How Logilab SDMS helps Laboratories to enable GLP Compliance – Part 1

Posted on October 25, 2022 By Agaram Technologies Blog

INTRODUCTION

About GLP and its importance

Good Laboratory Practices (GLP) is a quality system concerned with Laboratories’ organizational process and conditions under which non-clinical, health and environmental safety studies are planned, performed, monitored, recorded, archived and reported. This has been introduced by Organization for Economic Cooperation and Development (OECD) with the intention to promote data quality and guarantee data integrity.

This White Paper covers how Logilab Scientific Management System (SDMS), a software product developed Agaram Technologies Private Limited, India, helps Laboratories to adhere and follow the Principles of GLP as applied to Computerized Systems in laboratories.

Apart from other guidelines regarding quality research, the GLP Principles can be found in the member counties of the OECD (except USA and Japan) for non-clinical, chemical and agrochemical research testing studies.

The GLP principles intend to provide a secure research environment that protects raw data from manipulation during and after testing procedures. It incorporates all organizational structures of research procedures. This implies that GLP, not only regulates the personnel working in a laboratory or other research facility, but also applies to computerized systems and their device-specific requirements used for research purposes.

GLP and Computerized Systems

Throughout recent years there has been an increase in the use of computerized systems by Laboratories undertaking health and environmental safety testing. These computerized systems may be involved with the direct or indirect capture of data, processing, reporting and storage of data, and increasingly as an integral part of automated equipment. Where these computerized systems are associated with the conduct of studies intended for regulatory purposes, it is essential that they are developed, validated, operated and maintained in accordance with the OECD Principles of GLP.

Duly considering the principles of GLP, Laboratory Data Management software systems like Logilab SDMS have to provide validated services to ensure accuracy, reliability and consistent intended performance, including the ability to ensure data quality and integrity, protecting stored records against manipulation or loss.

In the following text the citations in italics are from the OECD documents on “The Application of the Principles of GLP to Computerized Systems”

The definition of computerized systems is important in that it includes the hardware and the software components. They are considered together as constituting the entity that performs a particular function.

“A computerized system is defined as a group of hardware components and associated software designed and assembled to perform a specific function or group of functions.”

Which computerized systems are subject to GLP compliance? Essentially, the answer to that question is that any system having a potential impact on the quality or integrity of the data provided in a submission dossier is a candidate for GLP compliance.

The activities that are targeted in this OECD Consensus document are:

System development,
System validation,
Use/operation of systems,
Maintenance of
Modification / retirement of systems

“All computerized systems used for the generation, measurement or assessment of data intended for regulatory submission should be developed, validated, operated and maintained in ways which are compliant with the GLP Principles.”

From development, through validation, use and maintenance, the OECD document advises a life-cycle approach which is now the industrial and regulatory standard. The details of the GLP requirements applicable to computerized systems are described in the following pages.

RESPONSIBILITIES

Management

As elsewhere in GLP, management has overall responsibility for compliance. In the field of computerized systems, management should assure that GLP compliance applies to the life cycle of the system and that the appropriate documentation at each stage is in place and, in the case of prescriptive documents followed. Clearly some of these responsibilities are delegated to senior staff and specialists. This delegation may be documented in SOPs, policy documents, job description etc.

“Management is responsible for ensuring that computerized systems are suitable for the intended purposes. It should establish computing policies and procedures to ensure that systems are developed, validated, operated and maintained in accordance with the GLP Principles. Management should also ensure that these policies and procedures are understood and followed, and ensure that effective monitoring of such requirements occurs.”

Study Director

Since many such studies will utilize computerized systems, it is essential that Study Directors are fully aware of the involvement of any computerized systems used in studies under their direction. The Study Director’s responsibility for data recorded electronically is the same as that for data recorded on paper and thus only systems that have been validated should be used in GLP studies.

Personnel

As with any other equipment, it is a GLP responsibility of all personnel to use computerized Systems in compliance with GLP. Compliance concerns systems in all of the steps of their life cycle: development, validation, use and maintenance. Thus, all operations must be properly planned, conducted and documented. Only properly trained persons should operate systems. Such training must, of course, be fully documented.

Quality Assurance (QA)

Management should define the responsibilities that QA have with respect o computerized systems. These responsibilities must be set out in documents such as policy documents and SOPs. Again, responsibilities should be tailored to the life cycle approach, with QA involvement right through the various steps. If the steps include development stages, there should be QA activities related to this, if the steps start with the purchase of systems

QA should be involved in this.

Once in place QA should monitor both use and maintenance of computerized systems.

In order to avoid any conflicts, QA is usually given read only access to files and access to the audit trail functions.

Facilities and Equipment

“Due consideration should be given to the physical location of computer hardware, peripheral components, communications equipment and electronic storage media. Extremes of temperature and humidity, dust, electromagnetic interference and proximity to high voltage cables should be avoided unless the equipment is specifically designed to operate under such conditions. Consideration must also be given to the electrical supply for computer equipment and, where appropriate, back-up or uninterruptible supplies for computerized systems, whose sudden failure would affect the results of a study.

Adequate facilities should be provided for the secure retention of electronic storage media.”

MAINTENANCE AND DISASTER RECOVERY

Computerized systems should be considered in the same manner as any equipment in that preventive and curative maintenance is essential. Maintenance should be planned and documented when it is performed. Procedures for maintenance should exist.

Sometimes it may be necessary to revalidate systems after maintenance, adding patches or version changes. Decisions of this sort should be based on a rationale, often after risk analysis.

Disaster Recovery

Because of the problems that could arise due to partial or complete breakdown, institutions should implement contingency procedures to deal with such problems. The most commonly encountered is to return to a paper-based system in the event of computer shut down. It is also possible in some circumstances to reinstall systems from backup copies.

DATA

Raw data are defined as: “… all original laboratory records and documentation, including data directly entered into a computer through an instrument interface, which are the results of original observations and activities in a study and which are necessary for the reconstruction and evaluation of the report of that study.”

Whether electronic or not, it is essential to define all raw data. As for paper data, electronic raw data should provide the possibility of performing a full audit trail showing.

“All changes to the data without obscuring the original data. It should be possible to associate all changes to data with the persons making those changes by use of timed and dated (electronic) signatures. Reasons for change should be given.”

The difficulty associated with the rapid development of new systems is discussed in the OECD document. Long term retention of data may be difficult if the associated hardware and software is rapidly changing.

“Where system obsolescence forces a need to transfer electronic raw data from one system to another then the process must be well documented and its integrity verified. Where such migration is not practicable then the raw data must be transferred to another medium and this verified as an exact copy prior to any destruction of the original electronic records.”

SECURITY AND DATA INTEGRITY

“Documented security procedures should be in place for the protection of hardware, software and data from corruption or unauthorized modification, or loss. In this context security includes the prevention of unauthorized access or changes to the computerized system as well as to the data held within the system.”

Physical security measures cover, for example:

Restricting access to facilities where hardware, storage disks, terminals are
Assuring an adequate environment where computers, servers etc are
Providing special safes for the retention of disks and
Software security measures cover, for example:
Prevention of unauthorized access by pass word
Coding confidential
Anti-virus systems, firewalls
Procedures for adding new software to existing

All persons working with computer systems must be aware of the security needed to protect data. It is good practice to perform regular back-ups of data to avoid loss. Retention of duplicate data sets, usually at two different sites is also standard practice.

VALIDATION OF COMPUTERIZED SYSTEMS

It is the responsibility of management to demonstrate that computerized systems are suitable for the processes they perform. In addition, it must be demonstrated that the systems are operating in compliance with their specifications (functional, operational…). This can be demonstrated by formal validation.

Validation tests

“There should be adequate documentation that each system was developed in a controlled manner and preferably according to recognized quality and technical standards (e.g.

ISO/9001)”.

When a system has been developed by the vendor, the documentation regarding development will usually be retained by the vendor. However, there should be evidence that this development has been correctly conducted and tested at the site where the system is used. There is usually evidence of audits performed at the vendor site to support the vendor’s documentation.

Acceptance testing should be conducted against acceptance criteria. There should be a plan (protocol) prescribing the tests to be conducted, results of tests should be retained, and a formal report should be written containing the results and conclusion of the tests.

Retrospective Evaluation

Inevitably, some systems exist that were not at first intended for use in a GLP environment but that are later deployed under GLP. In this case, retrospective evaluation would be acceptable.

“Retrospective evaluation begins by gathering all historical records related to the computerized system. These records are then reviewed and a written summary is produced.”

If supplementary validation work is required this should be conducted and reported. Change Control Any modifications to the computerized system should be achieved by following a change control procedure. This procedure prescribes the method for evaluating the impact of the proposed change. A decision concerning the need for full or partial revalidation will be taken, and documented, after the impact analysis.

DOCUMENTATION

The OECD guide to GLP and computerized systems lists the documents typically required for the development, operation and maintenance of computerized systems. These are: Policies

“There should be written management policies covering, inter alia, the acquisition, requirements, design, validation, testing, installation, operation, maintenance, staffing, control, auditing, monitoring and retirement of computerized systems”

Application Description

For each application there should be documentation fully describing:

The name of the application software or identification code and a detailed and clear description of the purpose of the application.
The hardware (with model numbers) on which the application software
The operating system and other system software (e.g., tools) used in conjunction with the application.
The application programming language(s) and/or data base tools
The major functions performed by the application
An overview of the type and flow of data/data base design associated with the
File structures, error and alarm messages, and algorithms associated with the application
The application software components with version
Configuration and communication links among application modules and to equipment and other systems.

Standard Operating Procedures (SOPs)

Much of the documentation covering the use of computerized systems will be in the form of SOPs. These should cover but not be limited to the following:

Procedures for the operation of computerized systems (hardware/software), and the responsibilities of personnel involved.
Procedures for security measures used to detect and prevent unauthorized access and programme changes.
Procedures and authorization for programme changes and the recording of changes.
Procedures and authorization for changes to equipment (hardware/software) including testing before use if appropriate
Procedures for the periodic testing for correct functioning of the complete system or its component parts and the recording of these tests.
Procedures for the maintenance of computerized systems and any associated
Procedures for software development and acceptance testing, and the recording of all acceptance testing.
Back-up procedures for all stored data and contingency plans in the event of a
Procedures for the archiving and retrieval of all documents, software and computer

Source Code

Some OECD countries require the source code (human readable version of the program) to be made available to monitoring authorities. In this case, the test facility will usually have an agreement with the system vendor to allow inspectors to see the code if they so wish.