Skip to main content

SAP S/4HANA Validation Guide: How to Apply GAMP 5 Category 4 and CSA to GxP Modules in Pharma

A step-by-step guide for pharmaceutical, biotech, and medical device manufacturers validating SAP S/4HANA GxP modules using GAMP 5 Category 4 methodology and FDA Computer Software Assurance (CSA) principles.

Written by: Sundar , Director, GoVal
GAMP 5 Category 4 CSA · FDA Final Guidance 2025 21 CFR Part 11 EU Annex 11 IQ / OQ / PQ
Quick Answer

What GAMP 5 category is SAP S/4HANA, and does it need GxP validation?

SAP S/4HANA is GAMP 5 Category 4 — Configured Software. It requires GxP validation in pharma, biotech, and medical device manufacturing whenever it manages records or decisions affecting product quality, patient safety, or regulatory compliance. Validation scope covers only GxP-impacting modules — typically QM, PP, MM, PM, and WM/EWM — not the entire SAP landscape. Under FDA's final Computer Software Assurance (CSA) guidance (September 2025), effort must be proportionate to risk: high-risk configurations require scripted testing with full traceability; low-risk standard ERP functions can be verified with documented critical thinking. Custom ABAP code or bespoke Fiori applications are elevated to Category 5 and require separate qualification.

How to Perform Computer Software Assurance (CSA) for SAP S/4HANA

7 steps from initial GxP impact assessment through ongoing change control — following GAMP 5 Second Edition and FDA CSA principles.

Step 1

Determine GxP Impact and Classify Under GAMP 5

Before writing a single requirement, assess whether and how SAP S/4HANA affects regulated activities in your environment. For each business process supported by SAP, answer three questions:

  • Does this process directly or indirectly affect the quality of a regulated product?
  • Does it create or modify records required by a predicate rule (21 CFR 210/211, EU GMP, ISO 13485)?
  • Does it generate or maintain electronic signatures with regulatory significance?

Any process answering yes to at least one question falls within GxP validation scope.

GAMP 5 Classification for SAP S/4HANA

Standard SAP S/4HANA is Category 4 — Configured Software. SAP SE develops and tests the application; your obligation is to validate your specific configuration, not the underlying software engineering process.

ComponentGAMP 5 CategoryWhat this means for validation
Standard S/4HANA application (QM, PP, MM, PM, WM)Category 4Configuration verification, IQ/OQ, change control
Unmodified standard Fiori applicationsCategory 4Configuration and UI behaviour verified in OQ
Custom ABAP programs or enhancementsCategory 5FS, DS, code review, full IQ/OQ/PQ required
Bespoke Fiori apps or BSP applicationsCategory 5Full design and UI qualification required
SAP Basis, OS, database layerInfraInfrastructure IQ using vendor qualification artefacts
Step 2

Scope the Validation to GxP-Impacting Modules Only

A full SAP S/4HANA landscape includes dozens of modules. Validating all of them wastes resources and produces documentation burden with no safety benefit. Focus validation on modules with a direct connection to regulated manufacturing, quality, or data integrity.

In ScopeQM — Quality Management

Inspection lots, usage decision, results recording, certificates of analysis, batch classification. QM's integration with PP and MM at goods receipt and production order confirmation makes it the highest-risk area in most pharma SAP landscapes.

In ScopePP — Production Planning

Process orders, batch manufacturing steps, in-process quality inspection triggers, goods movements, and master recipe management. Errors in PP configuration can cascade directly into batch record discrepancies.

In ScopeMM — Materials Management

Goods receipt QM inspection trigger, batch management, blocked and quarantine stock controls, shelf life management, and temperature-sensitive material classification. Standard purchasing and invoicing workflows are typically excluded.

In ScopePM — Plant Maintenance

Equipment qualification status, preventive maintenance scheduling, calibration order management, and maintenance history for GMP-critical equipment. PM validation is often overlooked but directly supports equipment qualification records.

In ScopeWM / EWM — Warehouse Management

Quarantine and blocked stock segregation, FEFO picking configuration, temperature-controlled storage zone management, and serialisation integration for track-and-trace compliance.

Typically Out of ScopeFI / CO — Finance & Controlling

No direct connection to product quality, patient safety, or GMP record integrity. Excluded unless a specific FI configuration generates or modifies quality-relevant records.

Step 3

Apply CSA Critical Thinking to Determine Assurance Level

This is the step most teams either skip or perform superficially — and it is the one that matters most under FDA's CSA framework. For each GxP-impacting SAP function, decide which assurance approach is proportionate to the actual risk.

CSA does not mean less rigour. It means correctly directed rigour. The obligation that replaces test script volume is a documented, defensible rationale for every scope decision. An inspector will ask: "Why did you not script-test this function?" A three-line answer that says "standard functionality" will not satisfy them.

High-Assurance Testing Required

Where a configuration failure would have a direct, undetected impact on patient safety or product quality

  • QM Usage Decision logic controlling batch release from quarantine
  • Electronic signature configuration (DSF) for GxP-critical approvals
  • Batch management controls preventing release of expired materials
  • Audit trail activation for GxP tables and transactions
  • Role-based access segregation for quality-critical transaction pairs

Lighter Approach Acceptable

Where vendor testing is extensive and a failure would be immediately detected or has no direct GxP consequence

  • Standard organisational unit assignments and chart of accounts
  • Standard Fiori navigation for non-GxP transactions
  • Currency and unit of measure configuration
  • Standard purchasing workflow (non-GxP supplier orders)
  • Standard print layout configuration for non-regulated outputs
Key point: Document the specific failure mode, why it would be detected, and what existing controls make scripted testing redundant. Vague justifications create inspection risk — specific ones create audit-ready rationale.
Step 4

Author User Requirements Specifications (URS) for GxP Configurations

The URS for SAP S/4HANA documents what each GxP-impacting configuration must do — expressed as verifiable, testable requirements, not system design descriptions.

Weak — not testable:

"The system shall manage batch records."

Better — testable:

"Once a Usage Decision is recorded in QM and the inspection lot status is set to Released, the system shall prevent modification of inspection results without generating an audit trail entry capturing user ID, timestamp, original value, and new value."

Each URS requirement must connect forward to the risk assessment, the OQ test case that verifies it, and the test result that proves it passed. This traceability chain is what the Requirement Traceability Matrix (RTM) captures. Gaps in it are a consistent inspection finding for SAP validation packages.

For a Category 4 system, also prepare a Configuration Specification — a document mapping each URS requirement to the specific SAP table entries, customising settings, and workflow rules that implement it. This becomes the baseline for change control: any deviation from this baseline triggers revalidation assessment.

Step 5

Perform a Functional Risk Assessment (FRA)

The FRA scores each URS requirement for Severity × Occurrence × Detectability = RPN. High RPN items get scripted OQ test coverage with explicit pass/fail criteria; lower RPN items are addressed with lighter approaches or vendor documentation references.

For SAP S/4HANA, typical high-severity items include:

  • Any configuration controlling whether a batch can be released from quarantine without a Usage Decision
  • Electronic signature bypasses or overrides in DSF (Digital Signature Framework)
  • Authorisation settings allowing a single user to both record and approve quality inspection results
  • Audit trail deactivation for GxP-critical transaction types

Detectability scores should reflect your existing controls. A QM usage decision failure caught immediately by a production supervisor before goods movement reduces the effective risk compared to a silent configuration failure that passes non-conforming material to release.

Under CSA: The FRA output directly justifies your testing scope decisions. If a function is excluded from scripted testing, the FRA must show a low RPN and identify the existing detection mechanism. This is the auditable CSA rationale.
Step 6

Execute IQ, OQ, and PQ Protocols

Three qualification phases address progressively higher levels of operational reality.

IQ — Installation Qualification

Verifies the SAP S/4HANA technical landscape is correctly installed, patched, and configured before functional testing begins.

  • S/4HANA release version and Support Package stack matches the approved baseline
  • Transport routes DEV → QAS → PRD are correct and locked in TMS
  • SAP Basis security profile parameters: password policy, session timeout, logon attempt limits
  • Security Audit Log and change document logging activated for GxP tables
  • RFC connection security and authorisation for LIMS, MES integrations
  • Backup configuration and disaster recovery verified against IT policy
OQ — Operational Qualification

Tests each GxP-impacting configuration against URS under controlled conditions, including boundary conditions and error scenarios.

  • QM: Inspection lot creation triggers fire at goods receipt, production confirmation, and goods issue
  • QM: Usage Decision requires e-signature with meaning statement (DSF configured)
  • QM: Modifying a released inspection lot generates audit trail entry with before/after values
  • PP: System prevents goods issue of materials in blocked or quarantine stock status
  • MM: Batch classification and shelf life controls function at goods receipt
  • Access control: QA role cannot execute production-only transactions and vice versa
  • Security Audit Log captures failed logon attempts and privileged access events
PQ / UAT — Performance Qualification

Confirms end-to-end GxP processes perform correctly in production with real users, real master data, and integrated process flows.

  • Raw material receipt → QM inspection lot → usage decision → stock release
  • Process order creation → in-process QM inspection → goods issue → batch record completion
  • Finished goods: QM usage decision → CoA generation → transfer to released stock
  • Equipment maintenance: PM order → execution → calibration record with QA sign-off
  • Batch recall: batch search across sites → logistics block → stock restriction

Under CSA, PQ/UAT can carry more verification weight for lower-risk configurations, reducing the scripted OQ test suite where the FRA justifies it.

Step 7

Establish Change Control and Periodic Review

SAP's continuous release cadence — Support Packages, Enhancement Packages, and major annual releases — creates a permanent change assessment obligation for any validated GxP environment.

Change Type Assessment Required Typical Revalidation Scope
Major version upgrade(e.g., S/4HANA 2022 → 2023) Full GxP impact assessment — review SAP release notes for all GxP-relevant application areas Risk-based regression of affected OQ test cases; VSR update; QA sign-off before PRD transport
Support Package / kernel update Review SP notes for corrections to GxP-relevant transactions. Most SPs require targeted assessment only Targeted regression on affected functions; lighter documentation where CSA rationale supports
GxP configuration change(customising, roles, workflow rules) Change impact assessment for each in-scope customising change before transport to PRD Test proportionate to risk. Transport log from TMS provides audit trail — reference it in the change record
Interface change(LIMS, MES, serialisation) Interface qualification re-assessment — data transfer accuracy, error handling, new field mapping Interface OQ re-execution for affected data flows; data integrity verification in PQ

Periodic review — typically annual or triggered by material change — confirms the system remains in its validated state: access controls are current, audit trail is functioning, the Configuration Specification reflects actual settings, and no undocumented drift has occurred.

Common Inspection Findings for SAP S/4HANA in Pharma

These patterns appear consistently in FDA 483 observations and EMA inspection reports for pharmaceutical companies running SAP ERP systems.

  1. Audit trail not activated or incomplete for QM transactions. SAP's audit trail mechanisms are not always on by default for application objects. Inspectors check whether change documents for QM inspection lots and usage decisions capture who changed what, when, and the original value. Gaps — especially in usage decision reversals — are the single most common SAP-related finding.
  2. Shared SAP user accounts used for GxP transactions. Production floor users sharing a single SAP login for goods movement convenience invalidates electronic signature compliance for any transaction executed under that account. System-level enforcement — not just a procedural prohibition — is what inspectors look for.
  3. Validation documentation reflects the initial go-live state, not the current system. Inspectors compare current system configuration against the validation documentation baseline. Discrepancies not covered by documented change control records constitute a significant finding, often requiring retrospective revalidation of affected scope.
  4. Interfaces to LIMS, MES, or serialisation platforms not separately qualified. Interfaces transferring GxP-relevant data — inspection results from LIMS to QM, production order completions from MES to PP — require their own interface qualification. Missing interface validation is a common root cause finding when batch record discrepancies occur between connected systems.
  5. Segregation of duties enforced by procedure only, not by the system. A written SOP prohibiting a user from both recording and approving quality inspection results is insufficient. The authorisation profile design must enforce the segregation at the system level.

Frequently Asked Questions

Is SAP S/4HANA GAMP 5 Category 3 or Category 4?

SAP S/4HANA is GAMP 5 Category 4 — Configured Software. GAMP 5 Second Edition (published 2022) eliminated Category 3 (Non-Configured Products) and merged it into Category 4, which now covers all commercial off-the-shelf software configured rather than custom-coded. Custom ABAP programs, bespoke Fiori apps, or third-party add-ons are Category 5 — Bespoke Software and require Functional Specification, Design Specification, and code-level review.

Do you need to validate every SAP module in a pharma company?

No. Only modules where a configuration failure could directly impact patient safety, product quality, or GMP record integrity require GxP validation. QM, PP, MM (batch management and goods receipt), PM, and WM/EWM are typically in scope. FI/CO, HR, and standard procurement workflows are generally excluded unless they interact with quality-relevant configurations or generate records required by a predicate rule. The exclusion rationale — "FI/CO has no connection to product release decisions or GMP records" — must be formally documented.

Can we use CSA instead of CSV for SAP S/4HANA? What is the practical difference?

CSA is an evolution of CSV, not a replacement. Under FDA's final CSA guidance (September 2025), you still produce validation documentation and still test GxP-critical configurations — but effort must be proportionate to risk. High-risk configurations (batch release controls, e-signature logic, audit trail activation) still require scripted OQ testing with full traceability. Lower-risk standard ERP functions can be verified with vendor documentation, configuration screenshots, and a documented critical-thinking rationale explaining why scripted testing adds no incremental assurance. That rationale documentation is now more important than the test scripts it replaces.

How do you handle SAP S/4HANA Support Package updates in a validated GxP environment?

Every SAP Support Package must go through a documented change impact assessment before production deployment. Review SAP SP notes for corrections or changes to GxP-relevant transactions, tables, and application areas. If the SP modifies validated configurations, run targeted regression testing and update validation documentation before transporting to production. Pure basis, kernel, or security patches with no application-layer GxP impact can be managed with a lighter assessment and documented rationale. The TMS transport log provides the built-in audit trail — reference it in your change control record rather than recreating it separately.

Does SAP's built-in audit trail satisfy 21 CFR Part 11 without additional configuration?

No. SAP S/4HANA has multiple audit trail mechanisms — change documents, database logging, and the Security Audit Log — but none are fully activated for GxP purposes by default. You must explicitly configure and activate the relevant mechanisms for each GxP-relevant table and transaction type, test that they capture user ID, timestamp, old value, and new value, and confirm records are tamper-evident and retrievable. This configuration must itself be tested in OQ and protected from unauthorised change — audit trail deactivation by a privileged user is a data integrity risk inspectors specifically probe.

What is the validation approach for SAP S/4HANA Cloud (RISE) vs on-premise?

On-premise S/4HANA allows direct IQ of the infrastructure layer — server configuration, database version, network settings. With RISE with SAP (cloud), infrastructure responsibility shifts to SAP SE. The IQ approach changes: instead of directly testing infrastructure, you document a supplier qualification assessment using SAP's SOC 2 Type II reports, ISO 27001 certifications, and system qualification documentation from SAP, plus a supplier audit. OQ and PQ scope is comparable in both deployments — the cloud validation package must include supplier qualification artefacts in place of infrastructure test scripts.

What is the difference between Greenfield and Brownfield S/4HANA migration for validation?

A Greenfield implementation (new build from scratch) requires complete prospective validation: URS, risk assessment, IQ/OQ/PQ, and Validation Summary Report built from the ground up. A Brownfield (system conversion from ECC or legacy SAP) requires a retrospective gap assessment of the existing validated state, a delta validation covering changes introduced by the migration, and a data migration validation confirming GxP records transferred accurately and with intact audit trails. Brownfield scopes revalidation to what changed — it does not exempt the organisation from revalidation.

What are the most common FDA findings for SAP ERP systems in pharma inspections?

The five most frequently cited issues are: (1) audit trail not activated or incomplete for QM usage decisions and results recording; (2) shared SAP user accounts used for GxP transactions, violating Part 11 individual credential requirements; (3) validation documentation reflecting the initial go-live state rather than the current system after subsequent upgrades and configuration changes; (4) interfaces to LIMS, MES, or serialisation platforms not separately qualified; and (5) segregation of duties enforced by procedure only — the same user role can both record and approve quality inspection results.