The life sciences industry is rapidly adopting SAP's public cloud offerings. According to McKinsey, over 80% of the top 30 global pharmaceutical and MedTech companies have adopted cloud solutions across various parts of their operations. Key drivers include lower cost of ownership, scalability, and rapid innovation. Another major influence is the advent of AI and Gen-AI, which McKinsey estimates could unlock $60b – $110b a year in economic value for the industry. However, organizations can only leverage Gen-AI at scale if they operate in the cloud. This adoption also comes with a key challenge: how can organizations demonstrate GxP compliance in public clouds when many controls are managed by SAP?
This article explores the adoption journey for public cloud products, using SAP Digital Manufacturing as an example.
Discover and Prepare
Product assessment for Cloud controls
Traditional on-premises compliance strategies were built around physical infrastructures and static environments. In a modern automated public cloud environment, compliance requirements need adaptation. For example:
Backup and Recovery: Life sciences organizations must meet regulatory requirements for backup, including regular snapshots and defined retention schedules. Traditionally, this meant storing daily, weekly, and monthly backups for extended periods. In microservice-based environments, older backups lose relevance with every update, which limits their usefulness for restoration. Organizations should instead adopt a risk-based approach, aligning backup requirements with Recovery Point Objective (RPO) and Recovery Time Objective (RTO) strategies, to ensure regulatory adherence and true system recoverability.
Network delivery control: Network and perimeter controls should account for business continuity requirements and the latency challenges in distributed cloud environments. Different components of an application may run across geographically distant regions, impacting performance. When evaluating these factors, SAP's published service-level agreements (SLAs) should be considered for guidance on expected network performance and availability.
Data Residency and Sovereignty: Organizations must ensure not only that their data is hosted in compliant regions, but also that backups and replicated environments adhere to the same regulatory and regional requirements.
Supplier Assessment
Life sciences organizations operating under GxP regulations must ensure quality, compliance, and control, even when using public cloud solutions. Under the shared responsibility model, certain application responsibilities are managed by SAP, while others remain with the life sciences organizations. However, the organizations themselves remain fully accountable to regulatory bodies for demonstrating compliance.
Due to the shared or delegated controls, organizations must qualify SAP as a supplier of GxP-relevant IT solutions. Customers may leverage the available information, questionnaires and third-party audit reports such as ISO 9001/27001 and SOC2. Additionally, customers may perform an on-site audit to help bridge gaps in their understanding of SAP's Quality Management System and other processes.
To facilitate on-site audits, such as with SAP Digital Manufacturing, customers can leverage the SAP Quality Requirement Schedule, which grants limited rights to perform an on-site audit and ensures support when life sciences organizations face regulatory audits.
Explore and Realize
GxP Strategy
Following product and supplier assessment, a GxP strategy should be defined to ensure long-term viability. Key elements of this strategy can include:
Application Architecture: Evaluate which processes remain on-premises and which move to the cloud. Distributed manufacturing workflows spanning ERP (SAP S/4HANA and SAP S/4HANA Cloud) and MES (SAP Digital Manufacturing) require balancing data duplication, separation of responsibilities, ease of use, performance, and validation requirements.
Extension: Extensions, if required, must undergo their own GxP evaluation and IQ/OQ/PQ. Consider the various APIs and dependencies used by the extensions, and adhere to clean core principles to minimize PQ effort over the extension lifecycle.
Partner selection
Many SAP customers leverage partners to accelerate adoption. Partner solutions are available through various marketplaces such as SAP Store, SAP Business Accelerator Hub and Qualified Partner Packages. For software partners, a supplier assessment is recommended to verify their Quality Management processes and that any integrated solution complies with GxP requirements.
Life sciences organizations also rely on implementation partners for consulting, deployment, and ongoing support activities. These partners should be evaluated on their ability to deliver in a GxP-regulated environment. Partner Blogs highlight niche capabilities, providing insight into compliant implementations.
Deploy and Run
Validation Strategy
Validation requirements for a public cloud are similar to on-premises; however, they must be adapted to accommodate the fixed release schedule. Key practices that can assist:
Risk Based on Scope and Usage: Leverage SAP's existing documentation, such as the Service Catalog, to define the validation scope based on business criticality and GxP impact. Organizations can exclude non-GxP functions to narrow the scope of validation testing. Validation efforts should prioritize highly critical functionality, while less critical functions may be tested through smoke tests, etc.
For regular release cycles, the What's New Viewer can be used to identify changes in functionality that require assessment against validation requirements. Not all new functionalities must be validated; validation is only necessary before the actual usage/adoption of the functionality.
Automation: Automating Computer System Validation (CSV) reduces effort and helps ensure validation is completed on time. SAP Digital Manufacturing provides automation test modules compatible with Tricentis Test Automation (included in Enterprise Support). These automated tests can be leveraged for continuous testing and validation as part of a regression suite.
Leveraging controls from SAP: GAMP5 recommends leveraging supplier testing (post supplier assessment) into verification. Organizations can inherit SAP's controls based on the shared responsibility model around topics such as infrastructure, platform, security, data integrity, etc.
Gen-AI
Generative AI can further reduce the compliance burden. By combining SAP's structured documentation with a customer's own documentation, it can generate automated, digitized risk assessments, documentation, and tests, significantly improving both the quality and speed of validation.
Conclusion
Maximizing SAP's public cloud potential requires rethinking compliance controls. By adopting a risk-based approach and leveraging various tools provided by SAP, life sciences organizations can meet regulatory requirements while accelerating cloud adoption. This approach ensures compliance, fosters innovation, and builds trust in cloud-based operations.