INTRODUCTION:

The growing adoption of cloud technologies in the pharmaceutical and life sciences industries is fundamentally transforming the way regulated systems are developed, deployed, and maintained. Platforms such as Software as a Service (SaaS) and Infrastructure as a Service (IaaS) offer enhanced scalability, cost efficiency, and flexibility, making them increasingly attractive for GxP-critical applications. However, the shift from traditional on-premises systems to cloud-hosted environments introduces new compliance risks and validation challenges under stringent regulatory frameworks.

Computer System Validation (CSV) has long been a foundational requirement in regulated environments to ensure systems are reliable, accurate, and fit for their intended use. Traditionally, CSV has been applied to systems where the regulated company had full ownership and control over the infrastructure, software, and data. In contrast, cloud-based systems operate under a shared responsibility model, where ownership and control of system components—such as infrastructure, platform configuration, updates, and cybersecurity—are distributed between the cloud service provider (CSP) and the regulated organization. This division introduces complexity in ensuring accountability, traceability, and compliance with regulatory mandates such as EU Annex 11 and 21 CFR Part 11^1,2,3.

Historically, CSV methodologies were not designed to accommodate the dynamic, automated, and virtualized nature of cloud computing. Legacy validation frameworks struggle to address multi-tenant environments, continuous delivery/deployment (CI/CD) pipelines, and automated software updates, which are now commonplace in SaaS platforms. Moreover, regulated organizations often face ambiguity in how to validate infrastructure-level controls, manage data residency, ensure end-to-end encryption, and verify the integrity of audit trails in shared cloud ecosystems. This review aims to bridge the gap between traditional CSV principles and the evolving demands of cloud-based systems. By examining current challenges and introducing forward-thinking validation strategies, the paper seeks to empower pharmaceutical and life sciences organizations to adopt cloud technology while maintaining full compliance with GxP regulations. It serves as a guide for developing agile, scalable, and inspection-ready validation frameworks for the next generation of regulated digital infrastructure.

Use of Cloud-Based Computerized Systems in the Pharmaceutical Industry:

The pharmaceutical industry is quickly adopting cloud-based computerized solutions to handle a wide range of vital duties. Research and development (R&D), clinical trial management, manufacturing execution systems (MES), supply chain management, quality control, regulatory compliance, and comprehensive data management are among the roles that these systems facilitate. Pharmaceutical companies can benefit from centralized and secure data storage by utilizing cloud technology. This allows for real-time collaboration between geographically dispersed teams and enhances accessibility to essential applications and datasets across various devices and locations. This is particularly helpful in global pharmaceutical operations where data integration for regulatory submissions and decision-making must be performed smoothly.

Importance of Cloud-Based Computerized Systems in the Pharmaceutical Industry:

To assure patient safety, product quality, and data integrity, the pharmaceutical sector is subject to strict regulatory monitoring. Computerized system validation (CSV), data traceability, audit trails, electronic signatures, and secure access controls are all governed by strict regulations like FDA 21 CFR Part 11 and EU Annex 11, as well as standards like GAMP 5(2nd Edition). Because they provide scalable, secure, and tested environments that meet these regulatory requirements, cloud-based solutions have become essential in fulfilling the pharmaceutical industry's demand for reliable and auditable processes. They improve company innovation cycles through allowing rapid software solution deployment and updates without compromising compliance controls. Furthermore, cloud solutions improve disaster recovery capabilities by reducing the possibility of data loss and system outages through geo-redundancy and scheduled backups. By reducing investments and maintenance expenses, cloud solutions provide greater cost efficiency as compared to traditional on-premises infrastructure.

Why Cloud-Based Systems are Essential for the Modern Pharma Industry Regulatory Compliance and Data Integrity:^{4, 5, 6, 7}^.

Important laws and regulations, such as FDA 21 CFR Part 11, which governs electronic records and signatures to assure authenticity, integrity, and confidentiality, can be fulfilled in the development and use of cloud platforms. EU Annex 11, which deals with the European computerized system requirements. Best practices for compliant system lifecycle management are provided by GAMP 5. By establishing in place role-based access restrictions, electronic signature capabilities, and secure audit trails, these systems ensure complete traceability of data modifications and protect data integrity, which is essential to regulatory submissions and inspections.

Scalability and Flexibility:

Clinical trial phases, production development, or regulatory inspection schedules frequently require pharmaceutical companies to deal with varied demands. Because cloud solutions provide variable resource allocation, organizations may quickly adjust their data processing and storage capacity up or down in response to demand without suffering delay or costly investments in infrastructure.

Cost Efficiency:

By shifting from capital-intensive, on-premises IT infrastructure to cloud-based solutions, pharmaceutical companies can reduce upfront hardware costs, IT personnel expenses, and facility maintenance. This operational expenditure model improves budget control and enables investment to focus more on core scientific research and product development.

Global Collaboration:

Global R&D teams, manufacturing facilities, and regulatory bodies may collaborate and share data easily and securely through cloud-based technologies. Drug research and approval periods are minimized, making decisions are accelerated, and errors are reduced due to this immediate communication.

Business Continuity and Disaster Recovery:

Comprehensive disaster recovery services, such as geographically separated data centres and automatic backup possibilities, are usually offered by cloud providers. This reduces downtime and regulatory risks by protecting vital pharmaceutical data from system failures, security breaches, and natural disasters.

Support for Modern Technologies:

Cloud environments easily support the integration of advanced technologies that are transforming pharmaceutical development and manufacturing, such as Artificial Intelligence (AI) and Machine Learning (ML) for drug discovery and predictive analytics. Internet of Things (IoT) for real-time monitoring of manufacturing processes. Automation and continuous integration pipelines in software development. These capabilities improve efficiency, reduce risk, and enhance product quality.

Classification of Cloud-Based Applications in the Pharmaceutical Industry:^1,2

These classifications help companies in utilizing the scalability, cost-effectiveness, and innovation potential of cloud technology while implementing the appropriate validation process and upholding compliance. There are mainly three categories into which cloud-based solutions in the pharmaceutical industry belong:

Classification by Function:

These applications support vital tasks like manufacturing, clinical, quality, and regulatory procedures. Enterprise Resource Planning (ERP), Pharmacovigilance and Safety Systems, Manufacturing Execution Systems (MES), Quality Management Systems (QMS), Regulatory Information Management (RIM), Document Management Systems (DMS), Clinical Trial Management Systems (CTMS), Laboratory Information Management Systems (LIMS), and Data Analytics & Reporting Platforms are a few examples.

Classification by Deployment Model:

· Public Cloud: Commonly used in pharma for AI/ML, analytics, backup, and disaster recovery.

· Private Cloud: Typically used for hosting sensitive GxP systems such as LIMS, MES, and QMS.

· Hybrid Cloud: Used for deploying regulated applications in the private cloud and non-GxP or analytics tools in the public cloud.

· Community Cloud: Often used for collaborative research initiatives and regulatory submission platforms.

These deployment models enable organizations to implement the most suitable validation strategy while maintaining compliance and leveraging the scalability, cost efficiency, and innovation of cloud computing.

Classification by GxP Compliance Impact:

· GxP-Critical Systems: Systems with a direct impact on product quality or patient safety.

· Examples: QMS, LIMS, MES, CTMS, and DMS.

· GxP-Supporting Systems: Systems that indirectly support GxP operations. Examples: ERP, data warehouses, and training portals.

· Non-GxP Systems: Systems with no direct impact on product or patient safety. Examples: Marketing tools, HR systems, and finance applications.

Cloud Deployment Models in the Pharmaceutical Sector: Compliance Responsibilities and Regulatory Alignment for SaaS, PaaS, and IaaS:^8,9,10

The pharmaceutical industry's adoption of cloud-based technologies continues to expand, driven by the need for scalable, efficient, and compliant digital solutions. This section outlines the roles, benefits, and regulatory obligations associated with Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS) in GxP-regulated environments. "Cloud applications used in the pharmaceutical industry include:"

Software-as-a-Service (SaaS):

Software-as-a-Service (SaaS) is widely used in the pharmaceutical industry for standardized processes with minimal IT management. It delivers cloud-hosted applications such as Clinical Trial Management Systems (CTMS), Quality Management Systems (QMS), and Regulatory Information Management (RIM) accessible via web browsers without local installation. SaaS offers benefits like automatic updates, scalability, and remote access, supporting global collaboration and regulatory agility. From a compliance standpoint, vendors must ensure secure access, audit trails, electronic signatures, and data integrity following 21 CFR Part 11, GAMP 5, and other regulatory requirements. Validation responsibility is shared, with the vendor managing infrastructure and core functionality, while the pharma company validates intended use and data controls.

Infrastructure-as-a-Service (IaaS):

Infrastructure-as-a-Service (IaaS) provides virtual servers, storage, and networking over the internet, enabling pharmaceutical companies to host and manage their applications without physical hardware. IaaS supports high-performance tasks such as bioinformatics, drug discovery, and large-scale analytics, offering flexibility to configure environments and secure GxP-regulated data. From a compliance perspective, the pharma company holds full responsibility for validating the entire system stack, OS, middleware, and applications. Compliance must include data encryption, access controls, audit trails, change management, disaster recovery, and assurance of data integrity, aligned with GAMP 5, 21 CFR Part 11, and data protection regulations.

Platform-as-a-Service (PaaS):

Platform-as-a-Service (PaaS) is selectively used in the pharmaceutical industry to develop and deploy custom applications beyond the scope of standard off-the-shelf solutions. It provides a cloud-based environment without the need to manage infrastructure components such as servers, storage, or networking. Pharma companies use PaaS for tailored solutions like stability study systems or data dashboards, often built on platforms such as Microsoft Azure App Services, AWS Elastic Beanstalk, or Google App Engine. From a compliance perspective, PaaS places full validation responsibility on the pharmaceutical organization. This includes validating all custom code and configurations, maintaining audit trails, enforcing access controls, ensuring data integrity, and documenting all changes in line with GAMP 5 and 21 CFR Part 11 requirements.

Regulatory Alignment and Requirements for CSV of Cloud-Based Applications in the Pharmaceutical Industry:^11,12,13

Cloud-based applications in the pharmaceutical industry must meet the same validation standards as on-premises systems. Key regulatory frameworks—21 CFR Part 11, EU Annex 11, and GAMP 5 (2nd Edition) establish the requirements for data integrity, system validation, supplier control, and electronic record management. While the cloud enables scalability and innovation, it also requires formal agreements, ongoing validation, and risk-based oversight to ensure continued compliance with global health regulations.

Cloud providers must ensure their systems comply with all 21 CFR Part 11 requirements, even when offering services externally or through SaaS platforms. Pharmaceutical companies retain full responsibility for validating cloud-based systems, even when these services are outsourced to cloud providers. GAMP 5 endorses the use of cloud-based systems provided that effective controls, complete documentation, and robust supplier management are established.

21 CFR Part 11 (FDA U.S. Regulations):

21 CFR Part 11 applies to electronic records and electronic signatures used in GxP-regulated activities. This regulation outlines the criteria under which electronic records and signatures are considered trustworthy, reliable, and equivalent to paper records. Cloud CSV Requirements:

· Audit Trails: The system must automatically capture secure, time-stamped audit logs that document the creation, modification, and deletion of GxP-relevant data.

· Electronic Signatures: Cloud-based systems must support compliant electronic signature functionality, including dual authentication, unique user credentials, and secure linking of signatures to electronic records.

· Data Integrity: The system must ensure that data is complete, consistent, and accurate throughout its lifecycle. Controls should prevent unauthorized changes or data loss.

· Access Control: Role-based access controls must be enforced, ensuring that only authorized users can access or modify GxP-critical information.

Implications for Cloud Providers: Systems must demonstrate compliance with 21 CFR Part 11 controls even if hosted externally or as Software-as-a-Service (SaaS).

EU Annex 11 (EMA – European Guidelines):

Focuses on computerized systems used in pharmaceutical manufacturing and research in the EU.
Cloud CSV Requirements:

· Validation: Cloud-based systems must be validated to ensure consistent performance as intended.

· Data Storage & Availability: Data must be securely stored, retrievable, and protected throughout its lifecycle.

· Service Provider Oversight: Sponsors (regulated companies) must ensure that cloud providers follow GxP principles, including formal agreements, audits, and technical assessments.

· Change Management: Updates and patches to the system must be assessed for validation impact and documented.

Implications for Cloud Use The regulated company remains accountable for validation, even when outsourcing to a cloud provider.

GAMP 5 (2nd Edition – ISPE Guidance):

Provides a globally recognized framework for validating computerized systems using a risk- and lifecycle-based approach. Cloud CSV Relevance:

· Supports Agile & DevOps: The second edition of GAMP 5 explicitly addresses modern development models such as Agile, DevOps, and cloud computing.

· Risk-Based Validation: Encourages focusing validation efforts on functions that impact product quality and patient safety.

· Supplier Assessment: Cloud vendors must be qualified and assessed based on their role in maintaining GxP compliance.

· Continuous Validation: Allows iterative validation (e.g., within sprints) with automation (e.g., CI/CD pipelines), provided traceability and control are maintained.

According to GAMP 5 guidelines, using cloud systems is acceptable if companies implement appropriate controls, maintain thorough documentation, and properly oversee their cloud service providers.

Current Gaps in Cloud-Based CSV and Their Justification in the Pharmaceutical Industry:^14,15

Despite the increasing reliance on cloud technologies in the pharmaceutical and life sciences sectors, several critical gaps persist in the application of Computer System Validation (CSV) to cloud-hosted systems. These gaps threaten not only data integrity but also the industry's ability to demonstrate regulatory compliance during audits and inspections.

Lack of Standard Validation Frameworks for Cloud-Native Applications:

Traditional CSV frameworks are based on static, on-premises systems where configuration changes are infrequent and under full organizational control. However, cloud-native applications are dynamic, scalable, and often built using microservices, APIs, and containerized deployments. The absence of industry-wide, standardized validation protocols that accommodate the unique architecture and deployment patterns of these applications leads to inconsistent validation practices across organizations. This increases the risk of regulatory non-compliance due to varied interpretations of validation scope and depth.

Insufficient Risk-Based Approaches Tailored for SaaS/IaaS Platforms:

Current risk-based CSV models are primarily built around complete system ownership. In cloud models, particularly SaaS and IaaS, organizations often lack direct control over the software stack or infrastructure. Without tailored risk assessment frameworks that account for shared responsibilities, many companies either overvalidate low-risk areas or neglect high-risk ones, leading to inefficiencies or compliance gaps. Regulatory bodies like the FDA encourage risk-based validation, but few practical examples exist for applying this to cloud platforms.

Limited Guidance on Validating Third-Party Cloud Tools and Microservices:

Limited Guidance on Validating Third-Party Cloud Tools and Microservices Modern cloud systems often rely on third-party services, such as analytics engines, file converters, authentication providers, and communication modules. These micro-services are external to the core application, may be rapidly updated, and are rarely validated by the CSP. The lack of formal guidance on when and how to validate these dependencies leaves regulated companies unsure of their obligations. This can result in gaps in data control, auditability, and validation traceability, especially when microservices directly affect GxP-relevant data.

Inadequate Monitoring of Cloud System Changes (e.g., Patches, Auto-Updates):

Cloud vendors frequently apply automatic patches and updates to address bugs, improve performance, or enhance security. However, these changes can alter the behavior of validated systems. Many pharmaceutical companies do not have real-time visibility into these changes, nor do they receive advance notice or impact assessments. Without robust change monitoring and revalidation triggers, these silent updates may invalidate previous validation efforts or introduce new compliance risks without the organization’s knowledge.

Ambiguity in Demonstrating Compliance across Global Data Residency Laws:

Data residency laws such as GDPR (EU), HIPAA (US), and LGPD (Brazil) impose strict controls on the geographic location, movement, and access of sensitive data. In cloud environments, data can be stored or processed in multiple regions through automated load balancing and backup mechanisms. This makes it difficult for regulated organizations to prove compliance during inspections, especially if the CSP cannot guarantee that GxP data remains confined to approved jurisdictions. The lack of clarity on how to validate and document data residency compliance presents a growing regulatory risk.

Minimal Visibility into CSP’s Internal Controls, Testing, and Change Logs:

Unlike on-premises systems, where every component is under the control of the regulated entity, cloud systems rely heavily on vendor-managed infrastructure and services. Most cloud service providers do not share detailed internal testing records, change logs, or audit trails for their back-end systems due to multi-tenancy, IP protection, or security policies. This limited transparency hinders the ability of pharmaceutical companies to conduct thorough supplier qualification, validation impact assessments, or regulatory audits, which are mandatory under GxP guidelines.

Challenges in Validating AI/ML-Driven Features within Cloud Platforms:

As cloud platforms increasingly integrate Artificial Intelligence (AI) and Machine Learning (ML) to automate functions like anomaly detection, predictive maintenance, or image analysis, new validation challenges arise. These features are non-deterministic by nature, meaning outcomes may change over time as the model learns from new data. Traditional CSV approaches, which expect fixed inputs to yield predictable outputs, are not suitable for validating adaptive or evolving systems. This makes it difficult for regulated organizations to ensure repeatability, auditability, and explainability, all of which are essential for GxP compliance.

Gaps and Regulatory Solutions in Cloud-Based CSV for the Pharmaceutical Industry:¹⁶

The shift to cloud computing in the pharmaceutical and life sciences sectors has highlighted significant shortcomings in traditional Computer System Validation (CSV) practices. These gaps hinder organizations’ ability to ensure data integrity, maintain regulatory compliance, and confidently face inspections. Below is a consolidated summary of these gaps, along with proposed solutions aimed at closing them effectively. Without addressing these challenges, regulated organizations may face delays in product approvals, inspection findings, and increased compliance risk in a digital-first regulatory landscape.

Summary of GxP Gaps and Remedial Measures in Cloud-Based Validation

Sr No.	Current Gaps or Lack	Solutions
1.	Lack of Standard Validation Frameworks for Cloud-Native Applications	Develop standard operating procedures (SOPs) and validation templates specific to cloud systems. Use modular and reusable validation components. Apply version control and configuration management to ensure traceability.
2.	Insufficient Risk-Based Approaches Tailored for SaaS/IaaS Platforms	Use GAMP 5-based risk assessment tools designed for cloud models. Clearly define roles and responsibilities between the company and the cloud provider. Perform documented risk assessments with relevant stakeholders.
3.	Limited Guidance on Validating Third-Party Tools and Microservices	Classify third-party tools based on their GxP impact. Request compliance certifications from vendors. Validate data exchange interfaces and document control measures.
4.	Inadequate Monitoring of Cloud System Changes (e.g., Patches, Auto-Updates)	Include change notification and review clauses in vendor agreements. Monitor changes using automated tools. Re-validate impacted areas using documented procedures.
5.	Ambiguity in Demonstrating Compliance Across Global Data Residency Laws	Select cloud providers that allow data to be stored and processed in approved locations. Map data flows and document storage locations. Use encryption and legal safeguards for international transfers.
6.	Minimal Visibility into CSP’s Internal Controls, Testing, and Change Logs	Review third-party audit reports and certifications. Include audit and inspection rights in contracts. Maintain a responsibility matrix to track shared compliance controls.

Validation Models for Cloud-Based Systems Aligned with 21 CFR Part 11 and GAMP 5 (2nd Edition):

To validate cloud-based systems in alignment with 21 CFR Part 11 and GAMP 5 (2nd Edition), especially for the modules you listed, you can use two primary validation models depending on the system type and project nature:

V-Model (Traditional Approach):^17,18

"The V-Model is best suited for systems with well-defined, static requirements and core infrastructure modules such as access control, audit trails, and backup/recovery. It is especially useful for GxP-heavy environments that require high assurance of traceability. This model aligns each development phase with a corresponding testing phase, ensuring structured documentation and end-to-end traceability from requirements to system release. It is recommended for validating IAM (Access Controls), Audit Trail Modules, Electronic Signatures, Backup & Recovery, Configuration Management, and Validation Lifecycle Documentation."

V-Model Validation Lifecycle for Cloud-Based GxP Systems.

Sr No.	Development Phase	Validation Phase (Test Activity)
1.	User Requirements Specification (URS)	User Acceptance Testing (UAT)
2.	Functional Specification (FS)	System Testing (ST)
3.	Design Specification (DS)	Integration Testing
4.	Configuration/Build (Code	Unit Testing

Agile/Iterative CSV (Modern Cloud-Aligned Approach)^{19, 20}

"This model is primarily used for cloud-native, fast-evolving applications such as SaaS platforms and micro services. It integrates validation activities continuously within agile sprints or DevOps cycles, using risk-based justifications and automated testing tools to ensure compliance. This approach is recommended for validating Patch & Update Management, System Interfaces/API Integrations, AI/ML Management Modules, Risk Management, Reporting & Analytics, and Data Residency Controls."

Agile-Based Validation Lifecycle for Cloud-Native GxP Systems.

Sr No.	Agile Phase	CSV Action
1.	Sprint Planning	Define testable, risk-based user stories (e.g., GxP impact)
2.	Development & Build	Develop code/configuration with built-in traceability.
3.	Continuous Integration (CI)	Run automated unit/integration tests (scripted)
4.	Deployment	Perform validation (e.g., OQ, regression)
5.	Review & Retrospective	Update traceability matrix, log evidence.

Hybrid Approach (Best Practice for Cloud-Based CSV) ^[21]

"Many regulated pharmaceutical companies adopt a hybrid validation strategy, using the V-Model for high-risk, static modules and Agile methods for dynamic components such as micro services and AI-based tools."

Validation Strategy Matrix: Hybrid Approach for Cloud-Based GxP Systems

Sr No.	Validation Layer	Preferred Approach
1.	Core GxP Compliance (Audit trail, eSignatures, IAM)	V-Model
2.	Cloud-native services/APIs/Interfaces	Agile
3.	AI/ML or frequently updated tools	Agile
4.	Infrastructure-as-Code & CI/CD tools	Agile or Hybrid
5.	Documentation & traceability	Applied across both

Recommended Validation Model for Cloud-Based GxP System Modules : ²²

Selecting the right validation approach is critical for maintaining compliance in cloud-based pharmaceutical systems. The V-Model ensures robust control for static, high-risk modules, while the Agile/Iterative model supports rapid, cloud-native development with continuous compliance. The Hybrid approach, widely adopted in the industry, combines the strengths of both, offering a balanced and scalable solution aligned with 21 CFR Part 11 and GAMP 5 (2nd Edition) requirements.

Validation Model Recommendations by Module for Cloud-Based GxP Systems (Aligned with 21 CFR Part 11 & GAMP 5 2nd Edition)

Module Name	Recommended Validation Model	Simplified Regulatory Alignment and Justification
IAM (Access Management)	V-Model	Ensures only authorized users access GxP data (21 CFR Part 11.10(d)).
Audit Trail	V-Model	Ensures traceable record of changes (21 CFR Part 11.10(e)).
Electronic Signature	V-Model	Required for secure e-signatures (21 CFR Part 11 Subpart C).
Configuration Management	V-Model or Hybrid	Tracks system changes and maintains control (21 CFR Part 11.10(k)).
Backup & Recovery	V-Model	Ensures data protection and recovery (21 CFR Part 11.10(c)).
Interfaces / API Integrations	Agile or Hybrid	Validates data transfer integrity (GAMP 5 2nd Ed.).
Patch & Update Management	Agile	Keeps system validated after updates (21 CFR Part 11.10(a)).
Risk Management	Agile or V-Model	Risk-based approach aligns with GAMP 5.
Reporting & Analytics	Agile or V-Model	Ensures accurate reporting and audit readiness (21 CFR Part 11.10(k)).
AI/ML Module	Agile	Validates adaptive systems (GAMP 5 2nd Ed. for AI/ML lifecycle).
Data Residency Controls	Agile or V-Model	Meets global data privacy laws and data location control (GDPR, 21 CFR Part 11).
Validation Documentation	V-Model	Supports traceable validation records (21 CFR Part 11.10(j)).

CONCLUSION:

This review clearly shows the need to update traditional Computer System Validation (CSV) methods to support the use of cloud-based systems in the pharmaceutical industry. As more companies adopt cloud services like SaaS, PaaS, and IaaS, they face new compliance challenges that old, on-premises validation models cannot fully address. Therefore, validation practices must now align with current global regulatory standards such as FDA 21 CFR Part 11, EU Annex 11, and GAMP 5 (2nd Edition).

The paper identifies important gaps in validating modern cloud systems, especially when dealing with cloud-native applications, AI/ML features, and third-party micro services. To close these gaps, the paper recommends using a hybrid validation approach. This combines the V-Model for stable, high-risk systems (like audit trails or electronic signatures) with Agile methods for fast-changing or AI-based cloud modules.

It also explains how to classify cloud applications by their function, GxP impact, and deployment model (public, private, hybrid, or community). This helps companies apply the right level of validation effort. In addition, the paper stresses the need for strong vendor oversight, clear roles and responsibilities, and risk-based validation planning when working with cloud service providers. This review provides a practical and regulatory-aligned framework for validating cloud-based systems in pharma. It helps organizations stay GxP compliant, protect critical data, work more efficiently across borders, and safely use modern technologies. It ensures that companies can confidently move to the cloud without risking product quality, patient safety, or compliance.

CONFLICT OF INTEREST:

The authors declare no other conflicts of interest and affirm that the content reflects independent research and interpretation.

ACKNOWLEDGMENTS:

The authors sincerely thank Valsyner Consultancy Services Private Limited, Dehuroad, Pune and Special thanks to Mr. Rajwada Boys for their continued support during the preparation of this manuscript.

REFERENCES:

1. Ullagaddi P. A Framework for Cloud Validation in Pharma: Data Integrity in Modern IT. Journal of Computer and Communications. 2024; 12(9): 105–123. http://dx.doi.org/10.4236/jcc.2024.129006

2. Raja R, Kella A, Narayanasamy D. The Essential Guide to Computer System Validation in the Pharmaceutical Industry. Cureus. 2024 Aug; 16(8): e67555. https://doi.org/10.7759/cureus.67555

3. O’Donnell D, Miller R, Zaccheddu V. Cloud Validation in Pharma: Compliance and Strategic Value. International Journal of Business Marketing and Management. 2025.

4. Jadhav MS, et al. Computer System Validation: A Review. International Journal of Trend in Scientific Research and Development (IJTSRD). 2023; 7(2):711–715.

5. Evaluating challenges and solutions for ensuring regulatory compliance in cloud-hosted LIMS platforms used in pharmaceutical and biotech industries. ResearchGate. 2024. Available from:

6. Sorenson, J., & Rengaswamy, R. (2023). Cloud Compliance in Life Sciences: A Practical Guide, PharmaTech Press.

7. Lee, H. C., & Patel, M. (2022). CSV in the Cloud Era: Strategies for SaaS, PaaS, IaaS, CRC Press.

8. Raja R, et al. (2024) and Todkar V, et al. (2014), include reviews of validation approaches including V Model and Agile methods.

9. Humphrey, D. (2022). GAMP 5 Guide: A Risk‑Based Approach to Compliant GxP Computerized Systems, ISPE.

10. ISPE. (2022). GAMP 5: Guide for Validation of Automated Systems, 2nd Ed., ISPE.

11. Shah J, Jain AK. Scaling Cloud Data Platforms for Compliance Analytics: A Strategic Approach for the Pharmaceutical Industry. Universal Research Reports. 2025;12(1):288–296. doi:10.36676/urr. v12.i1.1483.

12. Mohan, R. (2021). Cloud‑Based LIMS & CTMS: Design, Validation, and Compliance, Springer.

13. Fischer, L., & Smith, E. (2024). Next‑Gen CSV: Cloud‑Native, Agile, and AI‑Ready Frameworks for Regulated Industries, Academic Press.

14. Akundi A, Pavithra G, Swapnil SN. Integrated Approaches to Computer System Validation Within GxP Compliant QMS. International Journal of Scientific Research & Engineering Trends (IJSRET). 2025 May; 11(2): 458. doi: 10.61137/ijsret.vol.11.issue2.458 IJSRET_V11_issue2_788.pdf

15. Davis, J., & Lambert, M. (2023). Hybrid Validation Strategies: Bridging V‑Model and Agile in GxP Systems, Springer.

16. Tahir A, Chen F, Khan HU, Ming Z, Ahmad A, Nazir S, Shafiq M. A Systematic Review on Cloud Storage Mechanisms Concerning e-Healthcare Systems. Sensors. 2020; 20(18): 5392. doi:10.3390/s20185392.

17. Pandey G. Validation of ERP Software and System Architectures in a GxP Controlled Environment. International Journal of Scientific Research Archive. 2024 Aug; 12(1): 413–416. http://dx.doi.org/10.30574/ijsra.2024.12.1.0828

18. Todkar V, et al. Computerized System Validation: Introduction, Implementation and Regulations – A Review. International Journal for Pharmaceutical Research Scholars (IJPRS). 2014; 3(3):122–131. https://www.ijprs.com/wp-content/uploads/2018/09/IJPRS-V3-I3-00360.pdf

19. Khalil R, et al. Walking the Talk in Digital Transformation of Regulatory Review. Frontiers in Medicine. 2023; 10:1233142. doi:10.3389/fmed.2023.1233142

20. Salamanca‑Buentello, F. (2022). Cloud Deployment Models in Regulated Industries, Wiley.

21. Cloud Infrastructure Validation in the Pharmaceutical Industry. Pharma Connections. 2024. Available from: https://pharmaconnections.in/cloud-infrastructure-validation-in-the-pharmaceutical-industry/

22. The Influence of Cloud Computing on the Healthcare Industry: A Review of Applications, Opportunities, and Challenges for the CIO. Procedia Computer Science. 2022; (DOI: 10.1016/j.procs.2022.07.106).

Received on 18.07.2025 Revised on 08.09.2025

Accepted on 23.10.2025 Published on 14.02.2026

Available online from February 18, 2026

Research J. Science and Tech. 2026; 18(1):61-69.

DOI: 10.52711/2349-2988.2026.00010

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. Creative Commons License.