Three ERP security concerns for medical manufacturers

It is Friday afternoon (really evening) and Julia is leaning back in her chair thinking about Monday's meeting to select an ERP provider. Her company has, at last, begun to grow, and it needs an ERP system. Their medical device is cutting edge and now has government approval. But after years of everyone wearing many hats and just getting things done, they now need to comply with a lot of rules they skirted while ramping up. What really matters, and what will distinguish the manufacturing ERP providers in the realm of security? GRC (governance, risk management, and compliance) is at the heart of continued certification.

How can we ensure that work is only done by people fully qualified?

Any ERP will allow a manager to set up a new user. You need to be sure that the user is qualified and that the qualification is documented by training and certifications. An unqualified user should not even be able to log onto a job or operation, so that the wrong people cannot work on products. Along with this come separation of duties (SoD) requirements. An engineer or inspector may hold the qualifications to build products, but SoD requires them to remain apart from production tasks. While this was commonly done last year, it is no longer allowed.
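As an added illustration (not from the article or any ERP vendor), here is a Python sketch of the gate described above: a user may log onto an operation only when every required certification is documented and unexpired, and no separation-of-duties rule excludes their role. The User and Operation shapes, the certification names and the SoD table are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed records standing in for an ERP's user master and operation
# master (hypothetical shapes, not any vendor's schema).
@dataclass
class User:
    user_id: str
    roles: set            # e.g. {"operator"}, {"inspector"}
    certifications: dict  # certification name -> expiry date

@dataclass
class Operation:
    op_id: str
    required_certs: set   # every certification needed to run this operation
    task_type: str        # "production" or "inspection"

# Separation-of-duties table: roles that must stay apart from a task type
# (illustrative policy, not a regulation's wording).
SOD_EXCLUSIONS = {
    "production": {"inspector", "engineer"},
    "inspection": {"operator"},
}

def authorize_operation(user, op, today):
    """Return (allowed, reasons); all deny reasons are kept for the audit log."""
    reasons = []
    for cert in sorted(op.required_certs):
        expiry = user.certifications.get(cert)
        if expiry is None:
            reasons.append(f"missing certification: {cert}")
        elif expiry < today:
            reasons.append(f"expired certification: {cert} ({expiry})")
    conflicts = user.roles & SOD_EXCLUSIONS.get(op.task_type, set())
    if conflicts:
        reasons.append(f"SoD conflict: {sorted(conflicts)} on {op.task_type}")
    return (not reasons, reasons)

def demo(today=date(2024, 6, 1)):
    """Check three constructed users against one production operation."""
    current = {"ipc-j-std-001": date(2025, 3, 1), "esd-awareness": date(2025, 3, 1)}
    op = Operation("OP-110", {"ipc-j-std-001", "esd-awareness"}, "production")
    users = [
        User("alice", {"operator"}, current),              # fully qualified
        User("bob", {"operator"}, {"ipc-j-std-001": date(2024, 1, 15)}),  # lapsed, missing
        User("carol", {"inspector"}, current),             # qualified but SoD-blocked
    ]
    return {u.user_id: authorize_operation(u, op, today) for u in users}
```

Keeping every deny reason, rather than stopping at the first one, gives the audit trail that a GRC review of access decisions depends on.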


How can we stay in CAPA compliance?

Errors will occur – that is certain. You need to be sure that corrective and preventive actions are built into the ERP. If a problem was caused by the use of an out-of-current-revision component, can the ERP help prevent that possibility in the future? Can the ERP support a workflow that moves from a revision change in engineering to the forced removal of inventory that is no longer in spec? When you build a product to a specific customer’s documentation, will the ERP ensure that only that customer’s drawings are available to production? It is impossible to imagine every corrective and preventive action that might be required, so is the ERP flexible and agile enough to enforce the CAPA requirements that do arise?

Will this manufacturing ERP help protect the crown jewels?

A new manufacturing ERP needs to stay cutting edge and keep you ahead of any competition. That means data security to prevent any unauthorized viewing or downloading of product data. It also means limiting internal access to any part of that data to only those with a documented need to know. This kind of security is tricky and multi-level. You don’t want to prevent a junior engineer from updating part routings in general when you only want to limit access to the routing of your primary product. If you choose to keep data for that product on a separate server, can the ERP switch easily between two data sources? Could the ERP provider have better ideas for security?

Julia leans back and puts her feet on her desk.  There are many security domains to consider but these are her primary questions.  She and her ERP selection team have agreed on these.  Next they find out if one of the ERP providers can meet their requirements.

Tom Miller

About the author…

Tom completed implementations of Epicor, SAP, QAD, and Micro MRP. He works as a logistics and supply chain manager and he always looks for processes to improve. He lives near San Francisco Bay in California and can be found on the water in his kayak or on the road riding his motorcycle. Contact Tom at

