GxP

Overview

DNAnexus enables compliance with the requirements of current Good Clinical Practices (“cGCP”), current Good Laboratory Practices (“cGLP”), current Good Manufacturing Practices (“cGMP”) and since the DNAnexus Platform uses electronic records, 21 CFR § 11 by those who use and submit genomic data to the U.S. Food and Drug Administration (“FDA”) and comparable regulatory organizations outside the United States.

GxP Offering

The GxP offering provides the “people, process and technology” of the DNAnexus managed components for our Customers to participate in regulated research (GLP), clinical trials (GCP), machine learning (GMLP) and manufacturing processes (GMP) with the regulators in their target countries. While “GxP” refers to the US regulations, the term is used generically to refer to other agencies, such as Medicines Health Products Regulatory Agency (MHRA), and European Medicines Agency (EMA). At present, the health regulatory agencies include the US, UK, and EU. Other countries, such as Australia, China, etc. are under discussion at this time.

We provide GxP customers with specific components that they will use to submit and sustain their regulatory processes. Since DNAnexus does not manufacture medical or pharmaceutical objects nor does it directly perform clinical trials or clinical tests, these specific components are typically documents to be incorporated into your Quality and Regulatory documentation.

DNAnexus recognizes the company may be subject to both Customer and Regulatory Agency audits at any time.

Also Included

• 21 CFR§11 components, including electronic records, human-readable and the necessary security around these elements. Electronic signatures are currently not in scope of the Platform. Because 21 CFR§11 is in play, the Platform and components must be Computer System Validated (CSV).

• Provides a human-readable , produced every 24 hours and placed in the customer’s project folder. The format is comma-separated values (csv) with the .

• Pre-Release and Release Notes of GxP relevant changes to the DNAnexus Platform. These notes are released to the Customer’s Regulatory & Compliance groups on a weekly basis, usually on a Monday.

• Ongoing access to Computer System Validation documentation on the DNAnexus Platform and Apollo. We also include qualification documents on several of the DNAnexus qualified apps. These documents should be considered qualification documents by the GxP Customer.

• Access to a Pre-Release environment (Platform software that has yet to be released) to execute their Performance Qualification (PQ) or System Requirements testing.

• Ability to lock pipelines. After all, you don’t want your scientists to be changing applications, pipelines or parameters outside your protocol!

• Processes in alignment with 21 CFR § 820 and ISO/IEC 13485:2016 in terms of Quality for medical device and CE Marks.

• Guidance on how to set up the customer’s operating policies on the DNAnexus Platform.

• Assistance with the Customer’s internal and external audits.

What is the Difference between Validation and Qualification?

Validation

Validation is the process of “establishing documented evidence” that provides a high degree of assurance that a specific process will consistently produce a product or system that meets predetermined specifications (URS, FS, Design Spec) and quality attributes. Simply stated, it is the act, process or instance to substantiate something on a reliable basis. It is the process to prove the system matches the requirements.

Qualification

Qualification is the process to establish confidence that a process or system will work correctly and consistently operate within established limits and tolerances. Qualifications tend to be smaller in scope, more static in nature and are usually subsets for a greater validation initiative. Qualification allows for tests to be performed on one element or component of the process to be validated against a specified outcome. Simply stated, it is the act or process to assure that something complies with an expected outcome, standard or set of specific requirements.

How do Qualification and Validation Work Together?

Validation incorporates the concept of qualification. Qualification is used to assess something dynamic that is likely to change (e.g. you qualify a computer network -- how the packets are routed will change, but the process of communication happens). Validation is larger in scope and can incorporate various qualifications to achieve the end result. In both qualification and verification, you still must establish evidence against a predetermined criteria. Validation criteria tend to be more exacting than qualification, where the latter tolerates variation within the range of acceptable criteria.

How Do I Get GxP?

Your GxP license should extend to only the areas covered by the GxP regulations. You should also consider:

• • What project folder should they reside within your GxP orgs?

  • The files are in comma-separated-variable (csv) format. What will you do with these files? Leave them in the project folder or download them periodically for internal analysis?

  • The size of the daily files is proportional to the activity of that org. If you are reviewing a month’s worth of records, you might be analyzing hundreds of gigabytes. Consult your company's business intelligence tools for guidance.

How do I test my pipelines on the next Production release?

GxP users will get detailed Release/Pre-Release documents on every Monday, regardless of whether there is a release to Production on the subsequent Tuesday. These Release/Pre-Release Notes describe the changes anticipated in Production the following day as well as anticipated changes in the coming weeks and months. The impact of each change described in the Release/Pre-Release Notes are evaluated with regard to Major or Minor impact to the GxP subscriber. This impact assessment is made by DNAnexus on the basis of our knowledge of the GxP community's use of DNAnexus. Should the GxP subscriber determine a change is may impact their computer system validated pipeline, the GxP subscriber has access to DNAnexus' Staging environment to re-run their computer system validation tests. As the update of the Staging environment is done at the same time period as the update to Production, the duration of testing lasts from Tuesday to the next push to Staging and Production.

DNAnexus' Staging environment is used for testing the system prior to review by DNAnexus' Change Control Board. DNAnexus uses this environment to perform computer system validation of the Platform. As such, there are ground rules for this environment that must be observed for GxP subscribers using DNAnexus' Staging environment, namely:

1. Confidential or proprietary data shall NOT be used in this environment. We recommend using synthetic data to test your pipelines whenever possible.

2. As Staging is a test environment, this environment may be fluid. This is the environment where we try to break the Platform. Fixes may be implemented into this environment to fix bugs found early in our test cycle. Bugs that persist beyond Wednesday will either be reverted to previous code that worked or the function will not be advanced to Production.

3. The performance of the Staging environment may be similar to Production, but please reserve your performance testing to the weekend.

4. Not all functions in the Staging environment will be advanced to Production in the following week. For example, high risk changes may "bake" in Staging for several weeks prior to promotion to Production. Bugs, including bugs arising from pipelines run in Staging, may cancel the either the function or the entire promotion of changes to Production. The GxP Release/Pre-Release Notes are critical to discern the functionality that lands in Production as some intended features may require additional testing.

5. Access to DNAnexus' Staging environment purposely uses a different account than access to DNAnexus' Production environment to avoid user's confusion over the environment.

What Do All Customers Get?

DNAnexus maintains compliance with many regulations for all of our customers (GxP and non-GxP), such as Privacy that are used by all customers of DNAnexus. DNAnexus will respond to supplier questionnaires, audits, etc.

The DNAnexus Platform is authorized, certified or compliant with:

• ISO/IEC 27001:2022 (certified)

• Data Privacy Framework (including the UK,Swiss, EU-US)

• FedRAMP ATO = Moderate (Authorized to Operate)

• Global Data Privacy Regulation (compliant)

• HIPAA (compliant, Business Associates Agreement required)

• Cyber Essentials Plus (certified)

Is the DNAnexus Platform Archive Service Functionality GxP-Compliant?

Q8. Can sponsors and other regulated entities use durable electronic storage devices to archive required records from a clinical investigation? Yes. Using an electronic means, such as a durable electronic storage device is an acceptable method to archive study-related records at the end of the study. Sponsors and other regulated entities should ensure that the integrity of the original data and the content and meaning of the record are preserved. In addition, if the electronic records are archived in such a way that the records can be searched, sorted, or analyzed, sponsors and other regulated entities should provide electronic copies with the same capability to FDA during inspection if it is reasonable and technically feasible. During inspection, FDA may request to review and copy records in a human readable form using electronic system hardware.