Upgrade of a Global Information System: from SAP ECC to S4HANA – A Case Study

by David Bini, PhD, ERP Operations Unit Manager & Senior Associate Partner @PQE Group


Currently, SAP is the lead ERP solution for medium and large pharma companies. Many of them are now facing the challenge to identify a solution to upgrade from SAP ECC to S4HANA as a required step: the support of the SAP ECC solution will end in 2025. 

The embedded complexity of the project is due to the impact of the project:

  1. The number of changes and stratification of modifications during the years, which includes a very high number of Z-transactions; 
  2. The number of interfaces with field equipment (printers, handheld devices) and systems (see also Figure 2); 
  3. The number of companies and differentiated processes between them, for example:
    • 3 pharmaceutical production plants
    • 1 API production plant 
    • 10+ commercial and distribution sites around the world 

SAP ECC was validated in its first implementation and then in all succeeding roll outs. The S4HANA Validation Exercise should be executed to maintain the validated status of the system. 

From SAP ECC to S4HANA_Site Banner PQE

Risk Based Approach 

  1. The number of risks embedded in the project requires strong project management, especially with respect to the risk management that was deeply connected with the validation life cycle, which should be executed in order to mitigate risks in the GxP environment. The risk based approach is key and must be applied to the life cycle: A risk based approach must be used to select the scope of the project:
    1. The scope should be limited to the upgrade of SAP ECC to S4HANA in an outsourced “on premise” IT infrastructure: any possible cloud adoption is required for a 2nd phase of the project; 
    2. The approach to the update of the process is limited to the mandatory simplifications that S4HANA introduced; 
    3. Consolidation in a unique life cycle multiple roll out / changes and documentation that from 2009 to 2020 constituted a weak validation baseline: a new solid life cycle provided the occasion to introduce compliant processes such as Logical Security and Audit trail review.
  2. A risk based approach in the selection of the partner (system integrator) to lead such a complex and fundamental project;
  3. A risk based approach in the migration verification (SUM, SAP Upgrade Manager used to drive the activity);
  4. A risk based approach in the overall validation exercise focusing the attention on the customization impacted by the change. 


Figure 1: SAP HANA System Architecture (PRD = production environment, QUA = Quality Environment, TST = Test Environment, DEV = Development Environment) 


Figure 2: SAP Architecture 

Project Validation Deliverable 

The project life cycle took 12 months for implementation, including the unique release in all the sites in a unique solution. 

Key success factors were the application of the concept of a Global Information System (see also GAMP5 Guideline: GPG Global information System Control and Compliance, see reference 1) and therefore the entire life cycle structure is based on a core level documentation that is used as leverage for the following roll outs: 


Figure 3: Validation Life Cycles 

Functional Risk Assessment 

The cornerstone of the entire validation life cycle is the Functional Risk Assessment that is intended to drive the OQ/PQ testing phase for each site in scope. 

A risk based approach included in the validation life cycle includes the standard FMEA approach to the focus: 

  1. Criticality of the process (in the sense of Patient Safety, Product Quality and Data Integrity); 
  2. Occurrence (it is fundamental to focus on the technical complexity of the upgrade including the cases defined in Table 1); 
  3. Detectability.

 Table 1 

Type of Transformation 


Standard to standard (without functional modification) 

To this category belongs all the transactions that were standard in the SAP ECC and have been kept as standard, including in the new SAP HANA. All the SAP objects linked to the function have also been maintained for the new ERP system environment. 

Standard to standard (with functional modification) 

To this category belongs all the transactions that were standard in the SAP ECC and have been replaced by another standard function in SAP HANA. The environment could be partially affected by this change, but the potential failures are still easily detectable. 

Back to standard 

To this category belongs all the transactions that were customized in the SAP ECC and that have been replaced by a new standard function of the SAP HANA system. The environment could be heavily affected by this change and the business process in which the function is involved may need a modification. The ability to detect potential failures is lower than the previous category.  

Custom to custom/New Custom 

This complex category encompasses all the transactions that were customized in the SAP ECC and that have been replaced by a new custom function or that were missing in SAP ECC and have been created from scratch. The environment is heavily affected by the new customization and related linked object. The ability to detect potential failures is very limited. 


GxP Risk Mitigation 

As result of a combination of the three factors (criticality, occurrence, detectability), the analysis is allowed to focus on the activities of validation -- Risk Mitigation actions derived directly from risk strategy included in the Functional Risk Assessment and driving the OQ/PQ activities:

Table 2 


(*) = note: the % the classification of the transactions is to be intended specifically for this case study and not as general assumption. 



Validation is an exercise that constitutes a project unto itself in the overall implementation project, requiring dedicated timelines, resources and dependencies.  

A cost effective implementation and validation was executed focusing the validation exercise on the most significant risks that were mitigated. Otherwise, the overall implementation plan would not have been achievable. 

Future Improvements 

The case study had a successful conclusion even though the company decided to plan, for the following years, some technological transformations on the S4HANA system and the Quality Management system in general: 

  1. Implementing a cloud based IT infrastructure platform: the processes of backup and restore, disaster recovery and high availability will be sensitively improved with a cost effective solution;  
  1. Introducing an application life cycle system (ALM) to leverage the cost of test preparation and execution, possibly interfaced with an automated tool to run automatic regression tests for the changes that the company intended to implement. 

These evolutions are included in the mainstream of the digital transformation. Current guidelines are already captured in the new edition of GAMP5 - A Risk-based Approach to Compliant GxP Computerized Systems (see reference 2). 


  1. Good Practice Guide: Global Information Systems Control and Compliance, second Edition 
  1. GAMP5 A Risk based approach to Compliant GxP Computerized systems, second Edition 

Want to know more?

PQE Group staff comprises experienced and skilled experts in multidisciplinary teams, available to support your company achieving the highest levels of safety for your systems.

Visit our Digital Governance services page to know more or to contact us, and find the most suitable solution for your company.

Connect with us