GxP Compliance¶
Configure GxPSign for FDA 21 CFR Part 11 and other regulatory compliance.
What is GxP?¶
GxP refers to "Good Practice" regulations in life sciences:
- GMP - Good Manufacturing Practice
- GLP - Good Laboratory Practice
- GCP - Good Clinical Practice
GxPSign is designed to meet GAMP5 Level 3 requirements for computer systems used in regulated environments.
Enabling GxP Mode¶
Prerequisites¶
Before enabling GxP compliance:
- Ensure your plan includes the required features
- Configure a signing certificate
- Train users on compliance requirements
Enable GxP Compliance¶
- Go to Settings > Organization
- Find GxP Settings
- Check Enable GxP Compliance
- Select your Qualification Status
- Click Save
GxP Features¶
When GxP mode is enabled, the following features activate:
Signature Meaning Required¶
Every signature must include a meaning:
| Meaning | FDA Requirement |
|---|---|
| I have reviewed and approved | Approval signature |
| I attest to the accuracy | Data verification |
| I have performed the work | Work completion |
| I have witnessed the activity | Witnessing |
| I have verified the information | Verification |
| I authorize the release | Authorization |
Enhanced Audit Trails¶
All actions are logged with:
- User identity
- Timestamp (server time)
- IP address
- User agent
- Action description
- Before/after values for changes
Re-Authentication¶
Configurable password re-entry for:
- Multiple signatures in a session
- Sensitive operations
- Extended sessions
Document Integrity¶
- SHA-256 hash calculated on upload
- Hash verified before signing
- Digital signatures with timestamps
- Long-term validation (LTV) data
Qualification Status¶
Qualification Levels¶
| Status | Description |
|---|---|
| Not Qualified | System not yet validated |
| IQ Completed | Installation Qualification done |
| OQ Completed | Operational Qualification done |
| PQ Completed | Performance Qualification done |
| Fully Qualified | All qualifications complete |
Setting Qualification Status¶
- Go to Settings > GxP Settings
- Select the appropriate Qualification Status
- Click Save
Documentation Required
Maintain qualification documentation separately. GxPSign tracks status but doesn't generate qualification documents.
Re-Authentication Settings¶
Purpose¶
Re-authentication ensures the person signing is who they claim to be, even in shared computer environments.
Configuration¶
- Go to Settings > GxP Settings
- Enable Re-authentication Required
- Set Timeout Minutes (default: 15)
- Click Save
How It Works¶
- User signs their first document normally
- Authentication is cached for the timeout period
- For additional signatures within timeout: no re-auth needed
- After timeout expires: password re-entry required
Recommended Settings¶
| Environment | Timeout |
|---|---|
| Shared workstations | 5-10 minutes |
| Personal computers | 15-30 minutes |
| High-security | 0 (always re-authenticate) |
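The timeout behaviour described under How It Works, including the `0` (always re-authenticate) setting, can be modelled as follows. This is an added example, not GxPSign code: the `SigningSession` class, the function names and the timeline are hypothetical, and it assumes the window is anchored at the last password check and counts as expired at exactly the timeout.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class SigningSession:
    """Hypothetical per-user state; not a GxPSign data structure."""
    user: str
    last_auth: Optional[datetime] = None  # server time of last password check


def needs_reauth(session, timeout_minutes, now):
    """True when the password must be re-entered before the next signature."""
    if timeout_minutes < 0:
        raise ValueError("timeout must be zero or positive")
    if session.last_auth is None or timeout_minutes == 0:
        return True  # never authenticated, or "0 (always re-authenticate)"
    age = now - session.last_auth
    if age < timedelta(0):
        return True  # server clock stepped backwards: fail closed
    # Assumption: the cache counts as expired at exactly the timeout.
    return age >= timedelta(minutes=timeout_minutes)


def authorize_signature(session, timeout_minutes, now, password_verified=False):
    """Allow one signature; a fresh password check restarts the window."""
    if password_verified:
        session.last_auth = now
        return True
    return not needs_reauth(session, timeout_minutes, now)


def replay(timeout_minutes, events):
    """Run (minute_offset, password_verified) events; return allow/deny list."""
    start = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed
    session = SigningSession(user="analyst@example.com")
    return [
        authorize_signature(session, timeout_minutes,
                            start + timedelta(minutes=m), pw)
        for m, pw in events
    ]


# Constructed timeline: password entered at minutes 0 and 16, not otherwise.
TIMELINE = [(0, True), (5, False), (14, False), (15, False), (16, True), (20, False)]
```

Replaying `TIMELINE` with the timeout a site has configured shows which signing attempts should prompt for a password, which is a useful reference when testing that the setting behaves as expected.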
21 CFR Part 11 Compliance¶
Electronic Signatures¶
GxPSign provides:
| Requirement | Implementation |
|---|---|
| Unique to one individual | Email-based identity |
| Not reused or reassigned | User accounts are unique |
| Contain identifying information | Signature includes name, date, meaning |
| Only used by genuine owner | Password-protected accounts |
Electronic Records¶
GxPSign ensures:
| Requirement | Implementation |
|---|---|
| Accurate and complete copies | PDF documents with all signatures |
| Protected throughout retention | Encryption at rest and in transit |
| Limited system access | Role-based access control |
| Audit trails | Comprehensive event logging |
| Sequence of entries | Immutable, timestamped records |
Controls¶
| Requirement | Implementation |
|---|---|
| Operational checks | Validation of signature authority |
| Authority checks | Role-based permissions |
| Device checks | Re-authentication requirements |
| Personnel qualifications | Training status tracking |
Document Types¶
GxP Critical Documents¶
Documents that directly impact product quality or patient safety:
- Batch records
- Deviation reports
- CAPA documents
- Validation protocols
- Release certificates
Settings:
- Signature meaning required
- Full audit trail
- Re-authentication (if enabled)
- Long-term archival
GxP Non-Critical Documents¶
Documents with less regulatory impact:
- Meeting minutes
- Training records
- General procedures
Settings:
- Signature meaning required
- Audit trail maintained
- Standard retention
Audit Trail¶
Accessing Audit Logs¶
- Go to Settings > Audit Log
- Filter by date, user, or action type
- Export as needed
Logged Events¶
| Event | Details Captured |
|---|---|
| Sign-in/Sign-out | User, time, IP, success/failure |
| Document upload | User, time, file hash, metadata |
| Document view | User, time, document ID |
| Signature applied | User, time, meaning, field ID |
| Request created | User, time, document, signers |
| Settings changed | User, time, old value, new value |
Audit Log Protection¶
- Logs are append-only (cannot be modified)
- Logs are retained according to policy
- Access to logs is controlled by role
Training Management¶
Training Status¶
Track user training status:
- Go to Settings > Users
- Click on a user
- Update Training Status
Training Statuses¶
| Status | Meaning | Action Needed |
|---|---|---|
| Pending | Not started | Schedule training |
| In Progress | Currently training | Monitor completion |
| Completed | Training verified | None |
| Expired | Renewal needed | Schedule refresher |
Training and Signing¶
Best Practice
Consider preventing users with "Pending" or "Expired" training from signing GxP-critical documents.
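A pre-signing gate combining three controls from this page (required signature meaning, SHA-256 hash verified before signing, and the training recommendation above) could look like the sketch below. It is an added example, not GxPSign's implementation: the `SignRequest` fields, the function name and the sample data are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Meanings and training statuses copied from the tables on this page.
ALLOWED_MEANINGS = {
    "I have reviewed and approved",
    "I attest to the accuracy",
    "I have performed the work",
    "I have witnessed the activity",
    "I have verified the information",
    "I authorize the release",
}
BLOCKING_TRAINING = {"Pending", "Expired"}


@dataclass
class SignRequest:
    """Hypothetical request shape; field names are assumptions."""
    user: str
    training_status: str
    meaning: str
    gxp_critical: bool
    upload_sha256: str  # hex digest recorded at upload
    content: bytes      # bytes about to be signed


def presign_violations(req: SignRequest) -> list[str]:
    """Return every reason to refuse the signature; empty list means proceed."""
    problems = []
    if req.meaning not in ALLOWED_MEANINGS:
        problems.append("signature meaning missing or not in the configured list")
    current = hashlib.sha256(req.content).hexdigest()
    # compare_digest avoids leaking where the two digests first differ.
    if not hmac.compare_digest(current, req.upload_sha256.lower()):
        problems.append("document hash differs from the hash recorded at upload")
    if req.gxp_critical and req.training_status in BLOCKING_TRAINING:
        problems.append(f"training status is {req.training_status}")
    return problems


# Constructed sample data, not real documents or users.
ORIGINAL = b"%PDF-1.7 constructed batch record"
UPLOAD_HASH = hashlib.sha256(ORIGINAL).hexdigest()
ok = SignRequest("qa.lead@example.com", "Completed", "I authorize the release",
                 True, UPLOAD_HASH, ORIGINAL)
bad = SignRequest("new.hire@example.com", "Pending", "",
                  True, UPLOAD_HASH, ORIGINAL + b" edited")
```

Collecting all violations instead of stopping at the first gives the audit trail a complete record of why a signature was refused.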
Validation Support¶
System Validation¶
GxPSign provides supporting documentation for validation:
- Functional specifications
- User requirements
- Test protocols
- Traceability matrix
Contact support for validation packages.
Ongoing Validation¶
Maintain validation through:
- Regular system reviews
- Change control procedures
- Periodic testing
- User training updates
Best Practices¶
- Enable early - Set up GxP mode before production use
- Train users - Ensure all users understand compliance requirements
- Document everything - Maintain qualification and validation records
- Regular audits - Review audit logs periodically
- Keep training current - Track and update training status
- Test re-authentication - Verify timeout settings work as expected
- Review access - Regularly audit user permissions