How to Utilize GAMP to Achieve a GxP Cloud

Posted by Sierra Labs on Oct 17, 2019 11:03:18 AM

Connecting the dots between Cloud technology and regulatory compliance.


Cloud computing is currently a booming topic of discussion in various industries. One of the more complicated applications of cloud is in the life science space.

In order to protect patient privacy, there need to be data security measures in place to prevent hacking and leaking of private medical information. This is why there are guidelines and regulations in place to ensure that Cloud systems stay compliant.

In this blog we will cover the organizations and guidelines that are in place to help manufacturers achieve a GxP validated Cloud. To learn what to look for when choosing a Cloud provider in this space, check out our next blog.

Let's get started!

What is ISPE?

ISPE, short for the International Society for Pharmaceutical Engineering, is an industry group that was founded in 1980. It is composed of pharmaceutical professionals who collaboratively create various GMP solutions.

Its members include:

    • Engineers
    • Microbiologists
    • Chemists
    • QA/QC
    • Production
    • Process development
    • Pharmacists
    • Regulatory and training personnel
    • Academia
    • Suppliers
    • Other professionals

ISPE provides conferences, training, and guidelines. Its primary goals are worldwide patient safety, quality medicine manufacturing, and the connection between innovative technologies and regulations.

They define industry standards and best practices, and their Guides are accepted globally. These Guides detail how to design, build, qualify, license, operate and maintain complex pharmaceutical manufacturing facilities.


What is GAMP Guidance?

GAMP is short for Good Automated Manufacturing Practice. It is both a subcommittee of ISPE, as well as a set of good practice guidelines created by ISPE for pharmaceutical manufacturers and users of automated systems.

It was founded in 1991 in the UK in order to keep up with the ever-changing US FDA requirements for GMP (good manufacturing practice) compliance. The first Guidance was published in 1994, but GAMP didn’t officially become part of ISPE until 2000.

GAMP Guides are well accepted on a global scale and cover several topics surrounding drug manufacturing. ISPE has published a series of Guides including:

    • GAMP Good Practice Guide: A Risk-Based Approach to Compliant GxP Computerized Systems
    • GAMP Good Practice Guide: Calibration Management
    • GAMP Good Practice Guide: Electronic Data Archiving
    • GAMP Good Practice Guide: Global Information Systems Control and Compliance
    • GAMP Good Practice Guide: IT Infrastructure Control and Compliance
    • GAMP Good Practice Guide: Testing of GxP Systems
    • GAMP Good Practice Guide: Validation of Laboratory Computerized Systems
    • GAMP Good Practice Guide: Validation of Process Control Systems


What is GAMP®5?

GAMP®5 is the most recent revision of GAMP Guides, published by ISPE in February 2008. It is a guidance document titled A Risk-Based Approach to Compliant GxP Computerized Systems.

It is a risk-based approach to categorizing computer system validations based on the systems' intended use and complexity. This categorization helps manufacturers to write their system documentation and prepare for regulatory audits.

Conducting these validation tests ensures that the system functions properly by using the requirements and specifications as an objective standard for testing the system. Since the test scripts are tied to specific requirements and specifications, a passing test indicates the associated requirements and specifications have been met, and vice versa with a failed test.

GAMP®5 is comprised of guidelines, not regulations, thus following it isn’t necessarily mandatory. Yet, following this Guide is largely beneficial, for it heavily overlaps with regulations from EMA, FDA, etc. and is widely accepted and approved on a global scale.


How does GAMP®5 align with ISO 90003:2004?

GAMP®5 aligns closely with ISO 90003:2004 and overlaps with it in many different sections. The chart below shows the various overlaps between the guidance and the standard.


Subject | ISO 90003:2004 | GAMP®5, Appendix
Basic Design | 7.3.2, 7.3.3 Design and Development inputs and outputs (Define product design and development inputs. Generate product design and development outputs.) | Functional Specifications/Configuration and Design
Detailed Design | |
Design Review | Design and development review (Perform product design and development reviews.) | Design Review and Traceability
Code Review | 7.3.4, 7.3.5 Design and development review and verification (Perform product design and development reviews. Conduct product design and development verifications.) | Management, Development, and Review of Software
Module (unit) Test | Design and development validation - Testing (Carry out planned software testing activities.) | Testing of Computerized Systems
Integration/System Test b | Design and development validation: Testing (Carry out planned software testing activities.) | Testing of Computerized Systems
IQ/OQ – System Test c | Design and development validation: Testing; Control of production and service provision: Installation; Control of production and service provision: Operations | Testing of Computerized Systems/Validation Reporting
PQ – Acceptance Test d | Design and development validation: Testing (Carry out planned software testing activities.) | Testing of Computerized Systems/Validation Reporting
Change Control | Control of design and development changes (Control product design and development changes.) | Operational Change and Configuration Management
Configuration Management | Identification and traceability - Configurations management process (Control software replication activities.) | Operational Change and Configuration Management


What does this all mean? It means that if you are following GAMP®5 Guidance, then you are simultaneously checking regulatory compliance boxes as well, killing two birds with one stone - saving time and money!

What is the main problem with the Cloud?

There are many benefits of Cloud Computing! Cloud systems are:

    • Fast
    • Flexible
    • Scalable
    • Easy to back up/archive
    • Low cost (compared to traditional internal servers)

If it sounds too good to be true, it’s because we have left out the main problem that arises with the use of Cloud in the regulated marketplace: Compliance.

In order for consumers to have data security and privacy, there need to be rules and regulations surrounding data storage on the Cloud. Keep in mind, the data in this industry is medical data and private patient information, thus it needs to be safe and secure.

The problem is that Cloud technology is evolving fast and is readily available, yet regulations are evolving at a snail's pace. This results in a lack of specific guidelines for Cloud, which, together with the low-risk (slow moving) regulatory culture, holds the pharmaceutical industry back from adopting this new Cloud technology.

A GxP Cloud Solution

What is the solution to the compliance problem for Cloud? A Cloud validation system that ensures compliance and GxP validation!

Sierra Cloud solves this compliance problem by being the first validated GxP system that allows for continuous compliance, completely abstracted from the Cloud environment. This means it can be attached to any Cloud system of your choice, and make it compliant!

It offers a solution to have a fully automated GxP compliant Cloud environment for all regulated workloads, a feat that no other Cloud Validator has achieved yet. It allows you to manage your Cloud policies and requirements, and run validation/qualification tests, all while staying fully GxP compliant.

We will continue to dive deeper and deeper into GxP Cloud computing in future blogs so stay tuned!

If you have read all of the above and think you're ready to find a compliant Cloud provider, then check out our next blog: 3 Crucial Steps in Choosing the Right GxP Cloud Provider!



Topics: Cloud, Compliance, GxP, Validated Cloud, GxP Cloud, Regulations, Data Security, GAMP, GAMP5, ISO90003:2004, ISPE
