ERP Systems in the Cloud: What You Need to Know
In March of 2016, Microsoft will formally launch its latest version of Dynamics AX7 (previously codenamed “Rainier”) to much fanfare. Although there are no major functionality changes, the look and feel of the system underwent a significant makeover and something called Lifecycle Services has taken center stage. With this new release, Microsoft is promoting a “mobile first, cloud first” strategy, which means a computing environment and platform for the masses. With each strategic step Microsoft takes towards the cloud, the impact on computer systems validation is profound.
If you think about the goal of Enterprise Resource Planning (ERP) systems, it is the management of supply chain processes across the enterprise. The validation of these systems is designed to ensure that the system meets its intended use. Deployment of ERP systems in an on-premise environment was a time-consuming proposition. The validation of the system was carried out by most validation engineers on paper and using manual processes, sometimes with “validation toolkits” to accelerate this process.
The biggest paradigm shift in the cloud environment is that of rapid deployment. With tools like Microsoft Lifecycle Services, Microsoft Dynamics AX can be installed automatically in a matter of hours, not days. Therefore, given the speed at which applications can be deployed in a cloud environment, can validation keep up? How do you “rapidly validate” cloud-based solutions? What does one need to know when validating Microsoft Dynamics AX7/Azure?
There are 5 key things you need to know when validating Microsoft Dynamics AX7/Azure® which are summarized below.
Point 1 – The Principles of Validation Endure
It is important to understand that the basic principles of validation have not gone away with the cloud. You still have to conduct a risk assessment, define user/functional/design/performance requirements, develop a test plan, test the system, summarize the validation effort and manage the system under change control. The difference in cloud validation is who is responsible for the infrastructure and application layers. In a cloud environment, it is important to understand that the Sponsor organization is still ultimately responsible for validation. The FDA will never audit Microsoft on your behalf. It is your responsibility to ensure that your Microsoft Dynamics AX7/Azure system is validated according to its intended use.
You will still have to conduct a supplier audit to qualify the vendor. You need to know that Microsoft has been independently audited by third-party organizations and that the controls that govern the Azure platform are sound. You can read their SOC 1/SOC 2 reports at the Microsoft Trust Center https://www.microsoft.com/en-us/TrustCenter/Compliance/SOC1-and-2. You must keep these reports available for Agency inspection with your validation package.
When validating the application itself, you need to conduct positive and negative testing to rigorously test the application to ensure that it consistently and repeatedly delivers the desired results. Some companies think that because the application is in the cloud, you do not have to test as thoroughly. This is NOT TRUE! You still must conduct the proper level of validation testing based on RISK. The higher the risk, the greater the level of validation due diligence required. You also must determine the level of testing based on the GAMP 5 category. The Microsoft Dynamics AX7/Azure system is considered a CATEGORY 4 system from a GAMP 5 perspective. However, if Microsoft Dynamics AX7/Azure is highly customized, it may be a CATEGORY 4/5 system. The higher the level of customization, the greater the level of validation due diligence required. This is the way validation has always been conducted.
The principles of validation endure but you need to know that the cloud changes things. You must adjust your strategy to meet the demands of the cloud.
Point 2 – You Must Maintain the Validated State
When it comes to validation in the cloud, the elephant in the room is how you manage change control and how you maintain the validated state. Change control is an essential quality process that helps to ensure that validated systems are maintained and updated in a controlled manner. You need to know that when the ERP system is in the cloud, the paradigm of change control is out of the hands of the Sponsor and under the control of the cloud provider. Your first order of business is to conduct a thorough supplier audit of your cloud provider. Not all cloud providers are created equal. You need to ensure that your cloud provider understands the unique challenges of validation in a regulated environment.
To maintain the validated state, you need to understand that cloud environments undergo frequent changes. This concept is antithetical to the process of validation, which states that changes to validated system environments must be documented. Your cloud provider, if they passed a SOC 1/SOC 2 audit, has implemented a change policy and controls as part of their data center strategy. You need to understand what this is and request, if possible, copies of change logs since changes to the infrastructure are their responsibility.
Once changes are made, regression testing needs to occur. In the past, many validation engineers have been reluctant to change their systems and conduct revalidation efforts. Sometimes this meant that systems were left in a “validated state” for years without any changes. You no longer have this luxury in a cloud environment. Therefore, you need a way to facilitate regression testing in a more frequent manner without significant impact on already strained validation resources.
One way we have recommended that clients address this is with automated validation testing. OnShore offers an Enterprise Validation Management system called ValidationMaster designed to facilitate this type of testing.
Point 3 – Get Smart About Regression Testing
As previously mentioned, you may have to test a bit more often in a cloud environment. Thus, you need to get smarter about regression testing. With most ERP systems, once you conduct validation on paper, you have a set of test scripts which can be referenced again on paper. However, if you generate AUTOMATED test scripts, you will create a reusable test script library, traced to your specific user requirements, which can be used over and over again in a cloud environment. When revalidating an ERP system, you will have to generate a validation test plan, draft a risk assessment based on the type of change, determine the level of testing, conduct validation testing, record test results and summarize the effort. If the infrastructure or application changes, you will have to document these changes in the configuration specification and user requirements specification respectively. Having a system in place like ValidationMaster helps to drive more efficient processes and helps with smart regression testing that can be completed in a matter of hours and not weeks as in the manual process.
Point 4 – Understand The Differences Between On-Premise Vs Cloud Validation
You need to understand how the differences between on-premise and cloud validation impact the validation strategy. The key difference is who is responsible. In a cloud environment, the cloud provider is responsible for the infrastructure. You will need to develop SOPs that include the cloud validation scenario. You will need to define key deliverables for cloud validation and ensure that you have a strategy to maintain the validated state in the cloud.
Point 5 – Cybersecurity Matters
Finally, one of the biggest issues with ERP in the cloud is cybersecurity. This is a MAJOR issue which requires careful consideration by life sciences companies as they deploy ERP systems in the cloud. The Cloud Security Controls Matrix (CCM) https://cloudsecurityalliance.org/group/cloud-controls-matrix/ provides an effective framework for assessing security in the cloud. You will need to go beyond typical role-based security when dealing with the cloud. There is an excellent article in Government Technology magazine called “The Importance of Cybersecurity in the Age of the Cloud and Internet of Things” (http://www.govtech.com/security/The-Importance-of-Cybersecurity-in-the-Age-of-the-Cloud-and-Internet-of-Things.html). This article highlights new initiatives like the Federal Risk and Authorization Management Program (FedRAMP) that are designed to help ensure the proper level of governance around cloud security. Life sciences companies need to know that this is VERY IMPORTANT and they will have to do the same thing for their ERP systems. We strongly recommend that you do not reinvent the wheel and use processes like those in FedRAMP or other similar strategies.
I will also point you to a Harvard article called “Cloud Cyber Security: What Every Director Needs to Know” (https://corpgov.law.harvard.edu/2014/08/06/cloud-cyber-security-what-every-director-needs-to-know/), which discusses the same principles. This article discusses key principles around cloud cybersecurity governance and control. The article highlights the principle of continuous monitoring of the cloud environment as highlighted above.
Bottom line, the cloud changes things. You will need up-to-date validation strategies to effectively implement, validate, and maintain your ERP application. Are you ready for the cloud?