A mid-sized medical device company, subject to cGMPs, needed to bring their legacy Enterprise Resource Planning (ERP) system into FDA compliance. The system is called Sage 100. They had not validated it in the past. This was clearly a concern to them and a gap they needed to mitigate as soon as possible.
Sage 100 can manage the company’s sales order, purchase order, work order, inventory, and bill of materials for their production sites. These functions support the manufacture of cGMP products (e.g. master batch records) and thus must be validated.
Performance Validation (PV) was contacted to perform the validation and bring the system into cGMP compliance.
PV staff employed a traditional validation approach using the ISPE GAMP® 5 Guide: A Risk-Based Approach to Compliant GxP Computerized Systems. This is perhaps the most commonly used industry standard for validating computer systems for GxP use. PV is very familiar with the standard and how to put it into action. The client had their own computer system validation (CSV) procedures but did not have documentation templates they were prepared to use. PV was able to use their existing templates (developed over years of experiences) and shape them them into the client’s style and format. Some aspects of industry-standard CSV processes were not addressed, so they were added to the Validation Plan for Sage 100.
The deliverables PV produced were a Validation Plan (including a system risk and 21 CFR Part 11 Assessment), User Requirements Specification, Installation Qualification (IQ), Performance Qualification (PQ), and a Validation Summary Report (including user requirements traceability).
The Validation Plan was arguably the most critical aspect of this validation. This is because the system has been in place for a number of years while not in a formally validated state. A thorough risk assessment was needed to understand how the system was informally being kept in control. PV staff, with the client’s stakeholders, examined the system’s governing and supporting SOPs looking for gaps from a cGMP and 21 CFR Part 11 aspect. When gaps were found, PV recommended how to handle them and helped with devising the solutions. The risk assessment process determined that the system was in a state of low risk – in spite of having not been validated. Their supporting and governing procedures were largely in good shape from a cGMP standpoint. When looking at a legacy system for validation, the system history is important to consider. This system had been stable for many years. Very few problems had been encountered. Also, the vendor risk was low. It has an excellent Software Development Lifecycle (SDLC).
With a lower risk legacy system and vendor, it was determined that Operational Qualification (e.g. OQ or functional testing) was not necessary. This is because between the vendor’s own OQ/functional testing (as evaluated through the vendor evaluation) objectively demonstrated that the system operated as it was designed to do. As such, concentration of efforts could be placed the PQ. The PQ (i.e. user acceptance or intended use testing) always falls upon the end-user organization to perform. So PV partnered with Subject Matter Experts and stakeholders to develop the User Requirements Specification to document the intended use of the system. There were aspects of Sage 100 that were configured for the client’s use; they functions not used “out of the box” but changed to meet their needs. It was decided to include those requirements into the User Requirements Specification. Sometimes a separate Configuration Specification is used to document these type of requirements. Either way, it was critical to document the user and configuration requirements so that they could be controlled and tested. The PQ was written and executed against these requirements. A variety of unique scenarios had to be setup to ensure the true intended use of the system was being tested.
The Sage 100 validation project was completed with all acceptance criteria met. Some testing deviations were encountered and resulted in changes to procedures and user requirements. PV conducted the retesting required and aided in solution development for the procedures.
This medical device company now had a cGMP compliant ERP system. This was obviously important from a regulatory perspective. The company also uncovered a few issues with their procedures and intended use that needed to be addressed. Their change control procedures for this system, for example, were completely developed through the validation process. Now they could ensure changes to the system would not be implemented without an assessment to the risk to the intended use or other configured aspects of the system.
The PV Advantage
Through their extensive knowledge industry best practices, PV was able to help the client validate their Sage 100 ERP system even though it was already implemented and in production use. PV staff had experience with legacy system validation and knew that risk/vendor assessment and system history were keys to knowing how to right-size the validation effort. The client will likely being moving to a newer ERP in the near future. They now have processes, templates, precedence, and a partnership with PV to expedite the validation effort for that system.
For more information please use our “Contact Us” form or contact:
CSV Services Manager