance of the first workshop and were encouraged to add, subtract, edit, and comment. The commented URSs were consolidated and ultimately yielded in excess of 3,000 user requirements, some duplicated, some ambiguous, some bizarre. Next, three half-day workshops per week for four weeks were scheduled, each and every URS was reviewed, and a unique identifier for traceability (like PP14 or OH23) was captured. Each URS was given a criticality number directly correlating to its impact on the GMPs and Part 11. These were:
- Mandatory URS ranked as a "1" = GMP or GMP and business critical;
- Beneficial URS ranked as a "2" = non-GMP, but business critical; and
- "Nice to have" URS ranked as a "3" = non-GMP, non-business critical.
At the end of the four weeks, the following user requirements were captured:
- 39 level 1;
- 1,157 level 2; and
- 198 level 3.
This approach achieved two key goals. First, by virtue of the risk and criticality process, the GMP testing burden was reduced to a little less than 400 requirements and second, a requirements document was now available for the ERP analysts to build from. This document was developed by all key stakeholders, including QA.

Step 4: Blueprinting
In order to translate the neutral user requirements into ERP-centric functional requirements, a suite of PDDs (process design documents or functional specifications) was created. The goal of the PDDs was to define the system in a way that could be understood by both the analysts and business. Each PDD was traceable back to as many as 30 URSs and all business processes were defined graphically using MS Visio. The process flows integrated into PDDs gradually formed a picture of what the system would look like post go-live, and the use of the ERP integrated into our business process started to take shape. Later, the flows were used as a basis for PQ and the PDDs were tied to the new SOPs, which then in turn formed the baseline for process change control. In addition to the process flows, the ERP implementation team translated URS into functional processes broken down by functions, data, or interfaces.

Step 5: Functions
Each collection of URSs was translated into the appropriate function set in the ERP; any inputs, outputs, calculations, configuration, or security considerations were captured here.

Step 6: Data
The data section was mainly focused on those data elements necessary to be considered for the function set in scope to execute correctly. Within SAP, master data plays a very important role and can cause significant system issues if not formatted or defined correctly. Where possible, master data considerations were included in this section.

Step 7: Interfaces
Beyond a barcoding system, the ERP instance does not have any ma due to the nature of the formation of sub teams (by ERP module); however, there was reference to the ERP modules that any particular function set was or could impact. This facilitated the sub team communications as cross functional processes were developed.

GAMP 5-based system configuration
This posed a challenge as the legacy ERP system was already in place. As previously described, the system had been used for non-GMP purposes; therefore, documentation that had been created while valuable to the ERP team was not easily translated into the regulated context. The configuration definition process was split into two parts. For the servers, operating systems, and core ERP build, system configuration specification (core SCS) was created. This allowed verification to occur simultaneously thereby qualifying the hardware and core software, while the ERP analysts were translating the user requirements. For the actual configuration or customization of the ERP, the decision was made to use the legacy system as a baseline, documenting all changes that were necessitated by our compliance requirements utilizing additional configuration documents (CFD).

Part 1 - Hardware and core software (SCS1)
GAMP 5 Appendix D3 provides a check list for SCS content. Also, the team utilized the "IT Infrastructure Control and Compliance Guide." Depending upon the roles and responsibilities defined in your organization, the documentation can be managed effectively with well defined roles and responsibilities assigned to each business unit within the company. For this pro
The server setup is considered standard and consists of the following four environments:
1. Development;
2. Sandbox;
3. Quality (test); and
4. Production.
Note that this vendor recommends installing the application server and central database server on separate machines and placing them in a separate subnet. It is beneficial to seek affirmation and supporting information from the vendor on installation requirements.

ERP infrastructure environmental conditions
It may seem redundant to capture and verify environmental conditions, especially considering the servers had already been used in support of the application. However, failure to ensure a temperate and sustained environment for your servers can have a significant business impact.
Physical security
All of the physical security attributes were defined and later formally verified for the various data centers around the globe.

Database security profiles
An important and easily overlooked component to any client/server system is database security, i.e., who has access to your back-end tables. Typically, application security will not address those accessing your servers from outside the application. For this ERP system, the administrator accounts, administrator's roles, role mapping, data exchange account, and Unix access were defined. Again, the "buckets" are not as important as the content, and who can access the data. It is important to understand who can do what, define it, and control the access to the data.

Network topology
Transport management
Transport process flow should be managed from sandbox to development, from development to QA, and then ultimately into production. It is important to define and control the transport method and flow. This should be incorporated into the change control system.

Peripheral system interfaces
The last key element to discuss in the core SCS are peripheral systems. It is important to understand the data input into the ERP, the data source, and the controls around that source. Equally, one must understand what system the ERP output data is sent to for use. Those interfaces and the associated systems should be carefully evaluated to determine GMP use and subsequently their validation status. Examples from this implementation included a barcode system, a LIMS, and a labeling system.