ERP Validation: War stories from the Front
Presented by Terry Jeanes
4 July, 2016
Slide 2 © PharmOut 2015
Agenda
Deliverables
• Validation deliverables
• GxP Impact
• Data Conversion
Implementation
• Security
• Standard transactions
• ERP extension frameworks
Development Methodologies
• Agile, Waterfall and Spiral
• Cadenced Delivery
• Image Synchronisation
HANA, Exalytics and The Cloud
• Real Time Analysis
• Implications of Cloud Computing
Slide 3
Guidelines
Please contribute
Please stop me to ask a question
Please relax and enjoy yourself
Please place your phone on silent mode
Slide 4
Validation Deliverables
• Vendor Audit
• Validation Plan
• Business Process – models, descriptions etc.
• System requirements and Design specifications
• Risk management file
• GxP Impact assessment
• Test plans, protocols, reports
• Data Conversion – mapping, cleansing, migration
• Security Authorisations and SOPs
• Training documents
• Change management documents
• Validation certificate
Slide 5
GxP Impact
• Product quality
• Patient Safety
• Data Integrity
• Regulatory requirement
• Process based – process decomposition
• Transaction based
• Do we validate non-GxP processes?
Slide 6
Data Conversion
• Mapping
• Cleansing
• Migration
• Verification
• Selecting a sample size
• 100% verification if possible
• Impact of diacritics and other non-ASCII characters
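The verification step described on this slide, as an added example that is not part of the presentation: a Python check that compares every migrated record with its source (100% verification), separates a harmless Unicode normalisation difference from the mojibake a wrong code page produces on load, and fingerprints each record for the verification report. The material numbers, descriptions and the planted defects are constructed sample data.

```python
import hashlib
import unicodedata
from typing import Dict, List, Tuple

Record = Dict[str, str]

# Constructed sample: legacy (source) material records, keyed by material number.
SOURCE: Dict[str, Record] = {
    "MAT-0001": {"description": "Ger\u00e4t Typ A", "plant": "1000"},
    "MAT-0002": {"description": "R\u00e9sine \u00e9poxy", "plant": "2000"},
    "MAT-0003": {"description": "Z\u00fcrich filter", "plant": "1000"},
    "MAT-0004": {"description": "Plain filter", "plant": "3000"},
}

# Constructed sample: the same records as loaded into the target ERP.
# MAT-0001 intact; MAT-0002 mojibake (UTF-8 bytes decoded as Latin-1 on load);
# MAT-0003 decomposed (NFD) form, visually identical; MAT-0004 wrong plant.
TARGET: Dict[str, Record] = {
    "MAT-0001": {"description": "Ger\u00e4t Typ A", "plant": "1000"},
    "MAT-0002": {"description": "R\u00c3\u00a9sine \u00c3\u00a9poxy", "plant": "2000"},
    "MAT-0003": {"description": "Zu\u0308rich filter", "plant": "1000"},
    "MAT-0004": {"description": "Plain filter", "plant": "3300"},
}


def classify_field(src: str, tgt: str) -> str:
    """Compare one migrated field value with its source value."""
    if src == tgt:
        return "ok"
    # Same characters in a different Unicode normalisation form: the strings
    # look identical on screen but differ byte for byte.
    if unicodedata.normalize("NFC", src) == unicodedata.normalize("NFC", tgt):
        return "normalisation"
    # Mojibake: UTF-8 bytes were decoded as Latin-1 during the load.
    # Re-encoding as Latin-1 and decoding as UTF-8 recovers the original.
    try:
        if tgt.encode("latin-1").decode("utf-8") == src:
            return "mojibake"
    except UnicodeError:
        pass
    return "mismatch"


def record_fingerprint(record: Record) -> str:
    """SHA-256 over NFC-normalised values in a fixed field order; kept with
    the verification report as evidence of exactly what was compared."""
    canon = "\x1f".join(
        f"{k}={unicodedata.normalize('NFC', v)}" for k, v in sorted(record.items())
    )
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def verify_migration(source: Dict[str, Record], target: Dict[str, Record]
                     ) -> Tuple[Dict[str, int], List[Tuple[str, str, str]]]:
    """100% verification: every field of every source record is checked.
    Returns (counts per outcome, findings as (key, field, outcome))."""
    counts = {k: 0 for k in ("ok", "normalisation", "mojibake", "mismatch",
                             "missing", "extra")}
    findings: List[Tuple[str, str, str]] = []
    for key, src_rec in source.items():
        tgt_rec = target.get(key)
        if tgt_rec is None:
            counts["missing"] += 1
            findings.append((key, "*", "missing"))
            continue
        for field, src_val in src_rec.items():
            outcome = classify_field(src_val, tgt_rec.get(field, ""))
            counts[outcome] += 1
            if outcome != "ok":
                findings.append((key, field, outcome))
    for key in target:
        if key not in source:
            counts["extra"] += 1
            findings.append((key, "*", "extra"))
    return counts, findings


def migration_passed(counts: Dict[str, int]) -> bool:
    """Pass only when nothing was lost, corrupted or changed. Normalisation
    differences are reported separately so that the acceptability of the
    target system's form is decided explicitly before sign-off."""
    return all(counts[k] == 0 for k in ("mojibake", "mismatch", "missing", "extra"))


if __name__ == "__main__":
    counts, findings = verify_migration(SOURCE, TARGET)
    print(counts)
    for key, field, outcome in findings:
        print(f"{key}.{field}: {outcome}")
    print("PASS" if migration_passed(counts) else "FAIL")
```

With four records the check is trivially 100%; the same functions run over a full extract, and the per-record fingerprints are what a sampled re-check later compares against.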
Slide 7
Security
• Generic (shared) user accounts
• Overly wide access profiles
• Align security settings with the organisation
• Define roles for groups
• Users – segregation of duties
• User access and periodic review
• Change management – transports (Dev | QA | Prod)
• Access to sensitive functions
• Business ownership of security processes
Slide 8
Standard Transactions
• Select appropriate transaction codes
• e.g. MM01, MM02, MM03?
• MM01 – Create Material Master
• MM02 – Change Material Master
• MM03 – Display Material Master
• Least risk – grant the least-privileged transaction that meets the need (e.g. MM03 display rather than MM02 change)
• Daisy chaining – chaining transactions adds UI overhead
• What modules do we implement first?
• When do we decide to customise?
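The periodic user access review from the Security slide, combined with the least-risk transaction choice above, as an added example that is not part of the presentation. It is a Python review over a role-to-transaction map that flags generic (shared) accounts, overly wide roles, access to sensitive functions and segregation-of-duties conflicts. MM01/MM02/MM03 are the material-master codes named on the slide; every other role, user, transaction code, threshold and SoD rule here is a constructed assumption for illustration, not a recommended SoD matrix.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample: roles and the transaction codes each one grants.
ROLES: Dict[str, Set[str]] = {
    "Z_MM_DISPLAY":  {"MM03"},                    # display only: least risk
    "Z_MM_MAINTAIN": {"MM01", "MM02", "MM03"},    # create/change material master
    "Z_QM_RELEASE":  {"QA11"},                    # assumed: batch release decision
    "Z_BASIS_ALL":   {"SU01", "PFCG", "MM01", "MM02", "MM03", "QA11"},  # wide profile
}

# Constructed sample: users and their assigned roles.
USERS: Dict[str, Set[str]] = {
    "jsmith":  {"Z_MM_MAINTAIN"},
    "akumar":  {"Z_MM_DISPLAY"},
    "LABUSER": {"Z_MM_MAINTAIN", "Z_QM_RELEASE"},   # generic/shared account
    "mchen":   {"Z_BASIS_ALL"},
}

# Assumed SoD rules: transaction pairs one person must not hold together.
SOD_RULES: Dict[Tuple[str, str], str] = {
    ("MM02", "QA11"): "change material master and release batches",
    ("SU01", "PFCG"): "create users and assign roles",
}

SENSITIVE_TCODES = {"SU01", "PFCG", "QA11"}           # assumed sensitive functions
GENERIC_ACCOUNT_HINTS = ("LAB", "TEST", "SHARED", "GENERIC")
WIDE_ROLE_THRESHOLD = 5   # assumed: a role granting more codes than this is "wide"


def effective_tcodes(user: str, users=USERS, roles=ROLES) -> Set[str]:
    """Union of the transaction codes granted by all of the user's roles."""
    return set().union(*(roles[r] for r in users[user]))


def sod_conflicts(user: str, users=USERS, roles=ROLES) -> List[Tuple[Tuple[str, str], str]]:
    """SoD rules where the user holds both transactions of the pair."""
    held = effective_tcodes(user, users, roles)
    return [(pair, why) for pair, why in SOD_RULES.items() if set(pair) <= held]


def is_generic_account(user: str) -> bool:
    """Heuristic: shared accounts are usually named after a place or purpose,
    not a person, so nobody is individually accountable for their actions."""
    return any(h in user.upper() for h in GENERIC_ACCOUNT_HINTS)


def review_user(user: str, users=USERS, roles=ROLES) -> Dict[str, object]:
    """Findings for one user; an empty dict means nothing to escalate."""
    held = effective_tcodes(user, users, roles)
    findings: Dict[str, object] = {}
    if is_generic_account(user):
        findings["generic_account"] = True
    wide = sorted(r for r in users[user] if len(roles[r]) > WIDE_ROLE_THRESHOLD)
    if wide:
        findings["wide_roles"] = wide
    sensitive = sorted(held & SENSITIVE_TCODES)
    if sensitive:
        findings["sensitive"] = sensitive
    conflicts = sod_conflicts(user, users, roles)
    if conflicts:
        findings["sod"] = [f"{a}+{b}: {why}" for (a, b), why in conflicts]
    return findings


def periodic_access_review(users=USERS, roles=ROLES) -> Dict[str, Dict[str, object]]:
    """The list the business owner of the process signs off: only users
    with at least one finding."""
    report: Dict[str, Dict[str, object]] = {}
    for user in users:
        findings = review_user(user, users, roles)
        if findings:
            report[user] = findings
    return report


if __name__ == "__main__":
    for user, findings in periodic_access_review().items():
        print(user, findings)
```

The display-only user and the maintain-only user produce no findings; the shared lab account and the user holding the wide profile are the ones the business owner has to justify or remove.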
Slide 9
ERP Extension Frameworks
• SAP RICEF(W)
• Reports, Interfaces, Conversions, Enhancements, Forms (and Workflow)
• Oracle CEMLI
• Configuration, Extension, Modification, Localisation, Integration
• Customised extensions
• Assess for GxP impact
• Can turn into a full-blown sub project
• Core Changes
• Modify standard transactions
• Invalidates warranty - unsupported
• Lost on next update
Slide 10
Package Slam
• Bypass the ‘as-is’ and ‘to-be’
• Consequence of fixed price implementation
• Result can be verified but not truly validated
• ‘Improvements’ continuing 1-2 years after Go-Live
• Hidden cost in ‘BAU’
• Time and Materials contract will minimise the risk
Slide 11
Agile vs Waterfall
• SAP – ASAP; Oracle – AIM
• V Model = Waterfall with a kink
• Documentation maps nicely to Waterfall
• Agile is more representative of development
• Versions or ERP modules in an Epic
• Walk part way up the ‘V’
• Update requirements and tests after multi sprints
• A plan is a plan – avoid doc-centric mindset
• Reports say what we did – variance from plan
Slide 12
Cadenced Delivery
• Cadencing provides stability for clients
• Potential savings – known release dates
• Unfinished features pushed to next release
• Identify a suitable cadence for the organisation
Slide 13
Image Synchronisation
• Vital to maintain system integrity
• Manage transports across images
• Identify orphan transports
• Validated state cannot be guaranteed unless synched
• May trigger re-validation
• Part of maintaining the configuration baseline
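The transport checks this slide calls for, as an added example that is not part of the presentation: a Python comparison of the transport import history of a DEV, QAS and PRD landscape that finds orphan transports (imported to production without passing QA), transports still pending in production, transports imported in a different order to the one tested, and released transports that never went anywhere. The transport numbers and import sequences are constructed sample data in the usual SAP numbering style.

```python
from typing import Dict, List, Tuple

# Constructed sample: transport numbers in import order for a three-tier
# landscape. Real transports look like DEVK9xxxxx; these are made up.
DEV_RELEASED: List[str] = [
    "DEVK900101", "DEVK900102", "DEVK900103",
    "DEVK900104", "DEVK900105", "DEVK900106",
]
QAS_IMPORTS: List[str] = ["DEVK900101", "DEVK900102", "DEVK900103", "DEVK900105"]
PRD_IMPORTS: List[str] = ["DEVK900101", "DEVK900103", "DEVK900102", "DEVK900104"]
# Defects planted above: 104 reached PRD without ever passing QAS (orphan);
# 102/103 were imported into PRD in the opposite order to QAS; 105 is still
# waiting in PRD's queue; 106 was released but never imported anywhere.


def orphan_transports(qas: List[str], prd: List[str]) -> List[str]:
    """Imported into production without an import into QA: an untested change."""
    tested = set(qas)
    return [t for t in prd if t not in tested]


def pending_transports(qas: List[str], prd: List[str]) -> List[str]:
    """In QA but not yet in production: QA no longer mirrors PRD."""
    live = set(prd)
    return [t for t in qas if t not in live]


def never_imported(released: List[str], *systems: List[str]) -> List[str]:
    """Released from DEV but present in no downstream system."""
    imported = set().union(*systems)
    return [t for t in released if t not in imported]


def sequence_deviations(qas: List[str], prd: List[str]) -> List[Tuple[str, str]]:
    """Pairs (a, b) imported a-then-b in QA but b-then-a in PRD. For any
    object both transports carry, the later import wins, so PRD can end up
    holding a version of the object that QA never tested."""
    prd_pos = {t: i for i, t in enumerate(prd)}
    common = [t for t in qas if t in prd_pos]
    return [(a, b) for i, a in enumerate(common) for b in common[i + 1:]
            if prd_pos[a] > prd_pos[b]]


def synchronisation_report(released: List[str], qas: List[str],
                           prd: List[str]) -> Dict[str, object]:
    """Summarise the state of the landscape against its configuration baseline."""
    orphans = orphan_transports(qas, prd)
    pending = pending_transports(qas, prd)
    deviations = sequence_deviations(qas, prd)
    return {
        "orphans": orphans,
        "pending": pending,
        "sequence_deviations": deviations,
        "not_imported": never_imported(released, qas, prd),
        # Images are synchronised only when PRD holds exactly what QA holds,
        # in the same order.
        "in_sync": qas == prd,
        # The validated state can be claimed for PRD only if every change in
        # it was tested in QA, in the order in which it was tested.
        "validated_state_guaranteed": not orphans and not deviations,
    }


if __name__ == "__main__":
    for key, value in synchronisation_report(DEV_RELEASED, QAS_IMPORTS, PRD_IMPORTS).items():
        print(f"{key}: {value}")
```

An orphan or an ordering deviation is what triggers re-validation; a pending transport only means QA is ahead of production and is normally just a scheduling matter.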
Slide 14
HANA and Exalytics
• Near real-time processing
• Memory resident vs Disk based
• Not for Big Data (terabytes rather than petabytes)
• Good for:
• Optimising supply chain
• Security monitoring
• Energy use
• Network optimisation
Slide 15
Cloud Computing Implications
• HANA and Exalytics can utilise the Cloud
• How secure is secure?
• Life of a secure encryption algorithm – assume 10 years at most, so plan for its replacement
• Cloud providers are suppliers.
• Apply the existing standards and regulations for handling suppliers
• Formal agreements (SLA) including GxP requirements
• Audits
Slide 16
Cloud Security
• ISO 27001 – 43% of certified companies subsequently shown not to be compliant
• Physical theft, employee mistakes (like lost devices) and insider threats were responsible for 42.7% of 2013 data breaches in the US
• Computers, laptops and company servers are responsible for the large majority of your vulnerabilities, not the cloud
• An enterprise data center (EDC) is 4x more likely to suffer a malware/bot attack than a cloud hosting provider (CHP)
• EDCs and CHPs are equally vulnerable to vulnerability scanning and brute-force attacks
• EDCs are 3x more likely to suffer a recon attack and 4x more likely to suffer an app attack
Slide 17
Australian Regulations & Guidelines
2013 - National Cloud Computing Strategy
2014 – Cloud Computing Regulatory Stock Take (91 Pages)
• Competition and Copyright - 2012, ALRC Inquiry, Technology centric
• Consumer Protection - 2010, Competition and Consumer Act
• Data Protection and Privacy - 2014, Changes to the Privacy Act
• Cybersecurity - 2012, Cybercrime Legislation Amendment Act
• Law Enforcement Access - 2013, Parliamentary report
• Regulatory Burden - Over 450 pieces of legislation at present
Government policy – regulation should not be the default option
NSCCC – National Standing Committee for Cloud Computing
Breach Notification - May 2013, Legislation lapsed due to the Election
Slide 18
Thank you for your time. Questions?
Terry Jeanes
Senior Software Quality Engineer, Cochlear Limited