DNAnexus enables those who use and submit genomic data to the U.S. Food and Drug Administration (“FDA”) and comparable regulatory organizations outside the United States to comply with the requirements of current Good Clinical Practices (“cGCP”), current Good Laboratory Practices (“cGLP”), current Good Manufacturing Practices (“cGMP”) and, since the DNAnexus Platform uses electronic records, 21 CFR § 11.
The GxP offering provides the “people, process and technology” of the DNAnexus managed components for our Customers to participate in regulated research (GLP), clinical trials (GCP), machine learning (GMLP) and manufacturing processes (GMP) with the regulators in their target countries. While “GxP” refers to the US regulations, the term is used generically to refer to other agencies, such as the Medicines and Healthcare products Regulatory Agency (MHRA) and the European Medicines Agency (EMA). At present, the health regulatory agencies covered are those of the US, UK, and EU. Other countries, such as Australia and China, are under discussion at this time.
We provide GxP customers with specific components that they will use to submit and sustain their regulatory processes. Since DNAnexus does not manufacture medical or pharmaceutical objects nor does it directly perform clinical trials or clinical tests, these specific components are typically documents to be incorporated into your Quality and Regulatory documentation.
DNAnexus recognizes the company may be subject to both Customer and Regulatory Agency audits at any time.
21 CFR § 11 components, including electronic records, a human-readable audit trail and the necessary security around these elements. Electronic signatures are currently not in scope of the Platform. Because 21 CFR § 11 is in play, the Platform and components must be Computer System Validated (CSV).
Pre-Release and Release Notes of GxP relevant changes to the DNAnexus Platform. These notes are released to the Customer’s Regulatory & Compliance groups on a weekly basis, usually on a Monday.
Ongoing access to Computer System Validation documentation on the DNAnexus Platform and Apollo. We also include qualification documents on several of the DNAnexus qualified apps. These documents should be considered qualification documents by the GxP Customer.
Access to a Pre-Release environment (Platform software that has yet to be released) to execute their Performance Qualification (PQ) testing.
Ability to lock pipelines. After all, you don’t want your scientists to be changing applications, pipelines or parameters outside your protocol!
Processes in alignment with 21 CFR § 820 in terms of Quality for medical device and CE Marks.
Guidance on how to set up the customer’s operating policies on the DNAnexus Platform.
Assistance with the Customer’s internal and external audits.
Validation is the process of “establishing documented evidence” that provides a high degree of assurance that a specific process will consistently produce a product or system that meets predetermined specifications (URS, FS, Design Spec) and quality attributes. Simply stated, it is the act, process or instance to substantiate something on a reliable basis. It is the process to prove the system matches the requirements.
Qualification is the process to establish confidence that a process or system will work correctly and consistently operate within established limits and tolerances. Qualifications tend to be smaller in scope, more static in nature and are usually subsets for a greater validation initiative. Qualification allows for tests to be performed on one element or component of the process to be validated against a specified outcome. Simply stated, it is the act or process to assure that something complies with an expected outcome, standard or set of specific requirements.
Validation incorporates the concept of qualification. Qualification is used to assess something dynamic that is likely to change (e.g. you qualify a computer network -- how the packets are routed will change, but the process of communication happens). Validation is larger in scope and can incorporate various qualifications to achieve the end result. In both qualification and verification, you still must establish evidence against predetermined criteria. Validation criteria tend to be more exacting than qualification criteria; qualification tolerates variation within the range of acceptable criteria.
You need a GxP license; please contact email@example.com. The license should extend to only the areas covered by the GxP regulations. You should also consider:
What is your governance plan with respect to your “orgs”? For example, most GxP license holders will have a “production org” and a corresponding “non-production org” for each phase of their clinical trial or regulated manufacturing process (or cleaning process). You will use the non-production org for PQ (Performance Qualification) testing. You will work with your DNAnexus team to configure these orgs and link them to your GxP license.
21 CFR § 11 audit trails are generated daily for all of the API calls that occur in your org. You can work with your DNAnexus team for this configuration. Some questions to consider:
In which project folder within your GxP orgs should they reside?
The files are in comma-separated values (CSV) format. What will you do with these files? Leave them in the project folder or download them periodically for internal analysis?
The size of the daily files is proportional to the activity of that org. If you are reviewing a month’s worth of records, you might be analyzing hundreds of gigabytes. Consult your company's business intelligence tools for guidance.
The GxP licensees get access to the qualification documentation for specific apps.
Qualification means the applications have already gone through the qualification arm of Computer System Validation. Generally, the GxP documentation that comes with these apps includes:
User Requirements Spec/Functional Spec (one document),
Trace Matrix, and
Since DNAnexus staff are not the business users, there is no PQ Report or Validation Report.
The apps include:
Note: These apps are available to non-GxP customers, but not the qualification documentation. This documentation is controlled with limited access within DNAnexus.
DNAnexus maintains compliance with many regulations, such as Privacy, that apply to all of our customers (GxP and non-GxP). DNAnexus will respond to supplier questionnaires, audits, etc.
The DNAnexus Platform is authorized, certified or compliant with:
ISO/IEC 27001:2013 (certified)
EU-US Privacy Shield (including the UK), Swiss-US Privacy Shield (certified)
FedRAMP ATO = Moderate (authorized)
Global Data Privacy Regulation (compliant)
HIPAA (compliant, Business Associates Agreement required)