Regulatory Profiles
GxP.MD ships with four built-in profiles. Each configures risk thresholds, required verification tiers, signing requirements, and quality gate checks for a specific regulatory domain.
Profile Comparison
| Requirement | Pharma | Medical Device | Clinical Trial | Laboratory |
|---|---|---|---|---|
| HIGH coverage threshold | 95% | 95% | 95% | 90% |
| MEDIUM coverage threshold | 80% | 80% | 85% | 75% |
| MPA signing (HIGH) | Required | Required | Required | Recommended |
| IQ required | HIGH + MEDIUM | All levels | HIGH only | HIGH only |
| Audit trail | Required | Required | Required | Required |
| GDPR controls | - | - | Required | - |
| Design history file | - | Required | - | - |
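The comparison above can be read as a gate decision per change. The following is an added example, not GxP.MD's own code: it transcribes the table into a Python dict and evaluates one change against a profile. The dict layout, the artifact names (`audit_trail`, `iq`, `mpa_signature`, `gdpr_controls`, `design_history_file`) and the function name `evaluate_gate` are assumptions made for illustration.

```python
# Added example. Values come from the Profile Comparison table; the dict
# layout, artifact names and function name are hypothetical, not GxP.MD's schema.
ALL = {"LOW", "MEDIUM", "HIGH"}
PROFILES = {
    "pharma-standard": dict(cov={"HIGH": 95, "MEDIUM": 80}, mpa="required",
                            iq={"HIGH", "MEDIUM"}, extra=set()),
    "medical-device":  dict(cov={"HIGH": 95, "MEDIUM": 80}, mpa="required",
                            iq=ALL, extra={"design_history_file"}),
    "clinical-trial":  dict(cov={"HIGH": 95, "MEDIUM": 85}, mpa="required",
                            iq={"HIGH"}, extra={"gdpr_controls"}),
    "laboratory":      dict(cov={"HIGH": 90, "MEDIUM": 75}, mpa="recommended",
                            iq={"HIGH"}, extra=set()),
}

def evaluate_gate(profile, risk, coverage_pct, evidence):
    """Return (passed, failures, warnings) for one change.

    evidence is the set of artifacts present, e.g. {"audit_trail", "iq"}.
    """
    if profile not in PROFILES:
        raise ValueError(f"unknown profile: {profile}")
    if risk not in ALL:
        raise ValueError(f"unknown risk level: {risk}")
    p, failures, warnings = PROFILES[profile], [], []

    # The table lists thresholds for HIGH and MEDIUM only; LOW is not gated here.
    threshold = p["cov"].get(risk)
    if threshold is not None and coverage_pct < threshold:
        failures.append(f"coverage {coverage_pct}% < {threshold}%")

    # Audit trail is required by every profile; DHF and GDPR are profile-specific.
    required = {"audit_trail"} | p["extra"]
    if risk in p["iq"]:
        required.add("iq")
    failures += [f"missing {a}" for a in sorted(required - evidence)]

    # MPA signing applies to HIGH risk: a hard failure where Required,
    # a warning where only Recommended (laboratory).
    if risk == "HIGH" and "mpa_signature" not in evidence:
        msg = "missing mpa_signature"
        (failures if p["mpa"] == "required" else warnings).append(msg)
    return (not failures, failures, warnings)

if __name__ == "__main__":
    # Constructed input: the same MEDIUM-risk change checked under each profile.
    for name in PROFILES:
        print(name, evaluate_gate(name, "MEDIUM", 82, {"audit_trail"}))
```

With the constructed input, the same change passes only under `laboratory`; each other profile rejects it for a different reason.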
Pharmaceutical Standard
`pharma-standard`: The most comprehensive profile. Covers pharmaceutical manufacturing, distribution, and quality management systems. Designed for GAMP Category 5 (custom applications).
Standards Covered
- 21 CFR Part 11 — Electronic Records and Electronic Signatures (FDA). Mandatory sections: 11.10 (controls), 11.30 (open systems), 11.50 (signatures), 11.70 (linked signatures).
- EU Annex 11 — Computerised Systems (EMA). Focus on: risk management (§1), validation (§4), data integrity (§7), audit trail (§9).
- ICH Q7 — Good Manufacturing Practice for Active Pharmaceutical Ingredients.
- ICH Q9 — Quality Risk Management. Provides the risk assessment methodology.
- ICH Q10 — Pharmaceutical Quality System. Knowledge management and continual improvement.
- GAMP 5 — A Risk-Based Approach to Compliant GxP Computerized Systems. Software lifecycle framework.
Key Requirements
- Electronic signatures with non-repudiation (ES256 JWS)
- Complete audit trails with tamper-evident logging
- Periodic review of system access and validation status
- Change control with impact assessment for all modifications
Medical Device
`medical-device`: For medical device software lifecycle management. Maps software safety classification (Class A/B/C) to GxP.MD risk levels (LOW/MEDIUM/HIGH).
Standards Covered
- IEC 62304 — Medical Device Software Lifecycle Processes. Covers software development planning (§5.1), architecture design (§5.3), unit implementation (§5.5), integration testing (§5.6), system testing (§5.7).
- ISO 13485 — Medical Devices Quality Management Systems. Design and development planning (§7.3), design review (§7.3.5), design verification (§7.3.6).
- FDA 21 CFR 820 — Quality System Regulation. Design controls (§820.30), design history file (§820.30(j)).
Key Requirements
- Software safety classification determines verification rigor
- Design history file (DHF) maintained as .gxp/ artifacts
- IQ required at all risk levels (infrastructure is always critical)
- SOUP (Software of Unknown Provenance) documentation for dependencies
Clinical Trial
`clinical-trial`: For clinical trial data systems, electronic Case Report Forms (eCRF), Clinical Trial Management Systems (CTMS), and randomization systems. Includes GDPR data protection requirements.
Standards Covered
- ICH E6(R2) — Good Clinical Practice. Investigator responsibilities (§4), sponsor responsibilities (§5), essential documents (§8).
- 21 CFR Part 11 — Electronic records for clinical trial data.
- GDPR — General Data Protection Regulation. Data minimization (Art. 5(1)(c)), right to erasure compatibility (Art. 17), lawful basis for processing (Art. 6).
Key Requirements
- Patient data must never appear in test fixtures or evidence artifacts
- GDPR-compliant data handling with anonymization support
- Higher MEDIUM coverage threshold (85%) due to patient safety implications
- Consent tracking and data subject rights support
Laboratory
`laboratory`: For Good Laboratory Practice (GLP) systems, Laboratory Information Management Systems (LIMS), and testing/calibration laboratory software. Lighter weight than the pharmaceutical standard.
Standards Covered
- 21 CFR Part 58 — Good Laboratory Practice for Nonclinical Studies. Protocol and conduct of studies (§58.120), reporting (§58.185), record retention (§58.195).
- ISO 17025 — General Requirements for Testing and Calibration Laboratories. Management requirements (§4), technical requirements (§5).
Key Requirements
- Raw data integrity is the primary concern
- Lower coverage thresholds than pharmaceutical standard
- MPA signing recommended but not required for HIGH risk
- Focus on method validation and equipment qualification