GxP

Overview

DNAnexus enables compliance with multiple regulatory requirements. These include current Good Clinical Practices ("cGCP"), current Good Laboratory Practices ("cGLP"), current Good Manufacturing Practices ("cGMP"), and 21 CFR § 11. This compliance supports those who use and submit genomic data to the U.S. Food and Drug Administration ("FDA") and comparable regulatory organizations outside the United States.

GxP Offering

The GxP offering provides the "people, process and technology" of the DNAnexus managed components for our Customers to participate in regulated research (GLP), clinical trials (GCP), machine learning (GMLP) and manufacturing processes (GMP) with the regulators in their target countries. While "GxP" refers to the US regulations, the term is used generically to refer to other agencies, such as Medicines Health Products Regulatory Agency (MHRA), and European Medicines Agency (EMA). At present, the health regulatory agencies include the US, UK, and EU. Other countries, such as Australia or China, are under discussion at this time.

We provide GxP customers with specific components that they will use to submit and sustain their regulatory processes. Since DNAnexus does not manufacture medical or pharmaceutical objects nor does it directly perform clinical trials or clinical tests, these specific components are typically documents to be incorporated into your Quality and Regulatory documentation.

DNAnexus recognizes the company may be subject to both Customer and Regulatory Agency audits at any time.

Also Included

• 21 CFR§11 components, including electronic records, human-readable Audit Trail and the necessary security around these elements. Electronic signatures are currently not in scope of the Platform. Because 21 CFR§11 is in play, the Platform and components must be Computer System Validated (CSV).

• Provides a human-readable Audit Trail, produced every 24 hours and placed in the customer's project folder. The format is comma-separated values (CSV) with the following format.

• Pre-Release and Release Notes of GxP relevant changes to the DNAnexus Platform. These notes are released to the Customer's Regulatory & Compliance groups on a weekly basis, typically on a Monday.

• Ongoing access to Computer System Validation documentation on the DNAnexus Platform and Apollo. We also include qualification documents on specific DNAnexus qualified apps. These documents should be considered qualification documents by the GxP Customer.

• Access to a Pre-Release environment (Platform software that has yet to be released) to execute their Performance Qualification (PQ) or System Requirements testing.

• Ability to lock pipelines to prevent unauthorized changes to applications, pipelines, or parameters outside your approved protocol.

• Processes in alignment with 21 CFR § 820 and ISO/IEC 13485:2016 in terms of Quality for medical device and CE Marks.

• Guidance on how to set up the customer's operating policies on the DNAnexus Platform.

• Assistance with the Customer's internal and external audits.

What is the Difference between Validation and Qualification?

Validation

Validation is the process of "establishing documented evidence" that provides a high degree of assurance that a specific process will consistently produce a product or system that meets predetermined specifications (URS, FS, Design Spec) and quality attributes. Simply stated, it is the act, process or instance to prove something on a reliable basis. It is the process to prove the system matches the requirements.

Qualification

Qualification is the process to establish confidence that a process or system will work correctly and consistently operate within established limits and tolerances. Qualifications tend to be smaller in scope, more static in nature and are subsets for a greater validation initiative. Qualification allows for tests to be performed on one element or component of the process to be validated against a specified outcome. Simply stated, it is the act or process to assure that something complies with an expected outcome, standard or set of specific requirements.

How do Qualification and Validation Work Together?

Validation incorporates the concept of qualification. Qualification is used to assess something dynamic that is likely to change. For example, you can qualify a computer network, that is how the routed packets change, but the process of communication happens. Validation is larger in scope and can include specific qualifications to achieve the end result. In both qualification and verification, you still must establish evidence against a predetermined criteria. Validation criteria tend to be more exacting than qualification, where the latter tolerates variation within the range of acceptable criteria.

How Do I Get GxP?

Your GxP license should extend to only the areas covered by the GxP regulations. You should also consider:

• What is your governance plan for your "orgs"? For example, most GxP license holders will have a "production org" and a corresponding "non-production org" for each phase of their clinical trial or regulated manufacturing process (or cleaning process). You will use the non-production org for PQ (Performance Qualification) or Requirements testing. You will work with your DNAnexus team to configure these orgs and link them to your GxP license.

• 21 CFR§11 Audit Trails are generated daily for all the API calls that occur in your org. You can work with your DNAnexus team for this configuration. Some questions to consider:

  • What project folder should they reside within your GxP orgs?

  • The files are in comma-separated-variable (CSV) format. What will you do with these files? Leave them in the project folder or download them periodically for internal analysis?

  • The size of the daily files is proportional to the activity of that org. If you are reviewing a month's worth of records, you might be analyzing hundreds of gigabytes. Consult your company's business intelligence tools for guidance.

How do I test my pipelines on the next Production release?

GxP users will get detailed Release/Pre-Release documents on every Monday, regardless of whether there is a release to Production on the subsequent Tuesday. These Release/Pre-Release Notes describe the changes anticipated in Production the following day as well as anticipated changes in the coming weeks and months. The impact of each change described in the Release/Pre-Release Notes are evaluated regarding Major or Minor impact to the GxP subscriber. This impact assessment is made by DNAnexus based on our knowledge of the GxP community's use of DNAnexus. Should the GxP subscriber determine a change is may impact their computer system validated pipeline, the GxP subscriber has access to DNAnexus' Staging environment to re-run their computer system validation tests. As the update of the Staging environment is done simultaneously with the update to Production, the duration of testing lasts from Tuesday to the next push to Staging and Production.

Should the GxP subscriber incur a test failure in their pipeline, we urge you to file a bug report with DNAnexus Support and emphasize the failure occurred in Staging.

DNAnexus' Staging environment is used for testing the system before review by DNAnexus' Change Control Board. DNAnexus uses this environment to perform computer system validation of the Platform. As such, there are ground rules for this environment that must be observed for GxP subscribers using DNAnexus' Staging environment, namely:

1. Confidential or proprietary data shall NOT be used in this environment. We recommend using synthetic data to test your pipelines whenever possible.

2. As Staging is a test environment, this environment may be fluid. This is the environment where we try to break the Platform. Fixes may be implemented into this environment to fix bugs found early in our test cycle. Bugs that persist beyond Wednesday will either be reverted to previous code that worked or the function will not be advanced to Production.

3. The performance of the Staging environment may be similar to Production, but reserve your performance testing to the weekend.

4. Not all functions in the Staging environment will be advanced to Production in the following week. For example, high risk changes may "bake" in Staging for multiple weeks before promotion to Production. Bugs, including bugs arising from pipelines run in Staging, may cancel the either the function or the entire promotion of changes to Production. The GxP Release/Pre-Release Notes are critical to discern the functionality that lands in Production as some intended features may require additional testing.

5. Access to DNAnexus' Staging environment purposely uses a different account than access to DNAnexus' Production environment to avoid user's confusion over the environment.

What Do All Customers Get?

DNAnexus maintains compliance with many regulations for all our customers (GxP and non-GxP), such as Privacy that are used by all customers of DNAnexus. DNAnexus will respond to supplier questionnaires, audits, and compliance verification requests.

The DNAnexus Platform is authorized, certified or compliant with:

• ISO/IEC 27001:2022 (certified)

• Data Privacy Framework (including the UK,Swiss, EU-US)

• FedRAMP ATO = Moderate (Authorized to Operate)

• Global Data Privacy Regulation (compliant)

• HIPAA (compliant, Business Associates Agreement required)

• Cyber Essentials Plus (certified)

Comparison of Base License vs GxP License

Is the DNAnexus Platform Archive Service Functionality GxP-Compliant?

Yes, the DNAnexus file archiving functionality, accessible via the DNAnexus Archive Service, is compliant with Part 11 (remember to include the relevant Audit Trail logs as well)! Looking at the 2017 draft Guidance document for 21 CFR Part 11, Q8 states:

Q8. Can sponsors and other regulated entities use durable electronic storage devices to archive required records from a clinical investigation? Yes. Using an electronic means, such as a durable electronic storage device is an acceptable method to archive study-related records at the end of the study. Sponsors and other regulated entities should ensure that the integrity of the original data and the content and meaning of the record are preserved. Also, if the electronic records are archived in such a way that the records can be searched, sorted, or analyzed, sponsors and other regulated entities should provide electronic copies with the same capability to FDA during inspection if it is reasonable and technically feasible. During inspection, FDA may request to review and copy records in a human readable form using electronic system hardware.

DNAnexus provides the methods and tools to help GxP subscribers. GxP subscribers will have their own Standard Operating Procedures (SOP) for implementing requirements such as 21 CFR 58.190 (c and d) where it states: "(c) An individual shall be identified as responsible for the archives" and "(d) Only authorized personnel shall enter the archives." Your SOP may interpret this requirement to mean that once a GLP study is archived, only the (An "individual" is interpreted as singular) approved individual or their designated authorized personnel can enter the archives to retrieve it. This approved individual might be a designated "GLP Archivist". Given DNAnexus allows users with contribute or administer permissions to archive or unarchive files in that reside in the project -- the GxP subscriber will need to craft their SOP to restrict the unarchiving capability.