RISE for pharmaceutical and life sciences. Validation requirements.

Pharmaceutical and life sciences companies operate SAP under regulatory regimes that no other industry shares. GxP validation, twenty one CFR Part 11 in the United States, EU Annex 11 in Europe, and the equivalent national rules across major markets all impose specific obligations on the operation of computerised systems that record, calculate, or report data used in regulated activities. RISE with SAP introduces a new operating model into that regulatory environment, with SAP managing the infrastructure, the basis administration, and the upgrade cadence on behalf of the buyer. The validation implications are not minor. They are central to the negotiation, and they affect almost every operational provision in the contract. This article describes the validation requirements that shape RISE for pharmaceutical and life sciences buyers, and the contractual provisions that protect validated state across the contract term.

Why RISE changes the validation model

Under a traditional on premises SAP deployment, the regulated company controls every aspect of the system that affects validated state. The basis team owns the change control. The infrastructure team owns the configuration. The application team owns the customisation. The quality team owns the validation lifecycle. Every change passes through a defined approval and documentation process that the regulator can inspect. The traceability is complete because the regulated company has the records.

Under RISE, SAP performs many of the activities that previously sat inside the regulated company. SAP manages the infrastructure changes, the operating system patches, the database upgrades, the application support packs, and the regular upgrade cadence. The regulated company retains responsibility for the validated state of the system but no longer controls the activities that affect it. The validation model has to adapt. The contract has to provide the visibility, the change control, and the documentation that the regulator expects, in a form that the regulated company can present at inspection.

Change control provisions that the contract must include

The most important contractual provision for a regulated company is the change control commitment. The contract must specify that SAP will not make any change to the system that affects validated state without prior notice, prior assessment, and prior approval by the regulated company. The notice period must be long enough to permit a validation impact assessment. The assessment must be documented in a form that the regulated company can include in its quality records. The approval must be explicit and recorded.

The change control commitment extends to infrastructure changes, operating system patches, database changes, application support packs, and upgrades. The regulated company needs the ability to defer changes that conflict with regulatory submissions, validation windows, or business critical operations. The contract should specify a defer right that allows the regulated company to delay a change by up to ninety days, subject to defined exception handling for security critical patches. Without the defer right, SAP can impose a change at an operationally unacceptable time.

Documentation rights and audit support

The regulated company needs access to the documentation that supports the validated state of the system. The contract must require SAP to maintain change records, configuration records, and operational records in a form that the regulated company can extract and present at regulatory inspection. The retention period must align with regulatory expectations, typically the longer of seven years and the product lifecycle. The format must permit extraction without ambiguity, with audit trails that show who made each change, when it was made, what it changed, and what approval supported it.

The audit support provision must include SAP cooperation with regulatory inspection. When the FDA, the EMA, the MHRA, or another regulator inspects the regulated company, the inspection often extends to the systems that support regulated activities. SAP must agree contractually to support the inspection, to provide access to records, to make personnel available for interview, and to respond to inspection observations within defined timeframes. The provision protects the regulated company from a situation where the regulator demands evidence that SAP controls but the contract does not require SAP to provide.

Validation lifecycle support

The validation lifecycle for a regulated SAP system has defined phases. User requirements, functional specification, design specification, installation qualification, operational qualification, performance qualification, and ongoing periodic review. Under RISE, several of the qualification activities require SAP cooperation. The installation qualification depends on SAP installing the system to a documented specification. The operational qualification depends on SAP operating the system to defined parameters. The periodic review depends on SAP providing the operational evidence that supports the review.

The contract must specify SAP's role in each phase of the validation lifecycle. The role can vary by phase, but the obligation must be explicit. SAP will provide installation evidence to a defined format. SAP will support the operational qualification testing. SAP will provide the operational evidence that supports the periodic review. SAP will participate in the change control board where appropriate. Without explicit obligations, the validation activities depend on goodwill from the SAP service team, which is unreliable across a seven year contract.

Data integrity and twenty one CFR Part 11 requirements

Twenty one CFR Part 11 imposes specific requirements on electronic records and electronic signatures. The records must be reliable, the signatures must be unique to the user, the audit trail must be unalterable, and the system must enforce access controls that prevent unauthorised changes. RISE introduces new actors into the system, including SAP basis administrators and SAP infrastructure operators, who have privileged access. The contract must address how Part 11 requirements are met given the new actors.

The provisions that matter include explicit segregation of duties between SAP personnel and the regulated company. SAP cannot have access to electronic signatures or to records that would permit alteration of regulated data. SAP must maintain its own audit trail of administrative actions, and the trail must be available to the regulated company for inclusion in the data integrity assessment. SAP must support the regulated company's data integrity controls, including periodic review of access privileges, anomaly investigation, and incident reporting. The provisions are detailed because the regulatory expectations are detailed.

Conclusion

Pharmaceutical and life sciences companies operate SAP inside a regulatory environment that imposes specific obligations on change control, documentation, validation, and data integrity. RISE with SAP shifts many of the activities that affect validated state from the regulated company to SAP, without shifting the regulatory obligation. The contract must therefore include explicit provisions for change control notification and approval, documentation and audit support, validation lifecycle cooperation, and data integrity protection. Regulated buyers who negotiate the provisions explicitly enter RISE on a defensible footing. Regulated buyers who accept the standard provisions inherit obligations they cannot discharge through the contract that exists. The negotiation is not optional. The provisions are.