SaaS and cloud-hosted systems have become standard in pharmaceutical operations - LIMS, document management systems, CTMS, ERP, and validation lifecycle management platforms like PHARPRO DVS are all delivered as cloud services. Validating these systems requires a different approach than traditional on-premise software, and many quality teams are still working out how to do it correctly.
When Does a Cloud System Need Validation?
Apply the GxP rule: if the system creates, modifies, maintains, archives, retrieves, or transmits electronic records that are used to make GxP decisions (product release, batch record, quality approval, regulatory submission), it requires validation. The hosting model is irrelevant to the GxP obligation.
Common mistake: Teams assume a vendor's SOC 2 or ISO 27001 certification is sufficient validation evidence. These certifications address information security - they do not demonstrate GxP fitness for use. They are complementary to validation, not a substitute for it.
Applying GAMP 5 to SaaS Systems
GAMP 5 Second Edition provides updated guidance specifically for cloud-hosted and SaaS systems. Most configured SaaS products fall into Category 3 (Configured Products). The validation strategy should be proportionate to the system's GxP impact and the degree of configuration applied by your organisation.
For a Category 3 SaaS system, the typical validation package includes:
- User Requirements Specification (URS) - defining what the system must do in GxP terms
- Supplier/Vendor Assessment - qualifying the SaaS vendor as a GxP service provider
- Risk Assessment - identifying GxP risks associated with the configuration and data managed
- Configuration Specification - documenting how the system is set up
- Operational Qualification (OQ) - testing that the configuration meets the URS
- Data Migration Validation (if applicable)
- Validation Summary Report
Vendor Qualification for SaaS Providers
The pharmaceutical company must assess the SaaS vendor as a critical supplier. This assessment includes:
- Review of the vendor's Software Development Life Cycle (SDLC) and change management process
- Data hosting, backup, and disaster recovery arrangements
- Access control and segregation of duties
- Audit trail capabilities
- Data integrity controls including encryption at rest and in transit
- Incident management and notification procedures
- Sub-processor management (third-party cloud infrastructure like AWS, Azure, GCP)
A quality agreement should be established with the SaaS vendor covering GxP-relevant responsibilities, notification obligations for changes, and your right to audit.
Data Integrity in the Cloud
EU GMP Annex 11 and FDA data integrity guidance apply equally to cloud-hosted data. Key data integrity controls include:
- Audit trails that capture who did what, when - and are not editable by users
- Access controls preventing unauthorised modification of GxP records
- Backup and recovery with defined RPO/RTO aligned to GMP requirements
- Data retention in accordance with regulatory and company requirements
- Verified export/migration capability to ensure records can be retrieved if the SaaS vendor relationship ends
Change Control for SaaS Systems
SaaS vendors update their systems on their own schedules, often without advance notice to customers. Your quality agreement must require the vendor to notify you of changes that could impact validated functionality. Your change control SOP must address how vendor-initiated updates are assessed, tested, and approved before deployment to the production environment - or, in the case of automatic updates, how post-deployment verification is conducted.
Inspection risk: EU and FDA inspectors have cited pharmaceutical companies for using SaaS systems without a documented change control process covering vendor updates. Ensure your QMS addresses this scenario explicitly.
PHARPRO DVS - Built for GxP Cloud Validation
PHARPRO DVS is an AI-assisted validation lifecycle management platform built specifically for pharmaceutical teams. It generates, manages, and approves validation documentation in a 21 CFR Part 11-compliant, cloud-hosted environment. If you are validating DVS itself, PHARPRO can provide the vendor documentation package to support your qualification. Learn more at dvs.pharpro.co.