CONTENTS. List of Tables List of Figures

Transcription

1 Prelims 13/3/06 9:11 pm Page iii CONTENTS List of Tables List of Figures ix xi 1 Introduction The Need for Guidance on ERP System Validation The Need to Validate ERP Systems The ERP Implementation Phenomenon Why Enterprise Resource Planning Systems? Background and Content Chapter by Chapter Background Reading 8 2 Acquisition and Procurement Stakeholder Involvement Cost of Compliant Ownership Package Assessment System Integrator Selection Supplier Audits Contractual Commitments Program Structure IT Infrastucture Qualification and Control 25 3 Developing and Documenting User (Business) Requirements What Are User Requirements For? Regulatory Expectations for User Requirements User Requirements Capture Use of Process Narratives Use of Business Process Models Identifying Regulatory Requirements Non-Functional Requirements 35 iii

2 Prelims 13/3/06 9:11 pm Page iv iv Successfully Validating ERP Systems 3.8 Recommended Approach to User Requirement Specifications What About Functional Requirements? Requirements Identification,Verification and Allocation 41 4 Validation Planning Assumptions The Implementation Program Off-the-Shelf Validation Models System Integrators Experience Validation Training Rapid Applications Development Configurable versus Custom Software System, not Software Developoment Lifecycle Roles and Responsibilities Risk Management 62 5 Governance Procedures Establishing Procedures Scope Roles and Responsibilities Program Team Training Document Management Configuration Management Change Control Change Control during the Implementation Phases Operational Change Control Incident and Defect Management Program Risks and Issues Regulatory and Business Risk Management Requirements Management Other Program SOPs 78 6 Conference Room Pilots The System Integrator s View of Conference Room Pilots The Users View of Conference Room Pilots Successfully Positioning the Conference Room Pilot Interactive Conference Room Pilots Verification Conference Room Pilots One Conference Room Pilot or Two? Inputs to a Conference Room Pilot Outputs from a Conference Room Pilot Conference Room Pilots in a Validation Context 85 7 Test Strategies Testing and Other Forms of Verification To Test or Not to Test What Tests to Conduct Installation, Operational and Performance Qualification 91

3 Prelims 13/3/06 9:11 pm Page v Contents v Risk Assessment and Testing Workflow Reports Interfaces Data Conversions Custom Extensions (Including Standard COTS Software Calling Extensions) Standard Functional COTS Software Other Testing Test Planning, Management and Reporting Managing Configuration Settings Configuration Settings Determining the Correct Configuration Settings Documenting Configuration Settings Verification of Configuration Settings Change Control and Configuration Management Configuration Settings Transport Verification of Configuration Settings between Instances Electronic Records and Signatures Scope and Application Definition Documentation Technical Compliance Procedural, Security and User Issues Customisations What is a Customisation? Waterfall or Iterative Development? Design Specifications Design Verification Software Development and Verification Change Control and Configuration Management Appropriate Testing Program Integration Data Migration What Data Should We Migrate? Metadata and Audit Trails GxP Data Criticality Manual Verification Automatic Verification Validated Data Migration Routines Data Migration Steps and Phases Hardware and Infrastructure Qualification Large, Complex Architectures Instances 140

4 Prelims 13/3/06 9:11 pm Page vi vi Successfully Validating ERP Systems Environments Qualifying Environments Specifying and Installing Components Open Source Software The Desktop (or Laptop) Speciality Field Devices Common Items of IT Infrastructure Detailed Risk Management Leverage Industry Good Practice Risk Management Scope and Process Risk Management Scope Risk Management Process Functional Risk Management Initial Functional Risk Assessment Risk Impact and Requirements Requirements Allocation, Risk Likelihood and Probability of Detection Functional Risk Mitigation Technical Risk Management Managing Other Risks Is It Worth It? SOPS and User Training Change Management and Regulatory Roles User Roles and the Need for Effective Communications Revising and Creating SOPS Training Users Verifying Successful Change Testing ERP Systems Nature and Scope of Testing Pressure of Time Training,Tools and Templates Roles and Responsibilities Test Documentation The Role of Operational Qualification Unit Testing Integration Testing Functional Testing User Acceptance Testing The Use of Computer Based Test Tools Go Live! Going Live and the Validation Report The Validation Report Are We Ready? Proceeding at Risk Go Live! 209

5 Prelims 13/3/06 9:11 pm Page vii Contents vii 16.3 Gone Live Performance Qualification (Post Go Live) Additional Use Cases Enhanced Monitoring Initial Periodic Review Post Implementation Review Audit/Inspection Readiness Review Maintaining the Validated State Competency Centres Outsourcing New Requirements Upgrades and Patches Maintenance and Support Processes Intrusion Detection Vulnerability Management Anti-Virus Shield Updates Security Incident Management Public Key Infrastructure Server Management Client Management Network Management Change Management Configuration Management Help Desk Management Problem Management Backup, Restore and Archiving Disaster Recovery Performance Monitoring Supplier Management Periodic Review Decommissioning Conclusions Implementation and Validation Overview Conclusions 235 Appendix A Definitions 239 Appendix B References and Bibliography 245 Appendix C Acknowledgements 247 Index 249

6 Prelims 13/3/06 9:11 pm Page viii

7 Prelims 13/3/06 9:11 pm Page ix LIST OF TABLES 2.1 Assumed ERP Program Organisation Example of Non-Functional Requirement Categories Example of Test Type versus Qualification Mapping Example of Responsibility Based Test versus Qualification Mapping Typical Data Migration Steps Typical Data Migration Integration Points Typical ERP System Instances (Applications Installs) Example Risk Criteria and Weightings Example Risk Impact Breakpoints Example of Relative Risk Likelihood Criteria Example of Relative Risk Probability of Detection Criteria 171 ix

8 Prelims 13/3/06 9:11 pm Page x

9 Prelims 13/3/06 9:11 pm Page xi LIST OF FIGURES 2.1 Recommended Program Structure Example Recommended Program Structure Example Recommended Program Structure Example Example of a Simple Business Process Model Excerpt from User Requirements Specification Examples of Business Process Flow Diagram Included in Functional Requirements Specification Examples of Requirements Management Stages Mapped to CRPs and SDLC Spiral Development Model (Rapid Prototyping/RAD) Basic GAMP V Model ERP Software Development/Validation Model Typical ERP SDLC Deliverables Example of Program Process Roles and Responsibilities Defined as a Process Swim Lane CRPs in a Validation/Verification Context Risk Based Test Type Matrix Example of Test Documentation Relationship (showing many-to-one relationships Example of Separate E-Record Formatted as a Paper Record Example of ERP Electronic Records Search Facility Example of an ERP Digital Signature Solution Simple Example of Instance/Server/Environment Qualification Scope Example of Instance/Operating System/Server/Environment Qualification Scope Example of More Complex IT Infrastructure and Qualification Scope Example of Qualification Scope with IT Infrastructure Components Shared Across Environments The Risk Management Life Cycle Risk Assessment and Risk Mitigation in the SDLC Examples of Functional Risk Impact Distribution 164 xi

10 Prelims 13/3/06 9:11 pm Page xii xii Successfully Validating ERP Systems 13.4 Example Risk Assessment for Multiple Requirements GAMP /ISO Derived Risk Management Process GAMP /ICH Q9 Derived Risk Management Process Example of Ishikawa (Fish Bone) Diagram to Identify Risks Example of Mind Mapping to Identify Risks Example of ERP Test Script Template Example of ERP Test Case Review Check List Recommended ERP Implementation/Validation Approach Juggling Time, Cost and Quality 238