Regulations regarding chemical software and data can be intimidating. What is software validation? How does that relate to Good Laboratory Practices (GLP) and Good Manufacturing Practices (GMP)? It all begins to sound like legal mumbo jumbo.

Luckily, we can help demystify GXP. Dr. Karim Kassam has helped many clients implement ACD/Labs software in regulated environments. In this episode, he will answer common questions about how these different forms of regulation fit together.


00:01  Sarah Srokosz

I know it’s past Halloween, but we have something to share with you today that spooks a lot of scientists.

00:07  Jesse Harris

Data regulation.

00:09  Sarah Srokosz

That’s right. Researchers working in GLP and GMP environments can get pretty anxious or freaked out about software validation or 21 CFR Part 11 Compliance.

00:20  Jesse Harris

Maybe you were one of those scientists who got scared by these topics. Or maybe you don’t even know what GLP and GMP stand for. Either way, this episode is for you.

00:29  Sarah Srokosz

Hi, I’m Sarah.

00:31  Jesse Harris

I’m Jesse. And we’re the hosts of the Analytical Wavelength, brought to you by ACD/Labs. In today’s episode, we wanted to demystify the regulations surrounding data and chemistry software.

00:43  Sarah Srokosz

For those of you who don’t already know, GLP and GMP stand for ‘good laboratory practice’ and ‘good manufacturing practice’, respectively. These topics are often grouped alongside those from other industries under the acronym GXP. These good practices are guidelines and requirements to ensure a product is safe and meets its intended use.

01:06  Jesse Harris

GLP affirms the quality and integrity of non-clinical laboratory studies in the development of products relevant to human and animal health, while GMP ensures that this quality is maintained from batch to batch once in production.

01:22  Sarah Srokosz

Up until the early 1970s, procedures for non-clinical safety studies were left up to the laboratory conducting them. And while many employed principles similar to what we now know as GLP, there was little to no oversight from regulators. In 1972, New Zealand and Denmark were the first to formally implement GLP.

01:44  Jesse Harris

A few years later, several cases of fraudulent data being submitted to regulatory agencies in the United States and Canada resulted in a number of pharmaceuticals and pesticides being pulled from the market. This led to the adoption of federal GLP regulations. In the U.S. these regulations are set out in Title 21 of the Code of Federal Regulations, which is commonly referred to as 21 CFR.

02:10  Sarah Srokosz

Since then, GXP has been adopted as law in most of the industrialized world for organizations developing, producing and testing a long list of products such as pharmaceuticals, medical devices, food additives and packaging and even electronics.

02:27  Jesse Harris

And then we know what you’re thinking. As interesting as this is, what does any of this have to do with software? Well, the principles of GXP have remained fairly consistent over the years. They are continually updated to include new scientific activities and tools such as computers and the software that runs on them.

02:46  Sarah Srokosz

Because these regulations now cover so much, it’s no wonder researchers feel overwhelmed. But that’s why today we are talking with Karim Kassam, senior director of Customer Success at ACD/Labs. He is our resident GXP expert with years of experience helping our partners implement ACD/Labs software in regulated environments and allowing researchers to focus on what they do best, the science.

03:30  Jesse Harris

Hi, Karim. How are you doing today?

03:33  Karim Kassam

I’m doing very well. How are you doing, Jesse?

03:35  Jesse Harris

Doing very well. Staying busy. Staying busy. So, yeah, I wanted to start off by asking you our go-to icebreaker question. What is your favorite chemical?

03:43  Karim Kassam

That is interesting. So I thought long and hard about this and I’d have to say serotonin; dangerous, feel good drug.

03:51  Sarah Srokosz

Can I ask why is it serotonin versus any of the other neurotransmitters?

03:57  Jesse Harris

Ah, so there is… That’s a good question because I don’t really know why I picked that one. But the reason why I said that one is because you asked me for my favorite chemical. And the reason why I said serotonin is lately, over the past few years, I’ve become interested in learning more about neuroscience. As you guys know, it’s an emerging field aimed to better understand how the mind works and human behavior in general.

So there’s a lot of chemical messengers, as you know they’re called, neurotransmitters. And these are responsible for many functions within the mind and the body and communication within the brain. And serotonin, which is one of the more popular ones, it’s been known to dramatically influence many human functions, such as mood, sleep patterns… There’s also some evidence that it can even help you live longer.

And what I find really interesting is serotonin is such a simple chemical, but it’s responsible for influencing an incredibly complex set of biological processes. And we’re just beginning to start… beginning to understand all the different ways that it can influence human behavior. And so I’ve been interested in knowing more about that and reading up on various aspects of it.

05:16  Jesse Harris

Yes, of course. It’s a really complicated field. But another complicated field, of course, is good laboratory practices and good manufacturing practices, or GLP and GMP, which is what we brought you on here to talk about today. This is an area that I think that people who are working in industry probably know at least some amount about.

But maybe there are people who are in academia who haven’t been as exposed to this. Can you give us like a general introduction about like who this applies to and why they are using GLP and GMP?

05:50  Karim Kassam

Sure, sure. GLP and GMP fall under the umbrella term of GXP, which are quality guidelines used by regulatory bodies to ensure that a product is safe and meets intended use.

Both GLP and GMP are similar in that they have to do with laboratory testing and it’s relevant to industries such as food, drug, medical devices, cosmetics. Now GLP guidelines are designed to protect scientific data integrity and are used in the context of research and development. GMP, on the other hand, GMP guidelines are used in the context of product manufacturing.

So many regulatory bodies, such as the Environmental Protection Agency, the EPA, the Food and Drug Administration, FDA, these are in the US; Health Canada, European Medical Association. They follow GMP or GLP guidelines and/or very closely related guidelines.

06:56  Sarah Srokosz

So is GXP the same everywhere or are there some differences based on the region that you’re located in?

07:06  Karim Kassam

I’m not sure about the details, but overall, GLP and GMP guidelines are adhered to across different regions, at least for the most part. For example, the EPA, the Environmental Protection Agency, and the FDA, the Food and Drug Administration in the U.S. follow GMP and GLP guidelines. So does Health Canada. The European Medical Agency also does. Other countries may have slight variations, but from what I understand, they are very closely related to the official GMP and GLP guidelines.

07:42  Jesse Harris

Yeah. So GXP then is a pretty large topic covering a lot of different activities. But we specifically, we want to talk to you today about how this applies to data and software. Why is this a part of GXP regulation?

07:59  Karim Kassam

As mentioned before, GXP guidelines are meant to ensure the consumer that the product that they’re using will be safe. GXP requirements around data and software ensure that the data which is used to make important scientific and safety decisions is stored in a software system that can be audited if necessary and cannot be tampered with, so that the output of your data analysis is accurate.

08:29  Sarah Srokosz

Before you even reach GXP, with respect to software, you have kind of this lower threshold of software validation. So what does it mean for software to be validated?

08:43  Karim Kassam

Okay. So the FDA defines validation as confirmation by examination and provision of objective evidence that software specifications conform to user needs and intended use in their environment. So essentially, in short, it’s telling you that the software should do what the user needs it to do within their environment, within certain metrics. So companies will evaluate the software to make sure that it’s giving them the results that they expect.

They may also choose to audit software vendors to ensure that the vendor has a quality management system in place and their software is developed using procedures that are well documented. And they follow rigorous quality procedures. The process of software validation, from what we’ve been involved in, requires a company to perform installation qualifications, operation qualifications, and performance qualifications. So these are all documents that have to be filled out to document that the software has been installed correctly and is operating within their environment.

And this is the key point. When you’re doing these IQ, OQ, PQ scripts that you have to make sure that you do them within your environment and not, you know, as the software comes from the vendor, it has to be qualified once it’s in your environment and installed.

10:14  Jesse Harris

Okay. So that’s with software validation. So how is that different than GXP? What features of software are necessary for something to be compliant?

10:25  Karim Kassam

So one of the predicate rules of GXP is validation. So for a software to be GXP compliant, it has to be validated first, and then it requires a number of software features to allow it to be installed within a GXP environment. One of those things is an audit trail, and this audit trail needs to be created at the point in time when a record is first saved to durable media. The audit trail must contain the date and time stamp of any change if it was made, the description of the change, the reason for the change, and the name of the person who makes the change. An audit trail must not obscure previous values, so an old value that was there previously must still be visible. And then the new value is displayed for the user.

This software system must have specific user accounts so you can’t share one account across several people. The software has to have forward compatibility of all the files that are generated within the software. So next year, if a vendor comes up with a new version of the software, it must be able to read files that were generated in the previous versions. And all records, including the audit trail, must be protected from tampering.

11:50  Sarah Srokosz

Okay, so that’s GXP. And so if we go kind of one level further in the U.S. at least, there are additional regulations set out in 21 CFR Part 11, which is set by the FDA. How did those regulations then differ from GXP?

12:10  Karim Kassam

Okay. So part 11 functionality requires all the predicate rules, as I said before, what we’re talking about GXP. So now part 11 capability has to have the software that’s validated and has to have all of the functionality of GXP validated software. In addition, for part 11 functionality, it requires the ability to generate an electronic signature within the software. And this is typically used when the software is deployed in a way that it is used to submit data electronically for FDA filings.

12:56  Jesse Harris

Okay. Now with that explanation of validation, GXP and 21 CFR Part 11 compliance, are these just about the software or is it also about the way they’re being used? I think you mentioned this a little bit earlier, and I think it’s a point that’s worth emphasis.

13:09  Karim Kassam

So as I mentioned, the software does need to be validated and the software also has to have features that allow it to be rolled out into a GXP and a 21 CFR Part 11 compliant environment. However, along with the software functionality, a company must include standard operating procedures to ensure that all of the regulations are being followed. For example, the idea of having user accounts, the software has the capability of allowing people to create their own user accounts with passwords. However, if people share their information with colleagues, so if user names and passwords are shared, then that would be a violation and would have to be enforced by standard operating procedures within the company to make sure people are following the rules, not just that the software has the capability to ensure some of these rules.

14:11  Sarah Srokosz

Yeah. So I guess we can’t really say then that ACD/Labs software out of the box is necessarily software validated, GXP compliant, or CFR Part 11 compliant. But can it be any of those things or all of them?

14:28  Karim Kassam

Yes. So the ACD/Labs Spectrus platform software has been validated and rolled out in compliant environments by a number of our customers. However, it’s the company’s responsibility to make sure that they have the adequate standard operating procedures on their intended use cases for the software within their individual workflows.

14:57  Jesse Harris

So then that case is, is there anything else folks should know about if they’re looking into software validation or GXP, or anything else that you think is useful information?

15:04  Karim Kassam

Yeah. So a lot of the customers that I’ve spoken to about this, I see two ends of the spectrum. Either they are afraid to do anything at all that’s too big a problem to tackle, or they keep pushing it forward and they don’t deal with it, or they throw the kitchen sink at it. And they want to do everything now, make sure that everything is done regardless of what’s necessary or not.

What I would recommend is to have a plan, have the right people on your team, either people internally or, you know, hire somebody who has experience and understand what is necessary for the type of regulatory compliance that your company needs. And then doing the appropriate amount of work that is necessary.

15:59  Jesse Harris

Yeah, because I think that, you know, how you spelled things out today, it’s I mean, there’s a lot of work that is involved in it still, but it’s not that complicated at the end of the day.

16:04  Karim Kassam

Yeah. Yeah. But it’s just knowing what you need to know and then making sure that you do those things and focus on that and not everything else that people may think as part of regulatory compliance.

16:21  Jesse Harris

Perfect. Okay. Well, I think that that is all of our questions for you today. Thank you so much for taking the time to talk with us.

16:24  Karim Kassam

Thank you, Jesse. Thank you, Sarah.

16:25  Sarah Srokosz

Thank you.

16:28  Jesse Harris

Well, I guess data regulation isn’t so scary after all. We hope this introduction to chemical data and software in regulated environments can help you feel confident in your data analysis.

16:40  Sarah Srokosz

If you’d like to learn about how ACD/Labs supports scientists who work in GXP environments, you can always set up a consultation with our expert staff like Karim on our website.

16:50  Jesse Harris

Absolutely. Just go to and click on the Contact Us button at the top right.

16:58  Sarah Srokosz

Thanks so much for joining us today. Take care.


Analytical Wavelength is brought to you by ACD/Labs. We create software to help scientists make the most of their analytical data by predicting molecular properties and by organizing and analyzing their experimental results. To learn more, please visit us at
