Introducing Axon.R: Appsilon's Framework for R Package Validation in Pharma

Reading time:
time
min
By:
Rafael Pereira
April 21, 2026

In 2026, R can give your clinical trial team a competitive advantage - but unfortunately, onboarding a single package takes 3+ months.

Without a standardized approach, every new R package goes through the same cycle: biostats, QA, IT, and programmers all need to sign off, documentation has to be produced from scratch, and submissions wait. Because of that, teams fall back to SAS. Not because it's better, but because it's already approved.

There's a smarter approach to R package validation in pharma - one that's repeatable, audit-ready, and something your organization actually owns.

In this article, we'll cover why R package validation is harder than most teams expect, the two main ways pharma organizations go about it today, and what we built at Appsilon to solve it.

Why R Package Validation Is a Bigger Challenge Than Most Teams Realize

R has moved well beyond exploratory analysis. Companies like Roche, Novartis, and GSK now use it for regulatory submissions - the kind that go directly to the FDA and EMA.

When R was just a research tool, a buggy third-party package was an inconvenience you could work around. But now when it's part of a clinical submission, it's a liability.

Moving away from SAS comes with a responsibility most teams underestimate. SAS has built-in validation by design since it's a proprietary, controlled environment. R doesn't work that way. A package having 500,000 downloads and a good README doesn't mean it's fit for a regulated workflow. It’s your job to prove it is.

Here’s what regulators expect:

  • Traceability: Who approved this package, under what conditions, and for which use cases.
  • Reproducibility: The same inputs produce the same outputs, every time, across environments.
  • Evidence: Validation reports, test results, and an audit trail showing the package was assessed before it was used in a clinical workflow.

Getting a single package approved means pulling in biostats, QA, IT, and programmers - each with their own checklist and sign-off requirements. Documentation gets written from scratch. The process isn't standardized, so the next package starts the same cycle all over again.

In the real world, this translates to 3+ months to onboard a single package. During that time, studies wait, and teams tend to fall back to tools they were trying to move away from.

Two Approaches to R Package Validation

When it comes to validating R packages in a regulated environment, there are two ways most pharma teams go about it. Here's how they differ.

The pre-validated package route

Some vendors offer pre-validated R packages you can download and install. The idea that instead of running validation yourself, you get packages that someone else already checked. You install them, generate a report from that installation, and lock down an immutable R environment that users can't modify.

In other words, you get a controlled environment and a validation report.

What you don't get is much else. The process doesn't scale to packages outside that vendor's catalog. You can't validate internal packages your team builds. And if your organization ever needs to explain or extend the validation process, there's no framework to fall back on.

The framework-based approach

The second approach is building a validation framework your organization owns and runs. This is the methodology backed by the R Validation Hub - an industry working group focused on helping pharma companies use R in regulated environments.

The core idea is risk-based validation.

Not every package carries the same risk, so not every package needs the same level of scrutiny. A low-risk utility package used for data formatting gets treated differently than a package running statistical models in a clinical submission.

This approach produces your own evidence bundles, your own SOPs, and your own approved package repository. Your team controls the process, can apply it to any package - public or internal - and can extend it as your needs grow.

With that said, keep in mind that building this from scratch takes time and expertise most teams don't have.

Introducing Axon.R: Appsilon's Approach to R Package Validation

Axon.R is Appsilon's answer to the framework-based approach.

It’s a pre-built, GxP-aligned validation and maintenance framework you can implement without starting from scratch.

Axon.R is built on R Validation Hub best practices and extended for regulated use. Its goal is to give your organization a validation process it fully owns and can run independently.

Here's what Axon.R does for you:

  • Standardized risk-based validation: Axon.R automatically scores each package across weighted metrics – including download volume, vignette count, website presence, dependency count, R CMD check results, test coverage, and source control presence – then combines them with manual risk classification based on context-of-use. Not every package gets treated the same – risk level controls how much scrutiny a package receives.
  • Approval workflows and remediation loops: When checks fail or evidence is incomplete, Axon.R flags it and routes it for remediation. High-risk packages require supporting evidence before entering review. All packages require sign-off from multiple independent reviewers before approval. Nothing gets approved by accident.
  • Controlled validation runs with reproducible evidence: Validation runs in an isolated container environment (e.g. Docker) and produces consistent outputs and a traceable evidence bundle your QA team and auditors can actually use.
  • Repository-ready outcomes: Once a package clears approval, Axon.R publishes it to your validated repository or any other CRAN-like repository and keeps the full audit trail and version lineage intact.
  • Scalable architecture: Axon.R is designed to integrate with CI/CD pipelines and enterprise authentication systems. It supports Kubernetes deployment and is built to work within your existing infrastructure.
  • Full ownership transfer: After implementation, your biostats, programming, and platform teams run the framework. Appsilon trains them and hands over the code and SOPs. Optional ongoing support is available, but you're not dependent on it.

In plain English: You end up with a validation process that's repeatable, auditable, and yours.

How Axon.R Works

Axon.R takes a package from intake to approved repository in six steps.

  1. Intake packages from public or internal sources: Axon.R pulls packages from CRAN, Bioconductor, or your organization’s internal uploads. It works for both third-party and in-house packages.
  2. Run automated risk scoring: Axon.R automatically scores each package and all of its strong dependencies across a set of weighted criteria – dependency count, documentation quality, test coverage, R CMD check results, and more. This produces a numeric risk score that informs the next step.
  3. Classify risk by context-of-use: A reviewer manually assigns a risk level (low, medium, or high) based on the automated score and how the package will actually be used by your team. They document the intended use and justification. High-risk packages are flagged to require supporting evidence before they can proceed to approval.
  4. Produce an evidence bundle and route for approval: For high-risk packages, supporting documentation must be uploaded before review can begin. All packages then enter multi-reviewer approval – requiring at least two independent approvals with zero rejections. Nothing gets approved until the evidence is complete.
  5. Remediate if rejected: If any reviewer rejects a package, it enters a remediation state. The team downloads the original source, applies fixes, and re-uploads a corrected version that goes back through the assessment and approval cycle. This loop ensures nothing ships without passing review.
  6. Publish to your approved repository with version lineage tracking: Before publication, Axon.R verifies that all package dependencies are themselves approved: a package cannot be published until its full dependency chain has passed review, something most competing solutions don't enforce. Once approved, the package is published to your validated repository – Posit Package Manager with full metadata and audit trail retained.

From first conversation to a working framework, Appsilon targets approximately 90 days in the best-case scenario. Delivery runs as a milestone-based rollout, meaning assessment and design in weeks 1-3, implementation in weeks 3-8, and validation with full handover in weeks 8-12.

Your exact timeline will depend on your current environment setup and internal approval cycles.

Where Axon.R Fits in Your SCE

R package validation doesn't happen in isolation. It's one piece of a broader Scientific Computing Environment (SCE) - the infrastructure your organization uses to run, manage, and control analytical workflows in a regulated setting.

Axon.R is built to work with that infrastructure. It connects with Posit Package Manager, container images, and CI/CD pipelines, so it works alongside what you've already built rather than replacing it.

If your team is running an open-source SCE, Axon.R just fills the validation gap. You have the environment and tools, but package validation is often the piece that's still manual, inconsistent, or entirely missing.

And if you're mid-migration from SAS to open source, this matters even more. Moving fast on that transition requires approved packages. Without a repeatable validation process in place, every new package can take months to properly integrate.

Conclusion

R package validation doesn't have to be a months-long project - that’s every time you’re working with a new package. With the right framework in place, it's a repeatable process your team runs, owns, and builds on.

That's what Axon.R is built to deliver. Not a one-time engagement, but a validation capability that stays with your organization - one your biostats, programming, and platform teams can run and extend.

If you're not sure where your organization stands today, start with our free R Package Validation Checklist - it'll give you an idea of what's in place and what's missing. Or if you're ready to talk through your environment and what implementation could look like, book a validation strategy call with our team.

Have questions or insights?

Engage with experts, share ideas and take your data journey to the next level!
Contact Us

Stop Struggling with Outdated Clinical Data Systems

Join pharma data leaders from Jazz Pharmaceuticals and Novo Nordisk in our live podcast episode as they share what really works when building modern, compliant Statistical Computing Environments (SCEs).
Save My Spot

Is Your Software GxP Compliant?

Download a checklist designed for clinical managers in data departments to make sure that software meets requirements for FDA and EMA submissions.
Get the Checklist

Ensure Your R and Python Code Meets FDA and EMA Standards

A comprehensive diagnosis of your R and Python software and computing environment compliance with actionable recommendations and areas for improvement.
Book the Audit

The AI-Ready SCE: A Pharma Guide to Building Validated Environments That Don't Hold You Back

The 2026 edition of Appsilon's most downloaded resource is in the works. Updated with AI infrastructure, risk-based validation frameworks, and real-world lessons from teams running LLMs and Python pipelines inside GxP environments. Join the waitlist to get it first.
Join The Waitlist
Explore Possibilities

Share Your Data Goals with Us

From advanced analytics to platform development and pharma consulting, we craft solutions tailored to your needs.

Talk to our Experts