ERP Implementation Checklist for Regulated Manufacturers
By Thomas Brünger, Managing Partner
Implementing an ERP system in a regulated manufacturing environment is not the same as a standard rollout. The system will hold data that carries regulatory and patient risk, so the implementation has to produce not only a working system but the documented evidence that it was specified, built, and tested under control. Microsoft Dynamics 365 Business Central is not compliant out of the box — compliance is achieved through risk-based configuration and computer system validation (CSV) against documented requirements. This checklist walks through what an implementation for a regulated manufacturer has to cover, phase by phase.
How to use this checklist
Work through the phases in order; each one produces evidence the next depends on. The depth of effort per item should follow a risk assessment — a critical, GxP-relevant function (batch release, electronic signatures, audit trail) warrants more rigour than a low-risk report. This is the CSA / risk-based approach that GAMP 5 (Second Edition) expects: validate what matters, and document why the rest matters less.
Phase 1 — Scope and requirements
- Define the regulatory scope: which regulations apply (EU GMP Annex 11, 21 CFR Part 11, Annex 22 for AI, GAMP 5) and which processes are GxP-relevant.
- Write a User Requirements Specification (URS), approved by QA, covering functional, data-integrity, security, and regulatory requirements.
- Perform a GxP risk assessment per process area to set the validation effort (CSA / risk-based).
- Record the intended use and system boundaries, including integrations (LIMS, QMS, WMS, MES).
Phase 2 — Supplier and system qualification
- Assess the supplier: for Business Central online, evaluate Microsoft's documented quality and security controls rather than auditing the data centre yourself.
- Classify the system and its extensions against GAMP 5 software categories.
- Qualify the infrastructure (or document reliance on the SaaS platform's qualified infrastructure).
- Confirm the release / update cadence is understood and controlled (SaaS updates are a change-control input, not a surprise).
Phase 3 — Design, configuration, and data integrity
- Configure the audit trail so that GxP-relevant changes are captured, attributable, and tamper-evident (ALCOA+).
- Design access control on least-privilege: role-based permissions, segregation of duties, and no shared accounts.
- Configure electronic signatures where required, with the meaning of the signature recorded.
- Define data-integrity controls across the record lifecycle — creation, change, archival, and retention.
- Document every configuration decision so it can be traced to a requirement.
Phase 4 — Validation (IQ / OQ / PQ)
- Write validation protocols (IQ, OQ, PQ) that trace to the URS.
- Execute the protocols and retain the executed records with evidence.
- Log, assess, and close every deviation before release.
- Produce a Validation Summary Report (VSR), approved by QA, that concludes the system is fit for intended use.
- Maintain a requirements-to-test traceability matrix.
Phase 5 — Go-live and operations
- Put change control in place before go-live — no change to the validated system without assessment.
- Train users and record the training as evidence.
- Schedule periodic review to confirm the validated state remains current.
- Define the process for handling SaaS updates under change control (impact assessment, regression testing where warranted).
Related reading
- Computer system validation step by step — the validation lifecycle in depth.
- Audit readiness for Business Central — the companion checklist for producing evidence in an inspection.
- GxP validation for Business Central — the regulatory framework behind these steps.
A checklist is a starting point, not a validation plan. If you are scoping an implementation in a regulated environment, a short advisory conversation can clarify where the real risks are before the project starts.
Frequently asked questions
- Is an ERP system compliant out of the box?
- No. Microsoft Dynamics 365 Business Central is not GxP-compliant out of the box. Compliance is achieved through risk-based configuration, controls, and computer system validation (CSV) against documented requirements — not by the software alone. This checklist covers the steps that make an implementation defensible in an inspection.
- When should validation start in an ERP implementation?
- Validation planning starts at the requirements phase, not after go-live. The User Requirements Specification (URS) is the anchor: test protocols trace back to it, and a GxP risk assessment done early determines how much validation effort each function needs (a CSA / risk-based approach under GAMP 5).
- What is the difference between being compliant and being audit-ready?
- A compliant system meets the requirements; an audit-ready system can produce the evidence of compliance quickly and clearly during an inspection. Many findings arise not because requirements were unmet, but because the evidence could not be retrieved. Both are in scope for this checklist.
- Does this checklist apply to Business Central cloud (SaaS)?
- Yes. The same validation lifecycle applies to Business Central online. The supplier-qualification and infrastructure-qualification effort shifts to assessing Microsoft's documented controls and the SaaS release cadence, but data integrity, audit trail, access control, and change control still require configuration and validation on your side.