CSV & Validation

Computer System Validation for SaaS and Cloud Applications in Pharma

9 min read By Mohammad Awawdeh

SaaS and cloud-hosted systems have become standard in pharmaceutical operations - LIMS, document management systems, CTMS, ERP, and validation lifecycle management platforms like PHARPRO DVS are all delivered as cloud services. Validating these systems requires a different approach than traditional on-premise software, and many quality teams are still working out how to do it correctly.

When Does a Cloud System Need Validation?

Apply the GxP rule: if the system creates, modifies, maintains, archives, retrieves, or transmits electronic records that are used to make GxP decisions (product release, batch record, quality approval, regulatory submission), it requires validation. The hosting model is irrelevant to the GxP obligation.

Common mistake: Teams assume a vendor's SOC 2 or ISO 27001 certification is sufficient validation evidence. These certifications address information security - they do not demonstrate GxP fitness for use. They are complementary to validation, not a substitute for it.

Applying GAMP 5 to SaaS Systems

GAMP 5 Second Edition provides updated guidance specifically for cloud-hosted and SaaS systems. Most configured SaaS products fall into Category 3 (Configured Products). The validation strategy should be proportionate to the system's GxP impact and the degree of configuration applied by your organisation.

For a Category 3 SaaS system, the typical validation package includes:

  • User Requirements Specification (URS) - defining what the system must do in GxP terms
  • Supplier/Vendor Assessment - qualifying the SaaS vendor as a GxP service provider
  • Risk Assessment - identifying GxP risks associated with the configuration and data managed
  • Configuration Specification - documenting how the system is set up
  • Operational Qualification (OQ) - testing that the configuration meets the URS
  • Data Migration Validation (if applicable)
  • Validation Summary Report

Vendor Qualification for SaaS Providers

The pharmaceutical company must assess the SaaS vendor as a critical supplier. This assessment includes:

  • Review of the vendor's Software Development Life Cycle (SDLC) and change management process
  • Data hosting, backup, and disaster recovery arrangements
  • Access control and segregation of duties
  • Audit trail capabilities
  • Data integrity controls including encryption at rest and in transit
  • Incident management and notification procedures
  • Sub-processor management (third-party cloud infrastructure like AWS, Azure, GCP)

A quality agreement should be established with the SaaS vendor covering GxP-relevant responsibilities, notification obligations for changes, and your right to audit.

Data Integrity in the Cloud

EU GMP Annex 11 and FDA data integrity guidance apply equally to cloud-hosted data. Key data integrity controls include:

  • Audit trails that capture who did what, when - and are not editable by users
  • Access controls preventing unauthorised modification of GxP records
  • Backup and recovery with defined RPO/RTO aligned to GMP requirements
  • Data retention in accordance with regulatory and company requirements
  • Verified export/migration capability to ensure records can be retrieved if the SaaS vendor relationship ends

Change Control for SaaS Systems

SaaS vendors update their systems on their own schedules, often without advance notice to customers. Your quality agreement must require the vendor to notify you of changes that could impact validated functionality. Your change control SOP must address how vendor-initiated updates are assessed, tested, and approved before deployment to the production environment - or, in the case of automatic updates, how post-deployment verification is conducted.

Inspection risk: EU and FDA inspectors have cited pharmaceutical companies for using SaaS systems without a documented change control process covering vendor updates. Ensure your QMS addresses this scenario explicitly.

PHARPRO DVS - Built for GxP Cloud Validation

PHARPRO DVS is an AI-assisted validation lifecycle management platform built specifically for pharmaceutical teams. It generates, manages, and approves validation documentation in a 21 CFR Part 11-compliant, cloud-hosted environment. If you are validating DVS itself, PHARPRO can provide the vendor documentation package to support your qualification. Learn more at dvs.pharpro.co.

PHARPRO - Expert Pharma Consulting

Looking for a compliant cloud validation platform? PHARPRO DVS is AI-assisted validation lifecycle software built for pharmaceutical teams - FDA 21 CFR Part 11 and EU GMP Annex 11 aligned.

PHARPRO DVS Software → Free Assessment
Related Insights

Keep reading

More in-depth guides from the PHARPRO compliance team.

21 CFR Part 11 Audit Trail: What Your System Must Capture
Which events must be logged, how to configure compliant audit trails, and the most common gaps.
GAMP 5 Risk Categories Explained
What changed in the Second Edition, how to classify your system, and how category affects testing depth.
FDA 21 CFR Part 11: Data Integrity Requirements
Electronic records, e-signatures, and audit-trail requirements every regulated system must meet.
How to Write a URS for a Pharmaceutical Computerised System
Structure, GxP requirements, and a step-by-step guide to a compliant User Requirements Specification.
Risk Assessment in CSV: Applying GAMP 5 Principles
How to conduct a risk assessment for computerised systems and document it to regulatory standards.

Ready to strengthen your compliance programme?

Start with a free assessment - no commitment required.

Book Free Assessment WhatsApp
PHARPRO DVS - Pharmaceutical Validation Software

The purpose-built SaaS platform for pharma validation teams

30 document builders, AI-assisted IQ/OQ/PQ drafting, automated RTM, and FDA 21 CFR Part 11 e-signatures. Same-day deployment. From $253/month.

Book a Free Demo → View All Features