Learn about the DNAnexus GxP offering and how to get and use it.
DNAnexus enables compliance with the requirements of current Good Clinical Practices (“cGCP”), current Good Laboratory Practices (“cGLP”), current Good Manufacturing Practices (“cGMP”) and since the DNAnexus Platform uses electronic records, 21 CFR § 11 by those who use and submit genomic data to the U.S. Food and Drug Administration (“FDA”) and comparable regulatory organizations outside the United States.
The GxP offering provides the “people, process and technology” of the DNAnexus managed components for our Customers to participate in regulated research (GLP), clinical trials (GCP), machine learning (GMLP) and manufacturing processes (GMP) with the regulators in their target countries. While “GxP” refers to the US regulations, the term is used generically to refer to other agencies, such as Medicines Health Products Regulatory Agency (MHRA), and European Medicines Agency (EMA). At present, the health regulatory agencies include the US, UK, and EU. Other countries, such as Australia, China, etc. are under discussion at this time.
We provide GxP customers with specific components that they will use to submit and sustain their regulatory processes. Since DNAnexus does not manufacture medical or pharmaceutical objects nor does it directly perform clinical trials or clinical tests, these specific components are typically documents to be incorporated into your Quality and Regulatory documentation.
DNAnexus recognizes the company may be subject to both Customer and Regulatory Agency audits at any time.
- 21 CFR§11 components, including electronic records, human-readable audit trail and the necessary security around these elements. Electronic signatures are currently not in scope of the Platform. Because 21 CFR§11 is in play, the Platform and components must be Computer System Validated (CSV).
- Provides a human-readable audit trail, produced every 24 hours and placed in the customer’s project folder. The format is comma-separated-variables (csv) with the following format.
- Pre-Release and Release Notes of GxP relevant changes to the DNAnexus Platform. These notes are released to the Customer’s Regulatory & Compliance groups on a weekly basis, usually on a Monday.
- Ongoing access to Computer System Validation documentation on the DNAnexus Platform and Apollo. We also include qualification documents on several of the DNAnexus qualified apps. These documents should be considered qualification documents by the GxP Customer.
- Access to a Pre-Release environment (Platform software that has yet to be released) to execute their Performance Qualification (PQ) testing.
- Ability to lock pipelines. After all, you don’t want your scientists to be changing applications, pipelines or parameters outside your protocol!
- Processes in alignment with 21 CFR § 820 and ISO/IEC 13485:2016 in terms of Quality for medical device and CE Marks.
- Guidance on how to set up the customer’s operating policies on the DNAnexus Platform.
- Assistance with the Customer’s internal and external audits.
Validation is the process of “establishing documented evidence” that provides a high degree of assurance that a specific process will consistently produce a product or system that meets predetermined specifications (URS, FS, Design Spec) and quality attributes. Simply stated, it is the act, process or instance to substantiate something on a reliable basis. It is the process to prove the system matches the requirements.
Qualification is the process to establish confidence that a process or system will work correctly and consistently operate within established limits and tolerances. Qualifications tend to be smaller in scope, more static in nature and are usually subsets for a greater validation initiative. Qualification allows for tests to be performed on one element or component of the process to be validated against a specified outcome. Simply stated, it is the act or process to assure that something complies with an expected outcome, standard or set of specific requirements.
Validation incorporates the concept of qualification. Qualification is used to assess something dynamic that is likely to change (e.g. you qualify a computer network -- how the packets are routed will change, but the process of communication happens). Validation is larger in scope and can incorporate various qualifications to achieve the end result. In both qualification and verification, you still must establish evidence against a predetermined criteria. Validation criteria tend to be more exacting than qualification, where the latter tolerates variation within the range of acceptable criteria.
Your GxP license should extend to only the areas covered by the GxP regulations. You should also consider:
- What is your governance plan with respect to your “orgs”? For example, most GxP license holders will have a “production org” and a corresponding “non-production org” for each phase of their clinical trial or regulated manufacturing process (or cleaning process). You will use the non-production org for PQ (Performance Qualification) testing. You will work with your DNAnexus team to configure these orgs and link them to your GxP license.
- 21 CFR§11 audit trails are generated daily for all of the API calls that occur in your org. You can work with your DNAnexus team for this configuration. Some questions to consider:
- What project folder should they reside within your GxP orgs?
- The files are in comma-separated-variable (csv) format. What will you do with these files? Leave them in the project folder or download them periodically for internal analysis?
- The size of the daily files is proportional to the activity of that org. If you are reviewing a month’s worth of records, you might be analyzing hundreds of gigabytes. Consult your company's business intelligence tools for guidance.
The GxP subscribers get access to the qualification documentation for specific apps.
Qualification means the applications have already gone through the qualification arm of Computer System Validation. Generally, the GxP documentation that comes with these apps includes:
- Qualification Plan,
- Requirements and Functional Specifications
- Design Specification,
- Trace Matrix, and
- Requirements Testing Report
Since DNAnexus staff are not the business users, there is no PQ/UAT Report or Validation Report.
The apps include:
Note: These apps are available to non-GxP customers, but not the qualification documentation. This documentation is controlled with limited access within DNAnexus.
DNAnexus maintains compliance with many regulations for all of our customers (GxP and non-GxP), such as Privacy that are used by all customers of DNAnexus. DNAnexus will respond to supplier questionnaires, audits, etc.
The DNAnexus Platform is authorized, certified or compliant with:
- ISO/IEC 27001:2013 (certified)
- EU-US Privacy Shield (including the UK), Swiss-US Privacy Shield (certified, 2022 version)
- FedRAMP ATO = Moderate (authorized)
- Global Data Privacy Regulation (compliant)
- HIPAA (compliant, Business Associates Agreement required)
- Cyber Essentials Plus (certified)
Yes, the DNAnexus file archiving functionality, accessible via the DNAnexus Archive Service, is compliant with Part 11 (remember to include the relevant audit trail logs as well)! Looking at the 2017 draft Guidance document for 21 CFR Part 11 , Q8 states:
Q8. Can sponsors and other regulated entities use durable electronic storage devices to archive required records from a clinical investigation? Yes. Using an electronic means, such as a durable electronic storage device is an acceptable method to archive study-related records at the end of the study. Sponsors and other regulated entities should ensure that the integrity of the original data and the content and meaning of the record are preserved. In addition, if the electronic records are archived in such a way that the records can be searched, sorted, or analyzed, sponsors and other regulated entities should provide electronic copies with the same capability to FDA during inspection if it is reasonable and technically feasible. During inspection, FDA may request to review and copy records in a human readable form using electronic system hardware.
DNAnexus provides the methods and tools to help GxP subscribers will have their own Standard Operating Procedures (SOP), such as implementing the requirements such as 21 CFR 58.190 (c and d) where it states: "(c) An individual shall be identified as responsible for the archives;" and "(d) Only authorized personnel shall enter the archives." Your SOP may be interpret this requirement to mean that once a GLP study is archived, only the (An "individual" is interpreted as singular) approved individual (e.g. "GLP Archivist") or their designated authorized personnel can enter the archives to retrieve it. Given DNAnexus allows users with contribute or administer permissions to archive or unarchive files in that reside in the project -- the GxP subscriber will need to craft their SOP to restrict the unarchiving capability.