Problem Definition

A particular sterile manufacturing company was using BPCS as an ERP system for over 10 years. However, the system was not validated and the company was using manual processes and manual documentation to meet many compliance needs.  They were mandated to validate their ERP system by the EMEA.  However, the validation effort had the following major stumbling blocks:

• The system had evolved considerably in ten years, and they had an in-house development team and were also using external vendors for providing development assistance.  These developers that had actively tweaked, upgraded and modified the system over a decade.  Unfortunately, there was no clear documentation of changes for all the upgrades / modifications.
• The system was currently in production and bringing down the production system for considerable periods of time directly impacted the business.
• The system was large and touched a variety of departments in the facility.  Many of the departments touched were alien to validation / compliance (e.g. HR, Planning).
• No one person / group of persons had a clear idea of the functionality of the overall system.  Each department had a clear idea of their role within the system. Certain developers were knowledgeable in certain aspects / modules of the system.
• Since the system was a lumbering behemoth, validating the entire system was neither economically feasible nor doable given the six month timeframe that was promised to the regulatory agencies.

ValiMation’s Role

ValiMation took on the lead role for the compliance and validation for this project and managed the project from start to finish.  Some of the activities performed by ValiMation are described below:

Project Management

A ValiMation Project Manager was dedicated to this project and managed schedule, personnel (both ValiMation personnel and client personnel) and budgets.

Business Process Description

ValiMation considered it paramount to map the overall business process that was automated by the system. The business process flow map was generated by interviewing users on their current responsibilities and the processes used by their departments. This gave us a better picture of the business across the different departments and identified the critical decision making points throughout the information flow. The process map greatly helped in narrowing the processes that handle GxP data directly or indirectly. For example, though the Finance Department is very critical to the organization, it was deemed not important from a validation point of view and it was omitted in the business process flow as it did not handle GxP related data.

Risk Assessment

The risk analysis document helped in narrowing down the scope of validation, using a documented scientific approach.  Based on the Business Process Description and Specification documents, the risk assessment identified the various modules, sub-modules and programs that were to be qualified based on whether they directly / indirectly impacted GxP data.

Once the modules / sub-modules / programs that have GxP impact were identified, various risk scenarios were identified for the system.  These risk scenarios were broadly classified into:

• System Architecture / Design / Data Management Risks (based on the architecture / design of the system, and the impact to GxP data)
• System Usage Risks (based on usage of the system by system users, including potential wrong usages)
• Business Process Risks (based on the overall business process flow, and the risks associated with certain processes)
• Validation Risks (based on the methodology used for validation, e.g. we did not perform data validation checks for every screen object, this was documented and the risk was analyzed / justified)

Once the risk scenarios were identified, they were given a risk priority number (RPN) based on the following parameters:

• Risk Impact / Severity
• Frequency of Occurrence
• Possibility of Detection

Based on an acceptable RPN threshold, all risk scenarios were assessed and mitigated (technology changes, process upgrade, procedural checks and balances).  Any residual risks were identified and their acceptability determined.

The Risk Assessment document was updated at regular junctures throughout the lifecycle of the project, as the knowledge of the system increased. For this project, the document was revised at three times during the validation process

Specifications Development (Requirements / Design)

The specification documents and subsequently, the qualification protocols posed a unique challenge. The system had been customized for over a decade with inadequate documentation.  ValiMation engineers worked with the developers directly, talking “the same language” and developed the specification documents for the system.  The focus of the specifications was on the GxP modules / sub modules / programs, which were delved into in great detail.  All the other modules were documented at a high level.  ValiMation also assisted in identifying problem areas and suggested improvements to the overall “clean-up” of the system.

Qualification Protocols Development, Traceability Matrix and Testing

The qualification protocols were developed based on the specifications, business process documentation and the guidance provided by the Risk Assessment.  Traceability Matrices were also developed.  The testing involved in ValiMation working with the development team to bring the development environment to a “validate-able” state.  The development environment that existed was extremely cluttered with multiple vendors / developers using it as their own playground. ValiMation then did extensive testing on the development environment, did configuration verifications on the production environment to ensure that it matched with the development environment, and then performed a reduced operational testing on the production environment, which greatly reduced the amount of down-time of the production system.  The testing rationale and methodology was driven by the guidance provided in the Risk Assessment.

Procedures Development

ValiMation revisited all existing procedures for the system and appended them based on the guidance provided by the Risk Assessment document.  ValiMation also prepared a Configuration Management / Change Control SOP specific for the BPCS ERP system, since it’s requirements were unique from the other systems in the facility.

Training

ValiMation trained employees within the organization on compliance, GxPs, validation and communicated the need for the validation effort, especially to departments unfamiliar and resistant to validation / compliance / processes and procedures.

ValiMation’s Impact – Our Unique Value Proposition

• Establishing the business process workflow.
• Developing a comprehensive risk based approach to the validation effort.
• Identifying and mitigating risks associated with the business process, validation, system design and system usage.
• Winning the confidence of the IT personnel (managers, developers and system administrators) was the determining factor in achieving success.
• Deciphering the software and working with the development team, talking the same language, to unlock the mysteries hidden in the system software. Identifying problem areas and assisting in cleaning up the software.
• Establishing a clean development environment where most of the testing could be performed for this validation effort and subsequent validation efforts.
• Working with various departments, who were resistant / unaware of compliance / validation requirements and educating them in the process.
• We bridged Technology, Compliance and Business Processes.