Introduction
This white paper summarizes how the Labfolder platform enables compliance with the requirements of the OECD Series on Principles of Good Laboratory Practice (GLP) and Compliance Monitoring.
As a quality assurance system, the GLP Principles have been introduced by the Organisation for Economic Co-operation and Development (OECD) with the intention to promote data quality and guarantee data integrity. Apart from other guidelines regarding quality research, the GLP Principles can be found in the member countries of the OECD (except USA and Japan) for non-clinical, chemical and agrochemical research testing studies.
In particular, the GLP principles intend to provide a secure research environment that protects raw data from manipulation during and after testing procedures and incorporates all organizational structures of research procedures. Therefore GLP not only regulates the personnel working in a laboratory or other research facility, but also applies to computerized systems and their device-specific requirements used for research purposes.
As a result, computerized systems like Labfolder have to provide validated services to ensure accuracy, reliability and consistent intended performance, including the ability to ensure data quality and integrity, protecting stored records against manipulation or loss.
Please note that this page contains only parts of the original white paper. The complete GLP compliance information is available free of charge as the full PDF version of this white paper.
Labfolder’s compliance with the GLP
Labfolder is a management software, used for the electronic analysis and management of research data across scientific disciplines. For a computerized system with integrated archive facilities like Labfolder, the provision of services that are compliant with the GLP Principles is of utmost importance.
The Labfolder system has considered the GLP Principles during its development phase and continues to incorporate the regulations within its system life cycle to ensure continuous quality, integrity and security of research data stored in the electronic archive facilities.
Since adherence to GLP is not exclusively based on the software system itself but also depends on procedural controls (such as SOPs, well trained personnel, physical conditions of research facilities) within a laboratory or other research organizations using electronic management systems for research purposes, a software system cannot be certified to be compliant (and any software vendor claiming GLP-compliance is incorrect!). However, software vendors can offer a system which meets the technical requirements for computerized systems and the management of electronic records set by the OECD in a compliant set-up.
The following section gives a brief summary of how the Labfolder system complies with selected GLP Principles that are relevant for software systems used in laboratories or other research institutions. The Labfolder system provides a secure, GLP-compliant environment for research data by employing the following features:
Security
Labfolder incorporates state of the art enterprise security – both logical and physical – to protect research data, including:
- Access control: Password complexity requirements
- Back-up power: Daily back-ups of records
- High-security data center: Offsite back-ups on redundant servers with TÜV approved data security and ISO 27001 certificate for excellent data security
- Strict network firewalls: System access only allowed for verified IP addresses
- Multiple encryption: Storage encryption, encrypted communication and encryption during uploads and downloads
- System check-ups: System scanning and monitoring routines
- IT updates: Regular security and functionality updates
- Business infrastructure: Validation plan and continuity and disaster recovery procedures
- Physical protection programme: Secure data centre with regular stress testing of the infrastructure, climate protection procedures (e.g. fire, water or other natural disasters), the provision of redundancies and emergency management
Confidentiality
The Labfolder system employs procedures that keep all stored records protected from disclosure to unauthorized parties, including:
- Admission control: Limited access to data only for account owner and authorised persons
- Data encryption: Encryption for identifiable data during uploads/downloads, transfer and storage
- Secure Storage: Separate security locations on redundant servers with various security procedures in place (both physical and logical)
- Safe disposal: of data and media
- Confidentiality Agreement: Records Management Section for staff working with sensitive research data, well trained personnel and internal security training
Authenticity
Labfolder guarantees the reliability of data transfers and the information exchange within research networks through:
- Multi-level authentication processes: Login/password combination and access rights management
- Secure user identification: Identification needed to access and to manage data
- Electronic signatures: Sign and witness functions for digital data
- Migration plan: Secure data transfer with encrypted coding
Integrity
Labfolder provides comprehensive protection of research data from unauthorised access and changes through:
- Access control: Restricted management rights to ensure data quality in a regulated environment
- Authority checks: Limited access to authorized individuals only
- Full audit trail: All activities within the system will be recorded
- Version control: Recording and monitoring of all activities, including IT related processes
- Logged data: Uploads and downloads are logged and “hashed” to verify data integrity
- Timestamps: Records and changes are provided with a system-created timestamp, recording person, date and time
- Electronic signatures: Option to sign and witness electronic documents
- Secure data transfer: Migration plan with encrypted coding
- Data retention: Long term retention of electronic records for at least 3 years until deleted by account owner
- Data availability: Stored records are available for collection, inspection and review by the agency/reviewing body
- Data deletion: Deletion of records can be controlled and prohibited by organizational policy
- Standard Operation Procedures: SOPs to ensure optimal system performance and uninterrupted services, including validation, operation and maintenance
This white paper summarizes the sections of the OECD Series on Principles of Good Laboratory Practice (GLP) and Compliance Monitoring regulations which are relevant to electronic systems like Labfolder, and points out the Labfolder implementation that meets these technical requirements.
In addition to the selected GLP Principles (No 1, 10 and 15), there are several sections of the GLP regulations that do not apply (test sites and physical archives only) to the system and services provided by Labfolder.
However, this document does not give detailed information on GLP, nor does it provide legal advice for full compliance. The full text of GLP can be found on the OECD website.
OECD Principles of Good Laboratory Practice
SECTION II GOOD LABORATORY PRACTICE PRINCIPLES
3. Facilities
3.4 Archive Facilities
Archive facilities should be provided for the secure storage and retrieval of study plans, raw data, final reports, samples of test items and specimens. Archive design and archive conditions should protect contents from untimely deterioration.
Labfolder implementation: As an archive facility Labfolder aims to support the promotion of quality test data, providing a powerful research tool that ensures a sound and reliable approach to the management of research studies.
In terms of data security, the Labfolder infrastructure employs redundant servers, daily back-ups and encrypted communication between any device in use and the Labfolder cloud, providing bank level security for all records. Strict access control with a login/password combination and an automated audit trail with system-created timestamps further protects all stored content.
In case of closure, the system also provides a business continuity and disaster recovery plan, including the safe transfer of records to a new archive facility. Labfolder offers long term retention of electronic records, with secure storage of records for three years beyond the subscription period unless explicitly deleted by the account owner. Deletion of records can be controlled by management rights control and prohibited by organizational policy.
4. Apparatus, material and reagents
- Apparatus, including validated computerised systems, used for the generation, storage and retrieval of data, and for controlling environmental factors relevant to the study should be suitably located and of appropriate design and adequate capacity.
- Apparatus used in a study should be periodically inspected, cleaned, maintained, and calibrated according to Standard Operating Procedures. Records of these activities should be maintained. Calibration should, where appropriate, be traceable to national or international standards of measurement.
- Apparatus and materials used in a study should not interfere adversely with the test systems.
Labfolder implementation:
to (1): As a validated computerised system, Labfolder uses redundant servers that are located in Germany. These servers operate under the strictest international data protection laws.
to (2): As part of the Labfolder IT development cycle, the Labfolder system undergoes regular system scanning and monitoring, according to national and international standards. These scheduled unit and integration tests also include all newly integrated features, with the continuous integration system running the whole test suite on any code change. The dedicated test system is an exact copy of the original production system. Records of these test inspections are kept for further review.
to (3): Labfolder does not interfere adversely with the test system. The Labfolder system is designed to support research projects.
Continue reading on full PDF version.
GLP Consensus Document
The Application Of The Principles Of GLP To Computerised Systems Environment Monograph No 116
The following considerations will assist in the application of the GLP Principles to computerised systems outlined above:
1. Responsibilities
- Management of a test facility has the overall responsibility for compliance with the GLP Principles. This responsibility includes the appointment and effective organisation of an adequate number of appropriately qualified and experienced staff, as well as the obligation to ensure that the facilities, equipment and data handling procedures are of an adequate standard.
Management is responsible for ensuring that computerised systems are suitable for their intended purposes. It should establish computing policies and procedures to ensure that systems are developed, validated, operated and maintained in accordance with the GLP Principles.
Management should also ensure that these policies and procedures are understood and followed, and ensure that effective monitoring of such requirements occurs. Management should also designate personnel with specific responsibility for the development, validation, operation and maintenance of computerised systems. Such personnel should be suitably qualified, with relevant experience and appropriate training to perform their duties in accordance with the GLP Principles.
Labfolder implementation: This principle lies beyond the scope of Labfolder and is the sole responsibility of the respective management unit of a test facility. However, as an archive facility and powerful research tool the Labfolder system supports the promotion of quality test data and offers a reliable management facility for research studies.
Overall, the Labfolder system is developed, validated, operated and maintained in accordance with the GLP Principles. Amongst other principles our management ensures that all Labfolder personnel are qualified and experienced in regards to software development and laboratory research. Our Labfolder IT personnel are well trained in the fields of software design, implementation of cryptographic methods and regulations. Labfolder personnel who are not familiar with the system and the requirements are provided with manuals and training.
Due to regular check-ups and maintenance work the Labfolder system is kept in adequate condition.
- Personnel. All personnel using computerised systems have a responsibility for operating these systems in compliance with the GLP Principles. Personnel who develop, validate, operate and maintain computerised systems are responsible for performing such activities in accordance with the GLP Principles and recognized technical standards.
Labfolder implementation: All Labfolder personnel are qualified and experienced in regards to software development and laboratory research. The Labfolder IT personnel are well trained in the fields of software design, implementation of cryptographic methods and regulations, including GLP compliance. For all personnel using the Labfolder system, Labfolder provides guidelines and training to ensure compliance with the GLP Principles.
- Quality Assurance (QA) responsibilities for computerised systems must be defined by management and described in written policies and procedures. The quality assurance programme should include procedures and practices that will assure that established standards are met for all phases of the validation, operation and maintenance of computerised systems. It should also include procedures and practices for the introduction of purchased systems and for the process of in-house development of computerised systems. Quality Assurance personnel are required to monitor the GLP compliance of computerised systems and should be given training in any specialist techniques necessary. They should be sufficiently familiar with such systems so as to permit objective comment; in some cases the appointment of specialist auditors may be necessary. QA personnel should have, for review, direct read-only access to the data stored within a computerised system.
Labfolder implementation: However, Labfolder incorporates a Quality Assurance (QA) Programme, assuring that established policies and procedures are maintained at all stages of system operation. In order to guarantee GLP-compliance, designated QA personnel monitor the Labfolder system on a regular basis. Labfolder also provides training and manuals to all personnel not familiar with the GLP Principles.
2. Training
The GLP Principles require that a test facility has appropriately qualified and experienced personnel and that there are documented training programmes including both on-the-job training and, where appropriate, attendance at external training courses. Records of all such training should be maintained.
The above provisions should also apply for all personnel involved with computerised systems.
Labfolder implementation: This principle is partly beyond the scope of Labfolder, being part of the responsibilities by the Quality Assurance Unit provided by the institution using the Labfolder system for research purposes.
However, all Labfolder personnel are qualified to perform assigned tasks in accordance with the GLP Principles. The Labfolder management as well as the IT personnel are both well trained in reference to set regulations. Team members who are not familiar with the system and the requirements are provided with manuals and specific training courses by Labfolder.
3. Facilities and equipment
Adequate facilities and equipment should be available for the proper conduct of studies in compliance with GLP. For computerised systems there will be a number of specific considerations:
- Facilities
Due consideration should be given to the physical location of computer hardware, peripheral components, communications equipment and electronic storage media. Extremes of temperature and humidity, dust, electromagnetic interference and proximity to high voltage cables should be avoided unless the equipment is specifically designed to operate under such conditions.
Consideration must also be given to the electrical supply for computer equipment and, where appropriate, back-up or uninterruptable supplies for computerised systems, whose sudden failure would affect the results of a study. Adequate facilities should be provided for the secure retention of electronic storage media.
Labfolder implementation: All redundant Labfolder servers are exclusively located in Germany and operate under regulated EU and German data security and privacy laws. The data centre employs a specific climate management plan with an optimal cooling system, power supply with dual protection and emergency generators, and a planned network infrastructure to handle high volume of traffic.
With regular maintenance procedures scheduled, including system scanning and monitoring, Labfolder ensures optimal system operation and performance under any conditions and circumstances, reducing the likelihood of an unexpected breakdown and, as a consequence, loss of data. In addition, daily back-ups guarantee maximum data safety and secure storage facilities. Even in the case of a possible device failure or other incidents, the Labfolder system provides for the secure retention of all stored data.
- Equipment
- Hardware and Software
A computerised system is defined as a group of hardware components and associated software designed and assembled to perform a specific function or group of functions.
Hardware is the physical components of the computerised system; it will include the computer unit itself and its peripheral components.
Software is the programme or programmes that control the operation of the computerised system.
All GLP Principles which apply to equipment therefore apply to both hardware and software.
Labfolder implementation: Labfolder is a software that allows its clients to archive, manage and share research data. The Labfolder system offers web applications for all major browsers and operating systems via selected networks. In reference to peripheral components, Labfolder employs a high-tech data centre for back-up and redundant storage, providing the following services for the secure retention of electronic storage media:
- Connection to multi-redundant, carrier-neutral 75 Gbit/s internet backbone
- Uninterruptible Power Supply (n+1 UPS) and redundant power supply
- Climate management and air conditioning (n+2)
- Argon fire extinguishing facility with early warning system
- Fire/alarm control panel
For all hardware devices used to run the Labfolder software the sole responsibility lies with the owner/operator/user.
- Communications
Communications related to computerised systems broadly fall into two categories: between computers or between computers and peripheral components.
All communication links are potential sources of error and may result in the loss or corruption of data. Appropriate controls for security and system integrity must be adequately addressed during the development, validation, operation and maintenance of any computerised system.
Labfolder implementation: Labfolder applies encrypted communication between any device in use and the Labfolder cloud. The encryption via SSL (256-bit) ensures maximum data security, anytime and anywhere. Automated system scans and monitoring procedures during the system life-cycle are in place to prevent interruptions and failure of service, simultaneously guaranteeing a reliable and secure business continuity of Labfolder.
Establishment and Control of Archives
4. Roles and Responsibilities
4.3 Archive Contracting Facility
If a sponsor or test facility management uses a contract archive for the storage of records and/or materials for a GLP study, the contracting parties should ensure compliance with the relevant sections of the Principles of GLP.
Labfolder implementation: The Labfolder system presents an archive contracting facility, supporting documentation, archiving processes and management of quality test data. Labfolder operates in compliance with GLP Principles and provides a reliable research tool for the management of sensitive research data. Amongst other procedures, the Labfolder system generates a full audit trail and records all activities related to stored entries, including up- and downloads of data as well as changes to existing records. In terms of data security and integrity, Labfolder relies on encrypted communication, redundant servers and daily back-ups, all procedures that ensure maximum data safety and integrity. Additionally, access control with a login/password combination and restricted management rights further ensure GLP-compliance.
4.8 Information Technology (IT) Personnel
IT personnel involved in archiving operations (such as ensuring integrity of electronic records) should be adequately trained and their activities should conform to GLP requirements. Since activities pertaining to archiving are the primary responsibility of the archivist, these IT personnel ideally should work under the direction and supervision of the archivist. Because it is recognised that such organisational structures are not feasible in modern companies, the co-operation between the archivist and IT personnel should be ensured in other ways, for instance in SOPs or written service level agreements.
Labfolder implementation: Labfolder employs IT personnel for all archiving operations and software development procedures. All IT personnel are well trained and experienced in the fields of software design and implementation of cryptographic methods, with all actions being compliant with GLP. New team members obtain hands-on training sessions and training manuals, including an introduction to the GLP Principles (as pointed out in GLP No. 10, 1 a&d).
5. Archive Facilities
The archive facility should be suitably designed and constructed to accommodate the archived records and materials. This may be one or more buildings, rooms, safes or lockable cabinets or other locations that provide suitable security. The archive facility should be physically secure to prevent unauthorised access to the retained records and materials. The use of locks or electronic entry systems is required. The components that provide storage of unique electronic records should also be physically secure. The computerised archive facility should have processes to prevent unauthorised access and virus protection.
The building(s) or room(s) that house the archive should be constructed to withstand the elements of local weather, etc. Consideration may need to be given to specific local conditions such as a risk of flooding. The archive design should protect the contents from untimely deterioration for example by leakage of running water pipes in the archive areas. The risk of fire and explosion should be minimised. In most circumstances it will be necessary that an automated fire and/or smoke detection system be installed. Management may also consider an automated fire suppression system that minimises the risk of damage. If there is a risk of flooding, a water detector and/or water drain should be considered.
The archive facility should be designed to prevent the entry of rodent and insect pests. Where appropriate, pest control procedures should be in place.
Where necessary, back-up electrical power should be provided for all temperature-critical equipment (e.g., refrigerators and freezers).
Labfolder implementation: This principle is beyond the scope of the electronic software system provided by Labfolder and applies only to physical archives. However, Labfolder can provide guidelines and training for clients to ensure compliance.
As a provider of computerised archive facilities for research data, Labfolder ensures that all entered data is kept safe and secure – without loss or deterioration. The Labfolder system presents a centralised, secure repository for the storage and retrieval of scientific data and employs several safety procedures and processes for virus protection and to prevent unauthorised access. In compliance with the GLP Principles, Labfolder controls data management and modifications, recording all logins and logouts in an audit trail. In case of system-failure, Labfolder
5.1 Archive Conditions
Storage conditions should be designed to preserve and not adversely affect the quality and integrity of retained records and materials. Special storage conditions may be required to maintain the integrity of some retained record(s) and material(s) for the specified retention period(s). For example, it might be appropriate to store wet tissues, blocks and reserve samples of test items separate from paper and histology slides.
Special storage conditions may be required for particular materials. Examples are materials required to be stored frozen, refrigerated, desiccated, etc., or free from dust or magnetic interference in the case of electronic media. The need for special storage conditions should be defined in relevant test facility Standard Operating Procedures.
If special storage conditions have been defined, environmental monitoring procedures should be implemented within archive storage areas to confirm that specified conditions of storage are being achieved. Where continuous (automated) monitoring systems are used (which may also act as alarms that are activated in the event that defined conditions are outside specified limits), these systems should be regularly maintained, tested, and verified, and records thereof retained, as required by the Principles of GLP.
Labfolder implementation: This principle is beyond the scope of the electronic software system provided by Labfolder and applies only to physical archives. However, Labfolder can provide guidelines and training for clients to ensure compliance.
As an electronic repository for research data, Labfolder stores all entered records on a secure cloud and redundant servers. Strict security measures ensure maximum data protection and integrity. With monitoring procedures scheduled on a regular basis, the Labfolder system guarantees excellent storage conditions as previously pointed out in GLP No 1, 6c, 3.4, 7, 10 and No 10, 3a, 4 and 6.
5.2 Disaster Recovery
Test facilities and contract archives should have procedures in place to minimise damage to archived records and materials caused by adverse events. Some of the more common adverse events to be considered include fire, electrical failure, extreme weather-related damage, flooding, theft, and sabotage.
The procedures may cover protective measures that may be implemented, as well as the recovery and/or restoration of lost or damaged records and materials and re-establishment of security. The plan should include useful and emergency contacts, the location of necessary equipment, and the records that should be made (e.g., documentation of the event and the steps taken to resolve and/or restore).
Labfolder implementation: Labfolder employs a specific Disaster Recovery Programme with measures to be taken in the event of partial or total failure of the Labfolder system. The Labfolder Contingency Plan is well documented, validated and ensures continued data integrity that will not compromise the research project. The allocated procedures for the recovery depend on the criticality of the system, but it is essential that back-up copies of all software are maintained. Labfolder informs all clients about the Disaster Recovery Programme before the initial sign-up to the electronic lab notebook. Disaster recovery is also pointed out in detail in GLP No 1,7 and No 10, 4.
6. Security
6.1 Physical and Operational Security
The archive facility should be both physically and operationally secure to prevent unauthorised access and changes to or loss of retained records and materials. Test facility management should ensure security by implementing appropriate measures that should be described in the test facility’s SOPs.
The security controls necessary to restrict access to electronic records will usually be different from those applied to other record types. Since many electronic storage media can be re-used (e.g. overwritten), measures should be implemented to ensure that records cannot be altered or deleted.
Labfolder implementation: A wide array of security procedures is used to protect all research data stored in Labfolder’s archive facilities from corruption or unauthorised access, modification or loss. Corruption of hardware and software by viruses or other malicious agents is also covered by the operational security procedures employed by Labfolder. All security measures are described in the SOPs as pointed out under GLP No 1,7 and No 10, 6.
As an electronic repository for digital data, Labfolder implements specific security measures to prevent unauthorized manipulation of records. In order to maintain data integrity and provide maximum data protection, access to Labfolder requires authentication via a unique login/password combination. Access to records – including alteration and deletion – can be controlled, granted and revoked anytime by the author or organization which controls and owns these records.
For all physical security aspects of the test facility, the respective Test Facility Management is responsible to ensure GLP compliance.
6.2 Access to the Archive
With normal archive operations, access to the archive should be controlled by and restricted to the archivist and archive staff. For emergency access (especially during off-hours or for safety reasons), emergency personnel may enter and/or operate the archive unaccompanied. Otherwise visitors should be accompanied by the archivist or a member of the archive staff. The procedures for access to archive storage areas should be documented. The record of such visits should be retained. For electronic archives the above mentioned restrictions might not be applicable, but as a minimum deletion or alteration of electronic records in electronic archives should be avoided. Management might authorise read-only access on electronic records to a broader community.
Labfolder implementation: As an electronic archive Labfolder provides a centralised, secure repository for the storage and retrieval of scientific data. All entries as well as changes to existing records are tracked in a full audit trail and obtain a timestamp provided by the server-system which cannot be manipulated by others. The deletion of documents is possible after authorization, and can be further controlled by granting restricted access rights by organizational policy.