Good Laboratory Practice, or GLP, is not just a documentation standard. In the pharmaceutical industry, it is a management and control system for nonclinical safety studies that governs how studies are planned, performed, monitored, recorded, reported, and archived so regulators can trust the data used in research and marketing applications. The core global baseline is the OECD Principles of GLP; in the United States, the binding rule is FDA 21 CFR Part 58, with 21 CFR Part 11 acting as the electronic-records overlay when required records are maintained electronically; in the EU/EEA, OECD GLP is incorporated through Directives 2004/9/EC and 2004/10/EC, while EMA coordinates dossier-facing GLP compliance work and audit triggers for centrally authorized applications.

International harmonization is strong at the principles level. OECD’s Mutual Acceptance of Data system means compliant nonclinical test data generated in one participating country are accepted in many others, reducing duplicate testing and supporting a common global expectation for quality systems, study control, and data integrity. In practice, however, national implementation still varies in inspection models, certificates/statements of compliance, country-specific monitoring authorities, and how regulators verify foreign laboratories.
For a mid-sized pharma lab, the most material GLP design decisions are: clear management accountability; a genuinely independent QA unit; robust study-director control; disciplined SOP and change control; validated computerized systems with audit-trail review; sample, test-item, reagent, and reference-standard accountability; secure archiving and retrievability; and a risk-based data-integrity program using ALCOA+ across the full data life cycle. The official trend in OECD and regulator guidance is unmistakably toward risk-based control, not mere paper compliance.
The most recurrent GLP failures seen in recent official inspection and enforcement material are not subtle: incomplete or non-retained source data, specimen and animal misidentification, weak or non-independent QA oversight, incomplete master schedules, inconsistent or unsupported QA statements, training that is documented poorly or not evaluated for effectiveness, and weak control of electronic records and audit trails. Recent FDA warning letters publicized these exact patterns in nonclinical laboratories, and the failure modes are directly relevant to pharma GLP systems even where the cited labs were not drug-development sites.
The recommended implementation strategy for a mid-sized pharma lab is to upgrade GLP in this order: governance and role clarity; data-integrity and computerized-system risk assessment; QA program redesign; protocol, raw-data, and archiving controls; sample/test-item/reagent/reference-standard accountability; vendor and cloud governance; then inspection rehearsal and metrics-driven continual improvement. With no budget constraint, a realistic high-confidence implementation horizon is about twelve months, with the first ninety days focused on risk containment and the last quarter focused on mock inspections, evidence readiness, and closure of residual gaps.
Assumptions and regulatory framing
This report assumes a sponsor-owned or sponsor-controlled mid-sized pharmaceutical nonclinical laboratory that conducts or oversees pivotal safety studies, uses a hybrid paper/electronic environment, and outsources some specialized work or IT services. Because the user did not specify countries, country comparisons below are illustrative rather than exhaustive; the representative jurisdictions selected are the United States, EU/EEA, the United Kingdom, Japan, and India.
Within pharma, GLP primarily governs nonclinical safety work, not clinical trials and not manufacturing. OECD states that GLP applies to nonclinical safety testing for pharmaceutical products and other regulated product categories, while FDA Part 58 applies to nonclinical laboratory studies that support research or marketing permits. GLP is therefore distinct from GCP and GMP, even though all three share data-integrity expectations.
For medicinal products, GLP also does not automatically govern every preclinical or analytical activity. A useful EU clarification is that efficacy studies for medicines are normally not required to be GLP, but safety-linked efficacy studies can be. EMA also recognizes that certain specialized areas, such as some ATMP-related nonclinical work, may not always be fully GLP-compliant, but it then expects stronger justification, prospective protocols, documented deviations, archiving discipline, and sometimes additional data or site verification.
A final framing point: ISO/IEC 17025 is not a substitute for GLP. OECD explicitly states that GLP and ISO/IEC 17025 have different historical purposes and regulatory roles; accreditation may be valuable, but for most regulated nonclinical health and environmental safety testing, GLP is the more appropriate framework.
Regulatory frameworks and international harmonization
OECD remains the foundation of cross-border GLP harmonization. Its principles define GLP as a managerial concept for organizing and controlling nonclinical studies, and OECD’s MAD system requires participating governments to accept compliant data generated in other participating jurisdictions. OECD currently states that a test performed in one participating country is accepted in over 40 others, and its current public materials list both OECD members and non-member adherents such as India, Brazil, Singapore, South Africa, Malaysia, Thailand, and Argentina.
The United States takes a direct regulatory-rule approach. FDA 21 CFR Part 58 is the binding GLP rule for nonclinical studies supporting FDA-regulated products, and FDA’s 2025 BIMO compliance program states that its objectives include verifying data quality and integrity, inspecting nonclinical laboratories approximately every two years, and auditing safety studies for GLP compliance. Where required records are electronic, Part 11 adds expectations for system validation, complete copies, secure time-stamped audit trails, authority checks, training, accountability, and signature controls.
The EU/EEA structure is more layered. The European Commission states that OECD GLP was incorporated into EU law through the GLP directives; Directive 2004/9/EC requires Member States to designate GLP inspection authorities and follow OECD compliance-monitoring guides, while Directive 2004/10/EC requires Member States to ensure laboratories conducting relevant safety studies comply with OECD GLP. EMA’s role is important, but different: it chairs and coordinates an ad hoc GLP Inspectors Working Group, supports nonclinical assessors in verifying GLP compliance, and publishes audit triggers for centrally authorized applications. In other words, EU legal enforceability rests chiefly with the directives and national authorities, while EMA operationalizes dossier-facing GLP review.
| Framework | Legal character and scope | Practical significance for pharma labs | Primary official basis |
|---|---|---|---|
| OECD GLP | International baseline for nonclinical safety studies, including pharmaceutical products; defines GLP as a managerial quality system. | Sets the common architecture for organization, study control, QA, recording, reporting, and archiving; anchors international acceptance. | OECD Principles and OECD GLP overview. |
| OECD MAD | Multilateral recognition system requiring participating countries to accept compliant nonclinical test data from other participants. | Makes globally accepted GLP systems commercially valuable and reduces duplicate studies. | OECD MAD system and participant list. |
| FDA 21 CFR Part 58 | Binding U.S. GLP rule for nonclinical studies supporting FDA-regulated products. | Governs personnel, QA, facilities, equipment, SOPs, protocols, raw data, reports, archives, and FDA inspection rights. | eCFR Part 58; FDA BIMO CP 7348.808. |
| FDA 21 CFR Part 11 | Predicate-rule overlay for required electronic records and signatures. | Critical for electronic raw data, hybrid systems, audit trails, access control, and e-signatures. | eCFR Part 11 and FDA guidance. |
| EU/EEA GLP directives | OECD GLP transposed through Directives 2004/9/EC and 2004/10/EC; implemented by national authorities. | Creates the EU legal backbone for monitoring, mutual acceptance, and inspection. | European Commission GLP page and Q&A. |
| EMA GLP guidance | Dossier-focused GLP coordination, compliance advice, and audit triggers for centralised applications. | Matters most for submission strategy, pivotal-study verification, and when non-GLP studies are submitted. | EMA GLP compliance page, EMA audit triggers, EMA ICH M3(R2), EMA ATMP note. |
Because country specifics were unspecified, the variation table below is intentionally representative rather than exhaustive.
| Jurisdiction | Notable variation | Practical implication |
|---|---|---|
| United States | FDA uses inspection and enforcement rather than a routine public “membership/certificate” model; BIMO aims for inspections about every two years; FDA may refuse to consider noncompliant studies or disqualify facilities. | U.S. readiness depends on inspection evidence, study acceptability, and response quality rather than on a standing public GLP certificate. |
| EU/EEA | National authorities are designated under Directive 2004/9/EC; the GLP directives also apply to Iceland, Liechtenstein, and Norway; the EU notes GLP MRAs with Israel, Japan, and Switzerland. | Labs need to understand both EU-level principles and the competent national authority’s program. |
| United Kingdom | MHRA GLP Monitoring Authority runs an implementation inspection for new members and issues a statement of GLP compliance once satisfactory. | UK labs can often evidence status through membership and a formal compliance statement. |
| Japan | PMDA routine GLP inspections are for domestic test facilities; certificates are valid for three years; PMDA accepts studies from MAD adherents. | Foreign sponsors often rely on MAD status and local authority certification rather than PMDA routine inspection. |
| India | NGCMA under DST runs a voluntary GLP certification scheme; India is listed by OECD as a non-member participant in the MAD system. | India can be a globally usable GLP location, but sponsors should verify scope, current certification, and study-specific applicability. |
Core GLP system requirements
The table below translates the highest-confidence official requirements into a system design view for pharmaceutical labs. It synthesizes OECD GLP, FDA Part 58, FDA Part 11, EMA/EU materials, and OECD’s later guidance on data integrity, computerized systems, cloud computing, QA, and IT security.
| Control area | Minimum requirement | What “good” looks like in a pharma lab | Official anchor |
|---|---|---|---|
| Organization and personnel | Qualified personnel, job descriptions, training/experience records, sufficient staffing; management must designate a Study Director and ensure resources are available. | Role charters, current CV/training files, resource planning, single-point study control, no ambiguous reporting lines. | FDA 58.29, 58.31, 58.33; OECD SD guidance. |
| Facilities | Suitable size, construction, and separation to prevent adverse cross-effects; controlled archives and designated storage areas. | Segregated dosing/prep/storage areas, controlled animal areas if applicable, secure records/specimen archives with restricted access. | FDA 58.41, 58.47, 58.51, 58.190; OECD archive guidance. |
| Equipment | Fit-for-purpose design; inspection, maintenance, calibration, and records. | Lifecycle file for each critical instrument, calibration schedule, out-of-tolerance impact review, backup plans for critical assets. | FDA 58.61, 58.63. |
| SOPs | Written SOPs for core laboratory operations; deviations must be authorized and documented; historical file of revisions required. | Controlled document system, effective-date discipline, periodic review, deviation linkage, local availability at point of use. | FDA 58.81; FDA BIMO SOP review expectations. |
| Study plans | Approved written protocol with objectives, methods, test systems, doses, records, statistics, and signed amendments. | Prospectively approved protocols, controlled amendments, delegated-phase plans where relevant, bias-control methods explicitly described. | FDA 58.120; EMA ATMP note for non-GLP pivotal work. |
| Raw data and recordkeeping | Direct, prompt, legible original recording; changes must preserve the original, state the reason, and identify the responsible person. | Contemporaneous capture, attributable corrections, verified transcriptions, exception review of data transfers, retained machine-generated source data. | FDA 58.130; OECD ALCOA+ guidance. |
| QA unit | Independent from study conduct; master schedule; protocol copies; study/facility/process inspections; final-report QA statement. | Risk-based annual QA plan, inspection schedule tied to critical phases, defined escalation criteria, QA trending, and TFM oversight of QA effectiveness. | FDA 58.35; OECD QA 2022. |
| Archiving | Orderly storage and expedient retrieval; authorized access only; indexed materials; defined archivist; retention periods applicable. | Hybrid archive map for paper and electronic materials, retrieval challenge tests, transfer controls for business closure or outsourced archives. | FDA 58.190, 58.195; OECD archive guidance; EC Q&A on contract archives. |
| Sample, test-item, and reference-standard management | Identity, batch, purity/composition, stability, labeling, storage, reserve samples, mixture uniformity/stability, specimen identification. | Full accountability ledger from receipt through use, storage-condition monitoring, reserve-sample custody, chain of custody for specimens. | FDA 58.105, 58.107, 58.113; OECD test-item guidance. |
| Reagents and solutions | Labeled identity, concentration/titer, storage requirements, and expiration date; no outdated or deteriorated reagents in use. | Approved receipt/release process, lot traceability, expiry/retest monitoring, point-of-use labeling and segregation. | FDA 58.83; FDA BIMO reagent-review expectations. |
| Data integrity and electronic records | ALCOA+ across the data life cycle; risk-based governance; validated systems; audit trails; controlled access; secure backups; accountable e-signatures where used. | Formal data map, DIRA, system inventory, validation packages, audit-trail review SOP, role-based access, tested backups, disaster recovery, metadata retention. | OECD DI 2021; OECD computerized systems 2016; FDA Part 11; MHRA data-integrity guidance. |
| Cloud and external IT | Test Facility Management retains overall responsibility; duties, validation, data access, security, audit rights, and termination rights must be in SLAs. | Approved vendor qualification, service-level agreements, data-repatriation testing, shared-responsibility matrix, periodic vendor review, cyber incident playbooks. | OECD cloud supplement 2023. |
| Audit and inspection readiness | Records, specimens, systems, and documentation must be available for inspection; assessors focus on pivotal studies, GLP status, and major deviations affecting reliability. | Current org chart, floor plan, master schedule, submission-ready study binders, inspection room, evidence indices, and mock-inspection rehearsal. | FDA BIMO 7348.808; EMA audit triggers. |
Implementation best practices and common failures
The strongest official pattern across OECD and regulator material is risk-based prioritization. OECD’s data-integrity document explicitly calls for a risk-based approach to data management using data risk, criticality, and life cycle; the computerized-systems guidance makes documented risk assessment central to scalable validation; OECD’s QA guidance allows inspection frequency and scope to be dictated by risk; and MHRA’s data-integrity guidance uses the same logic for data criticality, inherent integrity risk, and interim risk-reduction measures while remediation is underway. In practice, the right first move is almost never “write more SOPs.” It is to map critical data flows and identify where a failure would most directly undermine study validity or regulatory reliance.
A mature implementation therefore starts with seven linked controls: a laboratory-wide data/process inventory; a risk-ranked list of critical systems and study phases; an upgraded QA program with study-, facility-, and process-based inspection logic; disciplined change control and CAPA; role-based training with effectiveness checks; strong vendor/cloud governance; and routine management review of trend data and KPIs. OECD’s quality-improvement paper is especially useful here because it explicitly links issue detection, root cause analysis, CAPA, change control, and review of effectiveness, and it defines KPIs as measurable parameters showing process performance.
Recent official enforcement examples show how GLP systems fail in the real world. FDA’s 2024 press statement and 2025 warning letters cited pervasive failures in data management, QA, training, and oversight; incomplete animal-weight data; missing or inconsistent QA records; incomplete master schedules; altered or back-filled archive indexes ahead of inspection; loss of machine-generated electronic source data with only hand-transcribed paper retained; and specimen/animal identification that destroyed traceability. These are system failures, not isolated clerical mistakes.
Training deserves special emphasis. Official requirements are broader than simple read-and-sign. FDA Part 58 requires education, training, and experience appropriate to assigned functions; Part 11 requires that persons who develop, maintain, or use electronic systems have the education, training, and experience to perform assigned tasks; OECD’s computerized-systems guidance requires documented task-specific training with maintained records; and MHRA explicitly expects data-integrity training for all appropriate staff, including senior management, in an environment that encourages reporting of errors and undesirable results. Training programs that are not role-based, not assessed, or not linked to actual system access are weak by design.
The gap-remediation table below prioritizes what a mid-sized pharma lab should fix first.
| Priority | Recurring gap or failure mode | Why it is high risk | Immediate containment | Permanent remediation | Official basis |
|---|---|---|---|---|---|
| Critical | Incomplete, back-filled, or non-retained raw data, including machine-generated source data | Directly undermines reliability, reconstruction, and study acceptability | Freeze deletion privileges; preserve all source exports; initiate retrospective data inventory | Data-map all raw data; validate capture/retention; enforce ALCOA+ and audit-trail review | FDA 58.130; OECD DI; FDA warning letter examples. |
| Critical | QA not independent or not inspecting at adequate intervals | Removes the lab’s primary internal GLP assurance mechanism | Reassign conflicted QA roles; issue interim QA schedule for ongoing critical studies | Rebuild QA charter, staffing, inspection model, escalation rules, and trending | FDA 58.35; OECD QA 2022; FDA warning letters. |
| Critical | Master schedule incomplete or inaccurate | Prevents scheduled inspections, jeopardizes oversight across the portfolio | Reconcile all ongoing/recent studies manually within 10 business days | Controlled electronic or hybrid master schedule with ownership, periodic QA verification, and audit trail | FDA 58.35; FDA BIMO expectations; warning letters. |
| High | Specimen, sample, or animal misidentification | Breaks traceability and may invalidate pathology or toxicology conclusions | Stop use of ambiguous IDs; quarantine affected materials; perform impact assessment | Unique ID convention, barcode or equivalent controls, reconciliation checks, and SOP retraining | FDA 58.130, 58.90; warning letters. |
| High | Computerized systems not validated for intended use or lacking meaningful audit trails | Electronic data can be inaccurate, alterable, or unreadable during inspection | Restrict admin access; enable available audit trails; document residual risks | Risk-based CSV, role-based access, secure time-stamped audit trails, disaster recovery testing | OECD computerized systems; FDA Part 11; MHRA DI. |
| High | SOP set incomplete, obsolete, or not reflecting actual practice | Deviations become normal and noncompliance becomes systemic | Issue controlled interim work instructions for critical processes | Tiered SOP architecture with periodic review, change control, training, and point-of-use availability | FDA 58.81; FDA BIMO review criteria. |
| High | Training program not role-based or not checked for effectiveness | Personnel may have formal training records but still be unable to perform compliantly | Suspend high-risk tasks where competence is unverified | Curriculum by role/system, effectiveness checks, qualification sign-off, retraining triggers | FDA 58.29; Part 11; OECD computerized systems; MHRA DI. |
| Medium | Weak archive governance, retrieval, or contract-archive control | Inspection failure and loss of long-term reconstructability | Perform retrieval challenge for pivotal studies; restrict archive access immediately | Archive SOPs, archivist role, index discipline, commercial archive technical agreements and oversight | FDA 58.190, 58.195; OECD archive guidance; EC Q&A. |
| Medium | Weak test-item, reference-standard, reagent, and solution accountability | Mix-ups and stability unknowns can corrupt dose/exposure conclusions | Verify labels, expiry, and batch reconciliation for all ongoing studies | Central accountability system covering receipt, storage, use, reserve samples, and disposal | FDA 58.83, 58.105, 58.107, 58.113; OECD test-item guidance. |
| Medium | Cloud or external IT services not governed through a GLP-aware SLA | Responsibility becomes unclear and data access/security may fail during incidents or termination | Inventory vendors and freeze unmanaged interfaces | Shared-responsibility matrix, audit rights, validation evidence, exit/repatriation test | OECD cloud supplement; OECD IT security paper. |
Mid-sized pharma lab roadmap
For a mid-sized lab, the right target state is a management-led, QA-verified, study-director-controlled system in which data ownership is explicit and no sponsor, department head, or vendor can bypass study control or archive/data-governance requirements. That target state is directly grounded in FDA management and Study Director responsibilities, QA independence requirements, OECD study-director guidance, and OECD’s sponsor-influence paper.
flowchart TB
ES[Executive Sponsor]
TFM[Test Facility Management]
QA[Quality Assurance Unit]
SD[Study Directors]
FH[Functional Heads and Lab Supervisors]
PI[Principal Investigators and Test Sites]
IT[IT and Computerized System Owners]
AR[Archivist and Records Manager]
SP[Sponsor Program Owner]
ST[Scientists and Analysts]
ES --> TFM
TFM --> SD
TFM --> FH
TFM --> IT
TFM --> AR
TFM --> QA
FH --> ST
SD --> ST
SD --> PI
SP --> TFM
QA -. independent oversight and status reports .-> TFM
QA -. inspections and findings .-> SD
IT -. validated systems and access control .-> SD
AR -. archive intake and retrieval .-> SD
A practical prioritized roadmap for such a lab is shown below. The sequence is deliberate: stabilize control of critical data first, then institutionalize governance, then validate systems and rehearse inspection readiness.
| Roadmap wave | Primary outputs | Why it comes in this order |
|---|---|---|
| Stabilize | Governance charter, interim data-preservation controls, inventory of studies/systems/archives, critical-gap freeze actions | Prevents fresh integrity loss while the redesign is still underway. |
| Build | Role charters, QA redesign, SOP architecture, protocol/deviation/change-control framework, training curriculum | Establishes the operating model before detailed validation work. |
| Validate | CSV packages, audit-trail review, archive qualification, vendor/cloud qualification, retrieval tests | Converts policy intent into objectively inspectable evidence. |
| Demonstrate | Mock inspections, dossier-ready evidence packs, management review of KPIs, external independent review | Proves the system is controllable under regulatory pressure. |
The roles-and-responsibilities matrix below is a condensed RACI-style design for a GLP lab. It is a synthesized operating model based on FDA Part 58, OECD Study Director and QA guidance, and OECD electronic/cloud accountability guidance. Abbreviations: A accountable, R responsible, C consulted, I informed.
| Role | Governance and resources | Study plan and amendments | Study conduct and deviations | QA inspections | Data and archiving | CSV / Part 11 / IT security | Training and CAPA |
|---|---|---|---|---|---|---|---|
| Test Facility Management | A | C | C | A | A | A | A |
| Study Director | C | A/R | A/R | C | A for study file transfer | C | C |
| Quality Assurance Unit | I | C | I | A/R | C for archive transfer checks | C | C |
| Functional Heads / Lab Supervisors | C | C | R | C | C | C | R |
| Archivist / Records Manager | I | I | I | I | A/R | C | I |
| IT / System Owners | I | I | C | C | C | A/R | C |
| Scientists / Analysts | I | I | R | I | R for source data completion | R for compliant use | R |
| Sponsor Program Owner | I | C | I | I | I | C for contracted services | I |
The highest-value roadmap decision for a mid-sized lab is whether to centralize GLP oversight. The answer should be yes for QA governance, master schedule ownership, computerized-system inventory, archiving standards, and inspection readiness; and no for scientific decision-making that properly belongs to the Study Director. This separation is essential to protect both compliance and scientific accountability.
Templates, checklist, KPIs, and timeline
A workable SOP template for GLP should contain, at minimum: document ID and version; purpose; scope; roles and responsibilities; definitions; required systems/materials; stepwise procedure; data-integrity controls; deviations/exceptions; forms and records generated; training requirements; references; effective date; approvals; and revision history. That template is the simplest way to satisfy the combined official expectations for written procedures, authorization of revisions, historical file maintenance, computerized-system controls, and IT-security procedure coverage.
The prioritized SOP library below is the minimum coherent set I would recommend for implementing or upgrading GLP in a mid-sized pharma lab.
| Priority | Recommended SOP template | What it must cover | Regulatory anchor |
|---|---|---|---|
| Immediate | GLP governance and role charter | TFM, QA, Study Director, PI, archivist, IT, sponsor interfaces, independence rules | FDA 58.31, 58.33, 58.35; OECD SD and sponsor papers. citeturn10view4turn10view3turn28view0turn28view5 |
| Immediate | Master schedule management | Study entry criteria, status updates, non-GLP designation logic, QA access, reconciliation | FDA 58.35; FDA BIMO. citeturn10view3turn24view1 |
| Immediate | Study plan, amendment, and deviation control | Approval workflow, protocol changes, deviation documentation, impact assessment | FDA 58.120, 58.130; OECD SD guidance. citeturn26view0turn28view0 |
| Immediate | Raw data generation and correction practices | Original records, contemporaneous entry, correction method, verified copies, transcription control | FDA 58.130; OECD DI. citeturn10view1turn13view2 |
| Immediate | QA inspection program | Study-, facility-, process-based inspections; reporting; escalation; QA statement rules | FDA 58.35; OECD QA 2022. |
| High | Computerized system validation | Inventory, intended use, risk assessment, URS, testing, release, periodic review, retirement | OECD computerized systems; FDA Part 11. |
| High | Audit-trail review and electronic data review | Review frequency, exception reports, roles, escalation, metadata retention | OECD computerized systems; FDA Part 11; MHRA DI. |
| High | User access, e-signature, and account management | Role-based access, authority checks, password/ID controls, signer accountability | FDA Part 11. |
| High | Test item and reference standard control | Receipt, characterization, batch control, storage, reserve samples, disposal | FDA 58.105–58.113; OECD test-item guidance. |
| High | Reagent and solution management | Receipt/release, labeling, storage, expiry, use, disposal | FDA 58.83. |
| High | Sample/specimen identification and chain of custody | Unique IDs, labels, transfers, reconciliation, pathology alignment | FDA 58.130; warning letters. |
| High | Archive management | Intake, indexing, retrieval, access control, transfer to contract archives, disaster events | FDA 58.190–58.195; OECD archive guidance. |
| Medium | Data-integrity risk assessment | Criticality, inherent risk, controls, residual risk, interim mitigations | OECD DI; MHRA DI. |
| Medium | CAPA and change control | Issue intake, root cause, corrective/preventive actions, change review, effectiveness review | OECD improvement tools paper. |
| Medium | Vendor, supplier, and cloud governance | Qualification, SLA, validation evidence, audit rights, termination/repatriation | OECD cloud supplement. |
| Medium | Backup, cybersecurity, and incident response | Backup frequency/retention, restore testing, remote access, backend protection, incident escalation | OECD IT security paper. |
| Medium | Training and qualification | Role-based curricula, effectiveness checks, periodic retraining, system-specific authorization | FDA 58.29; Part 11; OECD computerized systems; MHRA DI. |
| Medium | Mock inspection and regulator-response management | Inspection room, SMEs, evidence packs, CAPA responses, communication rules | FDA BIMO; MHRA response guidance; EMA triggers. |

The KPI set below is recommended, not prescribed. It is built from OECD’s emphasis on trend analysis, QA effectiveness, performance monitoring, CAPA, and root-cause-based improvement.

| KPI | Example definition | Why it matters |
|---|---|---|
| QA inspection coverage | % of critical studies/phases inspected versus plan | Confirms QA is observing what it says it is observing. |
| Critical/major findings closure time | Median days to verified closure | Measures responsiveness to material compliance risk. |
| Overdue CAPA rate | % of CAPAs past due date | Signals whether the quality system can finish what it starts. |
| Protocol deviation rate | Deviations per active study, risk-weighted | Tracks process discipline and study-control maturity. |
| Audit-trail review completion | % of required audit-trail reviews completed on time | Shows whether electronic oversight is real rather than theoretical. |
| Training effectiveness | % of staff passing role-based assessment / observation check | Better than mere read-and-sign completion percentages. |
| Archive retrieval success | % of retrieval tests completed within target time, without discrepancy | Tests real-world reconstructability. |
| Instrument/SOP overdue rate | % of calibrations or periodic SOP reviews past due | Predicts failure before it reaches study data. |
| Vendor review timeliness | % of critical vendors/cloud services reviewed per plan | Important where GLP reliance extends outside the lab. |
| Inspection readiness index | % of evidence packages complete for selected pivotal studies | Converts readiness from opinion into evidence. |

Below is a concise pre-inspection and pre-upgrade checklist for a mid-sized lab. It is intentionally evidence-based.

| Checklist item | Evidence to verify |
|---|---|
| Every active and recently completed GLP study is on the master schedule | Controlled schedule, reconciliation log |
| Study Director is named and replacements are documented | Appointment memo, handover record |
| QA is independent from study conduct | Org chart, role descriptions |
| Current SOPs exist for all critical operations and key electronic controls | Controlled SOP index, point-of-use access |
| Protocols and amendments are prospectively approved | Signed protocol files |
| Raw data are original, attributable, contemporaneous, and reconstructable | Source-data review samples |
| Machine-generated source data are retained where relevant | Instrument files, exports, metadata |
| Critical computerized systems are validated and access controlled | System inventory, validation files, access matrix |
| Audit trails are enabled and reviewed where risk requires | Review logs, exception reports |
| Test items, reference standards, reagents, and solutions are fully accountable | Receipt/use/disposal logs, labels |
| Archive indexing and restricted access are demonstrably effective | Retrieval test, access logs |
| Role-based training is current and effective | Training files, competence assessments |
| CAPAs and change controls are risk-ranked and on schedule | CAPA register, change log |
| Vendor/cloud agreements preserve GLP accountability and data access | SLAs, qualification records |
| Mock inspection can produce evidence packages for pivotal studies within hours | Mock drill output |

The 12-month improvement timeline below assumes a project start on 2026-06-01. Its sequencing follows the risk-based priorities in OECD and FDA materials: first preserve data and clarify accountability, then strengthen QA and SOP control, then validate computerized systems and archives, then demonstrate inspection readiness.

```mermaid
gantt
    title GLP implementation and upgrade timeline for a mid-sized pharma lab
    dateFormat YYYY-MM-DD
    axisFormat %b %Y

    section Stabilize
    Governance charter and executive sponsorship :a1, 2026-06-01, 30d
    Data and archive preservation controls :a2, 2026-06-01, 45d
    Study/system/archive inventory :a3, 2026-06-01, 45d
    Initial risk ranking and DIRA :a4, 2026-06-15, 45d

    section Build
    QA program redesign and staffing :b1, 2026-07-01, 60d
    SOP architecture and document control :b2, 2026-07-01, 90d
    Protocol and deviation framework :b3, 2026-07-15, 60d
    Training curriculum and qualification model :b4, 2026-08-01, 75d

    section Validate
    CSV for critical systems :c1, 2026-09-01, 120d
    Audit-trail review and access governance :c2, 2026-09-15, 90d
    Archive qualification and retrieval testing :c3, 2026-10-01, 75d
    Test item, sample, reagent accountability :c4, 2026-09-15, 75d
    Vendor and cloud qualification :c5, 2026-10-01, 75d
    IT security and backup testing :c6, 2026-10-01, 90d

    section Demonstrate
    Internal audits and KPI dashboard :d1, 2026-11-01, 90d
    Mock inspection round one :d2, 2026-12-01, 30d
    CAPA closure and effectiveness review :d3, 2026-12-15, 60d
    Mock inspection round two :d4, 2027-02-01, 30d
    Final management review and go-live :d5, 2027-02-15, 30d
```

Open questions and limitations

Because country-specific details were unspecified, the jurisdictional section is representative rather than exhaustive. It does not map every national GLP ordinance, local record-retention overlay, or sector-specific pharmaceutical rule that may sit on top of OECD GLP.

The report prioritizes primary or official sources, but some recent concrete failure examples come from FDA warning letters issued to nonclinical laboratories supporting device submissions rather than drug submissions. I used them because the cited failure modes—raw-data loss, QA weakness, traceability gaps, missing source electronic data, incomplete master schedules, and weak training evidence—are generic GLP control failures, not device-specific concepts.

EMA materials cited here are mainly about compliance coordination, audit triggers, and dossier expectations, not a full standalone GLP operating code. For EU legal implementation, the more operative controls still come from OECD GLP, the EU directives, and national GLP compliance monitoring authorities.

If this roadmap is used for a real implementation, the only items that still need local legal mapping are the country-specific retention rules, national certification mechanics, special modality guidance for areas like in vitro studies or multisite studies, and any product-class-specific exceptions such as ATMPs or other specialized non-GLP justifications. Those should be checked against the specific jurisdiction and study portfolio before execution.
