SAP Innovation Meets GxP Compliance

How must validation approaches evolve in light of current SAP innovations? These challenges were the focus of Stefan Staub’s presentation at the SAP Executive Exchange Forum for Life Sciences 2026 in Zurich.

Stefan Staub, Partner & Principal Consultant, DHC AG (CH)

Cloud computing — especially the shift toward public cloud / SaaS solutions — is forcing regulated companies to adapt to shorter release cycles. The number one trend topic, Artificial Intelligence (AI), will significantly transform processes in the life sciences industry over the coming years through innovative applications. SAP is playing a leading role in this development, continuously making new technological capabilities available through its products. While the regulatory expectation of ensuring product quality, patient safety, and data integrity remains unchanged, the requirements for validation approaches are evolving rapidly. The presentation demonstrated how companies can successfully address these new challenges through risk-based supplier assessment and selection supported by audits and the GxP Cloud Control Matrix, as well as through continuous and automated validation enabled by an End-to-End Digital Validation Platform.

“Exciting Times” – But with New Compliance Challenges

One of the key principles in the cloud context can be summarized in a single sentence: Many responsibilities are no longer under the direct control of the regulated company — but accountability remains entirely with the company. This tension between shared responsibility and one-sided accountability (“shared responsibility but one-sided accountability”) explains why supplier selection and supplier qualification in cloud environments are not simply a “nice to have,” but an absolute necessity. No company wants to discover only after signing a contract that a provider is unable to deliver GxP capabilities or qualification support — and then face audits or inspections without adequate evidence. Regulatory requirements therefore mandate that this selection and assessment process be carried out before the collaboration begins. The following illustration further explains this across the cloud service models (IaaS/PaaS/SaaS): providers are responsible for areas such as secure operations, change management, and data integrity, while the regulated organization must demonstrate that the provider fulfills the required standards (qualification) and must validate that applications are “fit for intended use.”

From “Linear & Document-Centric” to “Continuous, Risk-Based & Automated”

Many validation approaches originate from a time when software was comparatively static. As a result, computer system validation (CSV) approaches became highly documentation-driven, in some cases even paper-based, and followed the linear structure of the traditional waterfall model. To some extent, this is still true today — but these approaches are increasingly perceived as too slow, bureaucratic, and costly.

The key takeaway: modern IT systems behave more like a “living organism” that is continuously evolving. Cloud services — especially SaaS applications — together with rapid release cycles, are accelerating the pace of change. Emerging AI applications will further increase these demands.

As a consequence, validation must evolve toward continuous validation. Managing this pace manually — particularly regarding change impact assessments and the required testing activities — is no longer feasible. Test automation is becoming a necessity, and in the future, AI-based approaches may also support validation activities.

In SAP landscapes shaped by cloud services, frequent releases, and new AI applications, future validation approaches and validation tools must therefore provide the following capabilities:

Fast & agile: Validation must keep pace with modern, rapid software development methods and their associated release cycles — rather than acting as a downstream bottleneck that slows innovation and limits efficiency gains.
Automated: Recurring verification and documentation activities must be industrialized and automated (e.g., change impact assessments based on release notes, regression testing, traceability).
Supplier-supported: In cloud computing environments such as SaaS, suppliers must be actively integrated into qualification and validation activities due to their responsibilities and control over the infrastructure, platform, and software layers.
Continuously validating: “Stay validated” becomes the new operating model — with clear governance, continuous change impact analysis, and ongoing monitoring instead of isolated validation efforts combined with periodic reviews.
Fully digitalized: In the future, CSV activities will be managed entirely electronically through integrated, workflow-driven CSV toolchains using structured data rather than isolated documents. This enables the automated generation of audit-ready documentation, increases compliance and transparency, and reduces the effort and lead times required for validation and GxP system releases.
AI-supported: AI can support the structuring of information, preparation of changes, and acceleration of reviews — without delegating regulatory responsibility.

Cloud: “Shared Responsibility” – But One-Sided Accountability

One of the key principles in the cloud context can be summarized in a single sentence:

Many tasks are no longer under the direct control of the regulated company – but accountability remains entirely with that company.

This tension between shared responsibility and one-sided accountability („shared responsibility but one-sided accountability“) explains why supplier selection and supplier qualification in the cloud context are not a „nice to have“ but a must: no one wants to discover only after signing a contract that a provider cannot deliver GxP capabilities or qualification support – and then face audits or inspections without adequate evidence. Regulatory requirements therefore mandate that this selection and assessment process is performed before the collaboration begins.

The following illustration breaks this down along the cloud service models (IaaS / PaaS / SaaS): providers are responsible for areas such as secure operations, change management, and data integrity, while the regulated organization must demonstrate that the provider meets the requirements (qualification) and must validate that applications are „fit for intended use“.

The following two methods, along with their variants, are particularly suited to the assessment:

Risk-Based Cloud Service Provider Assessment

There are several ways to assess Cloud Service Providers (CSPs). Depending on the criticality of the application and/or the supplier, different approaches should be applied.

GxP Cloud Control Matrix as Structured Evidence

Based on the Cloud Security Alliance’s international Cloud Controls Matrix standard, DHC has developed the GxP Cloud Control Matrix, extended with additional GxP requirements specifically for life sciences companies („GxP-enhanced cloud control matrix“). The GxP CCM is ideally suited for assessing CSPs and serves as documented evidence that the required assessment has been performed.

Use Case: Building Trust Between the Cloud Service Provider (CSP) and the Regulated Company Using SAP Digital Manufacturing (SAP DM) as an Example

As a prerequisite for a successful long-term collaboration between the regulated company and the Cloud Service Provider (CSP), both parties must do their homework:

Regulated Company:

CSP selection and assessment (see previous section)
Contractual definition of the collaboration, including:
- Master Service Agreement (MSA) and Service Level Agreements (SLAs)
- Quality Assurance Agreement (QAA)
- Data Processing Agreement (DPA)
- …

In this context, the company should ensure that it has the right to conduct audits of the CSP.

Ongoing monitoring of the CSP’s compliance and service quality throughout the duration of the collaboration.

SAP as the Cloud Service Provider (CSP) for SAP DM

SAP must ensure that regulatory and functional requirements for the life sciences industry are adequately addressed. The customer — the regulated company — requires SAP’s support for qualification and validation activities.

Quality assurance measures in the areas of software development and operations, including:
- Quality Management System (QMS)
- SOPs for the SDLC (Software Development Lifecycle)
- Certifications and attestations
- GxP white papers (SAP DM & SAP BTP)
- Framework for internal audits and controls
Qualified SaaS solution, including:
- SAP DM product certification
- SAP BTP platform certification
- Certification for Continuous Platform Services
- Regulatory requirements traceability matrix
- On-site audits upon request
Operational framework, including:
- Standard Operating Procedures (SOPs) for IT operations and service management
- Service Level Agreements (SLAs)
- Release management

Use Case: SaaS Validation Using SAP Digital Manufacturing (SAP DM) as an Example

SAP DM System Architecture, Boundaries, and Functionality

SAP DM is a SaaS solution running on the SAP Business Technology Platform (BTP as PaaS), which itself operates on a hyperscaler IaaS infrastructure. For regulated organizations, this means: no direct control over the system (keyword: shared responsibilities), but full accountability remains with the regulated company (see previous sections).

A (Still) Conventional Approach Can Work — But…

A traditional GAMP5-oriented, document-based validation approach managed through a DMS can still work effectively. However, the real bottleneck of such an approach becomes evident in change management — particularly in change impact assessment, regression testing, and the resulting demand placed on business resources.

SAP delivers new quarterly releases that must be tested within a two-week testing window. The release notes (“What’s New”) are published only one week before this test window begins. This creates two major challenges:

Change Impact Assessment
One of the biggest challenges in SaaS environments is the interpretation of release notes and, consequently, the change impact assessment process. Typically, SAP DM “What’s New” information is published one week before the testing window opens. Regulated companies therefore have only one week to analyze the release notes and assess the impact on the functionalities and processes they use.
Testing
Test and regression test planning, resource allocation, and test execution represent a significant effort for many organizations. Larger organizations may rely on test factories that perform testing activities on behalf of the business. Smaller organizations often do not have this option and therefore place a heavy burden on business teams with testing activities. In the long term, manual testing is not a sustainable solution.

Practical Conclusion

A conventional validation approach can help organizations remain in a validated state — but it is not feasible to continuously block business departments with manual testing every few weeks. In the long run, there is no alternative to test automation and the digitalization/automation of change impact analysis, documentation maintenance, and testing activities.

As a result, tool support in validation is evolving from a “nice-to-have” into a necessity. When release notes must be evaluated in short cycles, changes need to be assigned correctly, documents maintained, tests planned and executed, and evidence stored in an audit-ready manner, this can no longer be scaled manually or through purely document-centric approaches.

What becomes critical is an end-to-end chain covering:

Change impact assessment
Document maintenance
(Automated) testing
Automatic traceability

Otherwise, continuous validation turns into a permanent burden for IT, business departments, and QA/CSV organizations alike.

SAP’s Initiative for an End-to-End Digital Validation Platform

Many organizations have used SAP Solution Manager in recent years (SolDoc, ChaRM, ITSM, Test Management, potentially Focused Build with Test Step Designer, etc.) or other tools as their central validation platform. However, SAP Solution Manager is approaching end of support, meaning companies must now address the question: “What’s next?”

SAP positions Cloud ALM as the successor to Solution Manager, but it neither can nor intends to become an all-in-one validation platform.

For this reason, SAP — together with several SAP partners — is pursuing a current initiative for an End-to-End Digital Validation Platform based on an integrated toolchain consisting of:

SAP LeanIX: for Enterprise Architecture Management (EAM)
Signavio: for Business Process Management (BPM). From a validation perspective, Signavio provides a strong foundation for process definition and modeling.
SAP Cloud ALM: as the central platform for Application Lifecycle Management (ALM), including transport management, test management, requirements management, and more.
Tricentis Tosca: for automated testing
p36: for Continuous Service Qualification, especially for BTP services
DHC Smart Validation Accelerator (SVA): for managing validation objects, changes, and documentation. It serves as a key complementary component for validation documentation, versioning, electronic workflows, sign-offs, and traceability.

The Smart Validation Accelerator enables the electronic and integrated creation and management of, for example:

Validation plans
Validation objects and URS, FS, risk analyses, etc.
Technical documentation
Test reports, sign-offs, and validation reports

It also orchestrates the integrated collaboration across the entire toolchain.

DHC is currently finalizing the Change Impact Analyzer to interpret “What’s New” information and release notes, supporting risk-based change impact assessments. The goal is to determine which validation objects/documents are affected and what needs to be regression tested. This approach is intended to address the narrow time windows associated with SaaS release management.

Conclusion

Innovation is possible — and must remain possible. The prerequisite, and at the same time the enabler, is a validation approach supported by appropriate tools or an integrated toolchain that is fully digitalized, automated, and seamlessly integrated.

Would you like to learn more? Schedule a non-binding 1:1 consultation with one of our experts now.

Are you planning to use cloud/SaaS solutions in GxP-relevant processes, or are you facing the challenge of keeping your validation approach aligned with rapid release cycles?
We support you with, among other things:
- Supplier Qualification & audit-ready compliance evidence
- Cloud/SaaS GxP Assessments
- Validation strategies for IaaS, PaaS, and SaaS environments with accelerated release cycles (including Continuous Validation)
- Toolchain integration (SAP Cloud ALM × test automation × digital validation content)
- Digital Validation Platforms and the DHC Smart Validation Accelerator
→ Learn more about our consulting services for cloud / SaaS validation
→ Learn more about the DHC Smart Validation Accelerator

SAP Innovations and GxP Compliance

Would you like to learn more about validation approaches and tools for the use of cloud/SaaS solutions in GxP-relevant processes?

FAQs

Frequently Asked Questions about Cloud / SaaS

What does "SAP Innovation Meets GxP Compliance" mean in practice?

That cloud and SaaS innovation can only be used sustainably when supplier controls, governance, and validation evidence are set up in a way that captures frequent changes in an audit-ready manner.

Why is classic, document-centric validation often no longer enough?

Because systems change continuously and the pace of change can hardly be addressed manually in an economically viable way; it takes industrialized, partly automated approaches and a continuous validation logic.

What role does SAP Cloud ALM play in the future toolchain?

Cloud ALM is seen as a central ALM building block that interacts within a toolchain with process and architecture tools as well as test automation; for GxP-relevant validation objects, additional solutions are often required for documentation, workflows, and traceability.

Magazin