Good Laboratory Practice, Good Manufacturing Practice, and the broader GXP family of regulations share one non-negotiable demand: that your data is trustworthy, your records are complete, and your processes are documented and defensible. This guide explains what each standard requires — and how CERF ELN helps your organization meet every one.
The GXP Family at a Glance
The "Good Practice" regulations are a family of quality standards enforced by the FDA, OECD, EMA, and other global agencies. They share a common philosophy — that the quality of science can only be judged by the quality of its records — but apply to different activities along the drug and product development pipeline.
Governs non-clinical safety studies — how they are planned, performed, monitored, recorded, reported, and archived. Applies to studies submitted in support of regulatory marketing permits.
21 CFR Part 58 · OECD GLP Principles
CROs · Pharma pre-clinical · Agrochemical · Environmental
Provides the framework for consistent production of pharmaceutical, food, and medical device products. Covers manufacturing premises, equipment, batch records, and quality control.
21 CFR Parts 210 & 211 · EU GMP · ICH Q7
Drug manufacturers · API producers · CMOs · Food & cosmetics
International standard for design, conduct, recording, and reporting of clinical trials. Ensures participant rights are protected and clinical data is credible and accurate.
21 CFR Parts 50, 54, 56, 312 · ICH E6(R2)
Sponsors · CROs · Investigators · Site management
Collective shorthand for all "Good Practice" quality guidelines across pharma, biotech, medical device, and food industries. All GXP frameworks share common principles around documentation, traceability, and data integrity.
Underpinned by 21 CFR Part 11
Any organization across the product development lifecycle
Record Keeping & Data Management Rules
While each GXP standard has its own specific regulations, they all converge on the same core principles for data management and record keeping. Here is what they require — and what CERF ELN provides to address each one.
GLP (21 CFR 58.130) and GMP (21 CFR 211.68) both require that raw data be recorded directly, promptly, and legibly at the time of observation. Any correction must be made by drawing a single line through the original entry so that it remains legible, dated, signed, and accompanied by a reason for the change. Electronic systems must enforce equivalent controls — preventing backdating and ensuring no original entry can be obscured.
21 CFR Part 11 §11.10(e) mandates secure, computer-generated, time-stamped audit trails that independently record all operator entries and actions that create, modify, or delete electronic records. The audit trail itself must be impossible to alter from within the system. Supervisors must be able to review audit trails readily, and they must be exportable for inspection.
GLP and GMP both require that all previous versions of records remain accessible. A regulatory inspector must be able to see the full evolution of a document — not just its current state. This is incompatible with file management systems that allow version histories to be purged, or word processors where files are simply overwritten.
GLP (21 CFR 58.81) and GMP (21 CFR 211.68) require that all laboratory operations be described by written SOPs, that personnel follow approved SOPs, and that superseded SOPs be archived and retrievable. For GLP, the Study Director must ensure all personnel are familiar with applicable SOPs before beginning work.
21 CFR Part 11 Subpart C governs electronic signatures used in GXP contexts. Signatures must be unique to each individual, non-transferable, and cryptographically linked to the signed record so that the signature cannot be excised, copied, or transferred to falsify a record. GLP additionally requires that study directors sign the final study report and that peer reviewers co-sign raw data entries.
21 CFR Part 11 §11.10(d) and GLP/GMP regulations require that system access be limited to authorized individuals. Access controls must prevent unauthorized users from viewing, creating, modifying, or deleting records — and these controls must apply at the data level, not just the folder level. Even in search results, users must not see records they are not authorized to access.
GLP regulations (21 CFR 58.195) require that raw data, protocols, final reports, specimens, and all documentation related to a study be retained for specified periods — which for many pharmaceutical submissions effectively means indefinitely. The archiving system must protect records from deterioration, accidental loss, and unauthorized access, and must allow retrieval at any time.
GLP (21 CFR 58.29) requires that the test facility have sufficient personnel with education, training, and experience necessary to perform their assigned functions. These qualifications must be documented, and personnel must be trained in the specific SOPs they are expected to follow before performing regulated work.
Data Integrity Framework
ALCOA (and its extended form, ALCOA-PLUS) is the foundational data integrity framework referenced by the FDA, WHO, EMA, and MHRA in their GMP and GLP guidance. It defines the essential attributes that all regulated records — paper or electronic — must possess. CERF ELN enforces all nine principles.
It must be clear who collected or generated the data, and when
Records must be readable and understandable throughout their retention period
Data must be recorded at the time the activity is performed — not reconstructed later
The first record of an observation — or a certified true copy — must be maintained
Data must faithfully represent the activity performed, free from errors or omissions
All data — including out-of-specification results — must be included; nothing omitted
Data must be recorded in a consistent sequence and chronological order
Records must last for as long as they are required — resistant to degradation
Records must be accessible for review and inspection throughout their retention period
CERF Feature Detail
This table maps every major GXP compliance requirement to the specific, tested CERF capability that addresses it.
| GXP / GLP / GMP Requirement | CERF Feature | How It Works |
|---|---|---|
| Raw data recorded directly, not reconstructed (GLP 58.130) | Timestamped Notebook Entries | Computer-generated timestamps on all entries; no backdating possible |
| Changes visible; original not obscured (GLP 58.130, 21 CFR Part 11 11.10(e)) | Strike Out Entry | Strikethrough displayed on screen and in all PDF prints; original always legible |
| Secure audit trail; all modifications recorded (21 CFR Part 11 11.10(e)) | Immutable Audit Trail | Computer-generated, unalterable log of all user actions with timestamps and identities |
| All record versions retained permanently | Version Control (Check Out / Check In) | All versions stored indefinitely; viewable and printable by authorized users at any time |
| Digital signatures unique, non-repudiable, linked to record (21 CFR Part 11 11.70) | PKI Digital Signatures (DSA) | MD5 hash + DSA private key; cryptographically linked; three-factor signing |
| Signature workflows for peer review and management approval | Configurable Signature Workflows | Submitter → Peer Reviewer → Manager → Legal/Regulatory; co-signing with notifications |
| SOPs written, approved, distributed, and acknowledged (GLP 58.81) | Controlled Documents System | Full SOP lifecycle management; mandatory acknowledgment; expiry tracking and automated warnings |
| Work cannot be signed without applicable SOP in place | Controlled Document Placeholders | Notebook page templates require active SOP before signing is permitted |
| Personnel training documented before performing regulated work | Controlled Document Acceptance Records | Timestamped acceptance logs per user per SOP version; exportable for inspection |
| Access limited to authorized individuals (21 CFR Part 11 11.10(d)) | Workgroup Role-Based Access Control | Five roles per workgroup; object-level permissions; search results filtered by access |
| Records available for regulatory inspection at all times | CERF Exporter + Official Printed Copy | On-demand bulk export as native files + XML; PDF generation with signature records |
| Long-term archiving; records retained for life of study (GLP 58.195) | Ultra-Long-Term Storage Architecture | Native file format storage; available perpetual license; sealed LAN capable; no cloud dependency |
| Instrument data captured promptly at time of generation | CERF Automaton + Email-to-CERF | Automated ingestion of instrument data files; no manual transfer steps or chain-of-custody gaps |
| System validated for intended use (21 CFR Part 11 11.10(a)) | IQ / OQ Validation Support | Lab-Ally and validation partners provide full IQ/OQ documentation and services |
Beyond Mandatory Compliance
"In the spirit of GLP" describes the voluntary adoption of GLP-quality data management practices by organizations not formally required to comply. It is increasingly common in academic research, early-stage biotech, and non-profit institutions that want to future-proof their data.
"Digital records should be collected and stored in a 21 CFR Part 11 compliant system if you want to eventually use your records as supporting evidence in any type of formal, legal, or regulatory proceeding, or if you want the records to be used in patent hearings, or other 'due diligence' / intellectual property verification events."
— Lab-Ally LLC, Resources Related to Compliance and 21 CFR Part 11
The standards that make GLP data legally defensible — audit trails, signed records, version control, SOP discipline — also make scientific data more credible, reproducible, and commercially valuable. Research that will never be submitted to the FDA can still benefit enormously from GLP-style record keeping if it might one day support a patent application, licensing negotiation, publication, or collaboration agreement.
Pursuing technology licensing or spin-out companies. GLP-quality records become invaluable during technology transfer and IP verification.
Drug discovery organizations pre-IND, and medical device companies in development stages where future regulatory submissions are anticipated.
Research organizations seeking NIH or federal grant funding where FAIR data compliance is increasingly required as a condition of funding.
Any organization managing high-stakes records that may be subject to due diligence review, litigation, or acquisition scrutiny benefits from CERF's audit infrastructure.
Common Questions
Talk to a CERF specialist about your organization's specific regulatory environment. We'll show you exactly how CERF addresses your compliance requirements — whether you're a fully GLP-regulated CRO, a pharmaceutical QA team, or a research lab working in the spirit of GLP.